Extrapolating is an innate human tendency. So when people read in the papers that a small group of mortgage brokers failed to protect client data, it damages the reputation of the entire broker channel.
The Privacy Commission’s report last Tuesday will likely prompt that sort of extrapolation. In a nutshell, the report documents how five brokerage offices inadvertently allowed “rogue” agents (criminals) access to sensitive customer data. Hundreds of consumer credit reports were compromised. (These events happened in 2008.)
In addition to careless storage of paper files, Assistant Privacy Commissioner Elizabeth Denham said: “None of the brokers we audited had performed sufficient tests on their IT systems to allow them to say with any certainty that their computer networks—and all personal information stored on them—were secure.”
The actions of these brokers should make every mortgage professional’s blood boil. The reputation our industry works so hard to uphold has been marred by needless carelessness. Even if this only means a loss of a few deals per broker (because a client decides that dealing with a financial institution is safer), that is hundreds or thousands of dollars in lost revenue per agent.
Fortunately, as the Canadian Association of Accredited Mortgage Professionals (CAAMP) states, “the vast majority of mortgage professionals have implemented stringent and effective privacy standards.” We believe that. Speaking personally, we’ve never met a broker who didn’t employ the standard security precautions, including monitored alarm systems, secure offices, locking file cabinets, secure computer logins, etc.
On a corporate level, brokerage compliance departments have taken this matter profoundly seriously. New measures will be set industry-wide because of this report. Unsecure client data storage, weak privacy policies, and laid-back hiring practices will all be under fire. We can only hope that regulators add more manpower to audits in this area, and dish out penalties to those who don’t comply. There must be more of a deterrent factor, so a few agents don’t ruin the reputation of many.
Our industry is also fortunate to have various checks and balances. When personal data leaks occur, it is standard practice to bring them to light. The Privacy Commissioner provided one such example when it noted: “The mortgage brokers we audited were proactive and contacted our office to determine how to contain and mitigate the breaches, and also notified those affected by the breach.”
When all else fails, provincial licensing regulations are an extra safety buffer for consumers. To obtain a license in most provinces (and access your data), brokers and agents must meet training and educational requirements, pass a licensing examination, undergo a criminal background check, submit to reference checks, and fulfill certain other requirements, as established by regulators including: FSCO (ON), RECA (AB), FICOM (BC), and others.
Despite these safeguards, our industry—like most—is unavoidably imperfect. That’s why this wake-up call is constructive. The Privacy Commissioner’s audit report is a warning to the brokerage industry and it has done mortgage professionals a long-term service.
The Personal Information Protection and Electronic Documents Act (PIPEDA) requires that brokers be responsible for safeguarding the information they collect and protecting against unauthorized access to it. That is one of our highest responsibilities as brokers, and this experience should ingrain that in all of us.
_____________________________________________________
Sidebar: In coming days, we’ll examine a few offshoot issues stemming from this report: collecting social insurance numbers and retaining customer information.
Last modified: April 26, 2014