It did not take long after the Silicon Valley Bank failure for politicians in Washington to rush to the next available microphone and lament the “loosening of bank regulations”. Instinctively the finger-pointing began, and in many quarters it ended up aimed at the prior administration’s policy to generally roll back stringent business regulations and allow free market decisions to govern various industries. Chief among the complainants (no pun intended) was Sen. Elizabeth Warren, who emerged out of the 2008 crisis as an architect and advocate for the Wall Street Reform Act and the creation of the vaunted Consumer Financial Protection Bureau (CFPB), which she briefly directed.
Just yesterday in DC’s The Hill publication, Sen. Warren was reported as blaming the collapse of Silicon Valley Bank on Republicans in Congress, which in 2018 helped pass a law to ease bank regulations put in place following the 2008 financial crisis. “No one should be mistaken about what unfolded over the past few days in the U.S. banking system: These recent bank failures are the direct result of leaders in Washington weakening the financial rules,” Warren is quoted as saying. According to The Hill piece, Warren, who voted against the 2018 bank deregulation bill, said that the crises would have been avoided if the banks were required to hold more liquid assets because the bill exempted banks with less than $250 billion in assets from rigorous Fed stress tests. Warren and other Democrats say the old rules could have caught the issues at SVB sooner.
Given that politicians generally “never let a crisis go to waste,” many now suspect that the banking industry is about to be slammed with heightened regulatory scrutiny, tighter operational rules, more audits and exams, and larger and very public fines, penalties and consent orders. What does this mean for independent mortgage bankers (IMBs)?
It means that they have to get back to the compliance mindset they were frightened into adopting between 2008 and 2018, before the bottoming out of interest rates led everyone to believe that easy money was here to stay and that self-regulation meant hiring more loan officers. Keep those risk management officers and compliance directors close by, folks; we are all in for a bumpy ride on the regulatory
Never have there been so many legal and ethical considerations surrounding mortgage lender handling of consumer data. There are good reasons for this fact.
Mortgage lenders have access to the most personal and private information owned and guarded by consumers. This includes their names, ages and dates of birth, marital status, home addresses, work addresses and detailed employment and salary information, assets including bank accounts, credit card and debt information, spouse and family members, and credit scores. This information is usually collected electronically, occasionally manually, and passes through the hands and eyes of dozens of persons both within and without an organization as the loan process progresses towards a closing. The handling of this information plainly represents a significant trust factor, and it carries ethical and legal considerations which must be appropriately managed at the risk of litigation, regulatory and reputational costs.
The Gramm-Leach-Bliley Act, Federal Trade Commission rules, CFPB, OCC and HUD directives, and new state data privacy and security laws (i.e. New York and California) among others, all bring specific obligations and the risk of severe penalties to those who fail to “plan and execute.”
Managing this problem, like most operational issues, requires a carefully crafted plan to assure the data collected from trusting consumers does not end up being stolen, lost or abused and thereby causing them harm. Some key considerations every lender should be addressing include:
- Having a cyber security policy that addresses how stored data can be properly protected from outside intrusion and internal negligence and bad actors.
- Enforcing a “clean desk” policy that prohibits employees from having smartphones and other devices in their workplace which might record or copy sensitive data. This policy should also address the proper handling and disposal of paper records through shredding and locked file cabinets, as the case may be.
- Training all employees from owners and managers to the newest hire on the importance of data privacy and security, the methods of preventing cyber breaches, and the consequences for negligent and intentional acts causing harm to the company and its clients.
- Engaging proper tools (software, hardware, and third party service providers) to help manage risk and reduce the likelihood of an event.
- Conducting appropriate evaluation of risk tools and third party providers to ensure they are working effectively and they are not subject to unacceptable risk as well.
- Establishing a crisis management policy for when something goes wrong so that you can assess, contain, restore and report an event.
Private data (also known as PII, or Personally Identifiable Information) is entrusted to mortgage lenders with the reasonable expectation that it will be handled appropriately throughout the organization. Next to medical data, personal and financial data is the most coveted private data sought by criminals for its resale value. Recognizing their unique role in handling this sensitive information, all lenders must plan and execute appropriately.