If the CFPB has been clear about anything, it is that protecting the consumer at every point of the transaction is its highest priority. State enforcement agencies and regulators are starting to follow suit. New rules are being imposed, and a number of rules which have been on the books for years are starting to be enforced after years of dormancy.
Data security and the protection of nonpublic personal information (NPI) are crucial, even in offices that have little contact with nonemployees. All the policies in the world won't be effective if your office space puts the secure data of your client and the consumer at risk.
In light of this, we have seen a dramatic rise in the number of physical audits performed by the largest lenders of their correspondent and downstream partners. Auditors are physically onsite, undertaking surveillance of foot traffic and pedestrian patterns in the surrounding neighborhood as well as within the building.
For the smaller mortgage lender — whether credit union, regional bank or lending company — the amount of resources required to maintain compliance has become overwhelming, but there are fairly simple fixes to an office floor plan that can mean the difference between a CFPB fine and a passing grade.
Ironically enough, in its quest to improve transparency in the mortgage lending industry, the CFPB has, in some ways, discouraged that very thing. We work with a lending company that leased a beautiful retail office in a storefront, street-level location in a high-traffic area, with floor-to-ceiling windows everywhere. The primary consumer strategy for that lender was transparency: it invited the consumer to see as much of what that lender was doing as possible, and arranged its office to reflect that attitude. The office layout was akin to a chef's table at a fine restaurant. Anyone walking into the branch could see the staff going about its business from the reception area. Needless to say, this client has had to do a tremendous amount of work in the opposite direction of the original strategy with that space under today’s NPI mandates.
Any number of physical fixes can ease the risk when it comes to windows and other visual access points, most of which are common sense. Facing computer monitors away from windows to protect from peering eyes is one solution. If your office has more than one floor, positioning the workstations that work most often with, and sit closest to, NPI on upper stories is a good idea.
Finally: window treatments. When used properly during nonbusiness hours, blinds and shades are an efficient obstruction.
Another thing we see frequently, especially when lending businesses use ground-floor locations, is that the plumbing almost invariably is located to the rear of the building — away from the street or storefront. As a practical matter, any guests needing to make use of the bathroom facilities usually need to walk through quite a bit of the office to reach them.
This, in turn, requires taller cubicle walls, protective computer screen covers and the like. While these measures are necessary to protect NPI, they also have the negative impact of isolating employees, which has real consequences for office culture, management and collaboration.
A receptionist or attendant as the first line of contact to greet and register guests is standard practice, and designating someone to escort visitors through spaces with ample NPI is common sense. Some lenders, to further protect themselves, invest in an alarm system or video surveillance at entrances, exits and doorways leading to areas containing sensitive material. Locks on all doors leading to areas where NPI is stored, a basic idea but surprisingly not always implemented, are also necessary.
Disposing of NPI is yet another area in which it's easy to run afoul of compliance. NPI removal is hardly as simple as shredding documents and erasing files. Common-sense policies mandating regular shredding, obliteration of old digital files and the like should be used. Similarly, public access to dumpsters and garbage cans should be limited. And, of course, employees should be trained and refreshed on what is, and isn't, appropriate for traditional disposal methods (garbage cans, etc.).
The majority of lending businesses in our industry are already compliant when it comes to protecting NPI and other sensitive data. For others, looming audits or enforcement actions on their peers might serve as a reminder to review existing policies and physical facilities. In either case, it's never overkill to revisit your compliance efforts and determine whether your office space is conducive, or obstructive, to them. Should you find the latter, don't assume that your landlord will be unwilling to work with you on build-outs or revisions. The consequences of failing to act on inadequacies are not worth it.