The mortgage industry seems to be fighting its way through an unprecedented barrage of challenges from all angles. Currently, there is a perceived vacuum in federal oversight; aggressive state regulators; the need to realign systems and processes in an era of advancing technology; and growing difficulties in dealing with data security, privacy, identity theft and fraud.
The business is in uncharted territory in many ways, but what do these uncertainties mean for compliance departments? And how do they manage these daily challenges while preparing for more?
For starters, mortgage originators and lenders face increased financial and legal risks that didn’t exist five years ago, particularly in regard to technology and data security, with incidents of fraud growing in the industry each year. This creates a need for compliance and information-technology departments to partner in new ways. They must determine what systems exist — or do not — for dealing with more stringent regulatory oversight, increased loan-origination fraud and other cyberthefts.
Because of the complexity of the challenges, consider convening teams to ensure you have a clear understanding of the regulations and possible consequences. Important areas to consider include data-security and information-security laws; histories of enforcement in each jurisdiction; an institution’s liability; private right of action; and the myriad legal and litigation risks from the federal level as well as every state in which you operate.
Internal audit
As a first step, conduct an internal audit of your systems, controls, backup, staffing expertise, plans for growth and how technology will contribute. Company teams can evaluate internal processes, procedures and data-security measures. If your candid analysis finds staff without the expertise or bandwidth to develop a proper risk-assessment protocol and implement what could be significant changes to all that you do, consider seeking guidance from outside cybersecurity consultants.
State regulators are passing new laws to address major threats, such as those raised by the data breaches at Capital One, Equifax and others. These new laws address how businesses must secure their data; require adequate infrastructure to help protect against breaches; set standards on the reasonable use and collection of online consumer data; and ensure all data is kept confidential and not shared outside your organization.
The selling of data for use in targeting people to change behaviors can have both civil and criminal penalties, as evidenced by Cambridge Analytica and Facebook facing multidistrict actions for sharing personal information during the 2016 U.S. presidential election. In addition to filings against them by the Federal Trade Commission, some 30 class-action lawsuits were awaiting litigation this past fall in a U.S. district court.
High employee costs and attrition rates may require mortgage companies to explore new technology options. For example, some companies are using artificial intelligence and machine learning to automate more of their data-crunching and analytical processes for finding errors, omissions and aberrations. Mortgage companies should consider what their security-monitoring architecture looks like and decide whether the validation process can be automated.
Growing threat
Identity theft poses a growing threat to the mortgage industry, including instances of loan-origination fraud. Incidences of fraud on mortgage applications increased nearly threefold from 2017 to 2018, going from 4% to 11% of all applications, according to studies by Javelin Strategy and Research. Smaller companies, without deep resources and experienced staff to authenticate loan applications, tend to suffer the biggest losses. Reviewing your validation practices is a must.
Compliance departments face intensified scrutiny and expectations for accuracy that may surpass the capabilities of many loan origination systems. Companies must contend with multiple state exams, often with unique requirements, while adhering to federal regulatory standards.
Compliance departments must find ways to properly manage this dynamic and deal with a regulatory Tower of Babel in an increasingly digital environment while setting a course for positive change and lower risk. Lenders must accept the fact that it’s virtually impossible today to build in technology controls that ensure compliance in every state in which they operate.
Analyze when and where staff must step in for authentication. State regulators are getting tougher, taking the role of governmental watchdog and in certain cases pursuing enforcement more aggressively. Many states are levying fines immediately, particularly for repeat violations but also for first-time offenses, rather than working with companies to correct what may have been a minor error or misinterpretation of a regulation.
Digital landscape
As the industry moves toward the adoption of fully digital mortgages, originators and lenders must be able to understand and apply regulations that were often written decades ago for paper-driven and face-to-face interactions with clients. This might mean special approaches are needed in a digital environment. For example, lenders must consider how to comply with the Americans with Disabilities Act and federal e-signature standards while offering remote online notarization.
A model for future state regulations on data privacy — and one to keep a close eye on — may be the California Consumer Privacy Act. The law, which went into effect Jan. 1, 2020, gives residents of California the right to request that a business or company delete or provide data. Businesses must be able to identify the data and delete it.
This can be difficult and costly to comply with, since each platform has its own limitations and many companies work with third-party providers and cloud-based services. Data may be in multiple locations, which makes it harder to identify. Your risk assessment should start with a worst-case scenario: a major data breach.
A mortgage company needs to understand where its data lives, and manage it securely and efficiently. This includes understanding the status of backup systems, processes and security.
Mortgage originators and lenders should develop a crisis and recovery plan for dealing with any breach. Start internally, then ensure you have a comprehensive crisis communications plan to reach external and internal stakeholders, social media and other marketing channels, and the news media. All 50 states require alerts on breaches, most often to consumer agencies and attorneys general.
Regular rehearsals
Prepare accordingly and train staff. Hold regular rehearsals and simulations on attacks, breaches, natural disasters and other issues that could compromise the security of your data and client privacy.
Breaches can be harmful to a company’s reputation and erode consumer trust. Be fast and flexible. Set up an action plan that involves company leaders, as well as compliance, legal and public relations counsel, so you can be fast to respond and honest about your plan moving forward. Your sincere approach and acceptance of responsibility for any errors as soon as possible can reduce the negative fallout.
Anticipate legal challenges that can come from a single borrower in a small state to a class-action lawsuit for larger breaches that impact multiple states. Be concerned about security from third-party providers and vendors. How are they monitored and managed? Are they up to your standards? Get insurance to address potential attacks that financially expose the company.
Have stringent controls for your company’s online marketing efforts, including assurances that loan officers or mortgage brokers follow the letter of the law. Avoid vague or misleading language related to new products, qualifications and costs.
Another challenge facing our industry is determining how long data should be retained. Mortgage originators and lenders must contend with multiple state requirements that focus on data retention, not removal, while adhering to federal regulatory standards. The industry may one day move to have a single set of standards regarding the destruction of data.
