Should a Settlement Agency Be Considered a Daycare for Customer Data?

Protect Computer DataAll too often, title and settlement agents give little more than a passing thought to the importance of protecting highly sensitive customer data.  But to the lenders we service, the care and protection of the customer data with which we’re entrusted is extremely important.  That’s because the law unequivocally requires customer data to be protected and, on at least an annual basis, various federal regulators are going to conduct multi-day, in-office assessments of lenders’ policies, procedures, and actual practices to ensure lenders are effectively protecting that data, even when it is in the hands of settlement agents.  Lenders realize that if they fail to protect the data, it can cost millions of dollars in fines, and even more importantly, the incalculable damage associated with the loss of customer confidence.  Title agents need to be more aware of the lender’s perspective on the importance of protecting customer data.

Title agents should think of lender data as the lender’s child and their role in protecting it as that of the lender’s daycare agency.  I think lenders would agree that this is an appropriate analogy.  The care of one’s child and the care of customer data are both of paramount importance.  In this analogy, lenders want to be sure their “sons or daughters” are cared for in a safe and secure “daycare facility” while out of their direct control.  They would want to be assured that while their “child” is at the daycare, it’s protected from a whole variety of rare, but very possible occurrences.  For example, as a parent evaluating a daycare facility, you would likely want to be assured that:

  • No one can randomly walk into the facility and leave with your child.
  • If there was a fire or a tornado, the daycare has a pre-established exit plan to ensure everyone stays safe.
  • During the day, your child’s growing mind is properly nurtured, and you are kept advised about the positive ways the daycare staff is handling those responsibilities.
  • If the daycare takes your child on field trips, there are policies and procedures in place to ensure there will always be enough chaperones, and they are properly trained to watch over the children when they are away from your secure facility.
  • The daycare is regularly inspected by a daycare licensing agency, it has a comprehensive manual outlining processes for carrying out day-to-day responsibilities, and it has an unrestricted offer to allow you to stop by anytime to personally inspect the high degree of care your child is receiving.

You can see the analogy.  If title agencies had been treating lenders’ customer data with the same degree of care that parents would want a daycare to treat their child, there never would have been a need for ALTA to develop a set of Best Practices for the title and settlement industry.  Unfortunately, title agents haven’t always been able to assure their lenders that they do everything they can to protect the confidentiality of lender customer data.  It’s not that title agents ever intended to mishandle confidential data– it’s just that many became lax in the handling of their files.  This “lax attitude” can be attributed to two separate, but complementary, factors.

First, in the past, lenders had never placed an emphasis on title agents’ demonstrating utilization of any sort of best practices when handling customer data.  This expectation is changing as lenders are implementing vendor management strategies that involve contracts specifically describing what they expect from their third-party vendors.  See the recent blog published by Venable LLP, entitled “Five Tips for Addressing Information Security in Your Service Contracts,”  that provides lenders advice about what they should be requiring of entities like title agents.

Secondly, title agents over the years have become desensitized to handling the substantial amount of highly confidential data contained in the files we use in our day-to-day jobs.  As a result, closing files were routinely passed from person to person throughout the office and left readily accessible (to even the unsupervised night cleaning staff) in unsecured file cabinets or storage boxes.  Many of these files housed copies of borrowers’ 1003 loan applications, which contained intimate details about the borrowers’ earnings, bank account and credit card numbers, and outstanding balances, along with a host of other historical financial data.  Title agents simply treated all this confidential information in those files as routine paperwork necessary for producing a HUD-1 or Closing Disclosure.  This was in stark contrast to how they treated their own personal data.  For example, at the end of each pay period, many title agents receive a sealed envelope containing their paycheck.  The envelope is sealed because “what we are paid” is generally deemed “confidential.”  To keep that paycheck data private, most agents will personally deposit their checks in the bank, rather than allow a colleague to deposit them during a regular bank run to deposit closing funds.  That’s the paradox—we treat our $796.78 weekly paycheck deposit as confidential and something to be handled personally to ensure it remains confidential, but routinely allow a less-seasoned staff  access to files containing the “mother lode” of clients’ most intimate financial history.

As regulatory pressure continues to increase for lenders to demonstrate their protection of customer data, it is inevitable that lenders will begin to require title agents to enter into written service agreements, and such service contracts likely are to become increasingly more detailed.  The blogs at the below links provide insight into what third parties can expect that lenders will start incorporating into their third-party contracts, based on advisement they are receiving.

Got Vendors?  Guidelines for Third-Party Vendor Management

NY Department of Financial Services: check your vendors’ cybersecurity

Lawsky warns banks to face their vendor backdoors

As time progresses and lenders become better at documenting their expectations and requirements for title agents’ handling of confidential data, title agents will need to change their internal work processes.  They eventually will evolve into daycare centers for data and will demonstrate the appropriate degree of care required of that role.  ALTA’s Best Practices is a framework for achieving this expected degree of care.  By taking steps to develop adequate internal policies and procedures, and implementing them throughout your organization, you will be prepared to confidently sign almost any service-level contract that a lender will send you in the future.  If you need help developing your policies and procedures or certifying that you are in compliance with ATA Best Practices, give PYA a call, (800) 270-9629.