According to Verizon’s 2019 Data Breach Investigations Report, 10% of the 2,013 breaches that occurred in 2018 were within the financial industry. Personal data was compromised in 43% of those breaches, which were largely attributed to privilege misuse, errors or unsecure web applications.
Within real estate industry breaches, two-thirds of reported incidents resulted in the actual exposure of data to an unauthorized party. Sitting squarely across those two industries, the importance of strong data security processes in mortgage finance is clear.
While we can agree on that point, how to efficiently build those processes across the many players in the mortgage pipeline is a bit less clear. Our industry’s current decentralized approach to data security is not only cost prohibitive as we each take on significant expense to secure our part of the process, but also less secure as it creates multiple points of potential data exposure as data is gathered for or passed from step to step. From blockchain to tokenization to regular purging of personally identifiable information, there is tremendous opportunity to better safeguard homebuyer data while managing costs within the mortgage finance industry.
Today, each participant in the mortgage finance ecosystem receives and stores at least one copy of a borrower’s PII. Beginning with the lender, any other services utilized in the transaction may receive one or more documents containing PII. These documents get copied and transferred to every participant in the loan transaction – lender, mortgage insurance company, title company, appraiser, servicer, closing attorney and others.
The mortgage industry was born in the age of paper where PII was affixed permanently to each document. Over the past 30 years, the mortgage industry has “digitized,” only to turn paper into electronic bits and bytes. However, it’s still the same data in the same basic format. This creates inefficiencies in the overall system as there are multiple copies of data and documents stored in multiple locations. Any given borrower is at risk of data loss if any of these participants’ platforms are compromised thereby breaching the portion of the data and documents they possess.
Protecting all this data is costly—but it’s even more costly to remedy when breaches occur, and consumer data is exposed. Deloitte’s 2019 Future of Cyber Security Report Survey results show that financial firms spend $2,300 per employee attempting to address cyber security concerns. This pales in comparison to the average cost of a data breach of $148 per record, according to IBM’s 2018 Cost of a Data Breach Study by Ponemon. Investing in your data security capabilities pays off, though. Results show the average total cost of a data breach is $2.88 million for organizations that fully deploy security automation, compared to $4.43 million for organizations that do not deploy automation—a net total cost difference of $1.55 million.
What does that security solution look like? It could take on various forms, depending on our industry’s appetite for change. There are many different types of technologies that have the capability to simplify the management of PII within the mortgage industry, and as an industry it’s important to continue exploring different options as it relates to data security. Some options worth exploring include blockchain and the tokenization and purging of PII.
The big swing: Blockchain
One of the newer tech buzzwords in an era of efficiency and security, blockchain technology is a distributed shared ledger that records and provides an audit trail of transactions that flow through a process. Like a ledger, information is not edited—a new copy of the record is stored with the updated changes, leaving a permanent and unchanging “paper trail” of all changes and activity on a single record. Acknowledging that the players in any particular mortgage process, as well as the contents of a blockchain, can vary, here’s an oversimplified illustration:
- Buyer completes a pre-approval application with a loan officer, including PII
- Loan officer adds the full loan application to the blockchain, starting a new record
- Buyer selects a home and an appraisal is ordered
- Appraisal company receives a security key to access that single record within the blockchain for the information they need to complete the appraisal; they do not have access to other entries within the blockchain
- Rinse and repeat for mortgage insurer, titling company, servicing company, etc. throughout the life of the loan
If changes to the record occur at any point, such as marital status, salary, address, the party that takes in the change will add an updated entry to the record which will then replicate to all other parties with the key for that record. This creates a single source of truth that bridges not only players in the mortgage finance process, but also stages, while minimizing access to PII and capacity for tampering.
Blockchain could play a role throughout the mortgage finance lifecycle, enhancing data security, reducing inefficiencies, and creating space for evolution within the industry. In the loan origination space, blockchain could be used to share and secure customer financial information. In the case of title and related insurance, blockchain could be used to record and track ownership of the asset removing the need for title insurance.
In the case of mortgage claims processing, smart contracts could automate the business process triggering claims payments automatically and removing many of the manual steps. In the case of servicing, blockchain could be used to automate payments and mortgage servicing rights transfers, among other areas. Beyond the loan process, blockchain also can bring improvements to more traditional mortgage finance processes such as securitization. The use of blockchain and smart contracts in securitization could bring transparency and cost savings to the process. A blockchain could provide investors with “real time” data to all underlying collateral in a mortgage security providing investors with a more accurate assessment of its exposure and risk.