For those in the title and legal industries, it can be more than a little annoying to have one’s role in representing lenders characterized as merely that of “third-party service provider.” Title agencies and law firms perform the same trusted services for the lending community today—handling confidential bank client information and millions of dollars of lenders’ funds, as they have day after day for the last half century!
That being the case, why are title agencies and law firms now being required to jump through hoops to prove they are in compliance with either newly imposed bank standards or ALTA Best Practices? Can anyone point to an explosion of cases where title agencies and law firms providing services to bank clients have been repeatedly harmed?
The short answer is “no”—currently there is no extensive list of data breach cases that could give rise to the conclusion that any sort of crisis has arisen from dealing with title agencies and law firms. For those two specific industries, there is almost nothing that lenders can point to and say, “That’s why we need to make every one of you prove that you are following existing law.” To the contrary, many in the title and legal industry want to tell the lending community, “We are doing a good job, and there is no reason to make us prove compliance when there is no proof of non-compliance.”
Unfortunately, there are some highly visible examples of other bank service providers who have caused the banking industry huge losses. The following is a list of fines that were levied on financial institutions, not because of what they did, but as a result of the compliance violations committed by third-party vendors hired by those financial institutions. The blog “Regulators Go After Banks for Vendor Management,” by Reed White, an associate in Bryan Cave’s Atlanta financial institutions practice, outlines the following examples of some of the levied fines:
- Consumer Financial Protection Bureau (CFPB): Discover Bank, $14 million civil penalty (September 2012)
- Office of the Comptroller of the Currency (OCC): American Express Bank, estimated $6 million in restitution (September 2012)
- CFPB: J.P. Morgan Chase, $309 million in restitution and $20 million civil penalty (September 2013)
- CFPB: American Express, $59.5 million in restitution and $9.6 million civil penalty (December 2013)
None of the misdeeds that gave rise to these jaw-dropping fines arose from any title agency or law firm. In spite of that fact, both the title and legal industries unfortunately have been classified as part of a broad generic category referred to as “third-party service providers.” At the same time, those companies that were found guilty of violations, and which caused their lender clients hundreds of millions of dollars in fines, have also been lumped into that same generic category.
Some argue that’s the root of the problem—title agencies and law firms are being subjected to a higher level of compliance merely because they fall into a broad category of service providers that includes a few vendors who have caused huge losses. Is that fair? Can it be argued that so long as there are no losses attributed to negligence or misdeeds of title agents or law firms, they should be allowed to operate without presenting proof of regulatory compliance? Should a lender be more lenient on those industry service groups that have performed without any documented evidence of violations?
These are all good questions, but in the end, as unfair as it may seem to some, title agencies and law firms are probably not going to be able to escape a lender’s demands for documented proof of respective compliance with existing laws, regulations, and written closing instructions. Financial institutions are not bound to adhere to the criminal law concept of “innocent until proven guilty.” Their recent experience with the size of potential fines and the anticipated incalculable losses arising from damage to a lender’s reputation are simply too high to allow a lender to tolerate even a first violation.
I always thought that if a title agent or law firm attorney could take a step back and imagine this security and trust issue from a lender’s viewpoint, he or she might see the act of providing required proof of regulatory compliance differently. An NBC News article I read last week about a recent data breach might help title agents or law firms better understand the mindset of lenders they service. I encourage you to read “Data Breach at PIP Printing Company Leaks Thousands of Highly Sensitive Documents.” With the exception of the highly salacious disclosures discussed in the article, the overall fact pattern in this case generally mimics the relationship between a lender and a title agent or law firm, i.e., one party engages another to perform services for the benefit of the first party’s client.
In a real estate transaction, the lender decides to hire a title agent/law firm to provide a part of the overall services the lender offers to its banking customers. The lender could do the complete job but, for economic and efficiency reasons, decides to use a third-party service provider. In the course of delegating work, it is necessary to transfer sensitive client information for the title agent/law firm to perform its job. Implicit in the transfer of that information is an expectation of trust that such confidential information will only be used for the client’s benefit and remain confidential after the job is completed.
The PIP data breach article presents a similar fact pattern. In actuality, a law firm is familiar with the PIP Printing fact pattern since it also often uses outside printing services. Law firms are hired to represent clients in commercial transactions or lawsuits, or to provide advice and counsel. This business relationship is similar to bank customers who employ banks to facilitate their loans. Law firms often are faced with handling large amounts of confidential client data, depositions, and production of sensitive documents. Many times, handling of the engagement requires printing some of that confidential data. While this task could be accomplished within the law firm, because of the volume required or need for speed, such printing of those confidential documents is outsourced to a third-party service provider, such as a commercial printing company. Much like the lender’s hiring of a closing agent, implicit in the transfer of the law firm’s information to the printer is an expectation of trust that such confidential information would only be used for the client’s benefit and remain confidential after job completion.
In these scenarios, both the law firm and the lender have engaged the services of a third-party vendor, and both are justified in their expectation that the confidential information entrusted to that third party will be securely processed and remain confidential. But now, when a law firm hires a copying service, the law firm has stepped into a role similar to that of the lender. With that mindset, as a lawyer hiring the copying company, try to answer the following questions:
- Does your law firm have an obligation to protect your client data when outsourcing to a third party like a printer?
- Is your law firm justified in its concern about the security of your client data when tendered to a third party?
- If the printing company was asked to provide some assurance about how your firm’s data would be protected, and the printing company refused, could continued use of this vendor be justified?
- How comfortable would you feel if the printer merely verbally expressed—without any third-party assurances—that it “protected your data?”
- Would your law firm feel inclined to do business with a different printer that could provide third-party assurance of the extent of its security procedures?
Too often a lender’s mention of the term “ALTA Best Practices” causes a title agent to immediately feel like the “victim” of the lender’s unreasonable demands. Yet, after that same title agent/law firm admits that it too has an obligation to protect its clients’ data, a lender’s request for third parties to provide proof of their security measures seems entirely justified.
In truth, the only reason a title agent/law firm may feel like a victim is that the title agent/law firm may fear it will have to pay for a future Best Practices assessment or is unsure it could pass one, if conducted. Those already certified as compliant with ALTA Best Practices don’t feel victimized; they are pleased to submit their certification documents and move on to their next closing.
I am the first to admit it takes a lot of internal time and effort to operate a firm in a compliant fashion, and there are costs associated with securing an assessment and certification of compliance with the ALTA Best Practices Assessment Procedures. The concept behind Best Practices is about doing what is expected by all of us as reasonable business partners–protecting each other’s confidential data and acting in a responsible manner–what everyone already purports to provide to each other daily. Unfortunately, while everyone “represents” that they operate in a responsible manner, we all recognize that some of our competitors, and those we use as third-party vendors, operate far below expectations. In a nutshell, that is why we, and the lenders we service, need an independent third-party assessment process to provide our clients with the protections that we each are obligated to provide and our respective clients have the right to expect.
So, back to the question initially posed in the blog title, “Is it fair to make title agents and law firms prove compliance with Best Practices?” Initially, it appears that what is “fair” may depend on your perspective—are you the one asking for proof or the one being asked? However, if you define the term “fair” as “reasonable,” the answer must be “yes.” In light of our unquestioned obligation to protect the confidentiality of our respective clients’ data, and the acknowledged variation in security measures employed by those in our industry, it is reasonable for everyone to ask for, and everyone to provide proof of, the steps taken to assure that data is being used and maintained in a secure, confidential fashion. We live in a time when the risks of a security breach are high, and therefore it is reasonable to both ask for, and receive, assurances of the employment of adequate security measures.
In closing, I submit the oft-quoted phrase from Forrest Gump…
(at least until the next blog).