It did not take long after the Silicon Valley Bank failure for politicians in Washington to rush to the next available microphone and lament the “loosening of bank regulations”. Instinctively the finger pointing began, and in many quarters ended up in the direction of the prior administration’s policy to generally roll back stringent business regulations and allow free market decisions to govern various industries. Chief among the complainants (no pun intended) was Sen Elizabeth Warren, who emerged out of the 2008 crisis as an architect and advocate for the Wall Street Reform Act and the creation of the vaunted Consumer Financial Protection Bureau ( CFPB), which she briefly directed. Just yesterday in DC’s The Hill publication, Sen Warren was reported as blaming the the collapse of Silicon Valley Bank on Republicans in Congress, which in 2018 helped pass a law to ease bank regulations put in place following the 2008 financial crisis. “No one should be mistaken about what unfolded over the past few days in the U.S. banking system: These recent bank failures are the direct result of leaders in Washington weakening the financial rules,” Warren is quoted as saying. According to The Hill piece, Warren, who voted against the 2018 bank deregulation bill, said that the crises would have been avoided if the banks were required to hold more liquid assets because the bill exempted banks with less than $250 billion in assets from rigorous Fed stress tests. Warren and other Democrats say the old rules could have caught the issues at SVB sooner. Given that politicians generally “never let a crisis go to waste,” many now suspect that the banking industry is about to be slammed with heightened regulatory scrutiny, tighter operational rules, more audits and exams, and larger and very public fines, penalties and consent orders. What does this mean for independent mortgage bankers (IMBs)? It means that they have to get back to the compliance mindset they were frightened into adopting between 2008 and 2018, and before the bottoming out of interest rates led everyone to believe that easy money was here to stay and that self-regulation meant hiring more loan officers. Keep those risk management officers and compliance directors close by folks, we are all in for a bumpy ride on the regulatory

The Consumer Financial protection Bureau (CFPB) now has rule writing authority and enforcement authority over financial institutions, with respect to the Graham-Leach-Bliley Act (GLBA), the major federal consumer information privacy and data security laws.

The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance –to safeguard sensitive data. Mortgage lenders, mortgage brokers, credit unions and banks collect personal information from their customers including names, addresses, and phone numbers; bank and credit card account numbers; income and credit histories; assets and their location, as well as social security numbers. The name of minor children, marital status, birth dates and more are also found throughout a typical loan file.  GLBA thus requires all lenders to ensure the security and confidentiality of this type of information. As part of its implementation of the GLB Act, the Federal Trade Commission (FTC) issued the Safeguards Rule, which requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure.

According to the Safeguards Rule, financial institutions must develop a written information security plan that describes their program to protect customer information. All programs must be appropriate to the financial institution’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue. Covered financial institutions must: (a) designate the employee or employees to coordinate the safeguards; (b) identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of current safeguards for controlling these risks; (c) design a safeguards program, and detail the plans to monitor it; and (d) select appropriate service providers and require them (by contract) to implement the safeguards

As the recent electronic data breaches suffered by Target, Ebay and industry LOS system provider Ellie Mae demonstrate, when we live in a world where private information is shared, that information is a serious temptation for criminals. Mortgage lenders and banks, who have access to so much personal and financial information of a borrower, must take significant measures to safeguard that data and manage who has access to it.

To meet these compliance expectations, all lenders should expect to: (i) Develop a written data security plan; (ii) Designate responsible employees who may access sensitive data; (iii) Screen all employees with access upon hire and at least annually thereafter; (iv) Evaluate and monitor all third parties with access to sensitive data (ex: IT professionals, janitorial services, credit counselors, settlement attorneys, notaries, title agents); (v) Assess risks to customer data through breaches in security, including rouge employees; and, (vi) Test and monitor safeguards.

Risk management experts and industry auditors recommend that lenders, banks, credit unions and brokerage shops conduct annual screenings of all employees with access to consumer data, credit reports and financial information, as well as any third party vendor who may have access to some or all of the same data. Failure to adopt and enforce appropriate measures will eventually result in severe regulatory penalties and the potential for civil lawsuits for damages.