Explore our Resource Library to learn more about securing your data, documents, and dollars.

Best Practices Boot Camp Webinar Resources

Best Practices Boot Camp Webinar Part 2

Best Practices Boot Camp Webinar Part 1

RynohLive

Six Steps To Total Escrow Security

Settlement agents and attorneys have been doing business the same way for decades, but the business world is very different now — especially for settlement agents. And the worst kept secret is how vulnerable the average settlement agent’s escrow account is to fraud, embezzle-ment, cyber-attacks and unintentional mistakes.

How Did We Get Here?

The title insurance/settlement industry came under lender, legislator and regulator scrutiny because of the perceived lack of effective controls within the industry, as evidenced by the pervasive escrow theft taking place, which resulted in a loss of confidence in the industry’s ability to police itself. The demise of two regional underwriters in 2011 — the result of escrow theft by their agents — was the catalyst for a comprehensive review by the National Association of Insurance Commissioners (NAIC) and other regulators.

Specifically, regulatory bulletins CFPB 2012-03 and OCC 2013-29 contained guidance that placed the responsibility for the qualification, monitoring and oversight of third-party vendors with lenders, previously the sole domain of title insurance underwriters. Now, underwriters and title agencies need to quickly demonstrate that they have established proper and reliable controls to protect settlement funds.

All the while, title agents have handled their escrow funds the same way they’ve always handled them. That way of doing business does not work anymore. As the NAIC noted in its 2013 Escrow Security White Paper, banks are awake to the fact that escrow theft carries ramifications of reputational damage, loss of revenue, resulting claims and, maybe most importantly, a regulatory response and all of the costs associated with remediation.

But it’s not just the headline-grabbing boogeymen out to get you. There are everyday errors and intentional shortfalls made “just this once” that happen far more regularly that put your company’s reputation at risk. What was once OK is now unacceptable.

As a means for establishing effective financial controls for their agents, underwriters are turning to RynohLive in order to mitigate embezzlement and other losses of settlement funds; while at the same time reducing the cost of insurance bonds that are required as additional protection against claims arising from the improper handling and disbursement of agent-held funds.

Without immediate action and sometimes fundamental changes, the entire industry structure may be at risk. If you, the title agent, do not update your internal processes and controls, and adapt your business now, lenders and regulators will more than likely decide to eliminate your company as a third party service provider.

These decisions are already being made.

Your bank, underwriter and the consumers at the closing table are all looking at you and your escrow account. Can you look them all in the eye and say that their money, their financial security, and their reputations are all secure?

The Good News

The above is certainly painful for some to read, but it’s a necessary preamble as to the state of the title insurance industry, and it highlights the main area of risk: your escrow account.

Here is the good news: Much of your risk is almost completely eliminated. By following these simple escrow accounting best practices, and using today’s technology to your advantage; your business and your customers’ funds will be safer instantly.

RynohLive presents 6 Steps to Total Escrow Security.


STEP 1

Daily Three-way Reconciliation of All Escrow Trust Accounts — NOT Monthly

Three-way reconciliations always have been held as THE accounting best practice, and they still are. The difference in 2014 is the timing. NAIC lists the three-way reconciliation as one of the major basic best practices within its Escrow Fraud White Paper. The American Land Title Association (ALTA) stepped up the industry standards within its Best Practices by calling for a monthly three-way reconciliation. That is a step in the right direction, at least when compared to the previously undefined expectation throughout the industry.

But while monthly three-way reconciliation may be an improvement from where the industry has been, it still leaves you susceptible to fraud, embezzlement and crippling accounting errors. A Phoenix-Hecht study noted that “frequent reconcilement is often your last line of defense to prevent fraud.” A monthly standard will only put up that last line of defense 12 times out of 365 days in a year.

In golf terms, a monthly reconciliation is being 120 yards away from the green and a quarterly or annual reconciliation is being 180 yards away from the green. The extra yardage helps, but you still have a ways to get to the hole. Within that 30-day window, fraud, negative file balances, pending deposits, unsent wires, unprocessed mortgage payoffs, remain very real possibilities, and costly.

Time Can’t Be An Excuse

In 1980, an excuse that “this process is too cumbersome” was real. In 2014, it is not. There is too much technology and integration possible today. Settlement agents have no excuse for handling funds with a 1980s sensibility.

What Can Happen In 30 Days?
The fraudulent: A Virginia Beach title agency caught suspicious activity in its escrow account. The agency was poised to be victimized by the ZeuS Bot and Zero Access Rootkit Malware that had infiltrated its network. The Bot was programmed to infiltrate via the settlement software (specifically targeting title agents). It created fictitious settlement files, moved funds into these fictitious files and posted checks to disburse the funds held in the agency’s escrow account. Luckily, a daily reconciliation report noted these fraudulent disbursements, allowing the title agent to save the $2,000,000 held in the account, avoid insolvency and the bad press. … What would have happened in 30 days?

The everyday: The clock hit 6 p.m. and “X” Title Agency went home for the night. Meanwhile, a bank branch (in another state) transposed two input entry numbers. This accidentally withdrew $87,000 from “X” Title’s account. The next day, this error was caught by a morning report from “X” Title’s escrow accounting software. This was a giant annoyance for “X” Title and the bank, but ultimately it was resolved quickly. … What would have happened in 30 days?

With the stakes so high today, and with the software so accessible, daily reconciliations are simple, so why take a risk with other people’s money? Title underwriters and lenders started asking this question, very seriously, in 2012. They don’t want a 120 yard chip shot to the flag. They want a “tap-in.” And so should you.

Total Security

The above problems were easily iden-tified and solved by RynohReport. This daily report is automatically delivered to you each morning with your first “cup of coffee.” Rynoh’s Morning Re-port apprises you of the status of your escrow account and tracks those criti-cal disbursements that represent your greatest financial and reputational li-ability. These alerts serve as red flags to head off or eliminate: check fraud; ACH and wire fraud; bank errors; dis-bursing errors; and deter embezzle-ment. In addition, the Reconciliation Wizard identifies those items prevent-ing three-way reconciliation and pro-vides corrective guidance.

THREE-WAY RECONCILIATION:

A three-way reconciliation is a method for discovering shortages (intentional or otherwise), charges that must be reimbursed or any type of errors or omissions that must be corrected in relation to an escrow trust account. This requires the escrow trial balance, the book balance and the reconciled bank balance to be compared. If all three parts do not agree, the difference shall be investigated and corrected.


STEP 2

Electronic Verification Of Reconciliation

OK, so you are doing a three-way reconciliation every day. Now what?

ALTA’s Best Practices are industry standards that cover a title agent’s crucial function within the closing and settlement process. Following ALTA’s Best Practices is a good start on the path toward total escrow security, but that’s all it is — a start. Back to our golf analogy, for lenders, the Best Practices for escrow accounting are tap-ins — gimmies — that agents need to have in place.

ALTA’s Best Practice Pillar No. 2 is the call to “adopt and maintain appropriate written procedures and controls for escrow trust accounts allowing for electronic verification of reconciliation.

But what does electronic verification mean? Does this mean that an email from you to your underwriter with a PDF attachment of your reconciliation meets the requirement? NO: True electronic verification goes well beyond an email.

Electronic Verification Systems (EVS) compare items through electronic means to ensure the validity of the item or document being submitted for review or analysis. For reconciliation purposes: Does the underlying data held by the bank and accounting system support the reconciliation results? An electronic copy of a reconciliation statement is simply another form of paper that cannot be analyzed for accuracy, which subverts the true purpose of evolving to electronic verification.

EVS allows you and your underwriter to deal with facts in the form of unquestionable, verified data.

This concept is hardly new and hardly a secret. In 2009, the New York State Insurance Department, in a bulletin that noted an increased focus on title insurance defalcation, listed this as a main deterrent: “Get an automated solution to monitor your escrow accounts through three-way and daily reconciliation of escrow accounts.” How far back was 2009? The first iPad was released in 2010.

EVS for your escrow accounts means automation. That’s what the regulators are looking for; that’s what banks and underwriters are looking for; and that’s what consumers’ funds demand in order to be safe from malfeasance.

Total Security

Because these are gimmies, you should not have to spend much time manually accomplishing these tasks. There is turnkey software out there that easily automates these processes. RynohLive, for example, automates these tasks and has a COMPLETE history of your bank account at the ready.

RynohRecon retrieves the transactions that have cleared the bank and reconciles them against your accounting software every business day, identifying anomalies such as mistakes, potential fraud or audit concerns.

Ninety percent of all national and regional underwriters have endorsed RynohLive. In fact, among its recommended escrow accounting practices, Alliant National Title Insurance Co. lists a daily three-way reconciliation and positive pay. The regional underwriter also recommends RynohLive for this.

Don’t take ALTA’s word for it, don’t even take our word for it. Here is what the New York State Mortgage and Title Unit concluded were the best seven steps settlement agents could take to deter defalcations:

  1. Don’t insure behind a naked transaction.
  2. Submit accurate information on the HUD-1 form. Agents need to ensure the HUD-1 form is accurate, truthful and in compliance with the lender’s closing instructions.
  3. In purchase transactions, submit only the seller’s proceeds. In refinance transactions, transmit only the borrower’s loan proceeds.
  4. Send the payoff letter on the date of disbursement via certified mail or courier.
  5. Get an automated solution to monitor your escrow accounts through three-way and daily reconciliation of escrow accounts.

STEP 3

Use Positive Pay — Immediately

Positive pay is the putter in your escrow accounting golf bag — it is a basic tool for playing the game. Unlike your putter, positive pay is a can’t-miss solution. The NAIC agrees, noting in its recent Title Escrow Theft and Title Insurance Fraud white paper that positive pay is critical for escrow security. And it’s far from a new solution. Even in 2006, before the financial world collapsed, a Phoenix-Hecht white paper extolled positive pay’s virtues for essentially ending check fraud.

“Utilizing a positive pay service will become increasingly more important as the banking industry moves to settle check payments by clearing check images and image replacement documents rather than the original paper checks,” the 2006 paper stated.

Positive pay is an automated check fraud detection tool offered by most banks. How it works is simple:

One of your checks arrives at ABC Bank.

ABC Bank processes the check and matches it against a list of authorized, written checks issued by your company.

In this process, ABC Bank compares: 1) check number, 2) check dollar amount, and 3) check date. If the bank offers payee match, it will also verify the check payee.

If everything matches — the bank has verified that this check is identical to the critical information you have provided on your daily list of approved checks — then the check is processed for payment.

But if there is a discrepancy…

sponse to this email notification, there is a decision time limit as you must advise the bank as how to process that check (Pay or Do-Not Pay). The check(s) requir-ing a decision may be: fraudulent; errone-ously processed (posted) by the bank; a voided check presented for payment; or a miss-numbered check. If you do not notify the bank as to how to process the check, “your decision,” the bank will apply your “default decision.” The default decision, (“Pay” or Do-Not Pay”), is how you wish the bank to process the check should you fail to notify them before the decision cut-off time. The recommended default deci-sion is “Do-Not Pay.” A default decision of “Pay” immediately creates liability for you if the check in question was fraudu-lent. Your default decision instructed the bank to “pay” the check. We believe that it is easier to apologize to a client for a good check that was returned because of a “processing error at the bank,” than it is to have to face the financial loss from a fraudulent check.

What if my bank doesn’t offer positive pay?

Then it might be time to get a new bank. The issue is too important to ignore.

RynohLive however provides a standalone non-payee match positive pay solution (RynohPay) that is a part of the basic RynohLive service. RynohPay provides the same protection as non-payee match positive pay. If your bank provides positive pay, we highly recommend that you utilize that service, especially if the bank provides payee match. Positive Pay is an ALTA Escrow Best Practice.

Total Security

Positive pay on its own is crucial, but there are some obvious operational hurdles for your title agency to clear to regularly provide the check list to the bank and to communicate effectively and quickly in the event of an issue. To help streamline this process, RynohPay provides fully automatic and synchronized positive pay transmissions to your bank (either for payee or non-payee matching).

KNOW YOUR BANK:

Your banker and Bank are essential elements of a successful settlement operation. It must be a strategic decision based upon bank capability, core services, and financial stability; and not merely about the promise of business. But if your bank does not pass the litmus test, this relationship has to be left behind before your company is.

Other than positive pay with payee match, here are some factors to consider in your bank selection:

  • Financial Stability of the Bank (http://www.bankrate.com/rates/ safe-sound/bank-ratings-search.aspx)
  • What are the security requirements for on-line banking?
  • Size might matter — larger banks tend to have better IT security.
  • Do they have a separate department dedicated to title and settlement?

STEP 4

Track Your Disbursements Daily

Positive Pay is your putter, and without it you will be lost, but this isn’t putt-putt. You need to utilize a variety of clubs in your bag to perfect your escrow accounting game.

Large sums of money are coming in and going out of your escrow account daily, which means you need to track the status of your disbursements daily. NOT doing this puts you and potentially your customers’ at risk. Tax checks, deed recording checks, payoffs, home insurance premiums, are but a few that if not paid in a timely manner create both a financial and reputational risk plus potential penalties or fines for your agency.

Important note: For as much as “good funds” are talked about within the title industry, this is not a recognized banking concept. If you are making sure to distribute “good funds,” you are not living up to highest banking standards and leaving yourself open to risks. Collected funds are the only safe standard and should be the only funds you disburse.

Total Security

RynohTrax verifies all receipts and disbursements; provides notification for critical items not posted for either payment or credit; and validates funds flowing into and out of each file. RynohTrax will even alert you if funds have been deposited into the wrong account. The critical payments specified by your company can be tracked by payee, purpose or amount with an alertment issued after a specified timeframe.

Collected funds:

Funds deposited and irrevocably credited to a settlement agent’s account used to fund the disbursement of settlement proceeds.

A lender returned an insufficient payoff without notifying us. The return wire showed up in our Morning Report the next day. We immediately identified the problem, and re-wired the correct amount.

If we were reconciling monthly, I wouldn’t have known about this for almost 30 days.

RynohLive not only saved us nearly $1,800, but prevented our borrower from getting a 30 day late notice on his credit.

Cort Ashton, Vice President, Cottonwood Title Insurance Agency, Inc., Salt Lake City

For all but the smallest title agencies, certain processes can be established such as required, separation of duties for book-keeping, reporting and check-writing, file documentation requirements, internal audits, background checks for newly-hired employees, mandatory use of trust accounts to separate escrow and premium funds from operational accounts, restrictions on investment of trust account funds into accounts that are guaranteed, required lock-up of certain documents and notary stamps, and clear communication of expectations surrounding ethical practices and ensuring employees of whistleblower protections.

NAIC Escrow Theft


STEP 5

Establish Strong Cyber Fraud Protection

Even after you’ve implemented all of these checks and balances, caught every accidental error, locked up the escrow funds and thrown away the key, there is still a possibility for theft. Escrow security technology is progressing at a rapid pace just so it can keep up with cyber fraudsters. In this game, the fraudsters are always a stroke ahead. You need an eagle — a score above and beyond — to beat them.

Cyber fraud doesn’t appear like it does in the movies, either, where you click on an email, your screen turns red, locks up, and instantly you recognize that you are in trouble. Many of these malware “bots” just sit there in the background, gathering password and keystroke information, waiting for the right time to silently access your accounts and wire funds.

Here is a list of some possible attacks:

Malware, Trojans, Viruses and Bots. Malicious software engineered to initiate financial crimes.

Key loggers. Invisible software that tracks key strokes.

Spear-Phishing. Emails that try to exploit human vulnerability and get someone to click an insidious link.

Did you know that your business bank accounts do not have any statutory protections? If they get wired to Russia illegally, the bank is under no obligation to make you whole.

Here are some basics for sound cyber fraud protection, to stop those bots from taking root:

Create strong, constantly changing passwords that are at least 10 characters long and include a combination of capital letters, lowercase letters, numbers and special characters. Use separate passwords for each online account.

Protect your company’s network: Review your network topology, which means ensuring security devices are configured correctly.

Utilize a combination of a quality antivirus program, a firewall and top-level email spam protection.

Verify that any data you transmit is sent over a Secure Sockets Layer (SSL) and that any hosted web software you use has a secured URL beginning with “https.”

Institute employee best practices, such as limiting Internet browsing and disable thumb drives.

Remove old user accounts and rename default administrative account names.

An isolated, secure, stand-alone computer not connected to your network that handles all of your online banking — and NOTHING else.

Ensure that Adobe, Adobe Flash, Java Script and other programs are not installed on this computer.

Use either Google Chrome or Mozilla Foxfire as your web browser, and do not include any add-ons to the browser installation.

Dual authorization of disbursements. One person originates the wire, but the funds can only be released and approved by another person.

Clear the browser cache before starting an online banking session in order to eliminate copies of Web pages that have been stored on the hard drive.

Total Security

An important word for your business is encryption. Your computers and banking environment need to be encrypted. There are products on the market that offer additional encrypted layers of protection, such as Marble Security.

RynohLive offers the most comprehensive Virtual Private Network (VPN) in which to conduct all of your online banking activity when teamed with Marble Security. Marble’s easy-to-use service assesses the risks associated with mobile, personal devices, PCs, apps and networks, and enforces security policies that allow access to a secure virtual private network. Marble Control, managed by RynohLive, allows IT administrators to manage security deployment from devices over the Internet. RynohLive clients can set policies, run risk reporting, and access a rich dashboard to track devices, users, applications and reports.

We have caught errors where the closer may not have entered the deposit in Proform, so there is nothing to match, or the deposit may have been entered in Proform but the deposit was actually not made, such as earnest money that needed to be transferred from another account. A payoff check may not have been sent/ delivered and an alert lets me know it has not been cashed. What I really like about Rynoh is if there is a discrepancy, it tells me the process to go through to correct it. It only takes me a few minutes each morning to review the reports, and the end of the month, reconciliation is a breeze compared to what we were doing. It saves a lot of time. I really appreciate being able to make any corrections within a day or two instead of trying to re-invent the wheel 30 to 40 days later.

Mary Tanner, Hometown Title, Eureka, Ill.


STEP 6

Create Automated Reports To Send To Your Underwriters

Your title errors are covered by your title underwriter or your E&O policy. But your escrow account? That is yours. Some states have started to shift on this, however. Some background:

The Demotech Defalcation Study noted that a few states have “statutorily imposed strict liability for title underwriters for the fraudulent acts of their agents. By transferring the risk of loss directly to the insurer, underwriter strict liability puts the onus on the insurer to appoint agents of high character and financial responsibility, and to implement oversights of agents’ practices.”

According to the Demotech Defalcation Study, even without strict liability, many regional and national underwriters have “instituted policies and procedures to oversee their agents and prevent theft, fraud and other questionable practices by their agents… In addition, new technology is enabling underwriters to utilize accounting software to identify potential instances of defalcation.

From the NAIC Escrow Theft white paper: “Title underwriters increasingly must expend a great deal of resources to detect, prevent and combat problems associated with these types of losses. Conducting audits, investing in software and monitoring transactions are just a few examples of the costs to title underwriters associated with escrow and title premium theft. Title underwriters can exercise more ‘hands-on’ control, policies and procedures for reduction of these problems with direct operations.

And if you refer back to ALTA’s Best Practices, you’ll notice a portion saying, “Results of the reconciliation are reviewed by management and are accessible electronically by the Company’s contracted underwriter(s).

Essentially, the standard is moving to transparency. Title insurance underwriters are now requiring management reports from their title agents — and they want it electronically.

With escrow accounts receiving an intense focus from regulators on lenders and from lenders on title insurance underwriters, this trend is not likely to reverse. Sure, in a perfect world, title agents remain the sole eyes on the their escrow accounts. But if it was a perfect world, no one would be stealing escrow funds. Concessions and improvements must be made.

That’s why this final step is so important. Direct, automated underwriter reporting may become mandatory before you know it.

Total Security

NAIC mentioned integrated software solutions that offer “real-time interaction between title insurers and title insurance agents.” Picture a golfer and his caddy, both reading the lines of a green together to look for any potential problems. The match win (and their stake of the money) are both on the line.

“These solutions that integrate such title and escrow activities as policy orders, policy and endorsement issu-ance, search functions, accounting and administration of escrow and settlement funds can help reduce ad-ministrative costs for title insurance agents, improve record retention, re-duce inadvertent mishandling of funds and provide a less expensive method for insurers to audit and oversee activ-ities of title insurance agents. These commercially available programs can provide much needed controls for title underwriters and title agencies.” (This is RynohLive).

Agents using RynohLive can be monitored, audited and verified 24×7 by their underwriters. With the RynohReport, agents can compile customized alerts into an automated, emailed Morning Report. These alerts serve as red flags to head off and eliminate check fraud, prevent disbursing losses and deter embezzlement and other fraud.

With RynohSecure, underwriters, lenders, regulators and auditors can establish alert criteria independent of agents and direct operations. It provides access to the agent’s RynohLive system to review escrow account activity from the agent’s operations.


Conclusion

If you take nothing else out of these steps, take this: Escrow security is just as much about finding/fixing the everyday errors as it is about protecting your agency from cyber-attack, fraud, and embezzlement of settlement funds.

RynohLive has protected more than $500 billion and more than 1.5 million real estate transactions. Title insurance agents, and their underwriters saved more than $7.5 million in fraud and error losses in 2013 alone. Specifically, eight agencies are still in business today only because they had RynohLive to help prevent: check fraud, illegal ACH’s and wires; cyber-fraud; embezzlement; or bank and disbursing errors.

In a 2014 survey of clients, virtually 100% reported that RynohLive had saved them time, money and prevented errors or fraud. Many reported that RynohLive had saved them over $100,000 in escrow losses due to check fraud, ACH fraud, wire fraud, or employee or bank error.

  • On average agents using RynohLive saved more than $5,000.
  • ~70% said RynohLive identified employee errors or disbursement errors
  • >50% caught bank errors
  • >50% identified returned wires.
  • >75% prevented check fraud
  • All agreed that RynohLive saved them time and worry.

Remember, these are basics for the title industry today and technology makes it easy. Follow the six steps outlined in this whitepaper, implement a winning combination of software and services, and you shouldn’t worry either.

In the days before we had RynohLive, there were a few unpleasant and costly payoff faux pas. A lender called once, telling us the borrower on a refinance was getting collection calls from their old lender. OUCH. The worst thing is forgetting to wire a payoff, then realizing it was an FHA loan … and the payoff has just gone up by the amount of one month’s interest! Now, we are assured every day that all payoff wires have been sent on closed files – and if not, we’re able to get them done in a timely manner, avoiding further interest accrual. We have been alerted to initiate payoffs SEVERAL times. Thank you, Rynoh!

Cathy White, Thurman, White & Anderson, Lexington, Ky.

PDF

877.467.9664 / www.rynoh.com

Change

Change will only occur when it can no longer be avoided” RMR

Our industry is facing a myriad of challenges and changes largely resulting from the implosion of the U.S. economy in 2008 and the subsequent legislation enacted to prevent a reoccurrence. Trillions of dollars in “bad” mortgages and mortgage backed securities originated during the U.S. housing boom created a worldwide financial crises rivaled only by the 1929 depression. Since 2008 revenue and profitability plummeted throughout the title and settlement industry, and while there has been a “recovery”, the real-estate industry is by no means robust. As in the mortgage lending sector, in the title and settlement sector, the significant disruption in transactional volume that the recession triggered, also brought to light all too many compliance deficiencies that led in some instances to outright fraud, escrow fund theft and title agent defalcations. Many title agencies are no longer in business, and those that have “survived” are now facing another, if not greater challenge; namely adopting the new standards for market conduct in order to meet more rigorous and actively enforced regulatory oversight requirements.

The “new” oversight requirements evolved from the Consumer Financial Protection Bureau created by the Dodd-Frank Legislation. Multiple Federal Agencies (e.g., the OCC, FDIC, Federal Reserve, etc.), have issued rulings that remind lenders that they are in fact responsible for the market conduct of their third party providers: title and settlement agents are but a few. Further, lenders must establish evaluation standards and put in place mechanisms for proactive management and on-going oversight of these third parties to ensure that the new consumer protection and long-standing safety and soundness requirements are being met.

The most profound change is that now not only will agents be governed and answerable to their title insurance underwriters, but they also will be overseen, monitored, and answerable to the lenders for whom they serve as third party providers. Lenders rule! Now, it will not be a matter of two or three underwriters with very similar requirements. Every mortgage company sending a loan package and escrow funds will need to have your agency’s compliance package, and enroll your agency in their compliance program. Given this spike in compliance oversight, smart agents are wondering: What will you need to include in this program?; Will each lender address the requirement uniformly?; Will what’s acceptable for one be valid for another?; and, How will we know what is required? The answer is simple, No one knows!

Most of the major money bank lenders have, in response to these oversight and liability requirements, drastically reduced the number of title agencies with whom they are willing to utilize as their third party vendors. By restricting their networks, they restricted liability. Large national title agencies (LNTA) have been working feverishly for the past year plus to put in place Master Service Level Agreements to ensure that they have a continued ability to receive business and remain viable in the “new marketplace”. They have embraced ALTA Best Practices as a performance baseline. LNTA’s have established a compliance infrastructure with dedicated compliance officers, budgeted for implementation, and implemented process improvements necessary to: protect client non-public personal information (NPPI); ensure IT and physical security; and safeguard escrow settlement funds.

Many have expressed concern that the role of the small independent title agency is being diminished perhaps to the point of becoming an industry “white elephant”. For those agencies that have not embraced the changing requirements, and have resisted change, there truly will be no future. For those that are in the process of changing/ implementing, the questions then become: does my agency have a chance to compete in the new market environment; what do I have to do to stay viable; will anything that I do even make a difference; how much is enough; what is my future? Other unanswered questions include: how long will I have to meet the new standards; how will they be enforced; and how will I know if what I have done is “good enough”?

Doing nothing is not an option and there is only one outcome. And while the small agent will never have the financial resources available to the large national agencies, just remember that the magnitude of their compliance concerns is exponentially greater as well. Many have multiple offices in multiple states, and hundreds of employees. Each of those offices and each of those employees must be trained, certified and comply. Small agency compliance problems are minute from that standpoint. Policy and procedure standardization is far simpler, and much less complex.

There will be additional costs, and for a small agency, it is not unreasonable for those expenses to be in the neighborhood of $25,000 – $50,000. If you have a good relationship with you banker, this is the time to request that line of credit to fund the associated costs if financial resources are not immediately available. Many of the actions necessary to achieve compliance are relatively inexpensive, and easily implemented. It is all a matter of prioritization, planning, commitment and follow-through. The question that you must ask yourself: “Is my business worth $50,000.00?” All of the items that are being required quite frankly are things that we should have been doing all along. Your clients should expect that your agency will protect their personal data, closing documents, and disburse their settlement funds securely. Just because your operation is on a smaller scale, does not mean that your clients should not be equally secure when they select your agency for title and settlement services.

There will be a future and it is not all gloom and doom for those that are out front in achieving compliance certification. Common thought has been that settlement and escrow agents had until August 2015 to attain compliance certification. This was the date established by the CFPB for RESPA –TILA implementation. That is not necessarily the case. Many lenders are already asking settlement agents to verify compliance. Many agencies have already received letters or email requests to provide compliance documentation. The response time allowed is brief, some only a matter of a few days, and certainly no time is available to start the process/ complete the required certification standards. You will need to demonstrate that you have met some of the requirements and that you have a plan in place, and that your agency is on track, and has embraced the transformation. How much is enough is purely speculative. Certainly, the more achieved the better the likelihood of staying in the game! There are many agencies that have already been removed from approved settlement listings because they had done little or nothing. It is recommended you initiate the compliance process now and have completed the ALTA certification package no later than September 2014. This does not mean that everything has to be completed by then, however sooner is better.

This March, Wells Fargo, the Nation’s largest lender, in a newsletter to its network of settlement agents, endorsed ALTA’s Best Practices; affirmed that it values local title and settlement providers that deliver a high level of professionalism, customer service and quality to the their customers; and supports consumers’ choice for title and settlement services, as long as “that choice is one able to consistently meet all applicable requirements.” But that same Wells newsletter also cautioned settlement service providers that lender oversight is increasing and that they should be in the process of documenting their compliance enhancement efforts and be prepared to demonstrate their “Top Performer” status.

Another cause for optimism is the OCC Semi-Annual Risk Perspective that was released June 25th. In the report one of the key risks facing Large Banks is “Third-party arrangements that introduce concentration risk”. This is exactly what the large money bank lenders other than Wells Fargo have done to mitigate their third party risk. Size does not preclude fraud and defalcation; rather it can magnify the losses exponentially. E.g.: TitleServ a large national title agency doing business in 47 states was shuttered in 2010 for massive fraud measured in tens of millions of dollars.

STAY THE COURSE AND BECOME “AGENTS OF CHANGE”

Getting Started: ALTA Best Practices Certification Package (www. alta.org/bestpractices/index.cfm)

Simple and easy starting points:

  1. Secure email. If you are not already sending prelims to your lenders via secure email, you are openly acknowledging that you do not understand or acknowledge the importance of protecting NPPI. You may have already lost a referral source and simply don’t know it yet.
  2. Document destruction. Secure shredder boxes for all excess documents.
  3. Daily three-way reconciliation. In 2009 the New York BOI recommended to agents: “Get an automated solution to monitor your escrow accounts through three-way and daily reconciliation of escrow accounts”. LNTA’s reconcile three ways each day, as do virtually all the title and escrow agencies in the West. When I have been out West, as I recently was at the Pacific Northwest Annual Conference, every agent reconciled daily, utilized positive pay, and limited the acceptance of good funds. I jokingly said, “Back East we don’t know Escrow!” No offense intended but those are the simple hard facts.
  4. Positive Pay with Payee Match. At a very minimum you must utilize positive pay. If you currently are not utilizing positive pay contact your banker and get it established before the end of the month.

  5. Physical Security. Clean Desks and a written physical security program are easy to implement. Write up a check list of the actions to be taken at the end of each business day, ensure that computer monitors are shielded and not viewable by others and that screen savers automatically activate after a brief period of inactivity. Where are you closed settlement files stored? Hopefully they are all electronically scanned and stored in the “clouds”. If those files are not, you must move them to bonded secure storage. Jack Rabbit Storage units and home attics or garages are not adequate. If settlement files are stored in your office, is the space locked and access limited? Is there controlled entry with a record of who entered and what files were removed and when were they returned. Do you have an inventory of the files being stored? Are your offices alarmed? Are keys controlled, and not easily duplicated? Are there electronic access controls? Etc….

  6. IT Security. This is the toughest requirement. Getting started is relatively simple but requires some rather stringent rules and changes. The below are simplistic and inexpensive:

    • Strong Passwords
    • Locking Down Firewalls
    • Eliminating Wi-Fi usage in the office
    • Removing USB ports and DVD drives
    • Establishing a dedicated stand-alone computer for online banking
    • Restricting the ability to surf the net
    • Keep Cell phones and other portable devices off the network.
    • Subscribe to Real Estate Data Shield.(my only product plug)

I. Your employees will receive the required IT security training and training certificate.

II. IT assessment and validation is offered.

III. Tailored IT programs are available.

The above is by no means a complete listing of all that must be done. From a compliance perspective, it represents a “reasonable” start. These actions (and the documentation of each such enhancement) outlined above can be accomplished within a matter of a few weeks, and hopefully will demonstrate a “good-faith compliance effort” on your part, that should enable your agency to continue to receive business referrals from your lender and realtor networks as you progress to reach full compliance.

Caveat: This is a personal opinion/ recommendation based upon having participated in the ALTA Best Practices and Future of the Title Industry panels; Testimony before the National Association of Insurance Commissioners (NAIC) on “Escrow Standards the Imperative for Change”; Input to the NAIC Escrow Whitepaper; and meetings with money bank lenders and the CFPB. These recommendations do not necessarily reflect the opinions and recommendations of ALTA; your title insurance underwriters; or any lender compliance considerations.

PDF

FAQ’s

What is RynohLive?

RynohLive is a patented automated escrow and financial managementsystem that provides settlement agents the necessary tools to track and manage their escrow accounts. These tools include daily three-way reconciliation; daily and monthly reporting including tracking and alerting of critical disbursements; as well as integration with bank Positive Pay systems.

How does RynohLive work?

By monitoring activity in settlement software as well as in escrow bank accounts (read-only), RynohLive utilizes unique algorithms to automate the reconciliation process and provides daily reporting on account activity.

How do you obtain access to the settlement software and our escrow accounts?

The RynohLive Service Manager adaptor is installed to connect with your escrow software. This Service Manager currently updates every 10 minutes and identifies any new or updated data entered into your settlement software. To collect daily bank transactions, we require either a direct secure ftp connection with your bank or a read-only access with the agency’s online banking system. These are read-only permissions, no entitlements to wires or transfers. RynohLive needs only to access transactional information.

What settlement software do you work with?

We work with nearly all settlement software on the market today including:

AccuTitle          AtClose          Closers’ Choice          DoubleTime           GATORS          Landtech

RamQuest          ResWare          Settlement Assistant          SnapClose          SoftPro Select

SoftPro Enterprise          SoftPro Standard          TSS TitleExpress          TurboTitle

What is Positive Pay?

Positive Pay is a check fraud prevention system offered by most banks that matches each check presented for paymentagainst a list of checks previously authorized and issued by the company. Items being compared are check number, check date, dollar amount, and in some instances, the check payee.

How does Positive Pay work? 

Positive Pay requires that the agent send (or transmit) a file of issued checks to the bank each day.  When a check is processed for payment by the bank and it does not have an exact “match” to a check in the issued file, it becomes an “exception item.” In the morning, the agent will receive an email notification that contains any exception items that must be reviewed. The client is then required to make a decision on the items marked as exceptions within a given timeframe, or the check will fall into a default decision (it is recommended the default decision always be do not pay). RynohLive will integrate with your bank’s Positive Pay and automate the daily file submission. RynohLive also offers a standalone solution if Positive Pay is not offered by your bank.

What is the onboarding process and how long does it take? 

The onboarding process begins by registering at www.rynoh.com. Immediately after registering, you will receive an email confirming your registration and informing you that a team member will be in touch with you within 24 hours. A second email will follow alerting you that your account has been activated, providing you precise instructions on adding your bank accounts, and outlining the remainder of the registration process. Training for you and your team will then bescheduled– and most clients will be using RynohLive inless than two weeks.

Does RynohLive meet the requirements of ALTA’s Best Practices?

Yes, in fact,RynohLive isthe only solution on the market that allows agents to meet the requirements of Pillar #2, which specifically calls for the electronic verification of reconciliation– a claim that monthly reconciliation firms simply cannot make.With RynohLive, your accounts are reconciled three-ways,and you have embedded tools that assist you identifying potential problems inyour account. The “Reconciliation Wizard” identifies itemspreventing proper three-way reconciliation,flagserror(s), and pinpoints the necessary corrective actions.

What is the cost of RynohLive?

RynohLive is surprisingly inexpensive. Clients are invoiced on closed files, which are defined as a file containing a minimum of a single deposit and three disbursements. The cost per file is significantly discounted with the number of files that are closed by the agents. For example:

*An agent closing 10 files per month will be invoiced $75 for that month.

*An agent closing 50 files will be invoiced $287.50 (or less than the cost of one billable hour for many attorneys).

*2014 pricing

Fact Sheet

  • RynohLive is a patented, automated escrow management system that provides settlement agents the necessary tools to track and manage their escrow accounts. These tools include: daily, automatic, three-way reconciliation; daily and monthly reporting, including tracking and alerting of critical disbursements; and more.
  • ALTA Best Practices Pillar #2 is achievable only with RynohLive. Electronic verification of reconciliation ensures that underlying bank transactions and accounting system entries support the reconciliation provided. RynohLive provides electronic access to underwriters.
  • Endorsed, recommended or mandated by title insurance underwriters nationwide.
  • Meets CFPB/Dodd-Frank requirements for financial transparency, as well as other legal and regulatory requirements for safeguarding settlement funds.
  • In national marketplace since 2009.
  • Protected more than $250 billion and 1 million real estate transactions.
  • Seven agencies are still in business today only because they had RynohLive.
  • Prevents check, ACH and wire fraud; quickly identifies embezzlement and bank or disbursing errors.
  • 2013: Prevented more than $2 million in previously unseen form of cyber fraud in accounting system for Virginia title agency. FBI agent in the case was amazed the agent was not rendered insolvent, that there were no underwriter claims and that lenders and clients were “protected”
  • Saved agents more than $7.5 million in fraud and error losses in 2013 alone.
  • Law firm identified employee embezzlement upon RynohLive installation. The fraud had been ongoing and undetected for more than four years!
  • Identified $1.5-million wire error “Day One” for a Tennessee agent.
  • Accounts automatically reconciled daily and fully audited 24/7.
    • “Reconciliation Wizard” identifies accounting issues and provides for the ability to easily correct.
    • Reconciliation Analysis 24×7 identifies potential regulatory or audit issues.
    • Built-in anti-fraud algorithms identify potentially fraudulent or improper practices.
    • Critical disbursements tracked until negotiated for payment.
    • Management reporting enables proactive account management.
  • Functional modules:
    • RynohPay – Fully automated positive pay delivery system. Payee or non-payee match files submitted in synchronization with individual bank’s update cycle. Standalone system for agents whose banks do not offer positive pay.
    • RynohTrax – Agent managed system for tracking critical disbursements by payee; purpose or amount within a specified timeframe. Results reported daily.
    • RynohRecon – Fully automated reconciliation system with built in “Reconciliation Wizard” and “Reconciliation Analysis,” and many other tools to ensure accounts are properly maintained 24/7. Even alerts agent when funds have been deposited into the wrong account, and identifies the account holding the funds.
    • RynohReport – Full menu of management reports including monthly reconciliations, revenue tracking and archives. Monthly reconciliations automatically sent to underwriter or regulator with provision for review/correction before submission.
    • RynohSecure – Audit and analysis module. Entire escrow account is fully audited 24/7 with built-in and user tailored anti-fraud algorithms, and automated reporting.

Installation and activation almost overnight.

    • Seamless integration that runs “in the background,” no new software to learn or changes in operational procedures required.
    • Cyber fraud protection available through Marble Security for secure online banking, no matter where you bank.
    • Housed in an SSAE-16 SOC-2 certified data center located in Northern Virginia. Servers are mirrored and balanced with web servers isolated from database and operating system servers. Disaster recovery server housed in Dallas ensures uninterrupted availability.
    • TRUSTe certified, RynohLive displays the TRUSTe privacy shield to demonstrate its strict adherence to all requirements for protecting your and your clients’ non-public personal information (NPPI) and data.

Cyber Fraud Alert - A New Variant

RynohLive prevents Cyber Fraud from costing agent ~$2,000.000.00

Earlier this year, RynohLive’s “Morning Report” alerted a Virginia Beach, Virginia title agency to suspicious activity in their escrow account. The agency was poised to be victimized by the ZeuS Bot and Zero Access Rootkit Malware that had infiltrated their network. Rather than accessing their online banking, the Malware “went into their settlement/ accounting software”, then created ficticious settlement files, “moved” funds into these fictitious files from valid funded settlement files, and posted checks as disbursement of the funds held in the agency escrow account. From post incident analysis, it appears as if the Malware was able to gain access through an outdated version of Java.

Had the agent not been attentive and carefully reviewed their “Morning Report”, the initial loss would have been well in excess of $300,000. Once succesful, the ZeusBot would have been back for the remaining balance of well over $2,000,000. This loss of settlement funds would have rendered the agency insolvent, impacted their clients and created a large claim for their title insurance underwriter, and potentially bad press for their bank!

The checks that the Malware “issued” would have cleared the agency’s escrow account since the agency was utilizing positive pay. The positive pay files sent to the bank for that day contained the fraudulent checks! Only because of RynohLive was the agency alerted, able to intercede, take action, and notify the bank before any of the checks cleared. This heretofore unknown form of Cyber Fraud was an attempted end run around check and online banking security protocols. The FBI agent investigating the case was amazed that RynohLive was able to detect the fraud and totally prevent the loss.

In addition to subscribing to RynohLive, how else can you protect your agency against cyber fraud?

1) Uninstall all versions of Java, then reinstall the latest version of Java and update it.

Currently: Version 7 Update 14

2) Set and enforce strong administrative controls for those with access to your settlement and disbursing

a. Freeze files after closing so that changes cannot be easily made;
b. Limit those who can make changes for disbursed files;
c. Limit functions for individuals disbursing funds. E.g.: Remove their ability to delete files or create new files; transfer funds; disburse files with negative balances, etc.

3) Ensure that network computers log-off the network automatically after a brief period of inactivity.

4) Consider utilizing biometrics as a replacement for passwords as login credentials.

5) Consider placing your settlement software in a hosted environment, and only accessing the cloud utilizing IronKey (Marble Security) cyber secure access.

IT Security 101 Do’s:

    • Have a managed antivirus solution.
    • If IT professionals are not available, assign updating all machines on the network to a user. This user should update all applications, plugins, Windows updates, and any other software on the machines at least once every other week.
    • Software firewalls should be active and updated on all machines within the network.
    • Have a “network usage policy” signed by everyone using your network
    • Have security enabled for your Wi-Fi
    • Change default passwords (you would be surprised how often they are not)
    • If feasible, track the devices that you allow on your network. Known as BYOD from Marble Security.
    • Install/scan virus protection on computers before they access your network.
    • Use an intrusion detection system if possible, there are good free resources.
    • Use groups and the “need-to-know” process for file access; do not give access where it is not needed.
    • Use VPN over SSL for external connections.
    • Use HTTPS when transferring personal or customer data (Encrypted Email)
    • Backups are vital and should be done frequently (at least daily)

Don’ts:

  • Don’t use WEP security for Wi-Fi
  • Don’t assume Apple products are secure
  • Don’t assume phones are secure
  • Don’t use office-wide passwords for anything

Real Estate Data Shield

Why do I need a Compliance Management Platform?

Data security compliance

is the lender’s No. 1 concern in the management of their service providers.  Regulators are holding lenders strictly responsible for the compliance of their vendors. Striving to meet these compliance mandates, our industry is adopting and fulfilling ALTA’s Best Practice initiatives.

Our Compliance Management Platform™(“CMP”)

offers specific compliance and data security solutions to meet these data security demands. Following the guidelines promoted by ALTA and the regulations of federal and state agencies, Real Estate Data Shield‘s tools are user friendly, cost-effective and industry specific.

Our CMP provides the following solutions

Policy Templates for Information Security and Privacy
Security and Privacy Staff-Training e-courseware, full analytics, post-course exam and certificate of completion
Security practices self-assessment tool

By deploying our Compliance Management Platform,™ you demonstrate compliance to lenders and regulators, minimize exposure to data breaches, and reduce risk of business disruption due to regulatory investigations.

Compliance Management Platform™

Targeted – specifically designed for the title & settlement industry. The CMP tools help meet the rising lender, regulator & industry demand for data security

Timely – lenders have identified data security compliance as their No. 1 concern with regard to their service providers

Necessary – regulators such as the Consumer Financial Protection Bureau, Office of the Comptroller of the Currency and Federal Deposit Insurance Corporation emphasize that lenders are responsible for the compliance of their service providers

Consistent – the CMP solutions work together using a common language and approach to provide a practical, easy-to-use and comprehensive solution to today’s data security challenges

Staff Training: The Key Recommendation

Employee training is one of the most effective strategies your company can take to avoid a security breach and ensure compliance with federal laws, rules, and regulations. Implementing a sound training program will improve staff performance in handling sensitive consumer information. It will also satisfy the key recommendations of regulators, professional associations and information management experts.

The Federal Trade Commission (FTC)

The success of a company’s information security plan “depends largely on the employees who implement it” so training employees “to take basic steps to maintain the security, confidentiality, and integrity of customer information” is critical to that success. (“Complying with the Safeguards Rule” Bulletin)

The Consumer Financial Protection Bureau (CFPB)

Companies “must provide for an effective training and compliance management program for all employees and service providers.” (Supervisory Highlights Bulletin, Fall 2012)

American Land Title Association (ALTA)

ATLA’s 2013 “Title Insurance and Settlement Company Best Practices” Bulletin requires “appropriate management and training of employees” and “conducting ongoing employee training” to “ensure that a real estate settlement company can meet state, federal and contractual obligations governing the settlement process.”

The Office of the Comptroller of the Currency (OCC)

Financial Institutions are required to “train employees to ensure proper implementation of the Financial Institution’s information security program.” (Interagency Guidelines Establishing Standards for Safeguarding Customer Information)

Do Banks Have To Ensure That Vendors Comply With Privacy And Security Laws?

Fact Sheet for Banks

Banks are now expected to ensure that vendors comply with all applicable privacy and security laws.

Congress created the Consumer Financial Protection Bureau (CFPB) in 2010 to regulate consumer protection in the United States. On April 13, 2012, the CFPB issued a bulletin (CFPB Bulletin 2012-03) requiring financial institutions to have an effective process in place to manage the risks of service provider relationships.

Financial institutions are to take steps to ensure that service providers are familiar with legal requirements, that they make efforts to implement these requirements carefully and effectively, and that they exhibit appropriate internal controls. The CFPB “expects supervised banks and nonbanks to have an effective process for managing the risks of service provider relationships.”

CPFB Requirements:

The CPFB requires supervised banks and nonbanks to take steps to ensure that business arrangements with service providers do not create unwarranted risk to consumers. Pursuant to the April Bulletin, these steps include:

  • Conducting due diligence to verify that the service provider understands and is capable of complying with the law.
  • Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities.
  • Establishing internal controls and on-going monitoring to determine whether the service provider is complying with the law.

Our Solution

Our employee-training program in privacy and security is designed specifically for the Title & Settlement industry. Our interactive e-Courseware teaches your employees how to comply with federal laws, rules, and regulations to satisfy the CPFB’s expectations. This cost-effective training allows you to significantly reduce your company’s liability risks.

Omni Intermedia has awarded its 2012 Bronze Award to Real Estate Data Shield for its compliance and data security e-Courseware. The Omni awards committee honored Real Estate Data Shield for quality and content that achieved the highest standards of excellence in educational training.

After completing our course, your employee will know how to demonstrate reasonable care in handling personal data. Your company will be less likely to experience a data breach. The course also includes a built-in accreditation process. Following successful completion of the course, Real Estate Data Shield issues a certification, which demonstrates that an employee has gained essential knowledge about safe data handling practices.

We are a team of highly successful Title & Settlement entrepreneurs, internationally recognized privacy experts, and award winning e-courseware designers.

Let us help you be Privacy Smart.TM

Do Real Estate Settlement Companies Have To Protect Personal Information?

Fact Sheet for Real Estate Settlement Companies

The Gramm-Leach-Bliley (GLB) Act requires all “financial institutions” to adopt policies and procedures to protect nonpublic personal information.

Real Estate Settlement Companies Are Subject To The GLB Act

  • The GLB Act defines “financial institution” very broadly as “any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956” (12 U.S.C. 1843(k)).
  • The Federal Reserve Board has included “real estate settlement services” as an example of such financial activities (12 C.F.R. 225.28). Consequently, real estate settlement companies are subject to the rules and regulations of the GLBA.
  • A real estate settlement company is broadly defined as a company that provides services in connection with a real estate settlement closing (12 U.S.C.A. 2601 et. seq.). Real estate settlement companies include, but are not limited to: title companies, title and settlement companies, real estate agencies, appraisers, and underwriters.

Responsibilities under the Law and Industry Best Practices

  • Issue a Privacy Notice: Real estate settlement companies are required to provide “a clear and conspicuous notice” that accurately states the company’s privacy policies and practices (FTC Privacy Rule, 16 CFR Part 313).
  • Create an Information Security Plan: Real estate settlement companies are required to develop a written information security plan that describes their program to protect customer and consumer information (FTC Safeguards Rule, 16 CFR Part 314).
  • Properly Dispose of Personal Information: The Fair and Accurate Credit Transactions Act (FACTA) requires real estate settlement companies to properly dispose of personal information, and to take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal (FTC Disposal Rule, 16 CFR Part 682).
  • Provide Data Breach Notifications: Real estate settlement companies in forty-six states and the District of Columbia are required to notify consumers in the event of a data security breach involving personal information. The only four states without a security breach law are Alabama, Kentucky, New Mexico, and South Dakota.
  • Follow ALTA Best Practices: In January 2013, the American Land Title Association (ALTA) issued benchmark “Best Practices” for Title & Settlement Companies. These include the requirement of “a written privacy and information security program.” As part of this Best Practice, ALTA also called for “appropriate management and training of employees to ensure compliance with a company’s information security program.”

Our Solution

Our employee-training program is designed specifically for the Title & Settlement industry. Our interactive e-Courseware teaches your employees how to comply with federal laws, rules, and regulations. This cost-effective course allows you to significantly reduce your company’s liability risks.

Omni Intermedia has awarded its 2012 Bronze Award to Real Estate Data Shield for its compliance and data security e-Courseware. The Omni awards committee honored Real Estate Data Shield for quality and content that achieved the highest standards of excellence in educational training.

Do Title Companies Have Fewer Obligation Than Title And Settlement?

Fact Sheet for Title Companies

Title companies get no “free pass” when it comes to privacy and data security laws. Under federal law, they are treated exactly the same as Title & Settlement companies with identical obligations to comply with privacy and data security laws.

  • Title companies are defined as “financial institutions.” Section 225.86 of Title 12 of the Code of Federal Regulations includes real estate title abstracting as an activity that is financial in nature. Any financial institution that provides financial products or services to consumers must comply with the privacy and security provisions of the Gramm-Leach-Bliley Act as well as the rules that the Federal Trade Commission issued pursuant to it: the Privacy Rule and the Safeguards Rule.
  • The Gramm-Leach-Bliley Act (GLBA) requires all financial institutions to develop and maintain security measures and safeguards to protect all documents containing “nonpublic personal information.”
  • Nonpublic personal information means “personally identifiable financial information” that a consumer supplies or that is obtained in connection with a transaction involving a financial product or services. So long as this information is not available publicly, which is a narrowly defined category, it is covered information under Federal law.
  • Title companies generally do not handle exclusively public information. Most title companies handle private consumer information on a daily basis. Such information includes information provided on loan or insurance applications, account information, and information from a consumer credit report. Common documents with non-public information include transfer tax returns, bank pay-off letters, and statement of identify forms (such as copies of drivers’ licenses). All these documents contain personal information, including social security numbers and account numbers, which federal regulations require be protected with appropriate measures.
  • The FTC is increasingly using litigation as a means of enforcing its rules and regulations. For example, in FTC v. Nations Title Agency et al. (2006), a title company had disposed of confidential customer information in an unsecured dumpster, and hackers had exploited security flaws in the title company’s network. The title company was found in violation of the FTC’s Safeguards Rule, Privacy Rule, and Disposal Rule.

Our Solution

Our employee-training program in privacy and security is designed specifically for the Title & Settlement industry. Our interactive e-Courseware teaches your employees how to comply with federal laws, rules, and regulations. This cost-effective training allows you to significantly reduce your company’s liability risks.

Omni Intermedia has awarded its 2012 Bronze Award to Real Estate Data Shield for its compliance and data security e-Courseware. The Omni awards committee honored Real Estate Data Shield for quality and content that achieved the highest standards of excellence in educational training.

After completing our course, your employee will know how to demonstrate reasonable care in handling personal data. Your company will be less likely to experience a data breach. The course also includes a built-in accreditation process. Following successful completion of the course, Real Estate Data Shield issues a certification, which demonstrates that an employee has gained essential knowledge about safe data handling practices.

We are a team of highly successful Title & Settlement entrepreneurs, internationally recognized privacy experts, and award winning e-courseware designers.

What Is The Value Propostion In Staff Training?

Staff Training Value Proposition

The Statistics: The Ponemon Institute – a prominent research center dedicated to privacy, data protection and information security policy – has analyzed data breach incidents within U.S.-based companies (2011 Cost of Data Breach Study: United States). Significant findings from the report include:

  • An astounding 39% of all data breaches are caused by employee or contractor negligence.
  • An additional 37% of all breaches are caused by malicious or criminal attack, often by rogue employees or contractors.

Employers are partly to blame. Many organizations have failed to educate employees on the necessary measures to reduce data security and privacy threats.   Another Ponemon study found that employees “do not believe their organizations provide ample training or adequate policies to inform them about data protection and security practices in their workplace.” (2009 Annual Study: Cost of a Data Breach)

The Key Recommendation: Employee Training

Do you want to reduce your company’s risk of suffering a data breach? Data privacy and security experts and regulators repeatedly recommend employee training as one of the most crucial and effective strategies in avoiding data breach. For example:

  • The Federal Trade Commission (FTC) has stated that “the most effective data security plans deal with four key elements: physical security, electronic security, employee training, and the security practices of contractors and service providers.” (Federal Trade Commission, Protecting Personal Information: A Guide for Business)
  • Symantec, the largest developer of security software, has stated that employee education and training is one of the “best practices to thwart a cyber attack.” (2012 Endpoint Security Best Practices Survey)
  • The Privacy Technical Assistance Center (PTAC), a division of the U.S. Department of Education, has stated that security training for all data users is the “best strategy for ensuring that a major threat to data security … is proactively addressed before more breaches occur.” (Data Security and Management Training: Best Practice Considerations)
  • The American Land Title Association (ALTA) has issued benchmark “Best Practices” for Title & Settlement Companies. These include the requirement of “appropriate management and training of employees to ensure compliance with a company’s information security program.” (ALTA, Title Insurance and Settlement Company Best Practices)

Our Solution

Real Estate Data Shield has developed an employee-training program in privacy and security that is designed specifically for the Title & Settlement industry. In less than thirty minutes, our interactive e-Courseware teaches your employees how to comply with federal laws, rules, and regulations. Our cost-effective training significantly reduces your company’s liability risks by allowing you to demonstrate legal and regulatory compliance.

Omni Intermedia has awarded its 2012 Bronze Award to Real Estate Data Shield for its compliance and data security e-Courseware. The Omni awards committee honored Real Estate Data Shield for quality and content that achieved the highest standards of excellence in educational training.

After completing our course, your employee will know how to demonstrate reasonable care in handling personal data. Your company will be less likely to experience a data breach. The course also includes a built-in accreditation process.

Lender Liability Timeline

Lender Third-Party Service Provider Liability: Timeline & Analysis

How unprecedented lender regulation has triggered a Compliance Age in the Title & Settlement Industry

Christopher J. Gulotta, Esq., Real Estate Data Shield, Inc.®

Lenders, regulators, and title underwriters recognize that independent title and settlement agents (ITSAs) play a critical role in the facilitation of mortgage finance transactions. These mostly small and closely held companies possess the local knowledge, expertise, efficiency, and coverage needed and provide consumers, lenders, and title underwriters with the ability to consummate such transactions nationwide, with nearly unlimited scalability, on a daily basis. Beyond ensuring that lenders are primary lien holders, the role of ITSAs requires that they have extensive contact with consumers and lenders, handle highly sensitive non-public personal information (NPPI), and receive and disburse huge sums of funds funneled through mortgage disbursement and other escrow accounts. This requires lenders, consumers, and scores of parties involved in such transactions to reach beyond the traditional expertise of ITSAs, and to rely upon on their fidelity and adherence to a score of expanding federal and state laws, rules, and regulations.

Heightened legal and regulatory compliance requirements are only part of the picture. In addition, leading institutions have become more involved in the regulatory arena, including multiple federal and state regulators, lenders, and the industry trade association, the American Land Title Association (ALTA). Collectively, these parties aim at rendering the title and settlement process safe and sound and ensuring it is conducted in a manner that best protects consumers. ALTA’s Best Practices provides ITSAs with a tangible list of critical criteria that endeavors to reconcile all regulatory sources and industry mandates.

Yet there are some tensions and conflicting goals among the stakeholders, which create industry uncertainty over how to best adapt to and embrace this rising compliance expectation.

For example, the Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB) have differing regulatory objectives. While both regulators make clear that lenders are responsible for all the vendors in their supply chain, the OCC requires lenders to act in a safe and sound manner, whereas the CFPB requires lenders to act in a manner that provides consumer protection in the context of consumer financial laws. These seemingly consistent goals can, in operation, sometimes conflict. (For example, a consumer’s right to choice of vendors can conflict with the safety and soundness of the closing process.) Moreover, the operative guidance these regulators provide lenders was designed to be “flexible” or discretionary. In effect, this leaves lenders with the sword of Damocles hanging overhead when trying to determine how to implement, scale, and push down these mandates to an industry that varies in practice from state to state and often county to county.

Understandably, lenders are struggling to determine how to implement these mandates, given the lack of a uniform, national consistency regarding closing practices and the roles of ITSAs, and how, if at all, to scale-down such requirements and determine what precisely is “appropriate” in each circumstance and in each closing locality.

In the absence of a uniform, consistent guideline for compliance, a concrete timeline, and a clear understanding of what is expected of ITSAs, an implementation ambiguity exists at a time when all should be moving forward.

So what are ITSAs to do? Fortunately, for such companies, ALTA has created and charged special task forces and committees with developing a list of the most essential categories of compliance. In fact, ALTA went further by meeting with the principal stakeholders, including lenders, regulators, and title underwriters, to make the seven pillars of their Title Insurance and Settlement Company Best Practices Version 2.0 (July 19, 2013) and their Assessment and Certification processes as robust and consistent as possible with what such stakeholders and the industry deem most appropriate moving forward into the emerging Compliance Age of our industry.

Throughout the following chronology of operative regulatory Guidelines, Rules, and Bulletins, the various regulatory agencies emphasize and generally are in agreement on the following key points and expectations regarding lenders’ risk management of their third-party service providers:

  • Lenders are responsible for their third-party service providers: A lender’s use of service providers does not diminish their responsibility to ensure that all related activities are conducted in a safe and sound manner, consistent with applicable laws and regulations. In fact, service providers are subject to the same risk management, consumer protection and privacy obligations that would be expected if the lender were conducting the activities directly. Service providers are also subject to the same regulatory oversight and scrutiny as lenders.
  • Reliance on third-party relationships can significantly increase a lender’s risk profile. In particular, a lender’s strategic, reputation, compliance, and transaction risks are all heightened by the use of third-party service providers.
  • To control this risk, lenders should adopt a risk management process (RADDCO). A risk management process should include: (a) A risk assessment to identify the lender’s needs and requirements; (b) proper due diligence to identify and select third-party service providers; (c) written contracts that outline duties, obligations, and responsibilities of the parties involved; and (d) ongoing oversight (monitoring) of the third parties and third-party activities.
  • Lenders have flexibility in their oversight of third-party service providers. A lender’s risk management system should reflect the complexity of its third-party service provider activities and the overall level of risk involved. Each lender’s risk profile is unique and requires a tailored risk mitigation approach appropriate for the scale of its particular third-party relationships, the materiality of the risks present, and the ability of the lender to manage those risks. Thus, no single system is ideal for every lender or circumstance.

Timeline Summary (chronologically):

  1. July 2001: The OCC releases “Interagency Guidelines Establishing Standards for Safeguarding Customer Information” (12 CFR § 30, Appendix B). The OCC ensures that national banks and federal savings associations operate in a safe and sound manner and in compliance with applicable laws. In these Guidelines, the OCC advises that a lender, in fulfilling its oversight obligations, should: (a) exercise appropriate due diligence in selecting its service providers; (b) enter into contract requiring service providers to implement appropriate measures to meet the objectives of the Guidelines; and (c) monitor its service providers to confirm they are implementing the agreed-upon security measures. As part of this monitoring, a lender should review audits, summaries of test results, or other equivalent evaluations of its service providers.
  2. November 2001: The OCC releases Bulletin 2001-47, “Third-Party Relationships: Risk Management Principles.” Providing further guidance to lenders on managing risks that may arise from their business relationships with third parties, this Bulletin highlights four key requirements of a lender’s risk management process: (a) risk assessments to identify the lender’s needs and requirements; (b) proper due diligence to identify and select third-party service providers; (c) written contracts outlining duties, obligations, and responsibilities of the parties involved; and (d) ongoing oversight of the third parties and third-party activities.
  1. June 2008: The Federal Deposit Insurance Corporation (FDIC) releases Bulletin FIL-44-2008, “Guidance for Managing Third-Party Risk.” This Bulletin and the supporting Financial Institution letter describe potential benefits and risks arising from third-party relationships and outline risk management principles for a lender’s significant third-party relationships. The language and content of this bulletin is substantially similar to OCC Bulletin 2001-47.
  1. March 2012: The five largest mortgage servicers enter into consent judgments. The Justice Department, HUD, and 49 state attorneys general announce the filing of their landmark $25 billion agreement with the nation’s five largest mortgage servicers to resolve violations of state and federal law.The agreement provides for “new servicing standards” that mortgage servicers are required to implement. Servicers are required to oversee and manage their third-party relationships in which they must perform due diligence and conduct reviews to ensure viability.Servicers must also conduct audits of third-party providersto ensure compliance with applicable state and federal lawand that servicers regularly review and assess the adequacy of the internal controls and procedures of their third-party providers
  1. April 2012: The CFPB releases Bulletin 2012-03, “Service Providers.” This Bulletin makes clear that the CFPB expects supervised banks and nonbanks to oversee their business relationships with service providers in a manner that ensures consumer protection through compliance with Federal consumer financial law. Specifically, the CFPB expects lender banks to have “an effective process for managing the risks of service provider relationships.” Lender banks should: (a) conduct thorough due diligence to verify that each service provider understands and is capable of compliance; (b) review the policies, procedures, internal controls, and training materials of service providers to ensure that the service provider conducts appropriate training and oversight of employees; (c) include in service provider contracts clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities; (d) establish internal controls and on-going monitoring to determine whether each service provider is complying with the law; and (e) take prompt action to address any problems identified through the monitoring process, including terminating the relationship where appropriate.
  1. October 2013: The OCC releases Bulletin2013-29, “Third-Party Relationships: Risk Management Guidance.” This Bulletin replaces and rescinds Bulletin 2001-47 and raises the compliance bar for banks in the context of their management of third-party relationships. The OCC raises concern that banks may generally have “failed to” assess the risks associated with third-party providers, perform due diligence and on-going monitoring of these relationships, and enter into agreements properly assessing internal risk management capabilities. The OCC now expects “more comprehensive and rigorous oversight and management of third-party relationships that involve critical activities [including] significant bank functions (e.g., payments, clearing, settlements, custody).” This heightened expectation thus places banks and ITSAs even more squarely in the regulatory cross hairs. If this mounting regulatory concern and effort to identify the risks associated with the use of service providers were not enough, consider how the largest mortgage lender has recently weighed in on this:
  1. March 2014: Wells Fargo issues Settlement Agent Communications Newsletter, “Looking forward in 2014 and beyond.” While recognizing the value of the local title and settlement agent, Wells makes clear that as third-party compliance expectations increase, so too will Wells’ expectations of their service providers, through increased monitoring and performance metrics. Wells supports ALTA’s Best Practices and identifies a “transition time” to become a compliance “top performer.” Wells inquires into whether the implementation process has begun and whether ITSAs are able to document and validate it independently.

In conclusion, while we do not have a uniform template for compliance and a hard timeline, True North for ITSAs is clearly to work diligently to achieve and be able to demonstrate compliance with ALTA’s Best Practices. Doing so ensures that your company is well positioned to withstand lender or regulator scrutiny and that you are able to tangibly demonstrate and market precisely what the up-stream referral sources will now require.

Christopher J. Gulotta, Esq., is the founder of Real Estate Data Shield, Inc. and principal of The Gulotta Law Group, PLLC. He frequently writes and speaks on compliance issues relating to title & settlement agents.

DataMotion

FAQ’s

How Does The DataMotion Platform Save Me Money?

  • No Overhead
  • No IT maintenance
  • No courier or Overnight Delivery fees
  • Reduced Carbon footprint means fewer dollars spent
  • Help with Compliance means no fines, lawsuits, etc
  • Time saved by employees means dollars saved
  • Increased productivity means dollars saved
  • Reduced bandwidth for large files…reduced costs

Is DataMotion a “Green Solution?”

Every day, businesses exchange tens of thousands of digital files, large and small. DataMotion is committed to helping businesses become more efficient and productive, reduce costs and reduce their carbon footprint by providing a “green” method of sharing digital files.
DataMotion enables businesses to eliminate the need for courier and overnight delivery services with our Managed File Transfer solution.

Are DataMotion Services Encrypted?

Yes, our solutions provide military-grade encryption for the smallest businesses to the largest enterprises.

How Much Do DataMotion Services Cost?

Please click here to submit a request for pricing information, or just give us a call. We would be more than happy to assist you.

Can All Users Receive And Sent Files Using DataMotion?

Anyone can receive emails using DataMotion SecureMail without a paid license. In order to initiate emails or file transfer, however, you will need to have a license. Any person responding to an email they have received through SecureMail can respond to those emails without having a paid account. Of course, paid users can send emails using DataMotion. If you would like to get a multi-user 14-day complimentary trial for your company, please click here.

How Does DataMotion Provide Compliance To Regulations Such As HIPAA And SOX?

DM provides a platform to help organizations to meet compliance requirements by providing governance capabilities such as tracking, reporting, filtering and auditing of information exchanged between business partners, colleagues or customers.

Do I Need To Download Special Client Software?

No. As long as you have access to a web browser, you can access your DataMotion account, and send and reply to emails. Our on-demand software will also provide automatic updates.

Do Your Solutions Work With Email Clients Like Outlook and Lotus Notes?

Yes. DataMotion is entirely standards-based, and fits easily with the systems you have, such as archive systems, DRM systems, e-discovery software and email platforms (including Exchange, Notes and GroupWise). You can be up and running within one business day.

Do You Have Expertise In Specific Industries?

Successful business processes are streamlined, automated and secure, enabling companies to do more business, with more partners and more customers, productively and in compliance with industry and government standards. For over a decade, DataMotion has been providing best-of-breed solutions that allow businesses across many different industries to automatically communicate and work securely, seamlessly, and quickly, regardless of processes, systems, and data formats.

I Have Legacy Systems That Currently Don’t Talk To One Another. Can DataMotion Help?

Yes. The DataMotion Platform, an on-demand or on-site service offering, governs information transfer between disparate and often-asynchronous legacy systems for secure business communications and trustworthy collaboration. DataMotion provides an intelligent information transport system that can bridge disparate systems, improve service levels and build customer trust. And since our Platform service is offered as an on-demand service in the cloud, our customers are up and running in a matter of days. Companies going through M&A can send secure messages to their new colleagues and business partners, well before their internal email systems can be integrated. This is crucial in exchanging critical information needed to keep key customers and business partners satisfied during this time of financial volatility and market uncertainties.

What Are The Advantages Of An On-Demand (SaaS) Solution Over On-Premise Or In-House Deployment?

  • Low Total Cost of Ownership (No hardware to purchase, no capital expenditures)
  • Quick Implementation
  • Minimal Training
  • Light Footprint
  • Minimal Administration Required – Ideal for resource-limited environments
  • Reduced Bandwidth
  • Drastically reduced risk of downtime
  • Upgrades auto-delivered so you always have latest version

Do I need to purchase all services on the DataMotion Platform, or can I do it based upon my needs?

The DataMotion Platform is just that. It is a foundation upon which all our services rest. SecureMail is at the core of our solutions, and is the technology used to move information from A to B, so SecureMail is the only prerequisite for all our solutions. Outside of that, you only need to pay for what you use.

Why Do I Need SecureMail?

Email is an integral part of doing business today. Enhancing the email process does not need to be costly or complicated. DataMotion SecureMail is cost effective, easy to install and quick to implement.
DataMotion SecureMail makes email communication as secure as it is easy. Built on top of the DataMotion Platform, it offers flexibility that enables businesses to enjoy the same high-end encryption used by government agencies and large financial and healthcare enterprises.

How Quickly Can DataMotion Services Be Up And Running?

Our on-demand service can be up and running in just a few hours. On-premise deployment, while quick, requires a bit more time, as we will come to your facility to help get you up and running, and trained.

Why do DataMotion services protect?

DataMotion protects and governs sensitive information being exchanged between business partners, colleagues and customers.

Why do I need DataMotion if I already have security software installed?

DataMotion compliments, and is not intended to replicate most security software. DataMotion tracks, filters, secures, audits and manages and automates information in motion.

What size businesses use DataMotion services?

The DataMotion Platform easily scales to provide solutions for the smallest businesses through to the largest enterprises.

Why did you change your name?

CertifiedMail has concentrated on serving the secure email space for nine years. During that time it has expanded the product via customer-led development projects. These features have extended the platform well beyond secure email. The original name – CertifiedMail – was too restrictive. Therefore, the company decided to rebrand not only the company name, but the product names as well.

I used CertifiedMail to send email. Will the way I send email through DataMotion change?

No, it will not. You may continue using the same process as before to send and receive secure mail.

Will my current contract with CertifiedMail.com change?

No, it will not. In fact, DataMotion, Inc. is a wholly-owned subsidiary of CertifiedMail.com, Inc.

Will this change the way in which I contact support?

Yes, we have enhanced your support contact options. You may contact support by dialing 1 800-672-7233, or by clicking this support link.

How do I ask additional questions not addressed here?

Please feel free to call us at 1 800-672-7233 or click here for contact information. We look forward to hearing from you.

SecureCloud

PC Magazine Technical Excellence Award

CertainSafe Ultra-Secure, File Sharing is Honored in PC Magazine’s Coveted “Technical Excellence Award in Security”

MicroTokenization of data is the main reason CertainSafe is recognized as one of the “Best Steps Forward in Technology and Science”

COLORADO SPRINGS, Colo. Dec. 16, 2014 – CertainSafe, a global provider of highly secure data security solutions, today announced that it was named to PC Magazine’s 2014 Technical Excellence Awards in the category of Security, which features “breakthroughs that will change the future.”

CertainSafe’s award-winning, ultra-secure file sharing, storage and messaging service joins some elite companies that were issued PC Magazine’s Technical Excellence Award over the past 31 years. The annual awards examine forward-thinking technology in several product categories that PCMag editors believe will have a major impact. PCMag is recognized as one the top leading authorities on technology, delivering labs-based, independent reviews of the latest products and services. Past recipients of the award have included game-changing technologies such as the first 386-based computer in the 1980s, Intel Pentium, Apple Power Mac G5, 802.11g-based Wi-Fi, Amazon EC2, Apple iPad, Verizon Wireless 4G LTE, and Project Natal (which became the Microsoft Xbox Kinect).

PCMag reviewer Neil J. Rubenking recognized CertainSafe as an Editor’s Choice Award winner earlier this year prior to its placement in the security category of the Technical Excellence Awards.

According to Rubenking, CertainSafe’s cloud-based service “not only encrypts your data, its MicroEncryption system scatters the encrypted bits across multiple servers. A hacker who breached the encryption on one server would get nothing but bits and pieces, useless without the other parts of the file. CertainSafe maintains PCI Level One certification and is fully HIPAA compliant.”

“If your company has to comply with HIPAA or other standards for protection of Personally Identifiable Information, the mere act of using a non-compliant cloud storage system could be a costly violation. That’s where CertainSafe comes in,” continues Rubenking.

“If Sony and the almost daily victims of cyber-sieges had been using CertainSafe, these data breaches most likely would not be happening,” said Pete Hoekstra, congressman and former chairman of the House Intelligence Committee, who joined CertainSafe’s advisory board earlier this year. “Why waste resources on costly forensic investigations into who is behind these attacks when technology exists to prevent them in the first place?”

“Data security, compliance, and control are the last remaining apprehensions of many companies moving to the cloud,” continues Hoekstra. “CertainSafe’s MicroEncryption – MicroTokenization process can remove these concerns once and for all. This is a technology unlike any other in the marketplace today, making it security that you can actually trust.”

“The rash of data breaches and hacks at companies like Target, Sony and others has delivered a wake-up call and exposed how vulnerable any individual, business or government installation are to losing control of highly sensitive internal information,” said Richard Marshall, Former director of Global Cyber Security Management, National Cyber Security Division, Department of Homeland Security, who recently joined the company’s advisory board.

“Cybercriminals are working around the clock to develop and unleash new threats faster than companies can react to them. Once intruders are in, they have access to virtually all of your data and records,” said Steven R. Russo, executive vice president of CertainSafe. “This is the dark side of the Internet, but it does not have to be that way. It has been repeatedly proven that ‘bulk encryption’ is not secure enough.”

CertainSafe’s advantage comes from its proprietary MicroTokenization technology that uses MicroEncryption to encrypt each file individually down to the byte level, which sets it apart from all known available competing file sharing and data based cyber-protection platforms. Customers also benefit because CertainSafe’s technology and servers are maintained in-house and not outsourced. This practice ensures unparalleled levels of security and reliability and all but prevents the threat of a mass data breach, by making it mathematically improbable if not impossible to accomplish.

CertainSafe can secure any data type, including simple text, documents, and even top-secret files. It is the only file sharing service to offer PCI Level 1 DSS Certified data storage. As PC Magazine editor noted, CertainSafe users can store HIPAA, PCI, PFI, PHI, PII as well as other types of sensitive data that require compliance.

Other security features unique to CertainSafe include a multi-layered login process that uses personal pictures and personal phrases delivered from different servers. A randomized challenge question(s) follows the personal image to provide maximum login security.

Learn more about CertainSafe at www.certainsafe.com.

About CertainSafe

CertainSafe’s mission is to make the world safer, one byte at a time. Through proprietary MicroTokenization® technology, data is made safe from breaches once and for all. CertainSafe’s PCI Level 1 DSS Certification separates them from all file sharing and collaboration platforms. Users can store HIPAA, PCI, PFI, PHI, PII as well as other types of highly sensitive data including those requiring compliance. Don’t trust your data to anyone else. CertainSafe provides a 100% money back guarantee. Visit us at www.certainsafe.com.

Media Contact:

Len Fernandes, 1-888-317-4687 ext. 702, Len (at) firecrackerpr.com, www.firecrackerpr.com

First Advantage

Best Practices Boot Camp Webinar