Most of us don’t think twice about security when using ATMs. Ditto when buying merchandise with credit or debit cards at stores and online. Maybe that’s why, when making one of the biggest financial decisions of a lifetime, not all homebuyers are aware of the possible financial dangers that could affect the transaction.
With so many consumers impacted by the recent Equifax breach, it’s a good time to consider just how secure all of your financial data really is–especially when buying or selling a home.
In case you weren’t aware, your security is at its most vulnerable during the last steps of the escrow process. That’s when, if you’re the buyer, the funds you’re using to purchase the property are electronically transferred from your lender to the seller’s financial institution of choice. It’s also when you and the seller are most likely to be victims of financial fraud, identity theft, and more–unless you’re using an escrow company that’s certified to combat cybercrime.
What are SOC1 and SOC2 (Service Organization Controls) certifications, and why are they so important to the escrow process? Jon Clark, Senior Vice President, Core Services, is happy to explain how and why our company is committed to investing in the certifications.
“An escrow company is required to be a financial reporting system for the Internal Revenue Service,” Jon said. “So when you buy a house, the escrow company that closes the transaction is required to report the sale to the IRS on behalf of the buyer and the seller. And in order for the escrow company to do that, we have to collect all their non-public personal information like Social Security numbers, date of birth, bank account numbers–all the information you don’t want Internet fraudsters to have.
“So the reason buyers and sellers should insist on having a SOC1- and SOC2-certified escrow company collect their non-public information is because their funds and their identity could be stolen. What many on both sides of a transaction don’t understand is that even if they close the transaction successfully, their personal information is still stored–in the cloud, on servers, and elsewhere–and that if access has been gained to any part of that information through malware, which is automated software that can collect your date of birth and save it, your security can be compromised. The hacker can wait for the last four digits of your Social Security number for a year, and then wait for your address, and then wait for your account numbers to all come through. So your identity could be stolen three, four, five years after you’d been associated with a company or a closing escrow company that hasn’t been certified to protect that information.”
Good examples of recent data breaches are Equifax, Yahoo, and Target, where this information is collected over a long period of time and then sold on the dark web, Jon said. So 10 years down the line, because you had a Yahoo or Equifax account, your identity could be stolen and you can’t trace it back to your real estate transaction because your agent had a Yahoo account.
Certification involves a third-party auditor, Jon said. “Under American Land Title Association (ALTA) best practices, the only way you can create security policies, and be tested against those policies, is the same way a financial auditor audits accounting. But in our business, they have to come in and first require us to produce policies that say, ‘This is how we go about protecting your financial information and reporting it to the IRS.’ They check those policies against standard business practices. And they also do it on the SOC2 report on whether our systems are locked down with the appropriate firewalls and safeguards, so our information can’t be hacked.”
The goal of SOC certification is to make an escrow company “bulletproof” against security breaches, Jon said. “The only way to prove that you are bulletproof is to have a third-party auditor, in this case a CPA firm that specializes in audits, to come in and test you–bombard your system, constantly go over your files, go over your policies, and actually test to see if you can be compromised. Then they write a report that says, ‘From this date to this date, we’ve tested your systems, and you’ve passed.’
“There are over 250 items that they check during an independent audit to make sure that we’re safe. Escrow companies that can’t show third-party certification can say, ‘Oh, yes, we follow best practices.’ But that means they’re self-certified, which is like asking our accounting department if their financial standards are correct.
“We pay hundreds of thousands of dollars to get our systems, our software, hardware, and policy procedures up to ALTA best-practices standards. And the annual audit costs between tens of thousands of dollars more. So you have to spend a lot of money to be bulletproof. You have to buy the firewalls, you have to make sure your routers are set up a certain way and your servers are co-location protected. A lot of escrow companies put their server in a closet, which means their data is not protected.
“If you put your server in a co-location like we do, which is basically a 24/7-protected nuclear bunker that can take a direct hit from a 747, that’s the standard you have to meet to protect your data. To reach the standards that are required to obtain the certification, you have to be industry-leading in your technology on being able to not get cracked, hacked, or have someone steal that data by gaining access to your office. Any information that’s shared unprotected is in danger of being used to finally get your money at the end of the transaction.”
How did the need for SOC certification and policy standards come about? It’s a complicated subject because it refers to federal law, Jon said. The Dodd-Frank Wall Street Reform and Consumer Protection Act was passed and took effect in July 2010. It requires lenders to be responsible for the entities that close a transaction, because buyers and sellers were confused about lenders’ practices. And they probably still are, Jon said.
Before Dodd-Frank, the industry standard was only whatever each individual company self-certified as its own standard. Dodd-Frank is an attempt to certify nationally what’s required as the standard level of care. So, a company that is not SOC1- and SOC2-certified is not up to the best practices that are required by Dodd-Frank.
Now that you know how SOC certification can protect you, how do you insist on it when entering escrow? Plenty of small escrow firms can handle your transaction, but 95 percent of escrow companies are “mom-and-pop uncertified,” Jon said.
“Like everybody else, they don’t think they’ll make a mistake or that it will be the buyer’s or seller’s fault (if something goes wrong). We go overboard to the point of annoying our agents, and our buyers and sellers, to use our certified escrow partners, because we won’t send them any information that isn’t encrypted. An encrypted email, in 99.9 percent of cases, can’t be hacked.
“We even give our agents Office 365 to use because everything that goes in and out is encrypted on their clients’ computer, phone, or tablet. We assume that everybody’s email has been hacked, so we will never send back to an email that we suspect somebody is watching. And it doesn’t have to be somebody; it can be malware, something on a computer that’s running super-fast and taking bits of data.
“There are so many companies that aren’t safe and certified, so obviously the hackers go after them. We have not lost a penny of our clients’ monies, and we handle between $30 million and $50 million a day in our trust accounts. So the proof is in the results. But the competition’s lawsuits are piling up all over California and nationally.”
It’s clearly in an agent’s best interest to recommend to their buyers and sellers that they use a company that is SOC-certified, Jon said. “So what we ask them to do is, in the contract, where it says who the escrow provider is, they write in Pickford Escrow Company or The Escrow Firm, or an SOC1- and SOC2-certified provider. If the listing agent gets that and doesn’t counter it, that means they’ll use Pickford Escrow Company or The Escrow Firm, or they’ll have to find a provider that is certified.”
According to Jon, many agents have long-term relationships with non-certified escrow companies that will say, “Well, nothing has ever happened before.” Or that provider will say, “We work under best practices,” but can’t produce a document that says an independent third party has certified them. So that would force them per contract to come back into Pickford Escrow Company or The Escrow Firm.
What has happened over time, Jon said, is that agents write in “seller’s choice” for escrow company in the contract because they don’t want to antagonize the seller or the listing agent should they want to direct it to their escrow company or friend.
“More and more consumers are getting aware of this,” Jon said. “There’s been many billions of dollars lost. We work very closely with the FBI on fraud. They are telling us that twice a week in Los Angeles alone, funds are being misdirected away from escrow companies by hackers who get in between the buyers, the sellers, the agents, and the wiring instructions to get the money from the trust accounts in the escrow companies.”
How do you know who got hacked? There are forensic ways to follow who was intercepted, Jon said. “A hacker will come in and spoof someone to try to get their information or their username and password. Then they’ll be able to put in rules and block everybody out of the transaction, steal signatures, and make it look like they’re receiving information from one another, and everybody is confirming that’s the correct information. But the hacker’s doing all of it, everybody else can’t see it, and they send them a message that says, ‘These are your new wiring instructions. Wire $320,000 to this address.’ This happens all the time, so the courts are being filled with lawsuits where they sue the brokerage, the escrow, each other. The transaction doesn’t close, the agents don’t get their commissions, and it goes to court for four years. And insurance doesn’t cover it.
“Almost no buyer or seller chooses the escrow company. It’s almost always the agent. We’ve made a commitment to do the right thing, and we’ve put our money where our mouth is. Our managers are encouraged to tell their agents to recommend Pickford Escrow Company and The Escrow Firm. I pitch it as much as I possibly can. Pickford Escrow Company and The Escrow Firm are wholly owned by HomeServices of America. We have 16 offices and 80 employees. Any firm can use us, because we’re totally independent. Our managers have very close relations with our escrow officers because we have to be experts in these transactions.”
Escrow fees are charged to buyers and sellers. Pickford Escrow and The Escrow Firm take those fees at closing for their services. Because fees are different in each market, it’s a good idea to ask your agent up front what those fees will be.
Jon and our company certainly think so.
“At Berkshire Hathaway HomeServices California Properties, we’ve taken on the mantle of being the market leader,” he said. “We’re always going to do the right thing, we’re always going to protect the client the most, and spend the most money to protect the client. But can a mom-and-pop who doesn’t spend the money on this undercut us on fees? Yes. Do you get what you pay for? Is it better to spend less with a mom-and-pop and get your identity stolen at some time in the future or during the transaction? Or is it better to go the safest possible route? I think that’s what it comes down to.
“Many of our competitors don’t own their escrow company like we do, so it doesn’t matter to them which escrow company their agents use. They don’t have our philosophy of protecting the entire transaction for our clients. We offer one-stop shopping, protected from the beginning of the transaction to the end, and beyond.”