Credit Technologies, Inc.

Urgent Update to Mortgage Security Breaches – Please Read The Entire Notice

 This notice contains,

• Critical information on the virus currently targeting mortgage brokers
• Steps Credit Technologies is taking to enhance security that may impact your access credit data.
• Immediate actions you should take to protect yourself from these attacks

On 4/2/2010, we issued an alert about an email based virus that was targeting mortgage brokers and lenders Nationwide. This “key logger” virus, continues to be sent to thousands of mortgage professionals. Once infected, the hackers are able to collect all information on the infected computer including access to your banking, credit card and credit reporting accounts – virtually anything that is accessed from that computer including access to your LOS and borrower files.  These attacks are continuing with alarming success. The hackers are finding that many mortgage professionals do not have adequate security in place and are able to access their computers and effect data breaches. To date, these breaches have impacted hundreds of mortgage professionals and thousands of consumers.

 Steps Credit Technologies Is Taking

 In order to assist our clients in combating these attacks, Credit Technologies is taking immediate action to enhance security procedures as it applies to protecting consumer credit data including, 

• Effective immediately – The default daily order limits have been reduced to 10 reports a day (per user login.) This can be adjusted on an as-needed basis.
• After Hours Web Access Restrictions – Effective April 12 2010, after hours web access will be available only to devices on which a security certificate has been installed (you are automatically prompted to install the security certificate the first time you access Credit Technologies.) This will not impact users that access through a LOS, FNMA or FMAC. Full web access will be available Monday-Friday, between the hours of 8:00AM and 10:00PM Eastern (5:00am-7:00PM Pacific.)

 We are currently developing additional security features including enhancements to the security certificate that will further protect your account from potential data breaches.

 Steps You Should Take immediately 

• Make sure you have anti-Virus and Anti-Spyware protection installed on EVERY computer that has access to the Internet and that it is set to automatically update not less than once per week. This simple solution will protect you from this ongoing attack. If you do not have Anti-Virus software installed, it must be installed and a full system scan completed prior to accessing consumer credit data. Credit Technologies does not endorse or require any specific brand of anti-virus software. There are numerous versions available including free versions such as Avast
• Make sure every computer with access to the Internet is protected by a Firewall. This protects your computer from hackers that scan the Internet looking for unprotected computers, then accesses your computer through an unlocked or open port. These types of intrusions can happen without you receiving any virus email or clicking on any link. Most operating systems (i.e. Microsoft Windows) have a built in Firewall, just make sure it is turned on. There are also numerous other firewall programs available, including a free version offered by ZoneAlarm
• Once you have current and up to date Anti-Virus and Spyware protection – complete a full system scan of all computers to confirm that no viruses are present. Once this scan is complete, we strongly suggest you evaluate all login credentials (not just those for accessing Credit Technologies) and select passwords that cannot be guessed or easily researched through the Internet or through background searches (the hackers are using cheap background searches to defeat security questions such as “Where Were You Born”, or “Parents Names”.)

We strongly urge you to share this information with every employee and promote the recommendations contained therein.  Credit Technologies will keep you apprised of any further developments regarding this issue.

Thank you for choosing Credit Technologies and for your swift adoption of these safeguards.

In recent days the credit bureaus and Federal law enforcement have seen a sudden and significant increase in the number of mortgage professionals falling victim to computer hackers resulting in data breaches and cases of identity theft. One example includes an e-mail claiming to be from UPS attempting to verify the user’s address for a delivery.  Here’s an example of one form of the virus email…

“UPS Delivery Problem NR.5660
UPS_Invoice_7892.zip
From: <Redacted>
Sent To: <Redacted>
Subject: Attachments:

From: Postal Manager Rogello Jewell [mallto:pan:el@ups.com] sent Sat 3/6/2010 10:27 AM
Subject: UPS Delivery Problem NR.5660

Dear Customer!

We were not able to deliver postal package you have sent on the 25th of January in time because the addressee’s address is incorrect.  Please print out the invoice copy attached and collect the package at our office. 

United Parcel Service of America.”

When the user clicks on the link, a “key logger” virus is installed (this happens in the background and is not noticeable to the user.)  This virus then tracks and records every key stroke made on that computer and sends the information to the hackers. Once the hackers have the users logins and passwords they have access to all user data including banking, credit card and credit reporting.

 These hackers appear to be specifically targeting mortgage brokers and seem to have knowledge of the mortgage banking industry and practices.  They have also been able to defeat the security certificate by “guessing” at secret questions that are far too easy or by using the Internet to research common answers to the secret question. Once they solve the secret question, they are able to gain full access to that users credit reporting account (in addition to any/all information accessible by that user.)

 To reduce the chance of falling prey to this virus and scam, (and to comply with Federal Laws and repository regulations regarding the protection of consumer credit data) Every user should immediately complete the following steps…

1.     Verify that all computers utilized are running anti-virus and anti-spyware software.
2.     Update all antivirus and anti-spyware software to insure you are using up-to-date virus detection models.
3.     Each computer should also be running an appropriate firewall service – with the default to block any unknown program or access. (i.e. Windows Defender or ZoneAlarm)
4.     Once updated, run a full antivirus/antispyware scan of your entire computer(s).
5.     Once confirmed that your computer is not infected, change your Credit Technologies password (and any other secure passwords to private information).
6.     Review any secret question/answer combination to insure the answer cannot be researched and located through the internet.

Additional best practices that can limit your risks of contracting a virus include,

 - Whenever possible limit personal internet usage on corporate computers
- Never open any e-mailed link or attachment that you were not expecting, even if you recognize the sending party.
- All computers should be set to automatically update antivirus software, and routinely install Microsoft Critical Updates (preferably automatically).

At the first sign of trouble – have your computer checked again and immediately contact your administrator or IT professional.  After an infection is found and removed a full review needs to be completed to locate any private information that may have been compromised.  Any credit card numbers should be cancelled, all passwords changed, etc immediately.

 Thank you for your immediate attention to this issue.

EasyRedFlag

The FTC has for the 4th time, issued an enforcement delay of the FACTA Red Flag rules until June 1, 2010. In fact, this is a “partial” delay. Not all entities required to comply with FACTA Red Flag benefit from the extension and not all of the FACTA requirements have been delayed. Here’s what happened… 

On October 20, 2009, the House of Representatives unanimously approved HR 3763, a bill which would exempt from the coverage of the Red Flags Rule any health care, accounting, or legal practice with twenty or fewer employees, as well as certain other businesses. For that reason, on October 29, 2009, certain members of Congress requested that the Commission further delay enforcement in order to allow Congress to finalize legislation. The Commission believes that such delay is warranted so that it does not begin to enforce a regulation that Congress plans to supersede. Accordingly, the Commission is extending its forbearance from bringing any enforcement action for violation of the Red Flags Rule against a financial institution or creditor that is subject to administrative enforcement by the FTC until June 1, 2010.

A few important notes regarding this partial enforcement delay -

• Only those governed by the FTC received the enforcment delay.  Entities such as Depository institutions (FDIC) or Credit Unions (NCUA) have been required to comply since 11/1/2008.
• Only section 114 of FACTA (pertaining to identity theft) is covered under this extension. Section 315 dealing with Reconciling addresses has been in effect since 11/1/2008
• Although the FTC granted this enforcement delay, many States (and lenders) are already including FACTA compliance in their requirements and auditing process. 

Here’s an excerpt from the FTC’s press release announcing the delay -

“At the request of Members of Congress, the Federal Trade Commission is delaying enforcement of the “Red Flags” Rule until June 1, 2010, for financial institutions and creditors subject to enforcement by the FTC.

 The Rule was promulgated under the Fair and Accurate Credit Transactions Act, in which Congress directed the Commission and other agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.

The Commission previously delayed the enforcement of the Rule for entities under its jurisdiction until November 1, 2009. The Commission staff has continued to provide guidance to entities within its jurisdiction, both through materials posted on the dedicated Red Flags Rule Web site (www.ftc.gov/redflagsrule), and in speeches and participation in seminars, conferences and other training events to numerous groups. The Commission also published a compliance guide for business, and created a template that enables low risk entities to create an identity theft program with an easy-to-use online form. FTC staff has published numerous general and industry-specific articles, released a video explaining the Rule, and continues to respond to inquiries from the public. To assist further with compliance, FTC staff has worked with a number of trade associations that have chosen to develop model policies or specialized guidance for their members.”

The entire release is avialable on the Federal Trade Commission website at http://www.ftc.gov/opa/2009/10/redflags.shtm

A new catch-phrase has been created in the mortgage industry “Credit Score Phishing.” This is used to describe a process whereby a mortgage broker or lender, through their Credit Reporting Agency (CRA) reviews all available FICO score models, and then selects the highest of those scores for use on mortgage loan applications.

Both GSEs (Fannie Mae and Freddie Mac) have created policies stipulating the accepted FICO score models and have recently issued multiple memos to those submitting loans to FNMA and FMAC. These notices reiterate the requirement that only approved FICO score models be used. Similar warnings were sent to all participating CRAs. At present, the only credit scoring models approved by both GSEs are,

•Equifax Beacon 5.0
•TransUnion FICO Risk Score, Classic 04
•Experian/Fair Isaac Risk Model V2

It should be noted that while GSE underwriting systems (FNMA Desktop Underwriter and FMAC Loan Prospector) do not currently have the ability to detect/reject a loan based on  the credit score model submitted, both have warned against the use of any non-approved score models.

Despite these warnings, some CRAs are still providing brokers and lenders credit reports containing prohibited scoring models, in violation of GSE policies. Those submitting tri merge credit reports containing unapproved scoring models run the risk of penalties and sanctions by the GSEs that could include loan buy back, rejection of future loans and/or refusal to accept credit reports from credit reporting agencies found in violation of GSE policies.

More information on FNMA / FMAC credit score requirements are available at,

https://www.efanniemae.com/sf/technology/ou/du/pdf/ducreditscoremodel.pdf

http://www.loanprospector.com/about/crc.html

In an effort to stem the tide of mortgage fraud associated with misstated income, Fannie Mae announcement 09-19 tightens the requirements regarding the use of IRS tax transcripts to verify mortgage borrower income.

FNMA now “highly recommends” that 4506-T transcripts be obtained from the IRS (or designee) for the transaction prior to closing and is used to validate the income documentation provided by the borrower and used in the underwriting process.

Effective, September 1, 2009, Fannie Mae requires all lenders to:

• Obtain from the borrower(s) a completed and signed Form 4506-T at both loan application and closing.
• Include the execution of Form 4506-T to the lender’s written quality control plan.
• Verify that all loans selected for quality control review, whether under the random or discretionary sampling include, in addition to all current requirements, the execution and reconciliation of the transcript information with the income documents in the loan file.

These requirements have caused a significant increase in the number of lenders requiring brokers and correspondents to include executed 4506T transcripts with every loan package.

Credit Technologies is an authorized IRS designee and IVES (Income Verification Express Service) provider. Tax return, W-2 and 1099 transcripts are typically available in about 24 hours. More information is available at http://www.credittechnologies.com/4506_Lender.asp or call 800.445.4922.

Fannie Mae Memo 09-19 can be read in its entirety at https://www.efanniemae.com/sf/guides/ssg/annltrs/pdf/2009/0919.pdf

In addition to the increase in the use of AVMs associated with the Home Valuation Code of Conduct (HVCC), we’re seeing a trend of conforming lenders requiring the submission of an AVM on the subject property.  The lender then uses the AVM to support the valuation, often in lieu of obtaining a full desk review.  If the AVM does not support the stated value, or it does not accompany the application the lender may reject the application.

An AVM is an instant, computer generated residential property valuation report.  In seconds, AVM’s provide detailed data regarding the subject property including an estimate of value at a fraction of the cost of a traditional appraisal. In most cases, this is a cost born by the mortgage broker that cannot be passed to the consumer.  (View a sample AVM report)

It makes sense for mortgage brokers and correspondents to know the AVM valuation the lender will be using prior to submitting the file – especially when considering the delay in obtaining the full appraisal (compliments of HVCC.)  CT provides instant online access to the most often utilized AVM models at minimal costs and without any account set up or monthly minimum fees.

Visit http://www.credittechnologies.com/Automated_Valuation_Models_AVM.asp to learn more including setting up your free account or activating AVM access on an existing account.

Consumers needing a fast and accurate value on their, or any property can also access to the same AVM property valuations used by mortgage lenders, appraisers, Realtors^® and attorneys nationwide without having to establish an account at http://www.credittechnologies.com/avm.asp

• Initial Fees - Lenders may only collect a fee for the reasonable cost of a credit report prior to the issuance of the initial disclosures. Disclosures must be given before the consumer pays any fee, other than a bona fide and reasonable fee for obtaining the consumer’s credit history.
• Initial Disclosure Statement - Lenders must continue to issue disclosures 3 business days from application, however, the issuance of the initial TIL Statement now extends to “any extension of credit secured by the dwelling of a consumer” which includes refinance transactions and home equity loans.
• Notice of  “No Requirements to Complete” - The MDIA requires that the early disclosures contain a clear and conspicuous notice containing the following statement: “You are  not required to complete this agreement merely because you have received these disclosures or signed a loan application.”
• Revised APR  Three Business Day Notice - If the APR is out of tolerance, lenders must re-disclosure three business days prior to consummation. 
• Seven Business Days Prior to Consummation - Lenders must allow applicants to have a 7 business day waiting period after mailing or delivering the TIL prior to closing of the loan.  This timing is not based on receipt date (or assumed receipt date) by the consumer- the timing begins with the mailing or delivery by the lender.
• Waivers - Borrowers may waive both the seven-day and three-day waiting period to meet a bona fide personal financial emergency.   However, if the TIL Statement is out of tolerance, the waiver is no longer effective.  After re-disclosure, borrowers must submit a signed statement describing the emergency. 
• Denied or withdrawn applications - Lenders may determine within the three-business-day period that the application will not or cannot be approved on the terms requested.  If the consumer withdraws the application within the three-business-day period, the creditor need not make the disclosures under this ruling.
• Written application – RESPA defines a written application as the submission of a borrower’s financial information in anticipation of a credit decision relating to a Federally related mortgage loan.  An application is considered received when it reaches the creditor by mail, hand delivery, or through an intermediary agent or broker.

• Timeshare Transactions - Lenders must comply with the initial disclosure requirements; however, both the 3- and 7-day waiting periods do not apply.

Further complicating the mortgage process, Fannie Mae announcement 9-19 tightens the credit report expiration dates…

“The maximum age of credit documents is reduced from 120 days to 90 days for existing construction and from 180 days to 120 days for new construction. Credit documents include credit reports and employment, income, and asset documentation. The age of the documents is measured from the date of the document to the date the note is signed.”

These new requirements will likely lengthen average app-to-close times resulting in more credit reports expiring.  This will require new credit reports be obtained at additional cost to the borrower(s) and risk changes occurring in the report that may result in lower FICO scores – thereby endangering the deal or at very least causing yet additional delays and potentially lock expirations.

FTC Announces Expanded Business Education Campaign on ‘Red Flags’ Rule

To assist small businesses and other entities, the Federal Trade Commission staff will redouble its efforts to educate them about compliance with the “Red Flags” Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply. To give creditors and financial institutions more time to review this guidance and develop and implement written identity theft prevention Programs, the FTC will further delay enforcement of the Rule until November 1, 2009.

The entire press release is available at http://www.ftc.gov/opa/2009/07/redflag.shtm

To learn more about Red Flag, or to register for an upcoming free EasyRedFlag webinar, please visit www.EasyRedFlag.com.

Critical data needed to help mortgage applicants improve their credit report and FICO scores is often hidden on tri-merge credit reports.

FICO^®scoring is the most misunderstood facet of credit reporting. Before undertaking any actions in an attempt to improve your borrower’s score, it’s important that you first understand “why they have the score they have.” The biggest surprise to most loan originators is that your tri merge report hides most of your borrower’s credit data.

“When reviewing a tri merge credit report, you are able to see only 1/3 of the consumer’s actual credit history.”

It’s difficult, (depending on your credit provider – it may be impossible) to accurately assess your borrower’s credit file based on reviewing a tri-merge report, as the logic used in creating the report, hides most (two thirds) of the consumer’s credit data.  Here’s an example,

Most creditors report data to all three repositories (Experian, Trans Union and Equifax.) Every tri-merge report contains data from all three sources, but you don’t want to see three examples of every trade line (three copies of each mortgage, car loan and credit card…) so CRAs employ a de-duping process we refer to as  “pick and choose logic.” Essentially, all examples of a given trade line are compared, and the most recent version containing the most derogatory data is selected and placed on your credit report. The other two versions of that item are suppressed and an abbreviation or code is added to the trade line to reflect which repositories contain data from that creditor. The problem with this method is readers assume that what they see on their tri-merge report is the same data that appears on the other “hidden” repositories – rarely is this the case.

This is why you can conduct a line-by-line review of a file that has significant differences in the FICO scores between the three repositories and be unable to determine “why” the scores are different. The answer is hidden in the 2/3rds of the data you cannot see. This is also the reason why so many rescoring attempts end in failure. Credit Technologies created a simple, free solution to this problem. With a single mouse click, we compare the data on all three repository files and highlights the variations. We call this the ability to see “the data behind the score”. This makes it simple for you to determine why the scores are different, and what steps are required to reach the needed score goals.

Adding to scoring frustration, loan originators often develop “tunnel vision’ when assessing an applicant’s credit and scores, focusing on any derogatory items that may appear. Very often, those items (especially if they are more than 24 months old) have little to do with the negative score result. The answers lie in the factors or comments listed directly below each score value. These comments are listed in order of what had the most negative impact to the score. To maximize score improvement, you should focus on the top listed items. Let’s look at an example…

SCORE: 629    Trans Union FICO Classic (04)
010 – Proportion of balances to credit limits is too high
014 – Length of time accounts have been established
005 – Too many accounts with balances
002 – Level of delinquency on accounts

This is a classic example of a file that often causes mortgage professionals to miss opportunities. This consumer has many prior delinquencies reported on their file but…they are all older (24+ months.) Because of the ages of the derogatory trade lines, they are having little impact on the consumer’s FICO score. As the factors indicate – the key to improving this consumer’s score is to avoid derogatory “tunnel vision” and focus on the issues affecting the consumer’s score – in this case, revolving ratios.

As with many things, the key to success is education – this is especially true with FICO scoring. To learn more about FICO scoring education and the advantages of rescoring, please visit http://credittechnologies.com/MortgageAlchemy.asp

Thomas P. Conwell III
President, Credit Technologies, Inc.^®
Director, National Credit Reporting Association (NCRA)

© Copyright 2009 , Credit Technologies, Inc. – All Rights Reserved.  FICO^® is a registered trademark of the Fair Isaac Company

“We’ve Never Seen a Legitimate Credit-Repair Operation” 
Steven Baker, director of the Federal Trade Commission’s Chicago regional office.

Credit repair can damage your credit report, FICO score and finances...

Despite the phenomenal claims made by most credit repair companies, all they do is dispute trade lines in the name of the consumer. The filing of a consumer dispute is the only method anyone other than the creditor, a credit reporting agency or the repository itself has to affect change in any repository file.  A credit repair company cannot do anything the consumer cannot do themselves for free and faster, in fact – they cannot even obtain a copy of the consumers’ credit report as credit repair companies are prohibited access to Experian, Trans Union and Equifax. 

Consumers can obtain free copies of all three repository files in minutes at AnnualCreditReport.com and if errors are found, dispute them online at no cost. They are also provided a toll-free number to reach a live person that can answer questions and assist them with the process if needed, including faxing documentation all at absolutely no cost. Except for credit rescoring, this is fastest method possibly of updating a consumer’s credit file.  

Here’s the step-by-step for the only free credit repair solution

Credit Repair poses real risks to Consumers…

Besides the monetary risks associated with credit repair, the actions of a credit repair company can damage your FICO score.  Most credit repair companies simply dispute every derogatory item appearing on your credit report. Those creditors that verify the disputed items often update the data reported to the repositories including the reporting dates. The result of frivolously disputing trade lines often results in lowering your FICO scores. The dispute process also means you are providing your current address to creditors, which can also result in new collection contacts and phone calls. Here are a few other warning signs to look out for…

Charging up-front fees in violation of Federal law
Many credit repair firms violate Federal law by requiring up-front fees often disguised as “account set-up” or analysis fees. Some require you to purchase a training manual for hundreds of dollars just to access “free” credit repair. Credit Repair Organizations Act – Public Law 90-321, 82 Stat. 164 “404. Prohibited practices. b) Payment in Advance. — No credit repair organization may charge or receive any money or other valuable consideration for the performance of any service which the credit repair organization has agreed to perform for any consumer before such service is fully performed.”  The entire text of the CROA is available at http://www.ftc.gov/os/statutes/croa/croa.shtm

Does not accept credit cards (or attempts to disguise PayPal^® as a merchant account)
This is an important warning sign, it often means the firm is unable to gain approval to process credit cards (a physical inspection and positive financial history is required). Companies with questionable pasts or practices instead will often require you pay using a third party credit card processing company, check by phone, ACH/direct debit or other means which may provide less protection in the event of fraud. Some will demand post-dated checks before providing any service (you’re expected to trust them with your confidential credit and banking information, but they don’t trust you for payment.) 

Web based, no physical location or allows contact by email only
Any company can provide a few positive references. Do your homework on any credit repair firm before sharing any confidential credit data or credit card information with them. You can verify how long their website has existed using any domain lookup tool such as  http://www.domaintools.com/ You will often find that although they may claim to have been in business for “decades”, in reality their websites are newly formed. Most credit repair companies found on the Internet are simply re-selling services provided by other companies – so you’re often unable to determine just who will have access to your personal information.

A Special Warning For Mortgage Professionals

In an attempt to help mortgage applicants qualify, (or as a means to generate additional income), we often see mortgage brokers and bankers recommending credit repair for their borrowers.  While there are usually options to assist consumers in improving their FICO scores (often in 24 hours) – credit repair is almost always a bad choice.  Aside from the problems identified above, credit repair presents a special risk to mortgage professionals. 

Engaging in credit repair is a violation of every repository contract – regardless of the credit reporting agency you utilize.

Over the years we have seen numerous audits conducted by the repositories that result in the termination of that broker or lenders access to credit data. These audits are often triggered by borrowers, who at the recommendation of credit repair companies, frivolously dispute items contained in a credit report provided to them by a mortgage professional. The repositories monitor patterns on frivelous disputes received, matching them to recent inquires into that consumer’s credit report.  All three repositories (Experian, Trans Union and Equifax) publish a monthly list of mortgage companies (and individuals) which are barred access to credit data through every credit reporting agency – Essentially putting that firm out-of-business.

Mortgage professionals – Before recommending your applicant dispute items on his/her credit report, either directly or through a credit repair company, it’s important that you understand how the data on your applicants credit report impacts their FICO score and the potential impact of any changes (see Mortgage Alchemy.) Because FICO scoring is often counter-intuitive (e.g. paying off a collection account usually results in lowering the consumers FICO score)  the best advice is to first talk to your credit reporting agency. Here are a few examples of how what you don’t know may be hurting your applicants…

• When reviewing a tri-merge report, it’s often difficult (depending on your credit provider, it may be impossible) to determine what is being reported by each repository. In many cases, you are unable to tell which items to dispute through which repository.  The merge logic used to produce the tri-merge is often responsible for errors on the tri merge report, in which case no dispute of the repositories is needed.
   
• If your borrower disputes any trade line, that item is locked from any further actions until the dispute is resolved. It might have been possible through re-scoring tools to correct the item in as little as 24 hours. This would no longer be an option once a dispute is lodged.
   
• There are other options that are much faster than filing a dispute (such as e-Oscar whereby the trade line can be updated in minutes.)
   
• It is possible that removing an item (even if that item contained derogatory data) can cause a drop in the FICO score, or worse yet – that item might have been part of the minimum required to produce the FICO score. Once removed – you’ve lost your FICO score entirely.

You can’t un-ring a bell, unless you are certain of what you’re dealing with and the resulting change (if any) to the credit score, it’s best to have your credit reporting agency confirm your actions will provide the expected results. If your credit reporting agency can’t provide these crucial services, you need a new CRA.

Thomas P. Conwell III
President, Credit Technologies, Inc.^®
Director, National Credit Reporting Association (NCRA)

© Copyright 2009, Credit Technologies, Inc. – All Rights Reserved.  *PayPal^® is a registered trademark of PayPal, Inc.