Skip to main content

Housing bill provision harms privacy, says diverse coalition

Jun 23, 2008

FTC targets mortgage companies in violation of safeguards ruleCraig Atchleypersonal and financial information, Federal Trade Commission In December 2007, a mortgage company that left loan documents with consumers' sensitive personal and financial information in and around an unsecured dumpster agreed to settle Federal Trade Commission (FTC) charges that it violated federal regulations. The FTC's complaint alleges that the Northbrook, Ill.-based mortgage company violated the disposal, safeguards and privacy rules by failing to properly dispose of credit reports or information taken from credit reports, failing to develop or implement reasonable safeguards to protect customer information and not providing customers with privacy notices. FTC Chair Deborah Platt Majoras said: "Every business, whether large or small, must take reasonable and appropriate measures to protect sensitive consumer information from acquisition to disposal. This agency will continue to prosecute companies that fail to fulfill their legal responsibility to protect consumers' personal information." The actions taken by the FTC, pursuant to the safeguards rule, were a part of what the FTC has termed a "nationwide compliance sweep" directed at mortgage companies and automobile dealers engaged in auto financing. The safeguards rule was incorporated to assure the security and confidentiality of customers' personal information, labeled by the FTC as non-public information (NPI). The purpose is to prevent NPI from falling into the wrong hands, resulting in substantial harm or inconvenience to the customer, a first step in preventing identity theft. The safeguards rule was an extension to the Gramm-Leach-Bliley Act (GLB) and became effective May 23, 2003. It requires financial institutions to conduct privacy risk assessments and implement appropriate safeguards to protect and secure NPI. The GLB Act was enacted on Nov. 12, 1999. In addition to reforming the financial services industry, the act addressed concerns relating to consumer financial privacy. The GLB Act required the FTC and other government agencies that regulate financial institutions to implement regulations to carry out the act's financial privacy provisions. The regulations required all covered businesses to be in full compliance by July 1, 2001. The FTC is responsible for enforcing its Privacy of Consumer Financial Information Rule. What most Mortgage Brokers don't know is that the GLB Act names them, specifically, as a financial institution that must comply with the requirements of the act. The industry has addressed the GLB Act's Privacy of Consumer Financial Information Rule that requires loan applicants to sign the privacy policy disclosure, which provides the applicant an opportunity to "op out" of the company's policy of sharing personal information with affiliates and third parties. Brokers think they are in compliance because that document is among all the other disclosures that are signed at application. Just as ominous, however, is the risk of non-compliance with the safeguards rule. The Illinois company is the most recent prosecution among several mortgage companies that the FTC has targeted in the past. This is the first time the FTC has assessed a monetary fine. In previous cases, identified below, the companies were just required to get professional help to implement an information security plan and audit its effectiveness on a periodic basis. According to the FTC ... In January 2005, the FTC settled a charge against a Clearwater, Fla. mortgage company who had failed to oversee the security practices of its service providers and of its loan officers working from remote locations throughout the state of Florida. The order barred the company from future violations of the safeguards rule and the Privacy of Consumer Financial Information Rule. In addition, the company was ordered to have its security program certified as meeting or exceeding the standards in the consent order by an independent professional within six months and every other year thereafter for 10 years. The order also contained standard recordkeeping provisions to allow the FTC to monitor compliance. In April 2005, the FTC settled a charge against a McLean, Va. mortgage company, with offices in 10 states and multiple Web sites; the company agreed that it violated federal law by failing to provide reasonable security for sensitive customer data. The FTC complaint alleged that the company violated the safeguards rule because it: (1) failed to assess risks to its customer information until more than a year after the safeguards rule took effect; (2) failed to implement appropriate password policies; (3) did not encrypt or otherwise protect sensitive customer information; and (4) failed to ensure that its service providers were providing appropriate security for customer information. In October 2005, the FTC settled a charge against a Tuckerton N.J.-based mortgage company which alleged that it had failed to comply with the safeguards rule's basic requirements, including that they assess the risks to sensitive customer information and implement safeguards to control these risks. In addition, it failed to train its employees on information security issues, oversee its loan officers' handling of customer information and monitor its computer network for vulnerabilities. The settlement bars the company from misrepresenting the extent to which it maintains and protects the privacy, confidentiality or security of any personal information collected from or about consumers, and prohibits violations of the safeguards rule. The settlement also requires that it hire an independent third-party auditor to assess its security procedures every two years for the next 10 years, and to certify that these procedures meet or exceed the protections required by the safeguards rule. The settlement also contains certain recordkeeping requirements to allow the FTC to monitor compliance. Identity theft—the real threat These cases only deal with improper handling of credit files and securing data; the real threat is identity theft originating in the workplace. Credit account theft, check fraud, Social Security number theft and drivers license fraud could all originate from any mortgage loan application file. Such information has even been bought and sold on the Internet. If it is traced back to the mortgage company, the problem gets worse because now the state attorney general's office gets involved. All but a few states have adopted identity theft laws which contain requirements that mirror the safeguards rule. In the state of Texas, companies such as Radio Shack, CVS Pharmacy and Life Time Fitness, along with a host of smaller companies, have all been subjects of investigation and prosecution by the attorney general's office for violations under the Texas Identity Theft Enforcement and Protection Act of 2005. Although there is an awareness of the need to secure and dispose of NPI in the mortgage industry, few, if any, Mortgage Brokers possess a formal plan to comply with the GBL Act. The FTC specifically requires that businesses subject to the GBL Act, regardless of size, implement and maintain a comprehensive written information security plan to protect customer NPI. Without such a plan, the broker has no defense if there is a security breach and sensitive customer information is lost or compromised. Identity theft does not have to be committed for a breach to occur. A loan officer or processor leaving the company with customers' NPI is a breach. The only defense the broker has is to have in place a formalized information security plan. In the case of the Florida company, one of the charges was the "failure of the company to assess the risks to its customer's information until more than a year after the safeguards rule took effect." If a company has made no attempt to comply with the requirements of the safeguards rule, it exacerbates the problem. No matter how innocent the broker, ignorance of the law is not an excuse. The safeguards rule requires companies to develop a written information security plan that describes their program to protect customer information. The plan must be appropriate to the company's size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. As part of its plan, each company must: •Appoint an information security officer to coordinate the information security program; •Determine the risk to customer and employee NPI in each area of the company's operation by identifying how NPI is collected, handled, stored and disposed of when no longer needed; •Design and implement rules to safeguard NPI in those areas of risk, and regularly monitor and test the effectiveness of the rules; •Select service providers such as shredding companies, Web site providers and professional trainers, and contract with them to implement safeguards; and •Evaluate and adjust the program in light of relevant circumstances, including changes in the firms business or operations, or the results of security testing and monitoring. Brokers must consider and address any unique risks raised by their business operations—such as the risks raised when processors take files home to complete work, when loan officers access customer data from their homes or other off-site locations, or when customer data is transmitted electronically outside the company network. The requirements are designed to be flexible. Companies should implement safeguards appropriate to their own circumstances. For example, some companies may choose to put their safeguards program in a single document, while others may put their plans in several different documents, such as one to cover an information technology division and another to provide the training of employees. Similarly, a company may decide to designate a single employee to coordinate safeguards, or it may assign this responsibility to several employees who will work together. These are the initiatives the FTC is expecting Mortgage Brokers to take in order to evaluate the risk posed to their customers NPI. Evidence that a company is in compliance with the safeguards rule requires documentation. The FTC recommends that after the evaluation is complete, the company: •Prepare written policies and procedures; •Conduct employee training on the policies; •Have each employee sign an employee agreement to comply; •Formally adopt an employee interviewing, hiring and training policy; •Establish disciplinary action for violation of policy; •Formally adopt the policies and procedures; •Formally appoint an information security officer; and •Create an NPI security breach action procedure to implement in case a security breach occurs. This is not a time to gamble. When the government passes a new law, it doesn't plaster it on the front page of every newspaper in the country—it makes examples of companies and lets someone else print the story. With identity theft on the rise with more sophisticated thieves, the pressure is on for the government to pull out all stops to dampen the spread. The FTC is looking for mortgage companies that are out of compliance with one purpose: to make violations so costly that the industry will take notice and comply out of fear. For additional information and compliance requirements under the safeguards rule, please visit Craig Atchley is president of The SafeGuards Institute. He may be reached at (214) 228-6598 or e-mail [email protected].
About the author
Jun 23, 2008
NEXA Pays Loan Officers 100% Of Commission Splits

LOs won't pay per-file fees or other hidden fees with NEXA100, says NEXA Founder and CEO Mike Kortas.

May 22, 2024
The Right Prescription

‘Doctor Loans’ making healthy strides in Florida

May 21, 2024
123 Newrez Employees Laid Off In Florida and Colorado

WARN Notices were filed the day after Computershare Mortgage Services, SLS acquisition closed.

May 07, 2024
Ishbia Predicts A Rate Cut By Election Day

CEO of United Wholesale Mortgage shares 'personal perspective' in new YouTube video

May 03, 2024
Yield Curve, Schmield Curve?

The yield curve is a harbinger, not the be-all, end-all for lenders.

May 02, 2024
UWM, UMortgage Under Attack For Alleged Shell Scheme

A report released on April 25 by the hedge-funded media company alleges UWM set up a shell company, UMortgage.

Apr 25, 2024