Why Haven’t Loan Officers Been Told These Facts?

Significant Sections of the Amended FTC Safeguards Rule Implementation Deadline Drawing Near, Mandatory Deadline December 9, 2022

The FTC has published a small entity compliance guide for the Amended FTC Safeguards Rule – FTC Safeguards Rule: What Your Business Needs to Know

Mortgage brokers and other third-party originators are responsible for safeguarding consumers’ nonpublic personal information (NPI) that is collected during the loan manufacture from misuse. The failure to comply with applicable elements of the rule can have severe consequences.

In the announcement, the FTC went out of its way to specifically mention mortgage brokers as subject to the rule. So keep in mind that some form of compliance beats no attempt at compliance. Also, without evidence and artifacts, you have non-compliance. Document your implementation.

Train Your Staff

This question is a simple yes or no. As a person responsible for implementing the Safeguards Rule, do you possess any artifacts or evidence demonstrating appropriate staff training and supervision related to the Safeguards Rule?

Take Ownership of Safeguarding NPI with Vendors

This question is also another simple yes or no. Do you have written agreements with vendors regarding the safeguarding of NPI?

Consider this everyday occurrence. Suppose you divulge NPI to a non-affiliate (vendor) in connection with the loan manufacture. In that case, there should be some written agreement with the vendor that they (the vendor) will Safeguard NPI in compliance with the Safeguards Rule. Contractors with NPI access require written agreements and possibly training as appropriate to comply with the Amended Safeguards Rule.

From the FTC 10/27/21:

The Federal Trade Commission today announced a newly updated rule that strengthens the data security safeguards that financial institutions are required to put in place to protect their customers’ financial information. In recent years, widespread data breaches and cyberattacks have resulted in significant harms to consumers, including monetary loss, identity theft, and other forms of financial distress. The FTC’s updated Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security system to keep their customers’ information safe.

“Financial institutions and other entities that collect sensitive consumer data have a responsibility to protect it,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The updates adopted by the Commission to the Safeguards Rule detail common-sense steps that these institutions must implement to protect consumer data from cyberattacks and other threats.”


Subtitle A of Title V of the GLBA required the FTC and other Federal agencies to establish standards for financial institutions relating to administrative, technical, and physical safeguards for certain information. Pursuant to the Act’s directive, the FTC promulgated the Safeguards Rule in 2002. The Safeguards Rule became effective on May 23, 2003.

From the Small Business Entity Compliance Guide:

The Safeguards Rule took effect in 2003, but after public comment, the FTC amended it in 2021 to make sure the Rule keeps pace with current technology. While preserving the flexibility of the original Safeguards Rule, the revised Rule provides more concrete guidance for businesses. It reflects core data security principles that all covered companies need to implement.

This publication serves as the small entity compliance guide under the Small Business Regulatory Enforcement Fairness Act. Your best source of information is the text of the Safeguards Rule itself.

What does the Safeguards Rule require companies to do?

The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.

The Rule defines customer information to mean “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.” (The definition of “nonpublic personal information” in Section 314.2(l) further explains what is – and isn’t – included.)

Your information security program must be written and it must be appropriate to the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information at issue. The objectives of your company’s program are:

    • to ensure the security and confidentiality of customer information;
    • to protect against anticipated threats or hazards to the security or integrity of that information; and
    • to protect against unauthorized access to that information that could result in substantial harm or inconvenience to any customer.

What does a reasonable information security program look like?

  • a) Designate a Qualified Individual to implement and supervise your company’s information security program. 
  • b) Conduct a risk assessment. 
  • c) Design and implement safeguards to control the risks identified through your risk assessment.
    • Implement and periodically review access controls.
    • Know what you have and where you have it.
    • Encrypt customer information on your system and when it’s in transit.
    • Assess your apps.
    • Implement multi-factor authentication for anyone accessing customer information on your system.
    • Dispose of customer information securely.
    • Anticipate and evaluate changes to your information system or network.
    • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
    • Regularly monitor and test the effectiveness of your safeguards.
    • Train your staff.
    • Monitor your service providers.
    • Keep your information security program current.
    • Create a written incident response plan.
    • Require your Qualified Individual to report to your Board of Directors.
      Your Qualified Individual must report in writing regularly – and at least annually – to your Board of Directors or governing body. If your company doesn’t have a Board or its equivalent, the report must go to a senior officer responsible for your information security program.

Read the small business compliance guide here: https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know


BEHIND THE SCENES – The Last Day With The Wagon

Wells Fargo Terminates the Correspondent Channel

Busted, down on Bourbon Street
Set up, like a bowlin’ pin
Knocked down, it gets to wearin’ thin
They just won’t let you be

You’re sick of hangin’ around and you’d like to travel
Get tired of travelin’, you want to settle down
I guess they can’t revoke your soul for tryin’
Get out of the door and light out and look all around

Sometimes the light’s all shinin’ on me
Other times, I can barely see
Lately, it occurs to me
What a long, strange trip it’s been

Truckin’, I’m a goin’ home
Whoa, whoa, baby, back where I belong
Back home, sit down and patch my bones
And get back truckin’ on

– Words by Robert Hunter

First brokers and now correspondents. If Wells Fargo had an official theme song, one must consider the Grateful Dead’s “Truckin” as fitting.

With respect to third-party originations, “no mas” could well be Wells Fargo’s new official mortgage slogan. Like many other market participants, Wells Fargo sees now as an excellent time to rearrange the lending portfolio, including mortgage financing.

Wells Fargo has come a long way from a post-Dodd-Frank industry darling to the reviled Wells Fargo of today. From a sleepy regional lender with a distinctive wild west heritage to an over-sized merged mortgage giant. And back again? Not so fast, whipper snapper! The retail origination channel is still there.

What a long, strange trip it’s been. Wells might proclaim no mas today but look for a return when the weather is more favorable.

We could never miss you unless you go away. Hope you get back truckin’ on. Fare well, Wells Fargo, and thanks for the memories!

Article from Bloomberg here:


Other Movement

Some interesting moves are afoot. Rocket Mortgage has publicly entered into a few intriguing alliances. One of those is with the Spanish banking giant Santander, a dominant mortgage participant in parts of the east. Santander announced earlier this year that it had decided to throw in the mortgage towel. Completely.

Who is Getting the Shaft?

Surprise, between the sheets, a few months later, and guess what strange bedfellows we found, cuddled up like Romeo and Juliet. Santander and Rocket. One has to wonder if the alliance came before or after Santander’s plan to shut down US mortgage operations. Accordingly, the move may portend a disturbing trend.

Then, when you thought you’d seen it all, catch Rocket Mortgage for your next vacation! See the United Miles ad below.

These sorts of “alliances” may dampen competition and undermine the industry’s health. Expect moves like this to draw scrutiny.


Do you feel like you are missing the partnering boat? Learn about how to partner with referral sources. Use marketing services agreements to grow your business. Not to dampen competition but to gain a seat at the table.

Remember your strengths – agility, commitment, and necessity! At present, business as usual is over. The next two years could be challenging. Originate loan types you are not yet originating. Originate from new sources.


Tip of the Week – Take a chance and just say yes

Step out of your comfort zone and focus on unexploited marketing opportunities with underbanked market segments

The LOSJ hopes to encourage our readers to seek Blue Oceans. With the growing wealth gap and threats of housing insecurity, third-party originations have never been more important than right now.

As the loan volume challenges mount, look for opportunities with existing fulfillment partners. On the other hand, observe how the rats flee the sinking ship. Support the lenders that are committed to wholesale and correspondent lending. Demand the support and products necessary to thrive despite the contracting market.

While mortgage and housing are undeniable in recession by any measure, as Mark Twain famously observed about New England’s weather, “If you don’t like the weather in New England now, just wait a few minutes.”

So stick around. The sun will soon shine again. In the meantime, don’t fight the tide. Let the market give you the incentive to build a broader, more valuable business for today and tomorrow.

One of the primary challenges in making the change is getting started. The LOSJ intends to provide a few implementation tips in the coming issues.

FNMA Construction Loan
FNMA Construction Loans

FHLMC Renovation Loan
FHLMC Renovation Program
Renovation Program Video

Downpayment Assistance through NeighborWorks and HFAs
Neighborworks America (Grants and DAP)
State Housing Finance Agencies (HFA)
Down Payment Resource

Reverse Mortgage
The National Reverse Mortgage Lenders Association

Subprime Lending – Attend the LoanOfficerSchool.com 2022 CE for things to know about implementing subprime lending.