July 30: Notes on HR 2121, the importance of MISMO, and cybercrime – what is “the darknet?”

I was little suspicious the other day when I received two e-mails from my cat Myrtle. One was the joke at the bottom of this e-mail. The other was more distressing. It wasn’t that the English was stilted, and that there were a couple typos. It was the fact that she claimed that she represented an employment agency, was doing a survey of salaries, and requested that copies of all my employees’ W-2s be uploaded to a secure site. I don’t even have W-2 employees.


Obviously I am making light of a very serious situation. “With the proliferation of shadowy black markets on the so-called ‘darknet’ — hidden crime bazaars that can only be accessed through special software that obscures one’s true location online — it has never been easier for disgruntled employees to harm their current or former employer. At least, this is the fear driving a growing stable of companies seeking technical solutions to detect would-be insiders.”


A study of embezzlement by US employees by Hiscox finds companies with 151 to 250 employees were hit by the following schemes most often: vendor invoices and false billing (21.4%), payroll fraud (11.8%), funds theft (8.4%), check fraud (6.8%) and credit card fraud (2.9%). Meanwhile, companies with 251 to 500 employees most often saw vendor invoices and false billing (17.9%), credit card fraud (17.6%) and funds theft (8.4%).


Despite the importance of cybersecurity amidst an environment of increasingly sophisticated and aggressive hackers, however, a large percentage of bank executives are fairly clueless about their organizations’ cybersecurity efforts and whether or not they are actually successful.


Can you believe that 12% of CEOs do not know if their organizations have been hacked within the past 2 years, while roughly 47% of bank EVPs and managing directors and a whopping 72% of SVPs and directors are also unaware of the efficacy of their banks’ cybersecurity measures?


Given such a wide disparity between executive level awareness of bank efforts to fend off cyberattacks, opportunities for hackers are being created as they continually search for a way into banks. If bank employees across the board are not educated about the importance of cybersecurity, or the efforts their own institutions are taking, it seems extremely easy for employees to unknowingly jeopardize such security efforts. Interestingly, this possibility did not rank among executives’ top concerns regarding security.


According to one study, when executives were asked to identify the areas they believe are most vulnerable in their banks’ data security, sharing data with third parties was the biggest concern of both CEOs and other executives (EVPs through managing directors). Meanwhile, external attackers were the biggest concern of the next level of executives (SVPs through directors).

When it comes to executives’ top concerns in the event of a security breach, financial loss was the top concern of CEOs, followed by reputation, litigation, job security and finally regulatory enforcement. Reputation was the top concern of the rest of the executives, followed by financial loss and regulatory enforcement.


While it is not necessarily surprising that CEOs often look at cybersecurity differently than other executives, the unfortunate reality is that lenders and banks can’t afford to let such information gaps remain. Hackers are constantly looking for such gaps, so communication is critical.


Community banks should take the time to ensure that all employees are kept up to date about their banks’ big picture cybersecurity efforts and the steps they can take to ensure these efforts are successful. One place where lenders and community banks can begin is with the website specifically created for this purpose by the FFIEC at http://www.ffiec.gov/cybersecurity.htm. This website was created specifically to help financial company executives determine where their biggest cybersecurity risks are, so that they can take steps to reduce such threats.


And the UK is reporting that for the first time ever, cybercrime has now surpassed all other forms of crime in the country. Advisen, “the leading provider of data, media, and technology solutions for the commercial property and casualty insurance market,” published an infographic that illustrates cyber risk trends derived from the company’s proprietary cyber database of more than 26,000 cases.    “Ransomware incidents, in which a type of malicious code encrypts data and demands payment for its recovery, are one of today’s fastest growing cyber threats. As of mid-year, the number of cases is projected to double from 2015 to 2016, reaching an all-time high. Cyber cases exposing more than one million records peaked in 2013, but the number of cases in 2015 remains 70% higher than those in 2010.    “In addition, the number of suits filed alleging a violation of the Telephone Consumer Protection Act (TCPA) reached an all-time high in 2015 and is expected to grow even higher in 2016. Similarly, TCPA violations have increased by 40% from 2014 to 2015, resulting in a 140% increase in settlements within the same time period.   “’Other cyber risk categories that have seen steady growth are System/Network Security Disruptions and Privacy Violations, both of which tripled in size from 2010 to 2015,’ commented Aloysius Tan, Advisen’s Cyber Expert and Product Manager. ‘Privacy violations grew 13% from 2014 to 2015—a trend we expect to continue.’”   (Advisen’s cyber database includes more than 26,000 cases involving billions of unauthorized disclosures, thefts, or serious disruptions of customer & employee identities, corporate assets, and systems capabilities. Growing at a rate of 200 new cases with 1000 updates per week, this loss data is housed in a structured, relational database, and is mapped to the appropriate company from our database of over 20 million insureds.)


HR-2121 is still in the news. Some say that the bill, passed by the House earlier this year and now moving through the Senate, “is being hailed as a triumph for small business. The legislation, if approved, would make it easier for loan officers leaving a big bank to take a job with a small independent lender or start a brokerage.” The MBA, for example, as one of its priorities, is focused on getting H.R. 2121, the SAFE Transitional Licensing Act, through the Senate.


Yet there is opposition. Bob Schwab writes, “HR 2121 is blatantly unfair to all fully licensed MLO’s. We were all required to take all of the necessary steps to become fully licensed MLOs and all of the Bank MLOs got a free pass. They did not have to take 20 hours of classwork, pass a federal and state exam, undergo a background check, submit finger prints, allow the government to pull their credit or pay a lot of money to the NMLS. When we change companies we have to wait for the regulators blessing before we can originate. Many times we have to get fingerprinted again (this is totally ridiculous- finger prints don’t change), or have a new background check or allow the government to pull our credit before we can originate. The fees the regulators charge are ridiculous.


“The last time I changed employers I went from a BRE shop to a DBO shop. It took the regulators over 30 days to approve the change. I was unable to make a living for this 30-day period. I know other fully licensed MLOs that have had to wait for up to 60 days for the regulators. Why should a ‘registered’ MLO who has not done any of the things I’ve had to do as a fully licensed MLO get a free pass? Please see the National Association of Mortgage Professional stance on this bill here:


“HR 2121 would allow unlicensed, federally-registered loan originators to have a 120-day temporary license where they would be allowed to originate loans prior to completing the requirements currently established in the Secure and Fair Enforcement of Mortgage Licensing (SAFE) Act. NAMB believes state law and regulations are in place for consumer protection and should not be by-passed by those not properly educated and tested. HR 2121 and any Senate companion bill will dilute all states’ rights to protect consumers.


“’One of the touchstones of the Dodd-Frank Act was to permit states to go beyond federal law to protect consumers in their state,’ said NAMB Government Affairs Chair Valerie Saunders. ‘HR 2121 completely nullifies state consumer protections.’


“’In 2012, the CFPB stated that its regulations do not allow states to provide for transitional licensing for registered, but unlicensed, loan originators who leave banks to act as loan originators while pursuing a state license,’ said Rocke Andrews, president of NAMB. ‘In addition, CSBS remains neutral on a bill they should have a solid opinion on. This destroys state consumer protections by cramming down a licensing construct that states have demonstrated they don’t want.’”


Lastly, some information on MISMO (Mortgage Industry Standards Maintenance Organization) deserves some airtime. Jocelyn St. James from Sapient Global Markets has a piece about how MISMO is laying the foundation for a stronger mortgage industry foundation.


“Despite the large volume of data generated throughout the life of a loan, the mortgage industry has traditionally lacked a robust, standardized method by which to track and store individual data elements. With the repercussions of burst of the housing bubble still being felt almost a full decade later, lenders have had to adapt to a series of stricter regulatory guidelines, while, under the watch of the FHFA, the GSEs have undergone significant business, operational and technological changes. The common theme among these changes is a desire to create more transparency within the mortgage industry in order to prevent a second housing crisis. By adopting and maintaining the MISMO data standard, organizations are able to simultaneously mitigate concerns around data transparency while also enabling more efficient communication within the industry.


“The changes undergone by Fannie Mae and Freddie Mac since being placed under conservatorship have included a series of programs under a parent initiative called the Uniform Mortgage Data Program. Leveraging the MISMO framework as a base, UMDP seeks to create a standard means by which both GSEs will consume loan level data. The first initiative that went live in 2011 focused on the collection of appraisal data, with a second initiative following in 2012 containing the set of data elements needed for the delivery of single family loans. While both of these initiatives have focused on loan data in the primary market, analysis on an initiative related to the collection of servicing data is currently underway.


“Additionally, the foundation laid by UMDP has already allowed Fannie Mae and Freddie Mac to return tangible benefits to the market. In January 2015, Fannie Mae delivered the Collateral Underwriter tool, designed to help lenders more easily assess risk on a given appraisal. Furthermore, Freddie Mac has rolled out a pilot version of its Loan Advisor Suite, which aims to help lenders avoid mortgage repurchases through loan and property data validation, as well as automatically monitor when lenders are released from their rep and warrant obligations. Utilizing a standard method of communication has allowed for easier vendor integration with these tools.


“Work on two long-term FHFA directed standardization initiatives is currently underway between the GSEs. The first is the Common Securitization Platform, a platform both GSEs would leverage to issue and maintain their securities. Secondly, the FHFA has directed the Fannie Mae and Freddie Mac to begin analysis on a single security, which would involve issuing a security backed by a mix of loans from both portfolios.


“While the secondary market has been undergoing changes brought on through conservatorship, the primary market has been dealing with the effects of a period of major regulatory change. Last fall’s TRID implementation required lenders throughout the United States to conduct a major overhaul of their processes and procedures. To help industry participants align with the new regulation, MISMO produced an upgraded TRID-compliant schema. While not the only measure of vendor readiness, the ability to upgrade to the latest version of MISMO was seen by many as a way to determine if a given loan origination system was truly prepared for the changes brought on by TRID.


“Companies looking to help originators ease the burden of the new regulation were able to utilize MISMO to create software solutions for the industry. As organizations continue to comply with the data standards being rolled out under UMDP, as well as regulatory changes such as the upcoming HMDA+ implementation, it is clear that those organizations that invest the time now to align with the MISMO data standard will find themselves in a better position to adapt and react accordingly. Additionally, moving towards a common data infrastructure will enable the industry to better make informed decisions based on robust and clean data, as well as provide the transparency long sought by stakeholders.



Most cat videos are “a dime a dozen,” but this short one, of a cat apparently watching a horror movie, is definitely a good use of 60 seconds.





(Copyright 2016 Chrisman LLC. All rights reserved. Occasional paid job listings do appear. This report or any portion hereof may not be reprinted, sold or redistributed without the written consent of Rob Chrisman.)

Rob Chrisman