What Title & Escrow Companies are Doing to Stay at the Forefront of Data Security Compliance
In today’s business environment, data protection has become the predominant focus of businesses and regulators. We have seen this transformation happening everywhere, including concerns about personal data protection on the Obamacare website, privacy on Facebook, the massive data breach at Sony, the hacking of escrow companies, and the mandate given to the major lenders by the Consumer Financial Protection Bureau (“CFPB”), which included the expectation that banks and non-banks (lenders) oversee their business relationships with their service providers, including compliance initiatives.
Regulatory Changes – ALTA Best Practices 7 Pillars
Historically, regulators and interested third parties were most concerned with three characteristics of a company: 1) the company’s strength (net worth); 2) the company’s ability to meet its immediate obligations (liquidity); and 3) the company’s ability to operate at a profit (net income). However, the focus today has transitioned toward the integrity of a company’s financial information systems and data confidentiality.
In the settlement industry, the American Land Title Association (“ALTA”) stepped forward with a response to the CFPB’s mandate. With the concurrence of the major lenders, ALTA created a set of benchmark standards known as “ALTA’s Best Practices.” The most comprehensive of the seven pillars of standards is the third set, known as Pillar 3. This Pillar is concerned with information systems: virus prevention, firewall protection, layers of access and administrative rights, active data protection, protection of archived data, email encryption, etc.
When ALTA’s Best Practices was first published, the expectation was that, if a company had to be “Best Practices certified,” the certification would be done in one of two ways.
- The first way was for a third party (typically a public accounting firm) to come into the title or escrow company and perform a compliance audit. The audit findings would then be issued in a report to the interested lenders.
- The second way was for the title or escrow company to submit their data concerning ALTA’s seven pillars to a third party, and then regularly update the information.
The interested lenders could then periodically access the information through a web portal and determine the level of compliance with Best Practices.
Compliance with ALTA – Reporting Options
Shortly after Best Practices was issued, public accounting firms began looking at how they would perform these audits. They were also looking at what type of report was to be issued. Many firms concluded that the proper approach in performing and reporting on these types of engagements was not a compliance audit, but instead was an SSAE No. 16 audit.
SSAE stands for Statements on Standards for Attestation Engagements, auditing standards put forth by the Auditing Standards Board of the American Institute of Certified Public Accountants. Standard number 16 is commonly known as a “service auditors’ report,” or a report on the controls at organizations that provide services to user entities. SSAE No. 16 requires that an organization provide a description of its “systems” along with a written assertion by management. The auditor then performs a series of procedures intended to verify the assertions of management.
Clarifying SOC 1 and SOC 2, Type 1 and Type 2
Typically there are two systems that may be reported on by the auditor. The reports on these systems are called SOC 1 and SOC 2.
- SOC 1 covers the system of controls over financial reporting.
- SOC 2 concerns the system of controls relevant to security, availability, processing integrity, confidentiality, or privacy.
In other words, SOC 1 is concerned with the financial accounting systems, and SOC 2 is concerned with the title and/or escrow software, the internet, and data security, etc. A SOC 1 or SOC 2 audit can be either a Type 1 or a Type 2. Type 1 is a report on controls as of a specific point in time, and Type 2 is a report on controls over a period of time. Typically the first SSAE No. 16 report for a company is a Type 1 report, and the subsequent years’ reports are Type 2 reports.
An SSAE No. 16 engagement in the settlement industry requires some time to prepare for. For an escrow company the procedures cover nearly 250 individual items denoted in the ALTA Best Practices Pillars. For title companies the procedures can be nearly 100 additional items. So why are companies having these audits done?
Return on Investment with Lenders
The answer for most companies is that they feel that these audits give the lenders the most assurance that the systems of controls in the company are secure. SSAE No. 16 audits performed for escrow and title companies also give the lenders assurance that the policies and procedures relevant to trust accounting and banking are in place, sufficient, and followed. For title companies, SSAE No. 16 audits provide assurance that title processing and recordation procedures are adequate, and that pricing policies are maintained and followed. Lastly, these audits provide assurance that licensing, insurance and consumer complaint tracking (a focal point of the CFPB) procedures are in place and sufficiently in line with the standards of ALTA’s Best Practices.
A majority of the title and escrow industry throughout the United States has adopted the standards of ALTA’s Best Practices. Most of these companies are also having SSAE No. 16 engagements performed.
This article is written at a time when the transition toward consistency in the lender mandate is still in disarray. What is certain is that procedures need to be in place that are adequate to protect consumer information and consumer funds, to assure lenders that sufficient escrow and title procedures are being followed, and that complaints are addressed and resolved in a timely manner.
If your company has not performed an internal assessment of these issues, the assessment should be done as soon as possible. The guidance provided by the ALTA Governance Committee is to have an SSAE No. 16 audit in process by August 1, 2015.
Based on discussions with management of the firm’s current SSAE No. 16 title and escrow client base, lenders have increasingly asked whether title and escrow companies can demonstrate compliance with the ALTA Best Practices through a SOC 1 or SOC 2 report. Title and escrow companies that can demonstrate that a third party CPA firm has attested that the ALTA Best Practices were in place (through a SOC 1 and SOC 2 report) are at an advantage to be utilized by lenders over title and escrow companies that cannot demonstrate compliance.