“Non-compliance can create a perfect storm of increased governance, substantial fines, loss of public trust and decreased overall revenue.”
Regulations, Breaches and eDiscovery: Drilling Into Compliance Pains
By Jim McGann
JUNE 2013, National Mortgage Professional Magazine
Compliance is like a little black dot on your tooth. You see it, you ignore it … it starts to get sore, and you still ignore it. It cracks or causes unbearable pain, and eventually it’s time for a root canal. That time- and cost-intensive root canal could have easily been avoided with a one-step visit to the dentist for a little filling, or even better, regular checkups or “audits” of your mouth. However, most of us have irrational fears of the dentist’s chair and all of his tiny instruments, and, much like dealing with compliance regulations, it’s all too often something we put off until it’s too late.

Instead of seeing all of those sharp metal dental instruments, the financial industry sees stacks of regulations, data breaches snagging headlines and a growing legal presence. Balancing, deciphering and setting policies to manage the new compliance-driven environment are no small feats. But as painstaking and sometimes costly as proactive compliance management can be, it pales in comparison to the costs of non-compliance. Non-compliance can create a perfect storm of increased governance, substantial fines, loss of public trust and decreased overall revenue.

To mitigate these risks, more leading financial institutions are using technology to reduce compliance risks surrounding e-mails and files and better organize and manage data. These technology-based data solutions allow policies to be set around data retention to mitigate regulatory violations, data breaches and eDiscovery costs.

“Proactive information management is critical,” said Bruce Radke, head of the records management, e-discovery and data privacy practice group of international law firm Vedder Price. “Our experience has indicated that the most common challenges for mortgage lenders and brokers include: Managing loans your company has bought or sold, including integrating recent loans into current servicing processes, limiting and controlling access to documents and ensuring sufficient chain of custody and authentication of records. As a result, lenders are conducting a gap assessment on their information governance practices to determine potential areas of non-compliance and associated magnitude and probability of risk and then prioritize tasks to address those gaps.”
Data breaches and you

Many of the new regulations govern client communications and documents: What is contained in them, how they are defined and how long they are maintained. In order to comply, there needs to be a set policy. These policies are easier to establish because they are all dictated by law. In addition, the numerous regulations requiring disclosures, NMLS numbers and other communications can be locked in using either internal software or a mortgage-specific marketing vendor. The ability for originators to mass e-mail can even be eliminated or restricted to certain marketing content, removing much of the regulatory risk.

What then becomes mission-critical is Personally Identifiable Information (PII) located within these e-mails. A Social Security or bank account number left off an application and quickly e-mailed from applicant to originator creates a violation. If policies aren’t created to encrypt or remove those e-mails from the system, institutions increase their exposure to data risks.

“Customers are providing highly sensitive financial information to their lenders and mortgage brokers; that trust will likely be irreparably damaged if that information is compromised either through a malicious hacking or even an incident caused by an innocent mistake,” Radke said.

Data breaches are hard to manage because few know where the sensitive information lies until it has been exposed. In addition, hackers are getting savvier, creating a sharp rise in unwanted access. Worldwide, 2,644 breaches were reported in 2012, more than double the 2011 number, according to the non-profit Online Trust Alliance. By and large, financial institutions have not implemented technology capable of locating this information and proactively managing it. A number of data profiling products exist to uncover PII on desktops, network servers and other places within the company so it can be properly addressed according to policy.

“When this information is aggregated, it poses substantial security risks, and yet the precautions that should accompany these data treasure troves have not really kept pace with the level of information collected,” class action attorney Joseph Siprut told the Chicago Tribune.
Regulations and disposition

The Consumer Financial Protection Bureau (CFPB) recently rolled out another set of rules that govern who can contact homeowners and when, and that give buyers much more protection. Along with a slew of other regulations, compliance and non-compliance with these laws can be tracked through e-mail communication. Email communication creates a record of what your company did. While that oversight and accountability is key, once these communications lose context and business value and are not part of a required retention period, they become a liability.

Emails sent by former employees or that are simply old and unaccessed cannot be properly interpreted. Tongue-in-cheek gestures sent among colleagues or old modification e-mails can easily be misunderstood and published. While banks primarily worry about the communications being sent today, communications from five, 10 or more years ago can cause an even greater pain, as they are often not in compliance with today’s rules and contain language that is no longer permissible. If these aged e-mails were to re-circulate, the risks would be significant. Policies must be set to understand and organize this data and to make decisions on its retention and location.

“It is better to understand what information you have, where it is located and identify what sensitive data can be disposed of without adversely affecting business operations and still meet regulatory compliance obligations,” Radke said.
eDiscovery preparation

Whether the result of a data breach, foreclosure or regulatory violation, lawsuits are part of every industry. While there is no way to avoid these legal proceedings, there are ways to proactively prepare for the best possible outcome. All too often, series of e-mails and files are put on legal hold, but only a small fraction of them are actually of importance. Over time, the important documents get buried within the archives and either require large legal bills to uncover or cannot be found at all. Not producing requested evidence does not bode well for any case.

“There is a growing trend where homeowners are using banks’ inadequate recordkeeping practices as a defense in foreclosure actions,” Radke said. “Due to those shortfalls, lenders have been unable to produce the mortgage note—and other critical documentation that proves ownership of the debt, resulting in lenders being unable to establish the legal chain of