The Rising Cost of Originating Mortgages. Let’s Stop the Madness!
By:Maria Moskver
September 19, 2019

Data Is the New Oil. And It’s Leaking All Over Fintech

An Economist article in 2017 made the claim that data is the new oil, arguing that data is now the most valuable resource available to businesses. While the validity of that claim has since been debated, there’s no question that data is an incredibly valuable asset – just look at the volume of regulations that protect how companies must store and transmit customers’ personally identifiable information (PII).

The problem in the world of mortgage technology is that too many startups have failed to comply with those regulations. As a result, customers are vulnerable to a variety of preventable incidents (from theft of funds to identity theft) and the companies themselves are left paying fines for their lapses, and losing customers’ trust.

Here’s a look at the three-pronged reason data security continues to be a problem among fintech startups (including mortgage technology companies) and how we as an industry can improve the landscape.

Security Lapses at Financial Companies

You don’t have to dig too deep to find security lapses at financial companies.

Take the infamous Equifax data breach of 2017: the 118-year-old credit reporting bureau was responsible for a breach that affected 147 million Americans. Because of a security flaw the company reportedly knew about for at least two months before the incident happened, sensitive data like social security numbers was left exposed.

If the company had acted faster to address the vulnerability, the breach (a violation of protections laid out by the Gramm-Leach-Bliley Act) might never have happened.

But Equifax is an old company. It was founded in an era before television, never mind the internet. While company leaders were almost certainly aware of their duties under the GLB Act’s regulations, the company itself clearly didn’t have the tech- and security-first culture necessary to respond to threats on an ongoing basis.

Compliance Lapses at Tech Companies

On the other hand, there are also plenty of examples of the reverse: compliance lapses at tech companies hoping to serve the financial industry.

In January of this year, for example, a breach at the data and analytics firm Ascension led to the exposure of 24 million financial and banking documents dating back to 2008. The breach happened because a server was left without a password protecting it, meaning anyone on the public internet could conceivably find its contents, which included a variety of PII.

What’s notable about the breach is that Ascension specifically targets its services to the financial and mortgage industries. Because of that, its leaders should be well aware of the stringent regulations that exist in this space and should have taken much more rigorous measures to protect the customer data.

The breach, by exposing borrower information to the general public, could conceivably amount to a violation of FTC Act for those banks and lenders that worked with Ascension. 

Unfortunately, these and other violations of industry regulations are not uncommon in fintech startups. Often, they result when tech leaders try to disrupt a highly regulated space without an adequate understanding of the nuanced ways those spaces are regulated. Someone with a tech background may mistakenly believe that, because their company only touches one part of the mortgage lending process, for example, they only have to worry about regulations that specifically touch that part.

In reality, all fintech companies must be invested in the bigger framework of regulations and security.

Target and the Trust Network

This reality was most memorably illustrated by the infamous Target data breach of 2013. The box store’s payments system was breached when a hacker managed to get login credentials for an HVAC company that had access to Target’s system.

Target’s system was secure. The payments system was secure. But because the HVAC company had a weak point, hackers had an entry point.

The lesson was clear: it’s not enough for companies to build and maintain a system that adheres to data security rules and complies with relevant regulations; they must also ensure that the companies they work with (and connect their systems with) are secure and compliant. And, this goes double for anyone in a highly regulated space like mortgage tech.

The Solution: Starting with Compliance and Security

The only way to ensure the security and compliance of a company in the fintech or mortgage tech space is to approach service offerings with a security- and compliance-first attitude. This means designing for security and compliance rather than retrofitting systems, in other words, ensuring that there are early hires in leadership positions with backgrounds and experience in technical security and regulatory compliance.

Without security and compliance infrastructure built into the fabric of a mortgage or mortgage-adjacent startup, adjusting to changing regulations and a shifting technological landscape becomes too burdensome. And, as soon as a company falls behind on security and compliance, it risks not just the security of end users but also its viability, as partners avoid working with companies that put them at risk.

Data will continue to fuel the world of mortgage lending; startups in the space that hope to thrive must demonstrate to customers and industry partners that they respect their data by making data security and information privacy top priorities.

Watch 2 Minute Guided Demo Tour

Want to reduce closing costs and close more loans faster? Watch a 2 minute guided demo tour and see why the top U.S. lenders trust Cloudvirga as their digital mortgage technology provider.

Recommended Blogs



By: Jason SmithJune 22, 2022By:Jason SmithJune 22, 2022I have been called a lot of things in my life- some good, some not so pleasant and many that I can’t repeat here due to corporate filters. However, the grand consensus has always been that I more than likely...

read more
Not Free Enough

Not Free Enough

By: Jason SmithJune 2, 2022By:Jason SmithJune 2, 2022  A few years back I was offered free tickets to a St. Louis Cardinals baseball game as part of a large group, and my friend Tony asked if I was planning on going. My response, “Hmm, I don’t think so” surprised...

read more
Were We All Rickrolled?

Were We All Rickrolled?

By: Jason SmithMay 25, 2022By:Jason SmithMay 25, 2022  While walking around my neighborhood this morning, it occurred to me that I commonly think to myself (albeit selfishly) things like, “Ha, I paid less than you,” or “Our house has more square footage at the...

read more