Lenders are under tremendous compliance scrutiny, from regulators, investors, and even consumers. It seems there’s a new privacy breach at major retailers and financial institutions reported in the news almost daily. At a time when the public regularly engages lawyers in foreclosure, valuation, predatory lending, and privacy breach lawsuits that have class action potential, lenders must take a closer look at how they’re protecting consumer data. Unfortunately, some lenders are discovering that the way they order and receive appraisals is in violation of the GLB (Gramm-Leach-Bliley) Act.
The Gramm-Leach-Bliley Act, enacted in 1999 with its privacy provisions taking effect in 2001, addressed overall financial industry reforms as well as emerging consumer privacy and security issues. It affects the technology policies of anyone providing financial services, directly or indirectly, to consumers.
The Act regulates how consumer information is handled, and its implementing rules treat real estate appraisers as covered financial institutions. If appraisals are ordered or received via regular unencrypted e-mail, or via a fax machine in an unsecured area, GLB's safeguard requirements are not being met, since those documents contain consumer data that GLB protects. Private data is even more exposed when sales contracts are attached to appraisal orders and reports. The same requirements apply to paper: printouts of those documents kept in cardboard boxes or unlocked file cabinets do not meet the standard for physical safeguards. Yet, every day, many lenders are exposed to every one of those weaknesses.
As an analogy, everyone has encountered the privacy requirements for medical information under HIPAA. Medical providers, from dentists to insurance companies, are now required to provide additional disclosures to patients, cannot disclose information, even to family members, without the patient's authorization, and must provide checks and balances to ensure that information is protected. HIPAA dramatically changed how privacy of medical information is implemented, and it affected every aspect of a medical provider's daily interaction with the public, from phone calls to e-mails to paper storage.
GLB is effectively the financial counterpart to HIPAA, and its impact on even the most low-level tasks conducted in real property valuation can’t be overstated.
As we’ve all seen in practically every industry, a consumer privacy breach can be incredibly expensive, and everyone in the transaction is vulnerable. From compliance penalties, legal fees, settlements, fines, and reputational risk, the consequences can bring any institution to its knees. With consumers more militant and better armed than ever, most lenders are one non-shredded trash bin or accidentally forwarded e-mail away from a privacy lawsuit.
As an example in our own industry, Nations Title Agency was caught with discarded loan applications in its (unsecured) dumpster in 2005, and was also investigated by the FTC for other alleged privacy violations. The FTC’s complaint against Nations Title is sobering evidence of its expectation that third party vendors in the mortgage loan process — everyone in the “chain of custody” of personally identifiable information — have safeguards and compliant security policies. Nations Title will be required to, among many other things, obtain third-party assessments of its ongoing compliance with GLB standards and submit them to the FTC for the next 20 years.
Obviously, this case and others show that using an AMC or other third party does not put you in the clear. The CFPB and OCC have also made clear, even in recent months, that lenders are responsible for the actions of their service providers. Many AMCs use non-secure processes, either internally or with the appraiser, loan officer, or real estate agent. Under GLB's Safeguards Rule, the lender is specifically responsible for overseeing the suppliers to whom the consumer's private information is entrusted: selecting providers capable of protecting it, requiring those safeguards by contract, and checking that they are actually in place. If a supplier is not GLB compliant, the lender has a compliance problem too, and GLB holds the lender legally liable for failing to audit the practices of its business partners. Think of it as "SAS-70 with a $100,000 fine per audit violation plus a prison option." It's not a pretty picture.
The good news is that technology can help you mitigate these risks. Lenders need a fully GLB-compliant solution, with end-to-end encryption, a secure upload/download container for sales contracts and other sensitive documents, appraisal PDFs that are never directly attached to e-mail messages, and secure paperless storage of transaction documents.
Lenders, appraisers, and mortgage professionals are subject to the GLBA rules. All are required to implement at least the following:
>> Under the Safeguards Rule, secure the transmission, receipt, and storage of data relating to any consumer’s NPI at all times, via passwords, encryption, and physical protection, backed by a written information security plan.
>> Under the Privacy Rule, provide easily understood privacy statements to any consumers who engage the appraiser, lender, or mortgage professional directly, disclosing the gathering, sharing, and security of NPI data, as well as the methods the consumer may use to opt-out of sharing of the data with third parties.
NPI includes loan terms, lender or mortgage broker name, sales concessions, co-borrower, unpublished phone numbers, other contact information, and of course more sensitive information as well. Even the fact that a particular consumer is engaged with a particular lender, at the time of the appraisal, is considered to be NPI if it has not been recorded in the public record yet or disclosed in some other way. To be safe, any borrower or individual’s information, which is not absolutely known to be public at the specific moment you receive the information, should be treated as NPI.
NPI data is potentially received electronically under many scenarios:
>> Receiving an appraisal order via e-mail
>> Receiving sales contracts and other financial documents
>> Transmitting final appraisal reports to the client (a lender, appraisal management company, appraisal manager, etc.)
>> Ad hoc e-mails with other service providers: agent, mortgage broker, loan officer, etc.
In addition to unauthorized access, the data must be secured from loss due to environmental hazards such as floods, as well as from technological hazards such as system failures.
Obviously, you must implement secure means of sending and receiving documents containing NPI. Regular e-mail with NPI in the message body or attachments is not sufficient, and neither are password-protected PDFs: the password is usually sent over the same unprotected channel, and the subject line and message body themselves frequently carry NPI. Each institution will adopt a different level of implementation, but at its core, NPI data must be secured at all times.
There may be cases where the institution receives no NPI, and therefore, in hindsight, encryption would not have been necessary. It is tempting to conclude that security is not needed until the presence of NPI is certain. However, the institution cannot know whether NPI is present until the data has already been received, and if it was present, the unprotected transmission is already a security breach. The safest route is to assume that NPI is present and secure all communications accordingly.
Any time you receive or handle a document with a credit card number, a bank account number, a loan account number, or an SSN on it, you’re handling the most sensitive data in the consumer’s NPI, and the security and privacy standards go up accordingly. Since you don’t know when you’ll receive data that already contains something sensitive, it’s prudent to employ the strictest security all the time, up front, so that it’s not “too late” by the time you see it.
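The two preceding paragraphs make a practical point: you cannot tell whether a message carries NPI until it has been inspected, so the inspection has to happen before anything leaves over an unprotected channel. The following is an added example, not code from the article or from Mercury Network, of the kind of pre-send gate a practitioner would put in front of plain e-mail: it scans a message body (or extracted attachment text) for the highest-risk identifiers named above, uses a Luhn check and SSA issuance rules to suppress look-alike digit runs, and either blocks the message or redacts it. The regular expressions, plausibility rules, function names, and sample messages are this example's own assumptions, and the sample messages are constructed.

```python
"""Pre-send NPI scanner.

Added example, not code from the article or from Mercury Network. Assumed
patterns: 3-2-4 SSNs, 13-19 digit payment card numbers with optional space
or dash separators, and account numbers introduced by a keyword. The sample
messages at the bottom are constructed and contain no real consumer data.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # "ssn", "card" or "account"
    value: str   # the matched text, as it appeared in the message
    offset: int  # position of the match in the message


SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
ACCOUNT_RE = re.compile(
    r"(?i)\b(?:loan|account|acct)\b\.?\s*(?:no\.?|number|#)?\s*[:#]?\s*(\d{6,17})\b"
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def scan(text: str) -> list[Finding]:
    """Return every high-risk identifier found in a message body, ordered by position."""
    found: list[Finding] = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            found.append(Finding("ssn", m.group(0), m.start()))
    for m in CARD_RE.finditer(text):
        value = m.group(0).rstrip(" -")  # drop a trailing separator the pattern may swallow
        if luhn_ok(re.sub(r"[ -]", "", value)):
            found.append(Finding("card", value, m.start()))
    for m in ACCOUNT_RE.finditer(text):
        found.append(Finding("account", m.group(1), m.start(1)))
    return sorted(found, key=lambda f: f.offset)


def redact(text: str) -> str:
    """Mask each finding in place, keeping only the last four characters for reference."""
    out = text
    for f in sorted(scan(text), key=lambda f: f.offset, reverse=True):
        masked = "*" * (len(f.value) - 4) + f.value[-4:]
        out = out[:f.offset] + masked + out[f.offset + len(f.value):]
    return out


def outbound_allowed(text: str) -> bool:
    """Gate for plain e-mail: any finding means the message must use the secure channel."""
    return not scan(text)


# Constructed sample messages (not real consumer data).
ORDER_CLEAN = "Appraisal order 2024-0117: 123 Main St. Contact agent for access."
ORDER_WITH_NPI = (
    "Borrower SSN 123-45-6789, card 4111 1111 1111 1111, Loan #: 0012345678. "
    "Sales contract attached."
)
ORDER_LOOKALIKE = "Ref 000-12-3456 and tracking 4111111111111112 are not NPI."

if __name__ == "__main__":
    for msg in (ORDER_CLEAN, ORDER_WITH_NPI, ORDER_LOOKALIKE):
        print(outbound_allowed(msg), "|", redact(msg))
```

The gate errs on the side of blocking, matching the article's advice to assume NPI is present: a blocked message is rerouted to the secure upload container rather than sent, while the redacted form can still be logged or shown to the sender so they see what tripped the check. Pattern matching of this kind catches the obvious identifiers only; it is a safety net behind a policy of encrypting everything, not a substitute for one.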
Regardless of the scope and type of encryption methods and processes used, developing a written security plan describing them is not optional. The law specifically requires that it be written and regularly reviewed. The institution must have it on file, and the privacy statement must refer to its presence.
An important consideration when evaluating your compliance solutions is to scale them to your needs, and remember that it’s not “all or nothing.” Improving security and compliance is a path, not a destination. It will never be “done” because the risks and methods constantly change. Don’t feel like you have to have it all done tomorrow. You don’t. You do need to start, and be educated, however. Security and privacy issues are not going away, ever. Now, more than ever, top-level privacy and security are good business, and those safeguards are appealing to your clients. When you decide to change your policies to enhance your customers’ protections, tell the market about it so you’re leveraging your compliance expenses for your institution’s benefit, too.
About The Author
Jennifer Miller is president of Mercury Network, a web-based software platform used by more than 600 lenders and AMCs to manage compliant collateral valuation workflow. Jennifer can be reached at Jennifer@MercuryVMP.com.