A Guide to the Updated FTC Rules for Mortgage Companies

According to the FTC, the Safeguard Rule’s clear purpose “is to strengthen the data security safeguards that covered companies must put in place to protect customers’ personal information.” The change is in line with the global regulatory emphasis on how companies handle personally identifiable information (PII), and is the latest effort in a series of attempts to prevent issues like data breaches.

The Rule applies to financial organizations within the FTC’s jurisdiction under section 505 of the Gramm-Leach-Bliley Act. The FTC website provides a comprehensive list of covered businesses, but it’s important to bear in mind that their definition of financial institutions isn’t limited to traditional banks alone. Mortgage lenders of all sizes are likely to be affected, so be sure to consult the official document if you’re unsure whether the Rule applies to your business.

• Ensure the security and confidentiality of customer data
• Protect against likely threats or hazards to the integrity or security of private data
• Protect against unauthorized access to information which could harm or inconvenience customers

Companies covered by the Rule will need to develop and roll out a comprehensive information security program — and quickly. There are nine core elements of the program, as indicated by the FTC:

• Designate a Qualified Individual to oversee the program.
• Perform a risk assessment to determine internal and external risks and threats to the confidentiality and integrity of customer data.
• Develop and implement safeguards to mitigate identified risks. (Note that this step is broken down further into a separate eight-step process, including data encryption, multi-factor authentication, and the secure disposal of customer data.)
• Consistently monitor and test the effectiveness of safeguards.
• Educate staff with security awareness training and perform routine follow-up training.
• Monitor any service providers and ensure they also have appropriate safeguards in place.
• Keep your information security program up-to-date.
• Create a written incident response plan unique to your business’s specific needs. (This plan is further broken down into seven elements, outlined under Section 314.4(h) of the Safeguards Rule.)
• Have your Qualified Individual report to the Board of Directors and provide annual written reports, which must include an overall assessment of the company’s compliance with the information security program.

If your mortgage company hasn’t already put efforts in place to comply with the FTC Safeguards Rule, it’s not too late to prepare. Here are five steps to consider as you develop your plan for compliance.

As mentioned above, the FTC Safeguards Rule requires a Qualified Individual who will oversee the development and maintenance of your business’s customer information security program. While there may be someone within your organization who fits this role, it’s also possible to appoint an outsourced service provider. The core requirement for the title is experience in managing security operations.

Before you can determine whether you have the appropriate data safeguards in place, you must first identify all internal and external assets with access to customer information. Known as digital footprint mapping, this can be a drawn-out process and may require cross-functional collaboration. Be sure to include previous third-party vendors.

Aside from simply knowing which assets hold customer data, you’ll also need to evaluate how data flows throughout your organization. Consider the lifecycle of customer data from the very first encounter, and identify points of collection, transmission, storage, and destruction. While the FTC Rule mostly pertains to sensitive financial data, such as credit card numbers and Social Security numbers, it’s also advisable to incorporate basic contact information, as these details could be used for phishing scams or other types of cybercrime. As you perform this data mapping exercise, consider apps, systems, devices, departments, and cloud solutions that may collect, process, or store data.

The next step is to review your data security policies and practices and compare them against the updated FTC Safeguards Rule through a comprehensive risk assessment. If you spot gaps or vulnerabilities, don’t panic. Identifying these issues now still gives you time to implement safeguards before the compliance date takes effect. Yet, you don’t want to wait too long — even if the compliance date isn’t until June, waiting to act still leaves your company vulnerable to cyber threats which could have devastating consequences.

Unfortunately, most traditional data security risk assessments are too broad to identify weak points through the lens of FTC compliance. You should therefore implement the help of a specialty cybersecurity firm, who will not only uncover vulnerabilities, but implement effective solutions to safeguard your data for both compliance and overall business protection. If your mortgage company needs assistance FTC Safeguards Rule compliance, contact IT ArchiTeks for customized solutions or book your FTC Safeguards Strategy Session today!