ARTICLE | From Scotsman Guide Residential Edition | December 2017

Safeguarding Borrower Data

Information security is critical in the digital mortgage industry

Over the past few years, the mortgage industry has had to adjust to new compliance regulations and transition accordingly. With the growing emergence of technology and big data in the mortgage application process, data security stands as a major facet of compliance for mortgage lenders, mortgage technology providers and others in the industry.

In addition, stricter enforcement has increased the cost of originating mortgage loans, which impacts profitability margins. Industry players need to implement more structural changes to their processes to reduce their risk and make internal controls more effective and maintainable over time. Recent data-security concerns demonstrate that although complying with data-security regulations may cost time and money, it pays dividends in the long run.

This past summer, Equifax suffered a massive hacking attack in which sensitive information of more than 143 million Americans was breached. That equates to half of the adult American population. Equifax waited more than a month to announce the massive data breach.

As a credit reporting and monitoring company, Equifax inventories people’s most sensitive information: Social Security, credit card and driver’s license numbers; birthdates; addresses; and more. This left many in the mortgage industry wondering, “How can a company built on data not be more secure?” and “What security measures should my company analyze?”

Certifying financial controls

Mortgage applicants, now more than ever, need to trust their mortgage companies. After all, borrowers supply their most sensitive information — the same information Equifax inventories — when applying for a mortgage. So, what can mortgage companies and mortgage technology providers do to calm applicants’ concerns?

Start with the SOC 2 report, which is an audit on a company’s nonfinancial reporting controls. This report measures five standard criteria: security, privacy, availability, confidentiality and processing integrity. Mortgage companies, lenders, technology providers and other third-party vendors need a SOC 2 report because they process financial transactions, inventory data and share sensitive information.

Although standards can vary, all mortgage companies must verify borrower information through third parties. Pooling and verifying such sensitive information requires strict security. Thus, technology providers require enterprise-level solutions.

Many companies are scrambling to complete their reports because of the SOC 2’s intense criteria, but it is crucial to proceed for numerous reasons. SOC 2 reports verify the security behind sensitive transactions such as mortgage applications. A clean report establishes the underlying company as a trusted data host. As a result, borrowers can trust these companies with their confidential information.

Securing online data

A secure sockets layer (SSL) certificate is an additional step mortgage companies should pursue to secure their data. SSL secures and privatizes data exchanged between a server and a web browser via an encrypted link.

Determining if a domain is secure is as simple as scanning the first five letters of the web address inside the browser. If the address begins with “http:”, that domain lacks an SSL certificate. Domains equipped with an SSL certificate begin with “https:”. If you don’t see the ‘s’ at the end, don’t use the site for secure information.

Mortgage companies can get the ‘s’ added to their websites by obtaining an SSL Certificate. When perusing SSL certificates, it is best to opt for the wildcard SSL certificate. It may seem more expensive on its face, but it’s actually cheaper.

One wildcard certificate secures a domain and an unlimited number of subdomains. Even a basic corporate website hosts a multitude of subdomains that often change with each page within the website. Whether it’s an “About Us” tab, a blog, or a contact form, each holds its own subdomain.
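
As an added illustration (not part of the original article), the Python sketch below checks which hostnames a certificate's subject alternative names (SANs) cover under the matching rule TLS clients commonly apply (RFC 6125): a wildcard must be the whole leftmost label and stands for exactly one label. All hostnames and SAN lists are constructed, and the three-label minimum for wildcard entries is a simplifying assumption.

```python
# Added example; hostnames and SAN lists are constructed for illustration.

def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate SAN entry covers the hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "" in p_labels or "" in h_labels:
        return False                      # empty label: malformed name
    if len(p_labels) != len(h_labels):
        return False                      # a wildcard never spans several labels
    first, rest = p_labels[0], p_labels[1:]
    if any("*" in label for label in rest):
        return False                      # wildcard only allowed in leftmost label
    if rest != h_labels[1:]:
        return False                      # parent domain must match exactly
    if first == "*":
        # Assumption: require "*.name.tld" or longer, rejecting "*" and "*.tld".
        return len(p_labels) >= 3
    return first == h_labels[0]           # literal label; "w*"-style is not expanded


def uncovered_hosts(sans, hostnames):
    """List the hostnames that no SAN entry on the certificate covers."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]


# Constructed inventory of a lender's public hostnames.
HOSTS = [
    "example-lender.test",
    "www.example-lender.test",
    "apply.example-lender.test",
    "docs.apply.example-lender.test",     # two levels below the base domain
    "example-lender-portal.test",         # a different registered domain
]
WILDCARD_ONLY = ["*.example-lender.test"]
WILDCARD_PLUS_APEX = ["example-lender.test", "*.example-lender.test"]

if __name__ == "__main__":
    for name, sans in [("wildcard only", WILDCARD_ONLY),
                       ("wildcard + apex", WILDCARD_PLUS_APEX)]:
        print(name, "-> not covered:", uncovered_hosts(sans, HOSTS))
```

Running an inventory of hostnames through a check like this before purchase shows which names still need their own certificate or SAN entry.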

Once a company secures its domains — even a few the officers didn’t realize existed — it’s time to secure all the applications and cloud offerings used in addition to the core domain. One crack in the chain, or one bit of data breached, and a mortgage company will spend more time and money fixing the mistake than it would have securing the data in the first place.

The company’s software service providers, therefore, must hold the same data security and compliance standards as the company. Let’s say Amazon Web Services (AWS) hosts a mortgage company’s domain, documents, data and more. Common AWS applications include the following: Elastic Compute Cloud (EC2), which provides servers that run the applications; Route 53, a domain-naming system; and Relational Database Service (RDS), which stores and presents data on a cloud platform.

EC2 customers include the Financial Industry Regulatory Authority (FINRA), so by using this service, mortgage companies can be certain they are complying with that service. Route 53 connects end users of a company’s website to the servers hosted on AWS, so when a mortgage applicant submits information, it travels through Route 53 to EC2. When the application is completed, loan originators might store the information in RDS.

As you can see, much of a mortgage company’s digital infrastructure is based on external service providers, especially since the move to cloud computing. Thus, it is vital for a company to verify that the security protections of its technology providers align with the company’s own protections. An online search, for example, will uncover that AWS protects its domains with SSL certificates. A mortgage company can even view the reports on AWS’s SOC compliance.

•  •  •

Complying with industry security standards can be intensive, but it is highly necessary. The move toward a digitally centered mortgage environment added compliance aspects and increased the need for data security, but it also made it essential for companies to think about compliance in an entirely different way.

Time spent ensuring data security is time spent improving and protecting the borrower experience. In addition, technology is crucial to compliance and data security because it provides the most efficient method of producing compliant loans.

Data security also presents an opportunity for innovation. Lenders and mortgage companies equipped with the best, most secure technology enjoy a competitive advantage that transfers all the way down to originators. Those that leave the old methods and adapt to this change may appreciate distinct competitive benefits.

