On My Soapbox—Is it Fair to Make Title Agents and Law Firms Prove Compliance with Best Practices?

For those in the title and legal industries, it can be more than a little annoying to have one’s role in representing lenders characterized as merely that of “third-party service provider.”  Title agencies and law firms perform the same trusted services for the lending community today—handling confidential bank client information and millions of dollars of lenders’ funds, as they have day after day for the last half century!

That being the case, why are title agencies and law firms now being required to jump through hoops to prove they are in compliance with either newly imposed bank standards or ALTA Best Practices?  Can anyone point to an explosion of cases where title agencies and law firms providing services to bank clients have been repeatedly harmed?

The short answer is “no”—currently there is no extensive list of data breach cases that could give rise to the conclusion that any sort of crisis has arisen from dealing with title agencies and law firms.  For those two specific industries, there is almost nothing that lenders can point to and say, “That’s why we need to make every one of you prove that you are following existing law.”  To the contrary, many in the title and legal industry want to tell the lending community, “We are doing a good job, and there is no reason to make us prove compliance when there is no proof of non-compliance.”

Unfortunately, there are some highly visible examples of other bank service providers who have caused the banking industry huge losses.  The following is a list of fines that were levied on financial institutions, not because of what they did, but as a result of the compliance violations committed by third-party vendors hired by those financial institutions.  The blog “Regulators Go After Banks for Vendor Management,” by Reed White, an associate in Bryan Cave’s Atlanta financial institutions practice, outlines the following examples of some of the levied fines:

  • Consumer Financial Protection Bureau (CFPB): Discover Bank, $14 million civil penalty (September 2012)
  • Office of the Comptroller of the Currency (OCC): American Express Bank, estimated $6 million in restitution (September 2012)
  • CFPB: J.P. Morgan Chase, $309 million in restitution and $20 million civil penalty (September 2013)
  • CFPB: American Express, $59.5 million in restitution and $9.6 million civil penalty (December 2013)


“Beeeeeeeeeep… This Is a Test.”

Ahhh…the jolting sound that sometimes interrupts our prime-time television programming: This is a test.  For the next thirty seconds, this station will conduct a test of the Emergency Broadcast System.  This is only a test.

Though they are prickly interruptions, we tolerate these tests because they are brief and, perhaps most importantly, we understand that should a real emergency occur, the Emergency Broadcast System (EBS) would keep us informed.  As it should, system testing takes place before an actual emergency to ensure that notifications function properly before the need is dire.  In the same way, emergency preparedness for a cyberattack should occur before an attack happens.  This blog will concentrate on testing your emergency plan in advance of an attack and analyzing your established insurance policies to see if you would be covered for inevitable financial costs associated with such an attack.

The EBS and its predecessor notification programs have been operating almost the same way since 1951.  When we take a look at why, several underlying principles become apparent:

  1. It’s critical to anticipate a wide variety of potential disasters.
  2. It’s important to have plans in place to deal with such disasters before they occur.
  3. It’s critical that the plans can be implemented in a timely fashion to minimize loss.
  4. It’s crucial to get people’s attention, so the established plans are repeatedly tested.
