Information Security Laws Require Brokers and Lenders to Implement a Plan

State and federal regulators have recently increased enforcement actions against mortgage brokers and nonbank lenders that fail to comply with the Gramm–Leach–Bliley Act (GLBA) and the Federal Trade Commission (FTC) Safeguards Rule. The FTC’s updated Safeguards Rule requires all financial institutions, including mortgage brokers and lenders, to implement a written information security program.

While GLBA applies nationwide, most states duplicate or expand upon the federal laws for licensees regulated by their Department of Financial Institutions (DFI), Department of Banking, or similar agency. Failure to maintain a plan can result in enforcement actions or license suspension. Companies have been fined for lacking written information security plans, encryption policies, or incident response procedures.

Penalties vary by state but typically include civil fines between $25,000 and $250,000 per violation. Enforcement actions can include cease-and-desist orders, consent orders requiring immediate corrective action, required adoption and submission of a compliant information security plan, and mandated third-party audits for 12-24 months. A key violation is the absence of an incident response plan or breach notification procedure.

Common violations include the absence of a designated information security officer or program manager, missing employee training, weak encryption of sensitive data, and failure to oversee third-party vendors with access to customer data. Mortgage brokers should proactively implement a GLBA-compliant Information Security Program that includes a written policy, risk assessments, employee training, and vendor management controls. Plan updates and incident response records are critical for avoiding fines and maintaining state licensing.

Be a step ahead: contact our office for a complimentary Risk Assessment Questionnaire.
