As mortgage industry lenders implement the requirements of the New York Cyber Security requirement (DFAS) and the FFIEC CAT, the Equifax breach highlights the existing risk surrounding data integrity and fraud, and the need for enhanced controls. Consumer finance and mortgage banks will have to manage the ongoing threat of fraud, to which the mortgage press and our clients have reacted by showing an increased demand for third-party diligence, oversight and controls.
National Mortgage News reported on Monday, September 11, 2017, the Seven Aftershocks of the Equifax Breach, of which one of the seven points highlighted was precisely third-party vendor risk. National Mortgage News shared, “Under New York’s new cybersecurity rules for banks, by March 2019, state-regulated banks will have to have in place a series of safeguards for third-party vendors that have access to their networks or to whom they provide data…For financial institutions, this sort of breach raises a vexing question, because many of them provide nonpublic information to credit reporting agencies, and it underscores the fact that when you provide network access or sensitive information to a vendor, the diligence process has to be tightened as these sorts of attacks become more frequent.”
The data compromised in this attack was identifying consumer data, which puts consumers at risk from malicious actors who can use this data to engage in criminal activity. It is very likely that the exposed data will be used to create fraudulent loan applications or to engage in activity that can directly harm the consumer in many unanticipated ways.
Third-party service providers serving the mortgage lending community range in size, infrastructure and cyber security frameworks. Credit bureaus should be on the more advanced end of the security spectrum, but this latest attack shows that an industry-leading organization is vulnerable to a massive data breach. In mortgage funding, various vendors such as closing agencies will clearly not have all the cyber security controls of the credit bureaus. The threat to mortgage banks of funding wire diversion is real, and we continue to take on new mandates as groups are seeking a proven risk prevention strategy. Further, we are working with insurers to provide more applicable cyber, social engineering and crimes policies that protect the closing agent and closing attorney community and the lenders in mutually beneficial ways.
William Klumper, a longtime Mortgage Bank CIO, CSO and FundingShield advisor, shared, “The recent loss of upwards of 143 million records by Equifax will have significant impacts on the housing industry. The criminal element will use this information in combination with data from previous breaches and information available from various social media sites to create a very convincing persona which could be used for high dollar fraud. These threats will continue for many years after this breach is a far distant memory. The use of services such as FundingShield’s WAVs services will provide an added layer of protection for lenders, settlement agents, borrowers and sellers during the funding process in an environment where data elements used to authenticate identities have been compromised by the very systems that maintain the data.”
As a best practice, lenders should verify loan-level closing documents for every loan closing to confirm that the CPL coverage they are paying for is valid and enforceable. Further, a control measure should be in place to verify and authenticate every wire account to which lenders' funds will be sent for settlements and closings.
We feel there are three basic measures, which our clients are leveraging, that lenders should adopt as part of an overall enhanced cyber security and risk management framework for the industry:
Our data across hundreds of billions of closings show 17% of loans do not have proper documentation, licensed parties, CPLs or other requirements needed to confirm title insurance coverage. Making sure you have an enforceable CPL is the first line of defense, and FundingShield works to confirm this at a loan level under our Guardian Service.
Every wire on every loan should be verified using our WAVs or Guardian Service.
Lenders should have a standard for their third-party service providers in terms of internal controls, data retention and basic evidence that policies and procedures are reviewed and enforced. The standards set by the lender should be enforced through an auditable system that can be leveraged to track, control and automate third-party risk, such as FundingShield’s SPC product.