Rob Nunziata of ActiveComply: Regulatory Implications of Employing Remote Workers

Rob Nunziata is co-founder and CEO of ActiveComply, Orlando, Fla., a provider of cloud-based platforms that help companies in highly regulated industries stay compliant. He is also Co-CEO of Orlando-based FBC Mortgage LLC, one of the nation’s largest retail home lenders. Before joining FBC more than 17 years ago, he worked at First Horizon National Corp. Contact him at rob@activecomply.com.

MBA NEWSLINK: What are some of the regulatory and agency requirements to which mortgage lenders with remote employees are subject?

ROB NUNZIATA: Mortgage lenders are subject to multiple regulations and requirements depending on where and how they do business. HUD, for example, has certain policies in place that require lenders to ensure privacy protection for FHA borrowers – even when they have staff working from home. That means that computer screens should only be visible to the user and no one else. Other rules for securing loan files also still apply whether someone is working in a licensed office or from home. Most recently, lenders have been subject to a growing number of state laws involving the use of remote workers and what their staff can and cannot do when working from home.

NEWSLINK: What is a hot button for state regulators?

NUNZIATA: Our customers tell us that the states are most concerned with consumer data protection. It’s not terribly hard to understand why. Just in the past several years, there’s been a significant increase in privacy violations and data breaches involving mortgage lenders and servicers. Some of these incidents have resulted in regulatory enforcement actions as well as multi-million-dollar class action settlements.

Because of such incidents, state regulators have been busy enforcing new laws designed specifically to protect consumer privacy, which makes the process of ensuring remote workers remain compliant much more complex. These requirements often include rules to ensure remote workers aren’t storing private consumer data at their homes. Some states are going a bit further, though. For example, the Rhode Island Department of Banking recently issued rules that require lenders to use appropriate risk-based monitoring and oversight processes for work performed by employees from home. Meanwhile, Kansas requires lenders to annually review and certify that their employees are taking reasonable precautions to protect sensitive consumer information and provide written documentation upon request. California goes so far as to state that remote work locations can only include residences that are only accessible to the immediate household who lives there – no transient rentals like Airbnb.

NEWSLINK: How are lenders addressing these important issues?

NUNZIATA: Ultimately, lenders need a sound strategy and additional resources to manage remote workers compliantly, wherever they do business. Currently, some lenders have dedicated staff that do on-site inspections of remote offices and workers. However, with the market now contracting, many lenders simply don’t have the resources to ensure remote worker compliance without some kind of help. As a result, many are turning to encrypted technology to help ensure and document their compliance and reduce risk.

Thankfully, new solutions are making these efforts fairly simple and straightforward. By using employees’ geo-tracking function on their own phones, for instance, companies can determine the location of their remote workers at any point in time. There are also tools that can verify the internet protocol address, location, and speed of a remote worker’s internet connection as well as secure video technology that can help companies inspect remote workplaces. When these tools are combined on a single platform, mortgage companies are able to manage and address any issues involving their remote teams without the exorbitant travel expense that comes with doing it in person.

NEWSLINK: Are there other government rules or regulations that remote office inspections using technology help?

NUNZIATA: Beyond rules specific to the financial services industry? Absolutely. Employees of any company who work remotely are bound by regulations in the state where they live and work, including payroll laws, how they are classified as employees, sexual harassment training requirements, and so on. We’ve also seen some employees filing workers’ compensation claims for injuries sustained in their own homes. By using remote inspections, however, an employer can reduce this risk by verifying an employee’s safe working conditions and documenting it on video.

NEWSLINK: Is there a federal agency that polices remote office workers?

NUNZIATA: Not yet. So far, states have taken the lead in developing requirements and regulations for remote employees. Many of these efforts sprang out of the COVID-19 pandemic, when states granted lenders temporary permission to allow their employees to work from home instead of from a licensed location. Since then, about 20 states have enacted laws that make these flexibilities permanent.

In fact, the Mortgage Bankers Association recently created proposed model state legislation and regulations to facilitate these efforts. The group’s proposal includes safeguards for protecting consumer information in compliance with the Gramm-Leach-Bliley Act in addition to ensuring the installation of security patches for their networks. The MBA also released some best practices involving remote workers, such as forbidding licensed employees to meet with consumers at their remote work location like their homes, and not promoting their remote work location on a company’s brochures or other marketing materials.

That being said, we think it’s likely we’ll see new federal regulations that apply to lenders with remote workers. In the future, agencies may ask that lenders submit a list of their remote employees, when they started working remotely, and specific information about where they work and what hardware and security protocols they use. We may also see rules that restrict remote employees from working from any public location, such as a library or coffee shop.

NEWSLINK: For which states or federal agencies can a lender use remote office inspections?

NUNZIATA: At this early stage of the game, over 50% of U.S. states have formally enacted laws or regulations to permit remote work so long as certain supervision measures are met by financial institutions. Remote inspections performed through technology serve as a proactive tool that gives lenders the best chance to satisfy government concerns while minimizing costs. Over time, as more government rules and regulations are developed, we believe remote inspection technology will quickly adapt to ensure companies are able to meet the new rules as they develop.   

NEWSLINK: Do regulators and agencies already have a checklist for remote office workers?

NUNZIATA: Not necessarily. Regulators often look to lenders to explain and prove how they are properly supervising their remote employees. That’s why it is important for lenders to be proactive by verifying that the remote employee and workspace conditions remain compliant. For example, with the right technology, companies can utilize remote inspections for at-home employees to ensure they are meeting current requirements as well as the company’s own guidelines and procedures. Showing a governmental agency proof of compliance can prevent unnecessary actions against the mortgage company. If and when regulators—state or federal—do come out with more formalized checklists, having access to easy, affordable, and accessible technology to ensure compliance will be key.

(Views expressed in this article do not necessarily reflect policy of the Mortgage Bankers Association, nor do they connote an MBA endorsement of a specific company, product or service. MBA NewsLink welcomes your submissions. Inquiries can be sent to Mike Sorohan, editor, at msorohan@mba.org; or Michael Tucker, editorial manager, at mtucker@mba.org.)