Higher rates and fintech advances make 2023 a golden age for mortgage servicers, with steadier revenue from lower payoff probability and deeper relationships from better use of customer data. But 2023 will also be the age of consumer data accountability for both lenders and the fintechs that power them.
On February 15, Sagent sponsored a webinar with DS News digging into the consumer data benefits and risks in this golden era of customer experience. The panelists included Sagent’s own Chief Legal Officer Wendy Lee, Sara Lazarus (SVP of Trust & Security, Stavvy), Vanessa Arias (Senior Corporate Counsel, Altisource), and Jan Duke (Chief Operating Officer, a360inc).
The webinar was chock-full of crucial info from these industry pros, tackling questions like:
- What consumers expect from engagement and privacy/protection perspectives
- The best consumer engagement practices in a 2023 regulatory context
- Top consumer data risks lender/servicers and fintechs have in 2023
- Who among borrowers, lender/servicers, and fintechs owns consumer data
In case you missed it, we’ve recapped the biggest takeaways and crucial highlights from the session. Read on for more.
The Legal Framework Around Data Privacy and Protection
Wendy kicked off with a review of the proposed federal regulatory legislation around data privacy. She notes that while there are currently no existing federal regulations with regard to data privacy, there are a couple of proposed pieces of legislation:
“Right now, we don’t have active federal legislation or an effective data privacy law that covers the whole country, but there’s been a few movements in the last year on this front. The first is the ADPPA (American Data Privacy and Protection Act) which was introduced into Congress last year that had some support, evidenced by the 53-2 vote in favor of the legislation by the House Energy and Commerce Committee. There was also some Senate support for this act.”
“And really, it didn’t pass because of two main issues:
- They couldn’t get into agreement first on preemption, because some states have been active in legislating in this area, like California. California really liked its own bill and didn’t want to see this federal legislation get in the way of the progress that it believes it had been making in this area to better regulate data on behalf of consumers.
- And the second sticking point is the private right of action. Many Republicans oppose the concept of giving consumers the private right of action, and the ADPPA did have a significant right of action within its terms.”
Wendy then touched on the second proposed federal legislation, the McHenry Bill, which was rolled out in a discussion draft on June 23 by House Financial Services Ranking Member Patrick McHenry:
The goal of that bill was to again pass federal legislation to modernize financial data privacy laws, providing consumers more control. They are seeking to do this by expanding the scope of Gramm-Leach-Bliley, which servicers know has been around for quite some time to protect sensitive consumer financial data. But the scope of this act would be changed by the bill to include new data rules, allowing consumers to manage their personal information and how it’s shared with finance.
Wendy then goes on to recap the relevant regulatory bodies in the U.S. involved with oversight of consumer data privacy and protection (webinar timestamp 8:13, if you’d like to check it out), as well as diving into the state-level legislation that is currently in effect or soon to be in effect throughout the country (10:55).
Key Trends in Data Privacy
Next up, Wendy identified key trends and hot topics in data privacy and regulation right now, including increased governance, board expertise, and oversight. While needs vary based on the type of organization, there is generally an increased emphasis on ensuring that there’s deep expertise at the highest levels of an organization (including the Board of Directors) to drive better governance surrounding data privacy controls.
Another hot topic right now is breach reporting. People are starting to get up to speed with ways to handle any kind of breach, including having your response team ready to go, with everything on hand. There are a number of services that focus specifically on breaches and can help organizations navigate the process. As Wendy points out, much of breach prevention lies in how we handle data and gather it from the start of the process, and there’s a push toward better risk assessments, better Incident Response Plans, better attack, and third-party oversight (which Jan digs into later on in the webinar).
Another common topic is the GDPR (General Data Protection Regulation) of the European Union, which impacts data that is gathered on European residents and citizens. Not all mortgage servicers have to worry about this, but with changing and expanding portfolios and general globalization, this is an area that is creeping into our territory from a compliance standpoint. (For more on the GDPR, see Vanessa Arias’s commentary at 29:02.)
And of course, as our recent cultural obsession with ChatGPT might indicate, AI is becoming more and more popular, which Wendy and Jan dig into later.
Cybersecurity and Privacy
In the next segment of the webinar, Sara Lazarus unpacks the topic of cybersecurity and privacy.
Sara shared Stavvy’s philosophy and approach to cybersecurity and privacy as enablers for the adoption of innovation, explaining their emphasis on fostering customer trust and integrating that into the fabric of their business. Sara explains,
There are a lot of conversations, especially in this economic environment, around security and privacy as cost, but we’re really looking at it as enablers for adoption of innovation that can end up being cost-saving. We operate in a highly regulated environment and a fairly traditional industry, and we hear that it’s super important for our customers for security and privacy to really be at the forefront. We see this all the time with the questions that we get from potential customers, and their due diligence questionnaires about what really matters to them, and so, as we built out the security program at Stavvy, we put customer trust front and center. And that’s reflected in the structure of how we organize security at Stavvy.
Our trust and security organization includes all three pieces of what we in the security community call the ‘CIA triad’, which are confidentiality, integrity, and availability.
“We’ve listened to the different priorities [our customers] have, and that has actually influenced what we focused on in our priorities with our security maturity roadmap. So last year’s roadmap was in accordance with what customers really said was important to them, in addition to, you know, evaluating according to our NIST cybersecurity framework. We really listen to customers around things like data loss protection and accelerate those pieces.”
On Artificial Intelligence
Later in the webinar (44:19), an attendee asks the panel about AI and ChatGPT [specifically], inquiring as to what some of the risks are in allowing ChatGPT access within a given organization versus the benefits that we’re seeing right now.
Sara agrees that while there is risk in what info is given to ChatGPT, she doesn’t block it within her org, instead taking the approach of sharing with the organization the need to be cautious with regard to what kind of questions are asked of [and shared with] ChatGPT. She explains how ChatGPT is learning and retraining the model with the questions it is asked, so the information you ask can resurface later. So, while there is a considerable benefit to ChatGPT that can be useful in departments across the org, it’s important to make sure employees are mindful that any info they share with it could potentially come back and be used against the organization.
Wendy affirms that arming your team with what to do and not do in that environment is a great way to mitigate that risk. And, that’s true with all things that pose any level of risk as technology evolves. She goes on to say,
ChatGPT is kind of cool to the tech nerd in me, but from the risk and compliance side of me, I know I need to arm everybody to make sure they’re training, and I need to make sure it’s got a specific business purpose that outweighs the risk.
Privacy Compliance in Servicing
Next up, Vanessa Arias tackles privacy and compliance in servicing and shares some best practices to mitigate risk. Vanessa explains,
To establish privacy programs at a high level, I recommend certain steps, like first, designate a team or an individual to lead the privacy efforts of the company that also would help to identify the privacy program drivers like compliance with legal and contractual requirements, avoiding sanctions or penalties, maintaining business relationships with clients, and also protecting personal data that we’re holding.
She continues by saying, “After that is done, I would also encourage you to identify which businesses are affected by their stakeholders in order to understand the complexity of the privacy program, and how ready the company is to implement it.”
I would also recommend to meet with the stakeholders to have a better understanding of the business and operations to determine any applicable legal and contractual requirements, how the data is going to be managed — for example, how the data is collected or how we are obtaining it, including the purpose for getting the data.
Vanessa emphasizes the need to establish security protocols that will be used to store such data and how it will be transferred, for example, encryption at rest or in transit.
She recommends having a well-organized database so that you can “easily identify by person, establish a role-based access approach where the company determines who can have access to the data or specific sets of data and for what purpose, as opposed to just having everything in a general repository that many teams can have access to, and also determine how the data will be stored.”
Finally, she recommends creating policies and procedures to establish and describe the data protection practices that the company must follow in order to remain compliant with such requirements and any future requirements as well.
She closes out by emphasizing the need for a cross-functional strategy: “I would suggest maintaining an effective program by having different groups like legal, privacy, IT teams, and also the business team, whether it is in-house or outsourced with specific functions, working together for successful implementation of the program. The reason I say this is because if these groups don’t come together, they could end up working in silos, and this will result in duplicate efforts, misinformation, and inefficiency. Different teams within your organization should constantly evaluate your current compliance program and controls by identifying further privacy requirements for the company to assess whether additional processes, technologies, or skills are needed, and establish improvement plans.”
Risk Management and Evaluating Third-Party Vendors
To wrap things up, Jan Duke broke down what to look for when evaluating third-party vendors to reinforce your risk management and data privacy efforts (check out the webinar at 33:11 and 38:14 to hear Jan’s full take).
According to Jan, many third-party vendors often don’t know exactly what’s expected of them until they have an audit. So when it comes to asking your due diligence questions, it’s not just about how the vendor answers the question; it’s also about how you know for sure that they will actually follow through on those answers in the real world. Jan explains,
When you’re vetting third-party vendors, you want to know that they’ve tested their business continuity plans, they’ve tested their disaster recovery plans, but what about that incident response plan? If something happens today and your company or that vendor is hit with a ransomware attack, what do you do? Who are you allowed to tell? What do you say? How quickly do you have to report that?
“Part of that comes with cyber maturity, and evaluating the current state of an organization’s cybersecurity posture and identifying the areas for improvement. We’re all evolving daily, but some organizations are more mature than others.”
Want to listen to the webinar on demand? Access the webinar recording here.