Documents aren't really safe unless their transfer is secure from end to end. A mortgage company may store and manage its information with the highest standards, but there is still significant risk if the borrower or seller submits their documents through unsecure channels.
What are some of the best steps you can take to ensure you are meeting security compliance standards and protecting your valuable data when transferring sensitive mortgage documents?
Email is a simple, popular way to send information. It is also a very unsafe way to transfer confidential information. There's no standard method of encryption for email; Simple Mail Transfer Protocol sends messages by a series of hops from source to destination, with no way to control what servers a message might go through along the way. A "honeypot" server might pass all emails along normally but also grab copies for nefarious purposes.
This scenario is even worse if a sender is using unencrypted Wi-Fi, such as a public hotspot. A criminal can just lurk nearby with a receiver to grab copies of any mail.
Offer a Secure Alternative
What can a mortgage company do about customers sending unsecured documents, and what does it need to do? You can't outright stop people from using email, but you can severely discourage its use for sending confidential data. The best way to discourage this is to provide secure document management alternatives.
Regulations require lenders to handle documents securely. Though it’s not clear whether a mortgage company can get into trouble for accepting emailed documents, regulators will certainly view you in a better light if you present your customers with a secure, convenient alternative.
If confidential customer information is intercepted in transit, this leak can damage the lender's reputation, even if it was the customer's fault. Lending institutions need to take strong measures to avoid unsecure transfers.
Documents also need to be sent to customers securely. The mortgage company has control over this and should strictly follow good practices, both for the customers' safety and to be on safe legal ground. Lenders should never send sensitive documents by email.
Drag-and-Drop or File Transfer Account?
A simple, secure way to let customers provide documents is the drag-and-drop approach. This method lets users upload documents with a secure transfer, and it can be set up with or without password protection.
If there's no password, anyone who discovers the link can upload a document, but this is a relatively minor risk. The destination server allows only uploading, not viewing, of files, so the most that anyone who gets a copy of the link can do is upload fake files. As long as employees exercise normal caution about any information that looks wrong, the chances of harm are small.
Services like Dropbox take a drag-and-drop approach but create an unprotected link which anyone can download. Dropbox allows password-protected documents, but only with paid accounts; the free version isn't well-suited for sensitive documents.
Another approach is to create a file transfer account for each customer. Once they've registered, the software will let them upload and download files. This allows for two-way file transfer between the customer and lender, and customers can review what they've already uploaded.
In a system where customers can download as well as upload files, it is necessary to authenticate the identity of the person creating the account. Confidential personal information, such as the customer's Social Security number, can help with this. For additional security, the lending institution can send the customer a code to enter when registering.
This method offers more options than the drag-and-drop approach, but it is also more complicated to set up. If customers forget their passwords, they will need a procedure to reset them, which often involves emailing a one-time link—a method which has its own security problems.
What's important in either case is to use a secure URL (starting with “https:”) with a properly configured server. A website that doesn't use a secure connection allows eavesdroppers to intercept not only documents but passwords. An unsecure web connection is even riskier than email.
The DocumentGuardian™ Solution
ABT's DocumentGuardian™ uses the simple, reliable, drag-and-drop approach but beefs it up with more security. The customer receives an upload link; no registration or password is required. Uploading is a simple matter of dragging the file to a window. Files are uploaded via a secure connection and sent directly to ABT's secure data center, where they're available to the lending institution. When a customer uploads a revised version of a document, the old version remains available and can be viewed, compared, or, if necessary, restored.
Equal parts simplicity and security, DocumentGuardian™ is the perfect solution to enable you and your customers to transfer sensitive documents with as little risk as possible.
To learn more about how DocumentGuardian™ and our other mortgage company technology solutions can safeguard customer confidentiality and security, please contact us.