A January 2014 investigation by HALOCK Security Labs found 70% of mortgage lenders allowed customers to send sensitive information through regular email, including information such as W-2s and tax documents. The research also found that most of the top U.S. lenders followed the same “unsecure practices” as small lenders. This sets up a ripe environment for data breaches, loss of reputation, and the likelihood of the “long tail of compliance” to hit hard.
Let’s be frank about the real estate transaction business, particularly mortgage lenders, who are constantly engaging these supply chains. This increasingly places them in the path of responsibility for protecting clients’ money and non-public personal information (NPPI) coveted by online thieves for identity theft scams. Yet, only now are smaller real estate settlement service providers starting to invest in network, physical and administrative security as required by the Gramm-Leach-Bliley Act and FTC privacy “safeguard” regulations.
Lenders, regulators, and title underwriters understand that independent title and settlement agents (ITSAs) play a critical role in facilitating mortgage finance transactions. These mostly small, closely-held companies possess the local knowledge, expertise, efficiency and coverage required, and provide consumers, lenders, and title underwriters with the ability to consummate such transactions nationwide. They can do so with nearly unlimited scalability and on a daily basis.
Beyond ensuring that lenders are primary lien holders, the role that an ITSA plays requires extensive contact with consumers and lenders. They handle highly sensitive NPPI and receive and disburse large sums of funds through mortgage disbursement and other escrow accounts. This requires lenders, consumers and scores of parties involved in such transactions to reach beyond the traditional expertise of ITSAs and rely upon their fidelity and adherence to a score of expanding federal and state laws, rules and regulations.
On Oct. 30, 2013, the Office of the Comptroller of the Currency (the “OCC”) raised the compliance bar for banks in the context of the management of their third party relationships. This new OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,” may very well impact our industry more directly, more quickly and in a significantly more comprehensive manner than their earlier bulletins.
The OCC raises concern that banks may generally have “failed to” assess the risks associated with third-party providers, perform due diligence and on-going monitoring of these relationships, and enter into agreements properly assessing internal risk management capabilities. The OCC now expects “more comprehensive and rigorous oversight and management of third-party relationships that involve critical activities [including] significant bank functions (e.g., payments, clearing, settlements, custody).” This heightened expectation thus places banks and ITSAs even more squarely in the regulatory cross-hairs.
If this mounting regulatory concern and effort to identify the risks associated with the use of service providers were not enough, consider how the largest mortgage lender has recently weighed in on this.
In March 2014, Wells Fargo issued a Settlement Agent Communications Newsletter, “Looking forward in 2014 and beyond.” While recognizing the value of the local title and settlement agent, Wells makes clear that as third-party compliance expectations increase, so too will Wells’ expectations of their service providers, through increased monitoring and performance metrics. Wells supports the American Land Title Association’s (ALTA) Best Practices and identifies a “transition time” to become a compliance “top performer.” Wells enquires into whether the implementation process has begun and whether ITSAs are able to document and validate it independently.
Understandably, lenders are struggling to determine how to implement these mandates, given the lack of a uniform, national consistency regarding closing practices and the roles of ITSAs, and how, if at all, to scale-down such requirements and determine what precisely is “appropriate” in each circumstance and in each closing locality.
Despite this, the various regulatory agencies emphasize and generally are in agreement on the following key points and expectations regarding lenders’ risk management of their third-party service providers:
Lender Responsibility and Third-party Service Providers: A lender’s use of service providers doesn’t diminish their responsibility to ensure all related activities are conducted in a safe and sound manner, consistent with applicable laws and regulations.
Third-party Relationships Greatly Increase a Lender’s Risk Profile: In particular, a lender’s strategic, reputation, compliance, and transaction risks are all heightened by the use of third-party service providers.
Adopting a Risk Management Process (RADDCO) to Control Risk: A risk management process should include: (a) A risk assessment to identify the lender’s needs and requirements; (b) proper due diligence to identify and select third-party service providers; (c) written contracts that outline duties, obligations, and responsibilities of the parties involved; and (d) ongoing oversight (monitoring) of the third parties and third-party activities.
Oversight of Third-parties and Lender Flexibility: A lender’s risk profile is unique and requires a tailored risk mitigation approach appropriate for the scale of its specific third-party relationship, the materiality of the risks present and the ability of the lender to manage those risks.
Yet, increased legal and regulatory compliance requirements are only part of the picture.
Christopher J. Gulotta is an attorney at Real Estate Data Shield Inc. Bud Walder, VP of Marketing for DataMotion, also contributed to this blog. They are members of LenderSecure, a group of companies dedicated to helping real estate professionals meet American Land Title Association best practices.