The Financial Services Modernization Act, also known as the Gramm-Leach-Bliley Act (GLBA), was put into law in 1999 to partially deregulate the U.S. financial industry. The Safeguards Rule, established in 2003, as part of the GLBA, requires financial institutions to develop, implement, and maintain a comprehensive information security program.
In December 2021, the Federal Trade Commission (FTC) published a revised version of the Safeguards Rule. While some aspects of the Rule became effective in January 2022, new elements for financial institutions to include in their information security program will take effect on June 9, 2023.
The new rule expands the definition of “financial institution” to include activities incidental to financial activities. The FTC lists several examples of “financial institutions” and mortgage lenders are among those included.
Financial institution means any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C § 1843(k). An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution.
Section 314.4(c) of the updated FTC Safeguards Rule includes the following security requirements:
- Access controls
- Data and systems inventory
- Secure development practices
- Multi-factor authentication (MFA)
- Secure disposal of customer information
- Adopt procedures for change management
- Monitor and log activity of authorized users, detect unauthorized access
Why It Matters for Mortgage Lenders
While protecting customer data is a common goal for all enterprises, this objective can be significantly more challenging when the volume and complexity of customer data are greater. Customer data belonging to a consumer purchasing groceries, for example, will look quite different than that of a borrower applying for a loan.
Consider a typical U.S. mortgage loan application. As part of the loan origination process, a borrower requesting mortgage pre-qualification will provide multiple documents to a lender. Bank statements, proof of identity, and tax returns are just a few examples. The lender’s underwriters will then review the collected information, corresponding credit reports, and other supporting documentation, to either approve or deny a borrower’s loan application.
Once a purchase contract for a property has been negotiated with the seller, the process for closing the loan begins. Loan processors will order necessary documents, such as a credit report, flood determination, survey, property appraisal, and title policy. A residential mortgage loan package will typically contain hundreds of pages, with multiple instances of protected data elements throughout a digital file. On the first page of a standard loan application form, for example, there are multiple fields containing nonpublic personal information (NPI), such as income and social security numbers. Digital mortgages may represent the most significant volume of sensitive customer data traversing a lender’s internal and external networks throughout the lifecycle of a loan.
The Consumer Financial Protection Bureau (CFPB) requires U.S. lending institutions to report public loan data. For 2021, over 4,300 lenders, including banks, credit unions, and mortgage companies, reported 21.5M loan applications. While mortgage companies account for just 22% of the institutions, they were responsible for 65% of those applications.
A conventional mortgage will typically contain hundreds of pages with multiple instances of NPI.
Under the updated Safeguards Rule, mortgage companies will be required to implement controls such as multi-factor authentication (MFA) for anyone accessing any system. All customer information held or transmitted both in transit over external networks and at rest will also require encryption. Lenders must monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.
Lenders are continuing the path toward a fully digital mortgage experience with capabilities such as secure digital signatures, remote online notarization, and eRecording. While these enhancements are helping to align the experience closer to customer expectations in other industries, the complexities of a mortgage still require manual processes for hybrid closings. Additionally, lenders typically require third-party service providers to assist at various stages throughout the origination and servicing phases. For example, a mortgage lender may order a flood certification from a third-party vendor to determine whether a borrower’s property is located in a flood zone. 314.4(f)(2) of the Safeguards Rule reads “Requiring your service providers by contract to implement and maintain such safeguards…”
Given the scope of sensitive customer data stored throughout the mortgage application process, bad actors may view a lender’s mortgage portfolio as a prime target. Because non-bank lenders may now be defined as “financial institutions” under the Rule, mortgage companies should continue working with their internal risk and compliance teams to develop a proactive and comprehensive approach to protecting customer data.
What Solutions can Entrust offer mortgage lenders to help with the updated FTC requirements?
Multi-cloud environments, remote workforces, and digital onboarding processes are just a few examples of the new normal for today’s lenders. As mortgage companies progress further along their digital transformation journey, the new FTC controls will play a key role to help mitigate risk. Entrust provides mortgage lenders with a full scope of solutions designed to help protect customer data throughout the mortgage lifecycle.