The Federal Trade Commission recently conducted a “nationwide compliance sweep” and charged two mortgage companies with violating the agency’s Gramm-Leach-Bliley Safeguards Rule. No Massachusetts firms were charged with those types of violations, but some in the local mortgage industry say that doesn’t mean compliance is perfect.
According to the FTC, the Safeguards Rule implements the security requirements of the GLB Act and requires financial institutions to have reasonable policies and procedures to ensure the security and confidentiality of customer information. It became effective on May 23, 2003.
The GLB Privacy Rule, which took effect in 2001, requires financial institutions to provide consumers with privacy notices describing how they use and disclose consumers’ personal information.
“It’s becoming much more of a focal point statute due to the increase in identity theft,” said David Hadlock, counsel to the Massachusetts Mortgage Association.
Jessica Rich, spokeswoman for the FTC, said the sweep was done to assess GLB compliance throughout the United States. She said some companies might have been advised to do more in their efforts to comply with GLB, but that information is not made public.
The FTC alleges that the two companies, Virginia-based Nationwide Mortgage Group and Florida-based Sunbelt Lending Services, a subsidiary of Cendant Mortgage Corp., failed to comply with the Safeguards Rule’s basic requirements. That includes assessing the risks to sensitive customer information and implementing safeguards to control those risks. Also, the FTC said Nationwide failed to train its employees on information security issues, oversee its loan officers’ handling of customer information and monitor its computer network for vulnerabilities. Sunbelt, according to the FTC, failed to oversee the security practices of its service providers and of its loan officers working from remote locations throughout the state of Florida.
‘All Over the Globe’
Both companies violated the Privacy Rule, the FTC alleges, as Nationwide did not provide privacy notices to its customers and Sunbelt did not provide notices to its online customers.
Hadlock said it is still unclear what effect the sweep will have on the New England area, but said some in the mortgage industry are making a few mistakes when trying to comply.
“Companies are all over the globe in terms of level of awareness,” Hadlock said. “It is a small section of the industry both trying and achieving reasonable success.”
Ruth Dillingham, vice president and special counsel for the Lenders Division of First American Title Insurance Co. and chairwoman of the Massachusetts Mortgage Bankers Association, said she also has seen spotty compliance activity.
“There are a fair number of smaller operations that are not overseen by the [Federal Deposit Insurance Corp.] who haven’t come up against [the Safeguard Rule],” said Dillingham.
Hadlock said some companies are failing to educate ownership and management about the law’s requirements and about the privacy concerns or weaknesses in their own operations; are using information technology resources that do not know the industry-specific requirements; and are attempting to draft mandatory documentation, including policies and training and testing materials, internally. The result, he said, is ineffective compliance efforts and an expensive use of human resources.
Companies are also relying on secondary-market investors, or misguidedly on “passing” state exams, as indications that they are in compliance, and waiting for enforcement actions, private actions and the negative results of noncompliance to hit bigger or “other” companies as the warning sign that additional effort is required.
“There is a false sense of security because they are not getting cited,” Hadlock said.
He added that the FTC sweep is meant to remind people about compliance: The FTC is not writing a new law, but enforcing an old one.
James Dougherty, executive director of the Massachusetts Mortgage Association, said there is no question such rules are necessary, especially with the popularity of the Internet.
“There’s an urgent need … for remedies of abuses of this technology,” Dougherty said. “[But] it is too soon to say whether or not [the law] is working.”
Hadlock said there is a lot of general unawareness about disclosure to consumers.
“This is more than a form,” he said.
Hadlock said companies must draw up contracts with their vendors, but must also oversee those vendors to ensure they are furthering the company’s compliance obligations.
“The industry has generally not recognized the contractual obligation,” Hadlock said.
So what should mortgage companies do? According to Hadlock, there are a few things.
“Know that the time for serious efforts and meaningful results is now,” he said in a newsletter about the sweep. “The ongoing development of laws and continued evolution of identity theft is not only embodied in the FTC sweep, but it is also a foreseeable motivator in private, single-plaintiff and class-action claims.”
Companies should combine their internal staff with IT and legal compliance experts to develop a comprehensive, practical and cost-effective program. Hadlock also advises companies to involve their human resources staff, in conjunction with outsourced human resource programs, in the hiring and retention of staff who will further privacy goals.
Hadlock said even if companies are not proactively sharing data, they must still have internal practices to protect consumers.
The Massachusetts Mortgage Bankers Association issued information about the privacy law when it went into effect.
“Even if you use or disclose nonpublic personal information only to process loan applications and close loans, you still must provide a notice regarding your privacy policy,” the notice said.
Dillingham, who has conducted seminars on the topic for more than a year, said the trade associations are trying to educate people in the industry. Dillingham said many of the requirements are practical, such as putting a password on a computer, training people and having contracts with vendors. However, Dillingham said she still sees “flashes of recognition” when someone realizes they may not be in full compliance.
“The exercise for the industry is how do you do it effectively without compliance becoming your day job,” Hadlock said.