Mortgage companies handle the most sensitive financial data: SSNs, bank accounts, income verification, and large wire transfers. This makes you a prime target for both data theft and wire fraud schemes.
📋 Regulatory Requirements
- FTC Safeguards Rule: Mandatory security program with specific controls
- GLBA: Customer data protection requirements
- State Regulations: Ohio DFI and state-specific requirements
- Investor Requirements: Fannie Mae, Freddie Mac, HUD security expectations
Wire Fraud Prevention (Critical)
Closing Wire Security
- Verbal verification required for ALL wire instructions
- Callback on a verified number (not one taken from the email)
- Dual authorization for wires over threshold
- Wire instruction changes require new verification
- Borrowers warned about wire fraud at application and closing
- Wire fraud awareness in borrower communications
Wire Fraud Reality: Mortgage transactions are the #1 target for wire fraud. FBI reports average losses of $150,000+ per incident. Always verify by phone using a known number—never trust wire instructions received by email alone.
FTC Safeguards Compliance
Required Controls
- Designated Qualified Individual for security
- Written Information Security Plan (WISP)
- Risk assessment documented and updated
- Multi-factor authentication on all systems with NPI
- Encryption of customer data at rest and in transit
- Access controls limiting data to job function
- Employee security training (ongoing)
- Vendor oversight program
- Incident response plan
- Annual security testing
Loan Origination System Security
LOS Protection
- MFA enabled on loan origination system
- Role-based access (MLOs see only their loans)
- Audit logging enabled and reviewed
- LOS vendor security reviewed (SOC 2 report)
- LOS data backed up independently
- Terminated employee access removed same day
Document Security
- Secure borrower document upload portal
- Documents not stored in regular email
- Document retention policy implemented
- Secure disposal of loan files
- eSign platform security verified
Email & Communication Security
- Advanced email threat protection enabled
- DMARC/DKIM/SPF configured (prevents spoofing of your own domain)
- External email warning banners active
- Encrypted email for sensitive borrower communications
- Executive impersonation protection enabled
- Look-alike domain monitoring
Third-Party & Vendor Security
- Title company security practices verified
- Appraiser and vendor access controlled
- Investor/agency security requirements met
- Third-party integrations documented
- Vendor access reviewed quarterly
Title Company Coordination: Work with your title partners to establish secure communication channels for closing instructions. Many wire fraud schemes exploit the handoff between mortgage and title.
Mortgage Industry IT Security
Sabre IT Services provides FTC Safeguards-compliant IT solutions for mortgage companies. We understand the unique security needs of loan origination and closing workflows.