It did not take long after the Silicon Valley Bank failure for politicians in Washington to rush to the next available microphone and lament the “loosening of bank regulations”. Instinctively the finger pointing began, and in many quarters ended up in the direction of the prior administration’s policy to generally roll back stringent business regulations and allow free market decisions to govern various industries. Chief among the complainants (no pun intended) was Sen Elizabeth Warren, who emerged out of the 2008 crisis as an architect and advocate for the Wall Street Reform Act and the creation of the vaunted Consumer Financial Protection Bureau ( CFPB), which she briefly directed. Just yesterday in DC’s The Hill publication, Sen Warren was reported as blaming the the collapse of Silicon Valley Bank on Republicans in Congress, which in 2018 helped pass a law to ease bank regulations put in place following the 2008 financial crisis. “No one should be mistaken about what unfolded over the past few days in the U.S. banking system: These recent bank failures are the direct result of leaders in Washington weakening the financial rules,” Warren is quoted as saying. According to The Hill piece, Warren, who voted against the 2018 bank deregulation bill, said that the crises would have been avoided if the banks were required to hold more liquid assets because the bill exempted banks with less than $250 billion in assets from rigorous Fed stress tests. Warren and other Democrats say the old rules could have caught the issues at SVB sooner. Given that politicians generally “never let a crisis go to waste,” many now suspect that the banking industry is about to be slammed with heightened regulatory scrutiny, tighter operational rules, more audits and exams, and larger and very public fines, penalties and consent orders. What does this mean for independent mortgage bankers (IMBs)? It means that they have to get back to the compliance mindset they were frightened into adopting between 2008 and 2018, and before the bottoming out of interest rates led everyone to believe that easy money was here to stay and that self-regulation meant hiring more loan officers. Keep those risk management officers and compliance directors close by folks, we are all in for a bumpy ride on the regulatory

“Data privacy” and “data security” are terms most lenders are hearing over and over again these days.  The reasons for this are numerous but include the CFPB’s focus on the issue, increased publicity over data breaches in business and industry, and heightened concern by consumers about how their sensitive non-public information is being managed by banks.

Although data privacy and data security are terms that are commonly used interchangeably, they in fact mean different things.  A data security policy is required to ensure that data privacy is protected.  When a lender is entrusted with a borrower’s highly private information, the business must develop, implement and manage a security policy to protect this data.   So data privacy identifies that personal and private information which must be protected and how it may be used in a business in an appropriate manner, while data security includes the means and methods used to ensure the security of the data both internally (from employee breaches) and externally (from third party breaches).

Data privacy rules mean that lenders must define and police the appropriate use of borrower data within their walls.  This includes what data is gathered (relevance to services), who has access (need to know), and where data is stored (how long and how safe).  Both the CFPB and the Federal Trade Commission have jurisdiction over the mishandling and misuse of consumer data, and each may enforce penalties against lenders that have failed to ensure the privacy of a borrower’s data.  At a minimum, lenders must screen employees with access to private data regularly, have an appropriate policy in place regarding handling of data, and test these policies on an ongoing basis.

Data security encompasses your company’s practices and processes that are in in place to ensure data is not being used or accessed by unauthorized individuals or parties. It ensures sensitive data is accurate and reliable and is available when those with authorized access need it. A data security plan includes facets such as collecting only the required information, keeping it safe, and destroying any information that is no longer needed. These steps will help any business meet the legal obligations of possessing sensitive data. A data security policy is simply the means to the desired end, which is data privacy. However, no data security policy can completely overcome the efforts of third parties bent on hacking into databases and seeking access to consumer data to monetize for improper and illegal purposes. At a minimum, lenders must develop written data security policies that include safe storage of data and penetration testing of their backup systems (local and/or cloud) to search for gaps and leakage.

Knowing that there is no such thing as a foolproof data security system and that all systems are ultimately vulnerable to breach by determined criminals, lenders must demonstrate a commitment to adopting the most stringent policies relevant to the size and scope of their business, while also considering purchasing crimes and cyber liability insurance to off-load risk in the event of unexpected and unintended breaches.

Making sure all borrower data is private and being used properly can be a near-impossible task that involves multiple layers of security. Fortunately, with the right people, process and technology, lenders may support their data security policies through continual monitoring and visibility into every access point and with insurance back-up.