Legal and Ethical Considerations Surrounding the Handling of Consumers’ Private Data by Mortgage Lenders

Never have there been so many legal and ethical considerations surrounding mortgage lender handling of consumer data.  There are good reasons for this fact.

Mortgage lenders have access to the most personal and private information owned and guarded by consumers.  This includes their names, age and dates of birth, marital status, home addresses, work addresses and detailed employment and salary information, assets including bank accounts, credit card and debt information, spouse and family members, and credit scores.  This information is collected usually electronically, occasionally manually, and is passed through the hands and eyes of dozens of persons both within and without an organization as the loan process progresses towards a closing.  It is obvious that the handling of this information represents a significant trust factor, as well as offering ethical and legal considerations which must be appropriately managed at the risk of litigation, regulator and reputation costs.

The Gramm-Leach-Bliley Act, Federal Trade Commission rules, CFPB, OCC and HUD directives, and new state data privacy and security laws (i.e. New York and California) among others, all bring specific obligations and the risk of severe penalties to those who fail to “plan and execute.”

Managing this problem, like most operational issues, requires a carefully crafted plan to assure the data collected from trusting consumers does not end up being stolen, lost or abused and thereby causing them harm.  Some key considerations every lender should be addressing include:

• Having a data privacy policy in place that is known throughout the company, backed by a company environment that places the handling of data at the top of its list of risk management priorities.
• Having a cyber security policy that addresses how stored data can be properly protected fro outside intrusion and internal negligence and bad actors.
• Enforcing a “clean desk” policy that prohibits employees from having smart phone and other devices in their workplace which might record or copy sensitive data. This policy should also address the proper handling and disposal of paper records through shredding and locked file cabinets, as the case may be.
• Training all employees from owners and managers to the newest hire on the importance of data privacy and security, the methods of preventing cyber breaches, and the consequences for negligent and intentional acts causing harm to the company and its clients.
• Engaging proper tools (software, hardware, and third party service providers) to help manage risk and reduce the likelihood of an event.
• Conducting appropriate evaluation of risk tools and third party providers to ensure they are working effectively and they are not subject to unacceptable risk as well.
• Establishing a crisis management policy for when something goes wrong so that you can assess, contain, restore and report an event.

Private data (also known as PII-or Personally Identifiable Information) is entrusted to mortgage lenders with the reasonable expectation that it will be handled appropriately throughout the organization.  Next to medical data, personal and financial data is the most coveted private data sought by criminals for its resale value.  Recognizing their unique role in handling this sensitive information, all lenders must plan and execute appropriately.