MReport February 2020

TheMReport — News and strategies for the evolving mortgage marketplace.

any other company that stores customer data in the cloud.

Of course, if you work for a major financial brand and you're reading this article, chances are that someone in your organization is aware of this requirement. But developing a broader understanding of the security risks that exist within your company can help everyone better prepare to avoid a data or security breach, or to handle the possibility of one (and understand even more quickly how to respond).

To meet these standards, you must have organizationwide compliance practices and policies that do several things. As you read this list, you should be able to check each of these off without trouble:

1. Monitor known malicious activity and unknown activity. To do this, you must establish a baseline for what is normal and have continuous security monitoring in place.
2. Have a system that sends alerts in the event that customer data is accessed by unauthorized parties. Communication around these events is not optional.
3. Maintain detailed guidelines that articulate the who, what, when, why, and how of security incidents and responses, i.e., an incident response plan. This process must be comprehensive and actionable on a quick timeline, and this is the step that will help you pass your audit and instruct your team in the event that something does trigger this response. It is critical that this not only be a plan: this must be a useful and specific document that could help your development team and your customer service team deploy appropriate responses at the right time.

While monitoring systems is important in case of an emergency such as a data breach, you must have a system in place that demonstrates what is normal activity for your business, or you'll risk triggering many false positives.
It is also a good idea to use this process and its maintenance to get an understanding of where the risks are for your business and what the critical risks could be. This way, you'll be able to modify your alerts to ensure that you're not overreacting or putting energy toward less serious concerns.

Ongoing Employee Training Is Key to Certification Maintenance

Fintechs and fintech-powered mortgage originators operating on the fringes of banking regulation may not have strong regulatory incentives to comply with current regulations and seek certifications, but it is best to position your company on the side of compliance. An important piece of this process is to make sure employees are trained and informed and that their everyday operational practices are in line with company standards.

A major component in meeting these international standards is to provide ongoing employee training, especially for those who handle consumer data on a regular basis. As people who work in mortgage tech, your employees know exactly how much data they're putting out in the world when they apply for or refinance their mortgage, and they appreciate having a company culture that promotes data privacy and security. Employees who put security first will appreciate the importance of taking every step along the way.

Don't Underestimate the Value of Compliance

Improving your risk management practices provides your organization and any partners or customers increased peace of mind that their data is highly secure, which is important because compliance remains a top concern among lenders from both incumbent and challenger banks who work with mortgage lending. This concern comes alongside the rise of nonbank mortgage loan servicers: In 2019, an Inside Mortgage Finance analysis found that these companies held 58% of U.S. mortgages in their portfolios.

It appears the future of mortgage lending is here, and consumers are choosing to go with the option they like best.
Since these customers are not favoring long-established financial brands over fintech challengers, it follows that they aren't thinking about some of the differences that, for industry experts, distinguish these types of institutions.

However, it is important to note that even major banks, lending institutions, and their service providers fail to secure their customers' data. Consider First American Financial Corp.: It exposed 885 million files containing personal financial data earlier this year, the oldest of which were scanned copies of documents that were 16 years old. This cache of documents was available to anyone who knew where they were; no authentication was required. As any borrower or lender will tell you, this should never happen.

Who You Trust Matters

The cat is out of the bag. The value of data-driven insights has been so touted that The Economist declared data the "new oil" back in 2017, which is particularly apt when you consider the hazards of "spilled" data. And everyone you or your mortgage fintech works with must be evaluated for data and security hygiene.

You may recall another major data breach that highlights the importance of choosing partners who have the same high standards for compliance with data privacy regulations. Ascension Data & Analytics now infamously exposed the financial data of over 54,000 mortgage borrowers because of an alleged "server configuration error." This kind of mistake is unacceptable.

The mortgage industry is a web of purchases and sales, and most borrowers understand that their loan originator may not hold their loan for the duration of its lifetime. So, they select their business partners in part by assessing other companies' data and security practices. It is simpler to work with companies that are also certified by outside standard-bearing organizations than to draw up your own list of requirements.
By choosing to meet international industry standards, your company will be well-positioned to win contracts and consumer confidence.

Build a Strong Baseline of Security and Compliance

When you approach partners or customers who have strict data requirements, perhaps especially incumbent banks and major lenders, being able to demonstrate that you meet the same strict requirements that they must comply with allows you to onboard more seamlessly.

In the mortgage industry, your financial brand's compliance with privacy and data security standards is a litmus test you want to pass when you first approach partner organizations or potential clients. There is no substitute for meeting the standards held by international standard-bearing organizations and having a demonstrable culture of compliance from the top-down.

MARIA MOSKVER is the Chief Legal and Compliance Officer at Cloudvirga, a digital mortgage origination platform. A results-driven executive with over twenty years of experience in the consumer financial services industry as a practicing attorney and chief compliance officer for technology-based companies, Moskver has extensive knowledge of federal and state-specific regulatory issues and a strong track record of establishing cultures of compliance.
