With the recent hacks of Equifax, Google, Target, and other major companies, everyone is becoming much more concerned about information security (InfoSec). It’s no different in mortgage lending.
Lenders need to protect the vast amounts of a consumer’s non-public personal information (NPPI) that they collect during a loan process.
It’s not easy when so much of the lending process is now done online and all of that information is housed in a lender’s operating systems.
To compound things, much of the information gathered is transmitted between the lender and other entities during the loan process, such as verification vendors that provide services validating consumer information like income, employment, and assets.
Are these companies dedicated to protecting the consumers’ private information as well? They should be and a lender needs to make sure that they do.
A lender needs to vet each third-party service providing vendor that utilizes any of the consumer’s NPPI. Lenders need to ensure the vendor has the necessary information security systems, processes, policies, and procedures in place to ensure that any information provided to it by a lender is secure, at all times.
An analysis must be done to determine the risks involved in utilizing a particular vendor. The lender must know:
- What information will be involved.
- The effects on the lender’s operations if the vendor fails or discontinues doing business.
- How much of the lender’s operation depends on the vendor continuing what it does, without a security breach.
Although many smaller companies that provide support services to lenders, especially some of those providing verification services, believe they have (or may have) adequate information security, they cannot provide proper evidence of it.
Because of the time and costs involved, some do not have security audit reports, like an SSAE 16 or SOC 2, that would show the testing and adequacy of their systems.
These types of reports are crucial for both the lender and the vendor. They evidence that the company has in place systems that work in protecting the NPPI with which they are entrusted.
If you are using the services of any such vendor, I strongly suggest you perform your due diligence to ensure that they can protect your customers’ NPPI as well as you can. Do your annual reviews, do the analysis, and review their security policies, procedures, and audit reports.
Otherwise, you may be opening the door to data breaches, breaches that could cause you both reputational and financial problems.
Of course, this all assumes that you, as a lender, already have all the necessary information security systems in place. Do you?