Mortgage Company IT Security Checklist

Closing Wire Security

• Verbal verification required for ALL wire instructions
• Callback on verified number (not from email)
• Dual authorization for wires over threshold
• Wire instruction changes require new verification
• Borrowers warned about wire fraud at application and closing
• Wire fraud awareness in borrower communications

Required Controls

• Designated Qualified Individual for security
• Written Information Security Plan (WISP)
• Risk assessment documented and updated
• Multi-factor authentication on all systems with NPI
• Encryption of customer data at rest and in transit
• Access controls limiting data to job function
• Employee security training (ongoing)
• Vendor oversight program
• Incident response plan
• Annual security testing

LOS Protection

• MFA enabled on loan origination system
• Role-based access (MLOs see only their loans)
• Audit logging enabled and reviewed
• LOS vendor security reviewed (SOC 2 report)
• LOS data backed up independently
• Terminated employee access removed same day

Document Security

• Secure borrower document upload portal
• Documents not stored in regular email
• Document retention policy implemented
• Secure disposal of loan files
• eSign platform security verified

• Advanced email threat protection enabled
• DMARC/DKIM/SPF configured (prevents spoofing)
• External email warning banners active
• Encrypted email for sensitive borrower communications
• Executive impersonation protection enabled
• Look-alike domain monitoring

• Title company security practices verified
• Appraiser and vendor access controlled
• Investor/agency security requirements met
• Third-party integrations documented
• Vendor access reviewed quarterly