ARMCO Boosts QC Process Efficiency And Security

ACES Risk Management (ARMCO), a provider of enterprise financial risk management solutions, has announced new product enhancements that increase QC process efficiency and security for lenders and servicers using its auditing platform, ACES Audit Technology. The top features of this upgrade include the addition of single sign-on capability, and integration with DataVerify.

Featured Sponsors:



ACES’ new single sign-on capability enables users to access ACES using the same login credentials and password they use to access their company computers—a feature of particular use to enterprise-level organizations.

“Our clients have realized that using ACES as their testing and compliance platform across the enterprise brings standardization and cost savings,” said Phil McCall, president of ARMCO. “Our addition of single sign-on allows our enterprise clients to integrate ACES as part of their suite of corporate applications utilized by one single login and password.”

Featured Sponsors:


ACES’ new direct integration with DataVerify enables users to order DataVerify’s data verification assistance services directly from the ACES platform. It also transfers data directly from the loan file, and automatically files the DataVerify reports into the appropriate area, eliminating the security risks and errors that can result from rekeying and transferring information manually.

Featured Sponsors:


“Lenders and servicers often contract staff in declining markets, like the one the industry is currently facing,” said McCall. “As we found through the most recent ARMCO Mortgage QC Industry Trends Report, this can put them at risk of errors and other quality issues. This upgrade further helps assuage the challenges that can occur when lenders and servicers downsize and reorganize.”

About The Author

Knock, Knock, Who’s There?

*Knock, Knock, Who’s There?*
**By Scott Kersnar**

ScottK***When word got out in March that coughed up information on Attorney General Eric Holder and other celebrities, worries once again shot up about hackers on the Internet, even though these incidents did not involve hacking per se.

****The security problem with Internet access to free credit reports, says Garret Grajek, CTO for Irvine, CA-based SecureAuth, is that answers to many of the security questions “can be found on Web pages” or even guessed. He said people too often simplify the problem of having multiple IDs and passwords “by using a few of them for everything.”

****Whenever stories about security breaches get headline coverage, the general outcry is for foolproof security. S0 suppose the CFPB and other regulators decree that the standard of protection for online transactions in financial services be that security become absolutely foolproof? In today’s compliance-driven world, no one can call such a scenario far-fetched. The problem that always lingers is how to comply with stricter standards without slowing internet transactions to a crawl.

****If you go to Google, you will find the strongest user authentication described as: “username/password or PIN code + PKI smart card + biometric characteristic checking + bilateral challenge response procedure based on PKI x.509 digital certificate and asymmetrical cryptographic techniques.”

****Wow. To a non-expert like me, that certainly sounds formidable. So let’s say this level of security is needed for transmitting sensitive information in patient files within and between healthcare systems. But it sounds like overkill as the security needed, for example, to protect e-signing of disclosures in a real estate transaction. How do you vary the security measures required to fit different needs?

****“Our whole message is that this is a solvable problem, “said Grajek. “But the solution can’t rely on ID and password only.” He said a key attribute of a stronger system is that it allows bilateral authentication “that insures that the user gives them a certificate that is not phishable by attackers.” At the same time, he said, the system ”must be malleable enough to cover all the different types of authentication.” SecureAuth has patented a solution enabling authentication engines to have that kind of malleability.

****The SecureAuth IdP system provides identity protection combining SSO and single, two and three-factor authentication in one platform for cloud and Web.

****When users log on to a user like Credit Interlink, for example, they are authenticated by their username and password, and a four-digit PIN is issued via a phone call or other message. A certificate is stored on the machine for verifying identity and authorizing access.

****When security is being increased, a major objective always is to minimize user inconvenience. Credit Interlink commended SecureAuth for providing two-factor authentication that stores the certificate locally on the machine so users do not need to enter a PIN each time they log on.

****At this writing, said Grajeck, x.509 certificates have never been hacked. That doesn’t mean they never will. Being a leading-edge security provider means never relying on any one measure.

LOS Gets Security Seal Of Approval

*LOS Gets Security Seal Of Approval*
**By Tony Garritano**

***In an over-regulated world like the mortgage industry has become, security matters. Lenders have to protect the sensitive information about their borrowers. The old answer to this issue was to make sure that your vendor is SAS 70 certified, but that just isn’t good enough anymore. Vendors have to go further and the good vendors are doing just that. For example, Associated Software Consultants, Inc. (ASC), a provider of loan automation, business rules flexibility, SaaS deployment and a single platform for mortgage, consumer and commercial lending now has successfully completed a SSAE 16 SOC 2 Type II audit of its corporate headquarters and its managed hosting services with zero exceptions. Here’s why this is important:

****This evaluation includes a strong set of controls and requirements specifically designed around data center service organizations. The Statement on Standards for Attestation Engagements (SSAE) No. 16, known as SSAE 16, has been put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). Its purpose was to replace an aging SAS 70 standard that needed to be refreshed, but more importantly, one that would keep pace with the growing push towards more globally accepted international accounting standards.

****Companies undergoing an SSAE 16 examination produce a description of their “system” along with providing an Assertion by management. The system includes services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization’s core activities. The “written assertion” by management forms one of the key differences with previous standards which did not require this document.

****“SSAE16 is a much more comprehensive and rigorous standard,” said Joseph Schmigel, Director of Information Technology at ASC. “By meeting the standard, we’re able to provide our customers an even greater measure of confidence that their SaaS deployed  loan processing and secondary marketing system infrastructure and business information is being adequately protected in our facilities. “Achieving the SSAE 16 standard symbolizes our commitment to operational excellence and provides our customers with independent validation of the effectiveness of our operations”.

****Successful completion of the SSAE 16 Audit indicates that ASC processes, procedures and controls have been formally evaluated and tested by an independent accounting and auditing firm. The examination included the company’s controls related to security monitoring, change management, service delivery, support services, backup and environmental controls, logical and physical access as well as the accuracy of the security, availability, integrity, confidentiality and privacy controls for ASC’s hosted systems.

Fraud Detection Vendor Gets Security Seal

*Fraud Detection Vendor Gets Security Seal*
**By Tony Garritano**

***Do you want to end up in the papers having not secured your customer’s sensitive information? Of course not. That’s where technology comes in. For example, Interthinx has earned a National Institute of Standards and Technology (NIST) certification recommendation from SecureInfo for two of its automated products for the residential mortgage markets. Here’s what happened here:

****SecureInfo subjected both FraudGUARD and PredProtect to extensive review to determine that the products meet the stringent security requirements of the NIST. As part of its standard procedure, SecureInfo conducted interviews, examinations, tests, and vulnerability scan analyses to evaluate 115 NIST SP 800-53, Revision 3 controls and control enhancements.

****Mike Smith, chief technology officer and chief architect for Interthinx, stated, “We are particularly pleased that as an independent third party serving as an Agent of the Certification Authority, SecureInfo recommended that both FraudGUARD and PredProtect be issued an Authorization to Operate.”

****“Interthinx takes great pride in its security measures and stands ready to work with government agencies to help mitigate risks through improved data integrity and compliance,” said Kevin Coop, president of Interthinx.

****Interthinx, a Verisk Analytics subsidiary, is a national provider of risk mitigation solutions focusing on mortgage fraud, collateral risk and valuation, regulatory compliance, forensic loan audit services, loss mitigation, and loss forecasting. Interthinx offers predictive analytics to the residential mortgage industry.

Market Analysis: LOS Gets Security Patent

*LOS Gets Security Patent*
**By Tony Garritano**

***With all these new rules is your workflow becoming more and more confusing? It’s enough to drive anyone a bit crazy. But, you guessed it, technology can help. To this end, origination vendor Ellie Mae has announced that the United States Patent and Trademark Office has issued the company a patent for an advanced security model that enables managers, loan officers and processors to securely access critical loan files and documents online. The company now holds six patents.

****The invention––U.S. Patent number 8,126,920 entitled, “Enterprise Security Management System Using Hierarchical Organization and Multiple Ownership Structure”––is a hierarchical organization and security model for networked computing. It allows multiple ownership of system files and resources while maintaining flexibility of organizational control and strict security rules over the users. In other words, Ellie Mae’s technology allows loan origination system and other networked computer users to access, work and collaborate securely on files and documents.

****In addition, a user’s access and/or ability to make changes may be limited or controlled by members higher up in the organization or network. For example, a lender can restrict what actions a mortgage manager can perform on loan files and documents or limit what a loan officer or processor can approve and what data and files they can access.

****“As our industry migrates to cloud computing and Software as a Service (SaaS), new opportunities and challenges for clients are being created,” said Limin Hu, Ellie Mae’s co-founder and chief technology officer. “On one hand, this new paradigm enables greater access and efficiency within organizations and supply chains; on the other hand, it also increases the possibility of security lapses. Our new, patented technology addresses both the productivity and security concerns of our clients, and we believe may have applications beyond the mortgage industry.”

Market Analysis: Security Concerns About SaaS Persist

*Security Concerns About SaaS Persist*
**By Tony Garritano**

***As lenders embrace Software as a Service, security concerns arise. Is it safe? What about how it will protect sensitive information? The truth is that SaaS is safe. As proof, there are certificates that can ensure a level of security that all lenders should ask for. For example, PROGRESS has learned that IndiSoft, a technology development firm that provides software as a service (SaaS) solutions based on a collaborative rules-based workflow platform for the financial services industry, has achieved the ISO 27001:2005 Information Security Management System Standard. Here’s the scoop on this standard certificate:

****This certification verifies IndiSoft’s practices for software development, licensing as well as support services and will give its U.S. clients added assurance that they are working with a company that operates using well-established, reputable principles. The ISO 27001:2005 ISMS Standard is a series of documents established by the International Organization for Standardization (ISO), the world’s largest developer of international standards.

****“We have always believed in a process-driven approach, and this certification provides our clients with a level of assurance in our operations, as well as confidence in our existing systems and their alignment with international work practices and standards,” said Sanjeev Dahiwadkar, president and CEO of IndiSoft. “Our technology delivers transparency in auditing processes and ensures compliance for our clients. This accreditation is an acknowledgement of our systematic approach to managing their secure information.”

****ISO is a network of the national standards institutes for 162 countries and created the standard to set international requirements for quality management systems. Adopted today by more than 80 countries, the ISO /IEC 27001:2005 ISMS provides a management framework for continuing conformance to information security systems.

****So dot the Is and cross the Ts when looking into SaaS vendors, but don’t shy away from this delivery model, it could work for you.

Market Analysis: Putting Cloud Computing To The Test

*Putting Cloud Computing To The Test*
**By Tony Garritano**

***The National Institute of Standards and Technology (NIST) has taken a hard look at cloud computing. Cloud computing has been the subject of a great deal of commentary. Attempts to describe cloud computing in general terms, however, have been problematic because cloud computing is not a single kind of system, but instead spans a spectrum of underlying technologies, configuration possibilities, service models, and deployment models. As a result, the NIST released its definition of cloud computing along with some guidelines to ensure security. Here’s what they said:

****First, in defining cloud computing, the NIST noted, “A cloud computing system may be deployed privately or hosted on the premises of a cloud customer, may be shared among a limited number of trusted partners, may be hosted by a third party, or may be a publically accessible service, i.e., a public cloud. Depending on the kind of cloud deployment, the cloud may have limited private computing resources, or may have access to large quantities of remotely accessed resources. The different deployment models present a number of tradeoffs in how customers can control their resources, and the scale, cost, and availability of resources.”

****NIST went further to detail the economic considerations that users need to consider when going to the cloud. The institute said, “In outsourced and public deployment models, cloud computing provides convenient rental of computing resources: users pay service charges while using a service but need not pay large up-front acquisition costs to build a computing infrastructure. The reduction of up-front costs reduces the risks for pilot projects and experimental efforts, thus reducing a barrier to organizational flexibility, or agility. In outsourced and public deployment models, cloud computing also can provide elasticity, that is, the ability for customers to quickly request, receive, and later release as many resources as needed. By using an elastic cloud, customers may be able to avoid excessive costs from overprovisioning, i.e., building enough capacity for peak demand and then not using the capacity in non-peak periods. Whether or not cloud computing reduces overall costs for an organization depends on a careful analysis of all the costs of operation, compliance, and security, including costs to migrate to and, if necessary, migrate from a cloud.”

****While endorsing cloud computing overall, NIST did warn that users need to prepare for security. NIST pointed out, “Organizations should be aware of the security issues that exist in cloud computing and of applicable NIST publications such as NIST Special Publication (SP) 800-53. As complex networked systems, clouds are affected by traditional computer and network security issues such as the needs to provide data confidentiality, data integrity, and system availability. By imposing uniform management practices, clouds may be able to improve on some security update and response issues. Clouds, however, also have potential to aggregate an unprecedented quantity and variety of customer data in cloud data centers. This potential vulnerability requires a high degree of confidence and transparency that cloud providers can keep customer data isolated and protected. Also, cloud users and administrators rely heavily on Web browsers, so browser security failures can lead to cloud security breaches. The privacy and security of cloud computing depend primarily on whether the cloud service provider has implemented robust security controls and a sound privacy policy desired by their customers, the visibility that customers have into its performance, and how well it is managed.”

****To clarify, NIST released guidelines on privacy and security around cloud computing. Proactive technology vendors within the mortgage space are both adopting cloud computing and seeking to educate the mortgage space on the benefits of this technology advancement. For example, PROGRESS in Lending has learned that eLynx, a portfolio company of American Capital, has released a new white paper that will help companies that utilize Cloud computing technology understand the recently released guidelines on security and privacy issued by the NIST. The paper, entitled “Data Security in the Cloud,” summarizes the government’s recommendations related to cloud-based services offered by eLynx to the financial services and real estate industries.

****“Too many companies have over-used the concept of cloud computing in an effort to gain a marketing advantage,” said Alan Matuszak, Vice President of Software Engineering and Operations for eLynx. “In the process, many executives in our industry find they have unanswered questions when it comes to data security and privacy as they relate to these advanced systems. This new paper answers some of those key questions.”

****eLynx has been offering cloud-based services for close to two decades. The company’s experienced executives contributed to the paper, which also outlines how eLynx meets or exceeds all NIST recommendations.