Top Six Questions to Ask About Your Loan Sales Platform Cybersecurity


In case you missed it, Envision Credit Union recently agreed to a class action settlement to resolve claims it failed to protect consumer info from a 2021 data breach. If the thought of a data breach keeps you up at night, don’t overlook security when you’re considering an online platform for selling distressed commercial real estate (CRE) loans. You may be putting customer data at risk without even realizing it.

As a CRE lender, you know that the data security laws that apply to your institution also apply to any vendor that supports your transactions. You can delegate a process to a vendor, but you can’t delegate responsibility for that vendor’s data security practices—that’s still on you.

So, when you’re considering an online auction or wholesaler site, or an open marketplace platform like Xchange.Loans, to sell your non-performing CRE loans, some cybersecurity due diligence is in order. As explained further below, one critical feature to look for is “zero knowledge” security, a new concept in which no one, including the platform provider and its security vendors, has access to any of your data except you.

The following are six questions to ask your platform vendor.

1. How and where are buyer and seller data and documents stored?

Often, security breaches occur because data is stored on a company server—or a server controlled by a transaction partner or a vendor—that is not adequately protected against unauthorized users.

For loan sales, where buyer and seller information must by law remain private, a more sophisticated approach is essential. At Xchange.Loans, we decided that the best way to ensure our users’ data privacy and security was to incorporate Zentinel, an end-to-end encryption data protection platform.

One advantage of this approach is that Xchange.Loans does not keep buyer or seller data or documents on its own servers. Instead, buyer and seller information is stored with Zentinel, which uses innovative technology to store sensitive data in highly secure, individualized containers accessible only by those granted permission (more on that in question #2), far better than any solution we could have implemented on our own.

2. Who has access to buyer or seller data and documents?

In a robust cybersecurity framework, access to data and documents is strictly controlled. It’s not just a matter of having a unique username and a complex password—hackers have many means of uncovering usernames and passwords. A stronger approach is a system in which only data owners can grant access to individual requesters, using unique digital security tokens.

In an Xchange.Loans transaction, Zentinel creates a unique digital vault for each buyer and seller on its secure servers. It’s like having your own personal vault inside a larger vault. That is, Zentinel does not have access to your personal digital vault, and neither does Xchange.Loans, in contrast to the conventional security approaches found on other loan sales platforms.

Of course, at some point during a transaction, you need to sign forms electronically, provide documentation or complete other tasks that require access to the other party’s digital vault. If you need to give the other party access to your vault, Zentinel generates a digital token for each of you, and the two tokens must virtually “shake hands” before your vault opens.

3. What is your digital rights management process?

Digital rights management (DRM) is a technology that originally arose to protect copyrighted content. However, it’s useful for financial transactions, too. It involves applying software code to documents to prevent unauthorized users from editing, saving, sharing, forwarding, printing or taking screenshots, among other controls.

In financial transactions, DRM means buyer and seller documents can’t fall into the wrong hands. For example, documents involved in Xchange.Loans transactions are automatically encrypted via DRM technology, providing another layer of protection in addition to the digital vaults we covered in question #2.

4. How do you protect data and documents during transmission to and from buyers and sellers?

Email is notoriously easy to hack, which is why many financial institutions use programs like Microsoft SharePoint and Citrix ShareFile rather than sending documents as email attachments. Surprisingly, not all loan sales platforms are as careful about document transmission, even though sharing documents as email attachments is notoriously insecure.

A better approach is email encryption, in which a message is transformed from readable plaintext into unreadable ciphertext before or during transmission. Once the message is received, it’s transformed back into readable text either by the recipient’s machine or by a central server that first validates the recipient’s identity.

Not all encryption methods are the same, however. At Xchange.Loans, we use 256-bit encryption for the most secure possible emails. Long story short, encryption involves software that creates digital encryption “keys” used to encrypt and decrypt messages. The longer the key, the more difficult it is for a hacker to figure it out. 256-bit encryption is almost impossible to crack—the world’s most powerful supercomputers would need years of guessing to get it right.
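To make the per-user vault and owner-granted token from question #2, and the 256-bit key from this question, concrete, here is an added illustration in Go. It is not Zentinel’s or Xchange.Loans’ code: the owner encrypts a document under a random 256-bit AES-GCM key, the platform stores only ciphertext, and access is granted by sealing that key to one requester’s X25519 public key. The function names, the X25519-plus-SHA-256 key agreement standing in for whatever handshake Zentinel actually performs, and the sample document are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)
// gcm builds AES-256-GCM; every key here is exactly 32 bytes, so the constructor errors cannot occur.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}
// seal prepends a random nonce; open reverses it, returning nil for a wrong key, tampered data or a too-short blob.
func seal(key, pt []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, sealed []byte) []byte {
	g := gcm(key)
	if n := g.NonceSize(); len(sealed) >= n {
		if pt, err := g.Open(nil, sealed[:n], sealed[n:], nil); err == nil {
			return pt
		}
	}
	return nil
}
// pairKey: X25519 agreement hashed with SHA-256, a simplified stand-in for a full KDF (assumption).
func pairKey(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) []byte {
	shared, _ := priv.ECDH(pub) // errors only on a curve mismatch, which cannot happen here
	sum := sha256.Sum256(shared)
	return sum[:]
}
// ShareDocument (owner side): encrypt under a fresh 256-bit data key, then seal that key to one requester's public key as the access token; the platform stores both but holds no key that opens either.
func ShareDocument(owner *ecdh.PrivateKey, reqPub *ecdh.PublicKey, doc []byte) (sealed, token []byte) {
	dataKey := make([]byte, 32)
	rand.Read(dataKey)
	return seal(dataKey, doc), seal(pairKey(owner, reqPub), dataKey)
}
// OpenDocument (requester side): unwrap the data key with the requester's own private key, then decrypt; any other key holder, the platform included, gets nil.
func OpenDocument(req *ecdh.PrivateKey, ownerPub *ecdh.PublicKey, token, sealed []byte) []byte {
	if dataKey := open(pairKey(req, ownerPub), token); dataKey != nil {
		return open(dataKey, sealed)
	}
	return nil
}
```

Generate an owner key and a requester key with `ecdh.X25519().GenerateKey(rand.Reader)`, call ShareDocument on the owner’s side and OpenDocument on the requester’s; a stranger’s key, a tampered ciphertext or a truncated blob all yield nil.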

5. What happens to your data and documents after someone has viewed them? What happens when the transaction is closed?

Viewing data and documents on a computer creates another security risk, because a copy of the information may be saved on the user’s computer or on a server. To avoid that risk, the Xchange.Loans platform uses technology that makes documents automatically disappear when closed, so no copy can be saved. It’s part of our strategy to avoid keeping any buyer or seller data and documents on our computers or our servers.

6. Is the platform compliant with OFAC and any other relevant state or federal regulations?

The technology platforms you use probably have some security protections, such as requiring login credentials to access your account. However, you should never assume that online auction or listing platforms are designed for compliance with the many data privacy and security regulations that apply to financial transactions. They probably aren’t.

One reason we selected Zentinel as our cybersecurity partner was that it was built to remain compliant with the latest data privacy and security regulations. Zentinel also tracks the U.S. Dept. of Commerce’s National Institute of Standards and Technology (NIST) framework, considered the gold standard for cybersecurity. Its sophisticated compliance and security structure means that, if you’re a lender, you can be confident that you are reducing the risk of regulatory fines.

In our era of international data hacks and cybercriminals, you might assume that any online transaction platform for commercial mortgage lenders would have top-notch cybersecurity. You’d be wrong. When even a small data breach can expose a lender to lawsuits, you can’t take data security for granted. Instead, take a closer look and ask the right questions to protect your institution and its reputation.

Thinking of a loan sale, but not sure where to start? Book a discovery call with our loan sale advisors to learn your best exit strategy, potential buyer profiles, and the cash value of your loan.