Email remains an important channel of communication with borrowers. Yet it exposes loan originators, and the companies they work for, to security risks.
Financial organizations—and originators in particularly since they are on the front line with borrowers—face a decision on how much security they want because it can undermine the lending experience. The security concern has to be balanced with borrowers’ preference for convenience. Keep it simple is preferred. At least until borrowers are victimized by identity theft.
Then, the responsibility, and reputation risk, fall solely on the originator and the firm. Lenders are responsible for ensuring the personal data of borrowers remains private, and yet, the risk of not taking steps to thwart a cyberattack is often overlooked.
According to a study by Halock Security Labs of email practices of lending firms, the use of unsecured email is not unusual, far from it. Consider the following:
- Fully 70% of originators allowed borrowers to send tax documents and other financial information as unencrypted email attachments.
- Only 12% provided a way of sending email securely.
- The reason for assuming this risk was to make the lending experience easier for the consumer.
Security standards are ancient and not much has been done to enhance them. But the tools used to illicitly gain access to the personal data have improved exponentially. For instance, senders can easily impersonate other people, including their email addresses. Recipients don’t pay enough attention to the address from which an email comes, and sometimes software is deployed to hide it. Nor is it unusual for people to send their passwords as plain text, through unsecured connections to mail servers.
Some trade groups are taking steps: the American Land Title Association, or instance, that outlines steps to protect confidential client information related to real estate sales. It calls for steps, such as establishing a written privacy and an information security program for protecting such information, in order to comply with federal and state laws.
Technology is available that can ensure that all parties to a transaction are protected—and risk is mitigated if not eliminated.
For many firms, combining email and web technology works best. Email can notify people that information is waiting for them, and a password-protected web connection can deliver it securely. To be sure, it’s a change for borrowers.
But the approach could play a role in providing effective security without making borrowers feel uncomfortable.
