Tag: Dodd-Frank

Successful Risk Management Requires Proper Top-Down Governance

Written by Andrew Liput on . Posted in Secure Insight Blog. Leave a Comment

Any organization seeking to adopt appropriate operational risk management policies and procedures must ensure that they have met the five step process to ensure success.  This process focuses on proper governance.  It is not enough to simply “check the box” and hope that wire fraud, mortgage fraud and closing fraud never reach the organization.

The first step is LEADERSHIP BUY-IN.  Unless the “C Suite” decides to make risk management a priority no effective tools or policies will succeed.  There must be top down leadership in this area.  If your chief risk officer (CRO) or chief security officer (CSO) have to “push” their agenda, then the organization is in trouble.  Effective leadership is not only embracing the issue though, it also means effectively communicating it throughout the organization so that even the receptionist and the part-time employees know where you stand on the issue.

The second step is DEFINED HEAD OF COMPLIANCE.  Someone must be placed in charge.  Studies show that management by committee on risk issues results in failure.  Decide who is in charge  and let them manage with minimal interference.

The third step is ORGANIZATIONAL CULTURE.  As mentioned above, everyone has to buy into the  importance of risk and the method chosen to manage the risk.  Frequently in the mortgage industry sales and operations staff push back on risk management and compliance rules and tools because they are viewed as “disruptive” to their departmental goals (more sales, quick closings).  Without the buy-in of these departments measures to address risk of fraud and cyber crimes will not be successful.  Attitudes and behaviors must fall into line with processes and procedures.

The fourth step is CLEAR PROCESSES AND PROCEDURES.  Putting a process into place or using a tool only works if you go beyond the simple framework itself and successfully implement them.  We have seen lenders engage a tool or service and then never use it or only use it occasionally, without any clear policy directives.  Beyond implementation is testing and oversight.  Someone must be regularly making sure that your risk management tools actually work.

The fifth and last step is having a RESPONSE PLAN.  This is important to understand: No risk management tool or policy is foolproof. When an event occurs, whether a cyber breach, wire fraud or other loss, how you react, how quickly you react, and how you learn from the event can be more important than the event itself.  More than one lender recently has found that reputation risk and litigation risk arise when an organization fails to properly react following an event.

The last point to make is that cyber risk and fraud risk must be an “untouchable” line item in your operating budget.  Addressing these issues cannot be the “last in, first out” business decision we see too often.  When business is down, the risk of harm is GREATER because you do not have the economic cushion to absorb a loss. Good leaders, who manage an effective top-down process and set the proper tone about operational risk will not sacrifice protective tools and policies at the first sign of a market slow down.

We spent 12 years studying closing table risk, including 5 years working with risk analysts at Lloyds. Our closing table risk management tool is designed to meet your operational needs, with little disruption, while providing effective management of the risk of loss from cyber crimes that evolve in wire fraud, and all manner of closing and title fraud.  If you are a business leader concerned about closing table risk, please reach out and ask us how we can provide a solution you and your risk team will embrace.

 

 

Conviction of Attorney and Title Agency CEO for $26 Million Fraud Crime Reinforces Need for Closing Agent Risk Management

Written by Andrew Liput on . Posted in Secure Insight Blog. Leave a Comment

According to an article published today in Mortgage Professional America, the former CEO of LandCastle Title, who also served as the managing partner of a real estate law firm, will spend 15 years in federal prison for orchestrating a scheme to bilk his firm out of millions of dollars.

Nathan E. Hardwick IV, 53, operated both LandCastle Title and Morris Hardwick Schneider, a law firm that specialized in residential real estate closings and foreclosures. He was convicted in October of wire fraud, conspiracy, and making false statements to a federally insured financial institution.

Real estate attorneys and title professionals have access to lender funds, lender loan documents (including the note and mortgage), are charged with satisfying liens and judgments and ensuring lien priority.  They also have direct access to consumers and all of the consumer’s personal and financial information.  One a scale of 1 to 10, with 10 being the highest risk tier, settlement agents are in Tier 10.

Lenders must have a comprehensive, ongoing program of evaluating, rating, monitoring such risk as well as taking immediately steps to alter or disengage in any relationship that may cause harm.

Title and closing fraud are, by most estimates, a nearly $1 Billion dollar annual problem.  If you add in wire fraud the numbers escalate.

Ignoring this risk will not make it go away.  The Nathan Hardwicks of the industry will make sure of that.  Be vigilant and remember our motto: “trust, but verify.”

Protecting Borrower Data in An Age of Hacking and Phishing Schemes

Written by Andrew Liput on . Posted in Secure Insight Blog. Leave a Comment

“Data privacy” and “data security” are terms most lenders are hearing over and over again these days.  The reasons for this are numerous but include federal and state regulator focus on the issue, increased publicity over wire fraud and data storage breaches in business and industry, and heightened concern by consumers about how their sensitive non-public information is being managed by banks.

Although data privacy and data security are terms that are commonly used interchangeably, they in fact mean different things.  A data security policy is required to ensure that data privacy is protected.  When a lender is entrusted with a borrower’s highly private information, the business must develop, implement and manage a security policy to protect this data.   So data privacy identifies that personal and private information which must be protected and how it may be used in a business in an appropriate manner, while data security includes the means and methods used to ensure the security of the data both internally (from employee breaches) and externally (from third party breaches).

Data privacy rules mean that lenders must define and police the appropriate use of borrower data within their walls.  This includes what data is gathered (relevance to services), who has access (need to know), and where data is stored (how long and how safe).  Both the CFPB and the Federal Trade Commission have jurisdiction over the mishandling and misuse of consumer data, and each may enforce penalties against lenders that have failed to ensure the privacy of a borrower’s data.  At a minimum, lenders must screen employees with access to private data regularly, have an appropriate policy in place regarding handling of data, and test these policies on an ongoing basis.

Data security encompasses your company’s practices and processes that are in in place to ensure data is not being used or accessed by unauthorized individuals or parties. It ensures sensitive data is accurate and reliable and is available when those with authorized access need it. A data security plan includes facets such as collecting only the required information, keeping it safe, and destroying any information that is no longer needed. These steps will help any business meet the legal obligations of possessing sensitive data. A data security policy is simply the means to the desired end, which is data privacy. However, no data security policy can completely overcome the efforts of third parties bent on hacking into databases and seeking access to consumer data to monetize for improper and illegal purposes. At a minimum, lenders must develop written data security policies that include safe storage of data and penetration testing of their backup systems (local and/or cloud) to search for gaps and leakage.

Knowing that there is no such thing as a foolproof data security system and that all systems are ultimately vulnerable to breach by determined criminals, lenders must demonstrate a commitment to adopting the most stringent policies relevant to the size and scope of their business, while also considering purchasing crimes and cyber liability insurance to off-load risk in the event of unexpected and unintended breaches.

Making sure all borrower data is private and being used properly can be a near-impossible task that involves multiple layers of security. Fortunately, with the right people, process and technology, lenders may support their data security policies through continual monitoring, testing and visibility into every access point with insurance back-up when things go wrong.

CFPB: No More Regulation by Enforcement? An Analysis

Written by Andrew Liput on . Posted in Secure Insight Blog. Leave a Comment

According to Mortgage Professional America, the acting director of the Consumer Financial Protection Bureau, Mick Mulvaney, recently told industry leaders that the CFPB will no longer practice “regulation by enforcement.”

“The regulation by enforcement answer is really simple – we aren’t doing it anymore,” Mulvaney said. “It’s a fairness issue. If you’ve done something for so long and the government wants to change the rules, shouldn’t’ the government have to tell you they are changing the rules before they fine you?”

Mulvaney said further, “We are not out to make you look like a bad guy if you are not. We are out to enforce the law, not become the law.”

On its face some might see this as a reprieve from Dodd-Franks post-2008 regulatory expansions.  However this is not what Director Mulvaney is saying.  He is not indicating to lenders that existing regulations and laws will not be enforced.  He is implying that his agency (and only his agency) will no longer aggressively seek to enforce ambiguous or unwritten regulations in an effort to “find a crime” where none exists on its face.

In the absence of specific Congressional action, Dodd-Frank is alive and well and unless the CFPB issues writings specifically retracting its published bulletins and directives lenders still must be certain to meet every single compliance rule that they have been struggling to address over the past several years.

In addition, as I have written about previously, where the federal government leaves a vacuum the states often rush in to fill up.  Thus several states including New Jersey, Pennsylvania and others have recently announced the creation of state-level consumer financial protection agencies whose mission is no doubt designed to compensate for any actual or perceived erosion of the prior policies of the Cordray-led CFPB.  Because mortgage lenders are creatures of state licensing, unlike federally chartered banks and depository institutions, it does not seem very much will be changing any time soon for these businesses.

CFPB loosening its regulatory grip?  Don’t lay-off those compliance managers nor reallocate their budgets just yet.