Andrew Martinez/National Mortgage News
Mortgage players could be harming consumers in tech practices recently flagged by regulators, experts caution.
One of the practices, known as dark patterns, could be the “new rage” in the regulatory space, said David Shirk, a mortgage banking lawyer and managing member of Washington, D.C.-based Shirk Law. PLLC. Shirk and Tom Clerici, chief technology officer at Freedom Mortgage, discussed dark patterns and new cybersecurity regulatory concerns Monday during the Mortgage Bankers Association Annual conference in Nashville.
Dark patterns are described by the Federal Trade Commission as design practices that can manipulate consumers into buying products or services or compromising their privacy, according to a September advisory. The actions can range from misleading advertisements, difficult-to-cancel charges or key items and junk fees buried in lengthy disclosures.
The prohibition of dark patterns is already codified in at least two state consumer data privacy acts in California and Colorado, experts said. A common practice that could be considered a dark pattern is forcing a consumer to share their email address or property location to view interest rate price comparisons, Shirk said.
“If you’re relying on consent that’s buried in some document on page 87 of your closing package, that’s not going to be a valid consent for the purpose of privacy specifically in California right now,” said Shirk. “More generally I think that we’re going to see the FTC and the CFPB say no, that’s a dark pattern.”
California’s new modification to its consumer privacy act also has language that shifts some liability to lenders that were previously exempt under the Gramm Leach Bliley Act, he said. The practice could also be considered a violation of the Consumer Financial Protection Bureau’s Unfair, Deceptive and Abusive Acts Practices, or UDAAP in the future, he added.
Experts also called attention to a CFPB advisory from August in which the bureau said insufficient data protection or information security could constitute an unfair practice under the Consumer Financial Protection Act. The CFPB listed multi-factor authentication, adequate password management practices and timely software updates as counters to unfair practice claims.
“It’s kind of forewarning that you can expect examiners to start looking for that,” said Shirk. “They’re going to want to see that you have a policy that covers at least those elementary things and probably goes beyond and they’re going to want to see that you have implemented it somehow.”
Lenders should apply the same vigilance around dark patterns and cybersecurity standards to vendors, experts said. Regulators, in the wake of a cybersecurity incident, will call on lenders rather than vendors, and vendors could leave their partners hanging regarding financial repercussions.
Consumers impacted in data breaches have also sued lenders for allegedly failing to protect their information in incidents at their partners. A data breach at mortgage insurance firm Overby-Seawell Company this summer affected KeyBank and Fulton Bank clients, who have since sued the depositories, along with OSC, for allegedly failing to protect their personally identifiable information. The banks have yet to respond to the lawsuits in federal courts.
Companies must discuss security standards and incident response plans with vendors in contract negotiations, experts said. Response plans include legal, public relations, regulatory and cyber insurance actions. Many firms haven’t shared the plans with their vendors, experts said. Simple cybersecurity exercises to test plans could cost a company just $7,000 to $10,000, Clerici said.
Tabletop exercises could also test responses to ransomware attacks in which hackers hold data hostage. Law enforcement won’t pay hackers, experts said, and payments to foreign threat actors could violate U.S. Treasury Department laws, according to an advisory last September by the Office of Foreign Assets Control.
“It’s amazing what you see when some of these groups scramble, because they’re not prepared and the thought of not having their loan origination system is such a foregone conclusion that they wouldn’t know what to do in the event that that happens,” Clerici said. “It’s important to work through that.”
