Regina M. Lowrie, CMB, of Dytrix on How Lenders Can Protect Against Cyberfraud
Regina M. Lowrie, CMB, is President and CEO of Dytrix, a fintech company that enables secure financial transactions for institutions through the Dytrix Platform, which includes wire/ACH transfer validation and closing agent management. She has more than 30 years of experience in the financial services industry and has established and managed multiple successful banking/lending organizations. In 2005, she became the first woman Chair of the Mortgage Bankers Association and continues to serve on many MBA committees. She can be reached at rlowrie@dytrix.com.
MBA NEWSLINK: Why are more mortgage lenders being targeted by cybercriminals, and why are there not more safeguards in place?
REGINA LOWRIE, CMB: It’s not just mortgage lenders that are being targeted – it’s the whole financial services industry. But mortgages have particular vulnerabilities that make them an easy target. First, every loan transaction involves multiple parties, especially purchase mortgages. And many of these parties, including realtors and closing agents, are operating on unsecured networks that can be easily hacked by cybercriminals. Second, there are many emails sent between the point of sale and closing between lenders, realtors and closing agents. Savvy criminals are monitoring transactions and wait until the loan is about to close to send a fraudulent email, telling the recipient that wiring instructions have changed. Other industries don’t rely on so much email communication.
There are safeguards lenders could take, but the reason many don’t is because they’ve been doing things a certain way for years. But for many lenders, it’s not a problem until it happens to them, and it is often human nature to put off doing something unless someone makes you. Until the federal and state governments said non-essential businesses had to shut down and people had to practice social distancing to stop the spread of the coronavirus, people weren’t volunteering to do these things.
NEWSLINK: What has been the impact on banks and other mortgage lenders from wire and identity fraud attempts? What’s your outlook for 2020?
LOWRIE: Wire and identify fraud attacks have been increasing steadily since 2012. And according to FBI stats, email wire fraud is already one the fastest growing cybercrimes in the U.S. with more than $26 billion in losses from compromised business emails since 2016. Unless we as an industry address the problem, it’s going to continue to grow. Our clients get it and are taking the issue very seriously, but the industry as a whole has been slow in recognizing the risk.
For smaller, independent lenders, one wire fraud incident can have a major impact on the balance sheet. That’s not the case for big banks because they look at it from a reputational risk perspective, so it doesn’t get highlighted that often. The bottom line is that lenders are continuing to wire hundreds of thousands of dollars to bank accounts in which they haven’t validated the recipient. That’s got to change.
NEWSLINK: How does the typical wire fraud transaction take place?
LOWRIE: During a typical real estate wire fraud transaction, the cybercriminal monitors the transaction by email and waits until just before closing to send out an email that looks legitimate but is actually sent from a fake account. It could be a very subtle difference that’s easy to overlook, such as the sender’s email address is one letter different than the closing agent’s email address. The email states there is a change in the wire instruction and requests that the lender send the money to a fraudulent account. Within minutes, that money leaves the country and typically never recovered.
Consumers have also been victims. I’ve had lenders relay incidents in which their wire got to the closing table, but the borrower received an email asking for closing funds to be sent to a different account that turned out to be fake. They could be sending their life savings and when they show up to the closing table, the money is not there.
NEWSLINK: Doesn’t the Closing Protection Letter or errors and omissions insurance protect lenders from wire and identity fraud?
LOWRIE: Neither the CPL nor E&O insurance covers the lender for transmitting funds to the wrong account. The CPL only protects the lender if the closing agent made a mistake. For example, if the lender’s closing instructions for a no cash-out refi say that the closing agent cannot disperse more than $1,000 at settlement, and the agent disperses more, that’s covered in the CPL. But if a cybercriminal sends the lender an email saying wire instructions have changed, and the lender wires the money, that’s not covered in either the CPL or the lender’s E&O insurance.
By the way, many lenders that are concerned about these threats have been getting cybersecurity insurance. However, these policies typically have an exclusion that states if the lender’s employee emails money to a fake account and did not make an attempt to validate the wire instructions, the theft will not be covered.
NEWSLINK: How do these fraud attempts impact lenders’ balance sheets?
LOWRIE: As I mentioned earlier, a successful wire fraud attack can immediately impact a smaller lender’s net worth. For larger lenders, it’s more about reputational risk—but that risk is huge. Real estate wire fraud has a domino effect because multiple people get hurt in every attack. By now, we’ve all heard the stories about borrowers losing all their money and their home. I think it’s worth mentioning that, as this issue continues to grow, it’s only a matter of time before regulators come down hard on our industry for not addressing it. Federal agencies that regulate our industry exist to protect consumers. They don’t care about your balance sheet.
NEWSLINK: You’ve been involved in a number of start-ups over the course of your career. What inspired you to create Dytrix—what did you see (or not see) that was needed in the industry?
LOWRIE: Four years ago, one of my consulting clients, a fairly large bank with mortgage operations, had gone through a regulatory audit from the OCC. This client had a robust vendor management program but when it came to monitoring closing agents, they weren’t doing anything. This is fairly typical of large lenders, by the way. There are so many closing agents and the lenders do not get to pick who they work with, so it’s a daunting task to manage them.
So, I started developing technology to help lenders manage closing agents as a third-party risk. We started off validating bank accounts for wire transfers. But as I learned more about the what the FBI was identifying as a growing risk to our industry, we added a wire validation solution. Everything grew from there.
Without technology, the process of monitoring closing agents and validating all the different factors involved in a single wire transfer is incredibly cumbersome. There are just so many steps that lenders have to do manually. And right now, I feel the problem is about to get much worse.
Think about how many people are out of work right now or in danger of losing their income entirely. Lenders are under incredible stress trying to get loans to the closing table. This is just one more area in which they are past the saturation point. As a result, mistakes are going to happen. Our industry is a sitting duck for anyone overseas who is involved in this type of activity. We are a perfect target.
(Views expressed in this article do not necessarily reflect policy of the Mortgage Bankers Association, nor do they connote an MBA endorsement of a specific company, product or service. MBA NewsLink welcomes your submissions. Inquiries can be sent to Mike Sorohan, editor, at msorohan@mba.org; or Michael Tucker, editorial manager, at mtucker@mba.org.)