The Updated GLBA Safeguards Rule and Mortgage Lenders

Jordan Bingham           08/26/2022

What is the GLBA Safeguards Rule?

Update: Enforcement of certain parts of the updated Safeguards Rule has been pushed back to June 2023 to give time for lenders to be in compliance. The purpose of the Gramm-Leach-Bliley Act Safeguards Rule is to enforce data security practices that help financial institutions protect consumer data. This set of regulations was amended late 2021 to include relevant updates and more specific requirements. They will go into effect December 9, 2022 (See update above).

The majority of the GLBA Safeguards Rule’s individual requirements apply to mortgage lenders of all sizes. Even single-person shops are required to take specific actions to safeguard their customers’ data. Some requirements only apply to businesses that store the data of over 5,000 clients at any given time. I will discuss those later.

Requirements for all mortgage lenders:

1. You must have a designated “Qualified Individual” oversee your company’s data security program. This person must have expertise and experience proportionate to the amount of data they are tasked with protecting. The role must be assigned to a single individual, not multiple, and can be an outside service provider or individual.
2. Regularly train employees to recognize and react appropriately to cyber-threats.
3. Perform a Risk Assessment. This assessment will help identify internal and external vulnerabilities threatening the confidentiality or integrity of your clients’ data. It will determine what changes need to be made in order to better protect that data.
4. Regularly review access controls. Who in your organization has access to consumer data? Do they need to have access to it in order to do their job? These are important questions to ask when considering the level of access to consumer data that employees have access to.
5. Regularly map out your data ecosystem. Review how your company accepts, stores, processes, transmits, and purges consumer data. How often is that data purged? Can the data be accessed from anywhere else? Because if you don’t know where the data is, you can’t effectively protect it.
6. Encrypt consumer data both at rest and in-transit. Sending and storing this data without the use of encryption leaves it vulnerable and more easily accessible to hackers.
7. Assess your third-party services. Does the LOS software you use effectively protect your customers? Apps on your computer or phone could also pose a security risk if not carefully considered and vetted.
8. Use Multi-Factor Authentication. One of the simplest ways to protect your accounts, multi-factor authentication is required in all circumstances except as is approved by the company’s Qualified Individual in writing.
9. Destroy consumer data when you are no longer required to keep it. This includes purging it from all backups and secondary locations.
10. Regularly evaluate any changes made to your information technology infrastructure. If you get a new router or change your LOS system, you must consider how this affects your company’s data security.
11. Where possible, keep a log of employees’ access to company resources and systems.
12. Monitor and regularly test for vulnerabilities. Through careful monitoring and vulnerability scanning every 6 months, you can catch and remediate points of weakness before they are exploited by a hacker.
13. Regularly update your information security program. Keep it current to effectively address current and upcoming threats facing your company.

Storing data belonging to over 5,000 clients?

For mortgage lenders that have the data of over 5,000 consumers in their possession, there are 3 additional requirements. It is important to note that the 5,000-client requirement covers any data stored, not just active clients for that year. This means that if a company processes around 2,000 loans per year, they likely exceed the 5,000-client limit since they are required to store consumer data for a minimum of 3 years.

The 3 additional requirements for these lenders are:

1. Complete a regular written risk assessment. This requirement is more stringent for companies with 5,000+ client records than it is for smaller lenders, as smaller lenders are not required to complete a written assessment. This assessment is an important tool in identifying areas of improvement, as well as creating a record of issues that were presented to upper management.
2. Have a written incident response plan. An incident response plan outlines what you do when a cyber-related incident occurs. If you turn on your computer tomorrow and realize you have been hacked, what is your next plan of action? An incident response plan provides guidance when you need it most.
3. The qualified individual must report annually to the company board of directors on the status of the information security program, and any events or concerns. This must be done in writing.

What are you doing about it?

Most small to medium-sized mortgage lending shops usually fail to comply with most of the requirements listed in the GLBA Safeguards rule. This leaves them vulnerable to fines and other enforcement actions by the FTC. It also opens the door for potential lawsuits if these companies get hacked.

LendSafe’s comprehensive information security program for mortgage lenders provides the tools necessary to comply with the updated Safeguards Rule and more effectively protect borrower data. Instead of hiring an in-house cybersecurity expert or relying on expensive outside providers that may not have experience in GLBA Safeguards Rule compliance, using LendSafe ensures a standardized, industry-specific solution at a fraction of the cost. Our program is automated and overseen by cybersecurity experts so that you can spend your time focusing on your business.

Please reach out to LendSafe at 801-382-9567 if you want to find out more about how we can help you protect your borrowers and comply with the GLBA Safeguards Rule. Or feel free to email me directly at [email protected] with any questions you have.

For additional reading and my primary source, please refer to the text of the GLBA Safeguards Rule.