The Consumer Financial Protection Bureau (CFPB) now has rulemaking and enforcement authority over financial institutions with respect to the privacy provisions of the Gramm-Leach-Bliley Act (GLBA), the major federal consumer financial privacy and data security law. The Safeguards Rule, which implements GLBA's data security requirements, remains with the Federal Trade Commission (FTC).
The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance – to safeguard sensitive data. Mortgage lenders, mortgage brokers, credit unions and banks collect personal information from their customers, including names, addresses and phone numbers; bank and credit card account numbers; income and credit histories; assets and their locations; and Social Security numbers. The names of minor children, marital status, birth dates and more are also found throughout a typical loan file. GLBA therefore requires all lenders to ensure the security and confidentiality of this type of information. As part of its implementation of the GLB Act, the FTC issued the Safeguards Rule, which requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure.
Under the Safeguards Rule, financial institutions must develop a written information security plan that describes their program to protect customer information. The program must be appropriate to the financial institution's size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue. Covered financial institutions must: (a) designate the employee or employees who coordinate the safeguards; (b) identify and assess the risks to customer information in each relevant area of the company's operations, and evaluate the effectiveness of current safeguards for controlling those risks; (c) design a safeguards program and detail the plans to monitor it; and (d) select appropriate service providers and require them, by contract, to implement the safeguards.
As the recent data breaches suffered by Target, eBay and loan origination system (LOS) provider Ellie Mae demonstrate, in a world where private information is widely shared, that information is a serious temptation for criminals. Mortgage lenders and banks, which hold so much of a borrower's personal and financial information, must take significant measures to safeguard that data and to control who has access to it.
To meet these compliance expectations, all lenders should expect to: (i) develop a written data security plan; (ii) designate the responsible employees who may access sensitive data; (iii) screen all employees with access upon hire and at least annually thereafter; (iv) evaluate and monitor all third parties with access to sensitive data (e.g. IT professionals, janitorial services, credit counselors, settlement attorneys, notaries, title agents); (v) assess risks to customer data from security breaches, including rogue employees; and (vi) test and monitor the safeguards.
Risk management experts and industry auditors recommend that lenders, banks, credit unions and brokerage shops conduct annual screenings of all employees with access to consumer data, credit reports and financial information, as well as of any third-party vendor that may have access to some or all of the same data. Failure to adopt and enforce appropriate measures exposes the institution to severe regulatory penalties and to civil lawsuits for damages.