The recent announcement that First American Title Insurance Company and Lender Processing Services  have reached an agreement to develop and implement a managed title and closing services platform should not surprise anyone.  Title underwriters have for years grappled with the problem of how to manage and reduce the risk they face by allowing independent agents to handle searches, policies and disbursements at residential closings without the type of supervision that would ensure uniform quality and risk management. The inability of underwriters to manage this risk in the last financial crisis led to significant financial losses for them in litigation costs and claims, and resulted in increased fees for the CPL, efforts to find surety coverage for agents, and enhanced supervision.  However the risk remains, and as the market cycle exits the refinance boom stage and enters the more risky purchase business stage, the old fears of significant losses are sure to have re-surfaced.

When SSI was launched in July 2012, the reaction by the small agents and their trade associations was largely negative.  The move towards independent vetting and risk management was seen as intrusive, unnecessary, costly, redundant, and (to some) a total sham.  Having researched and study the risks associated with the closing process, and having met with and studied the title industry, its operations and risk management policies, I saw this reaction as incredibly short sighted.

After more than ten years of studying the issue I was convinced that independent vetting, uniform standards and best practices across the closing profession, would help level the playing field for small agents so that they could compete against large managed offices and regional escrow and closing firms.  Vetting might allow them to demonstrate their commitment to quality service and consumer protection.  Unfortunately some of the trade associations did not agree and instead directed their members not to cooperate with independent vetting firms.  Some even went so far as to file complaints with regulators claiming that vetting firms were “abusive consumer practices” and “scams” designed to “make more money for lenders.”

A year later vetting is here to stay.  The CFPB, HUD, FNMA, OCC, FDIC and others have been very clear that third party vendor management includes closing professionals and therefore lenders most demonstrate a process and procedure to manage closing agent risk.  The large underwriters appear poised to offer banks their own solution: consolidation and centralization.  Ultimately the small agents will suffer and may be pushed out of the industry, not by a vetting firm (only the bad actors lose by vetting) but by the very companies with whom they have agency contracts today.  Why?, because it makes little sense to face significant financial risk in an arrangement where the management of that risk is costly and difficult to control.  Mortgage lenders learned that the hard way trying to work through “net branch” operations, which regulators no longer permit for good reason.

Today title, escrow and settlement agents are faced with a dilemma and how they address it and respond to the challenge may very well shape the future of the settlement profession.  I for one am pulling for the little guy.

Increasing regulatory pressures on banks and lenders to adopt greater risk management systems and processes are aimed at establishing a more uniform approach to quality control industry-wide.  At the same time these pressures seek to protect consumers from the type of non-managed business decisions that were at the root of the financial industry collapse several years ago. Consequently federal regulators and the GSEs are requiring mortgage makers to demonstrate that they have adequate policies addressing full enterprise risk management, stem to stern, and that these policies are more than just window dressing.  Audits are requiring that proof be provided that such policies are being used, adapted and modified as needed in response to threats and actual loss events.

At SSI we call this broad-based approach to total risk management the Mortgage Risk Operations Model, or MROM.  An MROM implies that banks and lenders have conducted an internal audit and analysis of all of their procedures and operating systems throughout the mortgage manufacturing cycle.  Lenders have then identified key touch points where regulatory, compliance, quality control and risk management issues arise. Once these touch points are establish, then appropriate controls were developed for each issue, backed by guidelines, overlays, training, technology, ongoing monitoring and management oversight.  Testing, revisions and enhancements are conducted regularly in response to perceived and actual threats.  An MROM committee or team meets weekly or monthly (depending upon an organizations size) to review issues and ensure the MROM is operating properly. Records and reports are maintained in the event of an audit to demonstrate commitment to managing enterprise risk.

The key touch points in developing an MROM will likely involve the following stages of the mortgage cycle: loan origination, processing, underwriting, pre-funding QC, closing, post-closing, 3^rd party post funding QC, and ongoing QC/QA training. At these stages the evaluation may address such things as employment screening, best practices, employee performance valuations, quality control plans, automated fraud tools, third party service provider risk and company-wide training. It will also necessarily require ensuring a culture of accountability, self-evaluation, risk reporting, and adequate response.

At SSI of course  is on third part service provider risk management.  We partner with banks, lenders and credit unions to provide an outsourced solution to evaluating risk, monitoring it on an ongoing basis, and issuing reports.  Our services typically assist these entities in their MROM at the processing, underwriting, and closing stages of the manufacturing cycle.  Quality service provider risk management at these touch points ensures that in the event of an audit a bank may demonstrate that their approach is Independent, comprehensive, includes ongoing monitoring, provides a method to respond to high risk individuals and events, and engages the proper technology to assure data security, data privacy and uniform regular reporting.

Adopting an MROM fulfills the expectations of regulators that mortgage makers have an appropriate strategy to manage risk and changes in a volatile business environment, integrating a uniform but flexible approach to maximizing business success through quality production.  Such an approach also fulfills expectations that internal company cultures will embrace accountability and consumer protection.

What’s in your MROM?  Within the next calendar year you and our staff will need to have an appropriate answer to this question.

Never heard of “blockchain” technology?  Well then you better start Googling it, because like the fax machine, personal computer and the Internet, blockchain data authentication, storage and sharing technology promises to change the way financial transactions occur in a transformational way. Along the way the way banks make loans, and the way we access public data (including property title information) could be radically changed, many say for the better.

A blockchain facilitates secure online transactions. It refers to a decentralized and distributed digital ledger that records transactions across many computers in such a way that the registered transactions cannot be altered retroactively.  Data can be distributed but not copied, can be shared but not stolen, can be personal but because any confidential data will be registered in a unique code to you.  This code or “keys” as referred to in blockchain lingo, consists of a long, randomly-generated string of numbers and characters that one day you may carry with you in an Orwellian manner so that you can unlock all of your own personal information in this database structure. (“Hi there, I am number 679K0iYZX56!34721#, what is your code?”)

Information held on a blockchain exists as a shared and continually reconciled database over a global network of computers that makes it nearly impossible to be corrupted and hacked.. Data is not stored in any single location, meaning the records it keeps are truly public and easily verifiable. Hosted by millions of computers simultaneously, its data is accessible to anyone on the internet.

There has been some talk about how blockchain technology could prevent financial fraud, reducing that risk for lenders, and also to manage public property records.  This latter idea could radically alter the title industry by eliminating the need for a “middle man” to verify authenticated property information and thereby making that information available to everyone using a simple blockchain data search tool.

In May 2016, Forbes Magazine published an article titled “How Blockchain Technology Could Change the World.”    Author  Bernard Marr wrote “We have become used to sharing information through a decentralized online platform (the internet). But when it comes to transferring value – for example money – we are usually forced to fall back on old fashioned, centralized financial establishments such as banks.  Even online payment methods [such as} Paypal… generally require integration with a bank account or credit card to be useful.  Blockchain technology [could] eliminate this [need] by filling three important roles – recording transactions, establishing identity and establishing contracts – traditionally carried out by the financial services sector.”

A September 2015 World Economic Forum report predicted that by 2025 10% of GDP will be stored on blockchain technology.   That is twenty billion ($20B) reasons to pay attention.

In April last year I traveled to Washington DC to attend the CFPB forum on the mortgage closing process.  The build-up to this event came on the heels of the open public comment period the Bureau established for consumers and industry participants to offer personal experiences, ideas, suggestions and comments about the residential mortgage closing process.   The sum and substance of the open comment period was reviewed, edited and compiled into a CFPB Report entitled: “Mortgage Closings Today.”

I must say that the CFPB event was not as exciting as I hoped.  The Bureau has decided, at least for now, to focus on e-signing and e-closings as a solution to complaints by consumers that they are overwhelmed with the closing experience.  Director Cordray stated that the Bureau believes that consumers need more time to review documents and if they receive them electronically three days before a closing, they would have the time to properly review, understand and digest the loan package and thereby be better prepared to close the single largest financial transaction of their lives. The Director also talked about embedding notes and explanations in the documents as an educational component so that consumers could get an education not otherwise provided today by most closing professionals.

There was very little talk about settlement agents other than consumer complaints about their failure to explain documents, and rushing borrowers to complete the closing with little time to ask questions.  I had expected a conversation about an agent certification/education initiative for agents, who usually have no knowledge of the mortgage process, just the real estate, title and legal aspects of the closing. There was none.

A question and answer period followed the Director’s remarks and while most commented on how an e-closing would improve the process, not everyone was sold.  I was impressed with comments made by Margot Saunders, an attorney with the National Consumer Law Center.  Ms. Saunders pointed out that e-closings may possibly exclude a significant segment of consumers who do not have access to computers or have the knowledge and experience to use them in a manner that will relieve the stress of the overall experience.  She also explained that it also does not really address the core issue: the complexity of these documents and the failure of the professionals who participate in closing the loan to take the time to explain them fully so that a consumer can make an informed decision whether to proceed.

I applaud the CFPB and Director Cordray for the work they are doing to improve the overall mortgage experience for consumers, as well as the closing table experience in particular.  And while I believe that the e-closing initiative is an interesting first step towards a more efficient and consumer friendly experience, I believe that the time has come for uniform standards, cross-discipline best practices, and mandatory education. Measures such as these will ensure that anyone acting in such an important role in a major consumer financial transaction has the minimum knowledge, experience and ability to properly advise a consumer regarding the mortgage closing.

A recent panel on fraud issues included a healthy debate about the extent to which a lender can rely on the insured closing letter as a means to offset risk at the closing table.

Advocates felt that ALTA’s best practice initiative backed by the letters should give lenders sufficient assurances that any bad act at the closing table would be deterred or insured.  Others felt differently.  One audience member asserted that the insured closing letters were woefully inadequate to offset the type of risks that lenders care about most.

A careful reading of these letters exposes their limited applicability to a lender’s critical compliance and risk concerns.  In an era of heightened consumer protections, data security and risk monitoring what exactly do these letters, which are not an insurance product, offer?  Not enough to rely on them unconditionally.

Here are some of the key features of the standard insured closing letter issued nationally by various underwriters.  The language is similar if not identical no matter who is issuing the letter.

• “We agree to reimburse you for an actual loss incurred when the issuing attorney or closing agent…fails to follow your written closing instructions to the extent that (a) title is impaired or liens not properly recorded, or (b) the agent commits fraud with your funds or misapplies your funds, or (c) commits fraud in handling your documents. (emphasis added)

Exclusions to the letter include:

• Where the closing instructions vary from the title protection ordered in the title report;
• Failure of the agent to deposit the mortgage proceeds into the bank which you designated by name;

Some issues not covered by these letters include:

• Agents who conspire with others to commit fraud;
• Agents who steal or misuse a consumer’s personal and financial data obtained at closing;
• Agents who fail to report the fraud of others at the closing table;
• Agents who comply with closing instructions but are complicit in straw buyer, short sale, fraud, foreclosure rescue fraud, and undisclosed intervening flips;
• Agents who steal a borrower’s deposit or cash to close;
• Agents who permit cash outside closing.

In addition because these letters are not an insurance product, they are not uniform nationally (several states prohibit them, notably New York), not regulated like insurance, and are invoiced as a title charge not an insurance premium.

Finally, because the letters are not insurance, disputes regarding coverage are relegated to the courts, where litigation costs are expensive.  There is no insurance commissioner to complain to and no regulatory authority to help mediate disputes and investigate bad claims acts.

Quite simply reliance on the insured closing letter as risk management is misplaced confidence in a document that was never intended to protect lenders from all of the types of risks they face when closing loans, risks that can ultimately result in repurchases and fraud losses.  More importantly the insured closing letter, when collected in the mortgage process, does not excuse a lender from conducting the type of due diligence it must perform to meet CFPB, OCC, HUD and FNMA requirements for vendor management and consumer protection.

Until a suitable replacement can be implemented nationwide lenders should view these letters for what they are worth:  one small part of a larger enterprise risk management obligation to protect consumers and assure loan quality.

The Consumer Financial protection Bureau (CFPB) now has rule writing authority and enforcement authority over financial institutions, with respect to the Graham-Leach-Bliley Act (GLBA), the major federal consumer information privacy and data security laws.

The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance –to safeguard sensitive data. Mortgage lenders, mortgage brokers, credit unions and banks collect personal information from their customers including names, addresses, and phone numbers; bank and credit card account numbers; income and credit histories; assets and their location, as well as social security numbers. The name of minor children, marital status, birth dates and more are also found throughout a typical loan file.  GLBA thus requires all lenders to ensure the security and confidentiality of this type of information. As part of its implementation of the GLB Act, the Federal Trade Commission (FTC) issued the Safeguards Rule, which requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure.

According to the Safeguards Rule, financial institutions must develop a written information security plan that describes their program to protect customer information. All programs must be appropriate to the financial institution’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue. Covered financial institutions must: (a) designate the employee or employees to coordinate the safeguards; (b) identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of current safeguards for controlling these risks; (c) design a safeguards program, and detail the plans to monitor it; and (d) select appropriate service providers and require them (by contract) to implement the safeguards

As the recent electronic data breaches suffered by Target, Ebay and industry LOS system provider Ellie Mae demonstrate, when we live in a world where private information is shared, that information is a serious temptation for criminals. Mortgage lenders and banks, who have access to so much personal and financial information of a borrower, must take significant measures to safeguard that data and manage who has access to it.

To meet these compliance expectations, all lenders should expect to: (i) Develop a written data security plan; (ii) Designate responsible employees who may access sensitive data; (iii) Screen all employees with access upon hire and at least annually thereafter; (iv) Evaluate and monitor all third parties with access to sensitive data (ex: IT professionals, janitorial services, credit counselors, settlement attorneys, notaries, title agents); (v) Assess risks to customer data through breaches in security, including rouge employees; and, (vi) Test and monitor safeguards.

Risk management experts and industry auditors recommend that lenders, banks, credit unions and brokerage shops conduct annual screenings of all employees with access to consumer data, credit reports and financial information, as well as any third party vendor who may have access to some or all of the same data. Failure to adopt and enforce appropriate measures will eventually result in severe regulatory penalties and the potential for civil lawsuits for damages.

For years real estate closing work has been the “bread and butter” of many small law practices.  Representing buyers and sellers in sales and mortgage closing transactions can be a lucrative practice area, and because there are no significant rules and training or practice barriers as for example complex criminal defense or tax work, it has helped many an attorney pay off their law school loans.  That perception may be changing with the wide adoption of new vendor management requirements for third parties.

There is no question that the third party service provider management directives of the CFPB, FDIC, OCC and others cover attorneys who handle mortgage proceeds and closing documents in connection with residential real estate transactions.  There is no exemption for lawyers performing these functions nor does state bar licensing requirements satisfy the regulatory mandates for banks.  Lenders must comply with these vendor management rules or face unacceptable risks.  Accordingly real estate lawyers are being confronted more often with requests by lenders that attorneys submit to vendor management or “vetting” processes to meet regulatory expectations.  These processes may be internal to the bank, or they may be outsourced to third party vendor management firms such as the one we operate.

Why are attorneys covered? Because they have access to a lender’s funds, borrower funds and critical loan documents.  Quite frankly a bad attorney has the means and the method to cause serious financial harm very quickly.  The recent disclosure that a prominent attorney and his law firm in Georgia were alleged to have stolen as much as $30 Million in trust proceeds over several years dramatically highlights this point.

Lawyers who handle real estate closings may have access to a borrower’s complete personal and financial history, usually contained in the closing documents, especially the RESPA Form 1003 mortgage application.  The 1003 sets forth a consumer’s identity information (including SSN), address, workplace history, bank, and asset information.  Other closing documents may detail family relationships, marriage and divorce information, and similar personal data.

Attorneys, more than any other discipline that makes up the closing professional industry are generally the most educated, most trained, and most supervised group. However, even the state bar associations are largely reactionary to attorney malpractice and criminal behavior.  They simply do not have the technology, labor force and resources to engage in the type of ongoing risk evaluation and reporting that the government expects to ensure proper consumer protection.

The news about vendor management is coming slowly to many lawyers.  Real estate attorneys generally are contract and real property law specialists.  They know the ins and outs of the real estate transaction but virtually nothing about the mortgage process, as well as the regulations lenders must follow to ensure a safe transaction for the consumer.  Today however lawyers conducting closings need to know a lot more about the process, including disclosures, closing instructions, signs of mortgage fraud, and vendor management rules.

In the end, the old way of doing business as a real estate closing attorney is changing and changing fast.  There are good reasons for these changes, and attorneys are encouraged to study the applicable regulations and statutes so that they can better understand why they may be asked to become “vetted” before they close their next residential real estate transaction.

When the CFPB issued Bulletin 2102-3, forever changing the way that banks and lenders nationwide look at third party relationships, they offered only a bare outline of detail regarding what that risk management should include.  The general directive included: risk evaluation, ongoing monitoring, and verification of internal controls. Since then lenders have tended to interpret these requirements in ways that reflect their own risk appetite and compliance culture.  Some seek to merely “check the box,” while others are intent on crossing every “t” and dotting every “i.”

Clearly not all vendors are alike, and while there has not been any written guidance on the matter, comments from the CFPB seem to imply that a company should address the risk of a third party vendor in relation to the level of potential harm they might cause to a consumer.  Therefore it is logical to assume that there is a qualitative measurement of risk that a lender can perform and thereby place third parties in different risk buckets, applying different risk management standards to each bucket in relation to the risk level associated with the activity.  For example a vendor who has no access to a lender’s consumer data and records should obviously be evaluated differently than one who did.

The highest risks are generally third parties who have access to consumer data as well as those who interact directly with consumers in the loan process.  This group should include IT consultants, appraisers, mortgage brokers, and settlement agents, among others.  The lowest risks should include very large, well-capitalized and highly managed entities such as investors, national title underwriters, and large accounting firms.   Space does not permit me to expound further and discuss all the different risk levels and groups however it is worth noting that our research makes it clear to us that settlement agents are the highest risk third party vendor a lender will encounter.  The reasons for this are logical and easy to enumerate.

Settlement professionals, including attorneys, escrow agents, title closers, notaries and others who handle funds disbursement and documents at a closing, have access to more sensitive data and documents than anyone else, while also having access to the mortgage proceeds. This places them in perhaps the most critical, and therefor the highest risk area in the loan process.  The fact that most lenders have fraud technology which helps them identify bad actors and other risk factors at the front end of the manufacturing process (origination, processing and underwriting) and rarely any type of tool at the back end (closing and post-closing) makes the vetting and monitoring of settlement agents perhaps the highest priority for any lender today.

Need more proof?  An independent study conducted by FinCEN, the Financial Crimes Enforcement Network, which is the official repository for industry SARS filings, found that over the past five years escrow and settlement services are the largest and fastest growing areas of mortgage fraud.  Given the fact that the industry has embraced complex and effective front end fraud deterrence and prevention tools for years but is only now beginning to embrace closing and settlement fraud programs, the report is not surprising.  However the good news remains the continued progression towards widespread settlement agent vetting, monitoring and reporting that is currently transforming the settlement industry.  It is weeding out bad actors, encouraging best practices, and providing lenders with critical data to help them make better choices for closing services. Everyone wins in the end: lenders, agents and consumers.

Wells Fargo Bank and the Federal Bureau of Investigation (FBI) recently issued separate alerts throughout the industry regarding settlement agent wire fraud.  The reports, circulated in September, provided details of a widespread scam whereby criminals are hacking attorney and title agent email addresses and changing wire instructions prior to closing.  When the new instructions are not validated the criminals make off with the mortgage proceeds.

While most lenders request written wiring instructions, whether to satisfy warehouse bank requirements or their own internal risk management policies, very few verify them.  The assumption is made that if the instructions are being sent from the email address of an attorney or title company then they must be valid.  Some lenders are taking an extra step and checking the ABA routing number and bank account number with the Federal Reserve website to verify that the account is actually at the bank indicated.  However these processes are not a foolproof method to avoid the type of fraud warned of by federal law enforcement.

The most efficient way to protect your bank from wire fraud through this latest criminal scheme is to only wire funds to a verified account.  Verifying an account means more than simply checking the Federal Reserve records.  It requires true verification, at the source, that (a) the account is truly a trust account and not a business or personal account, (b) the account holder and authorized signers match the company owners and, (c) the account is in good standing and not fraught with bounced checks or fraud alerts.  Once the account is directly verified, then a bank should never wire funds to any other trust account associated with that settlement professional. In the event an account is changed (which does occur occasionally) then the new account must be verified prior to be used in conjunction with a closing.

At Secure Insight we have always prided ourselves in building something more than a “check the box” risk management platform.  Built with the input of risk experts at Lloyds, the Secure Insight platform has always included a direct at the source trust account verification and ongoing monitoring component.  We are proud to say that none of our bank clients would ever wire funds for any reason to an account that has not been independently verified by our analysts.  Perhaps this is one reason why after four years, the vetting of more than 25,000 settlement agents nationwide, and more than 750,000 closed transactions, not one of our clients has ever experienced a loss from escrow and settlement fraud.

Whether you choose to hire a firm such as ours to manage the risk, or you are committed to building, developing and managing your own process, one thing is certain.  You should never wire mortgage proceeds to an account that has not been truly vetted and verified.  In addition, any last minute requests to change wiring instructions should cause an immediate red flag alert, and a closing delayed until the change can be determined to be legitimate.

“Data privacy” and “data security” are terms most lenders are hearing over and over again these days.  The reasons for this are numerous but include the CFPB’s focus on the issue, increased publicity over data breaches in business and industry, and heightened concern by consumers about how their sensitive non-public information is being managed by banks.

Although data privacy and data security are terms that are commonly used interchangeably, they in fact mean different things.  A data security policy is required to ensure that data privacy is protected.  When a lender is entrusted with a borrower’s highly private information, the business must develop, implement and manage a security policy to protect this data.   So data privacy identifies that personal and private information which must be protected and how it may be used in a business in an appropriate manner, while data security includes the means and methods used to ensure the security of the data both internally (from employee breaches) and externally (from third party breaches).

Data privacy rules mean that lenders must define and police the appropriate use of borrower data within their walls.  This includes what data is gathered (relevance to services), who has access (need to know), and where data is stored (how long and how safe).  Both the CFPB and the Federal Trade Commission have jurisdiction over the mishandling and misuse of consumer data, and each may enforce penalties against lenders that have failed to ensure the privacy of a borrower’s data.  At a minimum, lenders must screen employees with access to private data regularly, have an appropriate policy in place regarding handling of data, and test these policies on an ongoing basis.

Data security encompasses your company’s practices and processes that are in in place to ensure data is not being used or accessed by unauthorized individuals or parties. It ensures sensitive data is accurate and reliable and is available when those with authorized access need it. A data security plan includes facets such as collecting only the required information, keeping it safe, and destroying any information that is no longer needed. These steps will help any business meet the legal obligations of possessing sensitive data. A data security policy is simply the means to the desired end, which is data privacy. However, no data security policy can completely overcome the efforts of third parties bent on hacking into databases and seeking access to consumer data to monetize for improper and illegal purposes. At a minimum, lenders must develop written data security policies that include safe storage of data and penetration testing of their backup systems (local and/or cloud) to search for gaps and leakage.

Knowing that there is no such thing as a foolproof data security system and that all systems are ultimately vulnerable to breach by determined criminals, lenders must demonstrate a commitment to adopting the most stringent policies relevant to the size and scope of their business, while also considering purchasing crimes and cyber liability insurance to off-load risk in the event of unexpected and unintended breaches.

Making sure all borrower data is private and being used properly can be a near-impossible task that involves multiple layers of security. Fortunately, with the right people, process and technology, lenders may support their data security policies through continual monitoring and visibility into every access point and with insurance back-up.