Secure Insight Mortgage Industry Blog

The mortgage lending industry has faced severe financial threats and incurred significant financial harm due to data security and data privacy breaches.  These breaches have resulted in wire fraud, data theft and identity theft in the past few years.  The industry has previously come together and incorporated tools and policies to combat the issue, however the government’s stay at home orders are now taking many into uncharted waters and raising risk concerns.

Those professionals now sheltered in place at home, who include mortgage industry processors, underwriters and closers, as well as settlement professionals, including attorneys, title agents and escrow officers, need to adopt measures to protect banks and consumers from harm.

Just as they would in their offices, these important workers who have daily access to consumer personal and financial data, and are transmitting information, files and even wire instructions via email, must maintain strict policies to avoid fraud.  This means to only use company email addresses when conducting business, turning off home computers when not working, destroying hard copies of files instead of simply throwing them in the trash (via shredder or simply tearing them up), avoiding talk about consumer personal information within earshot of family or friends who may be about, and not leaving laptops and hard files in their vehicles when traveling or simply sitting in the driveway.

In addition to these simply personal practices, sheltered at home workers must be even more diligent regarding wire fraud.  Whenever there is a breakdown or interruption in a well conceived and executed workflow, there is the possibility for exploitation by criminals.  With so many conducting work at home it is only natural to let one’s guard down a bit, to skip strict compliance and operational policy steps, and even perhaps in an early morning or late evening state of tiredness, miss a phishing communication that can open the door to financial disaster.

As we all learn to adjust to the new normal when it comes to the mortgage industry, let us not forget to focus on the potential harm that data privacy and security breaches can cause to everyone.

 

In the midst of the current COVID-19 health crisis, lenders and settlement agents who schedule and conduct mortgage loan closings where a small group of people typically gather to sign documents and finalize a transaction should consider adopting a process that offers a safe place to conduct business.  A suggested checklist might include the following:

1.  Speak with all parties who intend to appear at a live closing and inform them that you will be implementing a clean and safe environment;
2. Make sure that anyone who is displaying ANY symptoms of illness (coughing, sneezing, runny nose, fever) does not appear and where possible send a substitute professional (realtor, attorney, title agent, notary, escrow officer).  Where a seller or buyer is ill consider, with proper legal advice, whether you can close with a duly executed power of attorney.
3. Restrict the numbers of persons in the closing room. If necessary mail checks to realtors, limit family members attending, and ask anyone not directly involved not to appear.
4. Clean the closing room thoroughly, clean all table surfaces, all chairs and the door handles (this must be done before each closing if more than one is taking place that day);
5. Make hand sanitizer available for everyone;
6. Make sure that the room is properly ventilated, and open a window if possible;
7. Offer (new, unused) masks to anyone who may want to use one;
8. Be prepared so that the participants can get in and get out quickly.  Have all documents ready to sign and notarize,  have all copies made,  have all checks cut and ready to distribute;
9. Have everyone bring their own signing pens so they are not shared around the table;
10. Ask the seller to clean keys, garage door openers and anything else being handed over to the buyer at the closing.
11. Keep the atmosphere pleasant, despite all the precautions the idea is not to create a “war room” environment but simply to create a safe place where people can feel comfortable without being scared.
12. Lastly, consider learning more about e-mortgages and e-closings as well as remote notarization.  These platforms are the wave of the future and will allow complex mortgage transactions to be managed seamlessly from a distance.  Lenders and closing agents need to learn the e-process however it is not to difficult it just requires a change in the way you think about documents and signatures and notarization.

Secure Insight and DocMagic have been working for a year on developing an e-closing training program to help settlement agents understand the process and be qualified to conduct e-closings using the DocMagic platform.  Given the current interest in expanding the use of e-mortgages and e-closings, we are working very hard to launch an online education and qualification site very shortly. If you wish to know more reach out to us.

In the meantime, get out the cleaning products and masks and keep closing those loans!

 

With the latest news that towns, cities, counties and in some places entire states are shutting down as a precautionary measure to prevent the spread of COVID-19, concern is rising that the inability to record notices of settlement, deeds, mortgages and mortgage satisfactions will upend the closing industry.

In order to successfully conclude the closing of a mortgage transaction several important things must occur. Loan documents must be executed and in some cases notarized. Prior liens must be extinguished and discharged of record. New ownership instruments (deeds and leases) must be properly recorded. In addition, the new mortgage instruments must also be recorded. The timing of recordings is also critical to the proper structure of legal rights in and against a property.

In most places in the United States today these key transfer and lien documents must be submitted manually and then converted to digital files allowing for property history records to be catalogued and then reported publicly. If an office is closed for business due to the health crisis this may mean that these recordings will not take place or may be significantly delayed.

Lender’s rely on these public records, as do title agents and their title insurer partners, to provide an accurate report of the ownership and debt condition of a property in the mortgage evaluation and closing process. Lenders also rely upon title insurance policies to issue within a reasonable time following closing (in some states at the closing table) in order to complete the loan file and prepare it for sale into the secondary market.
Potential chaos in recording also raises the level of risk from closing and title fraud, as the inability of lenders, and title agents to know the current status of a property invites criminals to hide liens, manipulate ownership records, and potentially close more than one loan on the same property through multiple transactions.

Diligence throughout the mortgage process has become customary today, with more lenders than ever adopting comprehensive closing fraud processes backed by effective technology tools to root out potential criminals. As this health crisis extends throughout the United States diligence in financial transactions must increase, especially in the face of rising refinance volume due to low rates and the emerging Spring purchase market.

If you would like to know how Secure Insight can assist you in managing closing table risk, please give us a call for a free demo.

Many lenders mistakenly believe that as long as they receive a closing protection letter (CPL) from a title agent or closing attorney then they have nothing to fear about a loss that may occur at the closing table.  These lenders may collect an agent’s insurance certificate or declaration page but take no steps to verify insurance is valid, paid and in effect.

There are serious negative consequences with this approach to risk management and loss mitigation.

I have covered the inadequacies of the CPL elsewhere and will not repeat them all today.  To summarize: its not insurance, it does not cover all risk (including cyber, general fraud, wire fraud) and it is aggressively defended when claims are made.  In addition, recovery under a CPL may be restricted if their is a bond or insurance policy available for offset and subrogation which makes verification of those items critical.

Agent’s are not universally required by all states to carry errors and omissions coverage or a fidelity bond so no lender can simply assume that everyone carries them. While no serious professional would operate without having some form of insurance protection, lender’s must inquire because no lender should do business with anyone who fails to carry reasonable coverage.  Quite frankly, no lender should agree to send a wire and loan documents to any professional who does not have insurance coverage sufficient to cover potential losses at a closing.  In today’s wire fraud environment the case for requiring cyber liability coverage (often not covered in traditional E&O) is also highly warranted.

Insurance verification can be a tricky process.  Simply collecting a certificate of insurance or declaration page is not enough.  Policy limits, policy restrictions, previous incident omissions and paid status (i.e. paid in full or financed) are key issues which must be addressed.  Furthermore proper verification cannot take place without an authorization from the agent and confirmation with the insurance office where the policy or bond was issued.

No risk management process is foolproof. No risk assessment tool is 100% accurate. No vendor warranty or guarantee is absolute.  Accordingly lenders must consider how they will manage insurance and bond verification and ensure they have a process in place so that when an event takes place, there will be a reliable source of recovery beyond a restrictive and very limited closing protection letter.

At Secure Insight we obtain digital authorizations from all closing agents allowing insurance and bonds to be verified.  Insurance and bonds are confirmed with the issuing office, payments verified and financed payments tracked.  Our agent risk reports set forth types of coverage, including cyber, and their coverage limits and expiration dates.  We took these steps from day one, way back in 2012, because our process was built in conjunction with risk advisors from Lloyds who understood well the need for comprehensive risk assessment to avoid losses.

In our world where reducing the risk of loss at the closing table is a  paramount concern, we understand that the CPL is not enough to offset and manage a loss event that could cost you hundreds of thousands of dollars and a hit on your reputation.

 

 

Identity theft and misrepresentation in mortgage transactions has traditionally concentrated in the reverse mortgage business.  In these cases one can clearly see how elderly homeowners can be manipulated into taking out loans or selling their homes through unscrupulous means.  Oftentimes these transactions are conducted with powers of attorney and not every lender inquires why such a document is being used, although the form is regularly reviewed for legal sufficiency.  Identity theft is likewise a problem in the reverse mortgage business as fake powers of attorney and forged loan documents and deeds can create a legal nightmare for elderly homeowners as well as the lenders who unwittingly engage with fraudsters instead of the actual borrowers.

A bill in New York state (Assembly Bill 5626) was recently signed into law in January 2020 by Governor Cuomo targeting deceptive consumer practices surrounding reverse mortgages and imposing new requirements on borrower representation during loan closings.

This new law addressed what legislators saw as“deceptive practices,” requiring reverse mortgage lenders to provide supplemental consumer protection materials while imposing additional restrictions on lenders related to their payment of insurance premiums and property taxes. The new law also addressing closing table representation, requirement those involved in the settlement of the mortgage transaction to include licensed New York attorneys.  At least one attorney must be present on the sides of both the lender and the borrower to conduct a reverse mortgage closing.

Consequently lenders in New York engaged in reverse mortgage business must ensure their is proper representation, and with the burden on the lender to manage the issue this elevates vendor management obligations as well.  In the past many New York lenders took advantage of the fact that New York allows a ‘lender attorney” to be at the closing, which meant lenders could avoid scrutinizing closing attorneys and simply maintain a limited approved attorney list to manage the regulatory obligations surrounding third party vendor  risk.

With the requirement that lenders demonstrate borrowers in reverse mortgages had independent legal representation, lenders now must make sure that those attorneys are screened for risk too.

Secure Insight maintains the largest database of pre-screened and risk monitored closing attorneys in the United States.  With thousands of New York attorneys rated for risk, and verified as being licensed, insured, with verified trust accounts and free of background issues that might create the potential for harm, lenders have a ready-made solution to meeting new York’s new mandate.

Check us out at http://www.SecureInsightSales.com or contact us at info@secureinsight.com and let us help you manage your new regulatory obligations in the State of New York. We have supervised more than 8 Million mortgage closings without a loss.

Yesterday the Federal Reserve Chairman Jerome Powell testified in front of the US House  Financial Services Committee about monetary policy generally, however he was asked an interesting question during his appearance by  Representative Brad Sherman (D-CA).

Rep. Sherman inquired why the Federal Reserve does not establish a payee name matching requirement to prevent wire transfer fraud when wires are criminally misdirected to parties who are not the intended recipient.

Thus if a lender directs that proceeds of a mortgage loan be sent to “John Doe” yet during the closing process an offshore hacker intercepts email communications and substitutes wire instructions so that the wire is sent to “ABC Co. Ltd.” instead, why is the wire even approved?

We know that many banks do verification on incoming wires.  I have had a few wires held up or rejected when the sender misspelled my name or the name of my company.  Why wouldn’t name matching rules be implemented for outgoing wires as well?

While we cannot manage the Federal Reserve name matching rules, here at Secure Insight we do go beyond just verifying that wire instructions were previously used or that they simply match an account at a US bank in the Federal Reserve system.  Our analysts verify that the name on every account matches the name of the vetted and verified account holder, and when there is a discrepancy between what was presented to us and public records (licenses, insurance, bonds, corporate filings we require a written explanation and additional evidence of ownership before the account is posted in an business profile and cleared for our lender to send outgoing wires.

Wire fraud is the single largest risk to banks (and most consumers) today.  It is a multi- billion dollar crime epidemic. While we go along way to make sure our client’s only wire to trusted accounts, and have successfully supervised millions of loan transactions without a wire fraud loss, we encourage the Federal Reserve to examine the issue of payee name matching as an additional and critical component to overall wire fraud deterrence.

A recent article in Bloomberg Business Week chronicled the SIX YEAR plight of a reporter who was a victim of identity theft.  The cost mentally, physically, financially and to his reputation was severe and life changing.  Consumers are paralyzed without good credit, and the theft of identity can  launch a nightmare scenario involving significant personal losses and restricted access to much needed credit.

Mortgage lenders are obligated through compliance rules as well as state laws to protect consumer non-public information typically collected in the course of the mortgage application, loan approval and closing process so that it does not fall into the wrong hands.  Few truly understand the magnitude of diligence and supervision that is required to effectively protect this sensitive data.  Banks routinely collect nearly all personal and financial data that defines a consumer’s identity and existence while evaluating a mortgage loan application.  This data is handled by many people internally and externally in the course of normal business operations.

To the extent that a lender can manage and control its staff they can effectively, with rules and proper management, prevent losses.  However when lenders deliver some or all of the consumer data to vendors outside their sphere of influence and control the risk rises to a high alert levels.  Does the vendor itself have internal controls?  Are their employees who have access to the data screened and monitored?  How is data stored and protected from intrusion and theft? Does the vendor have sufficient insurance coverage (errors and omissions, crimes and cyber) to offset any potential losses?  These are only some of the critical questions that must be addressed when considering the responsibility a lender has when sharing consumer data.

One of the most serious gaps in managing the risk of consumer data privacy and protection takes place at the closing table. In most instances lenders are sending their money as well as consumer non-public financial and personal information into the hands of people with whom they have a very temporary and superficial relationship. A lender’s ability to assess risk from these transaction partners is too often hampered by the volume of business, lack of trained staff, conflicts where the partners may also be referral sources, and insufficient time to be thorough and analytical in evaluating the level of appropriate risk.

Outsourcing vendor management can be an effective solution provided the vendor assessment company has the tools, technology, process and credibility to assess risk, report on risk and flag issues without causing delays to the loan process or the closing.

Seeking and purchasing insurance is helpful however it is not a deterrent or preventative solution, only a concession that in the event a loss occurs there is a policy limit to offload the financial harm.  By then consumers are outraged, reputations are damaged, and, like the Bloomberg article author it may be years to set things straight.

To learn more about what Secure Insight offers to help manage closing table risk, please visit our website at http://www.secureinsightsales.com.

 

 

 

 

The National Credit Union Administration, based in Washington, was an early advocate for vendor management policies.  As early as 2001, the NCUA issued a guideline suggesting that credit unions manage third party service provider risk carefully. The suggestion had no real weight however.

After the CFPB issued its Bulletin 2012-3 bringing third party vendor management much more into the compliance forefront, the NCUA  supported the effort but had no real power to enforce similar rules.  I had the pleasure of meeting with NCUA officials in Spring 2012 to discuss the topic and explain what I was creating to help the industry manage closing table risk from third party settlement professionals. While they liked what they saw they could not do much other than wish me luck.

Today news broke in the Credit Union Times that the NCUA’s Inspector General is investigating the issue of vendor risk to credit unions.  The IG indicated that “the agency faces “unique challenges” because it is the only banking regulator without power to supervise.”

Of course many credit unions outsource more than closing table functions to vendors.  The use of CUSOs, credit union service organizations, to act as the “back office” for credit union lending establishes a significant reliance on third parties for a great deal of the mortgage lending process.

The IG told Congress that, “credit unions regularly hire vendors and these relationships pose various potential risks to credit unions, as they must relinquish a certain level of control over products and services to the third party vendor as an inherent part of the relationship.”  The NCUA is seeking authority from Congress for the power to regulate and supervise third-party vendors.  Not everyone agrees, however.

Some in the credit union community do not want additional oversight, which is a common reaction when an unregulated business practice suddenly is caught in the cross hairs of regulatory scrutiny. As we found when we started Secure Insight back in 2012 as the first closing table vendor management tool, change does not come easily.  People who have had unfettered access to the mortgage process without any regulation, or with little regulation, understandably balk at being the subject of risk management scrutiny.

In the end what is best for consumers is best for business.  It is therefore very likely the credit union industry will see enhanced scrutiny of third party vendor relationships in the near future, coming into line with existing regulations governing banks and mortgage lenders generally.

Never have there been so many legal and ethical considerations surrounding mortgage lender handling of consumer data.  There are good reasons for this fact.

Mortgage lenders have access to the most personal and private information owned and guarded by consumers.  This includes their names, age and dates of birth, marital status, home addresses, work addresses and detailed employment and salary information, assets including bank accounts, credit card and debt information, spouse and family members, and credit scores.  This information is collected usually electronically, occasionally manually, and is passed through the hands and eyes of dozens of persons both within and without an organization as the loan process progresses towards a closing.  It is obvious that the handling of this information represents a significant trust factor, as well as offering ethical and legal considerations which must be appropriately managed at the risk of litigation, regulator and reputation costs.

The Gramm-Leach-Bliley Act, Federal Trade Commission rules, CFPB, OCC and HUD directives, and new state data privacy and security laws (i.e. New York and California) among others, all bring specific obligations and the risk of severe penalties to those who fail to “plan and execute.”

Managing this problem, like most operational issues, requires a carefully crafted plan to assure the data collected from trusting consumers does not end up being stolen, lost or abused and thereby causing them harm.  Some key considerations every lender should be addressing include:

• Having a data privacy policy in place that is known throughout the company, backed by a company environment that places the handling of data at the top of its list of risk management priorities.
• Having a cyber security policy that addresses how stored data can be properly protected fro outside intrusion and internal negligence and bad actors.
• Enforcing a “clean desk” policy that prohibits employees from having smart phone and other devices in their workplace which might record or copy sensitive data. This policy should also address the proper handling and disposal of paper records through shredding and locked file cabinets, as the case may be.
• Training all employees from owners and managers to the newest hire on the importance of data privacy and security, the methods of preventing cyber breaches, and the consequences for negligent and intentional acts causing harm to the company and its clients.
• Engaging proper tools (software, hardware, and third party service providers) to help manage risk and reduce the likelihood of an event.
• Conducting appropriate evaluation of risk tools and third party providers to ensure they are working effectively and they are not subject to unacceptable risk as well.
• Establishing a crisis management policy for when something goes wrong so that you can assess, contain, restore and report an event.

Private data (also known as PII-or Personally Identifiable Information) is entrusted to mortgage lenders with the reasonable expectation that it will be handled appropriately throughout the organization.  Next to medical data, personal and financial data is the most coveted private data sought by criminals for its resale value.  Recognizing their unique role in handling this sensitive information, all lenders must plan and execute appropriately.