How the Mortgage Industry Puts Borrowers at Risk

A little over 2 years ago, HALOCK Security Labs surveyed 63 American mortgage lenders and discovered an alarming trend. 70% of mortgage lenders were compromising sensitive financial information through risky sharing practices.

Many of the lenders, both small and some of the largest in the nation, were using an unsecured email account to send files, a direct violation of the FTC Safeguards Rule that states emails can be sent only if they are encrypted. The majority (70%) of lenders were told to fax documents and 40% were advised to mail documents to applicants. Only 12% of lenders offered a secure portal, arguably the safest way to transmit sensitive documents.

It’s no wonder loan officers are at a loss on how to quickly and safely share documents. They are encouraged both from the business and borrower side to speed up the application process, yet they are told to rely on the antiquated methods of fax and mail. Most businesses have fax machines, sure, but many applicants likely have to search for one. And while it’s a federal offense to access a mailbox that does not belong to you, newer generations see these quaint side-of-the-road boxes about as secure as a flyer stapled to a telephone pole. Add to that the work it takes lenders to scan, collate and store these documents and you have a tediously slow process.

The Many Faults of Email

So loan officers turned to email, a modern way to send files, for sure. Sending an application, title, closing work or appraisal documents as an attachment is easy, if the attachment does not exceed the file size. But when you dig a little deeper, you see that email has plenty of faults. First being that it’s easy to disseminate, to the borrower, the title agent, the vendors, the lawyers, husbands, wives, mothers, fathers, accidental forwards, the list goes on. Second, it’s been shown that a copy of an email can be saved on different servers and devices up to 13 different times. It’s known as the Multiplication Effect of Email.

Third, most email platforms on the applicant’s side have a tenuous relationship with encryption. While the more popular email providers, Gmail, Outlook and Yahoo have all made HTTPS or SSL the default, it only encrypts the tunnel not the content of the email. End-to-end encryption, which would protect the entire journey of the email, is still in testing in Gmail, and, when available, would require users to turn it on themselves. According to Google’s latest Transparency Report, providers who don’t encrypt their email are creating messages that “are as open to snoopers as a postcard in the mail.”

All the Personal Info Contained in a Mortgage Application

When you think of all the personal information that goes into a mortgage application, it’s startling to think of the destruction a leak could cause in a single life, were that information to fall in the hands of a corrupt individual. Mortgage applications have incredible requirements when it comes to the information they need; an application could contain:

  • Driver’s license or photo ID
  • Social security numbers
  • Bank statements
  • Retirement assets
  • Federal tax returns
  • Paystubs
  • Current and future property addresses
  • Assets and liabilities
  • Construction plans

This information gets shared with a lot of different parties, from the loan officer to the title agent to the closing department. To share the application over email, applicants must give their permission; however, this rule is not always followed.

Applicants know that email will speed up the process and convenience, but many are becoming increasingly dissatisfied with how banks and other financial institutions handle their information. A Ponemon Institute study from 2013 showed a decline over the last 10 years in how much consumers trust their banks to protect their confidential information; 65% of respondents disagreed with the following statement: “My bank is committed to ensuring the privacy of my personal information is protected.”

Private Clouds Aren’t That Bad, Right?

Another method lenders and loan officers have turned to is using private cloud accounts, like Dropbox, to share documents with clients. It’s simple, all they had to do was upload to their Dropbox account and either give the client access or provide a shared link. It’s easy but not at all safe. This method ensures that the documents are now completely out of the hands of the lender, and a direct violation of compliance rules. Personal Dropboxes lack the oversight required by IT departments to keep applicant information safe.

According to another study by the Ponemon Institute on the Risk of Insecure File Sharing in October 2014, showed cloud file sharing accounts to be the riskiest way to share information. Unencrypted email followed behind it, only slightly less risky by a few points.

Screen Shot 2016-04-13 at 3.38.36 PM

And are IT departments aware of the unauthorized use of personal cloud accounts? Not exactly. The same study asked organizations whether or not they do an audit or assessment to determine if document and file sharing activities were in compliance with laws and regulations and 64% said nope. An additional 6% weren’t really sure whether they did or not.

Every respondent who took this survey had to share the industry they worked in. The highest number of respondents were in — wait for it — the financial services industry.

The Answer to the Mortgage Industry’s Woes: A Simple, Secure Portal

At this point, it’s not if, but when the mortgage industry will suffer another breach. According to Mortgage Compliance Magazine, it’s not even that the bad guys out to harm those in the mortgage industry are that industrious. They do attack, but the worst culprits of data breaches and leaks are employees — and through no malicious intent, only simple human error. Lenders may think that because they’ve done it before and nothing bad happened that they can continue on. It’s simply not true.

What mortgage lenders (and really any business that shares sensitive customer information) need is a secure portal to store and transmit sensitive documents. Loan officers don’t mean to expose their companies to data breaches through unauthorized file sharing methods, they just need a more convenient, accessible way to send and receive files.

SmartFile features are tailor-made for those in the mortgage industry. A convenient web portal that serves both as a storage account and a file transmitter is available on any computer, tablet or device, without the need to download a program. The web portal is branded to the mortgage company, cutting out the middleman and presenting only a professional front to borrowers.

In the three screenshots below, you can see how easy it is to share a folder with or without restrictions to an external client (1), access the secure web portal (2) and view and upload sensitive documents (3).

secure bank file sharing mortgage

Loan officers can finally trash the fax machine and give their applicants what they want — an easy way to access and share files. There’s no need to give clients a lengthy orientation on how to use the web portal, it’s pretty simple in how it works. Lenders can create accounts with folders that only the lender and applicant can access or lenders can send password-protected links through email to the applicant for easy uploading and downloading. Lenders can also dictate that clients use SFTP in all uploads and downloads.

Mortgage Lenders Tackle Compliance

When applicants take any action through the client portal, the lender will receive notifications of all activity through their email. Along with that activity comes detailed tracking and audit logs for the IT department and a compliant method for industry regulators. Lenders can make the access and user rules as strict or lenient as they need. Additionally, tracking of employee access to files allows for better accountability and less mistakes.

A Quicker Way to Process Mortgage Applications

Without all that back and forth through the mail, couriers or fax machine, mortgage companies can speed up their application process. SmartFile can connect in through WebDAV and let lenders work the way they’re used to (i.e., in a file explorer on the desktop). If you allow your employees to work the way they like, they’re more productive and likely to comply to company guidelines. No more files sprawling across personal cloud accounts.

A better document exchange process helps applications get approved faster. This means borrowers become homeowners in less time, resulting in happier clients. A faster approval process also means a more profitable bottom line for a mortgage company that can now streamline their process. Additionally, the reduction in paper lets companies reduce their impact on the environment.

Once More Unto the Breach?

Don’t keep holding onto the idea that insecure file transfer methods that have worked in the past will continue to keep working for you. It is so easy for a single employee to make a mistake that could result in a breach that would cost a company millions and cause immeasurable damage in reputation. A secure portal like SmartFile, lets you stop that scenario before it becomes a reality.

SmartFile is a business file mangement platform that gives you more control, compliance and security.