Email is a big part of communication with mortgage applicants, but it poses many security problems. Companies are torn between their need to protect confidential financial information and the customer’s desire for convenience. Customers don't want to go through extra steps, but they'll be very unhappy if intercepted information leads to identity theft. So will mortgage employees. That's why mortgage businesses need to understand why email security is so important.
Email standards emerged very early in the history of the internet, when security wasn't a serious concern, and unfortunately, they haven't improved a lot since then.
- Senders can trivially impersonate other people, including forging their email addresses.
- Mail goes through multiple hops, providing many opportunities to read mail in transit.
- People often don't notice what address a message comes from, and some software even hides it.
- Unsecure connections to mail servers are common. They send passwords as plain text, allowing for their interception.
A study by Halock Security Labs found that lenders often use unsecure email practices.
- 70% of the loan officers in the study let applicants send tax documents and other financial information as unencrypted email attachments.
- Only 12% provided a way of sending email securely.
- Loan officers cited customer convenience over security as the reason for using email.
The American Land Title Association has issued rules specifying that non-public personal information, in connection with real estate sales, must be transmitted securely. It recommends adopting a written privacy and information security program for protecting such information, in order to comply with federal and state laws.
Some major services, such as Gmail, encrypt mail while it's moving between their own servers, but they can't do anything about the final hop if a message goes to a different host. People have created security measures, such as PGP (Pretty Good Privacy) and GPG (GNU Privacy Guard), that attempt to provide vendor-independent, end-to-end encryption. Unfortunately, they are so clumsy to use that they have never caught on.
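To see whether a message crossed any hop without encryption, a mail administrator can read its `Received` headers. The following is an added example, not part of the original article: the function names and the sample message (hostnames, addresses, IDs) are constructed for illustration, and it relies on the standard `with` protocol keywords, where `ESMTPS` and `ESMTPSA` mean the hop used TLS.

```python
import re
from email import message_from_string

# "with" protocol keywords that mean the hop used TLS (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
# Constructed sample message; every hostname and address is a placeholder.
SAMPLE = """\
Received: from out.bigmail.example (out.bigmail.example [198.51.100.7])
    by mx.lender.example with ESMTP id 3C; Tue, 2 Jan 2024 10:00:03 +0000
Received: from smtp.bigmail.example (smtp.bigmail.example [198.51.100.5])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
    by out.bigmail.example (Postfix) with ESMTPS id 2B; Tue, 2 Jan 2024 10:00:02 +0000
Received: from laptop.local ([192.0.2.55])
    by smtp.bigmail.example with ESMTPSA id 1A; Tue, 2 Jan 2024 10:00:01 +0000
From: borrower@example.org
To: officer@lender.example

See attachment.
"""

def _strip_comments(value):  # unfold the header and drop nested (...) comments
    value = " ".join(value.split())
    while re.search(r"\([^()]*\)", value):
        value = re.sub(r"\([^()]*\)", "", value)
    return value

def _field(keyword, text):
    match = re.search(rf"\b{keyword}\s+(\S+)", text, re.I)
    return match.group(1).rstrip(";") if match else None

def trace_hops(raw_message):
    """Return hops oldest-first as (sender, receiver, protocol, used_tls)."""
    headers = message_from_string(raw_message).get_all("Received", [])
    hops = []
    for value in reversed(headers):  # servers prepend, so the last header is hop 1
        text = _strip_comments(value)
        proto = _field("with", text)
        # A missing "with" clause is treated as unverified, not as encrypted.
        used_tls = proto is not None and proto.upper() in TLS_PROTOCOLS
        hops.append((_field("from", text), _field("by", text), proto, used_tls))
    return hops

def plaintext_hops(raw_message):
    return [hop for hop in trace_hops(raw_message) if not hop[3]]

if __name__ == "__main__":
    for sender, receiver, proto, used_tls in trace_hops(SAMPLE):
        print(f"{sender} -> {receiver}: {proto} ({'TLS' if used_tls else 'NO TLS'})")
```

In the sample, the two hops inside the sending provider are encrypted and the final hop to the lender's server is not. Each `Received` line is written by the server that accepted the message and earlier lines can be forged, so treat the result as a spot check rather than proof.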
Passwords are another problem. Many people connect to mail servers using an unsecured connection, which means their passwords go through as plain text. If they combine this with an unsecured wi-fi connection, they're literally broadcasting their passwords for anyone nearby to steal. People who get mail through an application can and should use an SSL/TLS connection to their provider. This encrypts logins and other data in transit, and once they set it up, it simply works without the users having to do anything more.
Secure email portals use either a website, a special application, or an add-on to an existing application. They're a departure from how people normally send and receive their mail, but some are more disruptive than others. Finding an approach that provides security, without making customers unhappy, is a tricky balance.
The best solutions combine email and web technology. Email can notify people that information is waiting for them, and a password-protected web connection can deliver it securely.
ABT's DocumentGuardian™ is the safest and easiest way for your borrowers to send you NPI (non-public information) documents. Compliance auditors recommend it because unlike box-type file sharing apps, DocumentGuardian stores your borrower documents in our secure data center, not on individual computers and mobile devices. Loan officers and borrowers access DocumentGuardian™ through a secure browser connection, so their own logins and uploads are safe.
To minimize the risk of impersonation (called "phishing"), loan officers should advise customers to look at their mail carefully, make sure it links to the usual website, and tell the loan officer if anything looks suspicious. The consistent appearance that DocumentGuardian provides will give customers confidence that the mail they receive is authentic.
Businesses that use secure methods of exchanging documents with their customers enjoy a better reputation and are safer from charges of negligence. Contact us to learn how we can help you attain this necessary level of security.