Mortgage players could be harming consumers through tech practices recently flagged by regulators, experts caution.
One of the practices, known as dark patterns, could be the "new rage" in the regulatory space, said David Shirk, a mortgage banking lawyer and managing member of Washington, D.C.-based Shirk Law PLLC. Shirk and Tom Clerici, chief technology officer at Freedom Mortgage, discussed dark patterns and new cybersecurity regulatory concerns Monday during the Mortgage Bankers Association Annual conference in Nashville.
Dark patterns are described by the Federal Trade Commission as design practices that can manipulate consumers into buying products or services or compromising their privacy, according to a
The prohibition of dark patterns is already codified in at least two state consumer data privacy acts in California and Colorado, experts said. A common practice that could be considered a dark pattern is forcing a consumer to share their email address or property location to view interest rate price comparisons, Shirk said.
"If you're relying on consent that's buried in some document on page 87 of your closing package, that's not going to be a valid consent for the purpose of privacy specifically in California right now," said Shirk. "More generally I think that we're going to see the FTC and the CFPB say no, that's a dark pattern."
California's new modification to its consumer privacy act also has language that shifts some liability to lenders that were previously exempt under the Gramm-Leach-Bliley Act, he said. The practice could also be considered a violation of the Consumer Financial Protection Bureau's Unfair, Deceptive or Abusive Acts or Practices, or UDAAP, in the future, he added.
Experts also called attention to a CFPB advisory from August in which the bureau said insufficient data protection or information security
"It's kind of forewarning that you can expect examiners to start looking for that," said Shirk. "They're going to want to see that you have a policy that covers at least those elementary things and probably goes beyond and they're going to want to see that you have implemented it somehow."
Lenders should apply the same vigilance around dark patterns and cybersecurity standards to vendors, experts said. Regulators, in the wake of a cybersecurity incident, will call on lenders rather than vendors, and vendors could leave their partners hanging regarding financial repercussions.
Consumers impacted in
Companies must discuss security standards and incident response plans with vendors in contract negotiations, experts said. Response plans include legal, public relations, regulatory and cyber insurance actions. Many firms haven't shared the plans with their vendors, experts said. Simple cybersecurity exercises to test plans could cost a company just $7,000 to $10,000, Clerici said.
Tabletop exercises could also test responses to ransomware attacks in which hackers hold data hostage. Law enforcement won't pay hackers, experts said, and payments to foreign threat actors could violate U.S. Treasury Department laws,
"It's amazing what you see when some of these groups scramble, because they're not prepared and the thought of not having their loan origination system is such a foregone conclusion that they wouldn't know what to do in the event that that happens," Clerici said. "It's important to work through that."