The Mortgage Lending Industry Lacks Information Security
If you do very much online shopping, you have probably purchased something in the past from a website that has a digital badge verifying that the website is PCI DSS compliant.
PCI DSS is short for the Payment Card Industry Data Security Standard. This is a set of data security standards set and kept up to date by a council made up of the major credit card companies. In order for a company to process credit cards, it is required to adhere to the standards set forth in the PCI DSS, and to verify its compliance with a third-party assessor. I used to work for one of those third-party assessors. My job was to help companies achieve compliance through annual questionnaires and quarterly vulnerability scans. Even small companies that only processed a handful of credit card transactions per year were required to be in compliance with the PCI DSS or risk losing their ability to process credit card payments. For some companies, this meant making major changes to the way they accepted, processed, and stored credit card and customer data. But it was necessary in order to protect customer credit card information from hackers.
A few years later, I found myself working as a mortgage originator. I was accepting, processing, storing, and sending credit card details, tax returns, W2s, driver's licenses, bank statements, and more. But there was never an assessment I had to take, or a vulnerability scan done on my network. In fact, there was never very much instruction given at all with regard to information security. When I took the test to become a licensed originator, there was not a single question on the test that pertained to data security. The many hours of training and continuing education I sat through never mentioned anything either. It shocked me that there are checks in place requiring companies to verify the security of their networks and systems, with specific guidelines, vulnerability testing, and training before they can process credit cards. But thousands of mortgage lenders are processing and storing much more sensitive data every day and have never had any type of security assessment, vulnerability scan, or anything else to verify that their employees are taking the necessary steps to protect against hackers. Most large banks have teams of people working around the clock to make sure your data is secure, but small to medium-sized mortgage lenders don’t have the resources to hire a cybersecurity professional. This often results in having a subpar information security program, or none at all, and leaving borrower data unprotected.
Why Borrowers Need LendSafe
From a borrower’s perspective, it’s almost impossible to truly know how your data is treated once you hand it over to a loan originator. Let’s say you’re buying a new home and shopping lenders. You’ve narrowed your search to two local mortgage brokers that have the best rates.
- Lender #1 has no information security program. Their originators work remotely and have never received any training on how to protect borrower data. Some of the originators use their shared family computer to process and store client documents when their kids aren’t playing Minecraft. They still have all of their client documents stored on their email server and have never purged anything.
- Lender #2 has thorough security policies and procedures in place. Their originators also work remotely, but are required to abide by LendSafe’s security standards. This means that each employee takes a yearly assessment to ensure they’re receiving, processing, storing, and purging borrower data regularly, and taking all necessary precautions to protect that data in the process. They undergo vulnerability scanning, training, operational auditing, and other methods of testing to ensure cyber-risk is mitigated to the highest degree possible.
If pricing is similar and you care about the confidentiality of your most sensitive personal data, you will choose to go with Lender #2. Choosing to go with Lender #1 is opening yourself up to the possibility of malicious criminals accessing your documents for years to come. Unfortunately, most borrowers are unable to differentiate between the two lenders from their point of view. Without a third party to verify that Lender #2 is taking the necessary precautions behind the scenes, borrowers would assume that both Lender #1 and Lender #2 are probably taking the same measures to protect borrower data.
One of the main purposes of LendSafe is to bring consumer clarity to the security practices of mortgage lenders. When borrowers are searching for a lender and they see the “LendSafe Certified” seal on a lender website, they will know with confidence that their documents and data will be taken care of securely.
Why Mortgage Lenders Need LendSafe
If you pay attention to news headlines, you undoubtedly see stories almost daily about cyber-breaches and hacks. While most of the big headlines highlight breaches of large, established companies, small to medium-sized companies are hacked constantly. Mortgage lenders are a prime target of cyber-criminals due to the sensitivity of the data they collect. While you may not realize it, there are likely local mortgage lenders in your area that have fallen victim to hackers.
When your business becomes the victim of a cyber-crime, the consequences can be severe. One anonymous mortgage originator recently told me the story of a ransomware attack that affected their entire company in late 2020. The lender had to pay a huge sum of money to recover their borrowers’ data from hackers. They then had to inform all of their current and past customers of the breach and provide credit monitoring and identity theft protection services to them. The legal fees, ransomware payments, lost revenue from clients, regulator action, and loss of loan originators who no longer wanted to be associated with the hack dealt a huge blow to the lender. It was difficult to avoid liability because their information security program was close to non-existent.
Choosing to operate a mortgage lending company without a robust information security program is taking a huge risk. Using LendSafe to lower liability and increase cybersecurity within the company mitigates that risk.
LendSafe Protects Both Lenders and Borrowers
With the threat of cyber-attacks growing each day, mortgage lenders need to be more proactive in protecting their borrowers’ data. Small to medium-sized lenders need a solution outside of hiring a full-time cybersecurity professional to make that happen. LendSafe fills that operational gap for them and allows them to focus on what they do best – closing loans.