The American Land Title Association (ALTA)’s Best Practices 4.0 took effect on Tuesday, May 23, 2023. ALTA’s Product Director, Steve Gold, sat down with Qualia’s Head of Information Security, Alex Hamlin, to discuss the revisions, how they may impact operations for title & escrow companies, and what these agencies can do to incorporate the updated guidance into their daily operations.
With this update, ALTA seeks to elevate the Best Practices from a set of regulatory guidelines to an operational excellence and process optimization framework. Gold noted that, “ALTA 1.0 to 3.5 were all about making sure our organizations were in compliance with banks and title insurers, and that’s matured. 4.0 updated some language, but it also includes material additions related to operational efficiency, safety of funds, and safety of customer data.”
As more of the closing process moves online and instances of fraud become ever more prevalent, ALTA urges agencies to harness technological advancements to keep up with growing risks to data security and create durable safeguards against fraud. Notably, ALTA Best Practices 4.0 marks the first time that specific guidance has been provided around innovative technology such as cloud-based systems and Remote Online Notarization (RON), both of which have gained significant traction since ALTA last updated its best practices in 2019.
Industry shifts that led to ALTA 4.0
Gold cited modern consumer demand for efficient, digitally-friendly closing experiences as the primary driver of changes to how title & escrow companies operate. “While it’s great to be able to provide [a] tech-forward transaction experience, it certainly introduces new risk into the transaction by inviting new parties to ‘touch’ the data.”
Indeed, the real estate industry has seen a continued increase in cases of fraud over the last year:
- The FBI Internet Crime Complaint Center (IC3) received 21,832 complaints of Business Email Compromise (BEC) in 2022, resulting in $2.7B+ in adjusted losses
- Wire verification service providers for the title industry reported a 145% year-over-year increase in reported wire fraud instances in 2022
- 56% of security professionals say insider threats have become more frequent in the last 12 months, according to a report published by AT&T
ALTA Best Practices 4.0 provides a framework for developing a proactive security strategy that leverages technology to help detect and mitigate potential fraud. For Gold, “the opportunity presented is how to harness that new technology in a way that is not only compliant but also operationally sound.”
Material updates to ALTA Best Practices Pillars 2, 3, and 4
Revisions to ALTA Best Practices Pillar 2 revolve around opportunities for bolstering escrow account security. ALTA now recommends utilizing positive pay/reverse positive pay whenever available for the payment type, as well as maintaining a daily cadence for two-way reconciliations.
ALTA also recommends against the use of three potentially risky forms of transaction: international wire transfers, ACH, and funds transferred using web-based FinTech applications. ACH and web-based FinTech transaction types in particular pose a higher risk due to the potential of being ‘clawed back’ (i.e. reversed) before clearing. Title companies looking to leverage web-based FinTech transfers—such as third-party Earnest Money Deposit or disbursement platforms—need to ensure that the platform doesn’t open them up to undue risk. Before using this type of payment solution, title companies should determine whether funds would be subject to the Electronic Funds Transfer Act (EFTA). If so, Hamlin warns, “know that those funds are not settled and therefore present some degree of risk to you. If you were to disburse off those unsecured funds, and if that payment is reversed, you could be on the hook for the difference.”
The other big change to Pillar 2 concerns wire transfer protocols. “ALTA Best Practices are all about documenting and enhancing processes. So go review your wire protocols, make sure you have processes well documented, and take the opportunity to update some processes.” Specifically, Hamlin highlights the use of multi-factor authentication (MFA) to mitigate the risk of wire fraud, as well as the use of a vetted wire verification service provider.
Looking at Pillar 3 revisions, the primary focus is on protecting nonpublic information (NPI). Central to this is the creation of a Written Information Security Plan (WISP). Hamlin shared that the first step towards drafting a WISP is identifying the individual who is going to be accountable for the security of your organization. That individual is then responsible for defining what it means for your organization to operate securely.
A WISP is typically made up of several different policies that together define what it means to operate your business securely. Every company has its own specific security needs and practices, so there is no “one-size-fits-all” when it comes to what goes into a WISP. That said, it may include an Acceptable Use Policy, a Vendor Management Policy, a Disaster Recovery Plan, and similar documentation. Once title companies have defined their WISP, Hamlin recommended they conduct a risk assessment wherein they take inventory of all their assets—employees, computers, servers, systems, vendors, etc.—and evaluate these assets against the company’s updated security policies.
When reviewing and developing security procedures, Pillar 3 recommends that title & escrow agencies differentiate between physical and network security controls:
Physical security refers to matters related to your agency’s office space. It’s “an older problem that doesn’t necessarily get as much attention but is still extremely important,” according to Hamlin. If title companies have customer NPI stored in paper records, on computers, or on servers, it’s vital to restrict physical access to those items by ensuring that doors are locked and that leadership understands who has a key or badge.
Network security relates to the systems on which your data is stored. While the Best Practices revisions contain a number of recommendations for network security controls, Hamlin pointed to the use of multi-factor authentication as the most important. “A traditional password is a single factor, something you know. Multi-factor adds something else—either something you have, like a phone, or something you are, like a fingerprint.” The most common form of multi-factor authentication is a code sent via text message to your device. However, there are many other forms. Authenticator apps, like Google Authenticator, Twilio Authy, or Duo, are even more secure and don’t require cell service.
While using MFA may seem like an inconvenience, Hamlin pointed towards recent research from Microsoft showing that it blocks more than 99.9% of account hacks.
Additional updates to Pillar 3 Best Practices recommendations also include:
- Enforcing passwords that are long (8+ characters), complex (using a mix of lowercase, uppercase, numeric, and/or special characters), and unique
- Performing timely software updates
- Updating your software regularly, whether using on-prem, hosted, or cloud service
- Vetting all vendors’ privacy policies to ensure adherence with the title agency’s WISP
The latter, according to Gold, should happen during the initial contract negotiation and any future review cycles. Title companies must ask vendors questions, including whether they’re Best Practices compliant, what their approach to security is, how they respond in the event of a breach, and how they prevent loss of data.
In fact, proper due diligence is the basis of updates to Pillar 4, which are, according to Gold, “all about your settlement policies and procedures, with updates around codifying your document creation processes and specific additions related to the technology available to you to augment that experience for homebuyers/sellers.” Gold urged that all title companies write down their policies to help protect business continuity.
He also highlighted the title agency’s responsibility of ensuring that all third-party notaries have the proper licensure, carry insurance, and follow all requirements by state law or title insurer. “This also applies to any RON platforms you select, if not more so. RON is a new addition to the ALTA Best Practices. It is your responsibility to vet this platform (as with all other platforms and services) to ensure congruence with your data protection and privacy policies and meets all legal requirements.”
Making one final point on vendor due diligence, Gold pointed out the Pillar 4 guidance for leveraging an e-Recording platform, where he says it is also your responsibility to ensure that the vendor complies with local laws and requirements. He encourages having a written contract in place with your vendor and paying particular attention to how they handle NPI to ensure their practices align with your agency’s WISP.
Turning policy into practice
When it comes to actually implementing the ALTA Best Practices, Hamlin recommended thinking of the updates in terms of people, process, and technology in that specific order. “Unless you have the people and process in place, the technology isn’t going to work by itself.”
This means first educating employees on the new ALTA Best Practices and training staff on any updates to policies and procedures resulting from these revisions. Then, review existing processes to:
- Assess agency risk tolerance for reversible payment methods
- Review and update physical security guidelines
- Update written procedures for document preparation and closing processes, wire verification, and daily reconciliation and accounting policies
- Review all vendor and service provider contracts
Finally, assess how technology is being used to support your people and your processes:
- Confirm EMD / payment platforms comply with Good Funds laws
- Use a wire fraud detection service provider
- Implement multi-factor authentication
- Use strong and unique passwords
- Update software regularly
- Assess point solutions
Qualia’s integrated suite of products and services is built to comply with ALTA Best Practices, offering:
- Multi-factor authentication
- Built-in accounting with positive and reverse-positive pay
- A reconciliation dashboard
- Wire fraud detection
- A secure communication portal
Qualia is SOC 2 Type 2 assessed and ISO 27001 certified. Our system is designed to consolidate operations and keep data secure.
To learn more about data security best practices, visit Qualia’s Trust Center.