Officially the Mortgage Bankers Association is calling this year’s National Technology Conference “Connect”. Unofficially it could probably be renamed “Let’s Talk About TRID” because the rapidly approaching TILA/RESPA Integrated Disclosure (TRID) rules are the topic du jour here in Orlando this week.
By my count, there are two major sessions dedicated to TRID and at least four or five other break-out sessions on technology, compliance and e-closings that will certainly delve into this topic. And in every conversation, it’s been the opening discussion. The optimist in me believes that for the most part the industry will be ready for TRID’s Aug. 1 debut (but not without many all-nighters that any college student would be proud of).
So I’m going to look beyond TRID, to the next major technology expense and issue lenders and vendors will have to tackle: information security.
At this year’s conference, the MBA’s RESTECH sub-committee on information technology launched a comprehensive plan to help the industry understand the risks and challenges of protecting our assets and the non-public information of our consumers.
Cyber Attacks on the Rise
Despite the vast amounts of confidential, personal information that our industry collects daily, we haven’t been the victim of a Sony- or Target-like attack. At least not yet we haven’t. But a recent report by the law firm of Foley & Lardner suggests that this problem is growing exponentially and that our luck may be running out.
Three years ago, the report says, there were approximately 93 million records lost in data breaches worldwide. Two years ago, that number jumped to 552 million records and last year the number of records lost due to targeted attacks increased to more than 1 billion.
Separately, they report the average cost of curing a distributed denial-of-service (DDoS) attack was $100,000 and the fully-loaded cost of a single data breach was $5.8 million, putting the total cost of cyber threats at $400 billion.
Today, there are two different sessions focusing on this issue. The first deals with information security essentials and the second with security and vendor management, including managing the security of your chosen vendors.
These will focus on the key elements of prevention: process, technology, policy and the human component. Information security and these key elements of prevention need to be at the forefront of every business decision. And they need to be continually reviewed by a company’s executive team, and analyzed at the board level. As one of my associates likes to say, “There’s security in obscurity and there’s real security”.
After Sony’s embarrassing emails were leaked to the media (and the world), an IT consultant that I follow made an interesting comment. He said the incident reinforced his belief and proved that “the ultimate safety when it comes to email is not ever using email.” Moreover, any retained data, in email or any other form, is at risk for loss if you are the target of sophisticated hackers (or unsophisticated, like a phishing attack). This got me thinking: does our industry have too much information, do we really need it all, and must we keep it forever?
Obviously, we need information to make prudent loan and loan servicing decisions. Various federal and state regulations require us to maintain this data for specific periods of time. Under the qualified mortgage (QM) rule, lenders now have life-of-the-loan rebuttal risk, so going forward lenders will routinely store all of the files, data and images used to make underwriting and ability-to-repay decisions. Our vendors—credit, document, fraud and tax transcript providers—will also store the pieces of this information that they deliver to us.
But how do we know when we don’t need it anymore? Suppose I am a lender originating a QM loan and selling it servicing released to a GSE or an aggregator. Shouldn’t there be some easy way of finding out whether that loan even exists, say five years down the road? And if it doesn’t, because the home was sold or the borrower refinanced with another lender, wouldn’t it be a prudent policy to securely purge some of the information that I’ve been storing (and protecting) all these years? To be clear, I’m not talking about borrower contact information, but rather dated, now useless information like old pay stubs, tax returns and credit bureaus. Do I really need this information now that the loan has been extinguished? Shouldn’t I instruct my vendors to purge it as well?
At the moment, there’s no easy way for originators that aren’t servicers (or the MSR holder) to know which loans are still active. Developing a comprehensive database that an originator could easily “ping” to determine loan status would be one way to solve this problem, and another way to reduce the threat of cyber terrorism.
This wasn’t a topic of discussion in Florida this week. But perhaps it is something our industry should consider once TRID is behind us and before we become another cyber security statistic.