An Internet Management & IT Infrastructure
Research Consulting Firm
A Chicago Based Consulting Firm
Mortgage Company Concerns
The Challenges ahead
Critical Examination of FTC (SR) Enforcement
Against Mortgage Companies
Revised: 12:02 PM 11/21/06
(Part I) (First Companies Charged)
What we can learn
from the FTC's (2004) Nationwide Sweep of Mortgage Companies
(to assess compliance with the GLBA's Safeguards Rule)
FTC's first cases enforcing the Safeguards Rule.
GLBA = Gramm-Leach-Bliley Act (of 1999)
SR = Safeguards Rule (a component of GLBA [TITLE 5 Sec. 501(b)])
FTC = Federal Trade Commission (Governmental Enforcement Agency)
Companies Charged:
1. Nationwide Mortgage Group, Inc. (Nationwide)
President: John D. Eubank (Also Charged)
Company Location: Fairfax, Virginia
Company Business: Mortgage Broker
2. Sunbelt Lending Services, Inc. (Sunbelt),
a subsidiary of:
Cendant Mortgage Corporation
headquarters: Clearwater, Florida
Time Period: November 2004
(Part II) (The Issues/Complaints)
Reasons for Non-Compliance and Administrative Action:
1. "Not having reasonable protections for customers' sensitive personal and
financial information"
2. "Failed to implement safeguards to protect its customers' names, social security
numbers, credit histories, bank account numbers, income tax returns,
and other sensitive financial information."
According to the FTC's complaints,
"both companies"
failed to comply with the Rule's "basic" requirements, including:
a.) that they "assess" the risks to sensitive customer information and
b.) implement safeguards to control these risks.
Also "both companies"
c.) violated the GLB Privacy Rule,
which requires financial institutions to provide consumers with privacy notices
describing how they use and disclose consumers' personal information.
Nationwide (According to the FTC Complaint):
1.) failed to train its employees on information security issues;
2.) failed to oversee its loan officers' handling of customer information;
3.) failed to monitor its computer network for vulnerabilities; ***** and
4.) did not provide the privacy notices to its customers.
Sunbelt (According to the FTC Complaint):
1.) did not provide the (privacy) notices to its "online" customers; and
2.) failed to oversee the security practices of its service providers
and of its loan officers working from remote locations throughout the state of Florida.
(Part III) (Settlement/Consent Order)
Sunbelt Lending Services, Inc. agreed to settle similar FTC charges:
1.) The settlement with Sunbelt will bar future violations of the Safeguards Rule; and
2.) require biannual audits of Sunbelt's information security program by a qualified,
independent professional for 10 years.
The proposed "consent order" with Sunbelt:
1.) bars the company from future violations of the Safeguards Rule and the Privacy Rule.
In addition,
2.) the company must have its security program certified as meeting or exceeding
the standards in the consent order by an independent professional within six months
and every other year thereafter for 10 years.
3.) The order also contains standard recordkeeping provisions to allow the FTC
to monitor Sunbelt's compliance.
The Commission's votes to issue the administrative complaint against Nationwide and
to accept the consent agreement with Sunbelt were 5-0.
These are the FTC's first cases enforcing the Safeguards Rule.
(Part IV) (SR in part)
The Safeguards Rule:
implements the security requirements of the GLB Act, and
requires financial institutions to have reasonable policies and procedures to ensure the security and confidentiality of customer information.
The Rule requires financial institutions to implement a written information security program
that is appropriate to the company's size and complexity,
the nature and scope of its activities,
and the sensitivity of the customer information it handles.
As part of its program, each financial institution must also:
(1) assign one or more employees to oversee the program;
(2) conduct a risk assessment; ****
(3) put safeguards in place to control the risks identified in the assessment and
regularly test and monitor them;
(4) require service providers, by written contract, to protect customers'
personal information; and
(5) periodically update its security program.
Examples of companies covered:
* Payday Lenders,
* Check-Cashing Businesses,
* Professional Tax Preparers,
* Auto Dealers (engaged in financing or leasing),
* Electronic Funds Transfer Networks,
* Mortgage Brokers,
* Credit Counselors,
* Real Estate Settlement Companies, and
* Retailers (that issue credit cards to consumers).
The FTC targeted Nationwide and Sunbelt
as part of a nationwide sweep of automobile dealers and
mortgage companies to assess compliance with the Rule.
(Part V) (Key Words/Food for Thought)
Key Words:
1. "Reasonable" policies and procedures (What is considered "reasonable"?)
2. Information Security Program (in writing)
3. Risk Assessment (in writing)
4. Implement Safeguards (How much is enough?)
5. Privacy Notices (by now should "already" be in place)
6. "oversee" the security practices of its service providers ****
(Is the SP doing its job? How can you really know?)
7. "train" its employees on "information security issues"
(Which employees must be trained?)
(Certainly all who handle customers' sensitive data)
(On "which" information security issues?)
(And to what extent?)
(Will the bar continually be "raised" on this "training issue"?)
Information from:
http://www.ftc.gov/opa/2004/11/ns.htm
Next issue to be placed under examination:
Non-Encrypted Email ****
(Transfer of Customers' Sensitive Data)