The cost of fraud to title and settlement services companies far exceeds the actual face value of a fraud incident, according to the 2022 LexisNexis True Cost of Fraud Study released recently.
The 57-page report provides information on current fraud trends in the mortgage, title and settlement industries and details some of struggles companies face in addressing fraud detection, prevention and customer experience.
In terms of the cost of fraud, research indicates that for every $1 lost in an actual fraud incident, the cost to a title company is $4.19 or four times that of the face amount of the loss. The number rises to $5.34 for originators.
According to the research, the additional cost is related to the labor required for fraud detection, plus the expense of investigation, reporting and recovery following an incident.
For title companies, the biggest cost is labor, with the actual breakout of related costs as follows:
- 35% attributed to labor costs
- 21% for detection, investigation and recovery
- 18% related to fines and legal fees
- 13% covering fees during application and processing
- 13% accounting for the face amount of the actual fraud
The actual cost is extraordinary, given that title companies reported a staggering 77% increase in fraud over the past three years. The growth in fraud is attributed in part to COVID, as a substantial portion of both mortgage and settlement services transactions moved to online and mobile-only transactions.
According to the LexisNexis report, although fraud originates largely in online and mobile-only transactions, it often the moves to the call center or phone-based point of interaction, which further adds to the risk, with the growth of remote workers handling these transactions.
For title companies working in the online and mobile transaction world, identity verification is the number one challenge.
“The challenge involves assessing digital identity attributes such as email and phone number,” the report states. “That is contributing to challenges with identifying malicious bots and the ability to determine the source of the transaction. Synthetic identities are a key driver of identity verification challenges, particularly among organizations that do not use fraud solutions that assess digital identities and behaviors.”
LexisNexis noted that the mobile channel especially is contributing to the high volumes in recent years.
“This channel brings device-related risks that are unique from online browser transactions (SIM card swapping, malware, SMS phishing). This allows fraudsters to gain entry through anonymous remote transactions at the very start of the mortgage process.”
Title companies walk a bit of a tightrope, determined to invest in strong fraud prevention, while striving to create a positive customer experience. Customers reportedly get frustrated with the passwords, qualifying questions and multiple identifiers it takes to get through the transaction and have been known to give up and drop out of online and mobile device-related processes out of frustration.
Balancing these two necessities of doing business has been challenging, but title companies that put forth the effort can dramatically reduce their exposure to fraud.
To help our agents assess their efforts, Alliant National released a white paper this year, titled Escrow Fraud/Social Engineering: Recent Schemes and Prevention Tips. The white paper provides agents with useful information, risk factors to consider, and practical action steps that will help you partner with consumers, real estate agents and lenders to defend against the fraudsters.
In addition, the LexisNexis report identifies four recommendations agents should consider, including remaining vigilant to increased fraud, increasing the use of technology, creating multi-layered solutions, and integrating cybersecurity and digital customer experience with your fraud processes.
Here are a few highlights from their list of recommendations:
- Accelerated movement to online/mobile transactions will continue to grow; therefore, title/settlement companies should continue to buildout and enhance the digital customer experience while protecting against fraud.
- Best practice fraud detection and prevention includes a multi-layered solutions approach, and the integration of fraud prevention with cybersecurity operations and the digital customer experience.
- Layering in supportive capabilities such as Social Media intelligence and AI/ML further strengthens fraud prevention.
While fraud prevention in the current environment is challenging, the report concludes that “firms which use a multi-layered solutions approach that is integrated with cybersecurity and digital customer experience operations can lower their cost and volume of successful fraud while improving identity verification and fraud detection effectiveness.”
We encourage agents to continue to explore and implement best practices as we all work together to combat fraud. Download our white paper – Escrow Fraud/Social Engineering: Recent Schemes and Prevention Tips – today to begin your own internal assessment.
To view the full LexisNexis study, click here.
Every wire fraud defense expert says the number one factor in recovering diverted funds is time. Every minute counts when fraud has been detected, and hesitations or delays can impede efforts to track down and restore lost funds.
That’s why a Wire Fraud Response Plan is imperative for every title agent.
Before you create your plan, or if you are undergoing a review of your current plan, we encourage you to download Alliant National’s recently updated Escrow Fraud/Social Engineering: Recent Schemes and Prevention Tips white paper. This 23-page guide provides an in-depth review of the current schemes and offers a wealth of tools and resources for building a strong defense against fraudsters.
Here are some things to consider when creating your response plan.
Elements of a Wire Fraud Response Plan
The first step in preventing wire fraud is to maintain policies and procedures for verification of wire instructions for the protection of everyone involved in the real estate transaction.
But should the unthinkable happen, remember that the most successful response strategies are those established well in advance and communicated to staff members and your bank.
Like a well-trained sports team, every member of your team must know their role and be prepared to leap into action.
- Establish a close relationship with your bank representatives and continually dialogue regarding updated fraud threats.
- Discuss wire retrieval scenarios and establish emergency contacts in the bank’s fraud department, whom you can call at a moment’s notice day or night.
- Download and fill in the Wire Fraud Contacts form in our Escrow Fraud/Social Engineering white paper and provide it to staff members charged with addressing suspected fraud.
- Notify management the moment suspicion arises that a wire may have been misdirected.
- If funds have been transferred to the receiving bank and cannot be recalled, ask your bank (the sending bank) to formally request that the receiving bank freeze the funds.
- Agents may also attempt to directly contact the receiving bank to ask that the funds be frozen.
- Contact local police in your jurisdiction and the jurisdiction of the receiving bank.
- Report the fraud immediately to your local FBI office.
- File a complaint with the FBI’s Internet Crime Complaint Center (IC3).
- Contact the underwriter involved in the transaction. Alliant National is available to help you evaluate the situation.
- Contact your corporate attorney to let him or her know about the events taking place.
- Depending on the nature of the fraud, contact the appropriate insurance provider (Cyber-Liability, Escrow Security Bond or Errors & Omissions).
Putting all of these resources in motion immediately can be extremely useful, as anyone of these professionals or organizations may have information that could assist you in recovering your funds.
IC3 may be one of your most important contacts. In 2018, IC3 established its Recovery Asset Team (RAT) to streamline communications with financial institutions and FBI field offices to assist freezing of funds for victims.
In 2021, RAT initiated the Financial Fraud Kill Chain (FFKC) on 1,726 Business Email Compromise (BEC) complaints involving domestic to domestic transactions with potential losses of $443,448,237. A monetary hold was placed on approximately $329 million, which represents a 74% success rate.
The efficiency of this organization’s work is largely dependent on the speed with which they are advised, so it’s critical that they be an important part of your Wire Fraud Response Plan.
Even the most vigilant companies may fall prey to fraud, but putting protocols in place can greatly reduce your exposure and give you a pathway to recovering lost funds.
As always, call your Alliant National underwriting team if you have any questions or concerns. We are here to help!
The Federal Trade Commission (FTC) is updating a key data security rule, and the changes will place new compliance requirements on nonbank financial institutions including title, escrow and settlement agents. Among other things, the Safeguards Rule amendments finalized October 27 will require covered institutions to beef up their information security programs (ISPs). The changes are a response to widespread data breaches and attacks that have caused significant consumer harm in recent years, the FTC said.
Before surveying the changes, it may be helpful to review the state and federal compliance framework of which the Safeguards Rule is an important element.
GLBA, state law and the Safeguards Rule
The 1999 Gramm-Leach-Bliley Act (GLBA), codified as amended at 15 U.S.C. Chapter 94: Privacy, establishes basic privacy standards for “financial institutions,” including title insurers, title agents, and settlement/escrow agents. Unique in their role as third-party vendors to lenders, real estate settlement service providers also have a separate obligation to comply with the GLBA on behalf of the obligations owed by their lenders.
As long as states afford consumers the same or greater protection as GLBA, they can enact their own privacy laws, and they have all done so to different degrees and standards. Asserting their own authority, many states have privacy laws that substantially mirror GLBA, while others have their own, distinctive laws; and still others simply point to GLBA and mandate compliance with it.
Typically, state privacy laws and the federal GLBA overlap in the following general categories of privacy protections:
- Disclosure Protections consisting of a privacy notice, “Opt Out” or “Disclosure Authorization” notice, and limits on what types of disclosures of Nonpublic Personal Information (NPI) may be made by a nonaffiliated third party who receives the information from a “financial institution”;
- Security Protections consisting of a written security program, including administrative, technical and physical safeguards;
- Security Breach Notification Requirements consisting of laws requiring a business to send out notice of any improper disclosure of NPI in its possession or control.
The FTC’s Safeguards Rule (16 CFR Part 314) is one of the federal regulations that implements the GLBA by requiring a written security program; the FTC offers guidance on its website regarding compliance with the “Safeguards Rule.” The rule provides “elements” in 16 CFR 314.4 to develop, implement, and maintain the Information Security Program (ISP), including risk assessment, management and control, oversight of service providers, evaluation and adjustment.
On October 27, 2021, the FTC issued a news release announcing that the agency was updating the Safeguards Rule to provide better protection against breaches and cyberattacks; it includes a link to the Final Rule containing the amendments (beginning on page 123) and the proposed text of what you can expect to see upon publication in the Federal Register.
In recent days, there have been numerous newsletters and blog articles buzzing about the final rule’s new requirements. Davis Wright Tremain LLP has a particularly good blog that summarizes the key requirements of the final rule.
There is a lot to talk about, and while the amended final rule is much more prescriptive in its approach, it is also drafted to provide flexibility and clarity. In particular there are helpful suggestions and information about alternative security options for small businesses who may qualify for limited exemptions discussed above. It also makes it clear that the ISP is intended to protect information in both its digital and physical forms.
The final rule contains tons of commentary, including discussion regarding stakeholder input and the commission’s rationale behind its final decisions. Some noteworthy highlights, as abbreviated, are:
- designating a single, Qualified Individual as responsible for overseeing, implementing, and enforcing the ISP;
- base the ISP on a written risk assessment which includes specific criteria described in the amendment;
- designing and implementing safeguards, including:
- system inventory (i.e. knowing where the data is kept, and how everything is connected);
- secure development practices for in-house developed applications, and security assessments for externally developed applications (reference applications involving customer information);
- multi-factor authentication;
- disposing of customer information which hasn’t been used for two years (unless required for a legitimate business purpose);
- periodically reviewing record retention policies to minimize unnecessary retention of information;
- change management procedures;
- monitoring and logging user activity;
- biannual vulnerability testing on information systems, and additional assessments when there is an elevated risk of new vulnerabilities (e.g. when there are material changes to operations or business arrangements, and those changes will have a material impact on the ISP);
- implementing policies and procedures – which include training, updating, and verification requirements – and ensuring qualified personnel are available to enact the ISP;
- overseeing service providers, requiring them by contract to implement and maintain appropriate safeguards;
- evaluate and adjust the ISP due to circumstances which may have a material impact upon it;
- establish a written incident response plan which addresses specific areas described in the amendment;
- required regular reporting, in writing, by the Qualified Individual – at least annually – to the board of directors, or to a senior officer (when there is no board of directors) responsible for the ISP, concerning 1) the overall status of the ISP and its compliance with the final rule; and 2) material matters related to the ISP; and
- exemptions for financial institutions which handle the information of fewer than 5,000 customers, from the requirements of (referring to sections of 16 CFR Part 314, as amended by the final rule):
- 314.4(b)(1) – a written risk assessment
- 314.4(d)(2) – continuous monitoring or annual penetration testing and biannual vulnerability assessment
- 314.4(h) – a written incident response plan
- 314.4(i) – an annual report by the Qualified Individual
The anticipated date of publication in the Federal Register is not yet known, but that date will control the effective date(s) of the amendments. The effective date is one year after the publication for the following amendment provisions (referring to sections of 16 CFR Part 314, as amended by the final rule):
- 314.4(a) – appointment of a qualified individual
- 314.4(b)(1) – conducting a written risk assessment
- 314.4(c)(1)-(8) new elements of the ISP
- 314.4(d)(2) – continuous monitoring or annual penetration testing and biannual vulnerability assessment
- 314.4(e) – training for personnel
- 314.4(f)(3) – periodic assessment of service providers
- 314.4(h) – a written incident response plan
- 314.4(i) – annual written reports from the qualified individual
The remainder of the final rule’s amendments are effective 30 days after publication in the Federal Register.
This article is for informational purposes and does not contain or convey legal advice. Any opinions, or perceived opinions, are strictly those of the authors and should not be construed as legal advice or a legal opinion. Consultation with an attorney for specific advice based upon the reader’s situation is recommended.
Over the weekend, cloud-hosting and data security provider Cloudstar fell victim to a sophisticated ransomware attack. Alliant National was not impacted, however the attack has affected many agents across the country.
As a valued partner of Alliant National please know that we will make every effort to assist you and your agency if you have been impacted by this ransomware attack. During this challenging time, we are being as pro-active as possible by contacting customers and offering assistance.
Major title software vendors including Qualia, RamQuest, and SoftPro are offering hosting services to those affected by the Cloudstar attack, and there are other third-party vendors that may be able to help as well.
We have provided Alliant National forms packages to the major escrow software providers so they can be loaded quickly and easily into your environment if needed. The National Operations Center of Alliant National is on standby should you need assistance issuing individual Closing Protection Letters outside of your operating environment. We have our agency teams standing by to help you find a closing solution should you need a closing done to mitigate your reputational risk. In short, if you have a need, please reach out today to your Alliant National contact.
Please know that Alliant National will do anything possible to assist you and your agency if you are affected by this attack.
Additional information about this industry wide outage can be found here.
The Future is Here; Let’s Embrace It
The adoption and implementation of remote online notarization (RON) received a tremendous boost during the COVID-19 pandemic. Buyers, sellers and title agents are looking to close transactions in the safest way possible. According to the American Land Title Association (ALTA), “Forty-eight states and the District of Columbia have either passed a RON law or issued an executive order pertaining to remotely notarizing documents. Some have done both.”
In December of 2020, ALTA reported that RON use had increased 547 percent during the year compared to 2019. If you are a “Star Trek” fan, the lightning-fast adoption of RON – as well as alternative remote closing methods such as Remote Ink-Signed Notarization (RIN) – has felt like the title industry has gone from cruising to warp speed in a nanosecond. It can even feel tempting to utter one of the show’s classic lines like “Beam me up, Scotty!” when thinking about such transformative change.
But let us back up a bit. As the automobile was invented and became a commonplace form of transportation, society built an accompanying infrastructure – including roads, highways, bridges and tunnels. The same is needed for RON. However, it takes time to develop secure and accessible technology that everyone can use. It requires effort to garner the acceptance of the county recorders who must be ready, willing and able to record native electronic instruments. Creating uniform laws to ensure interstate legal recognition and consumer confidence is also no easy matter.
Properly building out RON infrastructure necessitates the continuous collaboration of numerous parties, including individuals, industries and organizations. For example, MISMO, the Mortgage Industry Standards Maintenance Organization, has been working on standards concerning credential analysis, borrower identification, audio-visual requirements (including the recording of the electronic notarization process) and audit trails. PRIA, the Property Record Industry Association, has been developing national standards and best practices for the land records industry. ALTA and the Mortgage Bankers Association (MBA) have also joined forces to establish model RON legislation. Finally, there are numerous other stakeholders not identified here who have, and are, tirelessly working to enable the requisite RON infrastructure.
Currently, the federal Senate bill (SB) 3533, the Securing and Enabling Commerce Using Remote and Electronic Notarization Act of 2020 (otherwise known as the SECURE Notarization Act), is pending. If passed in 2021, the SECURE Notarization Act will permit RON across the nation and provide for minimum standards and interstate recognition. To track the progress of the SECURE Notarization Act, click on the link provided for SB 3533.
Another good resource for tracking the evolution of RON is the DLA Piper financial services alert, which is constantly updated. You can also subscribe to their mailing list to receive alerts via email.
During this time of rapid transition, it is important to keep abreast of the latest RON developments, to “boldly go” forth and not end up like another classic science fiction show: “Lost in Space.”
The future is here; let’s embrace it!