Equifax breach fu­els digital mort­gage doubts

National Mortgage News - - Contents - By bon­nie sin­nock and brad finkel­stein

digital mort­gages are im­prov­ing the bor­row­ing ex­pe­ri­ence for con­sumers, but they may also com­pli­cate fraud risks stem­ming from the Equifax data breach.

“A data breach of this mag­ni­tude is not con­tem­plated in the de­vel­op­ment of a digital mort­gage or any mort­gage,” said Deb­bie Hoff­man, a con­sul­tant who ad­vises lenders on le­gal and com­pli­ance is­sues. “Be­cause digital is less per­sonal and more sys­tem­atic, I think the risk could be greater.”

Fraud risk is “marginally” higher for digital mort­gages than tra­di­tional ones, said Nick Lar­son, man­ager of real es­tate strat­egy at Lex­isNexis Risk So­lu­tions.

Digital mort­gages won’t likely be the first tar­get for iden­tity thieves us­ing the So­cial Se­cu­rity numbers, driver’s li­cense numbers and other per­son­ally iden­ti­fi­able in­for­ma­tion stolen from Equifax. Credit cards or re­tail items that can be pur­chased on­line in the short- term with less scru­tiny are eas­ier to ac­cess.

But iden­tity thieves tend to broaden their reach over time, and they could po­ten­tially fake enough bor­rower data to close a home loan, par­tic­u­larly if the process is com­pressed and done en­tirely on­line. But they would have to clear a num­ber of digital hur­dles to pull it off.

“I sup­pose un­der the right con­di­tions it is pos­si­ble, but it’s prob­a­bly re­ally easy to get caught,” said Dan Cu­taia, the founder of digital mort­gage startup Be LoanReady, adding that he would ad­vise lenders to con­sult ex­perts for more guid­ance on how much risk they have and what is the best way to man­age it.

The mort­gage in­dus­try has a lot of ex­po­sure to Equifax.

Tri- merged credit re­ports that in­clude Equifax data are gen­er­ally ac­cessed by all mort­gage lenders. Equifax also part­ners with many in­flu­en­tial com­pa­nies. Equifax, for ex­am­ple, is one of Fan­nie Mae’s key ven­dor part­ners en­abling its Day 1 Cer­tainty data ver­i­fi­ca­tions, and also part­ners with Fred­die Mac.

“There is no doubt Equifax will have a lot of tough ques­tions from lenders” as a re­sult of the breach, said Garth Gra­ham, a se­nior part­ner at in­dus­try con­sult­ing firm Strat­mor Group.

So far Fan­nie, Fred­die, loan orig­i­na­tion sys­tem provider El­lie Mae and sev­eral oth­ers that have busi­ness part­ner­ships with Equifax have re­spec­tively said they find no signs their data has been com­pro­mised as a re­sult of the breach, but they are con­tin­u­ing to mon­i­tor the sit­u­a­tion.

All these play­ers are more fre­quently au­tomat­ing pro­cesses that have been done in per­son in the past, such as ap­praisals done to ver­ify re­fi­nances, no­ta­riza­tions, and elec­tronic clos­ings.

“If there is any­thing that in­di­cates this is not a valid con­sumer we’re deal­ing with, it will stop the process and tell you that you’ve got to call.”

— Mark Greco, Pres­i­dent, 360 Mort­gage

These prac­tices may in­crease fraud risk, but even tra­di­tional mort­gages orig­i­nated with hu­man in­ter­ven­tion may not be im­mune to a data breach where a fraud­ster has ac­cess a lot of bor­rower in­for­ma­tion.

For ex­am­ple, Cu­taia re­calls at least one in­stance dur­ing the hous­ing bust where an iden­tity thief used a real driver’s li­cense num­ber and a real bor­rower’s name to make a con­vinc­ing fake ID with his photo on it and showed up at the clos­ing in per­son with it un­de­tected.

Providers of digital mort­gages and re­lated ser­vices and tech­nol­ogy, as well as tra­di­tional lenders, go through many more steps to au­then­ti­cate bor­row­ers now than they did in the past.

The au­to­mated data ver­i­fi­ca­tions used in many digital mort­gage tech­nolo­gies cut down on hu­man pro­cess­ing time and help re­duce data en­try er­rors.

But they also pose new fraud risks that lenders must pro­tect them­selves against.

For ex­am­ple, 360 Mort­gage Group re­cently im­ple­mented a digital mort­gage self- ser­vice tool that stream­lines the ap­pli­ca­tion process by min­i­miz­ing the amount of in­for­ma­tion col­lected from con­sumers.

While tra­di­tional pro­cesses re­quire un­der­writ­ers to use third- party sources to val­i­date data pro­vided by bor­row­ers, 360 Mort­gage “in­verts” that process by pre­sent­ing in­for­ma­tion pulled from data ag­gre­ga­tors to the bor­rower for ver­i­fi­ca­tion.

So what’s to stop a fraud­ster who has some stolen con­sumer data from ob­tain­ing more data from the digital mort­gage ap­pli­ca­tion?

For starters, bor­row­ers have to go through a rig­or­ous iden­tity ver­i­fi­ca­tion process that in­cludes val­i­dat­ing whether the bor­rower’s name matches the name reg­is­tered to the cell phone num­ber pro­vided on the ap­pli­ca­tion.

“If there is any­thing that in­di­cates that this is not a valid con­sumer that we’re deal­ing with, it will stop the process and tell you that you’ve got to call,” said 360 Mort­gage Pres­i­dent Mark Greco.

Once a bor­rower’s iden­tity is val­i­dated, the ap­pli­cant is pre­sented mul­ti­ple choice ques­tions to ver­ify in­for­ma­tion such as in­come and as­sets that was pulled from third- party sources.

The an­swer op­tions are pre­sented in ranges, so the ac­tual data point is not re­vealed to the user un­til the end of the process when the bor­rower is asked to sign a form 1003 mort­gage ap­pli­ca­tion.

The sys­tem also asks other de­tailed ques­tions that the only the bor­rower is likely to know. “One ex­am­ple is, ‘10 years ago you bought a car, what color was that car?’” Greco said.

The Austin, Texas-based lender also con­tracts with third-party data se­cu­rity com­pa­nies that reg­u­larly mon­i­tor its sys­tems and test it for vul­ner­a­bil­i­ties.

These types of safe­guards make digital mort­gage ap­pli­ca­tions a more dif­fi­cult tar­get for fraud­sters, even if they al­ready have some stolen data about a con­sumer.

Lenders and tech­nol­ogy providers are do­ing more to au­then­ti­cate bor­row­ers hav­ing bat­tled with their own se­cu­rity breaches and evo­lu­tion of fraud risks, and that should help man­age risks from the Equifax breach, said Ann Ful­mer, chief strat­egy and in­dus­try re­la­tions of­fi­cer at For­mFree.

While iden­tity thieves got a lot of in­for­ma­tion from the Equifax breach “there is no one data­base that has ev­ery sin­gle piece of in­for­ma­tion about ev­ery sin­gle per- son,” so it would take a lot scam artist to con­struct a fake iden­tity that makes it all the way through mul­ti­ple lay­ers of iden­tity checks, Ful­mer said.

“Credit as al­ways been at the epi­cen­ter of mort­gage au­then­ti­ca­tions, but that bench­mark no longer car­ries the clout it once did,” said Brett Chan­dler, founder and CEO of For­mFree.

In ad­di­tion to fraud pre­ven­tion meth­ods de­vel­oped post- cri­sis like ex­am­in­ing re­la­tion­ships be­tween par­ties to trans­ac­tions through an­a­lyt­ics to iden­tify po­ten­tial col­lu­sion, au­to­ma­tion can an­a­lyze whether bor­rower be­hav­ior, de­vices or lo­ca­tions break usual pat­terns.

Even if some­one used the stolen Equifax in­for­ma­tion to ap­ply for a mort­gage, “there are a lot of things lenders can do through digital means to make things quite hard for fraud­sters,” said Frank McKenna, the chief fraud strate­gist at risk man­age­ment firm Poin­tPre­dic­tive.

Be­cause of the size of the breach, the fed­eral gov­ern­ment is likely to get in­volved and put more reg­u­la­tions in ar­eas like data se­cu­rity and pri­vacy. But it will be the lend­ing com­mu­nity’s re­spon­si­bil­ity to im­ple­ment those new reg­u­la­tions, McKenna said.

There are ser­vices that will scan a driver’s li­cense to see if it’s a forgery. Self­ies can also be used to prove iden­tity and digital fin­ger­print ser­vices are avail­able.

No­ta­rize, a com­pany that pro­vides au­to­mated no­ta­riza­tion of doc­u­ments on­line dur­ing digital- mort­gage clos­ings, uses three- fac­tor au­then­ti­ca­tion that in­cludes quizzing bor­row­ers on in­for­ma­tion only they should know, photo IDs that go through foren­sic anal­y­sis and video record­ings of the clos­ings.

Ad­vanced au­then­ti­ca­tion will likely in­clude ad­di­tional mea­sures be­yond this like “bio­met­ric” forms of iden­ti­fi­ca­tion, said Paul Bjerke, vice pres­i­dent, fraud & iden­tity man­age­ment strat­egy at Lex­isNexis.

“It could fol­low in the foot­steps of Ap­ple, which just an­nounced fa­cial recog­ni­tion on their phones. The in­no­va­tors will get there,” said Hoff­man. Even bio­met­ric iden­ti­fiers could have lim­i­ta­tions. Older fa­cial recog­ni­tion tech­nolo­gies, for ex­am­ple, could be tricked, but newer forms, like the “Face ID” that Ap­ple re­cently un­veiled with its new iPhone, have ad­dressed those con­cerns.

“With the old for­mat of fa­cial recog­ni­tion you could put a pic­ture in front of the cam­era, but with this, you can’t,” said Terry Kurzyn­ski, se­nior part­ner at Halock Se­cu­rity Labs.

The Equifax breach “is go­ing to re­de­fine how we fig­ure out credit for peo­ple. The So­cial Se­cu­rity num­ber and name, we can’t count on that right now.”

The ex­tra au­then­ti­ca­tion steps and ex­pen­di­tures could be in some ways a set­back for digital mort­gages, as trust in tech­nol­ogy and pro­cess­ing speed con­trib­ute to their ap­peal, but it won’t be an in­sur­mount­able hur­dle.

“I don’t think digital should be stopped,” said Ful­mer. “I just think we need to come up with new fac­tors for au­then­ti­ca­tion.”

The in­dus­try will likely prove re­sis­tant to ad­di­tional au­then­ti­ca­tion mea­sures at first, in part due to costs and ques­tions about how to pre­vent stored in­for­ma­tion from be­ing ex­posed to po­ten­tial elec­tronic theft or pri­vacy con­cerns. But it will be a long- term trend, said Kurzyn­ski.

— Austin Kil­gore con­trib­uted to this re­port.



Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.