Apr. 7: Notes on lending disparity; cybersecurity – blockchain a solution looking for a problem?

“Rob, have you ever heard that underwriters are like cats? They’re either really indecisive, or they like to assess all the risk factors before making a decision.” I have now – thanks. I mentioned this to my cat Myrtle as I was standing there with the door open, asking her, “In or out, in or out?”

Lending disparity

Maria Vergara, the President of NAHREP Consulting Services, sent, “Your readers should remember that owning a home remains the most reliable way for American families to build wealth and is often financially better than renting. But access to homeownership is not equal. Hispanic and black households still have lower homeownership rates than non-Hispanic white households. The gap is getting narrower, but still needs to be addressed. Many factors contribute to this disparity and understanding their impacts can be difficult. There is new research from the Urban Institute and Sloan Foundation’s Administrative Data Research Facility that shows a considerable gap in homeownership rates between neighborhoods with low levels of limited English proficient (LEP) residents and those with higher levels of LEP residents.

“The report said, among other things, ‘If we control for other factors that influence homeownership (e.g., income, age, and race), neighborhoods with the highest concentrations of LEP residents have homeownership rates 5 percentage points lower than rates in neighborhoods with the median concentration of LEP residents. Limited English proficiency has a considerable impact on homeownership rates.’ This research establishes that it is a barrier on top of other, more researched barriers. This finding suggests that we might expand homeownership by better serving the LEP community.”

Computer stuff, oh, and will blockchain fix everything?

To the average person, which I find myself below quite often, blockchain is a mystery. The basic premise of blockchain is that it is a data management structure, often referred to as a “distributed ledger,” which can be read by all users and accessed using individualized keys, which are essentially passwords. When users transact, they create a package of information referred to as a “block” that is chained to the prior transaction blocks through digital fingerprints called “hashes.” The shared ledger, which does not rely on a single central database, is updated periodically. A blockchain can be public or private. In the case of public land records, it would be public and therefore provide universal access to title information. That said…

Decisions by Depository Trust & Clearing Corp., BNP Paribas and SIX Group to stop working on blockchain projects reflect Wall Street’s concerns about industry readiness and cost. “Basically, [blockchain has become] a solution in search of a problem,” said DTCC’s Murray Pozmanter.

Yet Ranieri Solutions, a financial services technology investment firm founded by Lewis S. Ranieri, father of the securitized mortgage market, has partnered with Symbiont, the market-leading blockchain and smart contract company, to explore opportunities to use Symbiont’s platform to systemically improve all aspects of the mortgage industry. The combination of Ranieri’s deep knowledge of the mortgage market coupled with Symbiont’s expertise in deploying enterprise blockchain networks led to the partnership between the firms.

“The mortgage market, despite significant efforts, continues to lag behind from a technological standpoint creating inefficiencies that impact mortgage loans throughout their life cycle,” Mr. Ranieri said. “By partnering with Symbiont, a proven blockchain pioneer, Ranieri Solutions believes that together we can implement this transformative technology to bring necessary efficiencies, transparency, and security to the mortgage markets.”

American Banker published a fine note from Michael E. Reyen. “Since the financial crisis of 2008, there has been a certain level of distrust with respect to residential mortgages. This distrust is rooted in the secondary mortgage market, in which thousands of residential mortgage loans were originated and then sold and assigned to successor lenders and/or trustees, sometimes multiple times. The documentation for many of these assignments was sloppy or nonexistent — giving rise to numerous robo-signing scandals and judges across the country who took it upon themselves to crusade against banks within the foreclosure process. All of this resulted in a much slower and more expensive mortgage foreclosure process — and raised mortgage costs more generally. The current practice of requiring title insurance for all mortgage loans also adds complexity and cost to the mortgage lending process.

“But it’s possible that blockchain technology could provide an answer to all of these problems. There is currently a heightened focus on the use of blockchain technology for various types of transactions, including by the public sector. The Deloitte Center for Government Insights found last March that land registration was the second most popular area of focus for public-sector experiments being conducted with blockchain, behind digital payments and currency. Countries including Sweden, Georgia and Honduras have studied potential applications to land registries, and Burlington, Vermont, is currently running a small pilot program testing the idea.

“There are a number of potential benefits in using blockchain for land administration and mortgage collateral. By putting property records on a blockchain, government officials could combine the act of conveyance (transferring ownership from one party to another) and the act of providing notice through recording, which would eliminate risks relating to the gap in time between execution and recording and address documents being lost in the recording process. The process could also decrease reliance on title insurance by offering a more easily accessible title record that combines information from multiple government offices — and it would allow for less localized record keeping. If you don’t have to access the title record through local services/title companies/attorneys, it should decrease the cost of the overall process. Because the record is immutable, it cannot be changed or tampered with, reducing opportunities for fraud. Use of blockchain could also improve the accuracy of these records by eliminating human input error.”
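The hash chaining described earlier, where each block carries the fingerprint of the one before it, is what makes a change to an earlier title record detectable. The sketch below is an added example, not code from this commentary or from any firm named in it; the record fields, parcel ID and function names are constructed for illustration, and it models only the chaining, not distribution or consensus.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first block


def block_hash(prev_hash, record):
    """Fingerprint a block: SHA-256 over the prior hash plus the record."""
    payload = json.dumps({"prev": prev_hash, "record": record}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_block(chain, record):
    """Chain a new record to the hash of the block before it."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev_hash, "record": record,
                  "hash": block_hash(prev_hash, record)})
    return chain


def first_invalid_block(chain):
    """Return the index of the first block that fails verification, or None."""
    prev_hash = GENESIS
    for i, block in enumerate(chain):
        if block["prev"] != prev_hash:
            return i  # link to the prior block is broken
        if block["hash"] != block_hash(prev_hash, block["record"]):
            return i  # record no longer matches its fingerprint
        prev_hash = block["hash"]
    return None


def build_sample_ledger():
    """Constructed sample data: three conveyances of one fictional parcel."""
    chain = []
    append_block(chain, {"parcel": "LOT-0001", "grantor": "Builder Co", "grantee": "Alice"})
    append_block(chain, {"parcel": "LOT-0001", "grantor": "Alice", "grantee": "Bob"})
    append_block(chain, {"parcel": "LOT-0001", "grantor": "Bob", "grantee": "Carol"})
    return chain


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("intact ledger:", first_invalid_block(ledger))
    ledger[1]["record"]["grantee"] = "Mallory"  # edit an earlier record in place
    print("after edit:", first_invalid_block(ledger))
```

Hashing alone makes an edit evident only to a party holding an independent copy of the later hashes; whoever controls every copy can recompute the whole chain.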

The STRATMOR Group’s current blog is, “How Good is Your Company’s Cyber-Security?”

A global CFO survey by the Hackett Group finds only 33% have the appropriate resources and personnel in place to implement their digital plan. The most difficult aspect is the lack of experienced personnel, as competition comes from across all industries for the same pool of talent.

On April 3rd, the Financial Crimes Enforcement Network (FinCEN) issued Frequently Asked Questions (FAQs) on the new Customer Due Diligence (CDD) requirements going into effect May 11, 2018. 37 questions are posed and answered in the FAQ.

If you’re interested in penetration testing, GFMA has released a framework of detailed guidance to help financial institutions adequately test the resilience of cybersecurity precautions through penetration testing and to assure regulators correct procedures are observed. “The goal of the GFMA proposal is not to compete with existing frameworks but rather to coordinate their development and use to ensure that financial institutions are able to safely, securely and efficiently increase their cyber resilience while complying with their supervisory requirements.”

Every lender and bank knows it can be difficult and expensive to develop an in-house cyber security team. This is true, in part, because of a nationwide shortage of cyber security talent. For community banks and smaller lenders, outsourcing IT security can be good, but it also can increase risks. CEOs usually start by asking how complex your IT environment might be and fit that to the skills of your technology team. The more locations, servers, devices and access points you have, the more complicated the necessary security arrangements will need to be.

Another thing to consider here is whether your company is easily handling regulatory and reporting requirements, or whether such tasks are taking up a disproportionate amount of staff resources and time. Then you can determine the best way to proceed.

What about disaster recovery? Hurricanes, earthquakes, floods… In the case of a natural disaster, it is important to recover quickly. To do so, you need to recover facilities, data, and customer access points as you manage and monitor branch systems as things get back to normal.

Lenders and bankers are fearful and dealing constantly with cyberattacks. Having confidence in a team is one thing, but doing penetration testing, having more targeted audits and other factors can help ensure expectations meet reality. Security monitoring is one of the services most commonly outsourced to a third-party provider. If your bank lacks the budget or personnel to handle comprehensive monitoring and security alerts, this is a place where a vendor may add value.

Planning for a real security incident is important. As part of your preparation for that possibility, you may want to establish a relationship with a vendor that specializes in forensics and incident response. Having their number at your fingertips in the heat of a crisis can make the difference between a stumble and a coordinated, logical response.


Steve Brown from PCBB recommends that, “Third-party security testing is a best practice, if your bank develops some of the IT-based services and products it offers customers, and may be a compliance requirement. Though you probably do your own testing as well, there’s no substitute for an outside firm with the objectivity and expertise to really push network penetration testing, application security testing, and product security testing.

“Third-party assessments can also mean asking a vendor to examine the security measures taken by other vendors, an acquisition target, or business partners. This is a chance to see another company’s potential security gaps through a new set of eyes, before those risks complicate your own security fabric.

“Outsourcing some technology tasks may more efficiently help you manage cyber risks and allocate your resources, but it can also add risks. So, care and diligence must be used. Be selective and carefully vet all vendors diligently, as this is an area where you cannot afford to see critical mistakes.”

Mitch Tanenbaum with CyberCecurity, LLC, writes on the role of the CISO (Chief Information Security Officer), “Any lender that is not vigilant about cybersecurity is in for trouble. Regarding the CISO’s role, I think it is a big mistake for the CISO to report to the CIO. It is a total conflict of interest. Even if, under one regime, it is working OK, how well does it really work if the CISO says that the emperor has no clothes – that the CIO is doing something wrong? And, in that organizational structure, the CIO is a filter between the CISO and the executive suite. In many companies, the head of IT, whatever that is called, including CIO, reports to the CFO, so now you have way too many filters between the CISO and the Board.

“Given the lack of cyber expertise in general and cyber security expertise specifically on the Board and in the executive suite, inviting the CISO to have a seat at that table is very important. That is not a ding at those folks, it is just that it is not their focus. For decades cyber and cybersecurity weren’t that important at the strategic level. It is now critical.

“The CISO needs to be an internal evangelist for cybersecurity, intimately involved in many decisions, for example, like vendor selection. A client recently asked our opinion about the security profile of a vendor – IMPORTANTLY BEFORE they made a decision to engage this vendor. After some review we recommended they look elsewhere. The client opted for another vendor – one that had a much better cybersecurity story – and they are happy with that vendor. But the engagement must be before the decision is made.

“Another role for the CISO is to engage with customers. We often do that for clients. When their customers come visit, we are part of the conversation and when the discussion moves to cybersecurity, the client has someone on their team at the table who can answer questions and engage the customer’s technical team directly instead of saying, ‘We’ll get back to you on that.’ It makes for a much more positive impression.

“It is very difficult for smaller banks and lenders to find and retain an experienced CISO. If the CISO is good, why would they go someplace where they are going to be a department of one with no possibility of advancement? It is unlikely that most moderate size and smaller companies need more than a one-person CISO staff. Yes, a company needs operational security staff, but that staff needs to report into the CIO, not the CISO. But second, how can a company, who does not have that skillset on staff, even interview potential CISOs to figure out who has the right talent and who does not?

“CyberCecurity offers a virtual CISO service to our clients since they may only need a CISO for 10, 20 or 30 hours a month. We strongly disagree with the premise that a CISO should be doing operational cybersecurity. He or she should be directing IT to do that, not doing that him or herself. He or she should be providing advice – up to the executive suite and Board, down to the rank and file staff and across to the CIO/IT manager and other management team members.”

(Thanks to Lisa G. for this one.)

A linguistics professor told his class: “In English, a double-negative forms a positive. In some languages though, such as Russian, a double negative is still a negative. There is no language, however, wherein a double positive can form a negative.”

To which came a voice from the back of the room: “Yeah, right.”


(Copyright 2018 Chrisman LLC. All rights reserved. This report or any portion hereof may not be reprinted, sold or redistributed without the written consent of Rob Chrisman.)

Rob Chrisman