Mortgage Software Solutions Blog

How New York’s Latest Cyber Security Law Will Impact You

New cyber security laws in New York mean strict accountability for businesses.

Cyber security is on the brink of an unprecedented crackdown in New York.

The finance industry is preparing for a new normal that looks vastly more stringent than before.

Part reaction to consumer outrage and part finger-pointing to the market for accountability when it comes to data breaches, the regulation titled Cybersecurity Requirements for Financial Services Companies (2017) is a broad re-draw of the rules by the state regulator.

In a country where the sector has historically played fast and loose with handling missteps, all eyes are watching to see how quickly it can adapt to the new normal.

As everyone settles in for the ride, industry insiders are already forming hypotheses about how far this new regimentation will reach.

Laying Down the Law

The new law outlining consumer data security measures in New York State is the first of its kind in the United States.

Officially released in March of 2017 with a built-in year of lag time, the enforcement date has arrived. As of Thursday, February 15, 2018, enforcement is in full effect.

Financial institutions are expected to have stepped up their game in safeguarding computer systems and the sensitive information stored inside. A full guide to the highly prescriptive requirements can be found here.

The end goal is to avoid security breaches by making businesses sufficiently fearful of repercussions. If they do foster an environment that allows for future problems or leaks of personal data, the stakes are high.

Who the Law Affects

The current law has been interpreted to include all banking, insurance, lending, and mortgage brokerage firms that are operating in New York. Every company under that heading will be held to the new standard.

This means that entities must get in gear to assess their actual and potential cybersecurity risks and make a solid plan to mitigate them.

The good news for IT departments is that due to the highly detailed guidelines about policy and the use of technology to patch up the security gaps, they have rather exact instructions to follow.

Beyond State Lines

At first glance, companies outside of New York might assume they have been spared from the harshest regulations in the country. After a closer look, it seems imminent that the change will have a wide-ranging impact.

Going forward, consumers will rely on their financial institutions to keep personal data safe. Not only are the expectations high, but the safety net sets the stage for demanding the same in other states.

Mortgage companies across the country are targeted by hackers due to the quantity of information and the quality of its use for fraud purposes. Companies outside of New York in the same industry should brace for the arrival of comparable laws on their home turf.  

Out-of-state entities with branches in New York should have a response as well, even before their own states begin drafting something similar.

In fact, other states are already following suit. Colorado and Vermont introduced their own measures within months after the NY regulation was put in place.

Vermont’s law names “securities professionals” as the intended subjects of its tighter regulations. Without specifying banks, the use of this broad term leaves the door open for enforcement with entities that may not previously have fallen under the state’s traditional regulation agencies.

As a global financial hub, even entities doing business in New York should consider getting the jump on re-assessing their policies as a continuity plan.

Beyond the Finance World

The effect of intensified scrutiny over cyber security practices will logically spill over to third parties that work in the finance world and businesses that directly manage cyber security for the industry.

Fortune magazine goes one step further, predicting that the ripple effect will go well beyond the financial industry. It could cover security events by any business that stores personal data “from point-of-sale to payroll providers.”

After that, it seems the industry shake-up will likely bleed into any major industry that houses consumer data using any sort of technology. These days, companies who aren’t keeping customer information in a computer system are few and far between.

The only thing the industry seems sure of is that this trend in accountability will not be contained by state lines or by industry.

In the early days of this new law’s enactment, the extent of this chain reaction is yet to be seen.

Over the next fiscal year, New Yorkers will lead the way, with countless gazes focused on them for cues of how to adapt.

ABT’s cloud-based portal MortgageWorkSpace adds banking-level security to email, servers, PCs and mobile devices in the mortgage industry. Contact us to learn more.



The Inevitable Mortgage Audit: Are You Prepared?

Anyone who has worked in the mortgage arena for any length of time knows that mortgage audits are inevitable. But even if you know that audits are a reality of the job, are you actually prepared?

Luckily, we're here to give you an idea about that—five ideas, in fact.

The Federal Financial Institutions Examination Council (FFIEC)

Working in the mortgage field, you are no doubt familiar with this group. The FFIEC has the power to develop and prescribe uniform principles and standards for examinations of financial institutions. The Council provides training for examiners at both the federal and state levels. It also provides guidance on compliance audits to the financial services industry through its member agencies.

Don't Reinvent the Wheel. Utilize Risk Assessment Models.

Several of the regulatory agencies with jurisdiction over financial institutions provide assessment models that can help with risk management. In addition, some industry organizations and commercial companies offer similar models. Just to name a few:

  • Consumer Financial Protection Bureau (CFPB) in its Supervision and Examination manual
  • Federal Reserve (the Fed) in its Community Bank Risk-Focused Consumer Compliance Supervision Program
  • Federal Deposit Insurance Corporation (FDIC), Comptroller of the Treasury (OCC) and National Credit Union Association

These organizations all publish guidance on risk assessment programs that will help you demonstrate your institution's risk as it is, not as the board wishes it would be.

In addition, offers a Mortgage Compliance Checklist Tool to help mortgage companies comply with the various lending regulation requirements.

Compliance Risk Assessment

Compliance examinations, these days, rely less on identifying non-compliant transactions and more on assessing risk and evaluating the financial institution's components that manage, mitigate, or prevent risk. Your financial institution's risk assessment should focus on its structure, policies, and procedures; how actively your board participates in oversight; and of course, your products and services.

Here are three basic questions your compliance risk assessment should answer:

  • First, identify your worst case scenario—not just now but in the future.
  • What controls does your institution have in place?
  • How well do your controls limit the impact of non-compliance?
  • How big is the gap between the worst-case scenario and the controls you have in place? That gap is the risk that you want to reduce to as small a point as possible.

What Characteristics to Assess

The following are the characteristics that you want to identify with respect to:

  • Each of Your Institution's Products: Identify the volume and activity—whether it's a new product or an old one. Determine how complicated the product is and whether you intend to make changes or have recently made changes to the product.

  • Your Institution's Internal Operations: Identify how large your staff is, your turnover rates, whether the organization operates with centralized management or not, whether the staff and the organization's culture are compliance driven, and whether the organization has a robust internal monitoring system. Also review recent compliance risk assessment efforts.

  • Third-Party Service Providers: Identify compliance monitoring and due diligence efforts.

  • Each of Your Services: Identify any unfair, deceptive, abusive acts or practices as required by regulatory agencies.

  • Your Consumer Complaint Process: Identify response time and efficacy, and review the record-keeping policy with respect to complaints.

The Federal Compliance Laws for Financial Institutions

The American Bar Association provides its members with a list of the Federal laws that require financial institutions to comply with their rules and regulations and that cover mortgage audits. Just to remind you how regulated the mortgage industry truly is, here is a sampling:

  • Truth in Lending (Regulation Z) disclosure statements
  • Equal Credit Opportunity Act (Regulation B)
  • Fair Credit Reporting Act
  • Federal Reserve Board Regulation, Fair Credit Practices Rule
  • Fair Debt Collection Practices Act
  • Servicemembers Civil Relief Act

To read an analysis of the accuracy of the CFPB's mortgage complaint data, see National Mortgage Professional Magazine's article from February 2017, entitled "Analysis: How Accurate is CFPB Mortgage Complaint Data?"

To learn more about compliance for mortgage companies, please contact us. We are your resource for all your mortgage company audit compliance questions.
