In an age when even the police themselves have something to fear from cybercriminals – earlier this month, the force in the town of Tewksbury admitted it had been forced to pay a bitcoin ransom to hackers in order to regain access to its own arrest records – perhaps its not surprising that even the book-bedecked, leather-armchaired precincts of venerable real estate attorneys might find themselves vulnerable. But a wave of recent regulatory changes is beginning to lap at the wingtips of real estate conveyancers, and may have a profound impact on smaller practitioners.

Recent federal rule interpretations have made it clear to lenders that if one of their vendors experiences a security breach and their clients’ information is compromised, the lender themselves may face liability. In particular, a 2012 bulletin from the Consumer Financial Protection Bureau informing lenders that they are expected to exercise oversight over all third-party vendors – and in particular a series of recent enforcement actions the CFPB has undertaken in the wake of the announcement – has refocused lenders’ attention on the issue.

Already, a sharp increase in overall compliance costs in the wake of the 2008 financial crisis and the passing of the Dodd-Frank Act is imperilling bottom lines at many smaller lenders, with many industry observers predicting a wave of consolidation will sweep the industry in the coming months once final Truth In Lending Act disclosure rules kick in this summer. In such an atmosphere, lenders can ill afford to keep any third-party vendor on hand whose security practices aren’t up to scratch, and that includes real estate attorneys and title search firms.

Meeting Minimum Standards
“A small conveyancer maybe doesn’t have a [dedicated] server, maybe doesn’t have security in the office, doesn’t have secure email. Doesn’t have a legitimate backup system, doesn’t have have a disaster recovery plan. Those are minimum standards” that lenders are asking about, said Michael Krone, vice president and chief operating officer at Kriss Law/Atlantic Closing & Escrow in Needham. And they’re telling their vendors, “Look, if you can’t meet these minimum standards, than we can’t use you anymore,” Krone explained.

His own firm, which operates in more than a dozen states across the country and performs thousands of closings a month, already spends hundreds of thousands of dollars a year on various security and backup systems for the data and accounts they handle, Krone said, and even they are sometimes confronted with new requirements from the lenders they work with, and those can be expensive.

For example, a new auditing protocol for third-party vendors called SSAE 16 is being rolled out this year, backed by the American Institute of Certified Public Accountants.
“You want to get SSAE 16 certified? It’s $15,000,” said Krone. “And we’ve already got lenders from the West Coast saying, ’Are you SSAE 16 certified?’ Well, we will be,” but smaller firms may not be able to keep up.

Confusion persists among both lenders and vendors on exactly what security protocols they should require and how deeply they should poke their noses in to their partners’ day-to-day business operations. Trade industry groups are trying to get out in front of the issue, with the American Land Title Association (ALTA) releasing a new set of best standards and practices last fall meant to help guide conveyancers and title examination firms.

“Many title and settlement companies already follow the best practices, but do not have written procedures in place to document it,” ATLA explains in its guide to its new rules; the group hopes that conveyancers who demonstrate adherence to the guidelines will help reassure lenders and reassure regulators of their good faith. But a formal certification process has yet to be put in place for the new rules, and at the moment they are entirely voluntary – and ATLA itself admits that for some lenders, the new rules not be enough.

While some lenders may prefer to develop their own more intensive requirements for their vendors, others may simply want to limit the number of firms they work.

“We’re already hearing from lenders that they’re going to be culling their lists down from 500 to 100, some to even 10 or 15, closing agents,” said Krone.