TheMReport — News and strategies for the evolving mortgage marketplace.
Issue link: http://digital.themreport.com/i/1205400
M REPORT FEATURE

Data is the most valuable resource a financial technology (fintech) company holds, as evidenced by the thick stack of regulations that dictate its protection. But many mortgage tech startups don't have a firm grasp on industry regulations when it comes to data security and privacy. These organizations also fail to understand their obligation to safeguard data throughout the entire mortgage process.

Many fintech companies may be aware that the old Facebook motto doesn't apply in their industry, but this is especially true for fintechs that deal with mortgages and lending: infamous technology adages such as "move fast and break things" will likely land you in hot water in the consumer fintech world.

The public is now well aware that fintech startups and challenger banks alike risk exposing their customers to fraud and identity theft when they try to move quickly or flounder on due diligence. People know this because it has become an all-too-common experience to lose trust in your financial institution, whether it's your mortgage lender or the fund holding your retirement account.

But there is a clear path forward. This article will discuss why fintech companies need a security-first attitude and how they can build trust amid a changing regulatory landscape.

Data Security Is More Important than Ever Before

Your customers trust you with an enormous amount of personal and financial data. From social security numbers to tax records, mortgage lending requires that consumers share a significant array of their most sensitive personal and financial data. One of the worst ways to break that trust is to be caught in a data breach that exposes their personal data.

Data privacy breaches are so ubiquitous today that Wikipedia has a living list of famous data breaches by year and reason. Of course, this is not a definitive resource, but it does demonstrate something powerful: this is a pervasive global problem.
All industries are struggling to keep data safe and secure, and it is all too easy to make it onto the list of companies that failed at this task.

While some brands are strong enough to survive the blow of a high-profile security breach, it is unlikely that the average mortgage fintech startup has accrued this kind of clout in its lifetime. A 2019 whitepaper by Tealium reported that 85% of consumers won't forgive a company's mishandling of their information, even if they previously trusted the brand, so when it comes to handling customer data, financial brands must plan and act accordingly.

Consumer Awareness May Be Low, but Your Brand Must Keep Up

Public awareness of the new regulations on personal data and privacy is shockingly low: 70% of consumers haven't heard of the California Consumer Privacy Act (CCPA) or the General Data Protection Regulation (GDPR), and 62% say they don't read privacy policies. But that doesn't mean your company should not be prepared to meet these regulatory requirements as soon as possible.

If you haven't already, get up to speed on Service Organization Controls 2 (SOC-2) certification and ISO/IEC 27001 rules as soon as possible. These are just two examples of standards for information management systems and data security, the latter applying specifically to cloud-based systems. You should also familiarize yourself with the new FTC data security orders, which offer more specific guidance, increase third-party assessor accountability, and elevate data security considerations to the C-suite and board level.

Consider the specific goals of the SOC-2 rules, which ensure that cloud-based systems 1) are secure, 2) are available, 3) have process integrity, 4) are confidential, and 5) ensure the privacy of customer data. It is simple enough for business leaders to look at this list and agree that this is a reasonable standard to meet for data and organizational security.
While becoming certified as compliant with these standards is not a simple undertaking, for those seeking to comply with the SOC-2 standards, there are two steps to take: 1) undergo a technical systems audit, and 2) implement and follow detailed security policies and procedures that must also be maintained in writing.

These requirements are relevant to any tech-based security organization that stores customer data in the cloud, which is applicable to the majority of financial organizations operating today. This includes any SaaS company and

The Unseen Risks

Employee training can be as important as cutting-edge tech when it comes to guarding your reputation and protecting your data assets.

By Maria Moskver