Thursday, August 31, 2023

Mitigating Cyberattacks

QUESTION 

Well, it finally happened! We were hit with a cyberattack. We’re a small bank but have handled our cybersecurity carefully and passed safety and soundness exams. Yet, we were attacked. It seems nobody is safe! 

We don’t know where the attack came from, but a new computer consultant thinks our cybersecurity will need to be improved. She is especially concerned about internal threats by employees who do not follow our system rules. 

We would like you to suggest the types of proactive measures we should take to protect ourselves from cyberattacks. 

In what ways can we mitigate cyberattacks? 

ANSWER 

Your organization must be vigilant in protecting your data and operations from all threats, including ransomware, phishing, social engineering leading to business email compromises, and distributed denial-of-service (DDoS) attacks. The attacks include incidents directly related to critical vulnerabilities. 

All financial institutions and associated entities should take immediate and comprehensive action to protect their systems, sensitive data, and the financial well-being of their members. 

I will recommend certain primary mitigation steps and best practices. Monitoring, testing, and training must be ongoing to safeguard against evolving cyber threats. 

Here are nine proactive measures you can take to mitigate cyber threats. 

MITIGATING CYBER THREATS

1. Multifactor authentication 

Implement multifactor authentication for all sensitive accounts and systems, including email accounts and remote access portals. This measure adds an extra layer of protection against unauthorized access and phishing attempts. 

2. Employee cybersecurity awareness training 

Conduct regular cybersecurity training for all employees to raise awareness about phishing, social engineering, and other common attacks. Educate employees about the risks and implications of clicking suspicious links or opening malicious attachments. 

3. Email security and anti-phishing measures 

Deploy advanced email security solutions with phishing detection and blocking capabilities. Here are a few that come to mind: the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocols, which prevent email spoofing and enhance email authenticity. If you’re unfamiliar with these terms, speak to your consultant about them. 
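A quick offline check of a domain’s published SPF and DMARC records for the weak settings that still let spoofed mail through, added here as an example and not part of the original answer. The records, the placeholder domain example-bank.test and the mail-provider include are constructed; DKIM is not checked because it needs the live selector record.

```python
"""Flag weak SPF and DMARC settings before a domain's mail is spoofed.

Added example; not part of the original answer. Records are constructed
for a placeholder domain and evaluated offline (no DNS queries).
"""
from dataclasses import dataclass

# Constructed sample records: a typical first-draft pair and a hardened pair.
WEAK_SPF = "v=spf1 include:_spf.mailprovider.test ip4:203.0.113.10 ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example-bank.test"
HARDENED_SPF = "v=spf1 include:_spf.mailprovider.test ip4:203.0.113.10 -all"
HARDENED_DMARC = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; rua=mailto:dmarc@example-bank.test"

# SPF mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}


@dataclass
class Finding:
    record: str    # "SPF" or "DMARC"
    severity: str  # "high", "medium" or "low"
    message: str


def _mech_name(term: str) -> str:
    # '+include:x.test' -> 'include', 'a/24' -> 'a', 'redirect=x' -> 'redirect'
    term = term.lstrip("+-~?").lower()
    for sep in (":", "=", "/"):
        term = term.split(sep, 1)[0]
    return term


def check_spf(txt: str) -> list[Finding]:
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("SPF", "high", "record does not start with v=spf1")]
    out = []
    tail = terms[-1].lower()
    if tail in ("all", "+all"):
        out.append(Finding("SPF", "high", "'+all' authorizes any host to send as the domain"))
    elif tail == "~all":
        out.append(Finding("SPF", "medium", "'~all' only softfails; move to '-all' once senders are inventoried"))
    elif tail != "-all":
        out.append(Finding("SPF", "medium", "no terminal 'all' mechanism; unlisted senders are neutral"))
    lookups = sum(1 for t in terms[1:] if _mech_name(t) in LOOKUP_MECHS)
    if lookups > 10:
        out.append(Finding("SPF", "high", f"{lookups} DNS-lookup mechanisms exceed the limit of 10 (permerror)"))
    return out


def parse_dmarc(txt: str) -> dict:
    # 'tag=value; tag=value' -> dict with lower-cased tag names
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_dmarc(txt: str) -> list[Finding]:
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return [Finding("DMARC", "high", "missing or malformed v=DMARC1 tag")]
    out = []
    policy = tags.get("p", "").lower()
    if policy == "":
        out.append(Finding("DMARC", "high", "no p= tag; receivers ignore the record"))
    elif policy == "none":
        out.append(Finding("DMARC", "high", "p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        out.append(Finding("DMARC", "low", "p=quarantine; move to p=reject once reports look clean"))
    if policy in ("quarantine", "reject") and tags.get("pct", "100") != "100":
        out.append(Finding("DMARC", "medium", f"pct={tags['pct']} enforces the policy on only part of the mail"))
    if policy in ("quarantine", "reject") and tags.get("sp", policy).lower() == "none":
        out.append(Finding("DMARC", "medium", "sp=none leaves subdomains unprotected"))
    if "rua" not in tags:
        out.append(Finding("DMARC", "medium", "no rua= address; aggregate reports will not arrive"))
    return out


def assess(spf_txt: str, dmarc_txt: str) -> list[Finding]:
    """Run both checks and return the findings, most severe first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(check_spf(spf_txt) + check_dmarc(dmarc_txt), key=lambda f: rank[f.severity])
```

Running `assess(WEAK_SPF, WEAK_DMARC)` reports the monitoring-only DMARC policy and the softfail SPF; the hardened pair produces no findings.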

4. Incident response plan 

Develop and regularly test an incident response plan to ensure a swift and coordinated response in the event of a cyberattack. Assign specific roles and responsibilities to designated personnel and rehearse various attack scenarios. Be sure to have a robust Disaster Recovery and Business Continuity Plan. Also, establish a Crisis Command Structure. 

5. Vendor risk management 

Review and assess the cybersecurity practices of all third-party vendors that provide financial services and products. Verify that vendors use sound risk management principles, have robust security measures, and regularly review their security posture. 

6. Network segmentation and DDoS protection 

Implement network segmentation to contain the impact of a potential compromise. Deploy DDoS protection measures, such as traffic filtering and rate limiting, to defend against DDoS attacks. Speak to your consultant about how best to implement this process. 

7. Regular data backups and recovery testing 

Maintain frequent data backups and test the data recovery process regularly. In a ransomware attack, backups can prevent data loss and reduce the need to pay the ransom. 

8. Threat intelligence sharing 

Participate in threat intelligence-sharing communities to stay informed about emerging threats and attack trends. Sharing information can help strengthen the industry’s collective defense. 

9. Continuous monitoring and security updates 

Monitor network traffic, logs, and systems continuously to detect and respond promptly to suspicious activities. Stay informed about the latest security updates and apply patches promptly. 

Proactive cybersecurity measures safeguard systems and data integrity and confidentiality. Consider adopting these mitigation steps and best practices, as they can enhance your security posture and protect against cyberattacks.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group

Thursday, August 24, 2023

Personally Identifiable Information

QUESTION 

We passed our information security review by our banking department. However, they found that our description of personally identifiable information was too narrow. 

We need to revise our policies and procedures and submit them to the banking department. Hopefully, you can offer a broader understanding of this area of customer privacy. 

What is a good working description of personally identifiable information for our policy? 

ANSWER 

Most people have heard of nonpublic personal information, called “NPI.” To be precise, as it relates to financial institutions, NPI is personally identifiable information (“PII”) that:

1. The consumer provides to a financial institution;

2. Results from a transaction or service provided for the consumer; or

3. The financial institution otherwise obtains, and that is not publicly available.[i]

As a practical matter, most information that a financial institution collects from a consumer or customer is NPI. In fact, NPI also includes lists, descriptions or groupings of consumers, even if the data is publicly available, if the financial institution has derived the data from an individual’s nonpublic personal information. 

Personally identifiable information, PII, is any information a consumer or customer gives to a financial institution in connection with applying for or receiving a product or service.[ii] 

To broaden the foregoing description, PII is (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.[iii] 

Here are a few common examples of PII:

· Name: full name, maiden name, mother’s maiden name, or alias;

· Personal identification numbers: social security number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, financial account number, or credit card number;

· Personal address information: street address or email address;

· Personal telephone numbers;

· Personal characteristics: photographic images (particularly of the face or other identifying characteristics), fingerprints, or handwriting;

· Biometric data: retina scans, voice signatures, or facial geometry;

· Information identifying personally owned property: VIN or title number; and

· Asset information: Internet Protocol (IP) or Media Access Control (MAC) addresses that consistently link to a particular person.

However, there are examples that, on their own, do not constitute PII, as more than one person could share these traits. But when linked or linkable to one of the above examples, the following could be used to identify a specific person:

· Date of birth;

· Place of birth;

· Business telephone number;

· Business mailing or email address;

· Race;

· Religion;

· Geographical indicators;

· Employment information;

· Criminal history;

· Medical information;[iv]

· Education information;[v] and

· Financial information.

Thus, PII refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information linked or linkable to a specific individual. 

It is essential to note that the definition of PII is not anchored to any single category of information or technology.[vi] Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, the financial institution should recognize that “non-PII” – non-personally identifiable information – can become PII whenever additional information is made publicly available – in any medium and from any source – that, when combined with other available information, could be used to identify an individual. 

Indeed, there is even PII that is considered high risk, called “High Risk PII.” The Department of Energy describes High Risk PII as PII that, if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.[vii] Examples of High Risk PII include Social Security Numbers (SSNs), biometric records (e.g., fingerprints, DNA), health and medical information, financial information (e.g., credit card numbers, credit reports, bank account numbers), and security information (e.g., security clearance information). 

While all PII must be handled and protected appropriately, High Risk PII must be given greater protection and consideration – especially following a breach – because of the increased risk of harm to an individual if it is misused or compromised. 


Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group


[i] 15 USC § 6809(4)

[ii] 16 CFR § 313.3(o)(1)

[iii] Safeguarding Against and Responding to the Breach of Personally Identifiable Information, OMB Memorandum M-07-16, May 22, 2007

[iv] May be subject to HIPAA requirements

[v] May be subject to FERPA requirements

[vi] Op. cit. iii

[vii] Department of Energy Privacy Program, DOE O 206.1 Chg1 (MinChg), January 16, 2009

Thursday, August 17, 2023

Servicing Quality Control: System and Procedures

QUESTION 

We are a mortgage lender in the Midwest. We were doing portfolio retention through a servicer, but now we are bringing servicing in-house and doing our own servicing. 

The plan is to launch the new servicing department in the next ninety days. We need a full complement of servicing policies and procedures. 

In addition, we need to know about the system requirements for servicing quality control and the basic servicing quality control procedures. 

Your firm provides a servicing policies and procedures library, so we hoped you could provide the information we need. Please note we contacted your office recently for assistance. 

What are the system requirements for quality control servicing? 

What are some quality control procedures involved in servicing? 

ANSWER 

We provide a policies and procedures compliance library for servicing (as well as one for mortgage loan originations). The compliance library is customized to your servicing platform. And we’ll maintain it for you. 

As a servicer, you must have fully documented, written policies and procedures that address all aspects of mortgage servicing. If you want to contact me directly, I would be glad to discuss your needs in detail. Contact me here. 

With respect to system requirements, I advise thinking ahead about the quality control system needs because how your system operates will determine its effectiveness and flexibility. 

There are numerous investor and legal requirements in each jurisdiction where you operate as a servicer. These must be well-documented and provide for a review of the following:

· aspects of the delinquent mortgage loan servicing system;

· the system to control and monitor bankruptcy proceedings; and

· the foreclosure monitoring system.

The servicer must develop a quality control program addressing delinquency management and default prevention. Proper staffing and training are mandatory. And you must implement a strong business continuity and disaster recovery program. 

The servicer must audit quality control regularly at the loan level. (If you are subservicing, you must audit the servicer’s process at the loan level.) For loan-level servicing quality control audits, contact us here. 

The servicer must implement certain primary system requirements for servicing quality control, as follows:

1. Conduct regular testing of compliance with applicable laws in all jurisdictions in which it operates;

2. Regularly review and assess the adequacy of internal controls;

3. Keep a record of any activity under the applicable internal systems;

4. Report comprehensive results of all testing to senior management;

5. Promptly take appropriate corrective action if these systems identify a problem area; and

6. Make comprehensive testing results and any evidence of corrections available for review upon the investor’s request. 

With respect to servicing quality control procedures, there are a few themes that run throughout the written policies and procedures. As a servicer, you must monitor your compliance with the investor’s requirements and federal and state mandates through regular quality control procedures that are ratified, established, conducted, and monitored. 

The servicer must maintain adequate quality control procedures and systems. Implementing a self-assessment for various operational functions should be considered. At a high level, the servicer must be able to:

· ensure that the mortgage loans are serviced under sound mortgage banking and accounting principles and in compliance with investor guidelines;

· guard against misrepresentation and dishonest, fraudulent, or negligent acts by any parties involved in the mortgage loan servicing process;

· protect against errors and omissions by officers, employees, or other authorized persons;

· verify and audit the accuracy of loan adjustments (i.e., ARM adjustments) and facilitate timely responses to errors identified by the borrower, the servicer’s regulatory agency, or the investor; and

· protect the investor’s investment in the security properties. 

Failure to maintain adequate servicing quality control standards may result in a servicer being in breach of its contract with investors. 

Furthermore, I urge you to perform annual quality control tests to ensure that all outsourcing firms and third-party vendors fully comply with investor guidelines and federal and state requirements. 


Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group

Thursday, August 10, 2023

Servicing Quality Control: Recurring Adverse Findings

QUESTION 

We have used your servicing quality control group for many years. We like how we can have direct contact with the auditors. Recently, we asked one of your auditors for feedback about the adverse findings they see happening among the many servicers you audit. 

The response was very helpful because your servicing compliance group provides servicing quality control to servicers in many states. We have virtually eliminated “confirmation bias” by getting your wide-ranging information across the servicing spectrum. 

We’re hoping you would share with others a few of these findings. 

What are some recurring violations in your servicing quality control findings concerning servicing transfers, payment posting, loss mitigation, and UDAAP? 

ANSWER 

Thank you for the opportunity to provide our servicing compliance solutions. Most of our servicing clients retain us for servicing quality control and monthly or hourly servicing compliance support. 

Because we work with servicers of differing sizes, complexity, and risk profiles, we constantly update our review criteria to reflect the range of audit findings. One of the aims of servicing quality control is to anticipate examiners’ regulatory compliance expectations. 

Contact us for information regarding our servicing quality control.

Active subscribers receive a 10% discount per loan file

Contact us HERE. 

I will provide an outline of recurring adverse findings along with remedial recommendations. Of course, the potential list of adverse results is formidable. Since 2006, when we first began servicing quality control, we have identified numerous recurring regulatory violations. 

Interestingly, as noted in its reports, the Consumer Financial Protection Bureau has picked up on similar violations.[i] Clearly, anticipating adverse findings is critical to quality control auditing. 

Servicing Transfers 

Policies and Procedures 

Regulation X[ii], implementing the Real Estate Settlement Procedures Act (RESPA), requires servicers to maintain policies and procedures reasonably designed to achieve specific objectives.[iii] By “procedures,” Regulation X refers to the actual practices the servicer follows.[iv] 

Under Regulation X[v], transferee servicers must maintain policies and procedures to identify necessary documents and information not included in a servicing transfer and obtain such information from the transferor servicer. 

But we have found that some servicers violated Regulation X when they failed to maintain policies and procedures reasonably designed to achieve the objective of facilitating the transfer of information during servicing transfers. 

For instance, servicers’ policies and procedures were not reasonably designed because they failed to obtain copies of the security instruments or, in fact, any documents reestablishing the security instrument, to establish the lien securing the mortgage loans after servicing transfers. 

Recommendation: Update policies and procedures; implement new training. 

Payment Posting 

After a transfer of servicing, Regulation X requires that, during the 60-day period beginning on the effective date of transfer, servicers not treat payments sent to the transferor servicer as late if the transferor servicer receives them on or before the due date.[vi] We’ve found that servicers treated payments received by the transferor servicer during the 60-day period as late when not transmitted by the transferor to the transferee until after the 60-day period. 

This violates Regulation X because the transferor had received the payment within the 60-day period beginning on the effective date of the transfer. 

Recommendation: Remediate consumers; update policies and procedures; implement training; and revise internal controls. 

Loss Mitigation 

Disclosure Violations 

We have issued adverse findings when servicers violated Regulation X and Regulation Z by failing to provide specific required information in several circumstances: 

  • Specific reasons for denial. Some servicers sent notices with vague denial reasons, such as informing consumers that they did not meet the program’s eligibility requirements. If a servicer denies a borrower’s complete loss mitigation application for any loan modification option available to the borrower, its evaluation notice[vii] must include the specific reason or reasons for the denial.[viii] 

  • Correct payment and duration information for forbearance. When a servicer offers a short-term loss mitigation option, such as a forbearance plan, it must promptly provide a written notice that includes the specific payment terms and duration of the program.[ix] 

  • Information in periodic statements about loss mitigation programs, such as forbearance, to which consumers had agreed. Regulation Z requires servicers to include delinquency information on the periodic statement or in a separate letter if a consumer is more than 45 days delinquent.[x] This includes a requirement to provide a notice of any loss mitigation program to which the consumer has agreed.[xi] 

Recommendation: Update letter templates; implement enhanced monitoring. 

Timing and UDAAP Violations 

Suppose a servicer receives a complete application more than 37 days before a scheduled foreclosure sale. In that case, Regulation X[xii] requires servicers to evaluate the complete loss mitigation application within 30 days of receipt and provide written notices to borrowers stating which loss mitigation options, if any, are available. We have found that some servicers violated Regulation X when they failed to evaluate complete applications within 30 days of receipt.[xiii] 

Indeed, examiners often find that some servicers evaluate the application within 30 days but fail to provide the required notice to borrowers within 30 days as required.[xiv] 

Recommendation: Improve policies; implement additional training. 

Also, there is a UDAAP issue involved in this determination since examiners have found that servicers engage in an unfair act or practice when they delay processing borrower requests to enroll in loss mitigation options (including COVID-19 pandemic-related forbearance extensions) based on incomplete applications.

Thursday, August 3, 2023

Digital Advertising Disclosures

QUESTION 

We are going to start digital advertising soon. This is not an area that we understand well. We brought in an outside consultant for some guidance. They are good with marketing but have no experience in compliance. 

I drafted the advertising policy and kept it updated. However, the section on digital marketing has to be completely revised. I need some rudimentary definitions of digital advertising and a few guidelines for disclosures. 

What is digital advertising? 

What are some guidelines for digital advertising disclosures? 

ANSWERS 

For regulatory compliance purposes, I define digital advertising as a form of marketing through online channels, such as websites, streaming content, and more. My views throughout this article are meant to apply to regulatory compliance concerning mortgage banking. 

Advertising compliance is tricky and highly technical, legally speaking, and it is highly regulated. To support our clients, we offer Advertising Reviews and Marketing Compliance Reviews. 

Contact us here for information about these and other compliance services. 

Digital ads span media formats, including text, image, audio, and video. These ads are also used for brand awareness, customer engagement, launching new products, and driving repeat sales. 

Terms and Definitions 

According to Regulation Z, an advertisement is "a commercial message in any medium that promotes, directly or indirectly, a credit transaction." 

And "triggering terms" are specific terms used in various advertising media that "trigger" additional disclosures. 

Generally, the term "advertisement" does not include promotional material containing fifteen words or less that does not contain references to specific rates, points, discounts, fees, material loan factors, or "triggering terms," for instance, such as imprinted pencils, pens, or balloons. 

Traditional Advertising 

There's a considerable difference between traditional advertising, such as magazines, billboards, and direct mail, and digital advertising. Here's a non-comprehensive list of traditional advertisements: 

· Newspapers, magazines, or catalog advertisements; 

· Brochures, direct mail literature, messages on customer statements, or other printed materials, including applications; 

· Electronic media, including Internet home pages and electronic billboards; 

· Signs, either interior or exterior, displays, and billboards; 

· Radio, television, or public address system broadcasts; 

· Oral communications between financial institution employees and actual or potential customers, including telephonic and face-to-face solicitations or responses to inquiries; and 

· Communications made through Facebook, LinkedIn, text messaging, and other social media avenues. 

A host of federal and state regulations are involved in advertising compliance. For instance, an assortment of Acts, statutes, rules, regulations, guidelines, and practices apply at the federal level. Here are just a few of them: 

· Fair Housing Act

· Equal Credit Opportunity Act

· Truth in Lending Act

· Federal Trade Commission Mortgage Advertising Rules: the Federal Trade Commission (FTC) implemented the Mortgage Acts and Practices – Advertising (MAP) rules, which are designed to prohibit misrepresentations regarding mortgage products.

· FHA/HUD Regulations

· Real Estate Settlement Procedures Act

· Unfair, Deceptive, or Abusive Acts or Practices 

We have found two key differences between traditional and digital advertising in our advertising compliance reviews. These differences are resilience and precision. 

Resilience 

An example of resilience is how quickly digital ads can go live. Printing and distributing ads through traditional channels – such as sending out newspapers or painting a billboard – can take significant time. However, digital advertising has a much shorter lead time, appearing on a website almost immediately after publishing the ad. If the digital ad is based on a template, the process may take only a few minutes. 

Another feature of resilience is, unlike print advertising, where an ad can't be changed once it has been published, digital ads are resilient even after the campaign goes live. Depending on the specific channel, it may be possible to adjust the creative content, timing and frequency, targeting, and more. Professional marketers call this "in-flight optimization," where you can make adjustments to ad campaigns based on how they are performing. 

Digital advertising also allows for budget adjustments in real-time. Complex and high-profile digital advertising campaigns may be just as expensive as traditional advertising (or more). Still, digital ads are also accessible to many financial institutions without significant budgets and may scale up or down to match the financial investment. 

Precision 

We have found that digital advertising provides another key difference between itself and traditional advertising. Traditional ads in magazines, on TV, or billboards reach anyone who sees them. In contrast, digital advertising lets the financial institution use different targeting methods to be more precise and reach audiences more likely to be interested in its products and services. 

Depending on the format, a company may limit its digital ad to certain times of day or exclude audiences who have already viewed the ad from seeing it again. With digital ads, an institution can reach audiences browsing online for loan products. Or the digital ad might reach the target audience when they're streaming a TV show, visiting a favorite website, or using social media. Even if they don't choose to contact the advertiser at that moment, reaching them in these different contexts can help them remember the institution's brand. 

Here's a non-comprehensive list of digital advertisements: 

· Display advertising. These ads use text and visual elements, such as images or animation, and can appear on websites, apps, and devices. They appear in or alongside the content of a website. 

· Online video advertising. These ads use a video format and appear in places similar to display ads: on websites, apps, and devices. In-stream video ads appear before, during, or after video content. 

· Search advertising. Also called search engine marketing (SEM), these ads appear in search engine results pages (SERPs). They are typically text ads that appear above or alongside search results. 

· Audio advertising. These ads play before, during, or after online audio content, such as streaming music or podcasts. 

· Social media advertising. These ads appear on social media platforms like Facebook or LinkedIn. 

· Streaming media advertising. These video ads appear in streaming media content delivered over the Internet without satellite or cable.