By: Blaise Wabo, Senior Consultant at A-LIGN
In 2012 the Consumer Financial Protection Bureau (CFPB) released a bulletin on the oversight of service providers, in which it expects supervised banks and nonbanks (lenders) to oversee their business relationships with service providers in a manner that ensures compliance with Federal consumer financial law, which is designed to protect the interests of consumers and avoid consumer harm.
Lenders are vetting their vendors and taking stringent steps to ensure that their business arrangements with service providers do not present unwarranted risks to consumers.
In an effort to help Title Insurance and Settlement Companies, the American Land Title Association (ALTA) established a best practices framework and assessment procedures that can be used to help highlight policies and procedures in place to protect lenders and consumers, while ensuring a secure and compliant real estate settlement transaction.
It is a “jungle” out there, and most Title Insurance and Settlement Companies are left unsure of what direction to take in order to meet regulatory compliance requirements and continue being successful. In the vetting process of service providers, lenders are starting to ask Title Insurance and Settlement Companies to provide them with evidence that they have adopted the ALTA best practices framework and have implemented controls that will help mitigate the risk to consumers during the settlement of transactions.
Having an independent assessment performed by a certified public accounting firm would be one of the best ways for Title Insurance and Settlement Companies to provide assurance to lenders that their processes are in place and operating effectively in accordance with the ALTA best practices framework.
There are two main compliance examinations that Title Insurance and Settlement Companies can undergo in order to demonstrate to their stakeholders that their controls are in place and meet the ALTA best practices: the Statements on Standards for Attestation Engagements (SSAE) No. 16 and the Service Organization Control (SOC) 2 examination.
The SSAE 16 is one of the most applicable compliance standards that could be used to attest to user entities that Title Insurance and Settlement Companies have policies and procedures designed (Type 1) and operating effectively (Type 2) in accordance with the ALTA best practices framework. The SSAE 16 report for controls at a service organization can be tailored to include all seven pillars of the ALTA best practices and other relevant control areas that the service organization would like to include.
ALTA best practice number 3 focuses on Information Security and protecting Non-Public Information. This seems to be the area lenders vet the most, as they want to get comfort on the infrastructure and procedures in place before doing business with a service provider. Title Insurance and Settlement Companies seem to struggle the most with this area, especially if they are small to medium-sized companies and possibly outsource their Information Technology department to third parties. The SOC 2 report is an examination based on the existing SysTrust and WebTrust principles and is performed in accordance with AT 101. The SOC 2 report focuses on controls designed (Type 1) and operating effectively (Type 2) at a service organization as they relate to the following trust services principles:
- Security (ensuring the system is protected both logically and physically against unauthorized access),
- Availability (ensuring the system is available for operation and use as committed or agreed to),
- Processing Integrity (ensuring the system processing is complete, accurate, timely and authorized),
- Confidentiality (ensuring information that is designated as ‘confidential’ is protected as committed or agreed), and
- Privacy (ensuring personal information is collected, used, retained and disclosed in conformity with the commitments in the entity’s privacy notice and with the privacy principles put forth by the AICPA).
The service organization can perform the SOC 2 engagement based on at least two trust services principles: security and any other, based on its environment and its user entities’ requirements.
A-LIGN has performed numerous SSAE 16 and SOC 2 engagements for Title Insurance and Settlement Companies. If you are part of a Title Agency and would like to receive a quote for an SSAE 16 or SOC 2 examination using the ALTA Best Practices as a base for the examination, please call 888-702-5446 or email us at [email protected].