Mortgage is one of the most heavily regulated industries in the world, with watchdogs like the Consumer Financial Protection Bureau (CFPB) and regional regulators enforcing several laws to protect both borrowers and the bank. This can take a heavy toll on your compliance burden, including hefty penalties for non-compliance.
In recent years, the compliance burden has intensified further due to two reasons – post-recession and pandemic-era relief norms, and the digitization of the mortgage business. IT compliance in mortgage is now more important than ever, with sensitive data traversing through digital channels, housed remotely on the cloud, and mortgage platforms being used by multiple stakeholders or users.
When mortgage executives use unapproved ‘shadow IT’ tools, the risk of non-compliance increases manifold.
What Is Shadow IT in Mortgage?
Shadow IT refers to the use of non-standardized technology at the workplace without explicit approvals from the IT teams, which could be either hardware or software use.
For example, a law around compliance for mortgage origination may mandate underwriters to use a specific loan origination system (LOS), with its own private cloud storage. But going against compliance for mortgage origination, an executive may store a loan approval file in their personal Dropbox account. This is a case of shadow IT in mortgage.
Why does shadow IT occur?
The most common reason is convenience and what the employee perceives as efficiency. In the above example on compliance for mortgage origination, it is possible that the employee has forgotten their login credentials to the company’s LOS. Instead of contacting IT and asking for help, they decide to take a shortcut and store the file temporarily in their personal account.
Similarly, shadow IT can occur if an employee logs into mortgage systems from a mobile phone when they are only supposed to use company-provided workstations. Indeed, the chances of this occurring have gone up in the last two years, with so many employees working remotely, outside the immediate supervision of their managers. Remote employees may also find it difficult or inconvenient to reach out to the proper teams managing IT compliance in mortgage since they are sitting in a different location.
Shadow IT Indirectly Increases Non-Compliance Risk
It should be noted that shadow IT does not directly cause regulatory non-compliance. In other words, watchdogs do not mandate that specific systems and platforms be used to handle borrower data, provide mortgage servicing, and conduct verifications. Instead, they define the standards for securing the systems – for example, the PCI Data Security Standard (PCI DSS) mentions the rules that a network must adhere to, in order to process consumer payments in a compliant manner.
When employees use shadow IT, they risk non-compliance in mortgage origination, servicing, title processes, property preservation, and other parts of the mortgage value chain, since there is no guarantee that the unapproved hardware and software tools meet the norms set by industry regulators.
For example, if an employee were to inadvertently expose a large database of borrower information in the public domain, this is a breach of compliance and data privacy laws. Shadow IT often contributes to risks like these, as employees are likely to circumvent password protection, access privilege rules, data sharing norms, etc. This expands the surface area of potential threats and makes you open to non-compliance.
Top Shadow IT Risks to Watch Out for in Mortgage Process
To ensure IT compliance in mortgages, it is necessary to watch for, and address the following:
1. Employees not being familiar with IT best practices
Lack of proper technical knowledge and how to navigate digital systems compounds the risks around IT compliance in mortgage. It is well-known that the mortgage industry employs an aging workforce, which may not be digitally native. Further, when employees join from a different industry, they must be trained on mortgage systems and how to (and how not to) use them. Otherwise, employees may take unnecessary risks, such as plugging their personal media into workstations or using their personal email accounts.
2. Insufficient budget allocation for employee tools
When employees perceive a budget deficit, they may try to get the same tasks done using a cheaper or free system. If a mortgage business does not convey that there are sufficient budgets for core employee needs, there is a risk that workers will turn to shadow IT tools. This is particularly true for everyday workplace applications like team collaboration systems, cloud storage, borrower data management, and hardware peripherals like contact center headsets.
3. A remote working culture and flexibility in the workplace
Remote working has become commonplace after the pandemic, even in a highly regulated industry like mortgage. Consider the fact that Vermont law required Mortgage Loan Originators (MLOs) to work out of a licensed location before COVID-19, which has changed since then.
The same is true for most local and state governments, creating an overall culture that prioritizes flexibility and remote work. While it is important to allow a degree of empowerment and autonomy, detailed remote working guidelines are necessary to ensure IT compliance in mortgage and prevent risk-prone bring-your-own-device (BYOD) behavior.
Emphasizing Cybersecurity and Working with Compliant Partners
Mitigating the effects of shadow IT has two elements – conducting regular cybersecurity audits to identify risks like:
- Improper access privileges, where too many users can access borrower data
- Networks that are exposed to shadow IT vulnerabilities, and, therefore, unsuitable for customer communication
- Gaps in user education and training
- Unapproved communication channels like WhatsApp being used in the workplace
- Non-compliant hardware setups, including personal Bluetooth devices
The second element is working with fully compliant partners. Mortgage businesses typically work with a wide range of third-party vendors, from outsourcing partners to property preservation contractors. It is extremely difficult to make sure that no one in this network resorts to shadow IT tools. That is why it is vital to prioritize security and IT compliance when selecting a partner, such as Nexval, which has dedicated cybersecurity expertise to ensure IT compliance in mortgage.
Shadow IT is an unavoidable reality in the post-pandemic mortgage industry. Discuss how to address it with our mortgage Tech Gurus.