#MBATech2022: Mortgage Industry Faces Growing Security Risks

(l-r) Ike Suri; Michele Buschman; Adam Chaudhary; and David Townsend.

LAS VEGAS—Security risks don’t just mean breaches and ransomware. Increasingly, individuals and companies are losing money due to wire fraud and other attacks.

“Technology is the biggest security risk companies face,” said Ike Suri, Chairman & CEO of FundingShield LLC, Newport Beach, Calif., leading a discussion here at the Mortgage Bankers Association’s Technology Solutions in Mortgage Banking Conference & Expo. “It’s at an epidemic level—the FBI reports it among the top-three white collar crimes—and those of us in the industry know that it is also drastically underreported. Companies don’t want you to know how vulnerable they are.”

“We’re seeing systems compromised at every level of business—and it’s increased substantially since the start of the Russia-Ukraine crisis,” said. Michele Buschman, Chief Information Officer of American Pacific Mortgage Corp., Roseville, Calif. “We’re working on education programs for our loan officers on how to work with customers electronically at the beginning of the loan process—we’re trying to add an extra layer of protection and education.”

At APM, Buschman said, “we try to emphasize the ‘human firewall.’ We try to make sure our employees are the first line of defense against wire fraud and cybersecurity.”

“When we talk about security in the loan process, we identify realtors as the first issue,” said David A. Townsend, President and CEO of Agents National Title Incenter LLC, Columbia, Mo. “Realtors and title agents, particularly the smaller operations of one to five employees, are particularly vulnerable and it is where we try to target our education efforts.”

Townsend cited an instance in which a title payoff agent became the target of cybertheft. “We were able to catch it early on,” he said. “It was a very sophisticated operation.”

Adam Chaudhary, President of Funding Shield LLC, said challenges are structural. “We have a largely decentralized recording system—hundreds of recording offices that are largely independent and not well regulated,” he said. “Data is fragmented, and multiple parties coming to a closing with the motivation to close the transaction as quickly as possible—and they are vulnerable to fraud.”

From the lending perspective, Chaudhary said, lenders must be nimbler. “There tends to be a focus on third-party service providers—we vet them once and we assume they are fine, when we should be vetting on a regular basis,” he said.

“The paradigms we are dealing with is finding fraud ahead of time, so we don’t become a statistic,” Suri said. “Insurance is difficult to find—it’s hard to find the ability to cover that risk. When wire fraud occurs, the money is gone—and it’s not just us who are on the hook, but it affects the home buyers as well.”

Consumers, Suri said, have little recourse. “Fraudsters tend to strike on weekends, so they have 48 hours before the fraud is detected. When this happens, oftentimes the consumers end up suing everyone—the attorneys, the lender, the title agents—and it exposes the level of security, or lack of security, in the system.”

“The real question is, where is the recourse?” Chaudhary said. “Preventive solutions are what’s driving the process right now…but the only way you can offer recourse is by demonstrating you have a degree of control.”

The closing protection letter does provide some recourse for fraud, Townsend said. “If those funds are diverted, the letter protects the parties involved. It also validates the agent receiving the money.”

“There’s less risk involved in you splitting an order of wings at a restaurant than there is for a $300,000 transaction to purchase a home,” Chaudhary noted. “There are tighter security precautions for your credit card than there is for the home-buying process.”

“It’s critical from the lenders’ perspective that you automate some of those checks at the human level, so that you can add a layer of prevention,” Buschman said.

“Everyone needs to hear about this—from the C-suite to the interns,” Chaudhary said. “You need to review your processes and educate everyone about how to make your systems more secure.”

“We have to do a better job of educating our customers,” Buschman said. “We don’t have control over their systems. One of the things we try to convey to our employees is that the more you can help educate your customers, they more they will view you as a trusted provider.”

Oh, and by the way, blockchain is not the end-all/be-all. “Blockchain was supposed to put us all out of business,” Townsend said. “But it’s still a human process. If a human enters bad information into blockchain, then the system is compromised. And we’re still in business.”

“Blockchain is worthless unless you have a lot of processes being vetted and a lot of reps and warranties put in place,” Chaudhary said.

“Blockchain definitely has a future, but it’s going to require a lot more work,” Suri said.

Panelists did, however, praise the work of MISMO for its effort in standardizing security datasets for the real estate finance industry. “When you align all of the stakeholders, you create a true digital transaction,” Townsend said.

“The sooner we adopt tools that mitigate cybersecurity, the better off the industry will be,” Suri said. “The bad guys are always going to find a way to make money—we have to have the tools to prevent them from doing that.”

Looking ahead, Townsend said, “real-time payments are the way to go. But widespread adoption of that is at least 10 years away. There is still a lot of work to do.”