It’s Not Just the GSEs: Why Every Mortgage Lender Must Master GLBA

In our previous discussions, we’ve spent a lot of time diving into the rigorous compliance world of Fannie Mae and Freddie Mac. For many mortgage lenders, meeting the Seller/Servicer guidelines of these Government-Sponsored Enterprises (GSEs) is the "North Star" of their operations. But what if you aren’t selling to Fannie or Freddie? Or what if you are a non-bank lender operating entirely outside that ecosystem?

It’s easy to fall into the trap of thinking that if you aren’t answerable to the GSEs, your regulatory burden is light. In reality, there is a federal heavyweight that applies to you regardless of where your loans end up: the Gramm-Leach-Bliley Act (GLBA).

It’s Not Just for Banks

The most common misconception about the GLBA is that it only applies to traditional "banks." In the eyes of the Federal Trade Commission (FTC), the definition of a "financial institution" is surprisingly broad. If you are significantly engaged in providing financial products or services, you are in the crosshairs.

This includes:

● Independent mortgage lenders and brokers.
● Non-bank "fintech" lenders.
● Independent car dealerships that offer in-house financing.
● Real estate appraisers and professional tax preparers.

Essentially, if you handle "financial information"—which includes Social Security numbers, income history, credit scores, and even the mere fact that someone is your customer—you are legally obligated to protect it under the GLBA.

The FTC Safeguards Rule: A New Era of Reporting

For non-GSE lenders, your primary regulator is often the FTC. Under the updated Safeguards Rule, the requirements have become much more prescriptive. It is no longer enough to have a vague "security policy" in a drawer. Some of the new requirements include:

1. Designate a Qualified Individual to oversee your security program.
2. Conduct Written Risk Assessments to identify where data might be vulnerable.
3. Report to the FTC: As of May 2024, covered entities must notify the FTC of any security event involving the unencrypted information of at least 500 consumers.

The Bottom Line

Whether you’re a boutique mortgage shop or a high-volume independent lender, the GLBA isn’t optional. While Fannie and Freddie have their own sets of rules, the FTC's Safeguards Rule is the baseline for the entire industry.

Don't wait for a data breach to find out if your program is compliant. If you handle consumer money or the data that follows it, the GLBA is your reality. It's time to ensure your "financial information" safeguards are as strong as the loans you're originating.

Kevin Robinson, CISSP, DDN.QTE, Associate C|CISO, is Head of Cybersecurity Services for The Commonwealth Group. He has a 20-year career in cybersecurity, risk assessment, intelligence and counterintelligence. His previous employers include Thornburg Investment Management, Los Alamos National Laboratory, L3Harris, and the Central Intelligence Agency.
