Tag: emailscams

When a Closing Attorney’s E&O Policy is not Actually Insurance and Why a Lender Should Care

If you are merely collecting a “Certificate of Coverage” on behalf of a closing attorney and passing it through your loan process as meeting your internal risk management protocols, you may be in for an unpleasant surprise if a claim arises.

At Secure Insight we do more than collect insurance certificates: we review policies and validate coverage and payment directly at the source, the insurance agency or insurer where the policy originated. We ask important questions about the validity and extent of coverage, and about exclusions, because in the event of an incident a lender needs to know it can offset risk by filing a claim that will be processed and paid under a valid policy of insurance.

Recently we have discovered a rise in offshore, low-cost, risk-shared E&O coverage plans. These companies and policies are designed to exploit the high-cost nature of E&O for real estate attorneys and other professionals by offering ridiculously low fees for coverage. Notice I said “coverage” and “fees” and not “insurance” and “premiums.” That is because these policies are not traditional insurance and are likely not worth the paper on which they are written.

Risk sharing groups in the E&O space are based upon the concept of cooperative pooled risk arrangements. The idea, which has found success in the health insurance area, relies upon the pooling of all plan participant fees to cover expected losses from claims. The problems with this arrangement in the E&O space are numerous.

First, the plan is not an insurance product, and therefore is not governed by insurance laws or regulators. It is not filed or supervised in the United States. Second, the companies arranging these risk sharing pools are inevitably based outside the legal jurisdiction of the United States, making the enforcement of any lawful claim highly improbable and definitely costly. We are talking Belize, by way of example, not Canada. Third, these companies have no obligation to publish financials or provide any accounting of the fees being collected and supposedly held in a risk pool for the payment of claims. Fourth, the policies of coverage (they cannot use terms such as insurance and deductible) usually limit the covering company’s obligations significantly. One policy issued in Belize that I reviewed recently denied any obligation to defend a covered attorney in the event of a lawsuit and created a right on the company’s part to access the attorney’s personal and bank records, tax returns, finances and assets so that it can recover its losses directly from the covered party!

It appears many attorneys and others are being misled into believing that they can actually receive $2 Million in aggregate insurance coverage for $400 annually rather than $4,000 annually and they will meet their own risk needs and those of their counter-parties in the mortgage industry.  This is certainly not the case.

At Secure Insight we do more than just collect documents; we do real analysis, assign risk ratings, and monitor risk 24/7. Reviewing E&O “coverage” is just one way we accomplish that and ensure that our lender clients have a real source to offset potential losses and not one that looks like insurance but is really something else.

To our attorney friends: buyer beware! As my mother used to say, “If it appears too good to be true it usually is, dear.”

New Attorney E & O Exclusion Exposes Lender Closing Table Risk in Massachusetts

We have noticed that in Massachusetts, insurance carriers providing attorney errors and omissions coverage have been quietly adding a new exclusion to their new and renewal policies.  This exclusion is known as the “Disbursement of Funds” exclusion, and it creates enhanced risk for lenders in that state in the event an attorney fails to properly disburse funds.  Any “negligence” in this regard will not be covered as it had been traditionally in the past.

The exclusion reads as follows:

“The following acts are EXCLUDED from coverage under this policy: the disbursement or transfer of funds related to (a) the deposit of a counterfeit check or a check with insufficient funds; (b) the lack of a written verification from the issuing bank that the funds are available and valid, (c) a fraudulent scheme, or (d) the failure of any funds reaching the proper party or the intended recipient, for any reason.”

In a discussion with a Massachusetts agent we learned that some insurers are doing this because (i) the cost of wire fraud is becoming unbearable for them and (ii) they want to push attorneys to pay for cyber liability coverage which would help cover some (but not all) of the risk now being excluded.  Cyber coverage is not mandated for attorneys in Massachusetts.

The problem for lenders is that this new exclusion means that there is NO COVERAGE they can attach for reimbursement for a claim where an attorney disburses funds before a deposited check clears (which occurs far too often) or where an attorney fails to follow the closing instructions and disburses the proceeds to the wrong party or in the wrong amount.  Although these acts/omissions rise to the level of negligence, with this new exclusion there will be no coverage.

At Secure Insight we are encouraging attorneys in Massachusetts whom we monitor to acquire cyber liability coverage and also to certify to the adoption of internal policies and practices avoiding the risks inherent in the excluded matters.

As always, it is critical to keep abreast of all changes in all matters which may affect your mortgage lending business.  At Secure Insight we are watching for you, 24-7, 365 days a year to help prevent losses from title and closing fraud.

Stay vigilant and stay clear of fraud!

NYSAR Reports Up Market for Sales in NY; with No CPL, Lenders Face More Purchase Mortgage Closing Table Fraud Risk

Lending in New York? Purchase money business always carries closing fraud risk; however, New York business tends to be riskier for many lenders. The state has high average loan amounts, features instrument recording procedures that delay evidence of mortgage and deed recordings for long periods of time following the closing, and there is no CPL (closing protection letter) in the state. Lenders doing business in New York should be pleased business is on the uptick; however, if they do not have a closing table fraud prevention tool in their arsenal they may be facing more risk of potential losses due to fraud.

The NYSAR report released today stated in part:

“With 46,883 new listings and 29,100 pending sales across the Empire State in the first quarter, the real estate market is trending upwards, according to the housing market report released today by the New York State Association of REALTORS®. New listings were up 4.1 percent from the first quarter of 2018 while pending sales rose 0.8 percent.

Median sales prices were also up in a quarter-over-quarter analysis, rising 6.8 percent to $275,000. The average home sales price increased 1.5 percent as well to $360,526.

While closed sales declined from the first quarter of 2018, dropping 6.2 percent to 24,405 homes, other factors are allowing potential home buyers to remain optimistic. According to Freddie Mac, the 30-year fixed rate mortgage rate has steadily decreased since the beginning of 2019, falling to 4.27 percent, its lowest rate since January 2018.

With the typically strong spring season just around the corner, inventory continues to rise, increasing 3.4 percent to 63,504 homes for sale across the state.  The month’s supply of homes for sale was up 5.6 percent in year over year comparisons to 5.7 month’s supply. A 6-month to 6.5-month supply is considered to be a balanced market.”


Protecting Borrower Data in An Age of Hacking and Phishing Schemes

“Data privacy” and “data security” are terms most lenders are hearing over and over again these days.  The reasons for this are numerous but include federal and state regulator focus on the issue, increased publicity over wire fraud and data storage breaches in business and industry, and heightened concern by consumers about how their sensitive non-public information is being managed by banks.

Although data privacy and data security are terms that are commonly used interchangeably, they in fact mean different things.  A data security policy is required to ensure that data privacy is protected.  When a lender is entrusted with a borrower’s highly private information, the business must develop, implement and manage a security policy to protect this data.   So data privacy identifies that personal and private information which must be protected and how it may be used in a business in an appropriate manner, while data security includes the means and methods used to ensure the security of the data both internally (from employee breaches) and externally (from third party breaches).

Data privacy rules mean that lenders must define and police the appropriate use of borrower data within their walls.  This includes what data is gathered (relevance to services), who has access (need to know), and where data is stored (how long and how safe).  Both the CFPB and the Federal Trade Commission have jurisdiction over the mishandling and misuse of consumer data, and each may enforce penalties against lenders that have failed to ensure the privacy of a borrower’s data.  At a minimum, lenders must screen employees with access to private data regularly, have an appropriate policy in place regarding handling of data, and test these policies on an ongoing basis.

Data security encompasses your company’s practices and processes that are in place to ensure data is not being used or accessed by unauthorized individuals or parties. It ensures sensitive data is accurate and reliable and is available when those with authorized access need it. A data security plan includes facets such as collecting only the required information, keeping it safe, and destroying any information that is no longer needed. These steps will help any business meet the legal obligations of possessing sensitive data. A data security policy is simply the means to the desired end, which is data privacy. However, no data security policy can completely overcome the efforts of third parties bent on hacking into databases and seeking access to consumer data to monetize for improper and illegal purposes. At a minimum, lenders must develop written data security policies that include safe storage of data and penetration testing of their backup systems (local and/or cloud) to search for gaps and leakage.

Knowing that there is no such thing as a foolproof data security system and that all systems are ultimately vulnerable to breach by determined criminals, lenders must demonstrate a commitment to adopting the most stringent policies relevant to the size and scope of their business, while also considering purchasing crime and cyber liability insurance to off-load risk in the event of unexpected and unintended breaches.

Making sure all borrower data is private and being used properly can be a near-impossible task that involves multiple layers of security. Fortunately, with the right people, process and technology, lenders may support their data security policies through continual monitoring, testing and visibility into every access point with insurance back-up when things go wrong.

Data Breaches from Email Phishing Scams Still Rocking Mortgage Industry: WEI Mortgage latest victim.

Just today the industry learned that WEI Mortgage has discovered a data breach from an email phishing scam last fall that appears to have exposed loan file information and borrower personal identifying data such as Social Security numbers to outside parties.

Back in October 2016 I wrote that Wells Fargo Bank and the Federal Bureau of Investigation (FBI) had issued separate alerts throughout the industry regarding settlement agent wire fraud. The reports provided details of a widespread scam whereby criminals are hacking attorney and title agent email addresses and changing wire instructions prior to closing. When the new instructions are not validated, the criminals make off with the mortgage proceeds. Despite these warnings, this crime scheme is spreading, as title agents, lenders, attorneys and the consumers they serve are finding out to their great harm. WEI is only the latest victim.

According to Wikipedia, phishing is “the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.”

Although the FTC, through the Gramm-Leach-Bliley Act, and the Consumer Financial Protection Bureau (CFPB) have broadcast the need for data security and privacy measures to protect consumer non-public, personal information (NPPI), many banks either are unable or unwilling to implement the steps required to root out and block criminal enterprises in the US and overseas who are busy hacking into email accounts.

Several incidents around the country in the past year have reflected a similar theme.  Hackers accessed a lender’s email, either through a borrower’s address, a loan officer using a personal email domain not protected by a lender’s network, or an attorney’s email.  The scammers then sent an email, either to the title agent, attorney or to the closing department of the lender, including revised wiring instructions.  The wires were then sent to the criminal’s bank and not the intended recipient.  In one case in Florida a title company is accused of neglecting to conduct appropriate internal data security measures after it received a bogus wire instruction and sent it off to a consumer who then wired the seller’s proceeds to someone else.  With the money long gone, the seller sought recovery against the agency and the buyer for their alleged negligence.

Affirmative measures to combat this crime are being implemented by many in the industry. For example, many lenders are taking an extra step and checking the ABA routing number and bank account number with the Federal Reserve website to verify that the account is actually at the bank indicated. Others are sending a verification of trust account to the settlement agent’s bank to verify that the account is truly a trust account in the name and for the business of the title agent, attorney or other closing professional.

Most title agents are now sending lenders and attorneys their title reports with cover letters containing language in red or bold black print with instructions such as:  We no longer send wiring instruction by email, please call our offices to verify the proper bank information!
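The check below is an added example, not code from the original post: it compares wire instructions received before closing against a previously verified record and holds any change for a phone call-back. The class and function names and all sample values are assumptions constructed for illustration; the ABA check-digit test only catches malformed numbers and does not replace verifying the account with the bank.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class WireInstructions:
    routing: str      # 9-digit ABA routing number
    account: str
    beneficiary: str


def aba_checksum_ok(routing: str) -> bool:
    """ABA check digit: 3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) is 0 mod 10."""
    if not re.fullmatch(r"[0-9]{9}", routing):
        return False
    d = [int(c) for c in routing]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def _norm(value: str) -> str:
    # Ignore case, spacing and punctuation so cosmetic edits do not hide or fake a change.
    return re.sub(r"[^a-z0-9]", "", value.lower())


def review_wire_request(on_file: WireInstructions, received: WireInstructions, channel: str):
    """Return (decision, reasons); decision is 'release' or 'hold_for_callback'."""
    reasons = []
    if not aba_checksum_ok(received.routing):
        reasons.append("routing number fails ABA check digit")
    if received.routing != on_file.routing:
        reasons.append("routing number differs from verified record")
    if _norm(received.account) != _norm(on_file.account):
        reasons.append("account number differs from verified record")
    if _norm(received.beneficiary) != _norm(on_file.beneficiary):
        reasons.append("beneficiary name differs from verified record")
    if channel == "email" and reasons:
        reasons.append("change arrived by email; confirm by phone using the number on file")
    return ("hold_for_callback" if reasons else "release", reasons)


# Constructed sample data: the verified record and a "revised instructions" email.
ON_FILE = WireInstructions("123456780", "0001-2345-6789", "Example Title Agency LLC IOLTA")
REVISED = WireInstructions("987654320", "555000111", "Example Title Agency LLC")

if __name__ == "__main__":
    print(review_wire_request(ON_FILE, REVISED, "email"))
```

Note that the revised routing number passes the check digit, so the hold is triggered only by the comparison with the verified record.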

Phishing is not a new problem.  I have located articles dating back to 2005 warning consumers and lenders about email phishing schemes designed to access and steal NPPI. It is clear that this is a serious problem that is getting more serious as technology has advanced and criminals have become more resourceful and bold.

Today’s announcement by WEI Mortgage is yet another acknowledgement that electronic innovation, in society generally and in the mortgage banking industry specifically, offers serious perils along with tremendous benefits. With federal and state regulators’ very firm positions on lender obligations to protect consumers from harm due to data security breaches, and lawyers lining up to file lawsuits for damages, every lender is on notice that they very well could be the next victim. Cyber liability insurance coverage carriers are surely experiencing a booming sales period.