According to Verizon’s 2019 Data Breach Investigations Report, 10% of the 2,013 breaches that occurred in 2018 were within the financial industry. Personal data was compromised in 43% of those breaches, which were largely attributed to privilege misuse, errors or unsecure web applications.
Within real estate industry breaches, two-thirds of reported incidents resulted in the actual exposure of data to an unauthorized party. Sitting squarely across those two industries, the importance of strong data security processes in mortgage finance is clear.
While we can agree on that point, how to efficiently build those processes across the many players in the mortgage pipeline is a bit less clear. Our industry’s current decentralized approach to data security is not only cost prohibitive as we each take on significant expense to secure our part of the process, but also less secure as it creates multiple points of potential data exposure as data is gathered for or passed from step to step. From blockchain to tokenization to regular purging of personally identifiable information, there is tremendous opportunity to better safeguard homebuyer data while managing costs within the mortgage finance industry.
Current state
Today, each participant in the mortgage finance ecosystem receives and stores at least one copy of a borrower’s PII. Beginning with the lender, any other services utilized in the transaction may receive one or more documents containing PII. These documents get copied and transferred to every participant in the loan transaction – lender, mortgage insurance company, title company, appraiser, servicer, closing attorney and others.
The mortgage industry was born in the age of paper where PII was affixed permanently to each document. Over the past 30 years, the mortgage industry has “digitized,” only to turn paper into electronic bits and bytes. However, it’s still the same data in the same basic format. This creates inefficiencies in the overall system as there are multiple copies of data and documents stored in multiple locations. Any given borrower is at risk of data loss if any of these participants’ platforms are compromised thereby breaching the portion of the data and documents they possess.
Protecting all this data is costly—but it’s even more costly to remedy when breaches occur, and consumer data is exposed. Deloitte’s 2019 Future of Cyber Security Report Survey results show that financial firms spend $2,300 per employee attempting to address cyber security concerns. This pales in comparison to the average cost of a data breach of $148 per record, according to IBM’s 2018 Cost of a Data Breach Study by Ponemon. Investing in your data security capabilities pays off, though. Results show the average total cost of a data breach is $2.88 million for organizations that fully deploy security automation, compared to $4.43 million for organizations that do not deploy automation—a net total cost difference of $1.55 million.
What does that security solution look like? It could take on various forms, depending on our industry’s appetite for change. There are many different types of technologies that have the capability to simplify the management of PII within the mortgage industry, and as an industry it’s important to continue exploring different options as it relates to data security. Some options worth exploring include blockchain and the tokenization and purging of PII.
The big swing: Blockchain
One of the newer tech buzzwords in an era of efficiency and security, blockchain technology is a distributed shared ledger that records and provides an audit trail of transactions that flow through a process. Like a ledger, information is not edited—a new copy of the record is stored with the updated changes, leaving a permanent and unchanging “paper trail” of all changes and activity on a single record. Acknowledging that the players in any particular mortgage process, as well as the contents of a blockchain, can vary, here’s an oversimplified illustration:
- Buyer completes a pre-approval application with a loan officer, including PII
- Loan officer adds the full loan application to the blockchain, starting a new record
- Buyer selects a home and an appraisal is ordered
- Appraisal company receives a security key to access that single record within the blockchain for the information they need to complete the appraisal; they do not have access to other entries within the blockchain
- Rinse and repeat for mortgage insurer, titling company, servicing company, etc. throughout the life of the loan
If changes to the record occur at any point, such as marital status, salary or address, the party that takes in the change will add an updated entry to the record, which will then replicate to all other parties with the key for that record. This creates a single source of truth that bridges not only players in the mortgage finance process, but also stages, while minimizing access to PII and capacity for tampering.
Blockchain could play a role throughout the mortgage finance lifecycle, enhancing data security, reducing inefficiencies, and creating space for evolution within the industry. In the loan origination space, blockchain could be used to share and secure customer financial information. In the case of title and related insurance, blockchain could be used to record and track ownership of the asset, removing the need for title insurance.
In the case of mortgage claims processing, smart contracts could automate the business process, triggering claims payments automatically and removing many of the manual steps. In the case of servicing, blockchain could be used to automate payments and mortgage servicing rights transfers, among other areas. Beyond the loan process, blockchain also can bring improvements to more traditional mortgage finance processes such as securitization. The use of blockchain and smart contracts in securitization could bring transparency and cost savings to the process. A blockchain could provide investors with “real time” data on all underlying collateral in a mortgage security, giving investors a more accurate assessment of their exposure and risk.
By using blockchain to handle consumer data, one can be assured that data has not been tampered with, and if it has been, audit information on what was changed, how, and by whom is readily available in the blockchain ledger.
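The append-only record and tamper evidence described above can be shown with a hash chain. This is an added example, not code from the article or any vendor: it is a single-process simplification of a distributed ledger, and the function names and sample values are hypothetical and constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used by the first entry

def entry_digest(body):
    # Canonical JSON so the same entry always hashes to the same value.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def append_entry(chain, party, changes):
    """Append an update; earlier entries are never edited in place."""
    body = {
        "index": len(chain),
        "party": party,
        "changes": changes,
        "prev_hash": chain[-1]["hash"] if chain else GENESIS,
    }
    chain.append({**body, "hash": entry_digest(body)})
    return chain[-1]

def current_state(chain):
    """Replay all entries in order to get the latest view of the record."""
    state = {}
    for entry in chain:
        state.update(entry["changes"])
    return state

def first_invalid(chain):
    """Return the index of the first entry that fails verification, or None."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        linked = entry["prev_hash"] == prev and entry["index"] == i
        if not linked or entry_digest(body) != entry["hash"]:
            return i
        prev = entry["hash"]
    return None

def build_sample_record():
    # Constructed sample data; no real borrower information.
    chain = []
    append_entry(chain, "loan_officer",
                 {"borrower": "tok-001", "salary": 85000, "marital_status": "single"})
    append_entry(chain, "appraiser", {"appraised_value": 310000})
    append_entry(chain, "servicer", {"salary": 92000})
    return chain
```

Editing an old entry breaks its own hash, and re-hashing that entry breaks the link from the next one, so verification points at where the record stopped being trustworthy. In a shared ledger the chain is also replicated across the parties, so one participant cannot quietly rewrite and re-hash the whole history.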
“A blockchain also can be structured so that no single user can decrypt all data, which compartmentalizes any potential breaches by removing any ‘single points of failure,’” explained Carey Kirkpatrick, Ranieri Solutions chief development officer. “Finally, data sharing can be done within the blockchain to limit external file distribution and information leakage.”
So, with all these benefits, why hasn’t mortgage finance gotten on board with blockchain already? The complexity of aging systems within the space creates one challenge, and according to Chak Kolli, Tata Consultancy Services chief technology officer, the challenges in adopting blockchain technology as a solution are mostly cultural, with many enterprises still experimenting and waiting for others to lead.
“Success depends on the parties coming together to form a consortium to define and exchange shared information and processes via the blockchain,” Kolli said. “The consortium should come to a consensus on how the solution will be governed, who will be the neutral party that enables this governance and identifies issues that may arise and provide consensus solutions by which the entire ecosystem abides.”
While there is a plethora of products and services available that promise blockchain solutions for housing, the most successful approaches are those where servicers and originators review their core processes from a fresh perspective and then consider how blockchain can help.
Many processes in servicing and origination exist solely to overcome a challenge presented by legacy systems and technology or to comply with new or modified rules or regulations. Removing those system shortfalls allows servicers and originators to rethink how processes could run and implement more efficient ones while still operating their businesses within the guidelines of the ever-changing regulatory environment.
Too much change? Try tokenization.
While blockchain would be a sea change for the industry, tokenization presents a less invasive way to drive efficiency in protecting homebuyer data throughout the mortgage cycle. Historically, the borrower is linked to every document by their name, address and social security number. While addresses may change over time, name and SSN typically do not. They are static values or tokens of identity for an individual—but should we limit ourselves to these static values?
Tokenizing these values into some otherwise meaningless value that could be affixed to each document would remove the sensitivity of any given document because the identity of any individual is obscured. This token could then be passed through the ecosystem as a placeholder for the individual’s identity, linking documents and transactions together. In a dynamic digital world, the tokens could be assigned uniquely per individual per document, and then be time-based and/or dynamic, so the token value on one document would not necessarily match the token on another document even though it’s the same borrower.
Any time the true identity is required, an identity broker responsible for managing identification tokens for all borrower identities in the ecosystem could de-tokenize to the real value. With this notion of a central identity broker, any time the true identity was released, the borrower could either opt in or deny, or at least monitor, all disclosures, putting the consumer in greater control of their PII. The concept of tokenization has existed for quite some time, but is only now being explored in use cases, whereas the concept of an identity broker and tokenization of the identity is relatively new and not yet in widespread use.
While this solution would require integration of industry participants to utilize the identity protocols for document attribution, all documents would then be free of PII, reducing data security expenses at each step in the mortgage process. The compromise of individual documents would be of no value since they could not be linked to an individual. The compromise of the identity broker, while difficult on its own, would require the additional compromise of all the individual documents stored elsewhere to link to individuals by deciphering all tokens—an arduous task. Additionally, individual institutions could retain and store documents and data they may need for analytics like risk or pricing without concern of PII data loss. At the end of the life of the mortgage, if the document data is still required for analytics, the token value could be removed from the document or data making it completely anonymous.
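The per-document token and identity broker model described in this section, as an added example that is not from the article. `IdentityBroker` and its methods are hypothetical, storage is in memory only, and the time-based token variant is left out.

```python
import secrets
from datetime import datetime, timezone

class IdentityBroker:
    """Hypothetical broker: the only place where tokens map back to identities."""

    def __init__(self):
        self._vault = {}       # token -> (borrower_id, document_id)
        self._consent = {}     # borrower_id -> parties allowed to de-tokenize
        self.disclosures = []  # audit log the borrower can monitor

    def tokenize(self, borrower_id, document_id):
        # Random token per borrower per document: two documents for the same
        # borrower carry unrelated tokens and cannot be joined without the broker.
        token = secrets.token_urlsafe(16)
        self._vault[token] = (borrower_id, document_id)
        return token

    def grant(self, borrower_id, party):
        # Borrower opts in to disclosure of their identity to one party.
        self._consent.setdefault(borrower_id, set()).add(party)

    def detokenize(self, token, party, purpose):
        entry = self._vault.get(token)
        if entry is None:
            raise KeyError("unknown or retired token")
        borrower_id, document_id = entry
        allowed = party in self._consent.get(borrower_id, set())
        # Every attempt is logged, whether it is allowed or denied.
        self.disclosures.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "borrower_id": borrower_id, "document_id": document_id,
            "party": party, "purpose": purpose, "allowed": allowed,
        })
        if not allowed:
            raise PermissionError(f"{party} has no consent from the borrower")
        return borrower_id

    def retire(self, token):
        # End of loan life: drop the mapping so the document becomes anonymous.
        self._vault.pop(token, None)
```

Documents held by lenders, insurers or servicers would carry only the token; the broker's vault and disclosure log become the assets that need the strongest protection.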
In the meantime, purge.
Any shift from our industry’s current decentralized data security approach will require a cooperative mindset and time, but you can start driving efficiency in your organization today by regularly purging PII from your systems and processes. Our previous mindsets of keeping all the data because it might be useful or because it’s too hard to delete must be discarded. A strong data security program depends on PII being purged as frequently as possible. In a perfect world, it would be done in near real-time, as retention requirements expire, and be built into applications, not activated as a separate process.
To do this, you need to know exactly what data you have, its age, and where it’s stored—and then use that information to develop an intentional strategy about what to keep and what to delete. Engage your IT team in evaluating the best approach for your environment, based on the age and complexity of your systems, data structures, and regulatory retention policies.
Do you want to keep non-PII elements while removing sensitive information? Is your data stored in a single location or stored redundantly in several places? How do you manage data security in your archives and/or paper files? Your specific situation may dictate what is possible, but taking a thorough and thoughtful look at your practices will more than likely yield some level of improved effectiveness and efficiency, as well as minimize your data footprint across your organization.
While a solution that centralizes PII across the industry within a single environment would further facilitate effective data reduction, we can each work within our current construct to ensure that retained PII records are minimized. Purging PII on a regular basis will not only reduce the attractiveness of the organization to an attacker, but it’s also good practice and a requirement per some state and industry regulations. Demonstrating a commitment to protecting PII speaks volumes not only to consumers, but also to regulators.
Conclusion
Data security plays a critically important role in the mortgage finance industry where borrowers entrust their most valuable and identifiable information to various institutions as they navigate an intricate process.
As leaders and players in the industry, it’s imperative to continue evaluating and enhancing current security measures to minimize the number of data breaches and prevent them. Whether those enhancements come in the form of a blockchain solution or tokenization, or simply doing a better job of purging PII, securing borrower information will remain a top priority for savvy institutions for years to come.