201 CMR 17 Compliance Checklist for Mortgage Brokers! Are you in compliance?

If you are a mortgage broker or mortgage originator doing business in Massachusetts, you need to understand how MGL 93H and Regulation 201 CMR 17 affect how you must handle personal information and run your business going forward. As of March 1, 2010, licensed mortgage brokers are responsible for the security of the personal information of Massachusetts residents that you or your staff collect, handle, or store. Your mortgage business must have a written plan, known as a WISP (Written Information Security Plan), implemented and followed, not only to protect the security of your customers’ personal information, but also to protect your business. Below is a checklist to help you get organized and develop the plan you’ll need to stick to.

The Commonwealth of Massachusetts enacted MGL 93H, which defines security breaches and standards for the protection of personal information of any Commonwealth of Massachusetts resident. Regulation 201 CMR 17.00 implements the provisions of the law and describes what you must have to achieve compliance.

What does 201 CMR 17 mean for my mortgage business?

201 CMR 17.00 establishes the minimum standards for the protection of the personal information of any Massachusetts resident. Whether this personal information is stored in a filing cabinet, a desk drawer, or your network database, you are responsible for its security under 201 CMR 17. Massachusetts, like many states, is responding to the growth of identity theft by holding companies (such as mortgage brokers) accountable for following a set of requirements that effectively protect personal data from those who might use it inappropriately or illegally. As a mortgage broker, these regulations affect how you do business and with whom you do business. If your originators, processing staff, or even other people who may be involved in a loan transaction, such as a lawyer, real estate agent, or credit bureau, have access to or store personal information about your borrowers or prospects who reside in Massachusetts, such as their name in combination with:

  • Address
  • Social Security number
  • Credit card number
  • Driver’s License Information
  • Other state-issued identifying information

then these regulations will affect them as well and you are responsible for taking steps to comply with and control the collection, handling, storage and distribution of this personal information. This means that you should protect yourself and your company and only share personal data with companies that you verify are 201 CMR 17 compliant.

This regulation is not just about customers and consumers. If you are in the Commonwealth of Massachusetts and have employees who are Massachusetts residents and you maintain job applications, a copy of a driver’s license, personnel file, or payroll information, then 201 CMR 17 applies to you and you must comply.

So what steps do I need to take to be in compliance?

The key to 201 CMR 17.00 is the development, implementation, maintenance, and monitoring of a comprehensive Written Information Security Plan (WISP). This WISP is intended to address the handling and storage of any records that contain personal information. In addition to creating and maintaining a WISP, you will need to identify the components of the program. This includes:

  • Designate one or more employees to maintain the WISP.
  • Identify and assess reasonably foreseeable internal and external risks to the security and confidentiality of any personal information you handle or store.
  • Develop security policies and procedures for employees and for the handling of personal information.
  • Limit the amount of personal information collected to what is necessary to complete the transaction.
  • Identify all areas, storage locations, and devices used to store personal information and develop a plan for their security.

201 CMR 17.00 goes further to address computer system security requirements. The Commonwealth of Massachusetts has outlined the technology requirements needed to comply. These requirements should be discussed with an IT professional. They affect not only your server, but also desktop computers, laptops, network scanners, and copiers. Things to discuss include:

  • Protect user authentication protocols.
  • Ensure access control measures that restrict access to records and manage passwords and users.
  • Encrypt data during transmission, as well as any data on mobile devices such as laptops and PDAs.
  • Make sure up-to-date versions of security software, such as antivirus, are installed on all systems.
  • Train employees on information security.

Media coverage of personal information theft has focused heavily on stolen laptops. Personal information can be compromised and stolen while it’s stored on computers or transmitted electronically, but this critical data can also be stolen while it’s sitting on a desk or in an unlocked paper filing cabinet. It’s also important to consider how you dispose of this information, since you are responsible even for what you throw away. A shredding and disposal service is a key component of any effective mortgage company WISP. The goal of MA MGL 93H and 201 CMR 17.00 is to change the way a business views personal information and the important steps that must be taken for its proper collection, use, storage, transportation, and destruction.

Securing personal information not only protects your customers, but also protects your business against fines and legal action. Be sure to comply with 201 CMR 17 and develop and implement a mortgage company WISP now.
