Red Flags Identity Theft Plan Bay Equity LLC


Table of Contents

Section 1 Overview of the Compliance Program
  1.1 Mission Statement
  1.2 Annual Review and Updating
  1.3 Role & Responsibilities of the Compliance Officer
  1.4 Role & Responsibilities of the Executive Board
  1.5 Legal Requirements of Section 114 & 315 of FACTA
  1.6 Quality Control
  1.7 Auditing
  1.8 Training

Section 2 Terminology
  2.1 Summary
  2.2 Identifying Information
  2.3 Definitions
  2.4 Identification of Red Flags
  2.5 List of 26 Red Flags by the Federal Trade Commission

Section 3 Red Flag Detection and Response
  3.1 Address Discrepancies
  3.2 Accuracy of Information from Credit Agency Reports
  3.3 Social Security Validation
  3.4 Factual ID Reports
  3.5 Alerts, Warnings from a Consumer Reporting Agency
  3.6 Procedures for Mitigating Alerts from a Credit Agency
  3.7 Presentation of Suspicious Documents
  3.8 Presentation of Suspicious Personal Identifying Information
  3.9 Notices Received for Suspicious Activity
  3.10 Red Flag Response to Presented Documents
  3.11 Re-Pollution of a Borrower's Credit Report

Section 4 Mitigation
  4.1 Assessment of Risk
  4.2 Mitigation Steps for Cleared Variance
  4.3 Non-returning Pre-qualification Applicants
  4.4 Steps When the Red Flag Cannot be Mitigated
  4.5 Filing a Suspicious Activity Report (SAR)
  4.6 Identity Theft Affidavit

Section 5 Information Security
  5.1 Safeguarding Confidential Information
  5.2 How Information is Obtained
  5.3 E-Mail Policies and Procedures
  5.4 Electronic Access
  5.5 Network and Internet Policy
  5.6 Prohibited Activities
  5.7 Authorized Use of Software
  5.8 Administrative Access Control
  5.9 Firewall Procedures
  5.10 Data Center Security
  5.11 Document Destruction
  5.12 Incident Response and Preparedness

Section 6 Consumer Privacy
  6.1 Privacy Policy
  6.2 Gramm-Leach-Bliley Act
  6.3 Consumer Privacy Notice to Applicants
  6.4 Confidentiality Agreement for Service Providers
  6.5 Closing Agent Authority under the Consumer Privacy Act

Section 7 Fair and Accurate Credit Transactions Act
  7.1 Summary of the Fair and Accurate Credit Transactions Act
  7.2 Notices Required Under FACTA
  7.3 Fraud Alerts and Active Duty Alerts Initial Alert
  7.4 Access to Free Reports Initial Alert
  7.5 Fraud Alert and Active Duty Alert Extended Alert
  7.6 Access to Free Reports Extended Alert

Section 8 Fair Credit Reporting Act (FCRA)
  8.1 Summary of the Regulation
  8.2 Permissible Purpose
  8.3 Credit or Insurance Solicitations
  8.4 Responsibilities of Furnishers of Information
  8.5 Responsibilities Regarding Disputes
  8.6 Record Retention

Section 9 U.S.A. Patriot Act
  9.1 Customer Identification Program (CIP)
  9.2 Customers Subject to CIP Requirements
  9.3 Required Customer Information to Be Collected
  9.4 Verification Through Documents
  9.5 Customer Notice

Section 10 Vendor Management
  10.1 Policy Statement
  10.2 Vendor Risk Assessment
  10.3 Vendor Monitoring

Section 11 Red Flags Check List

Copyright 2012 Mortgage Resource Center, Inc. d/b/a AllRegs. ALL RIGHTS RESERVED. Without

This Plan Was Updated October 2012
Revised December 2012

Section 1 Overview of the Compliance Program

1.1 Mission Statement

has developed this Red Flags Identity Theft Plan in accordance with Section 114 & 315 of the Fair and Accurate Credit Transactions Act of 2004. The foregoing policy has been developed to reflect the size, structure and business model of the company. The Red Flags Identity Theft Plan has been developed with the consent and approval of the company's Senior Executives, Board of Directors and Compliance Managers.

The Red Flags Identity Theft Plan outlines the company's overall corporate-wide program to detect, prevent and mitigate identity theft. Elements of the program apply to all company employees, contractors, affiliates, third party service providers, secondary market investors, insurers and agencies. Every entity that handles a mortgage application or has access to any form of consumer information is responsible for ensuring compliance with the plan.

has designated a responsible person to serve as Director of Compliance and ensure compliance with the plan, dissemination of materials and staff training. Members of senior management are responsible for ensuring that the role of Director of Compliance is carried out adequately and that a second-in-command is trained to serve in the absence of the Director of Compliance or Security Officer. Every employee is required to sign an acknowledgement that he/she has read and understands all components of the plan.

1.2 Annual Review and Updating

On an annual basis, the company's senior executives and Board of Directors shall review the plan and audit reports and assess the merits of the plan. Changes and recommendations shall be discussed and approved. As appropriate and in accordance with the company's growth as well as changes to the company's business model, service delivery platforms, and expanded market areas, the foregoing plan shall be amended by the Director of Compliance. Revisions shall be submitted to and approved by senior management.

Bay Equity performs background checks on all new employees at application and all existing employees on an annual basis. This review includes GSA, GLB, and OFAC, which is run through an approved Fraud Investigation service. In addition, applicable training and dissemination of updated materials shall be provided to all employees, affiliates and service providers.

1.3 Role & Responsibilities of the Compliance Officer

On at least a quarterly basis, the Compliance Officer is to make a written report to the executive board regarding the status of the company's compliance activities. Listed are the general areas of responsibility of the Director of Compliance:

1. Development and updating of the policy guide
2. Overall administering of the program
3. Oversight of employee background checks at application and annually
4. Development and delivery of employee training on an annual basis
5. Editing or adding to the list of red flags
6. Assigning the level of risk to each red flag
7. Development of forms and recordkeeping materials
8. Coordination of audit functions
9. Report results of audits to senior management
10. Ensuring related policy and procedures ensure compliance with the program, including:
    - Consumer privacy policy
    - Information security policy
    - Vendor management

1.4 Role & Responsibilities of the Executive Board

The company's executive board is responsible for ensuring the overall effectiveness of the plan and providing assistance to the Director of Compliance. Listed are the key responsibilities of the executive board:

1. Reviewing and approving the company's Red Flag Identity Theft Program and recommending updates or changes
2. Monitor changes to federal laws and mandates to ensure the company has the tools and resources to remain compliant
3. Providing guidance and assistance to the Director of Compliance charged with administering the program
4. Review audit reports and results of regulatory examinations
5. Review the company's response to incidents
6. Assess overall effectiveness on a periodic basis

1.5 Legal Requirements of Section 114 & 315 of FACTA

must ensure that legal requirements are met in accordance with Section 114 & 315 of FACTA. Summarized are the compliance obligations of the regulation:

1. The filing of Suspicious Activity Reports (SAR) in accordance with the regulation and applicable supervisory agency (Refer to BSA/AML/SAR Policy Manual)
2. Complying with prohibitions of FACTA regarding the sale, transfer, and placement for collection of certain debts resulting from identity theft
3. Implementing any requirements regarding the circumstances under which credit may be extended when the company detects a fraud or active duty alert
4. Implementing any requirements for furnishers of information to consumer reporting agencies, such as to correct or update inaccurate or incomplete information, and not to report information that the furnisher has reasonable cause to believe is inaccurate

1.6 Quality Control

requires management to ensure that the pre-funding and post-funding quality control file reviews include steps to determine if the requirements of the Red Flags identity theft plan are met. Pre-funding file reviews are performed by an in-house team of quality control auditors using Tena's SecondLook software. In addition, each mortgage application should be examined during the loan process to ensure that any noted red flags are properly mitigated via Mavent and CoreLogic (review wording).

Bay Equity outsources post-funding quality control to Tena Companies. The compliance officer is responsible for ensuring that the company's quality control administrator monitors the QC efforts of the service provider and that the red flag monitoring is included in management reports. Any exceptions noted in the QC findings report shall require remediation and management response. Corrective action may include acceptable curing options for the borrower file and/or employee training.

See Vendor Management for further requirements related to outsourcing.

1.7 Auditing

requires management to ensure that the internal controls and procedures established under the Red Flags Identity Theft plan are tested at least annually by internal or external auditors. Reports of these audits should be reported to management and the board with recommendations for corrective action.

1.8 Training

requires training for all employees about identity theft. All staff shall be trained:

- to detect red flags with regard to new applications
- to detect red flags related to the refinancing of borrowers whose prior confidential information is retained by the company
- to mitigate identity theft, whether or not it is the employee's responsibility to complete the detection and mitigation steps
- regarding the contents of this policy and any underlying policies, including but not limited to BSA/AML/SAR Policy, CIP, Privacy and OFAC

All new employees must receive identity theft training within 4 weeks of hire. All employees shall receive annual training to include:

- Any and all changes to this or related policies
- Regulatory changes with respect to related regulations
- Developments, changes and/or related industry best practices which may have occurred during the last year
- A refresher and reinforcement of new hire training topics

Those employees who are required to complete the follow-through steps for red flag detection, response and mitigation shall complete advanced training and receive industry updates and guidance from agencies and federal regulators. All agency and federal guidelines are available to these employees through AllRegs.

Section 2 Terminology

2.1 Summary

's Red Flag Identity Theft program applies to day-to-day operations and internal workflow on an interdepartmental level as well as external branches & operations centers. Compliance is applicable to all employees, agents, affiliates, third party brokers, loan correspondents, closing agents and other service providers.

The primary objectives of the program are to detect, prevent, and mitigate identity theft in connection with the opening of all covered accounts or any existing covered accounts. This policy and subsequent procedures are designed to control reasonably foreseeable risks to the company's loan applicants and existing borrowers.

2.2 Identifying Information

Specifically, identity theft is a fraud committed or attempted using the identifying information of another person without authority. Identifying information means any name or number that may be used (alone or in conjunction with any other information) to identify a specific person, including the following:

- Name
- Social Security Number
- Date Of Birth
- Official State Or Government Issued Driver's License or Identification
- Alien Registration Number
- Government Passport Number
- Employer Or Taxpayer Identification Number

2.3 Definitions

The following definitions correspond with the terms and entities referenced in Sections 114 and 315 of FACTA:

Address Discrepancies: Notices sent to lenders by credit agencies informing the lender of a substantial difference between the information provided on the request order form and the agency's database. Mandatory response steps include cross-checking data, verifying directly with the consumer and submitting a confirmation to the credit agency.

Covered Accounts: Credit cards, checking/savings accounts, car loans, cell phone service, utilities, margin accounts and mortgage loans.

Creditors: Organizations that regularly extend, renew or continue credit; companies that make arrangements to extend, renew or continue credit; and assignees of companies who extend, renew or continue credit. Examples are: finance companies, utility companies, automobile dealers, telecommunication companies, mortgage brokers and mortgage lenders. Creditors that advance funds on behalf of a person for expenses incidental to services provided by the creditor to that person are excluded from the definition of creditor under the Red Flag Program Clarification Act of 2010.

Financial Institutions: Banks, thrifts, credit unions and entities that hold a "transaction account" where a consumer can make payments, drafts or transfers. Examples are checking & savings accounts and broker accounts where consumers can write checks.

Identity Theft: A fraud committed or attempted using the identifying information of another person without authority.

Identity Theft Report: A report that alleges an identity theft; a copy of an official, valid report filed by a consumer with an appropriate Federal, State, or local law enforcement agency.

Identifying Information: Any name or number that may be used alone or in conjunction with any other information to identify a specific person.

Incident Response: Reporting of an information security breach, suspicious activity or red flag alert which cannot be cleared.

Mitigation: Evidence documented through a paper trail or interactive comment submitted to a factual ID vendor that the Red Flag alert has been cleared and no longer presents a risk; or reporting of an incident.

Red Flags: Alerts, discrepancies, warnings, variance, or unusual activity or pattern that is noticed by the creditor.

Red Flag Detection: A workflow step where a comparative review is made among documents furnished by the borrower, the information reported on the loan application, verification responses and information reported by credit repositories. Detection steps may include the use of SSN validation tools, fraud checks and factual ID reports.

Risk Assessment: An evaluation of the risk to the lender and/or exposure to identity theft to the consumer.

Response: Action that the lender takes to obtain explanations and/or supporting documents from borrowers to clear discrepancies or unwarranted "false positives".

Suspicious Activity Report (SAR): A federal form submitted to a law enforcement agency that describes the suspicious activity and identifies all known parties.

2.4 Identification of Red Flags

Red flags apply to covered accounts that include new or existing customer information accessed by the creditor or accessed by third parties. Red flags are often discovered by cross-checking telephone directories, public or internet sources. Listed are the types of sources which may contain a red flag:

- Documents furnished by the consumer
- Documents furnished by transaction parties
- Documents furnished by employers or other income source
- Notices received from outside persons or entities in connection to the account being serviced

Red Flags are generally identified on consumer reports as:

- Alerts, notifications or warnings on the credit report
- Alerts noted on an SSN validation check
- Alerts noted on a Factual ID or Fraud-Check

2.5 List of 26 Red Flags by the Federal Trade Commission

Listed are the 26 Red Flags identified by the Federal Trade Commission:

1. A fraud alert was indicated in the consumer report
2. Notice of a credit freeze in a consumer report
3. A consumer reporting agency provided notice of address discrepancy
4. Unusual credit activity, such as an increased # of accounts or inquiries
5. Documents provided for identification appear altered or forged
6. Photograph on ID inconsistent with appearance of customer
7. Information on ID inconsistent with information provided by customer
8. Information on ID, such as signature, inconsistent with information on file at financial institution
9. Application appearing forged, altered or destroyed and reassembled
10. Information on ID does not match any address in the consumer report, SSN has not been issued or appears on the SSN Administration's Death Master File
11. Lack of correlation between Social Security number range and date of birth
12. Personal identifying information associated with known fraud activity
13. Suspicious addresses supplied, such as a mail drop, prison, phone numbers associated with pagers or answering service
14. SS number provided matches info submitted by another customer
15. Address or phone number matches other applicants
16. Customer unable to supply identifying information in response to notification that the application is incomplete
17. Personal information inconsistent with information already on file at financial institution or creditor
18. Person opening account or customer unable to correctly answer challenge questions
19. Shortly after change of address, creditor receives request for additional users of account
20. Most of available credit used for cash advances, jewelry or electronics, plus customer fails to make first payment
21. Drastic change in payment patterns, use of available credit or spending patterns
22. An account that has been inactive for a lengthy time suddenly exhibits unusual activity
23. Mail sent to customer repeatedly returned as undeliverable despite ongoing transactions on active account
24. Financial institution or creditor notified that customer is not receiving paper account statements
25. Financial institution or creditor notified of unauthorized charges or transactions on customer's account
26. Financial institution or creditor notified that it has opened a fraudulent account for a person engaged in identity theft

Section 3 Red Flag Detection and Response

3.1 Address Discrepancies

requires immediate response to all notices of address discrepancy that are received from the credit reporting agency. The notice is sent when the agency has noted a substantial difference between the borrower's address the company provided when requesting the report and the address(es) in the agency's file.

Upon receipt of such notice, it is the responsibility of the loan processor or underwriter to (a) compare the information in the credit report provided by the agency; and (b) verify the information in the credit report directly with the consumer.

is required by law to furnish a borrower's address to the credit agency after the processor or underwriter reasonably confirms accuracy to the credit agency. Reasonable confirmation is when a lender can form a reasonable belief that the credit report relates to the borrower; has established a continuing relationship with the borrower; or regularly furnishes information to the credit agency.

3.2 Accuracy of Information from Credit Agency Reports

requires that all credit reports and additional investigative reports be cross-referenced for accuracy. Should there be a discrepancy in a borrower's address or other identifying information from one consumer report to an additional report, all steps and procedures must be followed. The response, request for borrower explanations and other mitigation must be separately applied to each consumer report ordered.

may inform applicants that they can dispute the accuracy of credit information directly through the credit reporting agency.

3.3 Social Security Validation

requires a Social Security validation from at least one consumer credit agency or factual investigation service. No mortgage file can continue with processing based on the Social Security number that is provided on employer wage statements or other identifying information. Validation of SSN must be from authorized sources that obtain information from the Social Security Administration.

3.4 Factual ID Reports

's underwriting procedures must conform to the investor or agency standards. A Factual ID shall be ordered on 100% of purchase transactions. Each report must indicate a sales transaction or chain of title record for the subject property. For cash-out refinance transactions where there is less than one year's seasoning since the last refinance of the applicant, a factual ID shall be ordered. On a case-by-case basis, underwriters may request a factual ID as a pre-funding condition.

's underwriting procedures must conform to the investor or agency standards. A Fraud Check shall be ordered on all applications that are submitted to underwriting. Each Fraud Report is maintained in an electronic format attached to the specific loan record in Bay Equity's loan operations system as part of record retention. Any Alerts identified in the Fraud Report are reviewed and cleared by underwriting prior to final approval. Any Alerts that cannot be cleared shall be escalated to compliance for further investigation.

3.5 Alerts, Warnings from a Consumer Reporting Agency

The company requires immediate response to all alerts and warnings contained in a tri-merge credit report and/or all alerts and warnings noted on a Factual ID or Fraud Check report. The following examples are consistent with the types of red flags previously noted by the FTC:

1. A fraud or active duty alert is included with a credit report.
2. The credit agency provides a notice of credit freeze in response to a request for a consumer report.
3. The credit report provides a notice of address discrepancy.
4. The credit report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
   a. A recent and significant increase in the volume of inquiries
   b. An unusual number of recently established credit relationships
   c. A material change in the use of credit, especially with respect to recently established credit relationships
   d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor

3.6 Procedures for Mitigating Alerts from a Credit Agency

Upon receipt of a consumer report that contains an initial, extended, or active duty alert, it is the responsibility of the processor and underwriter to re-verify the identity of the customer. In addition to the company's requirements for ID information under the USA Patriot Act, the company shall request at least one additional piece of verification as per Bay Equity's Customer Identification Program. If the alert contains instructions to contact the consumer before taking any action on the request, then the processor must contact the consumer for an explanation.

Processors must document the steps taken to clear any Red Flags by providing a clear explanation in the conversation log and uploading documentation used to clear the Alert in the loan file or LOS system. Additionally, the additional verification submitted by the borrower should be indicated. Permission must be granted by a supervisor or the compliance officer to continue processing any loan application prior to the mitigation of the red flag. If the red flag cannot be mitigated within thirty days of receipt of an application, the company will issue a Notice of Adverse Action.

3.7 Presentation of Suspicious Documents

The company requires immediate response to all discrepancies and suspicious information found on documents furnished by the loan applicants or third parties. The following examples are consistent with the types of red flags previously noted by the FTC:

1. Documents provided for identification appear to have been altered or forged.
2. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
3. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
4. Other information on the identification is not consistent with readily accessible information that is on file with the company, such as a signature card or a recent check.
5. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

3.8 Presentation of Suspicious Personal Identifying Information

The company requires immediate response to all discrepancies and suspicious information found on documents furnished by the loan applicants or third parties. The following examples are consistent with the types of red flags previously noted by the FTC:

1. Personal identifying information provided is inconsistent when compared against external information sources such as:
   a. The address does not match any address in the credit report; or
   b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration's Death Master File.

2. Personal identifying information provided by the customer is not consistent with other documents provided by the customer.
3. The applicant does not respond to notifications that the application is incomplete or requests for more information.
4. Personal identifying information provided is not consistent with previous information on file with the company.
5. Personal identifying information provided is associated with known fraudulent activity detected by the company, such as:
   a. The address on an application is the same as the address provided on a fraudulent application; or
   b. The phone number on an application is the same as the number provided on a fraudulent application.
6. Personal identifying information provided is of a type commonly associated with fraudulent activity such as:
   a. The address on an application is fictitious, a mail drop, or prison; or
   b. The phone number is invalid, or is associated with a pager or answering service.

3.9 Notices Received for Suspicious Activity

The company requires immediate response to all notices received from third parties, existing or former customers, law enforcement authorities or other persons notifying the company that it has identified fraudulent activity or identity theft.

3.10 Red Flag Response to Presented Documents

The company requires immediate response whenever a red flag is detected; wherever applicable, the borrower is contacted to submit additional necessary information. Examples of responses are:

- Ask borrower to submit a written explanation
- Ask borrower to submit supporting documentation to clear the discrepancy
- Request borrower's employer to furnish supplementary payroll records.

Processors and/or underwriters must complete a red flag checklist or use another procedure to document the detection, investigation, and outcome or response. The checklist must be placed in the borrower's folder or stored with the borrower's other information in the database. Copies should be uploaded to the electronic file folder for record retention.

3.11 Re-Pollution of a Borrower's Credit Report

Re-pollution of a consumer's credit report occurs when information that has been identified as resulting from identity theft, either by the borrower or their credit agency, continues to be reported as valid information. To avoid re-pollution, the following procedures will be followed if the company receives either of the following:

- Notice from a consumer reporting agency that information Bay Equity LLC provided resulted from identity theft
- An identity theft report from a consumer

If the information is received from a credit agency, the compliance officer will conduct an investigation and verify the information is correct. After the investigation has been completed and the company has verified that the information provided to the credit reporting agency was the result of identity theft, the compliance officer will take action necessary to block the information.

Section 4 Mitigation

4.1 Assessment of Risk

The company must assess the level of risk and evaluate the exposure to identity theft to the company and/or consumer. All processors and underwriters must immediately respond to suspicious activities, bogus or suspicious documents, document discrepancies, alerts on the credit report and/or alerts or warnings on a fraud check or Factual ID. The employee must respond to the Red Flag on a level that is commensurate with the degree of risk posed to the borrower or company. In some cases, the risk may be increased due to identity theft caused by a data security breach.

4.2 Mitigation Steps for Cleared Variance

The company must proceed with proper steps for mitigating the red flag or alert. These steps are followed when a red flag is cleared due to circumstances where there is a bona fide error or explained variance. These measures include:

1. Contacting the customer to obtain explanations and/or documentation
2. Contacting employers, gift donors, financial institutions to correct or supplement erroneous information previously provided
3. Updating the information on the reported loan application and LOS system
4. Updating the credit report via an interactive comment/feedback option
5. Updating the documents contained in the loan file
6. Completion of the Red Flag Checklist

4.3 Non-returning Pre-qualification Applicants

The company must proceed with proper steps for mitigating the red flag or alert for all loan applications, including pre-qualifications that do not result in a submitted application, an application closed for incompleteness, a denied application and a withdrawn application. These steps are followed when a red flag is detected:

1. Complete the Red Flag Checklist
2. Issue a letter to the consumer that describes the red flag and a statement that informs the applicant that, due to the cancellation of the application, the lender is not responsible for further steps that may be required to correct or mitigate the discrepant data

4.4 Steps When the Red Flag Cannot be Mitigated

The company must proceed with its usual steps for denying the loan application or closing the file for incompleteness if a) the loan does not meet the investor or agency standards and/or b) the red flag cannot be mitigated. The following procedure is for applicants whose circumstances do not warrant filing of a suspicious transaction.

1. Complete the red flag checklist

2. Issue a Letter of Adverse Action with applicable reason(s)
3. Issue a separate letter to the consumer that describes the red flag and a statement that informs the applicant that, due to the cancellation of the application, the lender is not responsible for further steps that may be required to correct or mitigate the discrepant data
4. Enter the proper HMDA code for denial in the LOS system as either:
   a. Denied
   b. Closed for Incompleteness
   c. Withdrawn
5. Draft a file memorandum that explains the type of red flags, identifies the source of the information, and explains the reason(s) why the detected alert could not be mitigated
6. Submit a copy of the memorandum to the compliance officer
7. Notify Law Enforcement if warranted

4.5 Filing a Suspicious Activity Report (SAR)

The company must report all instances of identity theft on a suspicious activity report (SAR) in accordance with the guidance provided by the Financial Crimes Enforcement Network (FinCEN) and Bay Equity's BSA/AML/SAR Policy Manual. If applicable, the company will also report suspected mortgage fraud within the narrative of the SAR.

A SAR must be filed within 30 days after the company becomes aware of a suspicious activity or transaction. The filing deadline may be delayed an additional 30 days if the relevant party is not yet identified; however, the total time may be no longer than 60 days. In addition to filing a SAR, the company must notify law enforcement for violations that require immediate attention, such as suspected terrorist activity.

Specifically, when identity theft is believed to be the underlying cause of the known or suspected criminal activity, we will complete a SAR in the following manner:

1. In Part III, Box 35, check all appropriate boxes that indicate the type of known or suspected violation being reported and, in addition, in the Other category, write in Identity Theft.
2. In Part V, explain what is being reported, including the grounds for suspecting identity theft in addition to the other violations being reported.
3. In the event that the only known or suspected criminal violation detected is identity theft, write in Identity Theft as appropriate, in the Other category in Part III, Box 35.
4. Provide a description of the activity in Part V of the SAR.

The company will utilize FinCEN's BSA E-Filing system for filing suspicious activity reports by enrolling online at http://bsaefiling.fincen.treas.gov. SAR records must be maintained for 5 years from the date of the SAR filing. Records should include both the SAR filing and supporting documentation.

4.6 Identity Theft Affidavit

To assist borrowers who are found to be victims of identity theft, the following procedures are followed:

1. Provide the customer with the company's identity theft package. Instructions must be provided to assist the customer in completing the required forms. The packet includes:
   a. Cover Letter
   b. Identity Theft Affidavit Instructions
   c. Additional Identity Theft Procedures
   d. Identity Theft Affidavit
   e. Fraudulent Account Statement
2. Applicants can contact the Identity Theft Hotline of the Federal Trade Commission (FTC) at http://www.consumer.gov/id.theft or call toll free (877) 438-4338.
3. The company can obtain identity theft packets from the FTC website.
4. Suggest the customer file a police report with local law enforcement agencies to document the crime.
5. Suggest the customer contact fraud departments of each of the three major credit bureaus and request that a fraud alert and/or a victim's statement be placed in their credit file.
6. Suggest that the customer order a free credit report to monitor their identity theft situation. Listed are the phone numbers of the three national credit bureaus:
   Equifax (800) 525-6285
   Experian (888) 397-3742
   Trans Union (800) 680-7289

Section 5 Information Security

5.1 Safeguarding Confidential Information

Below is an overview of Bay Equity's Information Security policy, which can be viewed separately.

Employees may have access to confidential information contained in the company's customer database. Integral to the success of the mortgage industry is the business of refinancing loan applications of existing customers. Consumers may prefer to save time, and in certain cases, the expense of appraisals and other verification documents and request the review and re-use of their prior mortgage file depending on the age of documentation contained in the previous loan transaction. In all instances, the company requires the consumer to sign a new credit authorization and Consumer Privacy Notice, whether or not an application is taken.

All loan originators, processors and other staff members referencing file documents from former customers for the purposes of evaluation and processing of an application shall adhere to the policies set forth regarding use and re-use of consumer information and information-sharing.

For direct marketing to prior customers, the consumer may be unaware of what information, and the extent of information, that has been made available to the company representative, who may be a different loan originator. In these cases, caution must be exercised to assure the borrower that access to their information was duly authorized and in compliance with privacy regulations.

A general policy for safeguarding consumer information is to mark all e-mails and correspondence with "Confidential."

For purposes of this policy, confidential information includes, but is not limited to:

- Information regarding personnel who are currently or formerly employed by the company
- Procedures for computer access and passwords of employees and system users
- Any information pertaining to mortgage borrowers who have closed loans with the company
- Any information regarding mortgage applicants whose loans were closed for incompleteness, withdrawn, denied or counter-offer not accepted
- Prospect information concerning potential customers of the company
- Any other information relating to the company's research, marketing, operations, investors, warehouse lenders and secondary marketing agencies

5.2 How Information is Obtained

Information can be stolen from consumers in a variety of ways. Thieves may use the information directly or sell the information to others, including thieves operating outside of the country. Listed are the various methods associated with identity theft:

Dumpster Diving
This is a method that involves thieves peering through the discarded trash of a business. Companies that empty office trash into unsecured areas or unlocked outdoor receptacles are vulnerable to thieves seeking confidential consumer information.

Mail Theft
Mail can be stolen directly out of a consumer's mailbox. Another form of mail theft is when a thief completes a change of address form at the post office to divert a consumer's mail to another address where it can be intercepted and the identity stolen.

Shoulder Surfing
This is a method used by thieves in public places, such as shopping malls and airports. Typically, shoulder surfing targets long distance calling card numbers that are entered into public telephones.

Skimming
There are various methods associated with skimming, and they involve electronic and manual procedures for stealing credit card information. Skimmers are often employees of third parties, such as retailers or restaurants. The thief will either manually copy the credit card information while the customer waits, or use a sophisticated device where a swipe is made through an illicit piece of equipment that the thief keeps hidden.

Third Parties
Most third parties, such as employers, maintain personal information about individuals that, if obtained, can be used to commit identity theft. Dishonest employees working for the third party can commit identity theft without knowledge of their employer.

Unauthorized Credit Reports

A thief poses as a landlord, employer, or financial advisor and orders a credit report claiming that they have a permissible business purpose.

5.3 E-Mail Policies and Procedures

The company's e-mail system is designed to improve service to customers, enhance internal communications, and reduce paperwork. Employees using the company's e-mail system must adhere to the following policies and procedures:

1. The company's e-mail system, network, and Internet/Intranet access are intended for business use only. Employees may access e-mail and the Internet for personal use only during non-working hours, and strictly in compliance with the terms of this policy.
2. All information created, sent, or received via the company's e-mail system, network, Internet, or Intranet, including all e-mail messages and electronic files, is the property of the company.
3. The company reserves the right to access, read, review, monitor, and copy all messages and files on its computer system at any time and without notice. When deemed necessary, the company reserves the right to disclose text or images to law enforcement agencies or other third parties without the employee's consent.
4. Any message or file sent via e-mail that contains borrower information of any type must come from an approved Bay Equity email address and must have the employee's company approved email signature attached.
5. Information transmittals must utilize extreme caution to ensure that the correct e-mail address is used for the intended recipient(s).
6. Any mortgage documents, including closing packages, and/or confidential customer information sent to service providers must be properly protected by a firewall or other appropriate security device(s) and/or software and transmitted through SSL systems.
7. Borrower confidential information cannot be sent via e-mail unless encrypted by company approved encryption software and according to established company procedure in effect at the time of transmittal. This includes, but is not limited to, the transmission of customer financial account numbers, Social Security numbers and other nonpublic consumer information.
8. Any mortgage documents, including closing packages, and/or confidential customer information sent to service providers must be properly protected by a firewall or other appropriate security device(s) and/or software and transmitted through SSL systems.
9. Employees must provide the System Administrator and/or Information Security Officer with all passwords upon request. Passwords may not be changed without permission.
10. Only authorized management personnel are permitted to access another person's e-mail without consent, and access shall be limited to business-related purposes except for unforeseen circumstances requiring access for other purposes.
11. All messages archived in the company's server, network and workgroup computers shall be deemed company property. Employees must archive messages to prevent them from being automatically deleted. Employees are responsible for knowing the company's e-mail retention policies.
12. Misuse and/or abuse of electronic access, including but not limited to, personal use during working hours, copying or downloading copyrighted materials, unprofessional content searches or messages will result in disciplinary action, up to and including termination.

5.4 Electronic Access

The company provides electronic access to every employee who handles loan origination, closing and post-closing information. Personnel are assigned an e-mail address, a network connection, and Internet access. This policy governs all use of the company's network, Internet access, and e-mail system at all company locations and offices. This policy includes, but is not limited to, electronic mail, chat rooms, the Internet, news groups, electronic bulletin boards, the company's VPN / Intranet and all other company electronic messaging systems.

This policy governs the information security for all documentation utilized by the company and its affiliates, whether the communication is made by telephone, mail, facsimile, courier or any electronic system.
5.5 Network and Internet Policy

Network configurations enable loan processors, originators, closing coordinators and administrative staff to access certain files. All rules and policies with respect to consumer information apply to files accessed among network users. Safeguarding confidential information involves local area network (LAN) and wide area network (WAN) configurations.

The company requires all users having access to networked information to comply with the safeguarding of confidential information in accordance with the foregoing red flags identity theft plan, as follows:

1. The company reserves the right to monitor, inspect, copy, review, and store at any time and without prior notice any and all usage of the network and the Internet, as well as any and all materials, files, information, software, communications, and other content transmitted, received, or stored in connection with this usage. Use of network and Internet access extends throughout an employee's term of employment, providing the employee does not violate the company's policies regarding network, Internet or Intranet use.
2. By accepting an account password, related information, and accessing the company's network or Internet system, an employee agrees to adhere to company policies regarding their use. Employees agree to report any misuse or policy violation(s), including use of an account password by anyone other than the designated employee, to the Security Officer.
3. The company reserves the right to suspend access at any time, without notice, for technical reasons, possible policy violations, security or other concerns.
4. The company, at its sole discretion, will determine what materials, files, information, software, communications, and other content and/or activity will be permitted or prohibited. All such information, content, and files are the property of the company.
5. Network administrators may review files and intercept communications for any reason, including but not limited to maintaining system integrity and ensuring employees are using the system consistently with this Policy.

5.6 Prohibited Activities

The company's employees are prohibited from using the company's e-mail system, network, or Internet/Intranet access for the following activities:

1. Downloading software without the prior written approval of the Security Officer.
2. Printing or distributing copyrighted materials. This includes, but is not limited to, software, articles and graphics protected by copyright.
3. Using software that is not licensed by the manufacturer or approved by the company.
4. Sending, printing, or otherwise disseminating the company's proprietary data or any other information deemed confidential.
5. Operating a business or otherwise engaging in commercial activity outside the scope of employment.
6. Sending or forwarding messages containing borrower consumer credit or confidential information or account numbers.
7. Sending or forwarding a message that discloses personal information without authorization. This shall also include accessing, transmitting, receiving, or seeking confidential information about borrowers or mortgage transactions without written authorization.
8. Using another employee's password or impersonating another person while communicating or accessing the network or Internet including, but not limited to, any company approved software or LOS system.

5.7 Authorized Use of Software

The company purchases, leases or maintains site licenses for computer software applications from a variety of commercial manufacturers. To ensure compliance with software license agreements and the company's security policy, and to prevent identity theft resulting from shared, copied or unauthorized downloading of software programs, applications and data, all employees must adhere to the following:

1. Software must be used in accordance with the manufacturer's license agreements. Employees acknowledge they do not own the Loan Origination System (LOS), Desktop Originator, Loan Prospector, or other mortgage pre-qualification programs used in connection or as an adjunct to the firm's LOS system that are supplied by the company.
2. Employees may not make additional copies of any software, unless expressly authorized by the company and software publisher.
3. Any employee who knowingly makes, acquires, or uses unauthorized copies of computer software licensed to the company, or who places or uses unauthorized software on the company premises or equipment shall be subject to disciplinary action or termination.
4. Employees must obtain permission from the Security Officer prior to installing personal software onto the company's computer system. Employees are not permitted to copy software from the company's computer system for installation on home or other computers without prior authorization.