This article originally appeared in American Land Title Association’s online archive in 2015 and has been updated for accuracy to reflect Virtru’s current product offerings.
Purchasing a home is one of the scariest and most exciting decisions a person can make. One of the most terrifying aspects of homebuying is the amount of personal financial information a potential homeowner must disclose to a team of strangers. The mountain of paperwork required in a home settlement is passed across the table to the real estate agent, the buyer and seller, the real estate lawyer and the title agency. In addition, prior to closing, a homeowner might be sending all sorts of paperwork via email, from HUD documents to loan applications.
Given how vulnerable a consumer can be during a home transaction, there are several measures in place to protect homeowners and sellers from data privacy breaches, as well as being slammed with hidden fees. While in the twentieth century, most of these protections could be found scattered across multiple laws and agencies, they’ve since been consolidated under the authority of the Consumer Financial Protection Bureau (CFPB).
The Importance of CFPB Compliance
One of the largest safeguards protecting consumer data privacy is the Consumer Financial Protection Bureau. Title agents and other professionals who handle housing transactions must maintain CFPB compliance, or else they face steep financial penalties. Between July and December 2014, CFPB compliance regulations led to over $19 million in remediation paid out to more than 92,000 consumers.
But what does CFPB entail, and how can title agencies and other entities working with home settlement protect their clients and their businesses?
NPI and TILA-RESPA: Two Arms of CFPB Compliance
Two of the most important aspects of maintaining CFPB compliance are protecting the security and privacy of NPI (non-public information) and keeping your agency in line with TILA-RESPA, a pair of laws that work to ensure that users have helpful, transparent access to information pertaining to their home settlements, including any costs and fees associated with the final transaction.
The Truth in Lending Act, or TILA, was passed in 1968 to help manage costs related to consumer credit transactions by requiring disclosures and transparency from lenders. One of the most important aspects of TILA is the requirement of standardized forms so that consumers can easily understand and compare the costs of taking out a loan or mortgage. The Real Estate Settlement Procedures Act, or RESPA, was passed in 1974 and promises a similar slate of protections to TILA, but with its own set of forms.
For improved consumer clarity and enforcement, both of these acts were brought together under the Dodd-Frank Act to integrate consumer disclosures and consolidate forms, all under the authority of the CFPB. With that integration, TILA-RESPA became a crucial component of maintaining CFPB compliance.
What Protecting NPI Entails
Protecting NPI like social security numbers or bank information is an important part of maintaining CFPB compliance. To help agencies better equip themselves to protect sensitive consumer data, the American Land Title Association (ALTA) has issued a number of guidelines surrounding NPI best practices:
- Restrict access to NPI only to those who need to access it, when they need to access it. Also ensure that all employees undergo background checks before being granted access. After an agency no longer has reason to access the data, it should be disposed of thoroughly.
- The use of removable data devices, like thumb drives, should be either prohibited outright or strictly controlled via an organization-wide policy.
- NPI should only be delivered via secure methods (so if you’re emailing NPI in any form, you should be using an email encryption service like Virtru).
- Create a disaster management plan in case things go wrong. This could be as straightforward as a security breach, or even just a server or network failure that impacts business continuity.
- Establish and follow procedures to audit your organization for CFPB compliance, and review those procedures to ensure that the audits themselves don’t leak NPI.
- Ensure that your agency is well-informed of your state’s security breach notification laws, and is prepared to follow them in case of a data leak.
TILA-RESPA Compliance and Consumer Privacy
To facilitate TILA-RESPA compliance for businesses that deal in home settlements, the CFPB has released a guide to the TILA-RESPA Integrated Disclosure Rule. While the main focus of TILA-RESPA is on transparency, there are several mentions of data privacy in the full text of the law. Because the forms necessary to close on a house differ significantly from those required prior to TILA-RESPA, it can introduce confusion as to who has access to what information. To maintain TILA-RESPA and CFPB compliance without violating consumer privacy or causing a breach of NPI, it’s crucial that you provide proper training and knowledge sharing to everyone in your organization so that, say, a Closing Disclosure doesn’t end up on the wrong person’s desk — or in their inbox.
Consumer Privacy and CFPB Compliance
Jeffrey Grant is an attorney licensed in the state of Florida to practice real estate, probate and trust administration law. We met with him to discuss how CFPB compliance and TILA-RESPA relate to consumer data privacy, and whether email encryption is a necessary component of protecting NPI.
1. With the introduction of TILA-RESPA in CFPB compliance, how have things changed?
There has been a tremendous amount of change already, with an extreme emphasis towards the implementation of the ALTA’s best practices, rumor has it, that several lenders will begin requiring a self-certification of your best practices materials.
2. How is the industry reacting to the new regulation?
There is a lot of uncertainty at the moment, as the regulations constitute a large change in the manner in which business is conducted. Only a few of the largest lenders in the business (lenders will be making the bulk of the implementation decisions regarding the new CFPB regulations) have indicated the manner in which they will be operating, though the industry and its vendors are continuing to adapt in the face ever fluid conditions.
3. What do you consider NPI in the industry?
We would consider any document that has social security numbers, dates of births or bank account numbers to be NPI, in addition to other pertinent and private communications received from clients.
4. How did you manage NPI before?
We had the ability to send documents securely through our practice management software and would frequently use that when transmitting NPI.
5. Where is NPI usually stored? Do you keep physical copies of anything? Will that change?
We keep physical copies of all of our files for at least seven years. Additionally, our data is scanned to our server and is backed up regularly.
6. How often is NPI transmitted over email?
It’s possible for NPI to be transmitted over email several times per week, and this is typical for the industry.
7. Do some states have additional regulation? If so, does this impact transactions occurring across state lines?
Almost all of our transactions are Florida specific. However, I am aware that the Bar Associations of other states require attorneys to encrypt their email.
8. Do you think encryption is an important part of protecting NPI?
Yes. Encryption allows you to securely transmit NPI, while minimizing the inconvenience to our staff as well as to the consumer.
9. Do you think the CFPB will expand its rules to specifically require encryption in the future?
I don’t know if the CFPB will ever get that specific. In general, their regulations have been left open for interpretation, and include some room to operate for both large and small entities based on the volume of business and level of complexity for the organization.
Email Encryption: Your Secret Weapon for CFPB Compliance
While CFPB compliance doesn’t explicitly require email encryption, ALTA best practices require that you only transmit consumer NPI via secure methods. As Jeffrey Grant shared above, email encryption is recommended to preserve the convenience of email without sacrificing privacy or security. If your agency isn’t currently using email encryption to protect your email messages and attachments, it’s time to make the switch.
Virtru is an easy-to-use email add-on that provides client-side email encryption with the flip of a switch. Unlike other methods of email encryption, you don’t have to be a tech whiz to secure your emails with Virtru. With no new software to install or logins and passwords to remember, you can continue sharing NPI via email without changing the way you work today.
To learn more about how Virtru can help make CFPB compliance easier for your organization, contact us today.
