Tag: mortgage fraud

Data Breaches from Email Phishing Scams Still Rocking Mortgage Industry: WEI Mortgage latest victim.

Just today the industry learned that WEI Mortgage has discovered a data breach from an email phishing scam last Fall that appears to have exposed loan file information and borrower personal identifying data such as Social Security numbers to outside parties.

Back in October 2016 I wrote that Wells Fargo Bank and the Federal Bureau of Investigation (FBI) had issued separate alerts throughout the industry regarding settlement agent wire fraud.  The reports provided details of a widespread scam whereby criminals are hacking attorney and title agent email addresses and changing wire instructions prior to closing.  When the new instructions are not validated the criminals make off with the mortgage proceeds.  Despite these warning, this crime scheme is spreading as title agents, lenders, attorneys and the consumers they serve are finding out to their great harm. WEI is only the latest victim.

According to Wikipedia, Phishing is “the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.”

Although the FTC, through the Graham-Leach-Bliley Act, and the Consumer Financial Protection Bureau (CFPB) have broadcast the need for data security and privacy measures to protect consumer non-public, personal information (NPPI), many banks either are unable or unwilling to implement the steps required to root out and block criminal enterprises in the US and overseas who are busy hacking into email accounts.

Several incidents around the country in the past year have reflected a similar theme.  Hackers accessed a lender’s email, either through a borrower’s address, a loan officer using a personal email domain not protected by a lender’s network, or an attorney’s email.  The scammers then sent an email, either to the title agent, attorney or to the closing department of the lender, including revised wiring instructions.  The wires were then sent to the criminal’s bank and not the intended recipient.  In one case in Florida a title company is accused of neglecting to conduct appropriate internal data security measures after it received a bogus wire instruction and sent it off to a consumer who then wired the seller’s proceeds to someone else.  With the money long gone, the seller sought recovery against the agency and the buyer for their alleged negligence.

Affirmative measures to combat this crime are being implemented by many in the industry.  For example many lenders are taking an extra step and checking the ABA routing number and bank account number with the Federal Reserve website to verify that the account is actually at the bank indicated.  Others are sending a verification of trust account to the settlement agent’s bank to verify that the account is truly a trust account in the name and for the business of the title agent, attorney or other closing professional.

Most title agents are now sending lenders and attorneys their title reports with cover letters containing language in red or bold black print with instructions such as:  We no longer send wiring instruction by email, please call our offices to verify the proper bank information!

Phishing is not a new problem.  I have located articles dating back to 2005 warning consumers and lenders about email phishing schemes designed to access and steal NPPI. It is clear that this is a serious problem that is getting more serious as technology has advanced and criminals have become more resourceful and bold.

Today’s announcement by WEI Mortgage is yet another acknowledgement that electronic innovation in society generally and in the mortgage banking industry specifically, while offering tremendous benefits also offers serious perils.   With federal and state regulators very firm positions on lender obligations to protect consumers from harm due to data security breaches, and lawyers lining up to file lawsuits for damages, every lender is on notice that they very well could be the next victim.  Cyber liability insurance coverage carriers are surely experiencing a booming sales period.

 

Why Settlement Agents Pose the Greatest Risk to Mortgage Lenders and Borrowers

Settlement agents, the men and women who manage the closing of residential mortgage loans, carry a great burden with them.  Each time they close a loan they have access to mortgage proceeds, lender documents including the important collateral security instruments (note and mortgage) and borrower personal and financial information (in the final 1003 and other closing table documents). No other third party that participates in the mortgage loan assembly-line process has greater authority, greater responsibility and greater opportunity to commit fraud.

Because fraud risk is elevated during periods of high purchase volume, as opposed to a boom in rate and term refinances, lenders are faced with the potential for serious losses when the managing of closing agent risk fails to occur.

It was not until about 2011 that the FBI and FINCen began to report title and closing fraud as a subset of overall mortgage fraud.  Since that time the numbers have consistently demonstrated that fraud at the closing table is more than 20% of overall fraud.  With the annual reported mortgage fraud numbers in excess of $4 Billion this means that the actual reported losses are in the $800,000-$1 Billion range.  This is an enormous problem for the industry and one which only recently has been addressed with heightened vendor management scrutiny.

While it is certainly true that the vast majority of settlement agents (attorneys, title agents, escrow officers and notaries) are professional, competent and trustworthy there are many who are not.  One reason for this is that the different disciplines have varied education, training, licensing, insurance and bond requirements.  The second is that there are no performance standards or uniform, cross-disciplinary training programs to ensure that everyone has a base of key knowledge about all things consumer protection, mortgage loan and title insurance. Another issue is the lack of required training in regulatory and compliance for this group of professionals so that they have an understanding of what investors, the GSEs, HUD, the CFPB and state regulators expect from lenders in the nature of risk compliance and loan quality assurance.

While the industry has come a very long way since Secure Insight began in 2012 and created a storm of controversy over settlement agent vetting, much has yet to be done to assure lenders and borrowers that the single largest financial transaction of their lives has been fully vetted and managed for risk.   We continue to strive to enhance our tools and to find means and methods to assure both of these groups that they can trust a process that poses so much potential for financial harm.

For more information reach out to us at

in**@se***********.com











and visit our website at www.secureinsightsales.com

 

 

 

Enterprise Risk Management: What’s in Your MROM?

Increasing regulatory pressures on banks and lenders to adopt greater risk management systems and processes are aimed at establishing a more uniform approach to quality control industry-wide.  At the same time these pressures seek to protect consumers from the type of non-managed business decisions that were at the root of the financial industry collapse several years ago. Consequently federal regulators and the GSEs are requiring mortgage makers to demonstrate that they have adequate policies addressing full enterprise risk management, stem to stern, and that these policies are more than just window dressing.  Audits are requiring that proof be provided that such policies are being used, adapted and modified as needed in response to threats and actual loss events.

At SSI we call this broad-based approach to total risk management the Mortgage Risk Operations Model, or MROM.  An MROM implies that banks and lenders have conducted an internal audit and analysis of all of their procedures and operating systems throughout the mortgage manufacturing cycle.  Lenders have then identified key touch points where regulatory, compliance, quality control and risk management issues arise. Once these touch points are establish, then appropriate controls were developed for each issue, backed by guidelines, overlays, training, technology, ongoing monitoring and management oversight.  Testing, revisions and enhancements are conducted regularly in response to perceived and actual threats.  An MROM committee or team meets weekly or monthly (depending upon an organizations size) to review issues and ensure the MROM is operating properly. Records and reports are maintained in the event of an audit to demonstrate commitment to managing enterprise risk.

The key touch points in developing an MROM will likely involve the following stages of the mortgage cycle: loan origination, processing, underwriting, pre-funding QC, closing, post-closing, 3rd party post funding QC, and ongoing QC/QA training. At these stages the evaluation may address such things as employment screening, best practices, employee performance valuations, quality control plans, automated fraud tools, third party service provider risk and company-wide training. It will also necessarily require ensuring a culture of accountability, self-evaluation, risk reporting, and adequate response.

Adopting an MROM fulfills the expectations of regulators that mortgage makers have an appropriate strategy to manage risk and changes in a volatile business environment, integrating a uniform but flexible approach to maximizing business success through quality production.  Such an approach also fulfills expectations that internal company cultures will embrace accountability and consumer protection.

SSI is a third party service provider managing closing table risk.  We partner with banks, lenders and credit unions to provide an outsourced solution to evaluating risk, monitoring it on an ongoing basis, and issuing reports.  Our services typically assist these entities in their MROM at the processing, underwriting, and closing stages of the manufacturing cycle.  Quality service provider risk management at these touch points ensures that in the event of an audit a bank may demonstrate that their approach is Independent, comprehensive, includes ongoing monitoring, provides a method to respond to high risk individuals and events, and engages the proper technology to assure data security, data privacy and uniform regular reporting.

What’s in your MROM?  If you are not asking that question then you are missing an important compliance evaluation that may limit your future business success.

  • 1
  • 2