Reading this on a computer that someone can hack into? Don’t forget that the FDIC put out a nifty guide to cyber-security – and you don’t have to be a bank to glean something.
Does your bank use a computer to watch your money or help you make home loans? The Financial Services Information Sharing and Analysis Center, in collaboration with various industry groups, including SIFMA, has pioneered the Sheltered Harbor plan through which banks will keep a secure backup of client data in an industry-standardized format to allow recovery after a cybersecurity or natural disaster. “The data is encrypted, it’s immutable, it’s in storage, should another firm need to have access to it,” said Tom Wagner, SIFMA’s managing director of financial services operations.
Rules being drafted by the Federal Reserve, Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. governing cybersecurity in the banking industry could eventually be a model for regulations governing the money management industry, industry participants say. “It’s possible that the [Securities and Exchange Commission] or [Commodity Futures Trading Commission] could conform, or at least harmonize, any current or future cybersecurity requirements with federal bank cybersecurity standards,” says Charles Horn, partner at Morgan, Lewis & Bockius.
New York Governor Cuomo recently issued proposed cyber security regulations for banks in the state to follow and other states may use this as a template. At the heart of the new regulations is a desire to protect consumers and the state’s financial system due to the growing problem of cyber-attacks targeting financial institutions. The proposed rules compel financial institutions of all sorts to take the necessary steps to construct and secure their systems against potential harm from terrorist networks or other criminal organizations. The rules also require institutions to perform regular risk assessments of their systems and to certify that they are complying with the rules each year. Though the new rules will create an additional level of regulation for financial service firms, New York’s Department of Financial Services says that it took careful steps to ensure that any new regulation would not impede innovation within the banking industry. The regulator argues that the new rules merely ensure that financial institutions are keeping up with technological advancements.
Also under the proposed rule, financial institutions would be required to have a robust cyber security system in place. That system would also have to be led by an executive officer. Other requirements include: creating a cyber security program; putting cyber security policies in writing; designating a chief information security officer (tasked with implementing, overseeing and enforcing the organization’s cyber security program); and establishing policies and procedures to ensure the security of any information systems or nonpublic information that is accessible to or held by third-party providers.
Further, the new rules require financial institutions to notify New York’s Department of Financial Services of any data breaches within 72 hours. As we indicated at the outset, many regulators across the country are working on additional cyber security rules, so some of this could ultimately be absorbed into those rules as well. For community bankers, any additional regulation comes at a high cost. To help, the Financial Services Information Sharing and Analysis Center (FS-ISAC) has made resources available to community banks in this area. For just $250 per year, banks with less than $1B in assets or less than $10mm in revenue can subscribe to weekly cyber updates. Yet another resource for community banks when it comes to cyber is the US Computer Emergency Readiness Team (US-CERT). US-CERT is part of the Department of Homeland Security and it provides publications and educational materials, along with subscription alerts.
Quicken Loans’ Jeremy Potter writes, “In the same week that a regulator announced action against Lincoln Financial for cybersecurity and vendor management failures, HUD announced a breach of its own. According to reports, HUD exposed private data for almost 500,000 consumers. The two breaches occurred in August and September of this year. It appears to be a minor issue (last name, last 4 digits of SSN and housing address) without any use of the exposed data yet. “We are all familiar with these stories by now and the HUD story barely made headlines. The reason I thought it was important to include the SEC order against Lincoln Financial is that the language of the order is textbook vendor management and cybersecurity. In other words, how SEC determined Lincoln Financial should have acted between 2011-2015 is exactly the expectation CFPB has for all financial services firms today. Firms must conduct robust vendor management particularly around cybersecurity. What’s interesting here is Lincoln Financial had a vendor establishing firewalls & other protections but did not require the ability to select/approve the firewall or oversee the ongoing upkeep. Just asking for a firewall was not enough (admittedly, in part because a breach did ultimately occur), the firm must understand the different types of oversee the selection and execution of getting one up and running. “The growing risk to all companies is that as the threats become increasingly sophisticated and successful no amount of preparation will save us from a regulatory lookback. The fact is that the breach itself is a sign to regulators of a deficiency even if they themselves cannot protect against it. Once the breach occurs, it is almost certain that an order will follow even if all the proper policies, procedures and tests matched the firm’s activities. 
This is just a reality and underscores the value of cybersecurity spending and planning because we can protect against headline risk and mitigate (but not eliminate) regulatory costs should anything ever happen.” Mr. Potter finished up with, “Even though regulators acknowledge that vendors are necessary in today’s complex world, there is still a lack of specific standards around what safe harbor, if any, exists when establishing a vendor management program. CFPB continues to issue policy-type statements which deserve our attention, but no one feels confident in the standard compliance life cycle – risk assessment, policy, procedure, implementation, monitoring, and auditing – when it comes to cybersecurity and vendors.”
Changing lanes to the current state of the appraisal biz, Sam Heskel, CEO of Nadlan Valuation, sees some improvement ahead for appraisal turn times, in part driven by the election of Donald Trump. How so? “Since Trump was elected, the average 30-year mortgage rate has shot up by 50 basis points, one of the biggest one-month jumps in more than a decade. One of the reasons behind the surge is the belief that his economic program will boost growth, which will raise inflation and therefore interest rates. At the same time, Trump’s plans for tax cuts and huge infrastructure and defense spending, while leaving Social Security and other entitlement benefits alone, will add trillions to the federal debt, which also puts upward pressure on rates,” per Sam.
“That’s one of the reasons I think the real estate market will slow, easing the pressure on appraisers, who have been hit with higher than usual volume over the past several months. We are also about to head into the natural cycle of a slower real estate market in the winter, with home sales easing in about half of the country.
“And while Trump’s victory may have sparked the surge in interest rates, his presidency will likely be otherwise beneficial to the housing and home finance industries, including the appraisal business. The president-elect’s transition team has already made clear its intention to dismantle the Dodd-Frank financial reform law, including the Consumer Financial Protection Bureau. While the details of what he might do are still premature, we can probably rest assured that a real estate man like Trump will not do things that make it more difficult for the industry to sell homes and close loans, according to Sam. At the very least, we can expect some rollback or easing of regulations that have added to longer appraisal turn times.”
Andrew Liput, President and CEO of SecureInsight, writes, “We now know that our next President will be New York real estate mogul Donald J. Trump. Immediately after the election the industry was buzzing with articles predicting that a Trump Presidency would mean the death knell for the Consumer Financial Protection Bureau (CFPB). It will never happen for several reasons.
“First, Mr. Trump did not campaign on a platform to decrease consumer protections in financial transactions. His support for business growth might be a signal to reduce some of the industry’s regulatory morass to help reduce costs and increase lending opportunities. Mr. Trump, however, did not run a typical Republican campaign; he was more of a nationalist/populist candidate. His appeal went beyond typical business interests to working and middle class Americans concerned about the economy, government expansion, and ‘ruling elites,’ among other issues. Eliminating an agency whose stated purpose is to protect consumers from unfair, unethical and self-serving finance industry practices is not a populist position.
“Second, the jury is out whether a President Trump can legally remove CFPB Director Cordray and exert influence over how the CFPB will operate. While the recent PHH decision signaled that at least one court considered the independent management structure of the Agency unconstitutional, in that it concentrated too much power into the hands of one person, unelected and without executive branch supervision, that decision is presently being appealed and an affirmation of the lower court ruling is not guaranteed.
“Third, the CFPB does some really good work. While we may not want thousands of pages of new regulations, and occasionally the Bureau has acted as if it has little practical understanding of how the mortgage industry operates, the truth is that consumers have been better off with the Bureau in place. The CFPB has addressed real issues regarding the need for transparency, accountability and quality lending practices; in a moment of honest reflection, seasoned industry professionals must agree that regardless of their concerns that these initiatives made sense.
“From where we sit in the ivory tower of SSI, this also means that vendor management rules are unlikely to change. Even the most recent ‘clarifications’ regarding third party servicer provider risk management have not changed the basic premise that lenders who expose their funds and a consumer’s NPPI to strangers must be accountable for doing so. This means knowing who your vendors are, monitoring them for risk and cutting off harmful relationships before a consumer suffers injury or loss.” Thanks Andrew!
My mother’s a Realtor and my father’s an LO,
So my house is divided as this letter will show.
My mom can list and sell any home
And my dad always promises to close every loan.
But what I’ve observed is not actually the case –
For it seems that most deals blow up in their face.
It starts with the sellers, and the sales price they set,
My mom says you can wish, but that won’t be what you get.
She goes round-n-round, and sometimes for months;
Open houses, new pictures, and all kinds of stunts.
Finally a buyer, now that the price looks right.
Funny thing is, it’s what mommy mentioned the first night –
When she met with the sellers, and got their listing…
Oh well, let’s hope the buyers qualify – back to the wishing.
In comes daddy, to give it a try…
Their credit looks good, so they pre-qualify.
The next few days, the buyers gather their stuff
And now all of sudden, this file looks tough.
Daddy always says, his job is like a game…
What buyers tell you then show you, are never the same.
Between loan apps and emails and all types of faxes –
What a buyer says is his income, is not what’s on his taxes.
So daddy calls his lenders to figure this out
He really wants to help the buyers get into this house.
The lenders all say they will give it a go –
Submit it to DU, and see what DU will show.
Is it FHA or Conventional or possibly VA?
DU likes the findings, and says it’s ok.
So the file goes into underwriting, and the process begins…
A 30-day closing is how everyone hopes this will end.
3 weeks go by, and all goes off without a hitch…
Then the appraisal comes in under value, ain’t this a b*$ch?!
Come to find out, the appraiser’s from Dallas –
So he really doesn’t know, Houston from Alice.
Now everyone’s upset – the sellers especially –
So much for this transaction on closing successfully.
Referrals a plenty, is what mom and dad were wishin’
Now they’ll be lucky to just get the commission.
You see Santa,…this is what I see –
A business full of headaches and misery.
The Realtors blame the loan officers and they blame the lenders
And the buyers and sellers both play the pretenders.
To finish my story, just so you know
Some 60 days later, the loan finally closed.
I heard it was a “nightmare” as all of them are…
But mommy said that “this one by far…”
“…was the worst of them all!” And I’ll hear that again –
But for now, mom and daddy are back to being friends.
I did want a bike or a skateboard for thrashin’
But all I want for Christmas is a smooth transaction!
Thank you Santa!
If you’re interested, visit my periodic blog at the STRATMOR Group web site. The current blog is, “Election Day 2016 is Over – Now What?” If you have both the time and inclination, make a comment on what I have written, or on other comments so that folks can learn what’s going on out there from the other readers.
(Market data provided in partnership with MBS Live. For free job postings and to view candidate resumes visit LenderNews. Currently there are over 300 mortgage professionals looking for operations, secondary and management roles. For up-to-date mortgage news visit Mortgage News Daily. For archived commentaries, or to subscribe, go to www.robchrisman.com. Copyright 2016 Chrisman LLC. All rights reserved. Occasional paid job listings do appear. This report or any portion hereof may not be reprinted, sold or redistributed without the written consent of Rob Chrisman.)