If you're anything like me you're wondering:
- What does G-L-B have to do with ME?
- Hasn't that been around for a long time?
- Why is it a HOT topic now?
What is the Gramm-Leach-Bliley Act?
The Gramm-Leach-Bliley Act, passed in 1999 and fully effective in July, 2001, addressed overall financial industry reforms as well as emerging consumer privacy and security issues. Officially called the “Financial Modernization Act of 1999”, it affects the technology and information system policies used by anyone engaged in providing financial services either directly or indirectly to consumers.
- Under the Safeguards Rule, secure the transmission, receipt, and storage of data relating to any consumer’s NPI at all times, via passwords, encryption, and physical protection, backed by a written information security plan.
- Under the Privacy Rule, provide easily understood privacy statements to any consumers who engage the appraiser directly, disclosing the gathering, sharing, and security of NPI data, as well as the methods the consumer may use to opt out of sharing of the data with third parties.
Compliance is not terribly difficult, but it does require understanding of the rules and the methods available.
Why is this just now coming up?
GLB has been in force since mid-2001, so it isn’t new. But with the combination of the mortgage boom and the post-9/11 focus on other areas of banking, GLB compliance took a back seat at most institutions, large and small. Recently, however, with identity theft and mortgage fraud both capturing headlines, GLB is now squarely in the spotlight. As a provider of technology products directly to mortgage lenders and brokers, we (a la mode, inc.) were naturally asked by our customers in that market segment to carefully research GLB and ensure that our mortgage products were fully compliant. In the process, we were surprised to find the clear references to appraisers and the lack of exceptions to the rules. Like most in the appraisal industry, we were not aware of the applicability to appraisers, nor the scope of the changes needed to comply. Since we are now aware that most appraisers are not in compliance, and we are a service provider ourselves to appraisers who operate as financial institutions under the law, we feel we are obligated to notify appraisers of the relevant issues and to help them transition their businesses to practices consistent with the law. GLB compliance is therefore now an integral part of our overall compliance support for appraisers, and part of our Best Practices series of documents.
What’s the risk if I ignore it [G-L-B]?
This is an era of substantial litigation with respect to privacy and security of data, in all industries. There are also increasingly broad state and federal investigations of specific mortgage-related fraud activity, with appraisers being fairly or unfairly caught in the middle of thousands of cases. The FBI lists mortgage-related fraud as its single fastest growth area of concern.
Perhaps most worrisome of all, action against an appraiser for violating GLB rules can also come from individuals, and could be used as settlement leverage by plaintiffs filing lawsuits over valuation disputes. The environment becomes rich for these types of suits as markets slow down, foreclosures go up, and lawyers for both consumers and lenders get involved.
GLB-related liability is always present. Don’t increase legal exposure by ignoring it any more than ignoring USPAP. Compliance is much easier than it appears on the surface, much easier than USPAP, and much easier than responding to an investigation or lawsuit after the fact. It’s by no means necessary to panic, but it would be unwise for appraisers to treat compliance with these rules lightly.
What non-public personal information (“NPI”) am I receiving?
NPI includes loan terms, lender or mortgage broker name, sales concessions, co-borrower, unpublished phone numbers, other contact information, and of course more sensitive information as well. Even the fact that a particular consumer is engaged with a particular lender, at the time of the appraisal, is considered to be NPI if it has not been recorded in the public record yet or disclosed in some other way. Whether or not some of the data might eventually be disclosed post-closing through recording of deeds and mortgages is irrelevant. At the time it is provided, it must be treated as NPI and accorded all of the security and privacy controls under the law. Perhaps more importantly, the burden is on the appraiser to determine whether the data provided is public information or not. The institution – the appraiser – is required to have a “reasonable basis to believe” that the data is publicly available. In other words, research must have been done to determine its public availability first. One could not assume that a phone number or an e-mail address is publicly listed without verifying it. To be safe, anything about a particular borrower or individual, which is not absolutely known to be public at the specific moment the appraiser receives the information, should be strictly treated as NPI, and subjected to the appraiser’s implementation of both the Safeguards and Privacy Rules.
It’s safest to simply assume that an appraiser receives NPI on every assignment, and therefore, the Safeguards Rule precautions must be taken on every assignment. The Privacy Rule also applies at all times, but the actions the appraiser must take vary depending on whether the appraiser was directly engaged by the individual.
It’s also important to note that the appraiser may not fall back on any state regulations which are less protective than the federal regulations. Only those state laws offering greater protection of the consumer’s NPI, in the eyes of the FTC, are considered to apply.
Does it really apply to me?
GLB applies to financial institutions of all sizes. While appraisers may not think of themselves as a “financial institution”, the Code of Federal Regulations [§ 4(k)(4)(F); 12 C.F.R. § 225.28] specifically defines appraisers as such: “A personal property or real estate appraiser is a financial institution because real and personal property appraisal is a financial activity listed in 12 CFR 225.28(b)(2)(i) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act.” Like all laws, opinions differ as to the level of applicability in particular circumstances (lawyers are, after all, paid to argue both sides). When evaluating whether or not a law applies, it’s valuable to look at the intent of the legislators and regulators implementing it. In the case of GLB, the rules were submitted for industry comment by the FTC prior to adoption. The commission noted specifically that lenders requested specific waivers for the hundreds of thousands of appraisers, attorneys, and accountants in the settlement services chain. The commission rejected the request, replying that the security of NPI must be maintained at every link in the chain and that lenders could not abdicate the responsibility of the Safeguards Rule at any point. The FTC considered the case of appraisal transactions specifically, and clarified in the public record that the rules do indeed apply to appraisers. Throughout the FTC’s official business guides to the two rules, posted on its website, appraisers are specifically listed up front as being covered by each particular rule.
The FTC guidance is also very clear that size of the company is not an exception. A one-person appraisal shop is an “institution” under GLB and is bound by the law exactly to the same extent as any other institution. It’s important to note that the GLB rules apply to the institution, not the transaction, since the consumer’s NPI is held by the institution and unrelated to a transaction’s “federally related” status. A transaction also does not have to be successfully completed for the rules to apply. The consumer information merely has to be provided to any “financial institution” in the performance of financial services, such as appraising. Just as FIRREA resulted in the creation of USPAP, the GLB act resulted in the creation of the Safeguards Rule and the Privacy Rule. Both are sets of rules created by federal agencies as a direct implementation of federal law, and both are non-optional in any appraisal firm’s overall regulatory compliance obligations.
The practical application of the two rules in any size appraisal shop can be summarized this way:
- The Safeguards Rule always applies to appraisers. A consumer’s NPI must be securely handled at all times, regardless of where it originated, how it is held, or what type of transaction prompted it.
- The Privacy Rule only applies when the appraiser is directly engaged by an individual consumer.
GLB is just as applicable as USPAP to every appraiser. Appraisers handle NPI on virtually every appraisal, and should implement GLB compliance using simple, unbending rules. At the bare minimum, all transmissions with NPI, including the order and the final appraisal, must be via secure methods.
Realize that USPAP is talked about frequently among appraisers because it guides numerous individual valuation decisions, on a daily basis. But GLB similarly guides numerous individual data handling decisions, especially as related to e-mails to and from clients, on orders and final reports. It must become part of the appraiser’s daily regimen. As an analogy, most appraisers have encountered privacy hurdles attached to medical information under HIPAA. Medical providers, from dentists to insurance companies, are now required to provide additional disclosures to patients, cannot provide information even to other family members, and must provide checks and balances even in person to ensure only authorized access is granted to information. It changed everything related to how privacy of medical information is implemented. It affected virtually every aspect of any medical provider’s daily interaction with the public, from phone calls to e-mails to paper storage. GLB is effectively the financial counterpart to HIPAA, and its impact on even the most low-level tasks conducted in the completion of an appraisal should be considered no less sweeping.