This feature originally appeared in the February issue [1] of MReport.
Data is the most valuable resource a financial technology (fintech) company holds, as evidenced by the thick stack of regulations that dictate its protection. But many mortgage tech startups don’t have a firm grasp on industry regulations when it comes to data security and privacy.
These organizations also fail to understand their obligation to safeguard data throughout the entire mortgage process. Many fintech companies may be aware that the old Facebook motto doesn’t apply in their industry, but this is especially true for fintechs that deal with mortgages and lending: infamous technology adages such as “move fast and break things” will likely land you in hot water in this the consumer fintech world.
The public is now well aware that fintech startups and challenger banks alike risk exposing their customers to fraud and identity theft when they try to move quickly or flounder on due-diligence. People know this because it has become an all-too-common experience to lose trust in your financial institution, whether it’s your mortgage lender or the fund holding your retirement account. But there is a clear path forward. This article will discuss why fintech companies need a security-first attitude and how they can build trust amid a changing regulatory landscape.
Data Security Is More Important Than Ever Before
Your customers trust you with an enormous amount of personal and financial data. From social security numbers to tax records, mortgage lending requires that consumers share a significant array of an individual’s most sensitive personal and financial data.
One of the worst ways to break that trust is to be caught in a data breach that exposes their personal data. Data privacy breaches are so ubiquitous today that Wikipedia has a living list of famous data breaches by year and reason. Of course, this is not a definitive resource, but it does demonstrate something powerful: this is a pervasive global problem.
All industries are struggling to keep data safe and secure, and it is all too easy to make it onto the list of companies that failed at this task. While some brands are strong enough to survive the blow of a high-profile security breach, it is unlikely that the average mortgage fintech startup has accrued this kind of clout in its lifetime.
A 2019 whitepaper by Tealium reported that 85% of consumers won’t forgive a company’s mishandling of their information, even if they previously trusted the brand, so when it comes to handling customer data, financial brands must plan and act accordingly.
Consumer Awareness May Be Low, but Your Brand Must Keep Up
Public awareness of the new regulations on personal data and privacy is shockingly low: 70% of consumers haven’t heard of the California Consumer Privacy Act (CCPA) or the General Data Protection Regulation (GDPR), and 62% say they don’t read privacy policies.
But that doesn’t mean your company should not be prepared to meet these regulatory requirements as soon as possible. If you haven’t already, get up to speed on Service Organization Controls 2 (SOC-2) certification and ISO/IEC 27001 rules as soon as possible.
These are just two examples of standards for information management systems and data security, the latter applying specifically to cloud-based systems. You should also familiarize yourself with the new FTC data security orders, which offer more specific guidance, increase third-party assessor accountability, and elevate data security considerations to the C-suite and board level.
Consider the specific goals of the SOC-2 rules, which ensure that cloud-based systems are 1) secure, 2) available, 3) have process integrity, 4) are confidential, and 5) ensure the privacy of customer data. It is simple enough for business leaders to look at this list and agree that this is a reasonable standard to meet for data and organizational security.
While becoming certified as compliant with these standards is not a simple undertaking, for those seeking to comply with the SOC-2 standards, there are two steps to take: 1) undergo a technical systems audit, and 2) implement and follow detailed security policies and procedures that must also be maintained in writing.
These requirements are relevant to any tech-based security organization that stores customer data in the cloud, which is applicable to the majority of financial organizations operating today. This includes any SaaS company and any other company that stores customer data in the cloud. Of course, if you work for a major financial brand and you’re reading this article, chances are that someone in your organization is aware of this requirement, but developing a broader understanding of the security risks that exist within your company can help everyone better prepare for the avoidance of or possibility of a data or security breach (and understand even more quickly how to respond).
To meet these standards, you must have organization wide compliance practices and policies that do several things. As you read this list, you should be able to check each of these off without trouble:
- Monitor known malicious activity and unknown activity. To do this, you must establish a baseline for what is normal and have continuous security monitoring in place.
- Have a system that sends alerts in the event that customer data is accessed by unauthorized parties. Communication around these events is not optional.
- Maintain detailed guidelines that articulate the who, what, when, why, and how of security incidents and responses, i.e. an incident response plan. This process must be comprehensive and actionable on a quick timeline, and this is the step that will help you pass your audit and instruct your team in the event that something does trigger this response. It is critical that this not only be a plan: This must be a useful and specific document that could help your development team and your customer service team deploy appropriate responses at the right time.
While monitoring systems is important in case of an emergency such as a data breach, to avoid false positives, you must have a system in place that demonstrates what is normal activity for your business or you’ll risk triggering many false positives within your system.
It is also a good idea to use this process and its maintenance to get an understanding of where the risks are for your business and what the critical risks could be. This way, you’ll be able to modify your alerts to ensure that you’re not overreacting or putting energy toward less serious concerns.
Ongoing Employee Training Is Key to Certification Maintenance
Fintechs and fintech-powered mortgage originators operating on the fringes of banking regulation may not have strong regulatory incentives to comply with current regulations and seek certifications, but it is best to position your company on the side of compliance. An important piece of this process is to make sure employees are trained and informed and that their everyday operational practices are in line with company standards.
A major component in meeting these international standards is to provide ongoing employee training, especially for those who handle consumer data on a regular basis. As people who work in mortgage tech, your employees know exactly how much data they’re putting out in the world when they apply for or refinance their mortgage, and they appreciate having a company culture that promotes data privacy and security. Employees that put security first will appreciate the importance of taking every step along the way.
Don’t Underestimate the Value of Compliance
Improving your risk management practices provides your organization and any partners or customers increased peace of mind that their data is highly secure, which is important because compliance remains a top concern among lenders from both incumbent and challenger banks who work with mortgage lending.
This concern comes alongside the rise of nonbank mortgage loan servicers: in 2019, an Inside Mortgage Finance analysis found that these companies held 58% of U.S. mortgages in their portfolios.
It appears the future of mortgage lending is here, and consumers are choosing to go with the option they like best. Since these customers are not favoring long-established financial brands over fintech challengers, it follows that they aren’t thinking about some of the differences that distinguish between these types of institutions for industry experts.
However, it is important to note that even major banks, lending institutions, and their service providers fail to secure their customers’ data. Consider First American Financial Corp.: it exposed 885 million files containing personal financial data earlier this year, the oldest of which were scanned copies of documents that were 16 years old. This cache of documents was available to anyone who knew where they were—authentication was required. As any borrower or lender will tell you, this should never happen.
Who You Trust Matters
The cat is out of the bag. The value of data-driven insights has been so touted that The Economist declared data the “new oil” back in 2017, which is particularly apt when you consider the hazards of “spilled” data. And, everyone you or your mortgage fintech works with must be evaluated for data and security hygiene.
You may recall another major data breach that happened which highlights the importance of choosing partners who have the same high standards for compliance with data privacy regulations. Ascension Data & Analytics now infamously exposed the financial data of over 54,000 mortgage borrowers because of an alleged “server configuration error.” This kind of mistake is unacceptable.
The mortgage industry is a web of purchases and sales, and most borrowers understand that their loan originator may not hold their loan for the duration of its lifetime. So, they select their business partners in part by assessing other companies’ data and security practices. It is simpler to work with companies that are also certified by outside standard-bearing organizations than to draw up your own list of requirements. By choosing to meet international industry standards, your company will be well-positioned to win contracts and consumer confidence.
Build a Strong Baseline of Security and Compliance
When you approach partners or customers who have strict data requirements, perhaps especially incumbent banks and major lenders, being able to demonstrate that you meet the same strict requirements that they must comply with allows you to onboard more seamlessly.
In the mortgage industry, your financial brand’s compliance with privacy and data security standards is a litmus test you want to pass when you first approach partner organizations or potential clients.
There is no substitute for meeting the standards held by international standard-bearing organizations and having a demonstrable culture of compliance from the top-down.