Data Security – What Every Mortgage Professional Needs To Know


By John Paasonen, CEO of Maxwell & Ken Kantzer, Co-Founder PKC Security

Mention data security to a mortgage executive and it’s enough to make them squirm. You can’t open a newspaper without reading about a security breach, even at some of the world’s most avant-garde technology companies.

Data is the heartbeat of the mortgage industry. Protecting it should be the priority for all organizations, no matter their size. And it’s time to face up to the reality that the conventional methods of security are no longer sufficient.



Ken Kantzer knows a bit about data security. He is the co-founder of PKC Security, a cybersecurity consulting firm. He has undertaken cybersecurity consulting and code audit efforts across multiple sectors: high-tech startups, financial services, oil & gas, industrial infrastructure, and high-security government systems.

Reduce Fractured Business Architecture

The way most mortgage companies work is fractured and insecure. Data resides on systems from the loan officer’s messaging app on their smartphone through to the LOS and everywhere in between. Data sits in Word documents. It lives in Outlook. And it’s transferred to third parties as part of the process every day.

Despite marketing promises to the contrary, there is no single all-in-one platform today. Indeed, that may be an unrealistic utopia. What is realistic is a set of best-of-breed, modern systems that work together seamlessly.


“The best way to get hacked is to have systems on your hands that no one at your company understands,” says Ken. “Given the choice, opt for platforms that employ the most modern security measures, and simple interfaces between your systems.”

Protect Data Dynamically

The conventional castle-and-moat approach to data security is outdated. The financial services industry, particularly the mortgage vertical, must move beyond just firewalls, antivirus, content filtering, and threat detection. “The old idea of putting up a wall and standing watch just doesn’t hold true anymore,” says Ken. “The new approach to data protection focuses on resiliency — systems must ensure that even in worst-case scenarios where there is a data breach, the data can be rendered useless.”

Encryption is one such example of this approach. Mortgage companies can maintain control of their data, even when it is deployed in the cloud or in their data center. By moving security controls as close as possible to the data, a mortgage company can ensure that even after the perimeter is breached, the information remains secure. “At PKC, we always look at how cloud services use encryption, and how the encryption keys used by the service are protected. When encryption is properly implemented, it can be a huge help in strengthening the security of a service, but when it’s improperly implemented, it can actually hurt, by lulling users into a false sense of security.”


If you haven’t been breached yet, you’re either lucky or you don’t even know it happened. Only mortgage companies that adopt a combination of password managers, encryption-at-rest (using tools like BitLocker or FileVault), and two-factor authentication can be confident that data is useless should it fall into unauthorized hands.
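Of the three controls named above, two-factor authentication is the one most often bolted on badly. The block below is an added example, not code from the article or from PKC or Maxwell: it implements the standard time-based one-time password scheme (RFC 4226 HOTP / RFC 6238 TOTP, the algorithm behind common authenticator apps) with the Python standard library, and shows the two details that separate a sound deployment from a false-sense-of-security one: a constant-time comparison of the submitted code, and rejection of a code that has already been used so an intercepted code cannot be replayed. The secret and timestamps are the published RFC test values, and the `LastUsed` bookkeeping is an assumption about how a verifier would persist state.

```python
import base64
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30          # RFC 6238 default time step
DIGITS = 6                 # code length shown to the user


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HMAC-based one-time password with dynamic truncation (HMAC-SHA1)."""
    msg = struct.pack(">Q", counter)                          # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                # low nibble selects a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP over the number of time steps elapsed since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


def provision_secret(nbytes: int = 20) -> tuple[bytes, str]:
    """Generate a fresh shared secret; the Base32 form is what an authenticator app enrolls."""
    raw = secrets.token_bytes(nbytes)
    return raw, base64.b32encode(raw).decode("ascii")


class LastUsed:
    """Per-user record of the newest accepted counter (assumed to live in persistent storage)."""
    def __init__(self) -> None:
        self.counter = -1


def verify_totp(secret: bytes, submitted: str, unix_time: int, state: LastUsed,
                window: int = 1) -> bool:
    """Accept a code from the current step or `window` steps either side (clock drift),
    compare in constant time, and never accept a counter at or below the last one used."""
    now = unix_time // STEP_SECONDS
    for counter in range(now - window, now + window + 1):
        if counter <= state.counter:                          # replay of an already-used step
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            state.counter = counter                           # burn this step for this user
            return True
    return False


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"                      # RFC 6238 test secret
    print(totp(rfc_secret, 59))                               # RFC vector at T=59 (6 digits)
    _, enrol = provision_secret()
    print("enrol this in an authenticator app:", enrol)
```

The `window` argument is the usual compromise between tolerating clock drift and widening the guessing space; the replay check matters because a one-time code is only "one-time" if the verifier remembers what it has accepted. Note that this example does not rate-limit attempts, which a production verifier must also do.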

Make Sales & I.T. Collaborate

Hopefully you do the basics: security awareness training, security policies that are enforced across the organization, and a consistent process of monitoring and reviews. Although these are necessary, they often feel like shackles for the sales team.

As many CIOs realize, employees are often the weakest link. “The key to security is not a sexy new kind of technology, it’s not machine or deep learning,” says Ken. “Of all the awesome technology to deploy to catch bad things before they happen, it’s your frontline employees that will have the highest rates of detection.”

When the IT team and sales collaborate, it is an opportunity to convey that owning security is everyone’s responsibility. The key to security is getting every person to care about it, to set a shared value that we must “protect our house” both at home and in the office.

Rather than IT attempting to shackle sales, have them arm the sales team with market-leading mobile communication and collaboration tools that solve their problems, make them more productive and are, by their very nature, secure.

Finally, use the best technology has to offer to reduce the non-selling administrative or customer service aspects of a loan officer’s role. Too often, those activities take up more time than selling loans, and sadly they are often created by poorly designed technology tools themselves. Ken agrees: “A mortgage company that understands how to minimize the amount of time a loan officer and her team spends doing administrative tasks, such as data entry and chasing borrowers for documents, will win by helping them be more productive.”

Hack Yourself

It sounds counterintuitive if not downright scary: invite hackers to analyze your systems, looking for security holes, and pay out a “bounty” when they find them. But PayPal, Western Union, Square, Simple and other financial services companies that have created or worked with so-called bug bounty programs say they’re an effective supplement for the work done by sometimes-strapped internal security folks.

Outside the industry, it’s become a common-enough practice that even the U.S. government launched a “Hack the Pentagon” program. Hackers have already found 100 vulnerabilities in Department of Defense systems and the program has paid out $15,000 to 1,400 participants.

Pay hackers to take your side and work with you, and avoid the legal, privacy, intellectual property and cyberfraud issues that result when they go it alone.

Companies that have been using bug bounty programs for years see only benefit to them. Along with the many other types of security defenses mortgage companies need, offering a bug bounty, or undergoing a quarterly penetration test, is likely to become a best practice in the industry.

Empower Your Customers

Two in three customers said they’d cease doing business with a company that experienced a breach where financial information was stolen. Half of the respondents to the global survey by Gemalto said they’d stop doing business with a company where personal information was stolen. A quarter of people said they’d consider legal action against the breached company.

In fact, a mortgage company can even increase customer trust by telling borrowers about the security measures that they have put in place to protect their data. By being open about the efforts they are making with regards to data protection, like encrypting data in transit and at rest, they can be perceived as trusted innovators.

Mortgage companies can take this a step further and, as well as informing customers about what they are doing to protect them, can also tell them what to do in order to protect themselves and become safer users of their services — for example, instructing them not to send sensitive documents by email.


Security must be at the forefront of all decisions made by mortgage professionals. Rather than letting this slow you down or cripple your organization, use security as your asset to grow your business. Have your teams empower each other rather than limit the capabilities of each group. Challenge yourselves regularly.

Technology and proper processes unlock efficiencies and can improve not only the security of your clients’ information, but your bottom line as well.

About Maxwell

Maxwell is a lightweight digital mortgage platform, helping lending teams become more efficient and provide the digital experience borrowers expect. Maxwell was created on the principle that mortgage companies will win by betting on the augmentation of human ability, not by replacing it with faceless technology. At Maxwell, the power of the human relationship is core to how we build software.

Founded in 2015, Maxwell is a member of the Mortgage Bankers Association and the Colorado Mortgage Lenders Association. In 2017, we were named one of the most innovative companies in real estate by HousingWire Magazine. Every day, our software is used by originators across the U.S. to serve thousands of homebuyers.



Managing Risks To Data Integrity And Security


Today’s lending environment is far different from that of even just a few years ago. Heightened regulations, increases in unannounced audits by the CFPB and an ever more complex economic environment have forced originators to change the way they do business. But even with the myriad changes that have taken place over the past several years, there’s one threat to lenders that has remained constant: the inability to maintain data integrity.

The mortgage industry has long struggled to ensure the quality, transparency and auditability of loan information. Lenders struggle with data entry errors, conflicting information that requires risky judgment calls and untold hours spent trying to complete and reconcile data after a loan is funded. As a result of the part “bad” data played in the recent financial crisis and recent litigation, quality initiatives are taking hold across the industry. Regulators are working to ensure that proper oversight is in place to authenticate loan information throughout the loan process.

Some common practices and beliefs contribute to a lender’s inability to ensure data integrity and security, including the reliance on paper-based processes, the mistaken belief that the LOS is the source of truth for loan data because it is the system of record and the use of insecure methods to share loan documents with others involved in the loan transaction.

Paper-based processes should be a thing of the past

While the printing, copying, and shipping of paper documents should be a thing of the past, for many lenders, it is still at the heart of the origination process and contributes to the inability to maintain data integrity. A typical loan captures thousands of pieces of data, and the potential for error is huge.

The reliance on paper also poses a huge security risk. Visit any lender with a paper-based process, and it is obvious that keeping confidential information secure is a losing battle. Paper files with confidential borrower information are stacked on desks and on tables in clear view of anyone who might be visiting the office. Account numbers, social security numbers and other personally identifiable information are in the clear, available to anyone who might have bad intentions.

Once the loan is funded, it is still very common for a lender to retain all paper loan files in a storage unit or warehouse, to be searched through manually whenever necessary. By doing this, however, they put the files and confidential borrower information at great risk. Anyone who has access to the files has access to a treasure trove of confidential borrower information. If the warehouse or storage facility is broken into or damaged by fire or inclement weather, there is no insurance policy that can keep the confidential information from criminals or that can replace the lost information. Third-party document storage services are often seen as good alternatives, but are expensive and often located far from the lender’s office, resulting in an inconvenient, inefficient, and costly search and retrieval process.

Moving to a paperless process improves data integrity and increases overall data security. Today’s imaging and document management solutions replace paper mortgage folders with electronic loan files that are processed electronically from beginning to end. Using a modern document imaging solution, lenders eliminate the manual entry of loan data which introduces inaccuracies, and lenders have a reliable online workflow that results in better protection for loan information, as well as higher productivity, reduced costs and higher quality loans.

In addition, paperless technology guarantees an easily accessible audit trail for a loan file, enabling lenders to collect information quickly and have all corresponding communications relevant to that loan available within seconds. In the case of an audit, rather than scrambling to gather paper files that may be difficult to locate, lenders have complete electronic loan files available to them with a couple mouse-clicks.

Your LOS is not the source of truth for loan data from documents

While relying on paper exposes vulnerabilities in and of itself, the central issue affecting data integrity is the potential for inaccuracies when data is entered, or overwritten, in a lender’s loan origination system (LOS). Many lenders mistakenly believe that an LOS is a “source of truth” for loan information. In fact, an LOS is primarily a “system of record”, capturing, storing and listing information, which can be mistyped or manually changed over the lifecycle of a loan.

While the best source of data associated with the loan is the original documents used in the loan process, LOSs don’t provide the lender with the appropriate tools to easily locate the data on the original document and compare it with what is in the LOS.

Today, lenders invest a lot of time and resources playing the “stare and compare” game, in which a human being compares information across multiple loan documents to spot discrepancies, and also compares the information on the source documents to the information in the LOS. Whether the lender uses in-house staff or outsourced labor to complete the task, this practice is time-consuming, error-prone and costly. In most cases, this quality control (QC) is done late in the process, or even after the loan has closed, limiting any possible corrective actions. With more comprehensive document management technology, lenders are able to implement QC throughout the lifecycle of a loan, not just at the end, which leads to better quality loans and better business decisions.

An advanced document imaging and collaboration platform also provides the ability to extract data from loan documents and to validate that data across any number of loan documents, while always maintaining a link to the original source document. This technology makes it easy to compare data in the LOS with the data on the original document and alerts the lender of discrepancies in the data, as well as missing data or missing documents immediately.

Maintaining the link to the source document is critical. An LOS system can extract data for rules engines and other purposes but loses the connection between that data and its source document. If multiple versions of the same document are submitted for a loan, which version of the document served as the source for the data value that is in the LOS? With best-of-breed document management technology, the lender is always able to link from the data to an electronic image of the source document, so the source can be verified and is never in question.

What’s more, a comprehensive audit trail is created for any changes made to the data values, while always maintaining a link to the source documents. An LOS creates an audit trail of changes made in the system, but, again, the link to the original document is lost. If a regulator were to request an audit, lenders should have the confidence that the tools they use to run their businesses will help see them through an investigation rather than send them to a warehouse to sift through stacks and stacks of yellowing documents and possibly never find the source document required to validate a business decision.
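The three mechanisms the last few paragraphs describe (comparing LOS values against extracted document values, choosing the right version when a document was submitted more than once, and keeping a tamper-evident audit trail that still points at the source image) fit in a short program. The following is an added example written for this page, not Capsilon’s software or any LOS vendor’s API; the loan record, the extracted values, the `img://` image references and the field names are all constructed sample data, and the audit trail uses a simple SHA-256 hash chain so that a retroactive edit to any entry is detectable.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Extracted:
    """One value pulled from a loan document, with a link back to the page image."""
    field: str
    value: str
    document: str   # document type, e.g. "W-2"
    version: int    # submission number; a re-submitted document gets a higher version
    image_ref: str  # hypothetical pointer into the imaging system (constructed)


def latest_versions(extractions):
    """Keep only the newest version of each (field, document) pair."""
    newest = {}
    for e in extractions:
        key = (e.field, e.document)
        if key not in newest or e.version > newest[key].version:
            newest[key] = e
    return list(newest.values())


def reconcile(los_record, extractions, required_fields):
    """Compare LOS values with document values; every finding carries its source link."""
    by_field = {}
    for e in latest_versions(extractions):
        by_field.setdefault(e.field, []).append(e)
    findings = []
    for name in required_fields:
        sources = by_field.get(name, [])
        los_value = los_record.get(name)
        if not sources:
            findings.append({"field": name, "issue": "no_source_document"})
            continue
        if len({s.value for s in sources}) > 1:        # documents disagree with each other
            findings.append({"field": name, "issue": "documents_disagree",
                             "sources": [(s.document, s.version, s.image_ref) for s in sources]})
            continue
        if los_value is None:
            findings.append({"field": name, "issue": "missing_in_los",
                             "sources": [(s.document, s.version, s.image_ref) for s in sources]})
            continue
        for s in sources:
            if s.value != los_value:
                findings.append({"field": name, "issue": "mismatch", "los": los_value,
                                 "document": s.value,
                                 "source": (s.document, s.version, s.image_ref)})
    return findings


class AuditTrail:
    """Append-only, hash-chained log of value changes, each tied to a source image."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []
        self._last = self.GENESIS

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, field, old, new, source_ref, actor):
        entry = {"field": field, "old": old, "new": new, "source": list(source_ref),
                 "actor": actor, "prev": self._last}
        entry["hash"] = self._digest(entry)
        self._last = entry["hash"]
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


# Constructed sample loan: the LOS lacks the property address, and the Note disagrees
# with the LOS loan amount. The W-2 was submitted twice; only version 2 should count.
SAMPLE_LOS = {"annual_income": "85000", "loan_amount": "250000"}
REQUIRED_FIELDS = ["annual_income", "loan_amount", "property_address", "borrower_dob"]
SAMPLE_EXTRACTIONS = [
    Extracted("annual_income", "82000", "W-2", 1, "img://w2-v1/p1"),
    Extracted("annual_income", "85000", "W-2", 2, "img://w2-v2/p1"),
    Extracted("annual_income", "85000", "Paystub", 1, "img://paystub/p1"),
    Extracted("loan_amount", "245000", "Note", 1, "img://note/p1"),
    Extracted("property_address", "12 Example St", "Appraisal", 1, "img://appraisal/p1"),
]

if __name__ == "__main__":
    for f in reconcile(SAMPLE_LOS, SAMPLE_EXTRACTIONS, REQUIRED_FIELDS):
        print(f)
    trail = AuditTrail()
    trail.record("loan_amount", "250000", "245000", ("Note", 1, "img://note/p1"), "qc-analyst")
    print("audit trail intact:", trail.verify())
```

Running the sample reports the loan-amount mismatch (with the Note image it came from), the address that exists on the appraisal but not in the LOS, and the date of birth that has no supporting document at all; the superseded W-2 does not generate a false alarm. The hash chain is what turns the log into evidence: an auditor can recompute it, and a quiet edit to an old entry shows up as a broken link rather than a plausible-looking history.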

Sharing Isn’t Always Good

During the life of a loan, many parties are involved in the transaction, including lender representatives, real estate professionals, title insurance agents, closing officers, and many others. Moreover, each of these parties is accustomed to different workflows, technologies and protocols when handling loan files. Today, much of the communication between these parties is done via fax, email, or the transport of paper files back and forth. The insecure channels used by the parties to collaborate on loans not only introduce the risk of human error, but significantly increase the security risk of lost or stolen files.

A document management platform gives lenders the ability to securely collaborate with co-workers and third-party service providers as the loan moves through the process. An LOS may provide collaboration capabilities, but not secure “workspaces” where lenders can invite co-workers, or trusted service providers, to exchange documents and collaborate through the loan process. Using a document management platform for secure collaboration also speeds the transaction because electronic communication is instantaneous, and days aren’t wasted resending lost or poorly transmitted faxes or mailing paper documents back and forth. Emailing, faxing, and shipping documents that contain sensitive information in the clear should be a thing of the past, and a best-of-breed document management platform offers a secure, more efficient alternative.

The mortgage industry has seen more changes in the past several years than in the past few decades. As a result of these changes, lenders must be prepared to change the way they do business by investing in technology that ensures loan data integrity and security.

By using a software solution designed to ensure data integrity, lenders improve the consistency and quality of loan information throughout the lifecycle of the loan, not just after a loan closes, when it is often too late to remedy. Technology also increases the security of loan information, as it replaces paper-based processes with secure, electronic channels for document management and collaboration. In today’s increasingly competitive and complex lending environment, the focus should be on delivering high-quality loans. With a focus on data integrity and security, lenders will be better able to meet both their operational objectives and financial goals.

About The Author


Sanjeev Malaney

With more than 17 years as Capsilon’s Founder and CEO, Sanjeev Malaney has proven himself as a visionary, a pioneer and a leader when it comes to the quest for bringing to market the true end-to-end digital mortgage. Capsilon has transformed the traditional mortgage process, enabling enterprise lenders to deliver a better borrower experience, help loan officers close loans up to five times faster and lower overall production costs by as much as 50%, by reducing massive staffing expenses that lenders ultimately have to pass on to the borrower.

Enhance Data Security Through E-Mail


The key is having a solution that is easy and simple not only to implement, but to use for everyone involved in the e-mail transmission. This approach ensures greater traction and compliance. Cyberthreats in mortgage affect your entire business. Are you protected? PaperClip’s eM4 protects customers’ personal information from unwarranted access and provides accountability for its use. This significantly minimizes your exposure to compliance and reputational risk. Here’s how it works:

Until now, the industry has lacked a truly compliant email solution, which by industry definition requires that a disinterested third party maintain both the keys used to encrypt the data and a “chain of custody” audit of the emails themselves. eM4, which fulfills both of these requirements, documents the secure life of the e-mail across the Internet and provides the industry with a bar-raising solution that ensures the highest level of fully auditable confidentiality.

eM4 captures e-mail metadata and stores it so that all subscribers can reconcile and reproduce the information for necessary audits. A secure web portal provides access for interactive auditing and periodic reporting. The eM4 subscriber service is so easy to use that it requires no user training. The system does all the work behind the scenes, with the user barely detecting any difference from usual e-mail activity. Simple encoding rules secure e-mails across the Internet in a compliant manner, and no user keys are required, which eliminates the cost of keys and their associated management. Non-subscribers can also use eM4 to reply to subscriber e-mails in a secure and compliant way.

eM4, which stands for “e-mail 4 Compliance,” is a unique service providing a level of true e-mail compliance without undertaking the more cumbersome option of secure electronic document delivery. Unlike standard secure electronic delivery in which messages must be retrieved at a secure location, with eM4 users simply send e-mail as usual. The system deploys in less than one day, requires no user training, and is affordable by an individual user to even the largest enterprise customers.

If you want to be protected just PaperClip it.


Mortgage Industry Advancement


For years PaperClip has been helping the securities and insurance industries go paperless. PaperClip follows the paper filing metaphor of Cabinet, Drawer, Folder, Document, Page and Annotations. Because the paper filing system is replaced with an electronic mirror version, training and adoption come quickly. Projects involving elaborate workflow rules are lengthy deployments, hard to follow (especially in the financial services industry) and simply the wrong place to focus; workflow belongs in the data system, because that’s where all the data is. Now Mike Bridges, President of PaperClip, speaks out about how the mortgage industry can adopt straight-through processing in a quick and easy way.

Q: You’ve spent the last 20 years in the electronic document management business across the Life Insurance, Securities and Mortgage industries. How are they the same and how are they different?

MIKE BRIDGES: They are the same because everyone wants to reduce or eliminate paper within their process and company. If paper is your choice to receive, process and store, it’s costing $1.30 per page cradle to grave. The financial services industries in the early nineties knew they wanted to get rid of the paper and those who had the staff and the budgets implemented enterprise wide workflow and document management solutions. Institutions implemented expensive solutions with the promise to stop paper at the mailroom and gain efficiencies by elaborate document workflows. By the early 2000s, the majority of those systems were pushed out of the workflow and took on the role of document archiving. Now in 2014, the trend is overwhelmingly outsourcing to an online provider. SaaS vendors offer application expertise, economy of scale, code maintenance, DR&BC and a path of innovation.

Their differences are not that great. They all have either captive or independent distribution channels; ninety-plus percent execute their process with paper, receive paper from their trading partners and close with paper. Mortgage transactions have the most documents and third-party interactions compared to Life Insurance or Securities. Securities as an industry really solved their problem in the early 1970s with the creation of the “Depository Trust & Clearing Corporation.” New York City before the DTCC would literally messenger stock certificates and checks around town. The DTCC did two things: it stored all the paper certificates securely in warehouses, not much different from how the county maintains the property title, and through computer trading, allowed one net settlement account transfer at the end of the trading day. The Securities industry has made and continues to make progress in transactional business, but when you step outside of trading, they’re right back to paper.

The Mortgage industry over the past few years has found a new respect for electronic documents and their budgets are reflecting it. Still dominated by paper, the new flood of compliance and litigation collecting documentation and using it effectively requires document management.

Q: We hear all the time that it’s not about the technology; it’s about how fast people can change. Over the last decade, what have you seen as some of the most significant adoption or change?

MIKE BRIDGES: In the past 10 years one of the most significant adoptions is probably the fact that we’ve reached the point where organizations will accept an imaged page of paper and allow the shredding of the original paper, clearly making the image page the archived exact copy of record. Working with over 500 financial services companies, electronic document management is a staple. These players understand you convert paper as early as possible and manage image files.

Another example of imaging use is Check21. The Life Insurance industry started accepting check images for payment processing five years ago. Producers have been sending check images for years with the application, which carriers would accept to start the underwriting, but they still required the paper check to be mailed. Today, many carriers will accept the front and back scans of a check and will process the check image as an ACH transaction into their bank account; the sender then returns the check marked void or shreds it.

Technology compliance has dramatically changed the industries. With the movement of computing resources to the cloud or SaaS hosting, this data move has placed more pressure on that Service Provider. In the past the ISV (Independent Software Vendor) developed software and the customer would deploy it (i.e. the data was their responsibility). Now, the data is the Service Providers’ responsibility. Most recent are the new HIPAA regulations clearly defining the Service Provider as a “Business Associate.” This means the Service Provider could be subject to HHS/OCR fining authority. This type of thinking is beginning to show up in new government regulations and will continue.

E-Sign Point-of-Sale solutions have been the big focus for the last decade. The end goal was “Straight Through Processing” (STP), the complete elimination of paper or the need of paper to complete a business transaction. Some have found success when they apply STP to a slice of the process, in other words, just taking a bite of the elephant. Weak adoption continues to plague the effort for several good reasons. Data collection, who’s keying in all the data into an application or worse, a browser, is the main problem. I’m not referring to contact info; I’m talking about the data models (MISMO, LBTC, ACORD, etc.) which require over 200 fields of information to be captured for the most basic transaction. Some of these transactions can require thousands of fields to be completed; let’s remember MISMO has over 3,000 defined terms and ACORD is not that far behind. This data is typically collected from diverse sources (Appraisals, Credit, Lender, LOS, etc.), which causes their challenge to flip to integration with trading partners. This has suffered because the ISV community could not wait for the Technology Standards groups to produce the best road map. Many times these standards discussions were dominated by the 800-pound gorilla in the room and politics ensued; and the end result was flawed standards.

Q: Given the progress of imaging and STP, why does the use of paper continue to grow every year?

MIKE BRIDGES: It is funny that the use of paper continues to grow given the impact of the Internet. I recently read that the overall growth is one percent every year through 2017, much better than the 6% growth of the 90s. Some experts attribute the increase to the practice of “TransPromo.” This refers to a transaction document that consists of a promotional message that is positioned alongside essential transactional information. I think the financial services industries are seeing the growth in new compliance standards. Remember, each new rule requires some documentation of evidence, more paper.

Q: Will we ever see STP work end to end?

MIKE BRIDGES: No, back to the number one problem. Where is all the data coming from? The Life Insurance industry five years ago turned to “Call Centers.” These centers would call the applicant and ask many reflexive questions to complete term applications and produce an ACORD 103 message and filled-in forms. These are not simple solutions; Carriers maintain over 1,000 reflexive questions for call center activity. Again, any sophisticated products that require professional guidance typically end up on paper applications.

The Mortgage industry leverages an ISV community and a process called “Scatter/Gather,” let the subject matter experts collect the data and send it back to the requestor. This of course requires data exchange standards. Today the standards process is fundamentally flawed. This is why successful ISVs continue to develop or acquire technology that builds out the STP or End-to-End process. This approach removes the needs for standards and integration since the ISV is in total control. An effective standards model or vendor can only grow the ISV community and the opposite will produce several large ISVs. Ultimately, the market will choose the winners but unless we get an effective way to exchange data, it’s no contest.

Q: If current standards are flawed, what could be an alternative?

MIKE BRIDGES: What I really mean is that the exercise of Standard Organizations sending everyone home with a standard to develop themselves will result in many different implementations. Twenty-five percent of ISV staffs do nothing but work on customer standards integration.

What I learned many years ago in the Power Plant Generation industry is that their data model was the most effective way to exchange and use data. I first introduced this model at an AIIM conference (Association of Image and Information Management) in 1996. Members of NAILBA heard the speech and we began to introduce the concepts into their technology meetings. Their work produced the Electronic Document eXchange (EDX) Standard in 1997. Their real work focused on a data dictionary of defined terms. Several vendors implemented EDX and today LBTC surveys report 80% of their documents exchanged as images. My company moves over 4 million documents per month between 500-plus companies.

NAILBA Tech’s next project was to create a data dictionary for their current data messages and end the resource drain of integrating with all the non-standard standards. Before that effort started, NAILBA outsourced its standards to ACORD. Currently, ACORD has started working groups to design a data dictionary model.

Since 2010, MISMO has been focused on building a business Logical Data Dictionary (LDD) and Reference Model to ensure semantic clarity and promote interoperability. If done well, this could be the break ISVs needed: finally everyone is calling the same thing the same thing. I know we’re watching this closely. Exchanging data and documents is one of our core businesses.

Q: With great adoption of STP, how will that impact imaging?

MIKE BRIDGES: Demand for imaging, Electronic Document Management (EDM), will continue to grow. Only EDM can accomplish the goal of being paperless. LOS or AMS solutions may store electronic documents, commonly called vaulting. The truth is that EDM users need to service all their business operations (e.g. Accounting, Human Resources, Compliance, Legal, Commissions, Marketing, etc.). EDM (SaaS) must meet the requirements to be accepted as their books and records. E-Signed transactions or XML files are just another electronic document to EDM. EDM SaaS providers function as a Disinterested Third Party (D3P), which provides safe harbor from those involved in the transactions, including the point-of-sale vendor. The Securities industry requires it; one of their many regulations says “if the electronic document is the exclusive document, a copy shall be stored with a D3P.” In addition, the D3P signs an agreement allowing access to the documents and data without the customer’s consent. EDM is more than a vault by an order of magnitude, but there is no question, EDM integration and communications are a requirement. EDM SaaS provides the best practices married with technology compliance, disaster recovery and business continuation requirements as well.

Q: Since you mentioned it, how do you see technology compliance changing in the near future?

MIKE BRIDGES: Enforcement is the only thing that’s really going to impact technology compliance. I do know we have the tools today to secure our systems, but unless organizations like FINRA, HHS/OCR, CFPB and State Regulators put it on their checklist, identity theft will continue to grow. The most vulnerable range from those DIY people storing electronic documents on their internal file servers to people using free websites for storage or to secure their emails and file transfers. When the enforcement arm gets going, it will be quick and the collection of fines will be welcomed by their respective treasuries.

Two-factor authentication is becoming popular for granting access to Non Public Information (NPI), but I don’t think the public will find it user friendly. Many of the regulations today allow the consumer to opt-out of secure transmissions when putting their NPI on the Internet; this waiver does not relieve third parties. The business community storing and exchanging third-party NPI must comply, “vendors must remain above reproach.”

Internet Protocol Lockout Service is another trend some companies are pursuing. This lockout or isolation service provides public access from within a distinct geographic location. Say I’m a company that only conducts business in the United States or a given State: I isolate my inbound/outbound traffic to only the US or my State and stop all other traffic before it reaches my firewall. This approach greatly reduces the risk of outsiders trying to do mischief or Denial of Service attacks or, worse, a desktop takeover.

Apathy remains our largest challenge. We have the tools and until enforcement arrives, systems will sit there like stacks of money on a park bench with nobody watching.
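The geographic lockout described above comes down to an allowlist decision made at the network edge. The following is an added illustration of that decision logic, not PaperClip’s or any vendor’s product code; the region-to-prefix table is constructed for the example (a real deployment loads it from a geo-IP feed, which is approximate and needs regular refresh), and the connection lines are likewise constructed sample input.

```python
"""Geographic IP lockout as an edge allowlist filter (illustrative example)."""
import ipaddress
from collections import Counter

# Constructed stand-in for a geo-IP feed (documentation-range addresses).
# Real feeds are large and change frequently, so refresh them on a schedule.
REGION_PREFIXES = {
    "US": ["198.51.100.0/24", "203.0.113.0/25", "2001:db8:1::/48"],
    "CA": ["203.0.113.128/25"],
}

def build_allowlist(regions, table=REGION_PREFIXES):
    """Collapse the permitted regions' prefixes into one list of networks.
    IPv4 and IPv6 are collapsed separately; ipaddress refuses mixed input."""
    nets = [ipaddress.ip_network(p) for r in regions for p in table.get(r, [])]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))

def decide(src, allowlist):
    """'ALLOW' if src falls inside a permitted prefix, otherwise 'DROP'.
    Anything that does not parse as an address is dropped (fail closed)."""
    try:
        addr = ipaddress.ip_address(src.strip())
    except ValueError:
        return "DROP"
    return "ALLOW" if any(addr in net for net in allowlist) else "DROP"

# Constructed sample of inbound connection attempts: "<src_ip> <dst_port>".
SAMPLE_CONNECTIONS = """\
198.51.100.7 443
203.0.113.10 22
203.0.113.200 443
192.0.2.55 3389
2001:db8:1::beef 443
2001:db8:2::1 443
not-an-ip 80
"""

def filter_connections(raw, regions):
    """Apply the lockout to each line; return per-line verdicts and drops per port."""
    allowlist = build_allowlist(regions)
    decisions, dropped_by_port = [], Counter()
    for line in raw.splitlines():
        if not line.strip():
            continue
        src, port = line.split()
        verdict = decide(src, allowlist)
        decisions.append((src, int(port), verdict))
        if verdict == "DROP":
            dropped_by_port[int(port)] += 1
    return decisions, dropped_by_port

if __name__ == "__main__":
    results, drops = filter_connections(SAMPLE_CONNECTIONS, ["US"])
    for src, port, verdict in results:
        print(f"{verdict:5} {src:>18} -> {port}")
    print("dropped per port:", dict(drops))
```

The drop counters are the part worth keeping: a sustained rise in drops on a single port is the signal the passage describes, blocked before it reaches the firewall and visible to whoever watches the edge.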

Industry Predictions

Mike Bridges thinks:

1. Processing paper costs $1.30 per page; going electronic costs $0.30 per page. We can process electrons better, faster and cheaper than we can process atoms.

2. A vibrant vendor community is directly related to the quality of their standards.

3. If you ignore Technology Compliance, either the bad guys or the good guys will find out; either way you’ll regret it.

Insider Profile

Since 1995, Mike Bridges has served as President, Vice President of Marketing & Sales, Director of Professional Services, and Consultant for PaperClip Software. In his current role, he is responsible for strategic direction, operations, and corporate communications. Prior to joining PaperClip Software, Mike was the Executive Vice President and co-founder of CMF Design System, a custom software and systems integration firm. Mike received a Bachelor of Science from Rowan University and served as a Captain in the United States Marine Corps.

Cyber Security Begins With A Plan

*Cyber Security Begins with A Plan*
**By Mike Bridges**

The frequency of online attacks against U.S. business continues to increase, along with the cost of defending against those attacks and mitigating any resulting data breaches. Cybercrime now costs a U.S. business $8.9 million per year, an increase of 6% from 2011 and 38% from 2010. Those findings come from the “2012 Cost of Cyber Crime Study,” which was sponsored by security intelligence tool vendor HP and released Monday (10/8/2012) by Ponemon Institute. The businesses profiled in the study also reported that on average they’re collectively seeing 102 successful attacks per week, up from 72 attacks per week in 2011 and 50 attacks per week in 2010.

The average breach costs $214 per record compromised; another cost factor is that it’s taking businesses longer to respond to security breaches. On average, it now takes a business 24 days to spot and resolve an attack, although some cleanup operations extended to 40 days. On average, each cleanup cost $592,000, a 42% increase from the average reported in 2011 of $416,000 (Ponemon Institute and Hewlett-Packard, 2013).

Cyber Security begins with a plan. This plan should be developed based on the requirements and risk of protecting third party Non Public Information (NPI). Requirements are driven by federal, state and self-regulatory organizations (SRO) representing the best practices and minimum techniques used to protect NPI and account for its use. Risk is the harm lost NPI can do to an individual, family or company when used to conduct crime.

Cybercrime falls into two categories, Active and Passive. Active cybercrime attacks a target directly: identity theft, credit card fraud, processing platform takeover and website shutdowns. Passive attacks listen to the party line (the Internet) to collect information which is not public, intercepting executive communications on financial decisions, intellectual property and legal strategies, or, summarized, “the stock tip.”

Financial institutions need to protect their NPI from potential cyber threats, and this includes the mortgage industry. How do you do that? I’ll give you some tips next week.

Since 1995, Mike has served as President, Vice President of Marketing & Sales, Director of Professional Services, and Consultant for PaperClip Software. In his current role, he is responsible for strategic direction, operations, and corporate communications. Prior to joining PaperClip Software, Mike was the Executive Vice President and co-founder of CMF Design System, a custom software and systems integration firm. Mike received a Bachelor of Science from Rowan University and served as a Captain in the United States Marine Corps.

Are You Prepared For Hackers?

*The Threat Of Hackers*
**By Tony Garritano**

Are you concerned about data security? You should be. In response to this new threat, vendors like Rentsys Recovery Services, a provider of disaster recovery solutions for businesses ranging from community banks and credit unions to enterprise organizations, have completed Service Organization Controls 2 (SOC 2) audits, which examine and identify potential risks associated with Rentsys’ information systems.

In this case, Rentsys’ completion of the comprehensive audit between September 2012 and March 2013 validates its commitment to providing its customers with secure technology and services. The audit’s principles test for security against unauthorized access, availability for operation, process integrity, confidentiality and privacy. In addition, the SOC 2 audit includes data collection, testing, observation of operations, reviewing of documentation and security procedures and analysis.

Garland Heart Management Group, an independent auditing firm, conducted the audit and formally evaluated and rigorously tested Rentsys’ processes, procedures and information systems to ensure the company meets regulatory standards.

“Our achieved compliance of the SOC 2 audit demonstrates Rentsys’ knowledge of the testing requirements as well as our commitment to our customers having the highest levels of data security,” said Walt Thomasson, managing director of Rentsys Recovery Services.

Founded in 1995, College Station, Texas-based Rentsys Recovery Services is a provider of comprehensive disaster recovery and business continuity solutions for businesses ranging from small bank branches to large enterprise organizations. Has your vendor been audited?

Tony Garritano

Tony Garritano is chairman and founder at PROGRESS in Lending Association. As a speaker Tony has worked hard to inform executives about how technology should be a tool used to further business objectives. For over 10 years he has worked as a journalist, researcher and speaker in the mortgage technology space. Starting this association was the next step for someone like Tony, who has dedicated his career to providing mortgage executives with the information needed to make informed technology decisions. He can be reached via e-mail at

Ensuring Data Security

*Ensuring Data Security*
**By Mike Bridges**

The key is having a solution that is easy and simple not only to implement, but to use for everyone involved in the e-mail transmission. This approach ensures greater traction and compliance. Cyberthreats in mortgage affect your entire business. Are you protected? PaperClip’s eM4 protects customers’ personal information from unwarranted access and provides accountability for its use. This significantly minimizes your exposure to compliance and reputational risk. Here’s how it works:

Until now, the industry has lacked a truly compliant e-mail solution, which by industry definition requires that a disinterested third party maintain both the keys used to encrypt the data and a “chain of custody” audit of the emails themselves. eM4, which fulfills both of these requirements, documents the secure life of the e-mail across the Internet and provides the industry with a bar-raising solution that ensures the highest level of fully auditable confidentiality. eM4 captures e-mail metadata and stores it so that all subscribers can reconcile and reproduce the information for necessary audits. A secure web portal provides access for interactive auditing and period reporting.

The eM4 subscriber service is so easy to use that it requires no user training. The system does all the work behind the scenes, with the user barely detecting any difference from usual e-mail activity. Simple encoding rules secure e-mails across the Internet in a compliant manner, and no user keys are required, which eliminates the cost of keys and their associated management. Non-subscribers can also use eM4 to reply to subscriber e-mails in a secure and compliant way.

eM4, which stands for “e-mail 4 Compliance,” is a unique service providing a level of true e-mail compliance without undertaking the more cumbersome option of secure electronic document delivery. Unlike standard secure electronic delivery, in which messages must be retrieved at a secure location, with eM4 users simply send e-mail as usual. The system deploys in less than one day, requires no user training, and is affordable for everyone from an individual user to the largest enterprise customers.

If you want to be protected, just PaperClip it.


The New Age Is Coming

*The New Age Is Coming*
**By Tony Garritano**

As we move to a more digital lending environment, the need to ensure the security of data will be very important. To this end, I have learned that IndiSoft has received approval for DD2345 certification from the U.S. Department of Defense under the U.S./Canada Joint Certification Program for its secure data destruction application WipeOut. The company has also completed the process to become a National Association of Information Destruction (NAID) member, providing another level of certification for the application. NAID is the international trade association for companies that provide information destruction services. Here’s what all this should mean to lenders:

Protecting the privacy and financial information of consumers is more important than ever due to the increasing threat of identity theft as well as new federal regulatory requirements. IndiSoft’s efforts demonstrate the company’s continuous efforts to provide robust technology that is secure and meets all regulatory requirements.

“The certification is essential when working with financial industry clients, which are managing sensitive information every day,” said Jeremy Pease, IndiSoft’s executive vice president of infrastructure. “Companies want the additional peace of mind that they are protecting their customers and themselves. Becoming a member of NAID is yet another way that IndiSoft will stay up to date on industry and regulatory changes.”

WipeOut enables users, with proper security and login requirements, to permanently remove sensitive data that is no longer needed from the hard drive of a server, PC or laptop.

“Since we are working with hundreds of clients’ sensitive information, such as tax returns and supporting documents, managing security is paramount to us,” said Rajiv Mahajan, principal at the Columbia, Md.-based accounting firm Shalini Gupta and Associates. “This includes secured destruction of documents that are no longer required. WipeOut gives us peace of mind because we have a way of managing this critical aspect of document management and privacy.”

WipeOut is accessed through a designated username and password from each device on which the application is installed. Additionally, authorized users can avoid federal penalties for privacy violations by using the proper data destruction tools that also maintain a complete audit trail as evidence of the steps taken to eliminate data leaks.


Understanding The News: PPE Gets SSAE-16 Certification

*PPE Gets SSAE-16 Certification*
**Vendor Ensures Security**

PROGRESS in Lending has learned that LoanSifter, a provider of product eligibility and pricing solutions for the mortgage banking industry, has successfully completed a rigorous SSAE-16 Type II SOC 1 (Service Organization Controls Report) examination in accordance with the latest reporting standards put forth by the American Institute of Certified Public Accountants (AICPA). The achievement gives lenders, banks and credit unions assurance that their data is being protected by one of the toughest standards that exist in the financial services industry.

The Statement on Standards for Attestation Engagements No. 16 (SSAE-16) standard is used to assess a company’s internal controls for data protection. Tampa, Florida-based BrightLine CPAs & Associates, Inc. independently conducted LoanSifter’s SSAE-16 examination for the period of September 1, 2011 through March 15, 2012.

“The nature of the financial industry requires reliable partners with a proven history and a commitment to excellence, so ensuring the security of client data has always been of utmost importance to LoanSifter,” said LoanSifter President Bruce Backer. “The results of the SSAE-16 Type II examination validate the stringent controls and safeguards employed by LoanSifter to ensure the integrity of our data and processes across our platform. At a time when trust is at a premium in the mortgage industry, our users can have confidence that their data – and their borrower’s data – is safe with us.”

A Type II examination – the type that LoanSifter received – determines whether a company’s policies and procedures were effective during the examination period. It is more demanding than a Type I examination, which only involves the examiner’s opinion on a company’s controls.

LoanSifter received an unqualified report on the criteria described in its assertion statement, with no exceptions for any tested controls, demonstrating the company’s commitment to the highest standards of operational excellence for its SaaS-based mortgage platform.