Editor’s note: This piece originally appeared in the June edition of MReport.
Who knew that 2019 would start with mortgage data breaches? We owe it to Bob Diachenko, the independent security researcher who first discovered the 24 million mortgage and bank loan documents lying exposed online without data protection. He was quick to report it to TechCrunch and then began the investigation. Mortgage data going back more than 10 years— containing highly sensitive personal information, including names, addresses, dates of birth, social security numbers, and more—was found accessible on a server for at least two weeks. With no password protection, the server gave complete access to anyone who cared to access the massive cache of documents. The issue worsened on January 24, when TechCrunch found another unprotected and exposed server that stored some of the original mortgage and banking documents that would typically be needed for getting a mortgage.
What is most amazing is that it took so long for a data breach of this magnitude to hit our industry. It makes one wonder, what is the extent of damage we are exposing our borrowers to in order to get ahead in the race of technology?
The breach is now being investigated by forensics, and critical facts will be reported over time. We live in a world where fraud and cybercrime are increasingly prevalent, and such scenarios make it easy for cyber thieves to steal identities, file false tax returns, and fraudulently secure loans or credit cards.
Despite these red flags, the need for stronger cybersecurity measures seems to be drowned out by other innovations designed to speed up the mortgage transaction and save money. The conversation today centers on AI, robotics, machine learning, big data, cloud technology—and the list goes on. But is our industry spending enough time evaluating what’s right for us and what’s not?
For more than two decades, experts have predicted that technology will take over the world and traditional players will be out of business. But is the traditional way of doing business obsolete yet? A deep dive into our everyday mortgage process suggests that it’s not.
Technology has certainly changed financial services, but these changes have not come without risk. Cybercrime and fraud are rising every day. One can still manage the damage in certain nonfinancial industries, but can a lender today share the liability of exposing their borrower’s financial information? If the answer is no, then why are we so eager to jump aboard the technological bandwagon without understanding the risks associated with it?
Lenders must understand the needs of borrowers in order to best use technology to improve processes that are critical to enhancing the lending experience. The mortgage industry today is losing sight of the critical factors that, when done right, can help them enhance their customer satisfaction—security, face-to-face interactions, commitment to timelines, simpler applications, and telephone conversations.
Ellie Mae’s Borrower Insights Survey 2018 was helpful in sharing insights about what borrowers want and need. Topping the list was a faster process (29.1% of borrowers surveyed), followed by a simpler application (26.8%), and more communication and face-to-face interaction (27%). While we generally think millennials want everything online, 37% of borrowers within this age group said that more face-to-face time with a lender would have improved their mortgage application experience.
Furthermore, 44.7% of borrowers surveyed said applied for their last mortgage without any online intervention, a sign that a significant number of consumers prefer an “in person” mortgage. Also interesting was that 46.5% percent of homeowners said they were “somewhat concerned” about entering their personal information online, while 22.6% of borrowers reported they were “very concerned” about entering it. Clearly, borrowers are nervous about sharing their personal information online, and there is growing evidence that they should be.
Up in the Cloud?
Cloud storage may be a feasible option for mortgage lenders to reduce their IT and infrastructure costs, especially when the entire industry is looking at cutting costs. But is it the safest option? The facts about data breaches are bound to keep lenders awake at night, as it’s not only their borrowers’ documents but also their reputation that’s at stake.
The mortgage industry can no longer ignore the threat. In the first mortgage data breach discovered in January, the exposed server contained mortgage documents that were converted into digital files through optical character recognition. These files, though accessible for some weeks, weren’t easily readable. However, in a second server that was left exposed, there were 23,000 pages of PDF documents of borrower applications, W-9 forms, and other highly sensitive personal information. Anyone could take this information and use it to apply for loans in another person’s name, potentially destroying their credit.
According to the 2017 Cost of Data Breach Study: Global Overview (Ponemon Institute, June 2017, Benchmark research sponsored by IBM Security), the average total cost of a data breach is $3.62 million, and financial services were ranked the second-highest industry when it comes to costly data breaches. The average loss for a financial services breach was $245 for each stolen record, which was significantly higher than the average cost of $141 per record for data breaches globally.
Additionally, hackers and criminal insiders cause the most data breaches globally, representing 47% of all attacks and creating an average cost of $156 per record to resolve such an attack. Meanwhile, 52% of data breaches in the U.S. were due to hackers and criminal insiders. The U.S. also paid the highest price for losing customers to data breaches.
The Right Options
What must lenders do? Technology is a necessity, but data breach numbers are skyrocketing. As it stands, lenders have three options when it comes to cybersecurity technology: build, buy, or outsource. Building technology involves your company, your resources, your servers, and your control. But in the current mortgage market, where rising costs are the biggest challenge, most lenders cannot afford to invest in this option.
Buying technology can also be a tricky but an available option for larger lenders who are able to acquire a company that has the technology they need. A recent example was Fiserv’s $22 billion deal to acquire First Data, a leading provider of cloud-based services. First Data is a master in technology and controls a third of the U.S. core banking market.
The third option is outsourcing. However, this option only works if one outsources to mature, robust, and experienced providers. Typically, this is the most practical option for the majority of lenders. From big to small, every lender can outsource to leverage readily available technology.
However, the more important question is, who are we partnering with? There are several players in the market with mind-boggling innovations. While most of them are mature tech companies, some are mom-and-pop shops or small startups. They try their hand at selling, and if unsuccessful, they wind up quickly moving on to the next venture. These providers may be less concerned or even aware of your information security needs, and more prone to careless manual errors or even cybercrime.
There are many trusted companies in the market who have decades of experience in developing solutions specifically for lenders. They know your processes well enough to suggest where there might be a need for technology and where process reengineering can help you. These companies do not exist just to sign up any new account but are committed to truly helping their customers optimize their working capital.
The ideal outsourcer should have years of experience in working with U.S.-based lenders of all sizes, including the top 25 banks. This sort of partnership can guarantee that consumer data is treated with care while also ensuring optimum security with zero tolerance for noncompliance.
Mortgage lenders should not have to live under the constant fear of exposing borrower data in their quest for faster processes. However, by combining high-tech and high-touch, leveraging the latest in data intelligence, automation, and services, lenders can close loans faster and reduce costs significantly. The key, for most, is choosing the right partner to get them to the finish line safely