Nonbanks must report larger data breaches, FTC rules

Non-bank mortgage players will have to report more cybersecurity incidents to a federal regulator beginning next spring. 

The Federal Trade Commission Friday said its commissioners voted unanimously to approve an amendment to its Safeguards Rule to include non-bank financial institutions. The rule is the latest obligation for lenders and other industry firms regarding data breach reporting, as millions of mortgage customers have been impacted by hacks in the past few years. 

The FTC's rule requires non-banks to notify the agency no later than 30 days after discovery of a breach involving the information of at least 500 consumers. Incidents are defined by the agency as events where unencrypted customer data has been acquired without their authorization. 

The notices must include information about the breach, such as the number of consumers either affected or potentially affected. The reporting requirement goes into effect 180 days after the rule's publication, which would be April 27, 2024. The FTC's commissioners voted 3-0 for the amendment.

The disclosures require similar information to the notices lenders, servicers and technology vendors already post to some state attorneys general offices. Not every state requires firms to report breaches, and only around a dozen states post such notifications regularly. In those disclosures, mortgage firms often include vague references to notifying regulators. 

"Without a notification, the Commission would have no guarantee that it has found all breaches in its searches," wrote April Tabor, FTC secretary, in the recent amendment announcement. 

The Securities and Exchange Commission will begin requiring publicly traded firms in December to report cybersecurity incidents that they determine "material" – a definition that has not been clearly defined. Public companies under that rule won't have to disclose technical details of hacks but rather high-level overviews of what happened, similar to details companies post in a Maine database. 

Data breaches have impacted as many as 4 million consumers in one servicer incident in late 2021. Flagstar Bank recently said over 837,000 of its customers were entangled in a vendor cyber attack. 

Mortgage businesses also don't have an obligation to report instances of fraud to law enforcement, but feds urge them to write more detailed crime reports to increase the likelihood of investigations. Representatives from the Federal Bureau of Investigation and the Secret Service recently told a mortgage audience incidents of home equity theft and wire fraud are up, and asked for lenders to provide as much information to feds as possible.