Title companies, settlement companies, title agents, closing attorneys, closing agents, and real estate settlement attorneys or professionals (collectively referred to herein as “title agents”) looking for a competitive edge in the mortgage lending game now have a powerful switch-hitter to add to the line-up: certification of compliance with American Land Title Association Best Practices Framework: Title Insurance and Settlement Company Best Practices (ALTA Best Practices).
In today’s landscape of cyber threats, the Consumer Financial Protection Bureau (CFPB) and other regulators expect financial institutions (lenders) and their third-party service providers (in particular title agents) to take appropriate steps to protect borrowers’ personally identifiable information, personal private information, personal private data or non-public personal information (NPI). To maintain their competitive position with lenders, title agents must demonstrate that they are following best practices for handling NPI in use, transfer, storage, and disposal.
Batter on Deck: ALTA Best Practices
ALTA Best Practices aim to help title agents demonstrate that they have proper policies, procedures, and controls in place to help ensure compliance with real estate closing laws and regulations designed to protect borrowers’ personal information. ALTA Best Practices are a voluntary set of industry-developed standards and were not designed to meet state legal requirements or be CFPB compliant. If state laws or CFPB regulations are more stringent, you should ensure that your policies, procedures, and controls comply with those laws and regulations.
Some lenders require title agents to obtain third-party assurance of compliance with ALTA Best Practices to continue to conduct business with that agent or to keep them on the “approved list.”
ALTA also provides ALTA Best Practices Framework: Assessment Procedures (Assessment Procedures) for determining the title agent’s ALTA Best Practices compliance. You can engage any organization to perform the compliance certification, but we recommend speaking with your lender clients to determine whether they will accept a certification from that organization. Our experience with lenders has shown that in most cases they prefer receiving a compliance certification assurance report from a CPA firm. Because of CPA firms’ independence, objectivity, and professional standards, lenders have long relied on them to mitigate business risk by providing assurance on financial and nonfinancial information.
ALTA Best Practices are broken down into seven “pillars.” The third pillar, which is the most in-depth and addresses potentially the most damaging business risk, involves adopting and maintaining a privacy and information security program to protect consumers’ NPI. CPA firms assessing a title agent’s compliance with ALTA Best Practices must perform a total of 17 separate procedures (and numerous sub-procedures) to evaluate the title agent’s information security policies and controls. These procedures range from ensuring the company has a written information security plan that is updated at least annually to inspecting policies and controls over record retention and disposal.
Game Plan: Constant Vigilance
Demonstrating compliance with ALTA Best Practices might seem overwhelming, but title agents that adopt the following five-point strategy will be well ahead of the game.
1. Assess risks. An effective risk assessment begins with defining all of the people and systems that “touch” the data, whether in an encrypted or unencrypted state, from the time it is received until it is destroyed. This evaluation of risks should also answer questions about how the data flows through the organization, including, but not limited to, the following:
- Where and how is data received by the information system(s)?
- How is data protected during the transmission process?
- Where does data rest—with the business itself or with a third-party data center?
- What are potential internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of the data?
- At what points and to whom is the data available as an unencrypted file (also known as “in the clear”)?
2. Review controls (or lack thereof) at each touch point. Understanding all of these risks provides a basis from which to evaluate controls that mitigate them. Organizations should have in place policies and controls to protect NPI whether it is in use or being transferred, stored, or destroyed. While advanced controls—such as encrypting data at rest—require additional money and resources (storage space, hardware, software, IT personnel), they can drastically reduce the risk of data exposure in the event a database is compromised.
3. Implement policies and training to strengthen controls. Even the best technological controls can be defeated by a single wrong click by an employee, which makes the human factor the number one risk to data. Many of the ALTA Best Practices Assessment Procedures boil down to ensuring that the right policies and training are in place to instill a culture of data security. The overarching message of information security policies and training should emphasize the need to prioritize long-term security over short-term convenience. For example, the organization should have a policy that specifies which types of data must be transferred using a secure file transfer site (or in an encrypted state) rather than via regular email.
4. Test frequently. The ALTA Best Practices Assessment Procedures specifically require the title company to demonstrate that qualified independent staff regularly tests the effectiveness of key information security controls, systems, and procedures. The level of control risk drives the frequency of testing. Most IT control risks will warrant at least annual testing, as required by ALTA Best Practices.
5. Remain vigilant. Data security requires constant vigilance and determination. Title companies should invest the time and money to regularly update risk assessments, implement new information security controls as risks and circumstances change, and monitor the effectiveness of all policies and controls.
ALTA and the CFPB have made it clear that even the smallest title agent has an obligation to protect the data they have collected. Every member of the company that has any part in the use, transmission, storage, or disposal of NPI must clearly understand this responsibility and the associated policies and controls to safeguard it.
CRI Can Help You Join the ALTA Compliance Major League
With major league expertise in protecting data security and providing certification assurance regarding ALTA Best Practices compliance, CRI can help evaluate your IT policies and controls or provide independent assurance that those policies and controls follow ALTA Best Practices. Contact us to learn how we can help get your company ready through our ALTA Best Practices Readiness Assessment.