Welcome Attendees
Webinar: Best Practices
July 29, 2015

BEST PRACTICES WEBINAR

Ted Werner
Senior Vice President, New York State Agency Manager

Since 2010, when FNF consolidated its three separate agency businesses and its multiple underwriting activities into a single entity, Ted's goal has been to support the best agents in New York with the best title insurance professionals and resources available in the industry. He entered title insurance in 1982 as an underwriter for Ticor Title Guarantee Company. After two years in the New York City headquarters, Ted moved to Long Island, where he managed direct operations. After a four-year stint with TRW Title, Ted moved to Chicago Title, where he was responsible for the direct and agency business in the Hudson Valley.

Guest Speaker
Christopher J. Gulotta, Esq.
Founder of The Gulotta Law Group, PLLC and Real Estate Data Shield, Inc.

Mr. Gulotta is the founder of The Gulotta Law Group, PLLC and Real Estate Data Shield ("REDS") and was one of the very first to speak to our industry on the importance of lender liability for service providers and information security compliance. Chris possesses a truly unique combination of sophistication in lender service-provider needs, regulator expectations, and data security compliance obstacles and solutions.

Christopher is a member of ALTA's Best Practices Task Force, working with industry leaders to develop timely and prospective regulatory solutions for title and settlement agents as a member of both the "Lender" and "Settlement Agent" workgroups.

REDS, recently named ALTA's Inaugural Best Practices Elite Provider, is the first industry-specific company to provide title and settlement companies with security compliance tools through its Compliance Management Platform, which provides our industry with: (i) security policy templates; (ii) award-winning staff training courseware; and (iii) security-assessment compliance tools. Seven national title underwriters have named REDS as their Preferred Vendor for Data Security Compliance.

Chris is a graduate of Fordham Law School. He has served as a continuing legal education faculty member at Fordham Law School, Pace Law School, The Association of the Bar of the City of New York and the New York State Bar Association. He has been a featured columnist for, and interviewed for articles in, The New York Law Journal, The National Law Journal, The Title Report, The Legal Description, Valuation Review, TitleNews, etc., on topics including service provider compliance; lender liability for service providers; information security compliance for title and settlement agents; privacy law; title escrow funds; RESPA reform; and new media and Internet law.

Guest Speaker
Matthew Reass
Senior Vice President, RynohLive

• Formerly with a Virginia-based title and settlement agency, Matt recently joined RynohLive with thirteen years of industry experience.
• A licensed underwriter and Virginia Certified Title Settlement Agent (VCTSA), Matt also served on the Virginia Land Title Association (VLTA) Board of Directors for 2014-2015 as the Director of Events.
• Matt now serves as Senior Vice President at RynohLive, where he oversees corporate management.
• Introduced nationally in February 2009, RynohLive is a patented financial management and fraud prevention system specifically designed for today's diligent title agent.

Guest Speaker
Lee Fields
Managing Director, Business Consulting Services

Lee Fields is managing director of Business Consulting Services at Habif, Arogeti & Wynne, LLP.
For the past year, through HA&W's ComplianceSuccess® Program, Lee and his team have partnered with ALTA, underwriters, title agents, closing attorneys and settlement firms to enable ALTA Best Practices compliance across the value chain through independent third-party testing and reporting.

Habif, Arogeti & Wynne, LLP

HA&W has been recognized as a "Best of the Best Accounting Firm" in the United States. Since 1952, clients throughout the U.S. and in more than 40 countries have counted on HA&W to build value, manage risk and drive growth. As the largest tax, audit and business advisory firm headquartered in Georgia, our expertise across a broad range of services and industries provides clients with winning financial practices and insights to help them grow at every stage of their business lifecycle.

Today, HA&W is the leading CPA firm in the nation providing ALTA Best Practices compliance benchmarking, testing and reporting services through its ComplianceSuccess Program. HA&W's ComplianceSuccess Program provides independent third-party assurance using CPA professional standards on attestation reporting, trusted by banking and financial institutions. Our fast-track approach will assess your current level of compliance and provide you with a remediation plan in three to five business days. This process delivers the best price point to achieve compliance, offering complete compliance benchmarking and reporting across all seven ALTA Best Practices pillars. To ensure the ComplianceSuccess Program is in lock step with industry standards and requirements, HA&W is actively involved at the highest level with ALTA, the AICPA, lenders and underwriters.
Becoming Compliant with ALTA Best Practices
Presented by: Lee Fields, Managing Director, Business Consulting Services

Agenda
• HA&W's ComplianceSuccess Program
• Overview of ALTA Best Practices
• Current industry developments
• Becoming compliant with ALTA Best Practices
• FAQs

HA&W's ComplianceSuccess Program

A recognized leader
HA&W has been recognized as a "Best of the Best Accounting Firm" in the United States and one of the top 50 largest firms in the nation.
• Best of the Best Accounting Firm, 2013-2014
• GA's Best Full Service Accounting Firm, 2012-2014
• Top 100 Accounting Firm, 2007-2014

HA&W at a glance
• 300+ professionals
• Clients in 40+ countries
• 43 partners
• 25+ languages spoken
• 6 industry specialties
• Clients in 49 of the 50 states

HA&W's ComplianceSuccess Program
Comprehensive benchmarking, testing and reporting across all seven ALTA Best Practices pillars. HA&W's ComplianceSuccess Program is:
• Fast: Our fast-track approach can assess your current level of compliance and provide a remediation plan in as little as three to five business days.
• Affordable: The efficiency of our process delivers the best price point to achieve compliance with ALTA Best Practices.
• Comprehensive: We offer complete compliance benchmarking, testing and reporting services across all seven ALTA Best Practices pillars.
• Proven: As of today, we are working with close to 200 agents, ranging from 1 to 50+ offices. Our roadmap to compliance is based on the ALTA Best Practices Framework.
• Trusted: HA&W is involved at the highest levels of ALTA, the AICPA and underwriters to ensure our benchmarking and assurance reporting services are in lock step with industry standards and requirements.

HA&W's ComplianceSuccess Program: Pricing Overview

HA&W's ComplianceSuccess Program: Our commitment
HA&W is confident that your lender will accept our examination or review report as defined in your engagement letter with us. We commit to:
• Refunding your report fee if your lender:
  – rejects our report within 90 days of issuance, and
  – requires that you obtain a second report from another CPA firm.
• Charging you only for the incremental work necessary to reissue our report if ALTA changes its Best Practices Assessment Procedures within six months of issuance of our report.

Overview of ALTA Best Practices

Why have ALTA Best Practices policies and procedures in place?
In accordance with Consumer Financial Protection Bureau (CFPB) Bulletin 2013-03, mortgage lenders are expected to have an effective process in place for managing the risks of their third-party service providers. Mortgage lenders will conduct due diligence by requesting and reviewing the service provider's documentation on their policies and procedures to support that they are in compliance with federal consumer financial laws. ALTA developed its Best Practices Framework for title industry professionals to use as a guideline to meet CFPB requirements.

Current industry developments

National and regional financial institutions have begun announcing compliance guidelines for their third-party partners. Institutions like Wells Fargo, SunTrust, BancorpSouth, IBERIABANK and Trustmark are leading the way in providing compliance guidelines and clarity to title and settlement professionals. Guidelines currently range from requiring completed self-assessments to requiring certifications by independent third parties by certain dates.
With TRID now set for October 3rd, some lenders now have "grace periods" for ALTA BP compliance certification.

Becoming compliant with ALTA Best Practices

Steps to compliance:
• Assess current level of compliance and receive gap analysis
• Remediation
• Testing
• Ongoing monitoring

Reporting options overview by level of assurance (least to greatest):
• Self-certification: No independent third-party testing.
• Review: Testing includes evaluating policies and procedures and making inquiries of personnel; testing performed remotely with optional onsite visit (depending on agent size).
• Examination: Testing includes evaluating policies and procedures, inspecting documents and records, making inquiries of personnel, and observing activities; onsite visit provided for maximum testing and additional testing performed remotely.
• SOC Reporting: Assesses financial risk to lenders (with particular emphasis on escrow accounts); focuses on security, processing integrity, privacy and confidentiality; customized to include all seven ALTA Best Practices pillars; onsite visit(s) provided for maximum testing and additional testing performed remotely.

ALTA BP Certification Guide (many report options)

ALTA BEST PRACTICES CERTIFICATION REPORT GUIDE

Certification Type: Service Organization Controls (SOC) Reporting | Examination | Agreed-Upon Procedures | Review | Consulting | Self-Certification | Underwriter Internal Audit Program

Also Known As (AKA): SOC1 = SSAE16, SOC2 | Exam | AUP | Review | Consulting Engagement; Certification | Self-Assessment | Various Underwriters

Who can do the testing?: CPA firm only | CPA firm only | CPA firm only | CPA firm only | Any entity | N/A | Their internal auditors

Testing Performed: Assesses financial risk to lenders (with particular emphasis on escrow accounts); focuses on security, processing integrity, privacy and confidentiality; customized to include all seven ALTA Best Practices pillars; onsite visit(s) provided for maximum testing and additional testing performed remotely | Testing includes evaluating policies and procedures, inspecting documents and records, making inquiries of personnel, and observing activities; on-site visit provided for maximum testing and additional testing performed remotely | Testing would be jointly defined by all parties to the engagement | Testing includes evaluating policies and procedures and making inquiries of personnel; testing performed remotely with optional on-site visit (depending on agent size) | Testing would be developed under that engagement and is NOT required to follow the ALTA Best Practice Assessment Procedures; limited third-party testing | No independent third-party testing | Unknown

Report Provided: CPA SOC report | CPA attestation report; CPA opinion and certificate of compliance | CPA attestation report; CPA opinion and certificate of compliance | CPA attestation report only | CPA attestation report and certificate of compliance | Certificate only | None | Unknown

Is Independence Required?: Yes | Yes | Yes | Yes | No | No | No

Money back commitment from testing provider if report is not accepted by your lender(s)?: Yes (with HA&W) | Yes (with HA&W) | None | Yes (with HA&W) | None | N/A | N/A

Advantages: Highest level of assurance provided for service organizations; commonly recognized by lenders in the marketplace; provides market distinction and competitive advantage | Highest level of assurance provided for ALTA Best Practices; report may be shared in the marketplace; provides market distinction and competitive advantage | Lenders must first agree to procedures to be tested | High level of assurance provided for ALTA Best Practices; must be performed by a CPA; provides market distinction and competitive advantage | Varied external cost | No external cost | Minimal to no external cost (depending on underwriter)

Challenges: Significant investment and thoroughness of report may be unnecessary | High degree of rigor required to achieve compliance | No opinion provided in report; CPA oversight not provided | Medium degree of rigor required; lender may require higher level of rigor to achieve compliance | May not conform with ALTA's assessment procedures | No third-party verification | Each underwriter program is unique and may not conform to the same standards

Summary: Recommended for title agents whose lenders require the highest level of assurance, regardless of ALTA Best Practices | Recommended for title agents who want to offer lenders the highest level of assurance specific to ALTA Best Practices and perform more than 300 closings per year | No opinion provided in report; report may not be distributed to a lender that is not party to the engagement contract | Recommended for title agents that perform less than 300 residential closings per year; BancorpSouth has publicly approved reviews as an acceptable form of compliance | Not recommended | Not recommended | Not recommended | Not recommended

Becoming compliant with ALTA Best Practices

Common compliance weaknesses:
• Lack of written policies and procedures
• Lack of audit trail
• Reconciliations
• Information Security Program
• Positive Pay
• Complaint log

Common areas of confusion:
• Non-public Information
• Cybersecurity
• Cyber insurance
• Background and credit checks

FAQs

Why do I need to have ALTA Best Practices policies and procedures in place and have a CPA give assurance on my compliance to mortgage lenders?
In accordance with Consumer Financial Protection Bureau (CFPB) Bulletin 2012-03, mortgage lenders are expected to have an effective process in place for managing the risks of their third-party service providers, e.g. residential settlement agents and title companies. Mortgage lenders have always looked to CPA firms to give them assurance on third-party information as a way to meet their risk management guidelines.

How does the CFPB want the mortgage lenders to manage these relationships?
Mortgage lenders will conduct due diligence by requesting and reviewing the service provider's documentation on their policies and procedures to support that they are in compliance with federal consumer financial laws. In response to the CFPB, and to help mortgage bankers monitor their settlement attorneys' and title companies' compliance, ALTA developed its Best Practices Framework for title industry professionals to use as a guideline to meet these requirements.

What does that mean for settlement agents and title companies?
Settlement agents and title companies will need to provide their mortgage lenders with assurance that they are in compliance with federal consumer financial laws, so that mortgage lenders can document for the CFPB that they have developed a process to monitor their service providers and are verifying compliance.

What is my risk if I am not able to provide that level of assurance to my mortgage lenders?
Pursuant to federal consumer financial laws, mortgage lenders may face fines and enforcement action from the CFPB if they cannot show that they are properly managing their third-party relationships. For settlement agents and title companies, lack of compliance will lead to severe or catastrophic business disruption, as mortgage lenders will do business only with compliant third parties to avoid penalties and reduce risk.

How can I get guidance on the policies and procedures that I need to have in place?
ALTA has issued "Best Practices" for its real estate settlement firms and title companies. The CFPB, Wells Fargo and several other prominent lenders have indicated they support ALTA's efforts in developing these "Best Practices."

Why will my lender be asking for information on my policies and procedures, E&O insurance, complaint log and other items?
Your lenders will ask for these items to determine where you are in the process of becoming compliant and following the requirements of CFPB Bulletin 2012-03.

What is the first step in getting ALTA Best Practices compliant?
The first step is to determine your current level of compliance through HA&W's Compliance Benchmark and develop a plan to remediate any deficiencies. HA&W has developed its ComplianceSuccess® Program as a fast track to compliance with ALTA Best Practices. HA&W's Compliance Benchmark will enable you to assess your current level of compliance with ALTA Best Practices. HA&W will provide you with a gap analysis and remediation plan in as little as three to five business days and review it with you to create a customized plan of action.

Before I engage HA&W for a Compliance Benchmark, what should I prepare?
The Compliance Benchmark can be completed without any advance preparation. This will give you the most objective evaluation of your agency's current level of compliance, using ALTA's Best Practices Assessment Procedures Framework as the benchmark.

How long does it take to complete the Compliance Benchmark?
The Compliance Benchmark will take no longer than an hour to complete.

How long does the remediation phase take?
Based on the suggested remediation steps generated by the gap analysis and how far along your company is in documenting its policies and procedures in accordance with ALTA Best Practices, the remediation phase can take anywhere from a few days to a few months to complete.

Once I have completed the remediation phase and policies and procedures are in place and being followed, what is next?
You will need to demonstrate compliance with those policies and procedures for a minimum period of three months, unless your mortgage lender requires a different assessment period.
When will I be ready to have HA&W perform the compliance testing necessary to issue a report?
Once you have remediated compliance deficiencies and have been in compliance for a minimum of three months, you are ready to have HA&W begin the testing process.

How can I provide CPA assurance that I am ALTA Best Practices compliant to the mortgage lender(s) I work with?
Once HA&W completes compliance testing through either a review or an examination engagement, you will be provided a CPA attestation report to show your mortgage lender(s) that you are compliant with ALTA Best Practices.

What is the difference between a review and an examination attestation engagement?
A review is a cost-effective option for the small title agent to obtain CPA assurance on whether they are compliant with ALTA Best Practices. In a review engagement, the title agent performs ALTA's assessment procedures using HA&W's toolkit, and we perform high-level procedures to determine compliance. An examination is designed for medium-to-large title agents and is akin to an onsite audit of financial statements, providing a high degree of assurance based on HA&W performing ALTA's assessment procedures using AICPA professional guidelines.

What is the difference between a small agent and a medium-to-large agent?
Industry professionals have defined a small title agent as one who closes approximately 300 or fewer loans per year, has one to two offices, one to two escrow bank accounts and fewer than 10 employees. Based on mortgage lender risk profiles, small agents are considered less risky due to fewer dollars going through their escrow bank accounts. In comparison, medium-to-large title agents have higher risk profiles due to the sizable amount of funds flowing through their escrow bank accounts. Consequently, based on mortgage lender risk management policies, medium-to-large title agents will require greater CPA assurance to ensure compliance with ALTA Best Practices.

Will lenders develop one standard for the compliance reports they require?
While formal requirements are still to come from lenders, HA&W issues Best Practices compliance reports that adhere to the AICPA's attestation standards. We have discussed our reporting options for review and examination attestation engagements with the major mortgage lenders, and they are confident these will enable them to comply with CFPB guidelines and meet their risk management policies. Because CPAs have historically provided financial and nonfinancial information to banks to mitigate their business risk, it is our belief that banks will continue to embrace the reputable quality of CPAs and the AICPA as providers of this nonfinancial information as well.

What is the difference between a CPA's attestation report and ALTA's certification report?
Unlike certification reports, attestations can only be performed by CPAs and adhere to AICPA professional standards trusted by banking and financial institutions.

How long does each part of the attestation process take?
From planning to the issuance of the compliance report, field work will take anywhere from a few days to a few weeks, depending on the type of attestation report being issued.

How much time will be required by my company to gather documents requested by HA&W?
As a general rule, for each location you have, it will take approximately one day for a review and up to three days for an examination to gather the information.

Will the compliance testing phase of the engagement be performed onsite at my office?
This depends on your engagement type. For a review engagement, no onsite visit is required.
For examination engagements, an onsite visit of one to three days is necessary, depending on the number of locations and whether there are common procedures at all locations. The remaining compliance testing will be conducted electronically over a secure network portal and will cause minimal disruption to the daily business of your agency.

Who will perform the necessary onsite procedures?
Either HA&W personnel or a local representative of HA&W will schedule time to perform all necessary onsite procedures.

What happens if deficiencies in compliance are found during the attestation engagement?
Being a part of HA&W's ComplianceSuccess Program from the beginning reduces the likelihood that deficiencies will be noted during the compliance testing stage. If any deficiencies are found during the engagement, we would notify you immediately. We would provide you with a referral to at least two independent resources that could help with your remediation needs. We would then resume compliance testing.

What will I be given as a deliverable to show my mortgage lenders that I am compliant?
Depending on your mortgage lender requirements, you will receive either a review report or an examination report that can be given to your mortgage lenders, along with the ALTA assessment procedures performed and a certificate of compliance.

How often will I be required to go through this assessment process?
Documenting your policies and procedures and documenting compliance is a daily process. The frequency of assessments will be up to your mortgage lenders' requirements and risk management policies, but ALTA recommends a 24-month cycle. Future attestation reports will be much less time consuming than the initial compliance process, so long as your policies and procedures remain consistent and no issues of noncompliance are noted.

What is the approximate cost of the review and examination engagements?
Depending on the number of locations, the number of closings and other company demographics, the cost of a review engagement will be approximately $2,000, and the examination engagement cost will range from approximately $8,000 to $40,000, depending on the number of locations, escrow accounts, loan closings and other company information. To get started, our Compliance Benchmark will assess your current level of compliance with the ALTA Best Practices Framework, and you will receive a gap analysis and remediation plan for $750.

Now that I have an attestation report, what should I do with it?
Make your lender aware. It is to your advantage to have them know of the strides your agency has made to meet regulatory standards. Mortgage lenders will be reducing the number of title agents they use to reduce their own business and regulatory risks. You can use this report to gain a competitive advantage, retain current mortgage lender relationships and grow new relationships to increase market share.

How can I be sure I'm staying compliant with ALTA Best Practices?
Staying in compliance is a dynamic process, not a one-time event. Stay updated on regulatory changes with our ongoing monitoring program to keep you in compliance.

Why should I choose HA&W's ComplianceSuccess Program to provide my ALTA Best Practices testing and reporting?
HA&W was the first CPA firm in the nation to perform ALTA Best Practices compliance benchmarking and assurance reporting through its ComplianceSuccess Program. HA&W's ComplianceSuccess Program provides independent third-party assurance using CPA professional standards on attestation reporting, trusted by banking and financial institutions.
To ensure our ComplianceSuccess Program is in lock step with industry standards and requirements, HA&W is actively involved at the highest levels with ALTA, the American Institute of Certified Public Accountants, and the Mortgage Bankers Association.

What constitutes a complaint?
Establish your own parameters within reason. Make guidelines for the employee(s) who will take the complaint and file it within the guidelines. The relevant complaints that should be considered would pertain to issues of premium calculations, disclosures, policy/title issues, mortgage payoff issues, nonpublic information (NPI) and general closing practices, as well as the timeliness with which customer concerns are addressed.

What is considered nonpublic information (NPI)?
NPI is considered to be any personal and confidential consumer information that does not reside in the public domain. This would include, but is not limited to, activity and account numbers pertaining to social security cards, credit cards, loans of any kind (mortgage, car, boat, etc.), investments, medical information, credit reports, paystubs, employment information, background/credit checks, unlisted personal addresses and tax returns.

What if a customer only gives you the last four digits of a social security number or account number? Is this considered nonpublic information?
Yes, this is considered NPI. Although not complete, it is still partial information of what would be considered NPI and should be safeguarded.

Should a company run a background and credit check for all employees?
Background checks should be required on all personnel having access (direct or indirect) to escrow/trust account funds and NPI. Best Practices indicates it is up to the company whether credit checks should be run. It is recommended that credit checks be performed on all personnel who have direct access to the escrow/trust account(s), and that they be considered for personnel having indirect access, provided the proper segregation controls are in place. Ongoing periodic background and credit checks of the same personnel should be considered as part of your company's policies, procedures and internal control structure.

What happens if you have cyber protection and security on your computer and you accept an email from someone who sends nonpublic information to you without encryption?
The cyber protection and controls a company may have in place on its internal systems do not extend to external entities that transmit email without encryption. This means there is a risk of an information breach if another company transmits an unencrypted email containing NPI.

What is cyber insurance?
Cyber insurance is coverage that is specifically tailored, and available with a Business Owners Policy, to protect small businesses with essential coverage related to the inherent cyber threats a business is perceived to have. The determination of the level of insurance and the rates comes after an analysis performed by the insurance carrier to assess the risk threat level within the various business processes of the company.

Questions

Contact us
We look forward to working with you.

Lee Fields, Managing Director, Business Consulting Services, 770.353.4776, lee.fields@hawcpa.com
Adam Klein, Client Relationship Executive, 770.353.4775, adam.klein@hawcpa.com
Carol Adams, Client Relationship Executive, 770.353.5318, carol.adams@hawcpa.com

Christopher J. Gulotta, Esq.
Founder & CEO, Real Estate Data Shield, Inc.
271 Madison Avenue, Suite 700, New York, NY 10016
212-951-7302
cgulotta@redatashield.com

Real Estate Data Shield, Inc. © 2015

The Old World

The New World

• Non-public Personal Information ("NPPI"):
  – Personally identifiable data such as information provided by a customer on a form or application, information about a customer's transactions, or any other information about a customer which is otherwise unavailable to the general public.
  – NPPI includes first name or first initial and last name coupled with any of the following:
    • Social Security Number
    • Driver's license number
    • State-issued ID number
    • Credit or debit card number
    • Other financial account numbers

1. Gramm-Leach-Bliley Act (GLBA)
2. Federal Trade Commission (FTC)
   – Privacy Rule (1999)
   – Safeguards Rule (2003)
   – Disposal Rule (2005)
3. Consumer Financial Protection Bureau (CFPB)
   – April 2012 Bulletin
   – Supervisory Highlights (2012)
4. Office of the Comptroller of the Currency (OCC)
   – Interagency Guidelines Establishing Standards for Safeguarding Customer Information (2001)
   – Third Party Relationship Bulletin (Oct. 2013)
5. Federal Reserve System
   – December 5, 2013 "Managing Outsourcing Risk" Bulletin
6. American Land Title Association (ALTA)
   – "Best Practices" for Title Insurance and Settlement Companies, Version 2.0 (Jan 2013)
7. State Agencies & Regulators (State Attorney General, Department of Insurance, Attorney Professional Codes of Conduct)
8. Lender mandates

• Best Practice: Adopt and maintain a written privacy and information security program to protect Non-public Personal Information as required by local, state and federal law.
• Purpose: Federal and state laws (including the Gramm-Leach-Bliley Act) require title companies to develop a written information security program that describes their procedures to protect non-public customer information.
  – The program must be appropriate to the company's size and complexity, the nature and scope of the company's activities, and the sensitivity of the customer information the company handles.
  – The company must evaluate and adjust its program in light of relevant circumstances, including changes in the company's business or operations, or the results of security testing and monitoring.

• Written Plan
• Trained Employees
• Risk Assessment
• Independent Testing of Key Controls
• Acceptable Use Acknowledgements
• Access Controls for NPPI
• Network Access Controls w/ Background Checks
• Removable Media Controls
• NPPI encryption in motion and at rest
• Monitor, detect & respond to attacks
• Physical controls to protect premises & NPPI
• Change/Modification & Backup controls
• Privacy Disclosures
• Records Retention & Destruction

• #3.07 – verify that:
  – Background checks (5 yr) w/in past 3 years
  – Terminated employees' access rights removed per policy
  – Access to systems w/ NPPI prevents conflict of interest
  – Annual review of access rights/privileges done
  – Access controls in place and tested
• Passing grade must be 100%

• Take action NOW!
– Gather a team of advisors, including supervisors, technical experts and at least one line worker – Make a plan with needed components • • • • Information security Acceptable use of resources Vendor management requirements Respecting and protecting personal information of consumers and employees • Privacy policy for public disclosure (print and Web) • Security incident management and reporting • Consumer inquiries and complaints – Document the plan in detail Real Estate Data Shield, Inc.© 2015 54 • Create Awareness and Compliance – Educate all staff, vendors and others about your documented plan – Make it required reading – Make it the subject of regular meetings • Formal meetings or brown bag lunches (throw a pizza party!) – Create a culture of privacy and security • Deploy online training • Put up posters to emphasize best practices – Lead by example • Conduct yourself in a way that reinforces the value of consumer information and compliance Real Estate Data Shield, Inc.© 2015 55 • Purpose – Approximately 39% of all data breaches are caused by negligent employees or contractors, and comprehensive training is the most effective way to reduce this negligence. • Benefits – The success of a company’s information security plan “depends largely on the employees who implement it.” To kick start this success, the FTC recommends training employees “to take basic steps to maintain the security, confidentiality, and integrity of customer information.” • Expectations – In addition to ALTA and FTC expectations, the CFPB and OCC have emphasized in Bulletins and administrative proceedings that companies must provide for an effective training and compliance management program for all employees and service providers. Real Estate Data Shield, Inc.© 2015 56 • Nearly every state have adopted the American Bar Associations Model Rules of Professional conduct. 
• Rule 1.6 Confidentiality of information (a) “a lawyer shall not reveal information relating to the representation of a client..” Real Estate Data Shield, Inc.© 2015 57 Lender Requirements Regarding ALTA Best Practices Wells Fargo: March 6th 2014 Wells supports customer choice provided such third party providers “consistently meets all applicable requirements” Wells is expanding and enhancing third party oversight…in order to monitor and measure performance Wells recognizes some may need “transition time” If not currently following ALTA Best Practices, do you have a plan in place for adoption? Can you document and demonstrate inspection processes to validate your adoption of ALTA’s Best Practices? F&M Bank: December 16, 2013 Must demonstrate policies and procedures, relating to escrow security, information security, compliance with consumer financial laws and underwriter letter stating ‘good standing’ First National Bank: April 17th. 2015 Includes CFPB April 2012 “Service Provider” Bulletin and Questionnaire for Service Providers to complete evidence of Compliance Efforts. BancCorpSouth: March 2nd, 2015 Requires CFPB and Privacy Compliance and requires an independent, third-party assessment based upon ALTA’s Best Practices by approved vendor. Self-certification not accepted Approved closing agents must complete a third-party assessment no later than July 31st 2015. 
SunTrust: April 22nd 2015 Approved settlement agents to adhere to ALTA’s Best Practices and conduct a self-assessment no later than July 1st, 2015 58 Practical Steps to Take: Develop all required privacy and data security policies, procedures, and plans Information Security Plan Incident Response Plan Disaster Recovery Plan Secure Password Policy Electronic Communications and Internet Use Policy Assess your company’s risk profile Educate and train your work force Secure your work flows Ensure compliance of all service providers Implement a sound document destruction policy Real Estate Data Shield, Inc.© 2015 59 A. Administrative B. Physical C. Network Real Estate Data Shield, Inc.© 2015 60 1. 2. 3. 4. 5. 6. 7. 8. Staff Training Manual of Policies and Procedures Privacy Notice Shred-All Policy Sub-vendor Non-Disclosure Agreements (NDA’s) Background checks on employees handling NPPI Clean Desk, Office and Screen Policy Authorized Devices Real Estate Data Shield, Inc.© 2015 61 1. 2. 3. 4. 5. 6. 7. 8. 9. Entryway Security & Sign-in Log Clean Desk Policy Clean Office Locked Filing Cabinets Security Cameras Privacy Screens Locked Offices Shredding of Paper and Digital Media Locks on Computers Real Estate Data Shield, Inc.© 2015 62 1. 2. 3. 4. 5. 6. 7. 8. Password Protection Computer Screen Timed Lockout Using Various Brands of Firewalls (Defensive Depth) Port Lockdown Network Printers/Scanners Restrictive Access to Programs, files etc. Updates and Patches Email Encryption Real Estate Data Shield, Inc.© 2015 63 1. 2. 3. 4. 5. 6. 7. 8. 9. 
Start Preparation Now: be able to document & demonstrate your ALTA Best Practice Pillar Compliance; Delegate: one person to tackle & be responsible for physical, administrative & network security; Information Security Policies & Procedures: Develop & have staff sign off (review & update annually); Conduct an informal security self-assessment: physical, administrative & networks security; Disaster Recovery/Business continuity: Critical to lenders. Make sure you have thought this through and have a documented plan and process in place; Staff Training: When on-boarding & annually (38% of all breaches occur at the employee level); Security Essentials: (i) secure entryway; (ii) sign-in logs (verify identity); (iii) staff background checks; (iv) e mail encryption; (v) clean desk, office & screen; (vi) locked file cabinets; (vii) disable USB ports & daily wipe of network printers/scanners; (viii) Check ID at door; (ix) “4 th parties” must also comply; On-Site Security Assessment: BP Pillar 3 best addressed independently; and Global 7 Pillar Attestation: last step in demonstrating compliance. 64 Real Estate Data Shield, Inc.© 2015 65 Christopher J. Gulotta, Founder & CEO CEO and founder of Real Estate Data Shield and The Gulotta Law Group, having represented institutional lenders in mortgage finance transactions for more than 20 years. He has developed compliance management platforms for mortgage lenders, title underwriters, and title and settlement agents. Paul Schwartz, Chief Privacy Advisor An international expert on information privacy law, Professor Schwartz assists corporations and law firms with regulatory, policy, and governance issues. As professor of law at UC Berkeley and Director of the Berkeley Center for Law and Technology, he has published widely on privacy and data security topics. Richard, Purcell, Courseware Developer A leading voice in consumer privacy and data protection challenges, Mr. 
Purcell is an award-winning developer of Webbased education and training courses. As Microsoft's original privacy officer, he designed and implemented one of the world's largest and most advanced privacy programs. 66 Staff Training Policies & Procedures • • • • • • • Consumer Privacy Employee Data Protection Acceptable Use of Company Resources – Employees Information Security Information Management – Third Parties Security Breach Management Information Management for Real Estate Settlement Services Companies Risk Self-Assessment • • • • • Threats and Vulnerabilities Controls and Safeguards Information Management Governance Security Infrastructure – Physical and Technical Employee Awareness 67 68 70 71 72 At our Preferred Pricing: • 10 PERSON COMPANY (CERTIFICATION PROGRAM): – Staff Training e-Courseware: $600 – Information Security Policy Templates & Self-Assessment Tools: $400 – On-Site Security Assessment: $4,000* TOTAL: $5,000 ($1,250 Savings) • 25 PERSON COMPANY (CERTIFICATION PROGRAM): – Staff Training e-Courseware: $1,000 – Information Security Policy Templates & Self-Assessment Tools: $400 – On-Site Security Assessment: $5,375 TOTAL: $6,775 ($1,350 savings) *Does not include travel and related expenses; includes one location/facility 73 • This presentation, the supporting materials and the information contained therein do not constitute legal advice nor an attorney client relationship and is provided for information purposes only. Because laws, rules and regulations change frequently and because local laws may apply, you should consult an attorney for any specific compliance or related inquiries. Real Estate Data Shield, Inc.© 2015 74 Christopher J. Gulotta, Esq. Founder & CEO Real Estate Data Shield, Inc. (212-951-7302 *cgulotta@redatashield.com www.realestatedatashield.com Real Estate Data Shield, Inc.© 2015 75 Title Industry Best Practices Presented by: ESCROW BEST PRACTICES ALTA Pillar No. 
2 “Adopt and maintain appropriate written procedures and controls for Escrow Trust Accounts allowing for electronic verification of reconciliation.” 77 ESCROW BEST PRACTICES Five Greatest Internal Threats • Funds not clearing in a timely manner • • Ex: Loan payoff, taxes, clerk/recording, etc… Check payee change • Ex: Stale dated tax refund • Negative balances • Funds deposited to incorrect account • • Multiple escrow accounts Defalcation/embezzlement 78 ESCROW BEST PRACTICES Five Greatest External Threats • Check fraud • Ex: Positive Pay (bank software matches check #, check date, dollar amount & payee) • “Revised” wire instructions • Malware/spam bots • Thumb drives • External devices accessing your network • Cell phone or iPad accessing an open Wi-Fi network 79 ESCROW BEST PRACTICES Five Critical Internal Controls • Daily three-way reconciliation • • • #1 defense against fraud Monthly is insufficient Daily reports and alerts • Comply with ALTA Pillar #2 (and all other pillars) • Dual authorization for wires • Secure email • • Protects NPPI and complies with Best Practices Employee background checks 80 ESCROW BEST PRACTICES Five Areas for Improvement to Migrate Risk • Incoming wire requirements • • Cash/checks up to $500; Cashier’s checks up to $5,000-$10,000; Wires beyond Secure portal of online banking • Ex: Marble Secure • Separate funding desk not tied to server • Locking computers • • No USB access / block social media Escrow policies & procedures: • Regularly review with staff 81 397 Little Neck Road 3300 South Building, Suite 306 Virginia Beach, VA 23452 W: 757-333-3760 www.Rynoh.com Wrap Up • Thank you for participation in our Webinar. Additional reference materials are available at www.fntgnyagency.com. • Lee Fields @ Habif Arogeti & Wynne LLP @ Lee.Fields@hawcpa.com • Christopher J. Gullota, Esq. @ cgulotta@redatashield.com • Matt Reass @ matthew.reass@rynoh.com • We hope you found this webinar valuable and full of helpful resources.
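The two escrow controls the deck singles out, daily three-way reconciliation (bank balance, book balance and the sum of per-file trial balances must agree) and Positive Pay matching of presented checks against the check register, as an added Python example. It is not code from the webinar or from any RynohLive product; the ledger layout, the file numbers, checks and balances are all constructed for illustration.

```python
"""Daily three-way escrow reconciliation and Positive Pay matching.

Added example; all account data below is constructed, not real.
"""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class Check:
    """A check as written in the register, or as presented to the bank."""
    number: int
    issued: date
    payee: str
    amount: Decimal


def adjusted_bank_balance(bank_balance, outstanding_checks, deposits_in_transit):
    """Statement balance corrected for items the bank has not yet seen."""
    return (bank_balance
            - sum((c.amount for c in outstanding_checks), Decimal("0"))
            + sum(deposits_in_transit, Decimal("0")))


def file_trial_balances(ledger):
    """Per-file balances from (file_no, amount) rows; receipts positive,
    disbursements negative. A negative result is one of the deck's
    'internal threats' and must be flagged even when totals agree."""
    balances = {}
    for file_no, amount in ledger:
        balances[file_no] = balances.get(file_no, Decimal("0")) + amount
    return balances


def three_way_reconcile(bank_balance, outstanding_checks, deposits_in_transit,
                        book_balance, ledger):
    """Compare adjusted bank, book and trial balances; list negative files."""
    bank_adj = adjusted_bank_balance(bank_balance, outstanding_checks,
                                     deposits_in_transit)
    per_file = file_trial_balances(ledger)
    trial_total = sum(per_file.values(), Decimal("0"))
    return {
        "adjusted_bank": bank_adj,
        "book": book_balance,
        "trial": trial_total,
        "balanced": bank_adj == book_balance == trial_total,
        "negative_files": sorted(f for f, b in per_file.items() if b < 0),
    }


def _norm(payee):
    return " ".join(payee.split()).casefold()


def positive_pay_exceptions(issued, presented):
    """Positive Pay: a presented check must match the register on number,
    date, payee and amount. Returns (check number, reason) per exception."""
    exceptions = []
    for paid in presented:
        reg = issued.get(paid.number)
        if reg is None:
            exceptions.append((paid.number, "not in check register"))
            continue
        if reg.issued != paid.issued:
            exceptions.append((paid.number, "issued mismatch"))
        if _norm(reg.payee) != _norm(paid.payee):
            exceptions.append((paid.number, "payee mismatch"))
        if reg.amount != paid.amount:
            exceptions.append((paid.number, "amount mismatch"))
    return exceptions


# Constructed sample day (file numbers and amounts are invented).
LEDGER = [
    ("2015-101", Decimal("250000.00")),   # lender wire received
    ("2015-101", Decimal("-240000.00")),  # check 1001: loan payoff
    ("2015-102", Decimal("5000.00")),     # buyer deposit
    ("2015-102", Decimal("-5500.00")),    # check 1002 exceeds the file's funds
    ("2015-103", Decimal("10000.00")),    # earnest money deposited today
]
BOOK_BALANCE = Decimal("19500.00")
# Statement balance: check 1001 has not cleared and today's deposit is not posted.
BANK_BALANCE = Decimal("249500.00")
ISSUED = {
    1001: Check(1001, date(2015, 7, 28), "ABC Mortgage Servicing", Decimal("240000.00")),
    1002: Check(1002, date(2015, 7, 28), "County Clerk", Decimal("5500.00")),
}
PRESENTED = [
    Check(1001, date(2015, 7, 28), "ABC Mortgage Servicing", Decimal("240000.00")),
    Check(1002, date(2015, 7, 28), "J. Doe", Decimal("5500.00")),  # payee altered
    Check(1003, date(2015, 7, 29), "Cash", Decimal("900.00")),     # never issued
]


def run_daily_checks():
    """Run both controls on the sample day and return their findings."""
    recon = three_way_reconcile(BANK_BALANCE, [ISSUED[1001]],
                                [Decimal("10000.00")], BOOK_BALANCE, LEDGER)
    return recon, positive_pay_exceptions(ISSUED, PRESENTED)


if __name__ == "__main__":
    recon, exceptions = run_daily_checks()
    print("balanced:", recon["balanced"], "negative files:", recon["negative_files"])
    for number, reason in exceptions:
        print(f"positive pay exception: check {number}: {reason}")
```

The sample day balances to the penny, yet the report still raises two of the threats listed above: file 2015-102 is overdrawn, and check 1002 reaches the bank with a different payee. That is why the three balances agreeing is necessary but not sufficient, and why the deck asks for daily reports and alerts rather than a monthly total.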