How Encryption Can Help with CFPB Compliance

June 25, 2015

By Matt Sack

Purchasing a home is one of the scariest and most exciting decisions a person can make. One of the most terrifying aspects of homebuying is the amount of personal financial information a potential homeowner must disclose to a team of strangers. The mountain of paperwork required in a home settlement is passed across the table to the real estate agent, the buyer and seller, the real estate lawyer and the title agency. In addition, prior to closing, a homeowner might be sending all sorts of paperwork via email, from HUD documents to loan applications.

Given how vulnerable a consumer can be during a home transaction, there are several measures in place to protect homeowners and sellers from data privacy breaches and from being slammed with hidden fees. While in the twentieth century most of these protections were scattered across multiple laws and agencies, they’ve since been consolidated under the authority of the Consumer Financial Protection Bureau (CFPB).

The Importance of CFPB Compliance

One of the largest safeguards protecting consumer data privacy is the Consumer Financial Protection Bureau. Title agents and other professionals who handle housing transactions must maintain CFPB compliance, or else they face steep financial penalties. Between July and December 2014, CFPB compliance regulations led to over $19 million in remediation paid out to more than 92,000 consumers.

But what does CFPB compliance entail, and how can title agencies and other entities working with home settlements protect their clients and their businesses?

NPI and TILA-RESPA: Two Arms of CFPB Compliance

Two of the most important aspects of maintaining CFPB compliance are protecting the security and privacy of non-public information (NPI) and keeping your agency in line with TILA-RESPA, a pair of laws that work to ensure that users have helpful, transparent access to information pertaining to their home settlements, including any costs and fees associated with the final transaction.

The Truth in Lending Act (TILA) was passed in 1968 to help manage costs related to consumer credit transactions by requiring disclosures and transparency from lenders. One of the most important aspects of TILA is the requirement of standardized forms so that consumers can easily understand and compare the costs of taking out a loan or mortgage. The Real Estate Settlement Procedures Act (RESPA) was passed in 1974 and promises a similar slate of protections to TILA, but with its own set of forms.

For improved consumer clarity and enforcement, both of these acts were brought together under the Dodd-Frank Act to integrate consumer disclosures and consolidate forms, all under the authority of the CFPB. With that integration, TILA-RESPA became a crucial component of maintaining CFPB compliance.

What Protecting NPI Entails

Protecting NPI like Social Security numbers or bank information is an important part of maintaining CFPB compliance. To help agencies better equip themselves to protect sensitive consumer data, the American Land Title Association (ALTA) has issued a number of guidelines surrounding NPI best practices:

  • Restrict access to NPI only to those who need to access it, when they need to access it. Also ensure that all employees undergo background checks before being granted access. After an agency no longer has reason to access the data, it should be disposed of thoroughly.
  • The use of removable data devices, like thumb drives, should be either prohibited outright or strictly controlled via an organization-wide policy.
  • NPI should only be delivered via secure methods.
  • Create a disaster management plan in case things go wrong. This could be as straightforward as a security breach, or even just a server or network failure that impacts business continuity.
  • Establish and follow procedures to audit your organization for CFPB compliance, and review those procedures to ensure that the audits themselves don’t leak NPI.
  • Ensure that your agency is well informed of your state’s security breach notification laws, and is prepared to follow them in case of a data leak.

TILA-RESPA Compliance and Consumer Privacy

To facilitate TILA-RESPA compliance for businesses that deal in home settlements, the CFPB has released a guide to the TILA-RESPA Integrated Disclosure Rule. While the main focus of TILA-RESPA is on transparency, there are several mentions of data privacy in the full text of the law. Because the forms necessary to close on a house differ significantly from those required prior to TILA-RESPA, the change can introduce confusion as to who has access to what information. To maintain CFPB compliance without violating consumer privacy or causing a breach of NPI, it’s crucial that title agents provide proper training to everyone on staff so that, say, a Closing Disclosure doesn’t end up on the wrong person’s desk—or in their inbox.

Consumer Privacy and CFPB Compliance

Jeffrey Grant is an attorney licensed in Florida to practice real estate, probate and trust administration law. We met with him to discuss how CFPB compliance and TILA-RESPA relate to consumer data privacy, and whether email encryption is a necessary component of protecting NPI.

  1. With the introduction of TILA-RESPA in CFPB compliance, how have things changed? There has been a tremendous amount of change already, with an extreme emphasis towards the implementation of the ALTA’s best practices. Rumor has it that several lenders will begin requiring a self-certification of your best practices materials.
  2. How is the industry reacting to the new regulation? There is a lot of uncertainty at the moment, as the regulations constitute a large change in the manner in which business is conducted. Only a few of the largest lenders in the business (lenders will be making the bulk of the implementation decisions regarding the new CFPB regulations) have indicated the manner in which they will be operating, though the industry and its vendors are continuing to adapt in the face of ever-fluid conditions.
  3. What do you consider NPI in the industry? We would consider any document that has Social Security numbers, dates of birth or bank account numbers to be NPI, in addition to other pertinent and private communications received from clients.
  4. How did you manage NPI before? We had the ability to send documents securely through our practice management software and would frequently use that when transmitting NPI.
  5. Where is NPI usually stored? Do you keep physical copies of anything? Will that change? We keep physical copies of all of our files for at least seven years. Additionally, our data is scanned to our server and is backed up regularly.
  6. How often is NPI transmitted over email? It’s possible for NPI to be transmitted over email several times per week, and this is typical for the industry.
  7. What are some of the best practices you use to protect NPI? We use a secure document access solution and also ensure all PDFs that are transmitted containing NPI are password protected.
  8. Do some states have additional regulation? If so, does this impact transactions occurring across state lines? Almost all of our transactions are Florida specific. However, I am aware that the Bar Associations of other states require attorneys to encrypt their email.
  9. Do you think encryption is an important part of protecting NPI? Yes. Encryption allows you to transmit NPI securely, while minimizing the inconvenience to our staff as well as to the consumer.
  10. Do you think the CFPB will expand its rules to require encryption specifically in the future? I don’t know if the CFPB will ever get that specific. In general, their regulations have been left open for interpretation, and include some room to operate for both large and small entities based on the volume of business and level of complexity for the organization.

Email Encryption: Your Secret Weapon for CFPB Compliance

While CFPB compliance doesn’t explicitly require email encryption, ALTA best practices require that you only transmit consumer NPI via secure methods, and at least one Florida real estate attorney recommends using email encryption to preserve the convenience of email without sacrificing privacy or security. If your agency isn’t currently using email encryption to protect your email messages and attachments, it’s time to make the switch.

Matt Sack works at Virtru, a company that provides end-to-end email encryption add-ons for tools like Outlook, Gmail, and Google Apps. Contact Matt at, and read more about his team's work at the Virtru Blog.
