12 minute read
Here's Why State of the Art Mortgage Lending Now Relies on CloudBased Services
Here’s Why State of the Art Mortgage Lending Now Relies on Cloud-Based Services
By Eric Drattell, Roostify
The decision to move to the digital mortgage application processing seems like it should be an easy one, never more so than today when the benefits of a digital mortgage platform have never been clearer. However, once mortgage company executives have made the decision to go digital, they are faced with a new set of questions, the answers to which have broad-based implications. Should they leverage the ubiquitous public cloud or elect instead for the private cloud option? Should they build or should they buy?
This article explores the key questions mortgage executives, including the heads of the mortgage business, the CIO and the CFO, have to consider, and suggests how some of these questions can be best answered.
THE HEAD OF MORTGAGE
This executive is concerned primarily with making sure the move from paper-based mortgage applications and a loan officer-driven process to a digital mortgage platform drives customer satisfaction, creates stickiness with customers who are able to access the lenders non-mortgage products, including personal and auto loans, and reduces origination costs.
The improvement to customer satisfaction is, to coin a phrase, the greatest no-brainer in the history of mankind. After all, how many customers have said they enjoyed the process of copying all
of their docs, scanning them, and emailing them to the loan officer? None, I am certain. The head of mortgage will sleep better knowing that the customer will have a friction-free experience being able to submit all required documents by merely clicking a button to enable the digital platform to pull in key documentation, including verification of incomes, assets, and employment docs. This state-of-the-art process will appeal especially to millennials, who are currently less than 10 percent of the homebuying population, and who have lived online virtually their entire lives.
The head of mortgage will also be a hero because a ‘single-window’ platform through which a customer can get a first mortgage loan, HELOC, car loan, or personal loan enables customers to satisfy all of their loan needs from a single lender, something that has been nearly impossible without the customer having to navigate multiple, often inconsistent channels. For example, a surprising percent of homebuyers also buy a car at the same time. Imagine offering the customer the ability to get a car loan or personal loan (‘I will also need window treatments’) in the same portal without the customer having to again upload docs.
And, of course, there are the cost savings in the origination process that result from reducing dependence on loan officers and processors. The reduction in costs that comes with the process is obvious: Technology provides everyone involved in originating a mortgage, the real estate agents to the loan officers and beyond, with a seamless, more efficient experience. THE CIO
The CIO has a number of issues to consider. No doubt the CIO has already concluded that the cloud is the right way to go. No more on-premises data centers that are particularly susceptible to manmade and natural disasters. Anyone remember Superstorm Sandy and what that storm did to New York metro area data centers? No more data centers that could be taken down by a ransomware attack.
Perhaps the question that most often keeps the CIO awake at night is whether the lender’s data is secure. Not only is the CIO concerned about data breaches where data is exfiltrated, they are also concerned about malware and ransomware that corrupts or locks down data, but they're also worried about meeting legal requirements when customers exercise their rights under privacy laws such as the California Consumer Privacy Act.
The virtual environment in which we now operate is fraught with cyber threats from brazen attackers. While in the past these malevolent individuals were known to brandish tools such as malware and spyware, they are increasingly turning to ransomware as they seek to extort payments from lenders to regain access to their data. A Verizon Business 2018 Data Breach Investigations report disclosed ransomware as the fifth-highest overall cybersecurity threat during the previous year, more prevalent than traditional malware and spyware.
The number and sheer boldness of cyber
threats is growing. Barclays and other banks recently went for an extended time without the ability to make foreign currency conversions for customers when Travelex was hit by ransomware. The BBC reported that the hackers demanded $6 million.
And it’s not just financial services that are the targets for ransomware attacks. Across the breadth of industries and services, companies and even government bodies have been victimized. The New York Times has reported on attacks on the New Orleans’s city government, a maritime cargo facility, hospitals, and small businesses.
So how does a CIO mitigate the growing risk of cyber threats? There is no simple answer. However, many CIOs have come to recognize that outsourcing to a best-in-class SaaS vendor running on a public cloud service provider, such as AWS, Azure, or Google, can significantly reduce the risk. This is largely because privacy and security of their clients' data is absolutely core to the business of these firms, whereas lending and servicing loans is absolutely core to the business of the lender. And as visionary organizational theorist and management consultant, Geoffrey Moore, observed, a firm should focus on what truly distinguishes the firm in the eyes of its customers (i.e., ‘core’) and consider outsourcing to others what is otherwise necessary to run its business (also known as ‘context’). No lender has ever said that prospective borrowers should choose it because it runs world class data centers.
Every reputable SaaS vendor of lending platforms has the typical certifications, including the ISO 27001 and SOC-2 certifications. These certifications attest to their ability to manage security risks consistent with ISO requirements and have in place controls addressing security, availability, and processing integrity. The SOC 2 certification, in particular, is only a ‘point-intime’ certification. More sophisticated vendors obtain a SOC 2, Type II certification that attests to the quality of the vendor’s practices over a period of time. Why do vendors get these certifications and spend a lot of money each year to maintain them? Because without these certifications, their customers have no objective, third-party assurances that their data will be safe, and that threats of ransomware and other forms of malware are appropriately mitigated and managed.
THE CFO
The CFO is, as always, worried about the cost of building instead of buying a SaaS solution. And the factors considered are not limited only to the initial costs.
For example, if a lender were to build its own lending platform, it likely would have to capitalize those costs, amortizing them over the useful life of the platform. On the other hand, contracting with a SaaS vendor for the platform will be an operating expense, which many CFOs find preferable.
Even if capex vs. opex were not a factor, there’s the costs of building the platform. A well-architected platform, using microservices as building blocks, likely costs in the tens of millions of dollars, and that’s not even accounting for enhancements and upgrades. Moreover, for a web-based platform to meaningfully enhance customer satisfaction by making it seamless for the borrower to pull in documents from third parties, the platform will need integrations with VOA/E/I vendors, credit services, and a raft of other data and information providers. That work, while not necessarily technically challenging, takes a lot of time.
Then there is the cost to have in place world-class privacy and security capabilities. Companies that operate their own infrastructure often find out about nascent threats only when they are affected. SaaS vendors, however, often are able to spot threats before they pose a risk to their clients because of the vast networks they manage and maintain. MBM
CLOSING THE GAPS IN YOUR CONTINGENCY PLAN
BY FELECIA BOWERS, HOMEOWNERS FINANCIAL GROUP
Does anyone remember the Seinfeld series and the “close talker”? Jerry ended up wearing the unflattering puffy shirt as a result of his experience with this individual. Close talking has been replaced with a new phrase, social distancing. I have a feeling that this phrase and its implications will not end when this pandemic is over.
We received a few COVID-19 emails in January and February with our email folder exploding in March. By now you have probably all activated your contingency disaster plans or if you had no plan, you quickly punted to develop and roll out a plan. Who would have thought that our contingency plan would need to include the following? • Addressing recording the security instrument for our transaction because of county closures, inability to e-record, or delayed recordings. • Dusting off gap insurance with the title insurance industry. • Inability to verify continued employment 10 days before COE due to businesses across the country shutting down. Flexibility has been granted by the Agencies as I write this, but we have yet to fully see
the repercussion in the employment data since public-facing information is running behind. We continue to exhibit deterioration in the job market via job loss or hours being cut.
Appraisers not being allowed to access homes to complete interior inspections.
Thankfully the agencies issued some flexibility with property waivers, desk reviews, and drive-by appraisals.
The repercussion of what happens if one or more investors pull out of a specialized market; for instance, non-QM, and you have no source in which to sell these loans. Do we risk reputational damage or the wrath of our regulators?
The construction industry has been impacted with lenders deploying a remote workforce, sales office visitors drastically cut with people sheltering-in-place, security instruments can’t be recorded, inspectors are off or back-logged, etc.
IT staffers are also working remotely and trying to handle incident problems with a remote workforce.
These are but a few of the current challenges we are facing. So, why am I reminding you of these things? These issues and others that continue to pop up should be noted and incorporated into what is sure to be, future modifications in your contingency disaster plans. Now is the time to identify weaknesses in the current plan and how to ensure those weak points do not occur again and how to close the gaps. Now is also the time to look at your plan to ensure you have covered other possible hiccups that may occur. Let me give you some examples of what I’ve had to build into plans or experienced: Who are they key players in planning and deployment? Now is not the time for someone to attempt to take the “savior” role with no clue on what or how to implement the plan. These plans require the whole team. Prioritization of the workload. Deploying a remote workforce causes additional strains on systems as well as home systems especially when families are sharing the internet with kids gaming, streaming movies, and cell phones. Staggered hours with the remote workforce may be needed. Weather and natural disasters such as tornadoes, blizzards, flooding, mudslides, avalanches, extreme heatwaves, volcanoes, and earthquakes. Heatwaves? The last main heatwave was in 1936 with temperatures reaching 121 degrees. Think about how far we have progressed since 1936 with computers. Then think about what would happen of an electrical grid failure and the impact on AC units in the office or server rooms. Fire. I’m certain the Town of Paradise, CA did not plan for their entire town to be impacted by wildfires in the area, but it happened. Do you have one or more offices located near railway tracks? While at a former employer, the tracks ran through our back parking lot. We had to have an evacuation plan in place, plans for hazardous spills, and derailments. Trains carry a lot of unknown cargo also. I was unfortunate enough to experience one such disaster in 1973 in Roseville, CA. A freight train with 20 cars carrying live bombs caught on fire. For over five hours,
bombs were exploding, ripping through homes and businesses, and completely leveling the area immediately surrounding the railyard. Evacuations were mandatory because shrapnel was everywhere. The impact of the explosions caused some unexploded bombs to be driven deep into the ground creating more issues trying to locate and detonate those bombs. As drastic as this sounds,no one lost their life. That was a blessing. Do you have back-up generators and how often are they tested? At a former employer, we had an electrical hiccup causing our back-up generator to kick in. About two hours later, we had a visit from several environmental agencies as well as the fire department. It seems our generator leaked gasoline into a creek, a salmon habitat, and the gas flowed down the creek to the next town about 15 miles away. The fire department walked back up the creek to the source of the gasoline, our bank. Environmental clean-ups are not cheap, and negligence is not covered by insurance. We also found out we could not suit up and clean the creek ourselves. Have you ever had your office surrounded by the police? Been there, done that. We were in a meeting in a beautiful atrium room when we received word there was a shooter on the roof. The funny part of this story is that all the men in the room jumped up and ran into the hallway closing the door behind them. I was standing in the atrium with the other two women, dumbstruck when I decided to loudly state, “So much for women and children first motto!” The door slowly open and we were allowed into the inner sanctum of the hallway. Will an event create the need to contact a state licensing agency to seek emergency licensing for a new office? Are your back-up servers far enough in distance that one disaster will not impact all back-up servers? Have you identified essential and nonessential personnel by levels? At a former employer, we even had travel limitations, meaning no more than two executives could be on the same plane or car. HIPPA privacy should be of concern such as the one involving this pandemic. WARN Act implications? Ensure your cyber insurance coverage is current and reviewed frequently as the company expands or contracts with staff, new processes, new vendors, etc. Do you have a centralized place for employees to get updates when the plan is deployed? Phone or a texting tree? Identified critical third-party vendors? Who will be responsible for communicating to employees and vendors, state agencies, GSEs, the CDC, or OSHA issues?
Your plans need to focus on the immediate need, what to do if something goes wrong and the long-term impact. And, don’t forget that usually, the rest of the demands on your organization are still popping up such as filing annual reports with state SOS offices, annual state reports, MCR filings, HMDA filings, business license renewals, CE requirements, exams, etc. There is so much to consider and the best way to address these suggestions, plus any that are significant to your organization, is to create a task force, identify the possible situations and break things down into small pieces. And don’t forget to test and update frequently. I suspect that very few of us had a world-wide pandemic in our contingency plan. MBM
