New privacy rules, digital mortgages broaden cybersecurity needs
Consumers' desire for a digitized mortgage process and increased data-privacy regulation force lenders into a race to keep up with evolving cybersecurity risks extending beyond their own operations.
"What worked three years ago won't work today and what works today won't work in another three years," Erin Harris, manager of vendor management at Mortgage Quality Management & Research, said in an interview. "Five years ago, you didn't really hear about wire fraud and data breaches weren't taking place, but unfortunately that’s the world we live in now and cybersecurity is a big part of it."
Encryption provides a major means of securing information, whether it's in the lender's system or in transit to another company. An encrypted connection assures the data can't be intercepted in route.
However, it's not enough for lenders' in-house proceedings remain buttoned up; they also need to make sure their vendors take the precautions they're supposed to once they receive consumers' information.
"As a lender, you need to look at your vendors to see if they have policies and procedures in place and if they're following them," Harris said. "It's very much a trust-but-verify mantra."
So in a sea of counterparties, lenders must manage the cybersecurity risk involved in exchanging data with each one that they work with in order to keep borrowers' personal information secure.
"Generally, once a lender has sold a loan, they're ceding the control of that loan, including the data, to another party," Alex Wood, chief information security officer at Pulte Mortgage, said in an interview. "That's an area vendor management practices need to come in, because you want to make sure when you give control of that data to someone else, they're going to protect it as well."
One challenge in vendor management is that it presents an expense without generating profit, making it tough to justify financially.
But its value in risk management clearly has a potential price tag. By safeguarding borrowers from fraudulent wiring information, of example, a lender can both save money and protect a client relationship.
If borrowers lose their down payment money to a scam artist who intercepts loan information and sends false wiring information for a down payment, they can no longer purchase that house and the lender loses a loan.
Wire fraud alone generated more than $1.4 billion in losses from over 300,000 cases in 2017, according to the FBI's Internet Crime Complaint Center. The dollar volume and incidence of wire fraud has generally trended upward since 2013.
The regulation of data privacy also is increasing, making cybersecurity more of a business imperative for lenders.
For example: California passed the California Consumer Privacy Act in 2018, giving those in the state enhanced rights with the privacy of their public information. There also has been a push for uniform data privacy law at the federal level.