Equifax breach fuels digital mortgage doubts
Editor's Note: NMN is proud to present the 2017 Digital Mortgage Conference Sept. 28-29 in San Francisco. Click here to read more from our digital mortgage special report.
Digital mortgages are improving the borrowing experience for consumers, but they may also complicate fraud risks stemming from the Equifax data breach.
"A data breach of this magnitude is not contemplated in the development of a digital mortgage or any mortgage," said Debbie Hoffman, a consultant who advises lenders on legal and compliance issues. "Because digital is less personal and more systematic, I think the risk could be greater."
Fraud risk is "marginally" higher for digital mortgages than traditional ones, said Nick Larson, manager of real estate strategy at LexisNexis Risk Solutions.
Digital mortgages won't likely be the first target for identity thieves using the Social Security numbers, driver's license numbers and other personally identifiable information stolen from Equifax. Credit cards or retail items that can be purchased online in the short term with less scrutiny are easier to access.
But identity thieves tend to broaden their reach over time, and they could potentially fake enough borrower data to close a home loan, particularly if the process is compressed and done entirely online. But they would have to clear a number of digital hurdles to pull it off.
"I suppose under the right conditions it is possible, but it's probably really easy to get caught," said Dan Cutaia, founder of digital mortgage startup BeLoanReady, adding that he would advise lenders to consult experts for more guidance on how much risk they have and how best to manage it.
The mortgage industry has a lot of exposure to Equifax.
Tri-merged credit reports that include Equifax data are generally accessed by all mortgage lenders. Equifax also partners with many influential companies. Equifax, for example, is one of Fannie Mae's key vendor partners enabling its Day 1 Certainty data verifications, and also partners with Freddie Mac.
"There is no doubt Equifax will have a lot of tough questions from lenders" as a result of the breach, said Garth Graham, a senior partner at industry consulting firm Stratmor Group.
So far Fannie, Freddie, loan origination system provider Ellie Mae and several others that have business partnerships with Equifax have respectively said they find no signs their data has been compromised as a result of the breach, but they are continuing to monitor the situation.
All these players are more frequently automating processes that have been done in person in the past, such as appraisals done to verify refinances, notarizations and electronic closings.
These practices may increase fraud risk, but even traditional mortgages originated with human intervention may not be immune to a data breach where a fraudster has access a lot of borrower information.
For example, Cutaia recalls at least one instance during the housing bust where an identity thief used a real driver's license number and a real borrower's name to make a convincing fake ID with his photo on it and showed up at the closing in person with it undetected.
Providers of digital mortgages and related services and technology, as well as traditional lenders, go through many more steps to authenticate borrowers now than they did in the past.
The automated data verifications used in many digital mortgage technologies cut down on human processing time and help reduce data entry errors. But they also pose new fraud risks that lenders must protect themselves against.
For example, 360 Mortgage Group recently implemented a digital mortgage self-service tool that streamlines the application process by minimizing the amount of information collected from consumers. While traditional processes require underwriters to use third-party sources to validate data provided by borrowers, 360 Mortgage "inverts" that process by presenting information pulled from data aggregators to the borrower for verification.
So what's to stop a fraudster who has some stolen consumer data from obtaining more data from the digital mortgage application?
For starters, borrowers have to go through a rigorous identity verification process that includes validating whether the borrower's name matches the name registered to the cellphone number provided on the application.
"If there is anything that indicates that this is not a valid consumer that we're dealing with, it will stop the process and tell you that you've got to call," said 360 Mortgage President Mark Greco.
Once a borrower's identity is validated, the applicant is presented multiple choice questions to verify information like income and assets that was pulled from third-party sources. The answer options are presented in ranges, so the actual data point is not revealed to the user until the end of the process when the borrower is asked to sign a form 1003 mortgage application.
The system also asks other detailed questions that the only the borrower is likely to know. "One example is, '10 years ago you bought a car, what color was that car?'" Greco said.
The Austin, Texas-based lender also contracts with third-party data security companies that regularly monitor its systems and test it for vulnerabilities.
These types of safeguards make digital mortgage applications a more difficult target for fraudsters, even if they already have some stolen data about a consumer.
Lenders and technology providers are doing more to authenticate borrowers having battled with their own security breaches and evolution of fraud risks, and that should help manage risks from the Equifax breach, said Ann Fulmer, chief strategy and industry relations officer at FormFree.
While identity thieves got a lot of information from the Equifax breach "there is no one database that has every single piece of information about every single person," so it would be difficult for a scam artist to construct a fake identity that makes it all the way through multiple layers of identity checks, she said.
"Credit as always been at the epicenter of mortgage authentications, but that benchmark no longer carries the clout it once did," said Brett Chandler, founder and CEO of FormFree.
In addition to fraud prevention methods developed post-crisis like examining relationships between parties to transactions through analytics to identify potential collusion, automation can analyze whether borrower behavior, devices or locations break usual patterns.
Even if someone used the stolen Equifax information to apply for a mortgage, "there are a lot of things lenders can do through digital means to make things quite hard for fraudsters," said Frank McKenna, the chief fraud strategist at risk management firm PointPredictive.
Because of the size of the breach, the federal government is likely to get involved and put more regulations in areas like data security and privacy. But it will be the lending community's responsibility to implement those new regulations, McKenna said.
There are services that will scan a driver's license to see if it's a forgery. Selfies can also be used to prove identity and digital fingerprint services are available.
Notarize, a company that provides automated notarization of documents online during digital-mortgage closings, uses three-factor authentication that includes quizzing borrowers on information only they should know, photo IDs that go through forensic analysis and video recordings of closings.
Advanced authentication will likely include additional measures beyond this like "biometric" forms of identification, said Paul Bjerke, vice president, fraud and identity management strategy at LexisNexis Risk Solutions.
"It could follow in the footsteps of Apple, which just announced facial recognition on their phones. The innovators will get there," said Hoffman.
Even biometric identifiers could have limitations. Older facial recognition technologies, for example, could be tricked, but newer forms, like the "Face ID" that Apple recently unveiled with its new iPhone, have addressed those concerns.
"With the old format of facial recognition you could put a picture in front of the camera, but with this, you can't," said Terry Kurzynski, senior partner at Halock Security Labs.
The Equifax breach "is going to redefine how we figure out credit for people. The Social Security number and name, we can't count on that right now."
The extra authentication steps and expenditures could be in some ways a setback for digital mortgages, as trust in technology and processing speed contribute to their appeal, but it won't be an insurmountable hurdle.
"I don't think digital should be stopped," said Fulmer. "I just think we need to come up with new factors for authentication."
The industry will likely prove resistant to additional authentication measures at first, in part due to costs and questions about how to prevent stored information from being exposed to potential electronic theft or privacy concerns. But it will be a long-term trend, said Kurzynski.
— Austin Kilgore contributed to this report.