Safeguarding the Reverse Mortgage Business in the Cyber Security Age

In the wake of numerous high-profile cyber security breaches at some of the world’s largest companies, it is incumbent upon financial professionals, including those in the reverse mortgage industry, to be aware of cyber security threats and to know how to protect against attacks that can affect clients, the business and its employees.

This is according to a panel of experts who discussed cyber security in the context of the reverse mortgage business at the National Reverse Mortgage Lenders Association (NRMLA) Annual Meeting in Nashville, Tenn.

High-profile data breaches

Setting the stage for the importance of observing both physical and digital security, the panel highlighted several recent high-profile breaches at major companies: the July 2019 data breach at Capital One that compromised the records of roughly 100 million customers; the May 2019 exposure at title insurance company First American Financial Corporation, in which as many as 885 million individual records were left accessible, affecting an unknown number of customers; and the 2017 data breach at consumer credit reporting agency Equifax that exposed the personal data of as many as 143 million people.

“If it can happen to these big marquee, publicly-traded companies, it can happen to anybody in this room,” says Mark Johnson, president of appraisal management company LRES Corporation. “We need to determine how we take those headlines back to our own operations, and move forward in terms of coming up with a plan.”

While reverse mortgage companies have their own unique concerns, the fact that they handle sensitive financial information belonging to borrowers means that special precautions must be implemented to safeguard the company, its clients and its employees, says Sarah Cavanaugh, senior compliance officer at Finance of America Reverse (FAR).

“For FAR, we have a strong vendor management program under the legal/compliance umbrella,” Cavanaugh says. “We have a large wholesale division, and we need to make sure we conduct our due diligence and make sure they meet our requirements in compliance and risk management.”

Major areas of focus

For any business, reverse mortgage businesses included, the four areas of concern are physical security; information security; compliance management; and oversight and enforcement. Physical security covers the building the business operates in and all of the sensitive physical objects (including paper records) that the business must be able to protect adequately. It can involve measures as simple as secure doors and cameras on the premises.

“Physical security isn’t always about just security, sometimes it’s about safety,” says Jill Haro, SVP of corporate administration at LRES. “Safety comprises facilities, employees and systems. One key part of safety centers on emergency procedures, and making sure that everyone knows where they’re supposed to go in the event of an emergency.”

Compliance management involves a dedicated division that ensures the company, its partners and its employees are following security policies, while oversight and enforcement tracks legislative changes that can affect how the company complies with applicable regulations.

Cyber security in the reverse mortgage business

Information security is the component most people today call “cyber security,” and it covers technology, software, non-public information, and sensitive business and personal data. Important documents such as disclosures are increasingly communicated electronically, and because the primary reverse mortgage demographic is people aged 62 and over, upholding the necessary information security can present hurdles, Cavanaugh says.

“With our clientele, most of our clients are seniors. It’s been a slow process to get our customers to adapt to the new world of electronic disclosures, email and communication,” she says. “We need to be really, really sensitive to that, because you cannot send non-public information, or NPI, without encrypting it, because otherwise you’re just leaving it open to the world.”

Specifically in terms of disclosures, a balance needs to be found between the ongoing customer service desire to make particular tasks easy and the need to make sure that potentially sensitive data is sufficiently protected, for the good of both the client and the company.

“If [a client asks] to be emailed a disclosure even with encryption, you have to actually have consent from the borrower to receive disclosures electronically, and that consent has to be granted electronically. That’s key,” Cavanaugh says. “You have to have ‘e-consent,’ and the ability to create an audit log where you can track their consent, when they opened [a document], when they downloaded it, and you have to retain that information.”
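One way to implement the audit-log side of that requirement, as an added example that is not FAR’s or any panelist’s code: a hash-chained, append-only consent log, plus a gate that refuses to email a disclosure unless encryption is on and electronically granted consent is on file. The event names, the borrower and document identifiers, the SHA-256 chaining and the sample scenario are assumptions for illustration, not anything described in the article.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash used by the first entry in the chain


def _digest(entry):
    """Canonical SHA-256 over every field of an entry except its own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class ConsentAuditLog:
    """Append-only log; each entry commits to the previous entry's hash, so a
    later edit or deletion of a consent, open or download record is detectable."""

    def __init__(self):
        self.entries = []

    def record(self, borrower_id, event, document_id=None, channel=None, when=None):
        entry = {
            "seq": len(self.entries),
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "borrower_id": borrower_id,
            # assumed event names: econsent_granted, econsent_withdrawn,
            # disclosure_sent, disclosure_opened, disclosure_downloaded
            "event": event,
            "document_id": document_id,
            # assumed channels: "electronic", "verbal", "email", "portal"
            "channel": channel,
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute the chain. Returns -1 if intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev_hash"] != prev or _digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return -1

    def has_econsent(self, borrower_id):
        """Consent counts only if it was granted electronically and not withdrawn since."""
        consented = False
        for e in self.entries:
            if e["borrower_id"] != borrower_id:
                continue
            if e["event"] == "econsent_granted" and e["channel"] == "electronic":
                consented = True
            elif e["event"] == "econsent_withdrawn":
                consented = False
        return consented

    def history(self, borrower_id, document_id):
        """The retained trail for one document: which events happened and when."""
        return [(e["event"], e["ts"]) for e in self.entries
                if e["borrower_id"] == borrower_id and e["document_id"] == document_id]


def send_disclosure(log, borrower_id, document_id, encrypted):
    """Gate in front of the outbound email step. Returns (sent, reason)."""
    if not encrypted:
        return False, "refused: NPI must be encrypted before it leaves the company"
    if not log.has_econsent(borrower_id):
        return False, "refused: no electronic consent on file for " + borrower_id
    log.record(borrower_id, "disclosure_sent", document_id=document_id, channel="email")
    return True, "sent"


def build_sample_log():
    """Constructed scenario (no real borrower data) exercising the gate and the chain."""
    log = ConsentAuditLog()
    results = {}
    # A "yes" given over the phone is not e-consent; the gate must refuse.
    log.record("B-1001", "econsent_granted", channel="verbal")
    results["verbal_only"] = send_disclosure(log, "B-1001", "TIL-01", encrypted=True)
    # Consent captured electronically (e.g. in the borrower portal) unlocks sending,
    # but only with encryption on.
    log.record("B-1001", "econsent_granted", channel="electronic")
    results["unencrypted"] = send_disclosure(log, "B-1001", "TIL-01", encrypted=False)
    results["sent"] = send_disclosure(log, "B-1001", "TIL-01", encrypted=True)
    log.record("B-1001", "disclosure_opened", document_id="TIL-01", channel="portal")
    log.record("B-1001", "disclosure_downloaded", document_id="TIL-01", channel="portal")
    results["intact"] = log.verify()
    # Someone later "corrects" the phone consent to look electronic: the chain catches it.
    log.entries[0]["channel"] = "electronic"
    results["tampered_at"] = log.verify()
    return log, results


if __name__ == "__main__":
    _log, res = build_sample_log()
    for key, value in res.items():
        print(key, value)
```

In practice the entries would be written to append-only storage (or shipped to a WORM bucket or SIEM) rather than kept in memory, and the periodic `verify()` run is what gives the compliance team confidence that the retained consent trail has not been altered after the fact.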

The ease of sending and receiving electronic documents does come with some risk, and following the often narrowly circumscribed regulations is essential in order to balance that ease against the due diligence needed to protect clients and companies alike.

“It is a balancing act,” Cavanaugh describes. “[Recently], we had a borrower’s daughter call our offices wanting to talk about the borrower’s loan. We did not obtain consent from the borrower to speak to her daughter, so that’s one of those points where a decision needed to be made. We can’t do that. As a salesperson it’s tough [to have to say no to that request], but as a compliance person there’s a lot of exposure that could put the company in really big trouble.”


Join the Conversation (1)


  • While this is an interesting topic, it seems too limited, most likely due to the problem of not having sufficient space. There are far more basic questions, such as who is responsible for ensuring that the cyber security of a TPO is adequate when the TPO spreads their originations between two or three Mortgagees? What about a TPO which also has life, health, property, and casualty insurance operations, and HECM originators have access to the insurance producers’ CRM and vice versa because the CRM apps they use are on the same operating system and user passwords open most apps; is that something that the company’s supervising Mortgagees should have detected?

    Although security of physical facilities is a valid topic, how is that so much different than the security requirements for those same facilities in protecting hard copies of that same information? However, cyber security goes far beyond that. Password security, and ensuring that password security is working as designed years after initial implementation and that such security is still adequate in the current environment, is another subject of interest. Are new passwords required quarterly or semi-annually? Do TPOs have a system in place to inform the Mortgagee about changes in personnel with access to systems?

    One interesting case for our CPA firm in considering the weakness in internal controls was when our head systems guy was invited to a meeting of systems people of the client, which was held in their glass-walled conference room that sat on an elevated platform clearly visible to the vast majority of their employees from their desks. Our systems guy was invited to the last part of a prior meeting on updating the security of their system. On the chalkboard was something that looked like the systems password. Sure enough, to make sure all systems employees were aware of changes in their systems password, it was changed in the middle of each week and left on the chalkboard for 4 hours on the day of the change for the convenience of systems employees. Obviously that practice created quite a stir for the partner in charge of that audit. But similar practices go on all over the place by well-meaning computer employees. Catching and eliminating these practices is part of keeping cyber information safe; it may require firing those creating and perpetuating such practices.

    Cyber security is such a huge subject that going off on tangents should be avoided. There is nothing wrong with the compliance stories about originators who do too much to help children of borrowers and borrowers, but again those issues existed in 1990, long before the current cyber age.

    If NRMLA offers a session like this again, it would be great to have it dedicated to the safeguards that had to be created or tweaked because of cyber issues and cyber issues alone.
