
As identity theft continues to rise, federal regulators are asking the mortgage industry to ensure the security of their customers’ information as well as establish a response program in the event of a security breach. Most local mortgage practitioners are just becoming aware of the new guidelines and reaction has been mixed; some characterize the new requirements as too stringent while others deem them necessary.

Before the guidelines were established, the Federal Trade Commission conducted a nationwide compliance sweep in late 2004 and charged two mortgage companies with violating the agency’s Gramm-Leach-Bliley Safeguards Rule. The Safeguards Rule implements the security requirements of the GLB Act and requires financial institutions to have reasonable policies and procedures to ensure the security and confidentiality of customer information; it became effective in May 2003. The GLB Privacy Rule, which took effect in 2001, requires financial institutions to provide consumers with privacy notices describing how they use and disclose consumers’ personal information.

In March, other federal agencies, such as the Office of Thrift Supervision and the Office of the Comptroller of the Currency, issued amendments focusing primarily on ensuring that a security program includes a response component to deal with a security breach that results in the loss of protected information, according to David Hadlock, regulatory counsel to the Massachusetts Mortgage Association.

Although that guidance is directed toward federally chartered institutions, Hadlock said all financial institutions and third-party vendors should take the guidance into consideration.

“Historically, commentary and other guidance by federal regulators have been incorporated into, or relied upon in some way, by state regulators or in court actions involving interpretation of the relevant regulation and statute,” Hadlock said.

The response program guidelines are a lengthy document, but Hadlock said there are essential components of which lenders should be aware. At a minimum, the institution should implement procedures for assessing the nature and scope of an incident and identifying which customer information systems and which types of customer information have been accessed or misused. Institutions also should notify their primary federal regulator as soon as possible when they become aware of an incident involving unauthorized access to or use of sensitive customer information.

Where unauthorized access to customer information involves systems maintained by a third-party service provider, the guidelines say the responsibility for notifying customers and regulators still rests with the institution.

According to the guidelines, the institution should conduct a reasonable investigation to determine the likelihood that information has been or will be misused. Notification of the customer should then follow. Customer notice may be delayed if a law enforcement agency determines that notification will interfere with a criminal investigation and provides the institution with a written request for the delay.

Customer notice should be given in a clear and conspicuous manner. The notice should describe the incident in general terms and the type of customer information that was the subject of unauthorized access or use. It also should generally describe what the institution has done to protect the customers’ information from further unauthorized access. The notice should have a phone number customers can call for further assistance.

The FTC’s late-2004 sweep produced two enforcement actions. The FTC said Virginia-based Nationwide Mortgage Group failed to train its employees on information security issues, oversee its loan officers’ handling of customer information and monitor its computer network for vulnerabilities. Florida’s Sunbelt Lending Services, a subsidiary of Cendant Mortgage Corp., failed to oversee the security practices of its service providers and of loan officers working from remote locations, according to the FTC.

“Privacy just keeps escalating,” Hadlock said. “It’s no coincidence the FTC is sweeping and other agencies are writing guidelines.”

‘Panic and Pandemonium’

But are local, state-chartered companies abiding by the rules?

“In terms of the response programs … state-chartered companies aren’t anywhere near close to that level of pro-action,” Hadlock said.

The majority of mortgage companies do have a general awareness that customer information needs to be kept private, but Hadlock said it is a “mixed bag” in terms of how many companies have a more specific awareness of what regulators expect.

“The general awareness is there, but the execution on the variety of things you must do, they’re not doing,” Hadlock said.

James F. Flynn, president of Marathon Mortgage in Hopkinton, said his company has spent many man-hours and thousands of dollars to comply with the original regulations. Marathon Mortgage employs a shredding company that shreds sensitive documents on site, which Flynn said he feels is important.

“It [company policy] should be ‘shred on site,’” Flynn said.

The company also has spent money to secure regular office waste that is not sent to a shredder.

“Think of the people who come into your operation,” Flynn said of possible security loopholes.

The company, which made 720 loans last year, has spent between $8,000 and $12,000 on additional computer security.

Marathon Mortgage currently is in the process of establishing a response program in the event of a security breach. Flynn said many people in the industry are not aware of the new guidelines. While identity theft has become a problem nationwide, Flynn said he believes the response program guidelines may be “overkill.”

“It’s [security-related incidents] climbing to a head, but overall it might be happening in isolated areas,” Flynn said. “If you’re doing it [establishing security procedures] right, it should fall into place and that response [contingency] shouldn’t happen.”

Despite those sentiments, Flynn said the company will establish a response system, but said he is unsure how notifying state regulators will work.

“There is no direction from the state level,” Flynn said.

Hadlock said regulators at the state level are not set up to receive notification. But, he said, that does not mean companies regulated by the state should ignore the federal guidelines.

“It should be considered by everyone,” Hadlock said. “Anyone regulated by the law should consider that guidance as applicable.”

Flynn has approached the state Division of Banks in the past, hoping it would establish a protocol for response programs, but the DOB has not yet set a policy.

“They address issues that are put in front of them,” Flynn said.

David Cotney, senior deputy commissioner at the DOB, said his office does review the interagency guidelines when they are issued. However, he said he was not aware of any specific guidelines for companies that report directly to the DOB.

According to Rosemary O’Neil, vice president of Norwell-based Conway Financial Services, the company recently has taken steps to ensure customer information isn’t released. Over the last decade, however, the company did not take “great pains” to lock up customer information.

“There was a [level of] trust” in the past that companies employed in lieu of specific regulations, she said.

But today, the company is far more focused on evolving regulatory compliance issues. Compliance comes with a cost, however. Conway Financial has hired a full-time employee to monitor compliance needs, and building and file security has also been a focus for the company. O’Neil said Conway Financial has spent approximately $60,000 to ensure the company, which has 20 employees, is fully compliant with security and privacy regulations. Like Flynn, O’Neil said the guidelines are somewhat aggressive because she believes incidents in which customer information is stolen are isolated.

“It creates so much panic and pandemonium,” O’Neil said of the security mandates.

Although he admits the federal requirements are “a significant burden,” Bob Kalagher of Ross Mortgage Co. in Leominster said they nevertheless are very necessary.

“It is necessary in some cases, especially if you consider the magnitude of private information,” he said. “This is warranted to some degree.”

Local Firms Mull Fed Security Guidelines

by Banker & Tradesman