Mortgage Software Solutions Blog

Guide to New York’s Cybersecurity Regulations

The deadline is less than a month away.

As February 15, 2018 draws near, financial institutions in the state of New York are scrambling to comply with cybersecurity regulations that are new to the industry and unprecedented in the state.

Released in early March of last year, Part 500 of Title 23 or Cybersecurity Requirements for Financial Services Companies (2017) is a 14-page document detailing how finance companies will be legally required to protect nonpublic information in their computer systems.

These regulations were implemented by the Department of Financial Services (DFS) citing security risks and the “ever-growing threat” of foreign nation-states, terrorist organizations and cybercriminals. The DFS Superintendent’s office will be overseeing compliance with the new laws aimed at safeguarding sensitive information that banks, credit unions, and mortgage companies keep on file.

As the zero hour approaches, here is a quick guide to the new DFS directives.

Cybersecurity Programs for All 

The main requirement is that all financial institutions under the regulation of the DFS are now required to create and implement a written cybersecurity program.

With computer-based leaks making national headlines, New York’s banks will be held to a high standard.

The main issue of information leaks is “nonpublic information” or data gathered about customers and clients that is not meant for public knowledge. This includes business information, identifying information, account numbers, and even medical information.

A “cybersecurity event” is any action or attempt of unauthorized access to this information.

Security Measures

The new DFS regulations specifically call for annual penetration testing and bi-annual vulnerability checks of all information systems.

This includes extensive recordkeeping of system activity. Each financial institution must keep transaction records for a period of 5 years and an audit trail that records at least 3 years of activity.

The DFS further urges permissions control for all software applications.

Policy Requirements

This new cybersecurity program that every institution must implement is subject to oversight. The regulations require that all policies be recorded and approved by a senior officer or the company’s board of directors.

The guidelines state that any policies laid down must address an extensive list of 14 distinct topics ranging from data governance to disaster recovery planning.

Beyond stating the goals of these new measures, the law requires that companies designate a Chief Information Security Officer (CISO) for in-house enforcement.

This individual is required to report in writing annually about security to the company’s board and will be held responsible in the event of a breach at the agency.

Risk Assessment

Beyond coming up with a plan, the new regulations require action.

Financial institutions must run a complete risk assessment of their company. The assessment must be documented and it should include an evaluation of the adequacy of the existing access controls.

By law, this assessment must be carried out by qualified cybersecurity personnel. To avoid passing the buck, companies who hire out for the job must still exercise due diligence in evaluating the adequacy of the third party’s own security practices.

The law makes it clear that the financial institution itself will be held responsible for the integrity of their new program.

Other Regulations

There is a host of supplementary details in the document that outline currently-held security precautions across the information systems industry.

For example, multi-factor authentication for network access, a time limit on data retention, and regular cybersecurity awareness training for all personnel are all part of the regulation.

Encryption guidelines are spelled out and become subject to annual review by the CISO.


The final issue addressed by the new regulation involves communication with DFS. The superintendent’s office places a strict time cap on security breach announcements. A company has no more than 72 hours to report any event that has a “reasonable likelihood of materially harming the normal operations” of the company. 

Serious events like this have always fallen under reporting laws to local supervisory bodies. Under the new law, these events will be taken up the chain of command to the Superintendent’s office immediately.  

As of last year, New York is taking cybersecurity seriously. With such strict laws, it’s understandable that financial institutions have been slow to enact changes. After the year-long cushion, the new regulations are set to be enforced and financial institutions will be held responsible if they don’t comply.

14 pages of detailed requirements are on the books. As the transition year comes to an end, banks, mortgage companies, and credit unions are under the gun to make it happen.

Are you a CIO?

Has your institution taken the proper steps for system security?

For comprehensive compliance guidance and other cybersecurity solutions, contact us.


Understanding the 4506-T Borrower Income Verification

For mortgage companies, nothing is more important than verifying that a prospective buyer has the income to repay the loan. The IRS is probably the best source to verify income, and the agency has a form that mortgagors can file with the IRS to solicit income verification.

Here are five tips we’ve put together on the use of IRS Form 4506-T Borrower Income Verification.

Fannie Mae (FNMA) and Freddie Mac Guidelines

The mortgage giants issued guidelines that require lenders to use the 4506-T Borrower Income Verification form. You will see by the effective dates below that these rules have been in effect for some time.

Fannie Mae requires lenders to obtain the form both at application and at closing for all loan applications received after September 1, 2009. Lenders must use the forms to verify borrower-provided income documentation, which the lender relies on during the underwriting process. While the lender does not have to furnish the form to FNMA before closing, FNMA does require the forms as part of the post-closing quality control process.

Freddie Mac, on the other hand, requires all lenders who rely on borrower income during the underwriting process to obtain the 4506-T form on the application date and the Note date. The guidelines were effective for applications on and after February 1, 2010.

What is the Desktop Underwriter (DU)?

Fannie Mae has developed what it calls its "Day 1 Certainty" representation-and-warranty relief program. This program allows lenders to obtain three types of reports. These include:

  • Employment and income verification
  • Form 4506-T transcript reports
  • Asset reports

Vendors who want Fannie Mae to include them on the list of verification report vendors must provide the above three reports.

As of January 20, 2017, Fannie Mae has increased to 30 the number of vendors on its list of third-party companies approved as income verification vendors.

Blocks to Third-party 4506-T Requests

By mid-2015, it was clear that something was amiss with lender requests for 4506-T transcripts from the IRS. Due to internal policy changes, the IRS returned some 4506-T requests with the following rejection code notation: "Limitations."

Limitations: This code indicates red flags on the borrower's information. The flags may result from inaccuracies in the borrower's income, tax documentation, or the Social Security number used to qualify for the loan. Freddie Mac tells lenders to take these red flags as seriously as you would any fraud indicator. The "limitations" note is the IRS's way of combating fraud and keeping personal information secure from unauthorized access.

Other ways to comply: For borrowers qualifying on W-2 income only, not all financial institutions require a full IRS transcript, as long as they have confirmation of the W-2 income. (Note: Some financial institutions require the "limitations" notice retained in the file.) In other instances, a copy of the full 2014 filing must accompany the loan file.

Even if the IRS won't disclose the tax transcript to the lender, the borrower always has the right to request a copy of his transcript from the IRS, which will send the information to the individual. The individual must show proof that the transcript came from the IRS when he delivers the verifying information to his lender.

Retaining Copies of IRS Documents

Whether you obtain copies of the actual Form 1040s or transcripts of the filings, the information received from the IRS must remain as a permanent document in the quality control file.

How DocumentGuardian™ Can Help

With all the requirements for retaining mortgage applications and the verification documents required for government-backed mortgages, it's easy for mortgage loan officers to feel overwhelmed.

DocumentGuardian can help you organize and keep your business documents safe, making document management easier and more secure than ever before. Your client sends sensitive information to you through the DocumentGuardian system, which then stores your borrower's personal financial documents in a secure data center, not on desktop computers or mobile devices.

In addition, MortgageExchange helps you move documents between mortgage storage software so your staff never has to re-key information into another system. That means fewer staff hours on repetitive work and fewer errors.

If you have any questions about our suite of mortgage services, please contact us.


A Secure Alternative for Transferring Sensitive Mortgage Documents

Documents aren't really safe unless their transfer is secure from end to end. A mortgage company may store and manage its information with the highest standards, but there is still significant risk if the borrower or seller submits their documents through unsecure channels.

What are some of the best steps you can take to ensure you are meeting security compliance standards and protecting your valuable data when transferring sensitive mortgage documents?

Avoid Email

Email is a simple, popular way to send information. It is also a very unsafe way to transfer confidential information. There is no standard, guaranteed method of encryption for email: Simple Mail Transfer Protocol delivers a message through a series of hops from source to destination, and the sender has no control over which servers the message passes through along the way. A malicious relay (what the author calls a "honeypot" server) could pass all emails along normally while keeping copies for its own purposes.

This scenario is even worse if a sender is using unencrypted Wi-Fi, such as a public hotspot. A criminal can just lurk nearby with a receiver to grab copies of any mail.

Offer a Secure Alternative

What can a mortgage company do about customers sending unsecured documents, and what does it need to do? You can't outright stop people from using email, but you can severely discourage its use for sending confidential data. The best way to discourage this is to provide secure document management alternatives.

Regulations require lenders to handle documents securely. Though it’s not clear whether a mortgage company can get into trouble for accepting emailed documents, regulators will certainly view you in a better light if you present your customers with a secure, convenient alternative.

If confidential customer information is intercepted in transit, this leak can damage the lender's reputation, even if it was the customer's fault. Lending institutions need to take strong measures to avoid unsecure transfers.

Documents also need to be sent to customers securely. The mortgage company has control over this and should strictly follow good practices, both for the customers' safety and to be on safe legal ground. Lenders should never send sensitive documents by email.

Drag-and-Drop or File Transfer Account?

A simple, secure way to let customers provide documents is the drag-and-drop approach. This method lets users upload documents with a secure transfer, and it can be set up with or without password protection.

If there's no password, anyone who discovers the link can upload a document, but this is a relatively minor risk. The destination server allows only uploading, not viewing, of files, so the most that anyone who gets a copy of the link can do is upload fake files. As long as employees exercise normal caution about any information that looks wrong, the chances of harm are small.

Services like Dropbox take a drag-and-drop approach but create an unprotected link which anyone can download. Dropbox allows password-protected documents, but only with paid accounts; the free version isn't well-suited for sensitive documents.

Another approach is to create a file transfer account for each customer. Once they've registered, the software will let them upload and download files. This allows for two-way file transfer between the customer and lender, and customers can review what they've already uploaded.

In a system where customers can download as well as upload files, it is necessary to authenticate the identity of the person creating the account. Confidential personal information, such as the customer's Social Security number, can help with this. For additional security, the lending institution can send the customer a code to enter when registering.

This method offers more options than the drag-and-drop approach, but it is also more complicated to set up. If customers forget their passwords, they will need a procedure to reset them, which often involves emailing a one-time link—a method which has its own security problems.

What's important in either case is to use a secure URL (starting with “https:”) with a properly configured server. A website that doesn't use a secure connection allows eavesdroppers to intercept not only documents but passwords. An unsecure web connection is even riskier than email.

The DocumentGuardian Solution

ABT's DocumentGuardian™ uses the simple, reliable, drag-and-drop approach but beefs it up with more security. The customer receives an upload link; no registration or password is required. Uploading is a simple matter of dragging the file to a window. Files are uploaded via a secure connection and sent directly to ABT's secure data center, where they're available to the lending institution. When a customer uploads a revised version of a document, the old version remains available and can be viewed, compared, or, if necessary, restored.
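To make the upload-only model from the drag-and-drop section concrete (a link that lets its holder add files but never read them, with earlier versions retained and every action logged for audit), here is a small constructed example. It is not DocumentGuardian or ABT code; the inbox-per-borrower layout, the 256-bit bearer token with an expiry, the size limit and the flat file-name rule are all assumptions of this illustration.

```python
"""Upload-only drop box, constructed to illustrate the link-based approach above.

Not DocumentGuardian code. Assumptions: one inbox per borrower, links are
random bearer tokens that expire, link holders can only add files (never
read them), and every upload attempt is logged for the audit trail.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Receipt:
    """What the uploader gets back: proof of the upload, never the file itself."""
    name: str
    version: int
    sha256: str
    uploaded_at: float


class UploadInbox:
    """Holds the files of one borrower; only the lender-side methods can read them."""

    def __init__(self, max_bytes: int = 25 * 1024 * 1024):
        self.max_bytes = max_bytes
        self._versions: Dict[str, List[Tuple[str, float]]] = {}  # name -> [(sha256, ts)]
        self._blobs: Dict[str, bytes] = {}                        # sha256 -> content
        self._links: Dict[str, float] = {}                        # token -> expiry (epoch)
        self.audit: List[Tuple[float, str, str]] = []             # (ts, event, detail)

    def create_link(self, ttl_seconds: int = 7 * 24 * 3600,
                    now: Optional[float] = None) -> str:
        # The link is the only credential, so the token must be unguessable
        # (256 bits of randomness) and should stop working after a while.
        token = secrets.token_urlsafe(32)
        self._links[token] = (now if now is not None else time.time()) + ttl_seconds
        return token

    def upload(self, token: str, name: str, data: bytes,
               now: Optional[float] = None) -> Optional[Receipt]:
        now = now if now is not None else time.time()
        if self._links.get(token, 0.0) < now:          # unknown or expired link
            self.audit.append((now, "rejected-link", name))
            return None
        # A link holder can only add files: keep names flat and sizes bounded so a
        # hostile upload cannot escape the inbox or exhaust storage.
        bad_name = not name or "/" in name or "\\" in name or name in (".", "..")
        if bad_name or len(data) > self.max_bytes:
            self.audit.append((now, "rejected-file", name))
            return None
        digest = hashlib.sha256(data).hexdigest()
        self._blobs[digest] = data
        history = self._versions.setdefault(name, [])
        history.append((digest, now))                   # old versions are kept, not replaced
        self.audit.append((now, "uploaded", f"{name}#v{len(history)}"))
        return Receipt(name, len(history), digest, now)

    # Lender-side API: no token is involved, so nothing below is reachable by
    # whoever merely holds the upload link.
    def versions(self, name: str) -> int:
        return len(self._versions.get(name, []))

    def read(self, name: str, version: Optional[int] = None) -> Optional[bytes]:
        history = self._versions.get(name, [])
        idx = len(history) if version is None else version   # 1-based; default latest
        if not 1 <= idx <= len(history):
            return None
        return self._blobs[history[idx - 1][0]]
```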

Equal parts simplicity and security, DocumentGuardian™ is the perfect solution to enable you and your customers to transfer sensitive documents with as little risk as possible.

To learn more about how DocumentGuardian™ and our other mortgage company technology solutions can safeguard customer confidentiality and security, please contact us.


5 Ways DocumentGuardian Helps Mortgage Companies Protect Borrowers

Credit unions and mortgage companies are entrusted with some of clients’ most private information. From social security numbers to bank statements, it’s imperative that those companies are taking measured steps to protect borrowers and their private documents from cybersecurity threats. Often the borrowers themselves place their information in jeopardy when they send non-public information via unencrypted emails. This places many lenders in a predicament. Somehow, they must maintain trust, security, and compliance, without sacrificing client efficiency and convenience. Though achieving this balance was once a problem for mortgage companies, there is now a tool available that can do just that: DocumentGuardian.

Here are five ways DocumentGuardian can help mortgage companies protect their borrowers and maintain regulatory compliance with ease.

  • Encourages Better Borrower Habits

The mortgage lending process requires borrowers to supply loan officers with a great deal of private and sensitive information. Unfortunately, most borrowers aren’t thinking about their own cybersecurity when they send that information. They often assume that because they are sending these files to a trusted source, their files are in good hands. 

These bad habits can not only result in borrowers’ information being intercepted or stolen, but they can also reflect poorly on the mortgage companies involved. When lenders are audited, government agencies blame them for any client-produced security blunders, and this blame isn't entirely misplaced. With pressure from customers and looming deadlines, some lenders are tempted to take careless security risks.

Responsible loan officers educate their clients on what they can and cannot send via unsecured email. After educating customers on the importance of sending non-public personal information (NPI) through secure means, lenders can use DocumentGuardian to provide them with an easy solution that encourages better security habits from the start.

  • Eases Pain Points

The truth is, customers are more concerned with avoiding pain points and inconvenience than they are with complying with regulations. So, it’s up to mortgage companies to ease any potential pain points, while still protecting their borrowers and maintaining compliance. Solutions like DocumentGuardian supply both mortgage companies and borrowers with a tool that makes sending and receiving client documents safe and easy, reducing the numerous clicks, passwords, and log-ins typically involved in secure transactions. 

DocumentGuardian offers clients a simple-to-use interface that allows them to securely send documents and information, eliminating their pain points and yours.

To use the feature, mortgage officers supply customers with a link to a private, secure webpage. For easy customer access, this link can even be included in the loan officer's email signature. The customer opens the link, without needing any logins or complicated passwords. Then, they simply drag and drop their documents to the secure web page. 

  • Stores Information Securely in the Cloud

Once the files are scanned for viruses, DocumentGuardian stores them in secure Cloud data centers, not on mobile apps or desktop hard drives where there is an increased risk of files being hacked. For this reason, compliance auditors prefer secure Cloud storage to file-sharing apps.

Secure storage benefits mortgage companies because there is no need to download additional software or security updates, and there is an added layer of protection that safeguards sensitive information. As part of the MortgageWorkspace suite of services, DocumentGuardian regularly updates to stay within regulatory compliance and to adapt to changing security demands. 

  • Transfers, Downloads, and Uploads Encrypted Files

When clients send NPI through open, unsecured connections, they run the risk of man-in-the-middle security breaches, among other types of attacks. During this type of breach, the hacker is able to monitor traffic and even intercept or compromise messages, such as emails. 

DocumentGuardian technology doesn't require a login. Instead, clients drag and drop their documents into a secure web page through the link you have supplied. The documents are then uploaded to your secure file on the cloud. This completely eliminates the opportunity for hackers to read messages as they are sent and received.

From there, the SSL 256-bit encrypted documents are accessed as needed. You are able to manage and further secure documents by setting an expiration date for documents that are only needed temporarily. 

  • Track and Record Activity

Once files are uploaded, the client gets a receipt that documents the transaction. On the lender side, all activity on the secure web page is logged and archived. In the event of an audit, this information is readily available.

For most mortgage customers, few things are more daunting than complex paperwork. Ease customer pain points by supplying your clients with familiar drag-and-drop options. When the process is easier for them, it is easier for you too. DocumentGuardian is available to any user of MortgageWorkSpace. For more information on DocumentGuardian, the latest addition to ABT’s MortgageWorkSpace platform, please contact us.
