Preparing for the Proverbial Compliance Storm: There Should Be an App for That

If only there were a “Best Practices” app to let us know when your lenders will require a Certification of Compliance.

With a “weather app” on your cellphone, rain should never come as a surprise.  One simply looks at the displayed radar images, clicks the “future” tab, and immediately sees where storms are headed and when they will arrive.  Although this is amazing technology, it has limits.  You can’t control when or where the rain hits, but you can at least be prepared when it arrives.

Unfortunately, we don’t always make use of these types of applications and often are caught unprepared by a downpour.  The same scenario can happen in the business world—absent an “app” to warn us of an impending storm, we must take advantage of all available information or otherwise face major disruptions in operations.

As a title professional, you might be caught by a sudden “thunderstorm” when your largest lender sends a letter requiring proof of your compliance with ALTA Best Practices.  While you can’t avoid the letter, you can avoid any potential upheaval by being prepared to provide the required proof of compliance.  A heavy rainstorm is not nearly as disruptive if you carry a big “Best Practices” umbrella.

Change is inevitable.  Just as you can’t predict tomorrow’s weather by observing today’s sunshine, you can’t assume your lender will never request proof of compliance merely because they’ve never done so in the past.  In fact, just as we all recognize the weather will change, it’s logical to assume that lenders’ attitudes toward compliance will change as well.  The million-dollar question is when it will happen.

Unfortunately, there is no app for determining when Best Practices will be required, but recognizing the intense regulatory pressure applied to financial institutions might be a helpful indicator of what to anticipate.

If a Best Practices app did exist, it would highlight a host of regularly occurring events signifying a steady move toward a proof-of-compliance requirement.  It would list recent regulatory guidance letters from the Office of the Comptroller of the Currency (OCC), Federal Reserve Board of Governors (FRB), Federal Deposit Insurance Corporation (FDIC), and the Consumer Financial Protection Bureau (CFPB), all of which unequivocally demand that lenders exercise higher due diligence over their third-party vendors.  The app also would display the growing list of newspaper articles detailing cybersecurity breaches and the skyrocketing increase in identity theft.  It would list the CFPB’s propensity for levying fines in the $100,000–$500,000 range for maintaining poorly designed policies and procedures.  The app also would chronicle the increasing anxiety of individual boards of directors and senior bank officers who are aware they face personal liability for failing to implement robust and effective cybersecurity controls.  In short, if these real-time events were displayed on our imaginary app, we would see that there is no question that proof of Best Practices compliance is imminent, and we are directly in the path of the looming storm.

Assuming you acknowledge the pressure lenders face, the next question is when that pressure might manifest as requirement letters demanding proof of compliance.  Or, to state the question more pointedly, when will lenders be forced to shed long-standing closing relationships to do business only with those who can appropriately demonstrate actual compliance with Best Practices?

Most agree that lenders only will impose that requirement when “something” occurs.  There is a lengthy list of potential events that could cause existing pressure to explode, requiring every lender simultaneously to demand proof of compliance as a condition of maintaining “approved closer” status.  Such events could include large fines levied against lenders for failure to exercise appropriate due diligence, or security breaches that compromise lenders’ client data.  However, the initial triggering event may not be cataclysmic or even reported in the newspaper.  Remember the old adage about the “straw that broke the camel’s back?”  There are numerous seemingly obscure, recently implemented regulatory changes in the financial institution world that could prove to be that proverbial “last straw.”

One such change arises out of the Federal Financial Institutions Examination Council (FFIEC).  This organization is a formal U.S. governmental interagency body that includes all five banking regulators—the FRB, FDIC, the National Credit Union Administration, OCC, and CFPB.  The FFIEC is empowered to prescribe principles, standards, and report forms to promote uniformity in the supervision of all financial institutions.

On September 9, the FFIEC updated its Information Security booklet, which is a key part of its Information Technology Examination Handbook.  This is a manual that title professionals would never have any occasion to read, but its release could have a significant impact on the way they continue to do business with their lender clients.  For staff bank examiners employed by the financial institution regulators, the booklet provides specific guidance for assessing a financial institution’s information security operations.  The booklet highlights the importance of implementing effective oversight of third-party service providers.  Pursuant to sub-section II.C.20, in order to ensure effective oversight of third-party service providers, management should, among other things, determine when third parties identify, measure, mitigate, monitor, and report cyber risks so as to “facilitate a comprehensive understanding of the institution’s exposure to third-party cyber threats.”

In this section, assessing whether the financial institution has acted appropriately, the booklet lists an “Action Summary” which requires that bank management should oversee outsourced operations through the following:

  • Appropriate due diligence in third-party research, selection, and relationship management.
  • Contractual assurances for security responsibilities, controls, and reporting.
  • Nondisclosure agreements regarding the institution’s systems and data.
  • Independent review of the third party’s security through appropriate reports from audits and tests.
  • Coordination of incident response policies and contractual notification requirements.
  • Verification that information and cybersecurity risks are appropriately identified, measured, mitigated, monitored, and reported.

When reviewing these requirements, try to imagine the examiner’s reaction when he or she opens your firm’s bank file.  If your file only includes a copy of your errors and omissions declaration page and info about whom to contact when requesting a closing protection letter, would that be enough?  What about if your file also contained a copy of your written policies and procedures?  What if it included a copy of your “self-assessment” of compliance with Best Practices?  Do any of these documents provide enough information for the examiner to conclude that the issues identified in the above bulleted items were satisfactorily managed by the bank?

This booklet, which offers exactly the same guidance to every lender in the nation, gives me crystal clear insight into the future of the title and closing industry.  Unfortunately, that future will not look like today, when closing agencies are asked merely to provide a CPL and proof of E&O.  I envision a future where your agency’s internal bank file will contain engagement contracts with specific service level requirements and copies of thorough policies and procedures detailing your use of encryption and long passwords and describing your physical security.  Your file will contain correspondence in which you have advised that your policies and procedures have been periodically tested, along with documented proof of periodic staff retraining.  Detailed breach notification plans also will appear in that file.  And, in all likelihood, your file will contain certifications of compliance, issued by a credible independent third party, documenting your compliance with a host of cybersecurity controls that are much more stringent than the processes currently required under Pillar 3 of ALTA’s Best Practices Framework.

Why do I believe that these changes will take place?  Because unless the level of documentation described above appears in your file, a bank examiner consulting the FFIEC Information Security Handbook and asking the required questions will discover problems that will lead to the failure of the financial institution.  Banks cannot afford to fail, so they will require that title and settlement agencies provide information that will enable them to pass.

The preceding thoughts are why I have devoted more than two years to speaking at seminars and educating title professionals about the importance of adopting and implementing Best Practices.  While only a handful of lenders to date have issued letters requiring proof of compliance with Best Practices, that fact shouldn’t imply that the majority of lenders have decided that they will never require your compliance.  When you analyze and comprehend the increasing, unrelenting pressures from their respective regulators, you must conclude that a requirement to demonstrate compliance is inevitable.

It’s time to bite the bullet and take the steps necessary to prepare for the moment when you begin to receive letters from your current lenders requiring your proof of compliance with ALTA’s Best Practices.  By being proactive, working diligently to implement the required policies and procedures, and securing a certification of compliance before it’s required, your practice will be prepared.  Doing so today, while it is relatively easy to find a credible independent third party to assess your compliance, can ensure that you continue to service lenders once they formally announce their requirements.  Remember, when the storm begins, there may not be enough umbrellas to go around.