eClosing: Is it Safe and Secure?
Disclaimer: This blog is provided for informational/instructional purposes only and does not constitute the giving of legal advice or establish an attorney-client relationship. Stewart makes no express or implied warranties with regard to and shall have no liability for any errors or omissions or for the results of the use of such material. You should not assume that this information and materials is error-free or that it will be suitable for the particular purpose that you have in mind. It is not intended to direct your closing practices or to change the provisions of Stewart’s underwriting agreements. Escrow and settlement services are outside the scope of Stewart’s agency contracts. You should seek the advice of your own legal counsel in making all decisions pertaining to escrow and closing matters under state and federal law.
One of the myths related to eClosing is that it is not safe and secure. In light of the recent Equifax breach, where a potential 143 million Americans may have had private information exposed, the impact of a security breach is top-of-mind for many companies – and a significant disruptor for title companies and lenders. There are things the title and mortgage industry can do to mitigate legal and compliance risks on the path to eClosing and eClosing integrations. Even though escrow matters are outside the scope of our underwriter/agency agreement, this blog is intended to provide information for you to consider becoming an eClosings enabled company.
Title companies and lenders should regularly evaluate whether technology vendors meet cybersecurity requirements and expectations.
Federal and state laws (including the Gramm-Leach-Bliley Act) require title companies and lenders to develop a written information security program that describes the procedures you employ to protect data and personal information. This program must be appropriate to your size and complexity; the nature and scope of your activities; and the sensitivity of the customer information you handle. You should evaluate and adjust your program regularly, in light of changes in your business operations and the results of security testing and monitoring. For title companies and lenders, it is important to look at how cybersecurity laws and regulations are enforced by state and federal regulators, and also how mortgage lenders address this are compliance requirements for settlement agents, as both may be a target for enforcement by regulators. Title companies and lenders should endeavor to follow regulatory guidance to ensure best practices in cybersecurity and to mitigate their regulatory risk. In addition, being responsive to this guidance is essential as private plaintiffs are likely to rely on any deviation from regulatory guidelines, as well as your own policies and procedures, as evidence of inadequate cybersecurity requirements in litigation in the wake of a cyber breach.
Talk to your eClosing Vendors.
You should perform your own due diligence to assess whether or not eClosing technology vendors have sufficient security policies, procedures and programs and other protocols in place to protect consumer information. Data Security and audit rights should also be included in any vendor contract, especially in the case of eClosings, which would be heavily dependent on data transfer via computers. Most eClosing vendor technology has increased security for personal information. eClosing vendors should be able to demonstrate the following:
How does eClose vendor technology ensure the loan, title and closing documents have not been modified?
- Signed Document Locking with Tamper Evident Markers. Vendor technology should offer tamper evidence, which seals or uses other techniques to protect an electronic signature from unauthorized access or tampering. Title companies and lenders should ask digital signature vendors how their technology links the electronic instrument with the user authentication to avoid future signer repudiation. Any technology should record all important signature activities and create a secure record of evidence that the signature used was not tampered with in any way – which might also invalidate the electronic signature. Tamper-sealed or encrypted certificates are often used to record the date, time stamp and other signature activities and to create an audit trail to prove ownership and information about each signer’s identity.
- Secure Storage and Retrieval of Signed Document. Vendor technology should use a secure storage and a secure retrieval method that can be proven. Title companies and lenders should consider whether a vendor’s storage and retrieval system includes high data security standards, as well as privacy safeguards consistent with industry best practices which includes length of time the files are available and whether this complies with state regulations (i.e. Texas P-17 and P-32).
- Audit Trail for Every Signed Document. Vendor technology should also include an audit trail for every signed document which will withstand scrutiny in court. The audit trail can prove: (1) who signed a document; (2) when they signed it; and (3) track the steps of the entire eSigning process. These steps include: emails and notifications sent to any signer; signers consent to use e-signatures; user authentication methods; documents viewed by each signer; signature creation (by each signer); party agreement to/acknowledgment of document; cancellations and opt outs; and changed party information.
- Multiple signers, sequential signing. Vendor technology should allow for separate authentication where there are multiple Signers. Title companies and lenders may want the ability to designate a particular signing order with a Signer Sequencing function. You may also want the ability to upload a document and add a Signer’s name and email for multiple Signers.
How does the eClose vendor technology verify the signer’s identity?
Vendor technology should provide a secure method for each signer to access the eClosing platform and securely eSign and eNotarize the documents. There are a number of ways vendor technology can authenticate the signing parties:
- ID Verification and Access Logs. Vendor technology should provide levels of authentication to access the system, which identify and verify the signer created the electronic signature. Title companies and lenders may want to require a more advanced level of authentication such as personal information (i.e., driver’s license or I.D. check or Social Security I.D.) rather than only an access code (i.e. email only) before the parties can access, view and sign documents to improve the risks related to identity of the signer. Any technology solution should have several authentication levels to determine that a document is signed by the person who claims to be signing it and not by a forger. Authentication levels (from low level to high level) include the following:
- Email Authentication Only. The Signer is provided an email with a link to the transaction. The Signer(s) clicks on the link and the eSign transaction continue.
- Text Message Authentication: The Signer receives a link to the transaction via email. Once the signer consents to use the e-Closing platform, the vendor sends them a text message containing a random, one-time password. The Signer is “authenticated,” if the Signer enters the code correctly and the transaction continues.
- Knowledge Based Authentication (KBA). The Signer receives a link to the transaction via email. The Signer is first prompted for the last four digits of their social security number and date of birth. If they provide the correct information, they’re prompted with a set of four multiple-choice questions (i.e. what type of car did you own in 1996). If the user successfully answers the challenge questions, then the Signer is “authenticated,” and the transaction continues.
Title companies and lenders should ensure any eClosing vendor technology is consistent with specific state requirements for the eNotary and Online/Remote Notary, as allowed by state law. These requirements may include specific hardware and technical requirements, as well as separate registration and education with the Secretary of State or state agency which regulates and licenses the notary.
Title companies and lenders need to consider cybersecurity in negotiation of the terms and conditions of eClosing vendor contracts.
Title companies and lenders may want to consider mitigating liability risks for cyber breaches through front end contractual liability provisions in the event of breach. Your legal department or attorney should review all indemnity and warranty protections in any vendor agreements. It is important for contracts to include provisions for data security and breach notifications if your company will use the eClosing vendor to store data or if the vendor will have access to data (for operational matters). eClosing vendor contracts should set out your expectations regarding vendor performance. They should also seek to mitigate risk and allocate liability in the event of a security breach. Each contract should be written to reflect your cybersecurity strategy and how you assess the risk for the type and size of the transaction. Contractual provisions will vary; however, each party has an interest in identifying and mitigating cybersecurity risks especially in light of the issuance of title insurance policies and duties thereunder.
What this means for you?
Ongoing management and compliance with cybersecurity regulations – as well as protecting consumer data and information – is critical as you move towards eClosing and eClosing integrations. Title companies and lenders should ensure any electronic signature technology has sufficient audit capability and full compliance with eSign and UETA, and it is important to review technology solutions for technical compliance with industry best practice standards, as well as state and federal law compliance.