Best Practices Update Targets Agent Oversight of People, Processes and Technology
The American Land Title Association has published its ALTA Best Practices Framework version 4.0, featuring several significant updates to Pillars 2, 3 and 4 in response to what the trade group identified as a changed environment, including new laws, increasing fraud threats, and more complex technology.
On a recent ALTA webinar explaining the changes, the association listed a litany of ways the industry has changed over the past decade, including earnest money apps, remote workers, an explosion of new technology, remote online notarization, more sophisticated fraud, real time payments, and a growing technology environment that includes a complex web of third-party integrations.
Because of the drastically different environment in which title agents are now working, ALTA has broadened its focus to address increasing complexity in operations, including safety, customer experience and efficiency.
“These revisions have been made with the specific objective of allowing agents and direct operations to continually improve their practices and procedures to ensure financial, data security and operational stability, and to provide lenders and other constituents with the assurances that their needs are being fulfilled by these efforts,” ALTA said in its official release of version 4.0 on January 23.
For Alliant National agents, it is important to note that the implementation date of May 23 will affect assessments and renewals, which if conducted after that date, must be based on the 4.0 framework.
Let’s take a look at some of the most significant changes.
Pillar 2: Escrow Accounting:
ALTA made several changes to Pillar 2, including updating the treatment of non-settled funds and outstanding file balances, use of fintech applications, escrow funds training, and wire transfers.
Loss of Funds
The Pillar 2 purpose section was updated to note that the loss of funds in a transaction may fall outside of E&O coverage and could become the responsibility of the title agency.
In addition to having policies and procedures in place that prohibit or control the use of ACH transactions and internal wire transfers, agents must also ensure procedures are in place for electronic/digital receipt of funds from web-based fintech applications.
When using a third-party earnest money deposit or disbursement platform that facilitates digital transfer of escrow account receipts and disbursements, the agent must ensure the platform meets good funds law requirements and is not subject to the Electronic Funds Transfer Act (EFTA), which would allow for reversal of consumer payments.
On the ALTA webinar, association representatives noted that one of the most important changes agents should pay attention to is the requirement that they carefully vet platforms they are using to receive incoming funds to make sure those platforms do not allow for reversal of funds.
Along those same lines, in the previous versions of the Best Practices, agents were absolutely prohibited from accepting and wiring out funds before they had cleared.
Recognizing that agents were sometimes taking this risk in extenuating circumstances, the new language provides some leeway, saying that agents should ensure that undue risk is not being undertaken for deposits that are not fully settled.
As an example, a title agent may accept a check after a closing for an inconsequential amount – $20 for example – but are prohibited from incurring the risk of accepting a substantial amount of money and wiring out before it has cleared. The level of risk should be commensurate with the amount of money being risked and the company’s size and ability to assume that risk, and that threshold must be determined by each company.
Given growing security concerns over the vulnerability of wire transfers, agents are now required to have documented procedures to verify wire transfer instructions independent of the initial communication, and those verification procedures should include multi-factor authentication (MFA). (See ALTAs Outgoing Wire Preparation Checklist)
Best practices were also updated to recommend the use of wire verification services, with the caveat that those providers should be vetted to assess risk of use, security protocols and the provider’s ability to protect consumer data.
ALTA pointed out during the webinar that companies can have the most sophisticated policies to protect themselves against wire fraud but may still find themselves exposed to risks due to human error. Wire verification services, where they are available, efficient and economical, should be used as another tool to prevent fraud.
While the original best practices required agents to get background checks only on employees who had access to customer funds, the updated procedures extend that requirement to all employees at the time of hire with updates every three years thereafter.
Aging Escrow Balances
Procedures are updated to require that managers review and approve any activity in aging escrow file balances.
Pillar 3: Privacy and Information Security Programs to protect NPI
ALTA made important updates to many aspects of an agent’s responsibility to protect NPI, including physical protection, cloud security, and the agent’s incident response plan.
Written Information Security Plan (WISP)
One of the most extensive changes to Pillar 3 is the requirement for a written information security plan (WISP) and a privacy plan to protect NPI as required by local, state and federal law. Specifics of the updated procedure include:
- The use of MFA for access to systems containing NPI
- A password management plan that requires unique login names and system passwords to access systems containing NPI
- System passwords must meet minimum standards, which include:
- reentry of the password after system idling
- passwords that expire after a certain period of time
- difficult-to-guess passwords that include upper- and lower-case letters, special characters and a minimum length of eight total characters
- Timely software updates, which when left outdated, can result in data breaches, cyberattacks, ransomware attacks and other NPI exposure
One additional requirement is that access to the company’s information systems must be granted only to authorized employees and authorized service providers who have undergone background checks.
This extends to physical access as well, with version 4.0 adding the caveat that only authorized employees and authorized service providers who have undergone background checks should be allowed access to desk, cabinets or storage areas where NPI is housed.
Other changes to Pillar 3 include:
- Extending network security requirements to use of cloud systems, virtual equipment, data centers and third-party hosting
- Updating the disaster recovery and business continuity plan to specifically include a compromise of systems or facilities
- Adding language that notes the inclusion of continuity of operation for consumer settlements and timely notification to all parties in case of any delays due to a disaster
- Noting that the written incident response plan should follow the recommendations of the ALTA Cybersecurity Incident Response Plan
- Specifying that service provider policies are to be consistent with the company WISP – including IT consultants, outsourcing company employees and third-party software employees. Software tools and resources are also to be consistent with WISP
Pillar 4: Settlement
Pillar 4 updates increase an agent’s responsibility for vetting internal and external signing professionals and for selection of remote notarization platforms, as state law and underwriter guidelines have changed dramatically since the pandemic. As part of the new consumer focus, changes were also implemented related to staff training and consumer notifications.
Pillar 4 is updated to include training for staff to provide a framework for:
- Minimizing errors
- Enabling a timely response to concerns raised following a settlement
- Addressing consumer complaints
This updated requirement for improved training calls for agents to created a formalized training program for every aspect of the title and escrow process. While it may have been sufficient in the past to ask a new hire to shadow another employee for a few days to learn the procedures, ALTA has now determined an informal approach can lead to inconsistencies and errors.
A formal training program can ensure everyone within the agency is handling each aspect of the process in exactly the same way. It also overrides the dangers of a new employee from going rogue and “doing it the way we did it at my previous agency.”
Most importantly, the updated Best Practices framework encourages agents to document every aspect of the training so that all managers within the agency follow the same protocols when training a new employee.
Remote Online Notarization (RON)
Agents whose employees will be notarizing documents via remote notarization are required to select a platform authorized by the state in which the notary is located and one that is approved by the agent’s title underwriter. Returning once again to the issue of NPI, the updates require the agent to ensure the platform is capable of meeting the minimum requirements of the state, including retention of the video and safeguarding NPI. This same level of oversight is required if the agent engages a third-party to notarize documents via RON.
As with RON oversight, responsibility is placed on the agent to verify signing professionals have state and contractually required licensing and insurance. In addition, agents must perform background checks for signing professionals employed by the company and ensure that third-party signing professionals have the required professional designation, insurance and bond.
Pillar 4 includes several other miscellaneous updates, including:
- A requirement to provide an affiliated business relationship disclosure in compliance with state and federal law
- Guidance for additional procedures to follow when using an e-recording vendor
- New guidance in the payment of fees or tax for escrow trust accounts
Pillars 5, 6 and 7
Only one update was made to Pillar 6, which is a new mandate to review cyber, crime, and E&O coverage limits and exceptions annually.
No substantive changes were made to Pillars 5 and 7.
As part of this revision, ALTA also published the following ALTA Best Practices Framework documents, available at https://www.alta.org/best-practices/.
- The Best Practices Assessment Procedures
- Internal Assessment Report and Letter
- Third-Party Assessment Report
Alliant National agents are encouraged to carefully review current policies and procedures in light of these important best practices updates. This is especially critical for agents who are facing assessments after the May 23 implementation date.
Please contact your Alliant National underwriting counsel if you have any questions or concerns as you review and implement these new policies.
Tags: ALTA, best practices, cybersecurity