Security,
At a la mode, we take the
job of protecting your data and that of your customers very seriously. We
have implemented systems and policies to ensure that your data is safe and
compliant. Mortgage XSites fully comply with the FTC regulations
regarding the Gramm-Leach-Bliley Act. The following document
describes the areas affected and falling under the Act along with a description
of how we safeguard data and maintain compliance.
Protection from unauthorized access during the application entry process
Loan applications submitted by borrowers using the Mortgage XSites FlexApp 1003
are doubly protected: by a 128-bit SSL connection on the page that loads the
loan application program, and by a 128-bit SSL connection from the loan
application program to the web services that load and save data.
Protection from unauthorized access while in our custody
Once in our
custody, electronic access to the data is restricted to key personnel who
develop and maintain the systems. We implement a hardware firewall
solution that prevents direct access to any of the database servers from
outside the building without using an encrypted VPN connection.
Physical
access to the data is protected in our network operations center by multiple
layers of security. Physical access from outside the building to the
general offices is secured by electronic card access. Anyone without a
security badge is not even able to enter the general offices. Once inside
the general offices, access to the network center itself is again limited by
card access to key personnel who maintain the systems. Logs are kept of
all access to any door.
Use of loan application data by a la mode
Under no circumstances does a la mode sell, convey, share or disseminate in any
way any data associated with your Mortgage XSite or clients' loan
applications. We are in the business of providing software solutions for
the real estate industry and have been a conscientious and trustworthy
custodian of customer data since 1985.
As part of a la mode's process of continued enhancements and upgrades to the
Mortgage XSites and FlexApp 1003 products, we monitor and compile various
statistics on the habits of consumers filling out the loan application. These
statistics, such as which fields are left blank, most common stopping points,
most common data entry formats and various other user habits, don't contain
any confidential consumer information but provide us with a wealth of
information we need to improve the product. In addition, we reserve the right
to aggregate certain data points for the purposes of measuring the level of
growth of our products and tracking industry-wide trends in the habits of
consumers.
Protection while exporting loan applications to a loan origination system (LOS)
Mortgage XSites supports exporting loan applications to a number of popular LOS
systems such as Calyx Point, Encompass, Contour, Genesis 2000, BytePro, and
many others. The export method varies depending on the specific LOS. For
Encompass, Contour and Genesis 2000, the export occurs using a direct interface
to Ellie Mae's ePass network. This interface runs across an encrypted SSL
connection to their back-end servers. Likewise, for BytePro, an encrypted SSL
connection is made from the BytePro desktop software directly to the a la mode
servers. Various other LOS systems such as Calyx Point utilize the Fannie Mae
DO/DU 3.2 format for importing loan applications; in this case, the DO/DU file
is downloaded from the a la mode servers to your local computer over a secure
HTTPS connection.
Protecting data from power failure and disaster
Mortgage
XSites are hosted at a la mode's state of the art data center located in
USA PATRIOT Act Compliance
Although mortgage brokers do not specifically or officially fall under the
guidelines of the USA PATRIOT Act, upstream lenders and other financial
institutions involved in the mortgage transaction do. As the origination point
of the loan, the mortgage broker will be expected to assist in gathering the
necessary information from consumers for upstream lenders and institutions to
be compliant. Unlike other compliance requirements, there are no disclosure
forms to distribute to the borrower. Rather, section 326 of the Act
provides that institutions implement a customer identification program (CIP) in
order to verify the identity of borrowers prior to engaging in a financial
transaction. In this case, that means opening a new mortgage loan. Mortgage
XSites provide mortgage brokers with the tools for implementing a CIP.
Specifically, the online loan application has fields and other tools for
gathering all the required information from a borrower, including name, date of
birth, address and taxpayer identification number. In the event the
borrower is not a U.S. resident, a passport number and country of issuance,
alien identification card number, or number and country of issuance of any
other government-issued document evidencing nationality or residence and
bearing a photograph or similar safeguard is required. Because of the
many variations in these forms of identification, having a borrower use
DirectFax to include a copy of this ID is one of the best ways to fulfill the
requirements of the Act.
Definitions
DirectFax
An exclusive technology of a la mode that allows borrowers to send paper-based
documents using any fax machine. The documents are converted to a digital
PDF file and attached to the loan file automatically using a special bar-coded
cover page. Any hard-copy document can be sent, such as pay stubs, tax
returns or even a driver's license, passport or other official ID.
Gramm-Leach-Bliley
The Gramm-Leach
Bliley (i.e.,
HTTPS (Hypertext
Transfer Protocol over Secure Socket Layer, or HTTP
over SSL) is a Web protocol, developed by Netscape, built into browsers, that
encrypts and decrypts user page requests as well as the pages that are returned
by the Web server. HTTPS is the use of Secure Socket Layer (SSL) as a sub-layer
under its regular HTTP application layering. (HTTPS uses port 443 instead of
HTTP port 80 in its interactions with the lower layer,
Secure
Sockets Layer. Used by most commerce servers on the World Wide Web, this
high-level security protocol protects the confidentiality and security of data
while it is being transmitted through the internet. Based on RSA Data
Security's public-key cryptography, SSL is an open protocol that has been
submitted to several industry groups as the industry security standard. Denoted
by the letters HTTPS in the URL.
Enacted by the U.S. Congress in response to the
A virtual
private network (VPN) is a private network constructed across a public network
such as the Internet. A VPN can be made secure, even though it is using
existing Internet connections to carry data communication. Security measures
involve encrypting data before sending it across the Internet and decrypting
the data at the other end. An additional level of security can be added by
encrypting the originating and receiving network address.