By Debbie Hoffman
What is regulators’ top priority for the mortgage industry? What area has been having the most activity—and compliance gaps? Which players have—and have not—been getting the most regulatory heat? The answer is vendor oversight among supervised institutions in the mortgage industry. The increased use of service providers by mortgage lenders, including technology vendors, to outsource certain functions has prompted regulators to take a closer look at the oversight of service providers. Regulators do not want outsourcing to become a way by which lenders can circumvent responsibility, liability, or regulations. One of the more recent vendor oversight issues on which regulators are concentrating is cyber security, particularly due to significant and fast-moving changes in technology.
Regulatory Guidance in Vendor Management
Lenders’ delegation of certain aspects of work along the mortgage lifecycle to outside service providers has become commonplace because it enables organizations to delegate to experts in a cost efficient manner. It also allows lenders to outsource and utilize technology that they have not developed internally.
Due to regulatory oversight, lenders now have one function that is absolutely essential and unavoidable—the monitoring of service providers with whom they have contracted to perform designated functions. This is because vendors are looked upon by regulators as an “extended arm” of the lenders, and therefore lenders are liable for the acts, and any non-compliance, of their service providers. Some vendors have regulatory compliance oversight that is different from those they serve, such as SAFE Act licensing for mortgage loan originators working for vendors (which is not required if an originator works directly for the lender). Notwithstanding, the lender utilizing the vendor’s services ultimately has liability if the vendor’s actions are unauthorized.
With regulators holding lenders responsible for vendors’ actions, the Consumer Financial Protection Bureau (CFPB), Office of the Comptroller of the Currency (OCC), Federal Reserve Board (FRB), and the Federal Deposit Insurance Corporation (FDIC) have issued regulatory guidance for lenders to follow. The CFPB has issued the most recent guidance via a Service Providers Bulletin dated October 19, 2016, which was an update to the original guidance issued on April 13, 2012. From this regulatory guidance, critical factors have been identified to set the basis for vendor management programs. These factors include the following: risk assessment and planning of service providers, due diligence, review of policies and procedures (P&P), ongoing monitoring, taking corrective action, oversight and accountability, documentation and reporting, and independent reviews. Vendor contracts should include provisions that allow the lender to comply with these factors.
The CFPB designated five of the abovementioned factors (due diligence, P&P review, monitoring, corrective action, and contractual integration) as the minimum factors recommended in any vendor management program. Due diligence includes verifying that the vendor understands and is capable of complying with consumer financial laws. Vendors’ policies, procedures, internal controls, and training materials must be reviewed to ensure appropriate oversight and training of employees or agents with consumer contact or compliance responsibilities. Clear compliance expectations, with enforceable consequences for violating compliance-related responsibilities, including engaging in Unfair, Deceptive or Abusive Acts or Practices (UDAAP), should be included in the vendor’s contract. In addition, lenders must establish internal controls and ongoing monitoring to determine whether vendors are complying with consumer financial law, and if problems are identified, prompt corrective action must be taken, including terminating the relationship if necessary. The CFPB October 2016 update to the original bulletin specifically adds that the CFPB expects risk management programs to vary depending upon the service being performed (i.e., the size, scope, complexity, importance, and potential for consumer harm) and the performance of the service provider in carrying out its activities in compliance with Federal consumer financial laws and regulations.
The OCC adds four additional factors to every vendor management program—risk assessment and planning, oversight and accountability, documentation and reporting, and independent reviews. Risk assessment and planning is an essential first step to evaluating the risks posed by each vendor and developing a plan to manage the future relationship. The remaining three OCC factors are additional steps occurring during the relationship to ensure the risk management process continues to run smoothly, with all necessary documentation kept, reporting made, and risk kept low.
Cyber Security: A High Priority in Vendor Management
Cyber security should be one of the top considerations when reviewing a vendor because the protection of a client’s information is only as strong as the security software and human oversight protecting it. When lenders outsource certain functions to vendors, access to their clients’ personal and sensitive information is often shared. Companies that have fallen victim to data and cyber breaches are left spending billions of dollars to repair cyber infrastructures damaged by hackers, pay damages to consumers, and pay fines and penalties to regulatory agencies. They are also forced to spend an inordinate amount of time, energy, and focus to repair their image and brand. Thus, vendor management is extremely important because if vendors fall victim to data and cyber breaches, lenders will suffer the same damages as if they had committed the breach themselves, except it may be more difficult to reverse the effects of the breach on the lender.
There are numerous ways data hackers execute cyber-attacks, as detailed in the chart in this article titled “Types of Cyber-Attacks.” Common types of attacks in the mortgage industry are malware, denial-of-service (DoS) / distributed-denial-of-service (DDoS), and phishing attacks.
Types of Cyber-Attacks

|Type of Attack|How Does it Gain Entry?|Actions to Prevent Entry|
|---|---|---|
|Trojans, viruses, worms|Email attachments, software downloads or system vulnerabilities|Do not click on links or download attachments from unknown senders|
|Malware acquired by clicking on an advertisement|Infected display ads are uploaded to different sites using an ad network|Do not click on ads|
|Request for data by an illegitimate third party|Through requests sent via email asking users to click a link and enter their personal data|Requests for information via email should be verified over the phone|
|Brute Force/Pw Attacks: Guess your password|Guesses passwords through information|Set long, incomprehensible, and alphanumeric passwords|
|Impersonates endpoints of online information exchanges|Through a non-encrypted wireless access point|Only use encrypted wireless access points and make sure URL is “https”|
|DoS / DDoS: Makes network resource unavailable to its intended users|Server is overloaded with traffic|Cannot prevent; monitor data flow|
Malware is a broad term that encompasses a range of cyber threats including Trojans, viruses, and worms. It is usually code introduced to a system through email attachments, software downloads, or operating system vulnerabilities, and the code is inserted with the malicious intent to steal data or destroy something on a computer.
Phishing attacks are requests for data sent via email from someone posing as a trusted third party. The third party sends a link to users for them to click, which takes the user to a dummy site to enter their personal data. For example, a phishing scheme known as “the account takeover” occurs when potential mortgage purchasers are contacted by a scammer who identifies himself as their real estate agent. Through email, the scammer advises the purchasers of a change in wiring instructions and reroutes their mortgage payments to the scammer’s offshore bank account.
During a DoS attack, attackers attempt to make a machine or network resource unavailable to its intended users by sending high volumes of data or traffic through the network until it becomes overloaded and is no longer functional. The most common way to execute this attack is through a DDoS attack, where the attacker will use multiple computers to send the traffic or data to overload the system.
While there are separate recommendations to prevent each type of cyber-attack, maintaining a secure system with regular software updates is a universal method. Lenders must perform thorough due diligence upon their vendors prior to onboarding, including a review of the service provider’s systems and security. One way to do this is to inquire as to whether the vendor utilizes standard cyber security frameworks like the NIST Cybersecurity Frameworks (SSAE16). The lender should also review the vendor’s policies and procedures, particularly as they pertain to privacy, confidential data, and cyber breach plans. In reviewing the policies, the lender should look specifically at protocols pertaining to password protections and employee departures.
When performing due diligence upon a vendor, the lender should ask whether there is a top-down approach to addressing cyber security. This is a company-wide matter that should not be addressed in a silo by the information security department. There should be a culture of partnership among the teams – compliance/legal, operations, finance, sales, marketing, human resources, and executive leaders. The various teams need to be aware of the cyber risks, generally understand them, have a basic grasp of “tech language,” and know what to do in the event of a breach. When reviewing vendors, if this culture is not pervasive or a service provider does not have the capital to address the risk, there should be considerable hesitancy about continuing the partnership.
Another way to evaluate whether service providers treat cyber security as a high priority is to examine how the vendor trains and educates its employees. Since many attacks depend upon the actions of people, one of the best methodologies of prevention is education of all employees, starting with the Board of Directors, company officers, and executives and trickling down to every single employee. Such education should include not only the types of attacks, but the various kinds of data that contain confidential or protected personal information, such as tax returns, W-2 forms, driver licenses, pay stubs, recent bills, and banking statements. In addition, employees should be educated on what concerns exist regarding storage and the transmittal of data; the policies and procedures that the company has regarding confidential or protected personal information; and what action employees should take if they see potential hacks.
The contract between the lender and service provider should capture the details of the relationship. The contract should include representations and warranties as to data, system, and product integrity. Other provisions that should ideally be included in vendor contracts include the lender’s right to notification, investigation, and audit upon breach; indemnification for security incidents; insurance provisions; protections regarding storage, transmittal, encryption, and data back-up; continuous auditing rights; allowance for routine penetration testing; root cause analysis; and provisions for data destruction.
While vendors may have their own planned response to a cyber-attack, it is critical that overseeing lenders have an “Incident Response Plan Timeline” to address steps to be taken in the event of such a breach by a service provider. Similar to a timeline for a direct breach, the plan should have a list of outside counsel and forensic experts ready to hire if needed to quickly assess the damage and harm. In addition, state laws require notification to consumers of harm, as well as to government regulators. Thus the plan should include template notification letters to be used in the event that the vendor does not provide such notification. The plan must also address managing public relations and engaging in client relationships and customer conversations. Furthermore, it needs to outline the necessity for assessments of security changes and remediation of the cause of the breach.
Today, cyber security is a growing area of concern, especially with the constant developments in and reliance upon technology. It is of particular concern in the mortgage industry as lenders share more of their clients’ highly sensitive and personal information with service providers, while cyber attackers develop additional creative ways to access the data. The discussion of a system breach is no longer centered on whether it will occur, but when it will occur. However, if mortgage companies implement sound vendor management policies, they are on the right path to minimizing their susceptibility to future breaches and the lasting impact of those breaches upon their companies and clients.
Debbie Hoffman is chief legal officer at Digital Risk LLC. She can be reached at DKHoffman@DigitalRisk.com.