Why mortgage companies place such high value on regulatory compliance and data protection.

Two things keep mortgage executives up at night: regulatory compliance and data breaches. Why those in particular? Companies that don’t follow compliance regulations can suffer huge fines or even go out of business. And data breaches carry innumerable financial costs and contribute to a mood of customer distrust.

Data Breaches in the News

Data breaches usually make headlines because of the chaos they cause, and they continue to happen. Case in point: A data breach occurred recently at the second-largest bank in the United States, Bank of America, affecting people applying for the Paycheck Protection Program (PPP), put in place as a COVID-19 relief measure.

Here’s what happened:

On April 22, 2020, Bank of America uploaded applicant information to the Small Business Administration’s platform, where other lenders and vendors were able to view confidential information of both small businesses and their owners. The SBA claimed this was an accident, and an internal investigation, as of this writing, is ongoing.

This is just one incident. There are many more.

2 Major Concerns: Compliance and Cybersecurity

  1. The top concern for mortgage lenders is whether their compliance measures are effective, particularly if those lenders rely on manual instead of automated processes.

  2. Cybersecurity is the second most common concern for banks and mortgage lenders, with 85% of lenders surveyed saying that data privacy is a major concern for them.

The Costs Involved

There are financial incentives for businesses to implement both compliance and security measures.

Organizations in the United States that suffer a data breach can expect to shell out, on average, $8.19 million per breach. (Financial institutions have an average cost of $5.86 million per breach.) This figure reflects losing customers, losing revenue from downtime, and the cost of acquiring new business after trying to overcome the now-poor reputation of the organization caused by the data breach. Companies that suffer a data breach also could see their stock value plummet, at least in the short term (about six months).

Regarding compliance, regulatory fines are getting steeper for companies that are not taking a proactive stance. From 2008, when compliance regulations were put in place after the financial crisis, to 2016, banks have paid more than $204 billion in compliance fees and fines.

Time Is a Factor Regarding Data Breaches

It can take, on average, 280 days to discover and then contain a data breach. One benefit for businesses with cybersecurity measures in place is a more timely response to a breach. You know the saying, “Time is money.” In this case, businesses that can handle a data breach in 200 days or less can save, on average, $1.1 million. This could be the reason the financial services industry is among the quickest to recover from a data breach. The healthcare industry, by comparison, is one of the slowest.

The Good News: Adaptation

It can be expensive to institute compliance measures, especially if this will be handled in-house. Businesses can expect to spend a lot of resources, such as time, energy and funds, to hire an in-house compliance staff. One way to shave costs is to hire outside vendors that can handle compliance tasks. Companies that choose to outsource this duty should make sure they carefully screen their vendors.

According to a senior threat analyst at IBM, companies that implement effective cybersecurity measures fare better than organizations that don’t have any cybersecurity measures in place. The better prepared companies are to avoid and handle a data breach, the lower the costs involved. The best course of action is to have a plan in place (using encryption, automating security, etc.) and to have employees test the cybersecurity plans regularly. Testing a cybersecurity plan is no different from conducting a fire drill. If the plan is not tested and practiced, it may not be very effective.

If, or when, your financial institution puts cybersecurity measures in place, you should not forget the importance of communicating with your customers. No one likes to be kept in the dark. It’s not easy to communicate a data breach, but if you can explain what happened, have measures in place to handle the breach effectively, and can communicate what measures you are taking right away to your customers, you’re more likely to save some of those customers who might have jumped ship otherwise.

The Bottom Line

It can be overwhelming to keep up with mortgage compliance, following the myriad rules imposed on lenders. The same goes for cybersecurity. Data breaches have become an unfortunate fact of life. In both instances, prepared companies usually fare better.

There is a silver lining for companies that adapt to changing environments. Whether it's outsourcing compliance and/or cybersecurity or handling those tasks in-house, companies that adapt sooner are usually the winners. If you do outsource, look for a firm with the latest technology and industry expertise to help you run a more efficient organization.