So far, our blog series has covered “Current Lender Requirements for ALTA Best Practices Adherence,” “An Initial Look at Available Best Practices Adoption Data,” “ALTA Best Practices—Who is Requiring What,” and “Motivating Forces Behind Lender Best Practices Requirements.” In this blog, we’ll look at the pros and cons associated with submitting a “self-certification” of compliance.
On the positive side, providing your lender with a self-certification of compliance appears to be cheaper than hiring a third party to perform an independent assessment. While an important consideration for the title agent, the downside is that doing so provides the lender with the lowest level of assurance, and therefore may not be acceptable to future lenders who may request a higher level of compliance assurance. (As noted in earlier blogs, a number of lenders specifically have stated that self-certification is not an acceptable way to demonstrate compliance). However, perhaps the greatest negative to this approach is summed up in the old adage “you only know what you know.” Without the benefit of a knowledgeable third party, familiar with all that ALTA Best Practices encompass, there really is no way to confirm that “what you know” is truly all that “you’re supposed to know.”
Unless the title agent has an in-depth understanding of all provisions in the ALTA Best Practices Assessment Procedures 2.1, and is 100% confident that he can remain compliant with these procedures, a self-certification could turn out to be an “affirmative misrepresentation.” When selling a car or house, the legal concept of “caveat emptor” or “let the buyer beware” generally applies, but with a self-certification, it’s just the opposite. You are making an affirmative representation that you have completed a thorough assessment of your day-to-day operations, and have determined that you are compliant with every aspect of ALTA Best Practices! Furthermore, in most cases, signing such a certification becomes an express representation of your commitment to ongoing compliance with these publically available standard procedures. All of these representations are provided with the express intent to encourage a lender to allow you to assist them in their compliance with state and national laws. A self-certification is a far cry from telling the person buying your used car that “it runs well.”
What does a self-certification look like?
Some lenders provide their own lender-developed form and merely ask you to sign it. Obviously, it is critical that you carefully read and understand the language utilized. Some forms may contain language and terms that are even broader than those covered in ALTA Best Practices.
ALTA has provided another solution in the form of a “Compliance Management Report.” Free to ALTA members, this document is a high-level report that companies can complete to provide the results of a self-assessment to lenders or other third parties. This form compels users to first complete self-assessments, using the Assessment Readiness Guides, before attesting they meet all of the Best Practices standards. In my opinion, this approach is far superior to “just signing” a lender-developed document. If you go through the process ALTA developed, you can feel confident in the representations you’re making or make the decision that you’re not ready to provide a self-certification.
Lastly, some seemingly less significant actions you take may give rise to the inference that you are making a representation of compliance. For example, if the lender’s letter makes it clear you are to submit “proof of compliance with ALTA’s Best Practices” program, and then only asks for a copy of your written policies and procedures manual, your submission likely will be deemed a self-certification of compliance. Essentially, by responding to the lender’s request, you are providing implied representation that: (1) the manual is in conformity with the ALTA Best Practices Framework, and (2) that you are actually adhering to, and performing, all of those policies and procedures as they appear in the manual. If you have merely completed the manual, but haven’t implemented all specified procedures, there is real risk that sending a copy of your manual could be deemed a misrepresentation of compliance.
In addition, since the lender is assuming that the manual you submit describes the procedures you actually employ, if you make changes to your manual thereafter, you must send the lender your updated versions. (When an assessment of your compliance is done by an independent third party, and an ALTA “certification package” is utilized, a copy of your manual is usually not produced with the certification of compliance, so periodic changes thereafter would not require submission of all manual updates.)
What’s the potential financial risk of self-certification?
As noted above, a self-certification of compliance is an expressed representation that your office is exercising specifically defined controls when handling customer information. A self-certification is an affirmation that you are using encrypted email, employing specific security controls with regard to data on your computers, limiting access to NPI, reconciling your escrow accounts daily, and a host of other processes, all designed to protect customer information. A recent CFPB enforcement action makes it very clear that if you are making representations that such safeguards are being employed, your failure to actually implement such safeguards can be extremely costly.
In a recent enforcement action, CFPB alleged that Dwolla, a company providing “PayPal”-type services, engaged in deceptive acts and practices by misrepresenting to consumers that it had “reasonable and appropriate data security practices.” There is no allegation that any data was improperly accessed; only that Dwolla had publicly represented to its clients that it exercised appropriate safeguards. For this infraction, the CFPB fined Dwolla $100,000. In addition, the CFPB imposed a requirement upon the board of directors to file periodic reports demonstrating its future compliance for the next five years.
This demonstrates the danger of executing a self-certification that, upon later inspection, might be found to have overstated the security measures actually employed in your operation. Self-certification can be a low-cost option for meeting the needs of those lenders who allow such proof of compliance, but self-certification also can expose the agent to substantial risks if compliance with ALTA Best Practices is overstated or misrepresented.