Tuesday, March 28, 2017

New York State "Cybersecurity" Requirements

If you own your network infrastructure, big changes coming to New York

For MortgageManuals.com customers, your Information Security Plan covers the requirements

New York State licensed financial entities have received notice of new specific requirements for cyber-security. Rules went into effective March 1, 2017, and compliance deadlines start August 28, 2017. Cyber-security is a synonym for information security when data is stored or accessed via an electronic information storage and retrieval network. In other words, cyber-security deals with network security in addition to basic information security.

Complete text of Cyber-security Rule

At the heart of the requirements, aside from standard information security remediation, companies must have some form of dual factor authorization. If you use a token or mobile password in addition to your password, you probably already comply.

Are you Exempt?

The law contains a number of key exemptions:

Exemption - Asset Size: < 10 employees OR < $5 MM in revenue OR < $10 MM assets

Exempt from 500.04, 500.05, 500.06, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16

You must still have policies and procedures, you must control access, conduct a risk assessment, identify if 3rd parties have an CISP,

Exemption - "Agent" classification: If you use someone else's system (such as wholesaler's or investor's)

Exemption - No server: If you don't own and operate the infrastructure

Exempt from 500.02, 500.03, 500.04, 500.05, 500.06, 500.07, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16

You must still control access, conduct a risk assessment and identify if 3rd parties have a CISP.

IF YOU ARE EXEMPT, YOU MUST FILE AN EXEMPTION BY AUGUST 28, 2017. A copy of the exemption certification is on the last page of the announcement - click here.

This is the page where New York State mortgage lender and broker licensees can file their exemption reports
To file your exemption certificate go to http://www.dfs.ny.gov/about/cybersecurity.htm and click on the large orange filing button graphic.

If you are NOT Exempt

For entities which are NOT exempt, we identify where your policies and procedures meet the requirements. While there are a number of preparations entities must make to comply, unless you maintain your own servers the actual, physical changes normally will be undertaken by your third party infrastructure provider.

If you obtained your information security policy from us, you may share it with your infrastructure vendors, as it addresses the requirements:

Section 500.02 Cybersecurity Program

By virtue of having a written policy in place, you comply with this section. In addition, our policy states the protocol for testing the program, another requirement of this section.

Section 500.03 Policy 

This section defines what must be in your policy and procedure. We identify those things that are the responsibility of the network provider, and those which are the responsibility of the mortgage company.

(a) information security; the actual plan for protecting NPI - #1 - mortgage company
(b) data governance and classification; the system by which you identify data that is NPI - #2 -  mortgage company
(c) asset inventory and device management; infrastructure provider
(d) access controls and identity management; infrastructure provider & #3 password policy mortgage company
(e) business continuity and disaster recovery planning and resources; #4 mortgage company
(f) systems operations and availability concerns; infrastructure provider
(g) systems and network security; infrastructure provider
(h) systems and network monitoring; infrastructure provider
(i) systems and application development and quality assurance; infrastructure provider
(j) physical security and environmental controls; #5 mortgage company
(k) customer data privacy; #6 mortgage company
(l) vendor and Third Party Service Provider management; #7 mortgage company
(m) risk assessment; #8 mortgage company
(n) incident response. #9 mortgage company

Addressed in Info Security Plan
Chief Information Security Officer (CISO) – you must install one, if you don’t have one
2-90 #5
Penetration Testing – CISO must conduct yearly, vulnerability assessment every 6 mos
2-90-4 #7
Audit Trail – keep records of all activity
Access Control – must control access to NPI on network
2-90-2 #3
App Security – certify developed programs free of defects
Risk Assessment – Identify what NPI is at risk when
2-90-2 #8
Personnel – must have training and certifications
2-90-7 #9
3rd Party Assessments – evaluate whether 3rd parties comply
2-90-4 #7
Multi-Factor Authentication – must have at least 2
2-90-2 #3
Records Retention – limits on NPI data retained
2-90-2 #10
Training – must train annually
2-90-6 #9
Encryption – NPI protected by encryption during transit
2-90-2 #11
Incident Response Plan
2-90-2 #2

Page 1 - Information Security Plan - Showing References to Requirements

Page 2 - Information Security Plan 

Page 1 - Disaster Recovery Plan/Business Continuity Plan

Page 1 - Customer Privacy Policy

Friday, March 17, 2017

Updated Regulatory Compliance One-Pager

Mortgage Compliance One-Pager - Desk Reference/Study Guide for laminating

Updated 3/17/17

I recently re-took the NMLS' National Test with Uniform State Component. I neglected to take the Uniform State Test add-on when it first came out, but thought that if I needed to add additional licenses later, it wouldn't be so bad to re-take the National Test. I worried that I might have a problem because the last time I took it, I really struggled with the intricate test questions, puzzling over three or possibly four correct answers to decide which one was the "best right answer." This time, I found the test questions much more straight-forward. The bad news: I didn't score 100. What did I get wrong?

I should have studied my own mortgage compliance guide!

I have found that people don't really like to read pages and pages of material. "Can't you cook it down for me?" they ask. So we did. We authored a series of "QuickNotes" (QuickStart: QuickNotes... get it?) which have helped thousands cram and pass the national test. These one page "cheat sheets" boil the material down to its most fundamental level.

Regulatory Compliance Matrix - Click to Download

 Click to Download Regulatory Compliance Matrix

Document Not Clicking? Try this link.

Loan officers love our cheat sheets. Compliance trainers and regulators hate them. "There's not enough content!" they complain. But the infographic tells it all. Sure you can study MORE, but loan officers aren't attorneys. We get lost reading 3000 pages of code. Just like an attorney or compliance officer would get lost reading 3000 rate sheets and program guidelines a day.

We use this methodology in our new loan originator training, too. Instead of 2000 words describing how to to something, we give an illustrated form, a checklist, or a reference tool like this one which highlights Ability to Repay Guidelines.

Ability to Repay and Mortgage Knowledge Tools - Click to Download

 Download Ability to Repay Matrix

Click here to download these tools at no cost or obligation. Also, feel free to provide feedback.

What I THINK I got wrong...

  • PMI Cancellation @78% 
  • Do Not Call from 8am to 9pm
  • Balloon Payment Qualifying
  • Section 32 (High Costs) max Debt Ratio is 50%
  • Confusing question on Finance Charges with options I would consider ALL to be finance charges. (I think they wanted the recording fee, still not sure)

These items are ALL on the study guides, so my advice is to study these all. I knew I was going to pass, but I was surprised about how many questions I had to review at the end.

Monday, March 6, 2017

CFPB's Complaint Line a "Targeting Tool"

The targeting of audit subjects through the use of the CFPB Complaint Portal means you need a proactive complaint resolution process

Since the Consumer Financial Protection Bureau began accepting complaints related to mortgage transactions in 2011, the industry's fears that this would simply act as a targeting mechanism have been realized. Multiple complaints, more than a single complaint, act as a red flag attracting the worst kind of scrutiny. Recent presentations by CFPB Senior Analyst Ann Thompson confirmed this. As a preventative tool, our first recommendation involves adding a daily or weekly check of state and national complaint portals by the company's compliance manager.

But it goes beyond dealing with complaints. You must take a proactive attitude. Make it easy for your customers to file a complaint with you and company management directly, before the customer elevates it to the regulator to resolve it. This means:

  • Adding prominent "complaint" button on web pages
  • Proactively sourcing "compliments and complaints" via promotional materials
  • Asking customers "have I addressed all of your concerns today?" question in the footer of all electronic communications
In addition, have an effective process for resolving complaints once they arise. This is called a "Complaint Resolution Process"

More importantly, though, all employees need to understand they must participate in communicating to troubleshoot, document and resolve complaints.

Complaint Resolution 101

This is a problem solving business, and there is rarely a loan where absolutely everything goes as planned.

If you have our Quality Control and Compliance Modules we provide you with a Complaint Resolution Policy template. It's time to pull it out and make sure you are ready to adhere to it.

Rule # 1

LISTEN! Listen to the customers complaint. Identify what the customer's real problem is and acknowledge that it is a problem. You do not have to admit fault to show empathy.

Rule # 2

DOCUMENT! Make sure the file has been documented with correspondence and that the conversation log has been populated. Complete a complaint report and deliver it to the manager for review.

Rule # 3

RESOLVE and close the complaint. Based on the manager's determination, diary your Outlook Calendar to follow up with the customer and ascertain that the problem was handled. Not every customer will be happy, but if you are responsive, the customer will not automatically elevate the complaint.

Sample Complaint Resolution Policy - Request a Free One
Complaint Policy Sample