Mar. 3: Notes & opinions on cybersecurity, HMDA concerns, and tips for a rising rate environment

I think that my cat Myrtle stole my password. Small packages have been showing up from Amazon with her name. Maybe she read the password on the yellow sticky note on my computer. Seriously, security is no laughing matter.

Cybersecurity & HMDA

According to a FS-ISAC survey of information security officers, the best ways to combat cyber-attacks are: employee training (35%), network defense and upgrades (25%) and breach prevention (17%).

The Securities and Exchange Commission voted ten days ago on whether firms will be required to disclose any cyber risks and incidents that could financially harm their firm. (The guidance has not been updated since 2011.) And yes, new guidelines were issued on cybersecurity disclosures for public companies, including suggestions for adjusting insider trading policies to account for investigations into cyberbreaches.

The SEC reiterated that cyber risks and incidents may fall under the scope of material nonpublic information, and corporate insiders could run afoul of the law by trading company securities while in possession of such information. The guidelines also encourage companies to adopt prophylactic measures such as restricting employee trading while a breach investigation is under way and before it is disclosed.

“Companies are going to need to examine their policies and procedures to ensure they explicitly account for information related to cybersecurity risks and incidents, including while they’re under investigation,” said John Carlin, partner at law firm Morrison & Foerster LLP.

The SEC said companies should develop plans to elevate alerts about cyber incidents so that top management knows when to avoid trading.

Richey May’s cybersecurity advisory and compliance team developed the following white paper to help you better understand the cybersecurity landscape, the regulatory and legal requirements impacting your business, and the critical role a qualified CISO plays in your comprehensive cybersecurity strategy: Cybersecurity and the Evolving Demands for CISOs.

The Securities and Exchange Commission has issued subpoenas and information requests to determine whether technology companies and promoters of initial coin offerings and cryptocurrencies comply with securities laws, sources say. The Enforcement Division created a cyberunit last year, and former Commissioner Dan Gallagher says that this is “the tip of the iceberg” and that “there is going to be a ton of enforcement activity.”

Lenders and bankers are mostly good at managing risk. A 2017 Wolters Kluwer’s survey of banks and credit unions shows a slight increase in anxiety levels of financial institutions, particularly in the area of managing risk. Notably, 65% of respondents expressed concern about their organization’s ability to manage risk across all lines of business vs. 52% in 2016.

The survey finds banks are feeling pressure from several areas, the primary one being complying with new Home Mortgage Disclosure Act (HMDA) requirements. More than 50% of respondents said the new requirements will have a significant impact on their organization.

HMDA is an area that should be on the watch-list for community banks, given this concern and potential changes that could occur in the future. In December, the CFPB said it intends to review its controversial 2015 rule, recognizing that the compliance requirements pose “significant systems and operational challenges.” Adding fuel to the fire, several House Financial Services subcommittee members recently aired their concerns about the additional data points being collected under the rule and the extra burden for community-based financial institutions.

Not surprisingly, cybersecurity and data security led the list of top risks expecting escalated priority in 2018, with 83% of respondents indicating their organization will focus on cybersecurity over the next 12 months vs. 70% in 2016.

Steve Brown from PCBB observes, “Financial institutions also noted several obstacles they face in managing an effective compliance program. The survey found 46% of respondents cited inadequate staffing as a main concern, while 39% named manual compliance processes. Meanwhile, 34% said there were just too many competing business priorities. And a new survey by FS-ISAC shows only 8% of financial firm cybersecurity leaders report directly into the CEO. The organization notes that direct and unrestricted communication between cybersecurity and the CEO and board would enhance decision-making and increase transparency.”

I received this note from Mitch Tanenbaum, Partner at Cybercecurity LLC regarding some thoughts he had on cybersecurity. “Executives need to educate themselves about cybersecurity. We see that will some of our clients, but a lot are still making it an IT problem. It is an IT problem until some employee wires $5 million to an account in China. It is until some employee clicks on a link that infects your network and encrypts all your files. You get the idea.

“On to passwords.  Passwords are irrelevant. You can’t make them complex enough or protect them well enough. People just need to get over that. Two factor, or multi-factor, authentication is a must.  We are slowly getting our clients to understand that. When a client has their cloud account logged into from some hacker because some employee clicked on a link and coughed up their password and now they have a cyber incident, they begin to understand why passwords just don’t work any more.

“We have had multiple clients dealing with attacks against Office 365 this month alone. It has nothing to do with security in Office 365, it is just the biggest target. Why go after G-suite and be able to attack 10% of the mortgage universe when you can go after Office 365 and hit 90%?

“Office 365 security is actually much better than G-Suite security. Microsoft has released a free tool for Office 365 to manage their security score and if the IT folks are aggressive about using it, it will definitely make things more secure. Google has released something sort of, kind of similar, but it is way less mature and only works for G-Suite Enterprise customers, which is a very small portion of G-Suite customers.

“Office 365 has so many security tools that IT admins often don’t know about all of them. For example, some of our customers implemented a rule recently that stops hackers from automatically forwarding email from compromised user email accounts, but when we talked to some of our customers they say, ‘Really? I didn’t know I could do that.’

“Let me leave you with a scary thought. When the Directors of all the National Intelligence Community testified before Congress recently there were two quotes that scared me a bit (not that they surprised me, but I was surprised they admitted it publicly). The quotes are:

–NSA Chief Admiral Mike Rogers: “If you think the problem is challenging now, just wait. It’s going to get much, much worse.” 

–Director of National Intelligence Dan Coats: “Cybersecurity is my greatest concern and top priority — ahead of weapons of mass destruction and terrorism.” 

(From the U.S. Senate Intelligence Committee Annual World-wide Threats hearing Feb 14, 2018). Ponder that for a few minutes!

“Your readers can start becoming educated to read my cybersecurity blog. It is free, with no ads and I try to write it in a way that is tech jargon free.”

Interest rates

The effects of higher mortgage rates are beginning to trickle into the data. Existing home sales were weak in January as first-time buyers retreated from the ownership markets. Despite knowing that rates were heading higher (nearly every member of the Federal Open Market Committee has been telling us as much, as has nearly every piece of economic data), thus cutting into refi volume, were lenders and loan officers caught unaware? Ignorant? Complacent?

David Kittle, Senior Relationship Manager of Enterprise Sales at Radian, suggests, “Prepare – don’t panic. Ten years of manipulated interest rates held at record lows and a refinance atmosphere that settled most into a secure environment of consistent production has led to a comfortable but risky complacency.

“The television has been saturated with commercials touting the fastest ways to refinance and begs our Veteran population to borrow up to 100% of their home’s value to eliminate consumer debt created during the past 10 years of mediocre economic growth. Much of our loan officer population has less than 10 years’ experience. They’re extremely tech savvy, but can they sell in a rising interest rate market when purchase, not refinance, is order of the day?

“If asked, can your origination staff define index or margin? Most are too inexperienced to know what an Adjustable Rate Mortgage is and how it works. ARMs will return because the homebuyer is used to interest rates in the 3% range and will demand a low rate with an affordable payment.

“The media will gasp as lenders promote ARMs, remembering only those programs that were interest-only with little to no underwriting required. The 3/1 – 5/1 – 5/5 and 7/1 adjustable rate programs, fully amortizing with solid caps and solid underwriting will be an attractive alternative to a higher fixed rate offering. Let’s not forget caps and fully indexed rate, something else the LO will have to learn about to intelligently discuss and explain to the borrower exactly how the adjustable rate mortgage works.

“Dust off your ARM disclosures, search for a quality portfolio investor and begin to train your sales staff to sell. ARMS, when sold to the right borrower, are a great way to diversify your product offering.

“Keeping interest rates at record lows assisted our industry but hurt the over 62 population. There’s been no gain on fixed income assets and very small increases in their Social Security check. Rates will rise, but it’s not the time to panic. It’s time to think, to train and prepare to offer and sell a viable alternative to the fixed rate loan, ARMS!”

Raymond Eshaghian, President of GreenBox Loans, Inc., in Los Angeles, CA feels that many home owners are no longer going to qualify with higher rates. “Three out of 10 members of the work force are self-employed, and they will have to look into alternative financing solutions, such as bank statement loan programs that help them qualify without the use of tax returns. The interest rate increases will impact the demand for buyers and may alternatively affect real estate values. The sooner the Realtors and mortgage brokers adopt non-QM alternative options, the higher the likelihood that the lost demand due to rising rates can be supplemented by creative financing solutions for motivated buyers.”

Gagan Sharma, President and CEO of BSI Financial, commented on rising rates. “Our sense is that while rates are higher, those increased rates are partly due to the continued improvement in the economy. As a result, the borrowers’ income situation is also better, and they may be able to afford the slightly higher monthly mortgage payments. The higher rates and more expensive homes increase the monthly mortgage payment, but the better economy and jobs situation should help the borrowers afford the payment.”

Shane Martin, EVP of Strategy and Business Development with InHouseUSA, a provider of innovative valuation solutions, forecasts, “This spring’s purchase market will be hot as demand is pulled forward from the summer markets in anticipation of rising interest rates. Any increase in interest rates may put somewhat of a damper on the market, but I think there are other factors that could offset that pressure. For one thing, supply is tight and demand for housing has remained relatively strong so far this year, even with interest rates moving higher. Data from the Mortgage Bankers Association (MBA) show that mortgage applications to purchase a home have mainly risen each week in 2018, and activity has been strong.”

“Economists are forecasting that mortgage rates will reach 5% by the second half of 2018. The last time we saw 5% was 2011. Still, 5% is low when viewed historically. There is an entire generation of new home buyers who have never seen rates at 5%, however.  I think the move in rates will cause urgency to buy while the tight supply will raise pricing, causing affordability issues. Homebuyers will try to move quickly in late winter and the early spring to lock in at today’s rates in anticipation of further interest rate increases going forward this year.”

The 30-year fixed average is creeping up to 4.50%, yet volume is not down. What’s going on? Tom Millon, CEO of Capital Markets Cooperative, gives his take: “Historically, mortgage volume plummets when rates spike because of the lost refi business, but we’re now in a purchase market, so refi is having less impact. We sometimes see purchase volume surge when rates are rising because buyers think they better act quickly. The lock volume index is the highest it’s been since September and the MBA’s Purchase Index is up 8% from one year ago, when rates were a quarter of a percent lower. All things considered, we’re cautiously optimistic about volume near-term, but we’re not so naive to think it won’t reverse course if rates keep heading up.”

On a personal note, my Dad doesn’t care about email, underwriting guidelines, a politician’s view of the GSEs, or how the CFPB is funded. Today’s his 95th birthday. Given his life growing up during the Depression, twenty years in the Navy through WWII and Korea, and twenty years in a cannery, it is noteworthy since he drinks alcohol, smoked, never set foot in a gym and was certainly overweight, or worried about whether mortgage rates were 3%, 8% or 18%. He keeps life in perspective and knows things will come to an end for him some day, but until then… have another Happy Birthday Dad!

Visit for more information on our industry partners, access archived commentaries, or to subscribe to the Daily Mortgage News and Commentary. If you’re interested, visit my periodic blog at the STRATMOR Group web site. The current blog is, “Servicing: All It’s Cracked Up to Be?” If you have both the time and inclination, make a comment on what I have written, or on other comments so that folks can learn what’s going on out there from the other readers.


(Market data provided in partnership with MBS Live. For free job postings and to view candidate resumes visit LenderNews. Currently there are over 300 mortgage professionals looking for operations, secondary and management roles. For up-to-date mortgage news visit Mortgage News Daily. For archived commentaries, or to subscribe, go to Copyright 2018 Chrisman LLC. All rights reserved. Occasional paid job listings do appear. This report or any portion hereof may not be reprinted, sold or redistributed without the written consent of Rob Chrisman.)

Rob Chrisman