The mortgage industry is in a unique period of transition, with one foot in the traditional world of finance and another in the ever-changing world of tech. Meanwhile, regulations in both worlds are increasing, meaning today’s mortgage lenders must be hyper-vigilant to ensure they’re compliant on all fronts.
That task is daunting, but industry players (including legacy lenders, digital lenders, mortgage tech companies and tech companies that serve mortgage clients) can live up to the challenge by treating customer security as a team effort. Here are three internal practices that can make this work.
1. Include diverse voices in the C-suite
Any mortgage company with an online presence must also comply with state and federal privacy and security regulations. Any tech startup that serves mortgage customers must comply with mortgage industry regulations. To ensure that both happen consistently, companies playing in the mortgage space must have representatives in the C-suite responsible for overseeing best practices on three fronts: mortgage, tech and compliance.
Having such leaders ensures that major decisions don’t unintentionally undermine a company’s security or compliance on any front and that security and compliance are proactively included in every part of a company’s offering.
At a legacy mortgage lender, this might look like a tech executive advising on security best practices for creating and maintaining the company’s mobile app. At a tech startup hoping to serve mortgage clients, this might look like a chief compliance officer or chief security officer overseeing data mapping and management as the California Consumer Privacy Act (CCPA) takes effect.
This may sound simplistic, but it's not always intuitive when companies see themselves as clearly on one side or the other of the mortgage-to-tech spectrum. Mortgage industry veterans tend to know mortgage regulations inside and out; tech executives are well-versed in the demands of data privacy. The danger of not including leaders with varied backgrounds is that mortgage industry participants risk knowledge gaps they're unaware of: not knowing what they don't know.
As we’ve seen with data breaches in the last few years, that can be a costly way to operate.
Equifax, for example, knew about a vulnerability in one of its public-facing web applications for at least two months before attackers used it to carry out one of the biggest data breaches of 2017, and a vendor patch had been available that whole time. The 100-plus-year-old credit reporting agency may have thought it was acceptable to leave the vulnerability unpatched; had it heeded input from a more tech-savvy leader, it might have known better.
On the other side of the spectrum, we have Ascension, a data analytics firm that serves financial and mortgage companies. It left one of its servers reachable from the internet without any password, exposing millions of customer documents, many of which contained mortgage information. While that is arguably also a tech-first error, the company might have been more vigilant about its security if it had been better versed in the stringent laws governing how customer mortgage data must be handled.
Diverse perspectives in the C-suite can help set the tone for an organization’s security and data protection, but to be most effective, companies must also follow universally recognized best security practices. This brings me to the second internal practice.
2. Voluntarily seek security certification
Mortgage regulations are not optional; companies that don’t comply risk fines and penalties that could inhibit their ability to operate. On the tech side of things though, laws haven’t kept up with the pace of innovation: Most security best practices are still voluntary.
The CCPA is changing that, but we’re still a long way from mortgage and mortgage tech companies facing data regulations as stringent as those that regulate their lending and financial practices.
That matters because consumers care about data security: 96 percent of people say they care about data privacy, yet only 25 percent trust companies to handle their personal information. That gap is not how it should be, and consumers know it: 92 percent believe businesses should be proactive about data protection.
The opportunity is clear: mortgage lenders that can demonstrate they are taking proactive steps to protect customer data will win customer trust, and mortgage tech and other FinTech providers that can show lenders how they will help improve customer data security will have an easier sell.
As far as which security attestations to prioritize, I recommend that mortgage tech companies focus on SOC 2 and ISO/IEC 27001. Lenders looking to partner with mortgage tech providers should ask for a current SOC 2 report and a current ISO/IEC 27001 certificate. Here is what each one covers:
►SOC 2 is an attestation report defined by the American Institute of Certified Public Accountants (AICPA). An independent CPA firm examines a service provider's controls against the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy) and reports on whether those controls are suitably designed (a Type I report) and, for a Type II report, whether they operated effectively over a defined review period. Strictly speaking it is a report rather than a certification, so lenders should read the report and its exceptions rather than take a badge at face value.
►ISO/IEC 27001, published jointly by the International Organization for Standardization and the International Electrotechnical Commission, specifies the requirements for an information security management system (ISMS). Certification is issued by an accredited third-party body after it audits the ISMS, including the organization's risk assessment and the controls it has selected to protect information such as customer data.
Both require ongoing work from the holder: an ISO/IEC 27001 certificate is subject to periodic surveillance audits and recertification, and a SOC 2 Type II report covers a fixed review period and has to be renewed for the provider to stay current. An organization with a current certificate or report can therefore be seen as adhering to recognized practices for protecting customer data. One part of staying current is showing auditors that employees consistently handle data in secure ways. This brings me to the final practice mortgage and mortgage tech firms can implement to ensure customer data security.
3. Create a culture of security
Just as important as having a C-suite with diverse backgrounds is building a culture of security at every level of an organization.
Every day, every single person at an organization makes choices that affect the security of the company and therefore the security of all its customers’ data. Will you download that e-mail attachment? Will you hold the building door for the person behind you? Will you reuse your work e-mail password on a social media account?
There’s no way to guarantee every decision every employee makes is secure, but by creating a culture of security, you create an environment where employees approach their work with a security-first mindset.
This starts with providing adequate training, both in general best practices (like locking your computer screen whenever you step away from your desk) and in job-specific ones (like checking the third-party libraries a new piece of code pulls in against a known-vulnerability database before it ships). Both SOC 2 and ISO/IEC 27001 include security awareness training for all personnel among the controls an auditor will expect to see.
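What that job-specific check looks like in practice, as an added example that is not part of the original article: the script below audits a pinned dependency manifest against a small list of advisories. Every advisory identifier, package name and version in it is constructed sample data (the "EX-2019-…" identifiers are not real CVEs), and a real check would pull its advisories from a feed such as OSV or the NVD and use a proper version-comparison library rather than the dotted-integer comparison used here.

```python
"""Offline audit of a pinned dependency manifest against a known-vulnerability list.

Added example (not from the original article). The advisories and the manifest
below are constructed sample data; the shape mirrors what an advisory feed
provides: package name, first affected version, first fixed version.
"""
from dataclasses import dataclass
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """'1.4.10' -> (1, 4, 10). Only dotted-integer versions are handled here;
    a pre-release tag such as '1.4.10rc1' raises ValueError on purpose."""
    return tuple(int(part) for part in s.strip().split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed identifier, not a real CVE/GHSA
    package: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first version carrying the fix (exclusive bound)

    def affects(self, version: str) -> bool:
        """True when introduced <= version < fixed."""
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed)


# Constructed sample "database" of three advisories.
SAMPLE_ADVISORIES: List[Advisory] = [
    Advisory("EX-2019-0001", "docparse", "1.0.0", "1.4.3"),
    Advisory("EX-2019-0002", "docparse", "2.0.0", "2.1.0"),
    Advisory("EX-2019-0003", "pdfrender", "0.9.0", "0.9.8"),
]

# Constructed sample manifest in requirements.txt style (pinned versions).
SAMPLE_MANIFEST = """\
# pinned dependencies for the document-upload service
docparse==1.4.2
pdfrender==0.9.8
httpclient==3.2.0
"""


def parse_manifest(text: str) -> List[Tuple[str, str]]:
    """Return (package, version) pairs from 'name==version' lines.

    Comments and blank lines are skipped. An unpinned line ('name>=1.0') is
    rejected: a floating version cannot be audited, so failing loudly is
    safer than silently reporting it as clean.
    """
    pins = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency, cannot audit: {line!r}")
        name, version = line.split("==", 1)
        pins.append((name.strip().lower(), version.strip()))
    return pins


def audit(manifest: str, advisories: List[Advisory]) -> List[Tuple[str, str, str, str]]:
    """Return (package, pinned_version, advisory_id, fixed_version) for every hit."""
    findings = []
    for name, version in parse_manifest(manifest):
        for adv in advisories:
            if adv.package == name and adv.affects(version):
                findings.append((name, version, adv.advisory_id, adv.fixed))
    return findings


if __name__ == "__main__":
    for pkg, ver, adv_id, fixed in audit(SAMPLE_MANIFEST, SAMPLE_ADVISORIES):
        print(f"{pkg}=={ver} is affected by {adv_id}; upgrade to >= {fixed}")
```

Two edge cases are handled deliberately: a pin that sits exactly on the fixed version (pdfrender 0.9.8 above) is reported clean because the fixed bound is exclusive, and an unpinned dependency raises instead of passing, since the check has no way to know which version will actually be installed.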
While it’s important that employees at every level receive clear instructions for how to do their jobs securely, it’s also important that leaders at every level enforce security policies consistently.
When secure behaviors happen both from the bottom up and from the top down, an organization has a true culture of security. At this point, security is the default mode of operation, meaning that culture is much more likely to endure and yield positive outcomes.
Security and customer protection are a competitive advantage
We’re currently in an era of increasing regulation in the mortgage tech space. For customers, that’s a good thing. In addition to the greater financial security mortgage industry regulations offer, data security regulations will improve the security of consumers’ personal data and therefore offer greater peace of mind.
Mortgage and mortgage tech companies that prove adept at complying with regulations and therefore protecting customer information and creating secure, carefree experiences will beat out competitors in the coming years.
Customers will only expect greater data security and privacy in the future; as they do, they will flock to mortgage lenders with a clean data privacy track record and a compliance-first operating style. These lenders, then, will be pushed to choose tech providers with robust security credentials.
The beauty is that this shift is not a trend; rather, it’s a long-term move toward practices that lead to better outcomes for everyone involved, meaning everyone who steps up to meet increasing security and privacy demands will win.
Maria Moskver is the chief legal and compliance officer at Cloudvirga. A results-driven executive with more than 20 years of experience in the consumer financial services industry as a practicing attorney and chief compliance officer for technology-based companies, Moskver has extensive knowledge of federal and state-specific regulatory issues and a strong track record of establishing cultures of compliance.