Venture Blog

Mortgage Moments: Minimizing Risk in Data Privacy Policies

by Claire Henderson

November 17, 2022

With new technology introducing more points of vulnerability and new regulations requiring heightened attention to those vulnerabilities, it is as important as ever for the mortgage industry to assess the current state of digital security. Data privacy and security experts identified the two main threats to lenders and servicers as attempts to steal data and attempts to take down their systems for ransom.

The CFPB’s new requirements cover approximately 80% of these types of attacks. Security policies will need to cover basic elements such as multi-factor authentication, password management, timely software updates, and encrypted data. However, these features alone might not leave financial institutions fully prepared for regulatory audits. These examinations of their systems will also be looking for some type of logging for all activity and updates in addition to the new standard processes. 

Raising Your Shield for Data Privacy & Security, Tom Clerici, CTO of Freedom Mortgage Company, and David Shirk, CMCCP, Managing Member of Shirk Law PLLC

“Dark patterns” have typically been relevant to UI/UX design of websites where there is some element of manipulating or misleading the user with false advertising or intentionally confusing functionality. Something mortgage lenders should now be aware of is whether any of their existing forms or workflows might be obscuring what borrowers are consenting to as these are dark patterns that regulators will be looking for more closely than before.  

An example of this would be payment terms hidden below the fold on a webpage where the immediately visible information is a standard truth in lending statement. In this case, the borrower might assume the “I agree” button is tied only to that disclosure statement, without realizing that it also binds them to specific payment amounts and terms.

Financial institutions should evaluate their customer-facing forms and realign them into a simple, clean process with separate signatures required for each agreement, disclosure, and payment opt-in. These digital agreements should also have options for the customer to make comments in case they are being asked to sign a document with any false or incorrect data that needs correcting. Determining whether customers can clearly understand the terms of the transaction may require A/B testing of closing documents in order to pinpoint where potential confusion needs to be cleared up. 
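As an added illustration (not code from the session, Freedom Mortgage, or Shirk Law), the consent ledger below enforces the one-signature-per-document rule described above: a single acknowledgement that tries to bind more than one scope is rejected, each event records a hash of the exact text shown plus any borrower comment, and closing is complete only when every required scope was acknowledged on its own. The scope names and borrower id are constructed placeholders.

```python
import hashlib
from datetime import datetime, timezone

# Constructed list of items a borrower must acknowledge one at a time.
REQUIRED_SCOPES = ("truth_in_lending_disclosure", "loan_agreement", "autopay_opt_in")


def document_fingerprint(text: str) -> str:
    """SHA-256 of the exact text presented, so the log shows what was agreed to."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def record_consent(ledger, borrower_id, scopes, presented_text, comment=None):
    """Append one consent event to the ledger (a plain list of dicts).

    One click may bind exactly one document: bundled acceptance, where a
    single "I agree" covers a disclosure and hidden payment terms, is rejected.
    """
    scopes = tuple(scopes)
    if len(scopes) != 1:
        raise ValueError("each agreement, disclosure and opt-in needs its own acknowledgement")
    scope = scopes[0]
    if scope not in REQUIRED_SCOPES:
        raise ValueError(f"unknown consent scope: {scope}")
    ledger.append({
        "borrower": borrower_id,
        "scope": scope,
        "doc_sha256": document_fingerprint(presented_text),
        "comment": comment,  # borrower's note about incorrect data, if any
        "at": datetime.now(timezone.utc).isoformat(),
    })
    return ledger


def missing_scopes(ledger, borrower_id):
    """Scopes this borrower has not yet separately acknowledged."""
    seen = {e["scope"] for e in ledger if e["borrower"] == borrower_id}
    return [s for s in REQUIRED_SCOPES if s not in seen]


def closing_is_complete(ledger, borrower_id):
    """True only when every required scope has its own consent event."""
    return not missing_scopes(ledger, borrower_id)


if __name__ == "__main__":
    log = []
    record_consent(log, "b-001", ["truth_in_lending_disclosure"], "TIL text")
    record_consent(log, "b-001", ["loan_agreement"], "Agreement text", comment="Rate is wrong")
    print(missing_scopes(log, "b-001"))  # ['autopay_opt_in']
```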

Vendor management is an equally important contributor to potential security vulnerabilities. Privacy policies should cover protection of both data provided by the mortgage institution to their vendors as well as any data a vendor provides. If vendors are providing leads, it is essential to evaluate their data collection methods in case they are utilizing dark patterns that are not protected by GLBA standards. Even if a mortgage lender has a carefully planned data privacy policy, their vendors are the most likely to cause any potential audit issues, yet the lender will be the one liable to the auditors. Therefore, due diligence in vendor management is essential. 

Financial institutions should assume their vendor will experience a breach at some point and will need to evaluate each vendor’s plan for incident response and disaster recovery. If a plan is not in place already, there is little chance of successfully defending a suitable response to an auditor. Quick notice by the vendor is crucial for the institution to support a claim that they responded quickly to a breach, so finding vendors you can trust with your data and who will work with you to meet regulations, prevent risk, and offer transparency is the best path toward preparing yourself for the worst-case scenario.  

After a plan has been established with vendors, the plan must be tested for resiliency. Security experts recommend that vendors be brought into tabletop exercises that test how well prepared origination and servicing systems are in the event of a breach. In a scenario where data or business operations are ransomed, law enforcement is not an option for retrieving stolen or ransomed data and cannot replace a comprehensive disaster recovery or incident response plan. Cyberinsurance is harder to acquire, and harder to have enforced, than before, with increased premiums and decreased liability amounts. Including the steps for activating a cyberinsurance policy in the plan, along with who to contact, will help ease this process if it is ever necessary.

Since servers reside with SaaS vendors along with licenses for data preservation, originators and servicers need a plan for data warehousing in case their SaaS provider leaves them or shuts down unexpectedly. These institutions need to de-risk access so they can reach their data even if the LOS goes down, in order to meet statutes.


In the future, mortgage originators and servicers can expect more regulations from more auditors, meaning they need to understand their data better and deeper. The FTC has brought up data minimization as a standard approach, which is in conflict with many mortgage institutions and their need for a full financial picture of borrowers—not to mention the AI that is starting to be used for qualification and underwriting. Experts predict that data exfiltration will continue but that attacks on availability will become more frequent, as preventing revenue generation is more costly and damaging to an institution's reputation than stolen data.

To combat these added complications, mortgage companies will need to focus on tackling potential dark patterns in their messaging, establishing well-tested response plans with their vendors, and locking down digital security on all platforms, especially mobile. 
