An Economist article in 2017 made the claim that data is the new oil, arguing that data is now the most valuable resource available to businesses. While the validity of that claim has since been debated, there’s no question that data is an incredibly valuable asset – just look at the volume of regulations that protect how companies must store and transmit customers’ personally identifiable information (PII).

The problem in the world of mortgage technology is that too many startups have failed to comply with those regulations. As a result, customers are vulnerable to a variety of preventable incidents (from theft of funds to identity theft), and the companies themselves are left paying fines for their lapses and losing customers’ trust.

Here’s a look at the three-pronged reason data security continues to be a problem among fintech startups (including mortgage technology companies) and how we as an industry can improve the landscape.

Security Lapses at Financial Companies

You don’t have to dig too deep to find security lapses at financial companies.

Take the infamous Equifax data breach of 2017: the 118-year-old credit reporting bureau was responsible for a breach that affected 147 million Americans. Because of a security flaw the company reportedly knew about for at least two months before the incident happened, sensitive data like social security numbers was left exposed.

If the company had acted faster to address the vulnerability, the breach (a violation of protections laid out by the Gramm-Leach-Bliley Act) might never have happened.

But Equifax is an old company. It was founded in an era before television, never mind the internet. While company leaders were almost certainly aware of their duties under the GLB Act’s regulations, the company itself clearly didn’t have the tech- and security-first culture necessary to respond to threats on an ongoing basis.

Compliance Lapses at Tech Companies

On the other hand, there are also plenty of examples of the reverse: compliance lapses at tech companies hoping to serve the financial industry.

In January of this year, for example, a breach at the data and analytics firm Ascension led to the exposure of 24 million financial and banking documents dating back to 2008. The breach happened because a server was left without a password protecting it, meaning anyone on the public internet could conceivably find its contents, which included a variety of PII.

What’s notable about the breach is that Ascension specifically targets its services to the financial and mortgage industries. Because of that, its leaders should be well aware of the stringent regulations that exist in this space and should have taken much more rigorous measures to protect the customer data.

The breach, by exposing borrower information to the general public, could conceivably amount to a violation of the FTC Act for those banks and lenders that worked with Ascension.

Unfortunately, these and other violations of industry regulations are not uncommon in fintech startups. Often, they result when tech leaders try to disrupt a highly regulated space without an adequate understanding of the nuanced ways those spaces are regulated. Someone with a tech background may mistakenly believe that, because their company only touches one part of the mortgage lending process, for example, they only have to worry about regulations that specifically touch that part.

In reality, all fintech companies must be invested in the bigger framework of regulations and security.

Target and the Trust Network

This reality was most memorably illustrated by the infamous Target data breach of 2013. The box store’s payments system was breached when a hacker managed to get login credentials for an HVAC company that had access to Target’s system.

Target’s system was secure. The payments system was secure. But because the HVAC company had a weak point, hackers had an entry point.

The lesson was clear: it’s not enough for companies to build and maintain a system that adheres to data security rules and complies with relevant regulations; they must also ensure that the companies they work with (and connect their systems with) are secure and compliant. And this goes double for anyone in a highly regulated space like mortgage tech.

The Solution: Starting with Compliance and Security

The only way to ensure the security and compliance of a company in the fintech or mortgage tech space is to approach service offerings with a security- and compliance-first attitude. This means designing for security and compliance rather than retrofitting systems; in other words, ensuring that there are early hires in leadership positions with backgrounds and experience in technical security and regulatory compliance.

Without security and compliance infrastructure built into the fabric of a mortgage or mortgage-adjacent startup, adjusting to changing regulations and a shifting technological landscape becomes too burdensome. And as soon as a company falls behind on security and compliance, it risks not just the security of end users but also its viability, as partners avoid working with companies that put them at risk.

Data will continue to fuel the world of mortgage lending; startups in the space that hope to thrive must demonstrate to customers and industry partners that they respect their data by making data security and information privacy top priorities.