The mortgage sector is already heavily regulated, and with the upcoming compliance date for the updated FTC Safeguards Rules, lenders must be especially attentive to recent regulatory changes. If your company hasn’t already prepared for the compliance date, it’s time to act. In 2022, the FTC extended the compliance deadline by six months. Yet, the new compliance date of June 9, 2023 is rapidly approaching. Here’s what mortgage companies must know about how the updated FTC Safeguards Rule will affect their business.
Updated FTC Rules for Mortgage Companies: What You Should Know
What Does the FTC Safeguard Rule Entail?
According to the FTC, the Safeguard Rule’s clear purpose “is to strengthen the data security safeguards that covered companies must put in place to protect customers’ personal information.” The change is in line with the global regulatory emphasis on how companies handle personally identifiable information (PII), and is the latest effort in a series of attempts to prevent issues like data breaches.
The Rule applies to financial organizations within the FTC’s jurisdiction under section 505 of the Gramm-Leach-Bliley Act. The FTC website provides a comprehensive list of covered businesses, but it’s important to bear in mind that their definition of financial institutions isn’t limited to traditional banks alone. Mortgage lenders of all sizes are likely to be affected, so be sure to consult the official document if you’re unsure whether the Rule applies to your business.
The Safeguards Rule is a sweeping reform of data management policy, so many businesses will have to analyze and update their current practices for handling customer information. Broadly, the Rule requires affected companies to develop, implement, and maintain a program that safeguards customer data. Yet, specific provisions go into much further detail. For example, the Rule requires a written information security program designed to accommodate each company’s size, complexity, and nature of business. According to the FTC, the program should:
- Ensure the security and confidentiality of customer data
- Protect against likely threats or hazards to the integrity or security of private data
- Protect against unauthorized access to information which could harm or inconvenience customers
Companies covered by the Rule will need to develop and roll out a comprehensive information security program — and quickly. There are nine core elements of the program, as indicated by the FTC:
- Designate a Qualified Individual to oversee the program.
- Perform a risk assessment to determine internal and external risks and threats to the confidentiality and integrity of customer data.
- Develop and implement safeguards to mitigate identified risks. (Note that this step is broken down further into a separate eight-step process, including data encryption, multi-factor authentication, and the secure disposal of customer data.)
- Consistently monitor and test the effectiveness of safeguards.
- Educate staff with security awareness training and perform routine follow-up training.
- Monitor any service providers and ensure they also have appropriate safeguards in place.
- Keep your information security program up-to-date.
- Create a written incident response plan unique to your business’s specific needs. (This plan is further broken down into seven elements, outlined under Section 314.4(h) of the Safeguards Rule.)
- Have your Qualified Individual report to the Board of Directors and provide annual written reports, which must include an overall assessment of the company’s compliance with the information security program.
How Can Mortgage Companies Prepare for the FTC Safeguard Rule?
If your mortgage company hasn’t already put efforts in place to comply with the FTC Safeguards Rule, it’s not too late to prepare. Here are five steps to consider as you develop your plan for compliance.
1. Appoint a Qualified Individual
As mentioned above, the FTC Safeguards Rule requires a Qualified Individual who will oversee the development and maintenance of your business’s customer information security program. While there may be someone within your organization who fits this role, it’s also possible to appoint an outsourced service provider. The core requirement for the title is experience in managing security operations.
2. Identify Data Sources
Before you can determine whether you have the appropriate data safeguards in place, you must first identify all internal and external assets with access to customer information. Known as digital footprint mapping, this can be a drawn-out process and may require cross-functional collaboration. Be sure to include previous third-party vendors.
3. Map Customer Data Flows
Aside from simply knowing which assets hold customer data, you’ll also need to evaluate how data flows throughout your organization. Consider the lifecycle of customer data from the very first encounter, and identify points of collection, transmission, storage, and destruction. While the FTC Rule mostly pertains to sensitive financial data, such as credit card numbers and Social Security numbers, it’s also advisable to incorporate basic contact information, as these details could be used for phishing scams or other types of cybercrime. As you perform this data mapping exercise, consider apps, systems, devices, departments, and cloud solutions that may collect, process, or store data.
4. Evaluate Your Data Security Practices
The next step is to review your data security policies and practices and compare them against the updated FTC Safeguards Rule through a comprehensive risk assessment. If you spot gaps or vulnerabilities, don’t panic. Identifying these issues now still gives you time to implement safeguards before the compliance date takes effect. Yet, you don’t want to wait too long — even if the compliance date isn’t until June, waiting to act still leaves your company vulnerable to cyber threats which could have devastating consequences.
Unfortunately, most traditional data security risk assessments are too broad to identify weak points through the lens of FTC compliance. You should therefore implement the help of a specialty cybersecurity firm, who will not only uncover vulnerabilities, but implement effective solutions to safeguard your data for both compliance and overall business protection. If your mortgage company needs assistance FTC Safeguards Rule compliance, contact IT ArchiTeks for customized solutions or book your FTC Safeguards Strategy Session today!