Utah’s New Mortgage Rules Require Data Security

Jordan Bingham           08/21/2023

Utah DRE’s Mortgage Commission is making some changes

The increase in cyber attacks targeting mortgage lenders over the past couple of years has come into the focus of industry regulators. One such group that has recently voted to add data security requirements to current regulation is the Utah DRE’s Mortgage Commission. These new requirements went into effect August 3rd, 2023. The goal of these new requirements is to help mortgage lenders do more to protect the borrower data they have access to.

I had the opportunity to work with the Commission on these new policies. While all of the new rules require some level of effort from lenders, they each play a meaningful role in ensuring that borrower data is better protected. These new regulations apply to every mortgage shop in the state.  Even single-person shops are required to take specific actions to safeguard their customers’ data.

Remember that besides state-specific regulations, mortgage lenders also must comply with the GLBA Safeguards Rule, which is a national requirement. 

New requirements for mortgage lenders in Utah:

1. PLM/BLM must establish, maintain, and enforce written policies and procedures that ensure:
   • Customer Privacy
   • Customer Information Security
   • Encryption of Data
   • Password Management
   • Cyber Security Policy for Employees
2. Employees must use a secure VPN that is provided by their sponsoring mortgage entity when teleworking.
3. All consumer data must be properly deleted when it is no longer required to be stored. This includes deleting it from all possible locations that it could be stored.
4. If a lender suspects they have been breached, they must notify all clients whose data may have been affected. This must be done in writing and without an unreasonable delay.
5. Employees who are terminated or are no longer associated with a sponsoring mortgage entity must turn over all consumer documents to that specific entity.
6. PLM/BLM is responsible for conduct of employees regardless of their location. This specifically includes employees that work remote.
7. Originators cannot advertise an unregistered office location, including on social media, business cards, etc…
8. Originators cannot meet with consumers at their home unless their home is registered as a branch office.
9. All originators and mortgage entities must make their data available to state regulators and investigators when requested.

Are you prepared?

Do you have the required policy documents? Are all of your employees set up on VPNs to protect their internet traffic? Do you know for sure that all consumer data that is no longer required to be kept is deleted? This includes emails in your inbox or sent folder that may have consumer data attached. What about an incident response plan if you or your employees do get hacked?

If you have all of the above, you may be in compliance with Utah’s updated data security regulations for mortgage lenders. But even then, if you are hacked, you will soon be required to notify all affected consumers in writing. This could mean the type of reputational damage many companies never recover from.

Whether you’re worried about complying with updated regulation, or just  keeping you and your borrowers’ data safe, LendSafe’s comprehensive information security program provides all of the tools you need. Instead of hiring an in-house cybersecurity expert or relying on expensive outside providers that may not have experience in mortgage lending and compliance, using LendSafe ensures a standardized, industry-specific solution at a fraction of the cost. Our program is automated and overseen by cybersecurity experts so that you can spend your time focusing on your business.

Please reach out to LendSafe at 801-382-9567 if you want to find out more about how we can help you protect your borrowers and comply Utah’s new data security regulations for mortgage lenders. Or feel free to email me directly at [email protected] with any questions you have.