Complying with increasing regulations is a focal point for appraisal industry professionals as we head into 2014. More than ever, regulators are pressuring lender clients to ensure that their outsourced service providers, especially those providing critical services such as those related to real estate settlement services, are also complying with consumer protection and privacy related laws, rules and regulations.
At the same time, more dependence on technology has led to almost every step of the valuation process being automated or moved online, bringing with it an increased interconnectedness and attendant risk.
Because the world of regulation is merging with the world of technology, data security isn’t just an industry talking point anymore; it has become a legal obligation.
Protecting sensitive information is necessary from both a legal and best practice standpoint, which is why enforcing data security can not only help keep companies out of the courthouse going forward, but can also help ensure professional stability.
Regulation background
The need for data security extends from lenders to the appraisal management companies (AMCs) and appraisal companies that they contract appraisals out to.
“Privacy and the safeguarding of customer information laws, rules and regulations apply to all real estate settlement service providers,” said Christopher Gulotta, founder and chief executive officer of Real Estate Data Shield, a provider of security compliance solutions, information policy templates, online staff training, certification and company self-assessment tools for settlement service providers. “[Settlement service providers] are a critical vendor in the supply chain, or the process flow, between banks and consumers, and in that role, they traffic in significant non-public personal customer information and have an obligation to safeguard, properly handle and dispose of that information.”
The Gramm-Leach-Bliley (GLB) Act, which was enacted in 1999, requires all “financial institutions” to adopt policies and procedures to protect non-public personal information in their possession from security threats. Real estate settlement services companies — including lenders, title and settlement companies, appraisers, appraisal companies and underwriters — are included in the broad definition of “financial institutions.”
Additionally, the Federal Trade Commission’s (FTC) Privacy Rule, Safeguards Rule and Disposal Rule independently dictate that settlement service companies: provide notice of their privacy policies to clients and consumers, develop written security plans describing their protection programs and properly dispose of sensitive information.
And while these specific provisions have been in place for years, the onus to adopt protective measures has become a priority only as of late.
“In April 2012, the Consumer Financial Protection Bureau [CFPB] released a bulletin called the Service Provider Bulletin where they reminded lenders that as regulated entities, … they are going to be held responsible for the acts or misdeeds of their third-party vendors,” Gulotta said. “In other words, just because a lender outsources one of its services or products, doesn’t mean that they’re any less responsible for protecting consumers or observing the laws.”
The bulletin, and a similar one on third-party relationships from the Office of the Comptroller of the Currency (OCC) released in October 2013, can be interpreted as a warning shot for all settlement services companies to get their operations in line with regulations.
“There is a thinking in the industry, given the CFPB and the OCC’s emphasis on [data security], that lenders are now, out of concern for that, going to be pushing down increased compliance requirements to their third-party vendors,” Gulotta said. “And getting out in front of it is a lot better than having a lender walk in and audit you or a regulator come in and audit you and you represent an unsafe, unsound and non-secure environment.”
Adopting data security measures
According to Christopher Gulotta, there are three main phases of data protection that companies need to be mindful of: physical, administrative and network security.
Physical security relates to maintaining office quarters in a way that helps protect data. Examples include workers keeping files with sensitive information out of public view (a clean desk policy), locking file cabinets and any offices that contain data so that only authorized individuals have access, and installing security cameras.
Administrative security entails developing adequate corporate practices from the top down. Examples of administrative security include performing background checks on employees and requiring that passwords used to log in to company networks be changed regularly.
Finally, network security pertains to how stable and secure the network architecture of a company’s computer systems is. This step usually requires IT professionals to monitor the company’s network to ensure that firewalls meet appropriate standards, that the network is properly secured against hackers and that emails containing non-public personally identifiable information are encrypted.
Once a company assesses its physical, administrative and network protocols, it needs to take the requisite steps to upgrade its security measures.
“If you are going to say that you safeguard customer information, you are going to want to demonstrate that you take privacy laws seriously,” Gulotta said.
According to Gulotta, the first part of showing that a company is taking privacy laws seriously is documenting in writing the specific plans, policies and procedures that will be adopted. The next step is training all employees in the new procedures; as part of this step, every employee needs to understand the laws, risks and best practices for safeguarding the information that pertains to their role. The last step is a final assessment to verify that the policies and procedures implemented are protecting customer information in the way they were designed to.
Many companies outsource security audits to independent companies to try to pinpoint any shortcomings in policy. Having an independent assessment provides increased credence to lenders and regulators that a company takes its security seriously and has engaged in a complete assessment and remediation process.
In the end, regulators are going to want to see that companies have all bases covered in air-tight, definitive ways when it comes to their security procedures.
“I think the new thing that you’re going to see more in 2014 is lenders wanting to know that you had an independent assessment or audit of your security processes, systems and procedures,” Gulotta said. “I don’t think they can continue to rely on companies merely saying, ‘Yes, I comply with all federal, state and local consumer protection laws, privacy laws and data security laws.’ I don’t think the regulators are going to consider that robust due diligence.”
Adopting best practices in 2014 and beyond
The recent laws, notices and bulletins dished out by the regulating bodies of the appraisal world have established that policy enforcement is going to be amplified in the future.
The AMCs and appraisal companies that can best showcase their ability to conform to tightened guidelines are the ones that are going to be in the best position to sell themselves to lenders.
“I see compliance as the new marketing. It has to be a core competency; it has to be a line item on your budget,” Gulotta said. “You’re selling compliance now as much as you are selling customer service and operational results. Those things were always a given with lenders. But now, you have to also sell compliance. If you can’t sell compliance to a lender, you are barking up a tree.”
“I don’t think banks want Yankee tickets or nice dinners,” Gulotta continued. “I think they want to know that when the CFPB, the OCC or the FTC walks into their office because of a data breach or an audit, they have a robust file showing that they and their vendors are compliant.”
The risk is too great for third parties not to adopt full-scale security policies. Not having proper security measures in place in the future could leave unprepared companies branded with a scarlet letter that could permanently damage the reputation they have spent years promoting.
“If you’re a big bank or publicly traded company and you suffer a data breach, you take some shareholder money, get slapped on the wrist by the FTC, conduct mandated remediation, hire independent consultants, train your staff, improve your policies, improve your training and show that you took steps to fix it — that’s fine,” Gulotta said. “But what if you are a vendor in this supply chain? You’re toxic now.”
Ultimately, the liability is too great to expect lenders to contract out work to a company with a tainted reputation.
To emphasize the weight of noncompliance moving forward in an era of heightened regulation, lender scrutiny and privacy threats, Christopher Gulotta put it succinctly: “Comply or die.”