Welcome Attendees Webinar Best Practices July 29, 2015


Post on 24-Dec-2015


Welcome Attendees

Webinar Best Practices July 29, 2015

BEST PRACTICES WEBINAR

Ted Werner, Senior Vice President, New York State Agency Manager

Since 2010, when FNF consolidated its three separate agency businesses and its multiple underwriting activities into a single entity, Ted's goal has been to support the best agents in New York with the best title insurance professionals and resources available in the industry. 

He entered title insurance in 1982 as an underwriter for Ticor Title Guarantee Company. After two years in the New York City headquarters, Ted moved to Long Island, where he managed direct operations. After a four-year stint with TRW Title, Ted moved to Chicago Title where he was responsible for the direct and agency business in the Hudson Valley. 

Guest Speaker

Christopher J. Gulotta, Esq.

Founder of The Gulotta Law Group, PLLC and Real Estate Data Shield, Inc.

Mr. Gulotta is the founder of The Gulotta Law Group, PLLC and Real Estate Data Shield (“REDS”) and was one of the very first to speak to our industry on the importance of Lender Liability for their Service Providers and Information Security Compliance. Chris possesses a truly unique combination of sophistication in lender Service-Provider needs, regulator expectations and data security compliance obstacles and solutions.

Christopher J. Gulotta, Esq.

Christopher is a member of ALTA’s Best Practices Task Force, working with industry leaders to develop timely and prospective regulatory solutions for title & settlement agents as a member of both “Lender” and “Settlement Agent” workgroups.

REDS, recently named ALTA’s Inaugural Best Practices Elite Provider, is the first industry-specific company to provide title & settlement companies with Security Compliance tools through its Compliance Management Platform that provides our industry with: (i) Security Policy templates; (ii) award-winning staff training courseware; and (iii) security-assessment compliance tools.

Seven national title underwriters have named REDS as their Preferred Vendor for Data Security Compliance.

Chris is a graduate of Fordham Law School. He has served as a continuing legal education faculty member at Fordham Law School, Pace Law School, The Association of the Bar of the City of New York and the New York State Bar Association. He has been a featured columnist for and interviewed for articles in: The New York Law Journal, The National Law Journal, The Title Report; The Legal Description; Valuation Review, TitleNews etc., on topics including: Service Provider Compliance; Lender Liability for Service Providers; information security compliance for title and settlement agents; privacy law; title escrow funds; RESPA reform; new media and Internet law.

Guest Speaker

Matthew Reass, Senior Vice President, RynohLive

• Formerly with a Virginia based title and settlement agency, Matt recently joined RynohLive with thirteen years of industry experience.

• A licensed underwriter and Virginia Certified Title Settlement Agent (VCTSA), Matt also served on the Virginia Land Title Association (VLTA) Board of Directors for 2014-2015 as the Director of Events.

• Matt now serves as Senior Vice President at RynohLive where he oversees corporate management.

• Introduced nationally in February 2009, RynohLive is a patented financial management and fraud prevention system specifically designed for today’s diligent title agent.

Guest Speaker

Lee Fields, Managing Director, Business Consulting Services

Lee Fields is managing director of Business Consulting Services at Habif, Arogeti & Wynne, LLP. For the past year, through HA&W’s ComplianceSuccess® Program, Lee and his team have partnered with ALTA, underwriters, title agents, closing attorneys and settlement firms to enable ALTA Best Practices compliance across the value chain through independent third-party testing and reporting.

Habif, Arogeti & Wynne, LLP

HA&W has been recognized as a “Best of the Best Accounting Firm” in the United States. Since 1952, clients throughout the U.S. and in more than 40 countries have counted on HA&W to build value, manage risk and drive growth. As the largest tax, audit and business advisory firm headquartered in Georgia, our expertise across a broad range of services and industries provides clients with winning financial practices and insights to help them grow at every stage of their business lifecycle. Today, HA&W is the leading CPA firm in the nation to provide ALTA Best Practices compliance benchmarking, testing and reporting services through its ComplianceSuccess Program.

HA&W's ComplianceSuccess Program provides independent third-party assurance using CPA professional standards on attestation reporting, trusted by banking and financial institutions. Our fast track approach will assess your current level of compliance and provide you with a remediation plan in three to five business days. This process delivers the best price point to achieve compliance, offering complete compliance benchmarking and reporting across all seven ALTA Best Practices Pillars. To ensure the ComplianceSuccess Program is in lock step with industry standards and requirements, HA&W is actively involved at the highest level with ALTA, the AICPA, lenders and underwriters.

Becoming Compliant with ALTA Best Practices

Presented by: Lee Fields, Managing Director, Business Consulting Services

Agenda

HA&W’s ComplianceSuccess Program

Overview of ALTA Best Practices

Current industry developments

Becoming compliant with ALTA Best Practices

FAQs


HA&W’s ComplianceSuccess Program

A recognized leader

HA&W has been recognized as a “Best of the Best Accounting Firm” in the United States and one of the top 50 largest firms in the nation.

Best of the Best Accounting Firm, 2013-2014

GA’s Best Full Service Accounting Firm, 2012-2014

Top 100 Accounting Firm, 2007-2014

HA&W at a glance

Since 1952, clients throughout the U.S. and in more than 40 countries have counted on HA&W to build value, manage risk and drive growth. As the largest tax, audit and business advisory firm headquartered in Georgia, our expertise across a broad range of services and industries provides clients with winning financial practices and insights to help them grow at every stage of their business lifecycle.

300+ Professionals

43 Partners

6 Industry Specialties

Clients in 40+ Countries

25+ Languages Spoken

Clients in 49 of the 50 States

HA&W’s ComplianceSuccess Program

Comprehensive benchmarking, testing and reporting across all seven ALTA Best Practices pillars.

HA&W’s ComplianceSuccess Program is:

Fast: Our fast track approach can assess your current level of compliance and provide a remediation plan in as little as three to five business days.

Affordable: The efficiency of our process delivers the best price point to achieve compliance with ALTA Best Practices.

Comprehensive: We offer complete compliance benchmarking, testing and reporting services across all seven ALTA Best Practices pillars.

Proven: As of today, we are working with close to 200 agents, ranging from 1 to 50+ offices. Our roadmap to compliance is based on the ALTA Best Practices Framework.

Trusted: HA&W is involved at the highest levels of ALTA, the AICPA and Underwriters to ensure our benchmarking and assurance reporting services are in lock step with industry standards and requirements.


Pricing Overview


Our commitment

HA&W is confident that your lender will accept our examination or review report as defined in your engagement letter with you. We commit to:

Refunding your report fee if your lender:

– Rejects our report within 90 days of issuance and

– Requires that you obtain a second report from another CPA firm

Charging you only for incremental work necessary to reissue our report if ALTA changes its Best Practices Assessment Procedures within six months of issuance of our report.

Overview of ALTA Best Practices


Why have ALTA Best Practices policies and procedures in place?

In accordance with Consumer Financial Protection Bureau (CFPB) Bulletin 2013-03, mortgage lenders are expected to have an effective process in place for managing risks of their third-party service providers.

Mortgage lenders will conduct due diligence by requesting and reviewing the service provider’s documentation on their policies and procedures to support that they are in compliance with federal consumer financial laws.

ALTA developed its Best Practices Framework for title industry professionals to use as a guideline to meet CFPB requirements.

Current industry developments


National and regional financial institutions have begun announcing compliance guidelines for their third-party partners.

Institutions like Wells Fargo, SunTrust, BancorpSouth, IBERIABANK and Trustmark are leading the way on providing compliance guidelines and clarity for title and settlement professionals.

Guidelines currently range from requiring completed self-assessments to certifications by independent third parties by certain dates.

With TRID now set for October 3rd, some lenders now have “grace periods” for ALTA BP compliance certification.

Becoming compliant with ALTA Best Practices

Steps to compliance

Assess current level of compliance and receive gap analysis

Remediation

Testing

Ongoing monitoring

Reporting options overview by level of assurance (least to greatest)

Self-certification: No independent third-party testing

Review: Testing includes evaluating policies and procedures and making inquiries of personnel; testing performed remotely with optional onsite visit (depending on agent size)

Examination: Testing includes evaluating policies and procedures, inspecting documents and records, making inquiries of personnel, and observing activities; onsite visit provided for maximum testing and additional testing performed remotely

SOC Reporting: Assesses financial risk to lenders (with particular emphasis on escrow accounts); focuses on security, processing integrity, privacy and confidentiality; customized to include all seven ALTA Best Practices pillars; onsite visit(s) provided for maximum testing and additional testing performed remotely

ALTA BP Certification Guide (many report options)

ALTA BEST PRACTICES CERTIFICATION REPORT GUIDE

Certification Type: Service Organization Controls (SOC) Reporting
Also Known As (AKA): SOC1 = SSAE16, SOC2
Who can do the testing? CPA firm only
Testing Performed: Assesses financial risk to lenders (with particular emphasis on escrow accounts); focuses on security, processing integrity, privacy and confidentiality; customized to include all seven ALTA Best Practices pillars; onsite visit(s) provided for maximum testing and additional testing performed remotely
Report Provided: CPA SOC report; CPA attestation report; CPA opinion and certificate of compliance
Is Independence Required? Yes
Money back commitment from testing provider if report is not accepted by your lender(s)? Yes (with HA&W)
Advantages: Highest level of assurance provided for service organizations; commonly recognized by lenders in the marketplace; provides market distinction and competitive advantage
Challenges: Significant investment and thoroughness of report may be unnecessary
Summary: Recommended for title agents whose lenders require the highest level of assurance, regardless of ALTA Best Practices.

Certification Type: Examination
Also Known As (AKA): Exam
Who can do the testing? CPA firm only
Testing Performed: Testing includes evaluating policies and procedures, inspecting documents and records, making inquiries of personnel, and observing activities; on-site visit provided for maximum testing and additional testing performed remotely
Report Provided: CPA attestation report; CPA opinion and certificate of compliance
Is Independence Required? Yes
Money back commitment from testing provider if report is not accepted by your lender(s)? Yes (with HA&W)
Advantages: Highest level of assurance provided for ALTA Best Practices; report may be shared in the marketplace; provides market distinction and competitive advantage
Challenges: High degree of rigor required to achieve compliance
Summary: Recommended for title agents who want to offer lenders the highest level of assurance specific to ALTA Best Practices and perform more than 300 closings per year

Certification Type: Agreed-Upon Procedures
Also Known As (AKA): AUP
Who can do the testing? CPA firm only
Testing Performed: Testing would be jointly defined by all parties to the engagement. Testing would be developed under that engagement and is NOT required to follow the ALTA Best Practice Assessment Procedures
Report Provided: CPA attestation report only
Is Independence Required? Yes
Money back commitment from testing provider if report is not accepted by your lender(s)? None
Advantages: Lenders must first agree to procedures to be tested
Challenges: No opinion provided in report; report may not be distributed to a lender that is not party to the engagement contract
Summary: Not recommended

Certification Type: Review
Also Known As (AKA): Review
Who can do the testing? CPA firm only
Testing Performed: Testing includes evaluating policies and procedures and making inquiries of personnel; testing performed remotely with optional on-site visit (depending on agent size)
Report Provided: CPA attestation report and certificate of compliance
Is Independence Required? Yes
Money back commitment from testing provider if report is not accepted by your lender(s)? Yes (with HA&W)
Advantages: High level of assurance provided for ALTA Best Practices; must be performed by a CPA; provides market distinction and competitive advantage
Challenges: Medium degree of rigor required. Lender may require higher level of rigor to achieve compliance
Summary: Recommended for title agents that perform less than 300 residential closings per year. BancorpSouth has publicly approved reviews as an acceptable form of compliance

Certification Type: Consulting
Also Known As (AKA): Consulting Engagement; Certification
Who can do the testing? Any entity
Testing Performed: Limited third-party testing
Report Provided: Certificate only
Is Independence Required? No
Money back commitment from testing provider if report is not accepted by your lender(s)? None
Advantages: Varied external cost
Challenges: No opinion provided in report; CPA oversight not provided
Summary: Not recommended

Certification Type: Self-Certification
Also Known As (AKA): Self-Assessment
Who can do the testing? N/A
Testing Performed: No independent third-party testing
Report Provided: None
Is Independence Required? No
Money back commitment from testing provider if report is not accepted by your lender(s)? N/A
Advantages: No external cost
Challenges: No third-party verification
Summary: Not recommended

Certification Type: Underwriter Internal Audit Program
Also Known As (AKA): Various Underwriters
Who can do the testing? Their internal auditors
Testing Performed: Unknown
Report Provided: Unknown
Is Independence Required? No
Money back commitment from testing provider if report is not accepted by your lender(s)? N/A
Advantages: Minimal to no external cost (depending on underwriter)
Challenges: May not conform with ALTA's assessment procedures; each underwriter program is unique and may not conform to the same standards
Summary: Not recommended

Common compliance weaknesses:

Lack of written policies and procedures

Lack of audit trail

Reconciliations

Information Security Program

Positive Pay

Complaint log

Common areas of confusion:

Non-public Information

Cybersecurity

Cyber insurance

Background and credit checks

FAQs


Why do I need to have ALTA Best Practices policies and procedures in place and have a CPA give assurance on my compliance to mortgage lenders?

In accordance with Consumer Financial Protection Bureau (CFPB) Bulletin 2012-03, mortgage lenders are expected to have an effective process in place for managing the risks of their third-party service providers, e.g. residential settlement agents and title companies. Mortgage lenders have always looked to CPA firms to give them assurance on third-party information as a way to meet their risk management guidelines.

How does the CFPB want the mortgage lenders to manage these relationships?

Mortgage lenders will conduct due diligence by requesting and reviewing the service provider’s documentation on their policies and procedures to support that they are in compliance with federal consumer financial laws. In response to the CFPB and to help mortgage bankers monitor their settlement attorneys and title companies’ compliance, ALTA developed its Best Practices Framework for title industry professionals to use as a guideline to meet these requirements.


What does that mean for settlement agents and title companies?

Settlement agents and title companies will need to provide their mortgage lenders with assurance that they are in compliance with federal consumer financial laws so mortgage lenders can document for the CFPB that they have developed a process to monitor their service providers and are verifying compliance.

What is my risk if I am not able to provide that level of assurance to my mortgage lenders?

Pursuant to federal consumer financial laws, mortgage lenders may face fines and enforcement action from the CFPB if they cannot show that they are properly managing their third-party relationships. For settlement agents and title companies, lack of compliance will lead to severe/catastrophic business disruption, as mortgage lenders will do business only with compliant third parties to avoid penalties and reduce risk.


How can I get guidance on the policies and procedures that I need to have in place?

ALTA has issued “Best Practices” for its real estate settlement firms and title companies. The CFPB, Wells Fargo and several other prominent lenders have indicated they support ALTA’s efforts in developing these “Best Practices.”

Why will my lender be asking for information on my policies and procedures, E&O insurance, complaint log and other items?

Your lenders will ask for these items to determine where you are in the process of becoming compliant and following the requirements of CFPB Bulletin 2012-03.


What is the first step in getting ALTA Best Practices compliant?

The first step is to determine your current level of compliance through HA&W’s Compliance Benchmark and develop a plan to remediate any deficiencies. HA&W has developed its ComplianceSuccess® Program as a fast track to compliance with ALTA Best Practices. HA&W’s Compliance Benchmark will enable you to assess your current level of compliance with ALTA Best Practices. HA&W will provide you with a gap analysis and remediation plan in as little as three to five business days and review it with you to create a customized plan of action.

Before I engage HA&W for a Compliance Benchmark, what should I prepare?

The Compliance Benchmark can be completed without any advance preparation. This will give you the most objective evaluation of your agency’s current level of compliance using ALTA’s Best Practices Assessment Procedures Framework as the benchmark.

How long does it take to complete the Compliance Benchmark?

The Compliance Benchmark will take no longer than an hour to complete.


How long does the remediation phase take?

Based on the suggested remediation steps generated by the gap analysis and how far along your company is in documenting its policies and procedures in accordance with ALTA Best Practices, the remediation phase can take anywhere between a few days to a few months to complete.

Once I have completed the remediation phase and policies and procedures are in place and being followed, what is next?

You will need to demonstrate compliance with those policies and procedures for a minimum period of three months, unless your mortgage lender requires a different assessment period.


When will I be ready to have HA&W perform the compliance testing necessary to issue a report?

Once you have remediated compliance deficiencies and have been in compliance for a minimum of three months, you are ready to have HA&W begin the testing process.

How can I provide CPA assurance that I am ALTA Best Practices compliant to the mortgage lender(s) I work with?

Once HA&W completes compliance testing through either a review or examination engagement, you will be provided a CPA attestation report to show your mortgage lender(s) that you are compliant with ALTA Best Practices.

What is the difference between a review and an examination attestation engagement?

A review is a cost effective option for the small title agent to provide CPA assurance on whether they are compliant with ALTA Best Practices. In a review engagement, the title agent performs ALTA’s assessment procedures using HA&W’s toolkit and we perform high-level procedures to determine compliance. An examination is designed for medium-to-large title agents, and is akin to an onsite audit of financial statements, providing a high degree of assurance based on HA&W performing ALTA’s assessment procedures, using AICPA professional guidelines.


What is the difference between a small agent and a medium-to-large agent?

Industry professionals have defined a small title agent as one who closes approximately 300 or fewer loans per year, has one to two offices, one to two escrow bank accounts and fewer than 10 employees. Based on mortgage lender risk profiles, small agents are considered less risky due to fewer dollars going through their escrow bank accounts. In comparison, medium-to-large title agents have higher risk profiles due to the sizable amount of funds flowing through their escrow bank accounts. Consequently, based on mortgage lender risk management policies, medium-to-large title agents will require greater CPA assurance to ensure compliance with ALTA Best Practices.

Will the lenders develop one standard of compliance reports required?

While formal requirements are still to come from lenders, HA&W issues Best Practices compliance reports that adhere to the AICPA’s attestation standards. We have discussed our reporting options for review and examination attestation engagements with the major mortgage lenders and they are confident it will enable them to comply with CFPB guidelines and meet their risk management policies. Because CPAs have historically provided financial and nonfinancial information to banks to mitigate their business risk, it is our belief that banks will continue to embrace the reputable quality of CPAs and the AICPA as providers of this nonfinancial information as well.


What is the difference between a CPA’s attestation report and ALTA’s certification report?

Unlike certification reports, attestations can only be performed by CPAs and adhere to AICPA professional standards trusted by banking and financial institutions.

How long does each part of the attestation process take?

From planning to the issuance of the compliance report, field work will take anywhere from a few days to a few weeks, depending on the type of attestation report being issued.

How much time will be required by my company to gather documents requested by HA&W?

As a general rule, for each location you have it will take approximately one day for reviews and up to three days for an exam to gather the information.


Will the compliance testing phase of the engagement be performed onsite at my office?

This depends on your engagement type. For a review engagement, no onsite visit is required. For examination engagements, an onsite visit of one to three days is necessary, depending on the number of locations and if there are common procedures at all locations. The remaining compliance testing will be conducted electronically over a secure network portal and will cause minimal disruption to the daily business of your agency.

Who will perform the necessary onsite procedures?

Either HA&W personnel or a local representative of HA&W will schedule time to perform all necessary onsite procedures.


What happens if deficiencies in compliance are found during the attestation engagement?

Being a part of HA&W’s ComplianceSuccess Program from the beginning reduces the likelihood deficiencies will be noted during the compliance testing stage. If any deficiencies are found during the engagement, we would notify you immediately. We would provide you with a referral for remediation assistance of at least two independent resources that could help with your remediation needs. We would then resume compliance testing.

What will I be given as a deliverable to show my mortgage lenders that I am compliant?

Depending on your mortgage lender requirements, you will receive either a review report or an examination report that can be given to your mortgage lenders, along with the ALTA assessment procedures performed and a certificate of compliance.


How often will I be required to go through this assessment process?

Documenting your policies and procedures and documenting compliance is a daily process. The frequency of assessments will be up to your mortgage lenders’ requirements and risk management policies, but ALTA recommends a 24-month cycle. Future attestation reports will be much less time consuming than the initial compliance process, so long as your policies and procedures remain consistent and no issues of noncompliance are noted.

What is the approximate cost of the review and examination engagements?

Depending on the number of locations, the number of closings and other company demographics, the cost of a review engagement will be approximately $2,000, and the examination engagement cost will range from approximately $8,000 to $40,000 depending on the number of locations, escrow accounts, loan closings and other company information. To get started, our Compliance Benchmark will assess your current level of compliance with the ALTA Framework of Best Practices and you will receive a gap analysis and remediation plan for $750.


Now that I have an attestation report, what should I do with it?

Make your lender aware. It is to your advantage to have them know of the strides your agency has made to meet regulatory standards. Mortgage lenders will be reducing the number of title agents they use to reduce their own business and regulatory risks. You can use this report to gain a competitive advantage, retain current mortgage lender relationships and grow new relationships to increase market share.

How can I be sure I’m staying compliant with ALTA Best Practices?

Staying in compliance is a dynamic process and not a one-time event. Stay updated on regulatory changes with our ongoing monitoring program to keep you in compliance.


Why should I choose HA&W’s ComplianceSuccess Program to provide my ALTA Best Practices testing and reporting?

HA&W was the first CPA firm in the nation to perform ALTA Best Practices compliance benchmarking and assurance reporting through its ComplianceSuccess Program. HA&W’s ComplianceSuccess Program provides independent third-party assurance using CPA professional standards on attestation reporting, trusted by banking and financial institutions. To ensure our ComplianceSuccess Program is in lock-step with industry standards and requirements, HA&W is actively involved at the highest levels with ALTA, American Institute of Certified Public Accountants, and the Mortgage Bankers Association.


What constitutes a complaint?

Establish your own parameters within reason. Make guidelines for the employee(s) who will take the complaint and file it within the guidelines. The relevant complaints that should be considered would pertain to issues of premium calculations, disclosures, policy/title issues, mortgage payoff issues, nonpublic information (NPI) and general closing practices, as well as the timeliness with which their concerns are addressed.

What is considered nonpublic information (NPI)?

NPI is considered to be any personal and confidential consumer information that does not reside in the public domain. This would include, but is not limited to, activity and account numbers pertaining to social security cards, credit cards, loans of any kind (mortgage, car, boat, etc.), investments, medical information, credit reports, paystubs, employment information, background/credit checks, unlisted personal addresses and tax returns.


What if a customer only gives you the last four digits of a social security number or account number, is this considered nonpublic information?

Yes, this is considered NPI. Although not complete, it is still partial information of what would be considered NPI and should be safeguarded.

Should a company run a background and credit check for all employees?

Background checks should be required on all personnel having access (direct or indirect) to escrow/trust account funds and NPI. Best Practices indicates it is up to the company on whether credit checks should be run. It is recommended credit checks be performed on all personnel who have direct access to the escrow/trust account(s) and consideration for it to be performed on personnel having indirect access, providing the proper segregating controls are in place. Ongoing periodic background and credit checks of the same should be considered as part of your company’s policies, procedures and internal control structure.


What happens if you have cyber protection and security on your computer and you accept an email from someone who does not send nonpublic information to you with encryption?

The cyber protection and controls a company may have in place on its internal systems do not extend to external entities that transmit email without encryption. This means there is a risk of an information breach if another company transmits an unencrypted email containing NPI.

What is cyber insurance?

Cyber insurance is coverage purchased that is specifically tailored and available with a Business Owners Policy to protect small businesses with essential coverage related to the inherent cyber threats a business is perceived to have. The determination of the level of insurance and rates come after an analysis performed by the insurance carrier to assess the risk threat level within the various business processes of the company.

Questions?

We look forward to working with you.

Contact us

Lee Fields, Managing Director, Business Consulting Services

770.353.4776

Adam Klein, Client Relationship Executive

770.353.4775

Carol Adams, Client Relationship Executive

770.353-5318

“Data Security Compliance, from Laws & Regulations to Implementation”

Christopher J. Gulotta, Esq.

Founder & CEO

Real Estate Data Shield, Inc.

271 Madison Avenue Suite 700

New York, NY 10016

212-951-7302

Real Estate Data Shield, Inc. © 2015

The Old World


The New World


Terminology & NPPI Defined

• Non-public Personal Information (“NPPI”):

– Personally identifiable data such as information provided by a customer on a form or application, information about a customer’s transactions, or any other information about a customer which is otherwise unavailable to the general public.

– NPPI includes first name or first initial and last name coupled with any of the following:

• Social Security Number
• Driver’s license number
• State-issued ID number
• Credit or debit card number
• Other financial account numbers

The Assets to be Protected


Relevant Sources

1. Gramm-Leach-Bliley Act (GLBA)
2. Federal Trade Commission (FTC)
  – Privacy Rule (1999)
  – Safeguard Rule (2003)
  – Disposal Rule (2005)
3. Consumer Financial Protection Bureau (CFPB)
  – April 2012 Bulletin
  – Supervisory Highlights (2012)
4. Office of the Comptroller of the Currency (OCC)
  – Interagency Guidelines Establishing Standards for Safeguarding Customer Information (2001)
  – Third Party Relationship Bulletin (Oct. 2013)
5. Federal Reserve System
  – December 5, 2013 “Managing Outsourcing Risk” Bulletin
6. American Land Title Association (ALTA)
  – “Best Practices” for Title Insurance and Settlement Companies Version 2.0 (Jan 2013)
7. State Agencies & Regulators (State Attorney General, Department of Insurance, Attorney Professional Codes of Conduct)
8. Lender mandates


Best Practice #3

• Best Practice: Adopt and maintain a written privacy and information security program to protect Non-public Personal Information as required by local, state and federal law.

• Purpose: Federal and state laws (including the Gramm-Leach-Bliley Act) require title companies to develop a written information security program that describes their procedures to protect non-public customer information.
  – The program must be appropriate to the company’s size and complexity, the nature and scope of the company’s activities, and the sensitivity of the customer information the company handles
  – The company must evaluate and adjust its program in light of relevant circumstances, including changes in the company’s business or operations, or the results of security testing and monitoring


ALTA – Fourteen Assessment Procedures

• Written Plan
• Trained Employees
• Risk Assessment
• Independent Testing of Key Controls
• Acceptable Use Acknowledgements
• Access Controls for NPPI
• Network Access Controls w/Background Checks
• Removable Media Controls
• NPPI encryption in motion and at rest
• Monitor, detect & respond to attacks
• Physical controls to protect premises & NPPI
• Change/Modification & Back-up controls
• Privacy Disclosures
• Records Retention & Destruction


Procedures Example

• #3.07 – verify that:
  – Background checks (5 yr) w/in past 3 years
  – Terminated employees access rights removed per policy
  – Access to systems w/NPPI prevent conflict of interest
  – Annual review of access rights/privileges done
  – Access controls in place and tested
• Passing grade must be 100%


ALTA Best Practice #3 – Implementation

• Take action NOW!
  – Gather a team of advisors, including supervisors, technical experts and at least one line worker
  – Make a plan with needed components
    • Information security
    • Acceptable use of resources
    • Vendor management requirements
    • Respecting and protecting personal information of consumers and employees
    • Privacy policy for public disclosure (print and Web)
    • Security incident management and reporting
    • Consumer inquiries and complaints
  – Document the plan in detail


ALTA Best Practice #3 – Education

• Create Awareness and Compliance
  – Educate all staff, vendors and others about your documented plan
  – Make it required reading
  – Make it the subject of regular meetings
    • Formal meetings or brown bag lunches (throw a pizza party!)
  – Create a culture of privacy and security
    • Deploy online training
    • Put up posters to emphasize best practices
  – Lead by example
    • Conduct yourself in a way that reinforces the value of consumer information and compliance


Employee Training

• Purpose
  – Approximately 39% of all data breaches are caused by negligent employees or contractors, and comprehensive training is the most effective way to reduce this negligence.
• Benefits
  – The success of a company’s information security plan “depends largely on the employees who implement it.” To kick start this success, the FTC recommends training employees “to take basic steps to maintain the security, confidentiality, and integrity of customer information.”
• Expectations
  – In addition to ALTA and FTC expectations, the CFPB and OCC have emphasized in Bulletins and administrative proceedings that companies must provide for an effective training and compliance management program for all employees and service providers.


Local Laws and Rules of Professional Conduct for Attorneys

• Nearly every state has adopted the American Bar Association’s Model Rules of Professional Conduct.

• Rule 1.6 Confidentiality of Information (a): “a lawyer shall not reveal information relating to the representation of a client...”


Lender Requirements Regarding ALTA Best Practices

Wells Fargo: March 6th, 2014
• Wells supports customer choice provided such third party providers “consistently meets all applicable requirements”
• Wells is expanding and enhancing third party oversight…in order to monitor and measure performance
• Wells recognizes some may need “transition time”
• If not currently following ALTA Best Practices, do you have a plan in place for adoption?
• Can you document and demonstrate inspection processes to validate your adoption of ALTA’s Best Practices?

F&M Bank: December 16, 2013
• Must demonstrate policies and procedures, relating to escrow security, information security, compliance with consumer financial laws and underwriter letter stating ‘good standing’

First National Bank: April 17th, 2015
• Includes CFPB April 2012 “Service Provider” Bulletin and Questionnaire for Service Providers to complete evidence of Compliance Efforts.

BancorpSouth: March 2nd, 2015
• Requires CFPB and Privacy Compliance and requires an independent, third-party assessment based upon ALTA’s Best Practices by approved vendor. Self-certification not accepted
• Approved closing agents must complete a third-party assessment no later than July 31st, 2015.

SunTrust: April 22nd, 2015
• Approved settlement agents to adhere to ALTA’s Best Practices and conduct a self-assessment no later than July 1st, 2015


Beginning the Compliance Process

Practical Steps to Take:
• Develop all required privacy and data security policies, procedures, and plans
  – Information Security Plan
  – Incident Response Plan
  – Disaster Recovery Plan
  – Secure Password Policy
  – Electronic Communications and Internet Use Policy
• Assess your company’s risk profile
• Educate and train your work force
• Secure your work flows
• Ensure compliance of all service providers
• Implement a sound document destruction policy


Critical Security Controls

A. Administrative

B. Physical

C. Network


A) Administrative Security Critical Controls

1. Staff Training

2. Manual of Policies and Procedures

3. Privacy Notice

4. Shred-All Policy

5. Sub-vendor Non-Disclosure Agreements (NDAs)

6. Background checks on employees handling NPPI

7. Clean Desk, Office and Screen Policy

8. Authorized Devices


B) Physical Security Critical Controls

1. Entryway Security & Sign-in Log

2. Clean Desk Policy

3. Clean Office

4. Locked Filing Cabinets

5. Security Cameras

6. Privacy Screens

7. Locked Offices

8. Shredding of Paper and Digital Media

9. Locks on Computers


C) Network Security Critical Controls

1. Password Protection

2. Computer Screen Timed Lockout

3. Using Various Brands of Firewalls (Defensive Depth)

4. Port Lockdown

5. Network Printers/Scanners

6. Restrictive Access to Programs, files etc.

7. Updates and Patches

8. Email Encryption


KEY SUGGESTIONS

1. Start Preparation Now: be able to document & demonstrate your ALTA Best Practice Pillar Compliance;
2. Delegate: one person to tackle & be responsible for physical, administrative & network security;
3. Information Security Policies & Procedures: Develop & have staff sign off (review & update annually);
4. Conduct an informal security self-assessment: physical, administrative & network security;
5. Disaster Recovery/Business Continuity: Critical to lenders. Make sure you have thought this through and have a documented plan and process in place;
6. Staff Training: When on-boarding & annually (38% of all breaches occur at the employee level);
7. Security Essentials: (i) secure entryway; (ii) sign-in logs (verify identity); (iii) staff background checks; (iv) email encryption; (v) clean desk, office & screen; (vi) locked file cabinets; (vii) disable USB ports & daily wipe of network printers/scanners; (viii) check ID at door; (ix) “4th parties” must also comply;
8. On-Site Security Assessment: BP Pillar 3 best addressed independently; and
9. Global 7 Pillar Attestation: last step in demonstrating compliance.


Compliance Management Platform™

Christopher J. Gulotta, Founder & CEO

CEO and founder of Real Estate Data Shield and The Gulotta Law Group, having represented institutional lenders in mortgage finance transactions for more than 20 years. He has developed compliance management platforms for mortgage lenders, title underwriters, and title and settlement agents.

Paul Schwartz, Chief Privacy Advisor

An international expert on information privacy law, Professor Schwartz assists corporations and law firms with regulatory, policy, and governance issues. As professor of law at UC Berkeley and Director of the Berkeley Center for Law and Technology, he has published widely on privacy and data security topics.

Richard Purcell, Courseware Developer

A leading voice in consumer privacy and data protection challenges, Mr. Purcell is an award-winning developer of Web-based education and training courses. As Microsoft's original privacy officer, he designed and implemented one of the world's largest and most advanced privacy programs.


Compliance Management Platform Components

Risk Self-Assessment
• Threats and Vulnerabilities
• Controls and Safeguards
• Information Management Governance
• Security Infrastructure – Physical and Technical
• Employee Awareness

Policies & Procedures
• Consumer Privacy
• Employee Data Protection
• Acceptable Use of Company Resources – Employees
• Information Security
• Information Management – Third Parties
• Security Breach Management

Staff Training
• Information Management for Real Estate Settlement Services Companies


Admin Home


Admin Dashboard


Policies & Procedures


Risk Self-Assessment


Affordable and Easy to Implement

At our Preferred Pricing:

• 10 PERSON COMPANY (CERTIFICATION PROGRAM):
  – Staff Training e-Courseware: $600
  – Information Security Policy Templates & Self-Assessment Tools: $400
  – On-Site Security Assessment: $4,000*
  TOTAL: $5,000 ($1,250 savings)

• 25 PERSON COMPANY (CERTIFICATION PROGRAM):
  – Staff Training e-Courseware: $1,000
  – Information Security Policy Templates & Self-Assessment Tools: $400
  – On-Site Security Assessment: $5,375
  TOTAL: $6,775 ($1,350 savings)

*Does not include travel and related expenses; includes one location/facility


Disclaimer

• This presentation, the supporting materials and the information contained therein do not constitute legal advice or an attorney-client relationship and are provided for information purposes only. Because laws, rules and regulations change frequently and because local laws may apply, you should consult an attorney for any specific compliance or related inquiries.


Christopher J. Gulotta, Esq.

Founder & CEO

Real Estate Data Shield, Inc.

212-951-7302

[email protected]

www.realestatedatashield.com


Presented by:

Title Industry Best Practices

ESCROW BEST PRACTICES


“Adopt and maintain appropriate written procedures and controls for Escrow Trust Accounts allowing for electronic verification of reconciliation.”

ALTA Pillar No. 2


Five Greatest Internal Threats

• Funds not clearing in a timely manner
  – Ex: Loan payoff, taxes, clerk/recording, etc…
• Check payee change
  – Ex: Stale dated tax refund
• Negative balances
• Funds deposited to incorrect account
  – Multiple escrow accounts
• Defalcation/embezzlement


Five Greatest External Threats

• Check fraud
  – Ex: Positive Pay (bank software matches check #, check date, dollar amount & payee)
• “Revised” wire instructions
• Malware/spam bots
• Thumb drives
• External devices accessing your network
  – Cell phone or iPad accessing an open Wi-Fi network
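The Positive Pay control named on this slide compares each check presented for payment against the issuer's register on check number, check date, dollar amount and payee. The sketch below is an added example, not code from the presentation or from any bank's product; the record layout, function names and sample checks are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

@dataclass(frozen=True)
class Check:
    number: str
    issued: date
    amount: Decimal
    payee: str

def payee_key(name):
    # Compare payees ignoring case and spacing differences only.
    return " ".join(name.upper().split())

def positive_pay(register, presented):
    """Return (check number, reasons) for every item that must not auto-pay."""
    issued = {c.number: c for c in register}
    paid, exceptions = set(), []
    for item in presented:
        ref, reasons = issued.get(item.number), []
        if ref is None:
            reasons.append("not in issue register")
        else:
            if item.number in paid:
                reasons.append("duplicate presentment")
            if item.issued != ref.issued:
                reasons.append("date mismatch")
            if item.amount != ref.amount:
                reasons.append("amount mismatch")
            if payee_key(item.payee) != payee_key(ref.payee):
                reasons.append("payee mismatch")
        if reasons:
            exceptions.append((item.number, reasons))
        else:
            paid.add(item.number)  # only clean items count as paid
    return exceptions

# Constructed sample data (not from the presentation).
D = date(2015, 7, 1)
REGISTER = [Check("1001", D, Decimal("1250.00"), "County Clerk"),
            Check("1002", D, Decimal("84310.55"), "First Example Bank"),
            Check("1003", D, Decimal("312.40"), "Town Tax Receiver")]
PRESENTED = [Check("1001", D, Decimal("1250.00"), "county  clerk"),
             Check("1002", D, Decimal("84310.55"), "J. Doe"),            # altered payee
             Check("1003", D, Decimal("3312.40"), "Town Tax Receiver"),  # raised amount
             Check("1001", D, Decimal("1250.00"), "County Clerk"),       # presented twice
             Check("1044", D, Decimal("500.00"), "Unknown LLC")]         # never issued

if __name__ == "__main__":
    for number, reasons in positive_pay(REGISTER, PRESENTED):
        print(number, "HOLD:", ", ".join(reasons))
```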


Five Critical Internal Controls

• Daily three-way reconciliation
  – #1 defense against fraud
  – Monthly is insufficient
• Daily reports and alerts
• Comply with ALTA Pillar #2 (and all other pillars)
• Dual authorization for wires
• Secure email
  – Protects NPPI and complies with Best Practices
• Employee background checks


Five Areas for Improvement to Mitigate Risk

• Incoming wire requirements
  – Cash/checks up to $500; Cashier’s checks up to $5,000-$10,000; Wires beyond
• Secure portal of online banking
  – Ex: Marble Secure
• Separate funding desk not tied to server
• Locking computers
  – No USB access / block social media
• Escrow policies & procedures:
  – Regularly review with staff

397 Little Neck Road

3300 South Building, Suite 306

Virginia Beach, VA 23452

W: 757-333-3760

www.Rynoh.com

Wrap Up

• Thank you for participating in our webinar. Additional reference materials are available at www.fntgnyagency.com.

• Lee Fields @ Habif Arogeti & Wynne LLP @ [email protected]

• Christopher J. Gulotta, Esq. @ [email protected]

• Matt Reass @ [email protected]

• We hope you found this webinar valuable and full of helpful resources.