ALTA’s Best Practices offer banks the guidance they need to know their service providers. The ALTA Best Practices help banks and service providers navigate the requirements of the Memo. ALTA has also provided a mechanism for the banks to verify compliance.
ALTA has offered 7 questions that each bank should ask its service providers. Every service provider may be measured by 7 standards called the ALTA Best Practices (http://ALTA.org/BestPractices) that can be summarized with 7 routine questions, which are:
ALTA Best Practice #1 – Licensing
- Are they properly licensed?
ALTA Best Practice #2 – Escrow Account Controls
- Do they have proper controls in place to safeguard the millions of dollars that your bank sends through their trust/escrow accounts?
ALTA Best Practice #3 – Protect Confidential Info
- Do they have proper controls in place to safeguard the bank customers’ personal information from identity theft and cyber fraud?
ALTA Best Practice #4 – Follow Federal & State Consumer Laws
- Do they know and follow the consumer laws that are required to protect the bank’s customers?
ALTA Best Practice #5 – Deliver Policies on Time
- Do they have procedures in place to make sure that title matters are concluded in a timely fashion?
ALTA Best Practice #6 – Maintain Appropriate Insurance
- Do they maintain the appropriate levels of insurance to protect the bank’s interests and the bank customers’ interests in the event that things do not go according to plan?
ALTA Best Practice #7 – Address Consumer Complaints
- Do they address the bank’s complaints and the bank customers’ complaints (if any) in a timely and professional manner?
An elementary evaluation of the service provider relationships would prompt one to ask these seven routine questions. The CFPB is now requiring that banks (i) ask these questions, (ii) be assured that the service providers’ policies are appropriate for the circumstances, (iii) be assured that the service provider follows its own policies, and (iv) have mechanisms to be aware of and address failures when the service provider does not follow its own policies for the protection of the bank and the bank’s customers.
Compliance with some of the ALTA Best Practices can be as simple as asking: “Does the service provider have a proper license?” Others like Escrow Account Controls, for example, are more complex. But one thing your bank and a service provider both agree on is that the bank’s money and the bank customers’ money must be protected. How the money is to be protected may bring about some differences of opinion. ALTA Best Practice #2 should help resolve those differences with definitive guidance.
Best Practice #3 requires that confidential information be kept confidential. The bank goes to great lengths to guard confidential information. When the bank hands that information to a service provider, the bank needs assurances that confidentiality extends into the service provider’s offices. Gramm-Leach-Bliley (“GLB”) set forth the rules for protection of Non-Public Personal Information (“NPI”). GLB has been in place for 14 years without substantial change. ALTA Best Practice #3 merely requires that banks and service providers follow the existing laws regarding confidential information. These rules speak to digital security of NPI (encryption technology), physical security of NPI (clean desk policy) and proper disposal security of NPI (shredding and decommissioning of digital storage). This Best Practice seeks to offer the bank a sense of security that when the bank gives the service provider a customer’s valuable personal information, it is protected.
With respect to these Best Practices, ALTA has developed an assessment standard, so that service providers may earn a certification from their title underwriter and/or qualified third-party accountant confirming they have substantially met the standards. ALTA took the lead by defining the expectations contained in the Memo and providing a way to measure compliance. Using compliant service providers will not eliminate the bank’s responsibility to perform due diligence and know its service providers, but it gets a lot of due diligence questions answered for the bank without the expense of performing the due diligence itself.
One of the concerns banks have raised is that their trusted service providers will not be compliant and the bank will have to stop using them. While in many cases the compliance bar has been raised, with proper preparation the compliance standards are within every good service provider’s reach. The first step is AWARENESS, the second is PREPARATION. Start by sharing this information with your service providers so that they can prepare themselves to comply with the CFPB Memo, ALTA Best Practices and your newly heightened expectations.
Jonathan Biggs is the Vice President for Risk Management at Investors Title Insurance Company and a member of the ALTA Best Practice Task Force.