FTC Enforces Gramm-Leach-Bliley Act's Safeguards Rule Against Mortgage Companies
November 17, 2004
Agency Alleges Companies Failed to Protect Customers' Personal Information
As part of a nationwide compliance sweep, the Federal Trade Commission has charged two mortgage companies with violating the agency's Gramm-Leach-Bliley (GLB) Safeguards Rule by not having reasonable protections for customers' sensitive personal and financial information. In an administrative action filed against Nationwide Mortgage Group, Inc. (Nationwide) and its president John D. Eubank, the FTC alleged that the Fairfax, Virginia-based mortgage broker failed to implement safeguards to protect its customers' names, social security numbers, credit histories, bank account numbers, income tax returns, and other sensitive financial information. Sunbelt Lending Services, Inc. (Sunbelt), a subsidiary of Cendant Mortgage Corporation with headquarters in Clearwater, Florida, has agreed to settle similar FTC charges. The settlement with Sunbelt will bar future violations of the Safeguards Rule and require biannual audits of Sunbelt's information security program by a qualified, independent professional for 10 years. These are the FTC's first cases enforcing the Safeguards Rule.
The Safeguards Rule, which implements the security requirements of the GLB Act, requires financial institutions to have reasonable policies and procedures to ensure the security and confidentiality of customer information. The "financial institutions" covered by the Rule include not only lenders and other traditional financial institutions, but also companies providing many other types of financial products and services to consumers. These institutions include, for example, payday lenders, check-cashing businesses, professional tax preparers, auto dealers engaged in financing or leasing, electronic funds transfer networks, mortgage brokers, credit counselors, real estate settlement companies, and retailers that issue credit cards to consumers.
The Rule is intended to be flexible to accommodate the wide range of entities covered by GLB, as well as the wide range of circumstances companies face in securing customer information. Accordingly, the Rule requires financial institutions to implement a written information security program that is appropriate to the company's size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. As part of its program, each financial institution must also: (1) assign one or more employees to oversee the program; (2) conduct a risk assessment; (3) put safeguards in place to control the risks identified in the assessment and regularly test and monitor them; (4) require service providers, by written contract, to protect customers' personal information; and (5) periodically update its security program.
The FTC targeted Nationwide and Sunbelt as part of a nationwide sweep of automobile dealers and mortgage companies to assess compliance with the Rule. Although the sweep showed compliance by many of the companies targeted, it also showed significant failures to comply by Nationwide and Sunbelt. According to the FTC's complaints, both companies failed to comply with the Rule's basic requirements, including that they assess the risks to sensitive customer information and implement safeguards to control these risks. In addition, Nationwide failed to train its employees on information security issues; oversee its loan officers' handling of customer information; and monitor its computer network for vulnerabilities. Sunbelt also failed to oversee the security practices of its service providers and of its loan officers working from remote locations throughout the state of Florida.
Finally, the complaint alleges that both companies violated the GLB Privacy Rule, which requires financial institutions to provide consumers with privacy notices describing how they use and disclose consumers' personal information. According to the complaints, Nationwide did not provide the privacy notices to its customers, and Sunbelt did not provide the notices to its online customers.
The proposed consent order with Sunbelt bars the company from future violations of the Safeguards Rule and the Privacy Rule. In addition, the company must have its security program certified as meeting or exceeding the standards in the consent order by an independent professional within six months and every other year thereafter for 10 years. The order also contains standard recordkeeping provisions to allow the FTC to monitor Sunbelt's compliance.
The Commission votes to issue the administrative complaint against Nationwide and to accept the consent agreement with Sunbelt were 5-0.
The FTC will publish an announcement regarding the agreement with Sunbelt in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through December 15, after which the Commission will decide whether to make it final. Comments should be addressed to the FTC, Office of the Secretary, Room H-159, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.
NOTE: The Commission issues a complaint when it has "reason to believe" that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. The complaint is not a finding or ruling that the respondents have actually violated the law. Such action marks the beginning of a proceeding in which the allegations will be ruled upon after a formal hearing.
NOTE: The consent agreement for Sunbelt is for settlement purposes only and does not constitute an admission by the defendant of a law violation.
Copies of the Commission's complaints and proposed consent order are available from the FTC's Web site at http://www.ftc.gov and also from the FTC's Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint in English or Spanish (bilingual counselors are available to take complaints), or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at http://www.ftc.gov. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.