Who Has Access to Your Borrowers’ Data?
The Consumer Financial Protection Bureau (CFPB) now has rule-writing authority and enforcement authority over financial institutions, and this includes interpreting how various federal data privacy and protection statues will be enforced in the mortgage industry. As a mortgage lender, bank, credit union or broker shop you need to know what these statutes and rules mean for your business. The Gramm-Leach-Bliley Act (GLBA) requires financial-related institutions to safeguard sensitive data. Because you collect personal information from customers, including names, addresses and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security Numbers, the GLBA requires that you ensure the security and confidentiality of this type of information. As part of the implementation of the GLBA, the Federal Trade Commission (FTC) issued the Safeguards Rule, which requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure. According to the Safeguards Rule, financial institutions must develop a written information security plan that describes their program to protect customer information. All programs must be appropriate to the financial institution's size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue. Covered financial institutions must identify and assess risks to customer information, design a safeguards program, and detail the plans to monitor it; as well as select appropriate service providers and require them (by contract) to implement the safeguards The Federal Fair Credit Reporting Act (FCRA) governs personal information included in consumer reports. The main “security” feature of FCRA is that the law limits access to certain “permissible purposes,” such as credit, employment, insurance underwriting and rental history. Many companies covered by FCRA may also be “financial institutions” under GLBA. Amendments were made to the FCRA by the Fair and Accurate Credit Transactions Act of 2003 (FACTA). As a safeguard against identity theft, FCRA and FACTA require any company with access to a consumer’s credit information to manage its access, use and disposal to protect identity theft and improper use. In the end, data security rules under GLBA, CFPB, FCRA, FACTA, and Dodd-Frank mandate that you know who has access to borrower information, and manage the risk of loss, theft and other harm that may occur. Settlement agents (lawyers, escrow agents, title agents and even notaries) routinely access (and sometimes retain for their records) data regarding a borrower’s name, address, Social Security Number, bank account information, employment history, assets, income, all which are clearly visible on the 1003 and HUD-1 at closing. Various other documents at the closing table may reveal even more information, such as credit issues, family relationships (children’s names, divorce, separation, civil unions, etc.). Can you vouch for the credibility of these individuals when it comes to such personally sensitive data? Better yet, if there is a breach or loss and a consumer is harmed, will you be able to demonstrate that you took appropriate steps to vet these people before you provided them such access? Just in case you were wondering, the Closing Protection Letter (CPL) does not cover you in the event that a settlement agent improperly accesses and uses a borrower’s personal information. However, independent vetting and monitoring can provide the comfort factor you need to ensure you are taking reasonable steps to meet data security and privacy rules. Andrew Liput is president and CEO of Secure Settlements Inc., a company he founded after nearly 10 years studying the problem of escrow and closing fraud and the uninsured risks associated with mortgage closing professionals. He may be reached by e-mail at [email protected]