The Consumer Financial Protection Bureau, or CFPB, is a federal agency in charge of financial regulations. Created in the wake of the 2007 financial crisis, the CFPB united consumer financial protection under one agency to strengthen laws against unfair and deceptive practices.
Among other things, CFPB compliance regulates how realtors are expected to protect the privacy of their clients — especially when they are moving through the settlement process. While real estate agencies are naturally anxious about the new requirements, asking, “What is CFPB compliance?” might be the wrong question. Realtors are subject to a range of laws — not all of them under the jurisdiction of the CFPB — and need compliance strategies that cover all their bases.
The CFPB was created as part of the Dodd-Frank Act. Dishonest practices in mortgages, credit cards and loans were a major cause of the Great Recession, prompting congress to demand more financial industry regulation. According to Jobe Danganan, Chief Legal Officer at Sindeo,
The CFPB is important given its broad reach in consumer financial products, the number of laws it enforces (over a dozen…), and its ability to penalize companies who violate the law, with up to $1 million per violation per day. In its 4+ years of existence, the CFPB has fined companies which violated consumer financial laws over $4 billion and given that money back to the hands of consumers.
The CFPB is designed to help consumers across the financial industry, says Braden Perry, financial services and government investigations attorney with Kennyhertz Perry, LLC:
The Dodd-Frank Act tasks the CFPB with helping consumers obtain the information necessary to make informed and responsible financial decisions; protecting consumers from harmful practices and discrimination; eliminating outdated and unnecessary regulations; consistently and evenhandedly enforcing federal consumer financial law to promote fair competition; and increasing market transparency.
The term CFPB compliance can come across as a little misleading. The CFPB isn’t a set of regulations, but a regulatory agency that enforces a wide range of laws. Many CFPB enforcement actions focus on banks and mortgage lenders, not on realty companies. Realtors should focus primarily on CFPB rules that govern data security, privacy policies and disclosure.
Keep in mind that each state has its own regulations defining sensitive data and the regulation of how it is protected. Realtors may actually face more scrutiny under state data protection rules than CFPB regulations. They could face lawsuits for noncompliance or negligence if they fail to abide by these laws.
CFPB compliance rules are an important factor in how you protect data, but they’re only one factor. Realtors need compliance strategies that cover federal, state, and local laws on privacy and data protection in every jurisdiction they operate in. The most effective way to do this is by creating a unified set of data security best practices, and applying those across your organization.
“The CFPB enforces the Gramm Leach Bliley Act (GLBA, Regulation P), and the Fair Credit Reporting Act (FCRA, Regulation V),” says Jobe Danganan. “Mortgage lenders, brokers, and real estate companies must adhere to disclosure requirements and information sharing restrictions under these two laws.”
The laws require realtors to protect Nonpublic Personal Information (NPI). The FTC defines NPI as “any ‘personally identifiable financial information’ that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise ‘publicly available.’”
NPI includes:
Because NPI is so broad, organizations really need to protect everything. Mortgage applications, emails with clients, credit inquiries and other electronic exchanges should all be treated as classified data.
Organizations also need to create privacy policies, and provide them to new clients, generally by the time the customer relationship is established. If you share information with third-parties, you need to give them an opt-out notice, allowing them to decline before you share the info. Some types of necessary sharing don’t require an opt-out notice. For example, you can disclose information to third-party administrators who handle your paperwork, consumer reporting agencies, or your company’s lawyer.
Encryption is a technique to protect data. An encrypted email or file is scrambled using an electronic key, which is stored securely. Only parties with the key can decrypt and read the file — anyone else looking at it will just see a string of gibberish.
When it’s combined with data security best practices, encryption drastically decreases the odds of a breach and limits the amount of data exposed, should a breach occur. It can help prevent attacks by outside hackers along with accidental internal breaches. Encryption should be the first line of defense for any realtor — especially large organizations, which are more likely to be targeted by hackers. However, you need the right encryption.
Encryption can’t completely protect your business unless employees use it all the time. Realtors need encryption solutions that are extremely secure, easy to use, and convenient.
PGP and other public-key email encryption programs (so-called, because they use a public key to encrypt, and a separate private key to decrypt) are very secure, but they’re difficult and inconvenient to use. Before you can use PGP, you need to:
Realistically, you’ll never get all your clients and partners to install it. It’s also inconvenient; you have to enter the key every time you switch devices. On top of that, PGP has no good way to send attachments or send group emails.
Virtru provides the strength, convenience and ease of use you need for a CFPB compliance solution. It integrates with your existing account, providing military-grade email encryption with a single click. You can send attachments and group emails like normal, even if your recipient hasn’t installed Virtru. It works flawlessly with our Google encryption, protecting stored files, documents, and everything else your organization does in the cloud.
Encryption can stop hackers, but it can’t stop mistakes. It only takes a moment of inattention to put in the wrong address or accidentally forward an email with NPI in the body. Virtru can correct your errors, preventing a tiny mistake from turning into a big CFPB compliance breach. It allows you to:
We’ve all clicked “send” without thinking. Virtru can be the difference between an embarrassment and a disaster.
There’s a big difference between understanding what CFPB compliance is and knowing how to use this technology to protect your organization. There’s always a chance an employee will miss an essential step — or that they just don’t understand security. Common mistakes include forwarding NPI to a partner after a client opts out, forgetting that NPI extends beyond PII, failing to notice a mistake that could be corrected with Virtru DLP, and forgetting to turn on encryption before hitting send, therefore disabling Virtru’s features for that email.
While Virtru can correct the mistakes your employees notice, Virtru DLP can prevent those they don’t. When someone in your organization tries to send an email that may breaks compliance, it can take appropriate actions, including:
Virtru DLP’s customizable rules give you the power to detect a wide range of compliance-specific information. Its warning messages in particular help realtors enforce CFPB compliance while educating employees. With the high costs of accidental disclosure and the low cost of Virtru, no real estate organization should be without it.
CFPB compliance requires privacy policies, but the details are left up to your organization. The American Land Title Association suggests a few best practices for security and other compliance objectives.
ALTA recommends companies conduct background checks to restrict NPI access, and limit or ban the use of removable storage, such as thumb drives. Company computers should be secured, and your company should create technology policies to protect data.
Companies need secure procedures to destroy or secure old NPI It’s easy to forget about client info left on old computers (or in old file folders) and assume it’s gone, potentially leading to a breach, unless you’re careful to destroy unneeded data.
Ideally, you should work with external auditors to develop and test your security procedures. Regular trainings are a must, even if employees have already heard it all. Sending a memo covering security isn’t enough; unless your employees fully incorporate best-practices into their work routines, they could still breach NPI.
Company culture is often the biggest obstacle to CFPB compliance, according to Braden Perry:
Many regulated companies are “reactive,” meaning that they do not anticipate issues but wait for issues to arise and then act or “react.” [They’re] short-sighted, looking at the near-term and not focused on long-term goals. “Proactive” companies are forward looking, not only in anticipating issues that might arise, but in having clear directions and goals.
Braden recommends that companies remain open to change. Reactive organizations tend to resist security initiatives, creating an “uphill battle” for compliance staff. To succeed, organizations need full management buy-in.
With the scrutiny the financial industry faces, CFPB compliance can be intimidating, but it doesn’t have to be difficult. Virtru provides out-of-the-box business security solutions for realtors, bringing military encryption to your office. With Virtru email and file encryption, you’ll be able to protect everything you do in the cloud. Instead of worrying about securing an email, you’ll be able to focus on closing the deal.