Gramm-Leach-Bliley: time for the industry to get compliant
Written by Marketing on May 25, 2006
What do the words Gramm-Leach-Bliley mean to you?
If you’re like many appraisers, you’re vaguely aware that GLB (as we’ll call it) is a law that deals with financial privacy. You may have heard something about it being applicable to appraisers, but no one’s ever really pressed the issue, so like the vast majority of your colleagues, you’ve never really done anything about it.
No one ever really pressed the issue to title companies either. That’s changed now that Kansas-based Nations Title Agency Inc. has settled Federal Trade Commission (FTC) charges that it was careless with consumer information. (Kansas City Business Journal account)
A Kansas City TV station found discarded mortgage loan applications in an open, unsecured dumpster on Nations Title property. That prompted the FTC, the agency that enforces GLB, to investigate. The FTC also found that Nations Title had failed to secure its digitally stored consumer information, which had been accessed by a hacker.
The settlement agreement, which you can see at this link (PDF), should be read as a cautionary tale by anyone who doesn’t take GLB seriously.
Among many other things, Nations Title must commission third party audits of its privacy and security programs every two years for 20 years. The FTC may demand and receive any documents relating to Nations Title’s security and privacy program for the next five years, and supporting material for each third party audit for three years after each is completed. Nations Title’s owner, Christopher Likens, must notify the FTC of changes to his employment status and place of business for the next 10 years.
Five, 10, 20 years – all are an awfully long time for a federal agency to be monitoring your business practices. Hopefully, you’re not likely to discard private financial information in an open dumpster. That’s why it’s important to realize that, after investigating, the FTC also found several deficiencies with Nations Title’s digital data security.
Consumers, brokers and loan officers can’t sue you under GLB, but can certainly report you to the FTC. They may do it because you’ve been careless with personal information, or they might do it for some other reason. If it happens, your t’s had better be crossed and your i’s dotted.
Appraisers are subject to the rules
Appraisers are subject to GLB’s Safeguards Rule and Privacy Rule. During the development of the FTC’s rules, lenders requested waivers for their vendors, including appraisers, and the request was rejected. The FTC has time and again clarified publicly that appraisers must comply. See, for example, 16 CFR 313.3 (text search for “appraiser”).
The size of your company or practice doesn’t matter. It also doesn’t matter if a particular transaction is “federally related” or not as FIRREA contemplates. The rules are applicable to you or your company overall, not specific assignments.
The “non-public personal information” (NPI) the law seeks to protect need not come directly from a consumer. You are responsible for securing NPI you get from a client while it is in your possession.
You are responsible for determining whether information is “non-public.” It would be a mistake to assume a phone number or e-mail address – two kinds of NPI – is publicly listed. It is best to assume none of it is.
GLB and its rules trump state law. You can’t simply comply with your state’s privacy security laws and hope that squares you with federal law, too.
What you need to do
All appraisers must, at minimum, do the following:
- Secure the transmission, receipt, and storage of data relating to consumer NPI at all times, via passwords, encryption, and physical protection, backed by a written information security plan.
- Provide easily understood privacy statements to any consumers who engage you directly, disclosing the gathering, sharing, and security of NPI data, as well as the methods the consumer may use to opt out of sharing the data with others.
Note that a privacy statement and opt-out procedure are only necessary when a consumer engages you directly. The information safeguards required when you’re in possession of NPI are applicable at all times.
A detailed Best Practices document discussing these issues in depth is available from a la mode’s resources page at this link. The Best Practices document includes a discussion of the applicability of the rules to all appraisers and how generally to respond. The second half is advice specifically for a la mode customers regarding how to use our tools to help you comply.
Further guidance is available from the Appraisal Foundation at this link, and from California’s OREA at this link (page 7 of the PDF).
GLB is a marketing opportunity
Your clients are required by law to work with vendors – like appraisers – who appropriately safeguard NPI. Compliance isn’t difficult. But you’re probably painfully aware that a lot of what you’re reading here is new to you and your colleagues. Read up on GLB best practices, develop procedures to comply, then tell your clients you’ve done so. Turn your efforts into a profit instead of just an expense.
Implementing a secure means to send and receive NPI – in appraisal orders, sales contracts and other financial documents, final reports, and even ad hoc e-mail with clients and other service providers – is a visible and marketable thing. It shows not only your technology level, but your knowledge of and adherence to federal privacy security laws.
And almost needless to say, in this day and age, an airtight privacy policy easily communicated to the public is a big selling point. Identity theft and fraud are huge issues. Don’t be afraid – once you get up to speed on GLB and its requirements, and implement compliant policies – to tell potential customers the information they give you is going to be secure with you but maybe not with another appraiser who isn’t GLB compliant.
If you’re like most appraisers, you don’t like getting out there and touting how great you are. A powerful marketing tool you need not feel “sales-y” about is distributing your privacy policy and a description of how you comply with the Safeguards Rule to all your clients and consumers you’ve worked for. Do this annually as well as any time you change them. They’ll see, in a subtle way, how professional and on top of things you are.
Panel discussion in Orlando
At our second annual Summer Convention in Orlando, June 6, we will have a luncheon panel discussion about these issues featuring a la mode Chairman Dave Biggers and Corporate Counsel Jennifer Sides. We hope to see you there, and watch this space for a recap.