Security Breach: What brokers are doing to guard their clients' privacy

In the wake of client privacy breaches of mortgage brokers a few years ago, the industry has improved security measures. John Tenpenny found out what some brokerages and brokers are doing to ensure the personal information of mortgage broker clients isn’t compromised

Things have changed in the mortgage broker business since John Gabriel was first doing mortgages nearly a quarter century ago. Especially, he says, when it comes to keeping client information out of the hands of fraudsters.

“We didn’t have this thing called a fax machine,” says Gabriel, Director of Compliance and Education with Mortgage Alliance Canada. “When I met you, I took an application, I took your information, I phoned a courier service and they took that information directly downtown to the lender. So, if fraud is happening; I don’t think the lender is doing it, I know I’m not doing it. So the only other person in this equation is the courier.”
 
In June of 2010, the Office of the Privacy Commissioner of Canada released an audit of the mortgage broker industry in the wake of data breaches in 2008 at several brokerages. The report stated that while some of the mortgage brokerages improved some privacy and security measures following the breaches, they failed to implement controls to raise the alarm about any future suspicious activity.
 
In the space of a few months, 14 data breaches occurred, where in each case, someone impersonating an experienced mortgage agent downloaded credit reports for people who hadn’t even applied for a mortgage. As a result, the personal information of thousands of people across Canada was compromised.
 
The audit also raised concerns about data security, haphazard storage of documents containing personal information; inadequate consent by clients; and a general lack of understanding about, and accountability for, privacy issues.
 
Gabriel, who is also a member of CAAMP’s fraud subcommittee, says Mortgage Alliance moved swiftly after the company discovered two cases of fraud perpetrated by individuals working at two satellite offices. Now there is a central hiring system in place.
 
“Anyone being hired has to meet with one of our regional managers or senior staff and they have to show two pieces of ID and our employee signs off on having seen the identification,” says Gabriel. There are now probationary periods in place for new hires where it may be up to 60 days until they are able to access credit bureau reports. Newly installed security measures with software such as Equifax also flag suspicious behaviour, like a high number of requests in a short period of time. Access to the system can then be shut down quickly. Gabriel also says that TMACC policies state that no credit reports are to be pulled without a signed consent form.
 
When it comes to electronic data, Mortgage Alliance, as per the Privacy Commissioner, had proper security with regards to servers and making sure private and corporate information are securely stored.
 
“When the Privacy Commissioner was doing their audit, they physically visited our server site and gave us a very high rating for protection,” says Gabriel. Data is password-protected and the information resides on the servers, not the individual computer. And passwords are changed every three months
 
“If you take my laptop, it doesn’t have any client information,” adds Gabriel.
 
 “The general population is becoming paranoid; ‘what kind of information do they have, how long are they keeping it, what are they doing with it?’ They are becoming more aware of the trend of identity theft,” says Suzie Smibert, senior manager and practice leader with Ernst & Young’s western Canadian security practice in Calgary.
 
She says mortgage brokerages need a privacy policy framework and preventative controls. As well, when a privacy breach does occur, companies need to be proactive and transparent in gaining back customer trust.
 
“They need to reach out and say, ‘There has been a privacy breach and here are the steps we are taking to protect the information.’ If the company is trying to keep the incident hush-hush, then it’s harder for the public to trust them,” says Smibert.
 
At Mortgage Architects, ensuring private information remained private was already a priority before the 2008 industry breaches.
 
“When those issues were raised by the Privacy Commissioner in 2008, we were in good shape because we had already implemented a platform that had eliminated a lot of those issues,” says Dong Lee, VP, operations at Mortgage Architects and MortgageBrokers.com. When Arcitects was created back in 2006, it was put into operation with provincial approval to go to a paperless compliance process, an in-house software system known as Workbench. MortgageBrokers.com adopted the same system in 2010.
 
The biggest issue for brokers is keeping copies of their files in their possession, says Lee. “When our people complete a mortgage application, they will actually submit the file to us electronically through an internal portal at which point those files are then used for compliance. They can then shred their files because a copy of what they uploaded is always available to them at their convenience,” explains Lee.
 
By enabling brokers to access client files anywhere from a secure server, Mortgage Architects and MortgageBrokers.com have eliminated the need for brokers to keep files in their office or home which create all sorts of customer privacy issues, says Lee.
 
“We’ve maintained very strict security protocol related to technology. We have all of our servers hosted in a secure location and a taped backup is also stored in a secure vault. There’s also an office protocol at head office to lock away all files at the end of the day.”
 
Marty Coubrough, co-owner of VERICO One Link Mortgage & Financial in Winnipeg, says his firm is in the process of moving to electronic secure storage of client information. Although not yet entirely paperless, VERICO One Link is moving towards this goal. 
 
“Filogix now has the ability to upload and store client files on a very secure platform, and we are encouraging our agents to scan and upload their client files after funding. We have contracted a shredding company who handles the interim storage, pick up and secure shredding of the files once they have been electronically processed. Our agents sign a very tight privacy policy when they join us, and we have policies in place covering the safeguarding of all client files and personal information, whether it is on the agent’s  laptop or BlackBerry  (which should be secured by passwords); or hard copy files which are to be stored in a locked and secure environment.”
 
“I believe the best solution to the problem is electronic secure storage of documents” says Coubrough, who sits on the VERICO National Advisory Board. 
 
As his title implies, Gabriel is also responsible for ensuring brokers are properly trained and educated.
 
“I’m fairly confident is saying that MAC has the best training program in the industry,” he says. “We’re training a minimum three times a week – new brokers and experienced brokers. I send out e-mails every week reminding our people about our policies and procedures making sure they’re getting consent forms and doing their due diligence on referrals.”
 
In terms of hiring, Lee says his company maintains strict controls. In addition to implementing RedX, Mortgage Architects also does background and credit checks on any potential new hires.
 
“We only hire the best of the industry in terms of well-established brokers,” he says. “We hire brokers by referral. It has to come through our Lead Planner, who can recommend hiring a new agent, but that approval is only given by our regional vice-presidents. We very rarely have people who knock on our door and say ‘I’d like to be a mortgage agent.’”
 
The company has also been ahead of the curve when it comes to client consent and privacy policy. Since 2006 they’ve had a legally vetted client consent form that is part of each file. “So even when we do our CRM, all of our customers have to sign a consent form indicating that they are willing to participate in the program,” says Lee.
 
Education and vigilance are important in staying one step ahead of mortgage fraud says Coubrough. “It’s something that you have to bring up with your brokers right from the very beginning and it sets the stage for your expectations.”
 
While all the measures taken by mortgage brokerages and their brokers have come a long way in improving safeguards for consumers, the most important factor is brokers remaining aware of their duty to protect the privacy of their clients, something Gabriel is quick to remind his staff of.
 
 “I tell them, ‘the next time you hear from me, you probably don’t want to be hearing from me.’”
 
 
 
What the OPC Audit found
 
The audit of five mortgage brokerages by the Office of the Privacy Commissioner of Canada found that following the breaches, the five audited brokerages significantly tightened their practices for hiring agents. However, the audit found there was a lack of adequate controls to restrict agents’ access to credit reports. Specifically, the web-based tool used to obtain credit reports doesn’t allow brokers to limit the number of credit reports an agent can download.  In addition, there are no technological controls to monitor for, and raise the alarm about, suspicious activity.
 
Among the other risks to personal information highlighted in the audit:
 
·         Some brokers stacked files containing personal information on the floor or on desks within accessible offices.  One had overflow storage in an unsecured parking arcade.
 
·         Brokers lacked shredders capable of securely destroying documents.  One broker was re-using the reverse side of old, filled-out mortgage applications in order to print out new applications.
 
·         Credit reports were sometimes obtained prior to consent from a client being recorded and there was no ability for clients to opt out of secondary uses of their personal information, such as marketing.
 
·         There was a lack of training about privacy responsibilities and many agents did not know to whom they should turn with a privacy-related question.  In one case, a broker franchisee stated that his organization’s chief privacy officer was located at the brokerage’s head office when, in fact, he was the chief privacy officer.
 
 
 
 
Mortgage Brokers – PIPEDA and you
 
Since mortgage brokers and their agents regularly collect, use and disclose personal information during the course of their work, they have privacy legislation compliance obligations.
For mortgage brokers and their agents, compliance with privacy legislation is not only essential, but it can help build an atmosphere of trust with clients, improve organizational reputability, and strengthen business operations.
 
The Personal Information Protection and Electronic Documents Act(PIPEDA) is Canada’s federal privacy legislation that applies to organizations engaged in commercial activities across the country, except in provinces that have their own private sector privacy laws. Even in these provinces, PIPEDA continues to apply to the federally regulated private sector and to personal information in inter-provincial and international transactions.
 
The Office of the Privacy Commissioner of Canada (OPC) audited a number of mortgage brokers and released the audit report in June 2010. Based on this audit, we have developed a number of best practices for brokers and their agents with respect to their information-handling practices, among these are:
 
Have A Privacy Plan And Be Open About Your Practices: Private sector privacy legislation requires organizations to build privacy policies that outline how they collect, use and disclose their customers’ personal information. In the OPC’s Privacy Guide For Small Businesses, there are a number of tips to help you develop and build a privacy policy.
 
Your privacy policy should be made available to your clients – make it available on your website and available in print for clients without Internet access. As well, your clients should know who in your organization they can contact if they have questions regarding their personal information.
 
Collect Only What You Need: Your privacy plan should identify that you limit the collection of personal information for specified purposes – and your business practices should reflect that! For example, a Social Insurance Number (SIN) should not be used as a general identifier, and its collection, use and disclosure should be limited to its legislated purposes only.
 
Obtain Your Client’s Consent: You should obtain and document your client’s express consent before obtaining credit reports and providing information to lenders. Individuals need to know – in a meaningful way – how their personal information is going to be handled. This is especially true if their personal information is used for secondary purposes such as marketing, in which case express consent should be used with the ability for individuals to opt out.
 
Limit Access to Personal Information on a “Need-To-Know” Basis: Having your clients’ personal information is like having their wallet – and should be protected as such. Develop policies that limit access to personal information on a “need-to-know” basis. For example, when it comes to credit reports, only those individuals who need them should have access to them.
 
 Safeguard Personal Information: A variety of physical and technological methods can be used to safeguard personal information, these include: locked filing cabinets, alarm systems, secured premises, computer passwords and encryption. Files stored in the open, such as in open boxes in hallways or left unattended in easily accessible areas, could be accessed by unauthorized individuals and be the cause of a data breach.
 
As well, agents who take files home – either electronic or paper files - should ensure that they have a safe place in which to store them, otherwise, files should not be removed from the brokers’ premises.
 
Keep Only What You Need For As Long As Is Required: You should only keep information for as long as is required and consideration must be given to any legislative requirements – federal or provincial. As well, make sure your clients are aware of your retention requirements, policies and procedures. Your policies and procedures should be periodically reviewed to ensure that your operations and practices mirror what you say you are doing.
 
A retention policy should also demonstrate that personal information is securely disposed of in a reasonable time. For example, if mortgage applications and credit reports are no longer required and your policy includes shredding, it is recommended that a cross-cut shredder is used.
Develop A Training Plan: PIPEDA requires that employees understand their role in implementing privacy policies. As such, brokers and their agents need to be aware of their privacy responsibilities and company-specific privacy practices.
 
Training should take place before agents are in a position to handle personal information and ideally refresher training should be given on a regular basis.
 
Develop a Breach Response Plan: A privacy breach occurs when there is unauthorized access to, or collection, use, or disclosure of, personal information. It can happen when customer data is lost on a USB stick, stolen via a cyber attack on your IT systems, or mistakenly e-mailed, faxed or mailed to a party who is not authorized to have the information.
 
It is important to develop a clear set of procedures with respect to handling any unauthorized access or loss of personal information – and tying this to your business continuity planning would be a good idea. Your plans and procedures should take into consideration: (1) breach containment and preliminary assessment activities; (2) evaluation of the risks associated with the breach;(3) a notification strategy; and (4) steps need to prevent future breaches.
 
The OPC has developed a number of online resources and tools specifically to help private sector organizations subject to PIPEDA understand their privacy obligations. We encourage you to access these documents from the OPC’s Information for Private Sector Organizations web page.
 
Source: Canadian Association of Accredited Mortgage Professionals