Protecting yourself during the Loan Process

Phillip Rumple
November 12, 2022

Let's face it, the loan process is very daunting for most users - and while Soar Lending does everything it can to make the process simple, affordable, and easy for users, there's still SOME information that we require that could potentially put you at risk.

Protected Personal Information

PII, otherwise known as protected personal information, is the industry term for any private information that is protected - or that could be used to hurt you if it were ever released to unauthorized parties. The most common types of PII that Soar Lending collects:

  • Names
  • Emails
  • Addresses
  • Credit Information
  • Banking Information
  • Employment Information
  • Asset and Liabilities Information

All of these are needed to process a loan on your behalf, and from time to time, you will be asked to provide the required information to your fulfillment team or loan officer.

But how do you protect yourself when providing this information?


Many loan companies require you to reply to an email with the above information - but an email is not safe. Even if the email were ENCRYPTED, it still is not safe - as it relies on you sending that through a means that usually isn't secure to begin with, or storing it on a server that's beyond your control. For the most part, if someone asks you to EMAIL PII, you shouldn't do it. There are better ways out there to handle sending PII to users.


Secure Uploads

The most common type of service loan and banking companies offer is some secure portal, where users can upload the information directly from their device to the company's control. In our case, we use the FLOW service or the Secure Docs service.


When you start your loan with Soar Lending, you are doing it within our FLOW application - this allows us to track your loan from start to finish across all departments. In addition, when you upload documents, required information, and loan information to FLOW, it is stored and encrypted both in transit and at rest. This is important because not only do you want to be sure that your documents are not intercepted, but you also want to ensure that wherever they are being stored is protected.

On top of that, the FLOW system restricts WHO can see the information; only authorized persons on your loan can see the report at any time.



The Secure Docs service is similar to FLOW but is more targeted to the fractional delivery of certain documents - okay, so that was a bit confusing - let me fix that for you:

Secure Docs allows Soar Lending to request and send certain information to borrowers, banks, other lenders, and other services without compromising the security of the documents in question.


When we request documents from borrowers via Secure Docs, the system sends a secure upload link to the borrower - and the borrower must authenticate with the passphrase/code that the MLO sends out to them. Then they upload the needed documents, provide an encryption passphrase to protect them, and return the passphrase to the MLO. Once the MLO receives notice(s) that the files have been dropped off, they go into the Secure Docs system, find the user, enter the encryption passphrase, and download the documents.

Drop Offs

Similar to the above, users can also drop off files for MLOs and others in Soar Lending - the process is pretty much the same, but you are asked WHO you wish to drop off files for. Once you enter that information, the user receives the drop-off notification and can download the data uploaded to them.

Protected at Rest and in Transit

Like our other service (FLOW), the data is protected in transit and at rest. And, as this is specifically designed to PROTECT YOU as the user, it also does the fractional and quantum breaking of the files over various nodes. If you upload a single document, it may break it into tens of thousands of small files, split across multiple nodes so that no one actor can ever put that file back together without knowing the passphrase - even if they get access to the node.

We also ensure that when uploading and downloading, all the information is encrypted - not only is it protected by SSL/TLS, but it's also sent in an encrypted form to the users.


And remember, regardless of the type of PII you submit and who you are working with, especially if you are in the UK, California, Indiana, or even New York, you have rights to the information you provide. It is, after all, your information.

Right to Inspection

You have the right to inspect all information we know about you, including all documents that we know about you or have on you. The only difference here is that you DO NOT, even in the UK, have the right to see internal documents about you, credit information that we are not authorized to show you, or lender decisions that we are not allowed to show. So MOST information is available to you, but some information, by law, cannot be disclosed, regardless of jurisdiction.

Right to Removal

You have the right to remove information from our systems about you - however, if you do this, you understand that we may not be able to service any loans on your behalf, and any active loans cannot have your information removed - meaning if you have an active loan with us, we will remove any documents we can about the loan that we are allowed to remove while the loan is being serviced - otherwise, per regulatory requirements, we must keep some information about you.

Right to be Informed

You have the right to know to whom we send your PII, who handles it, and why - however, for internal processes that you are not allowed to know about, you do not have that right. So, for example, you are allowed to see that we work with Equifax, but you are not allowed to know, for example, who in Equifax works with the file.

Right to Correction

After you have accessed your right to inspection, you have the right to correct/amend information that we have on file with you - it is, after all, your information. If you see something wrong that needs to change, please get in touch with our support, fulfillment, or MLO teams and have that information corrected. NOTE, if the information is critical to the processing or servicing of your loan, there may be ramifications to the loan process or the loan product once amended/changed.

Data Portability, Right to be Forgotten, Right to Restrict Processing of Information, and Rights for Automated Decision Making

While the GDPR, CCPA, and other US Shield laws grant you these, there are industry-specific restrictions that we must follow. For example, while you have the right to be forgotten, if you have an active loan with us, a secured loan, or a loan that you submitted but never closed, we are required, by law, to keep that information for some time. The right to be forgotten cannot supersede that requirement.

The same applies to Portability, Processing, and Decision Making - you have the right to know who the processors are, but under the current regulatory restrictions for the industry, you have little say on who can process the information, what we can do with the information, or how the information is used for internal processes - with the exception that we will always give you the final decision on Loan Products, and services that you are allowed to choose.

Remember that while the law gives you many rights, the INDUSTRY and SECTOR of the business may require tighter regulations than the data processing rights above allow - and that is permitted as exclusions under the law. So, always be aware of your rights, how your information is used, and what information you are entitled to.

System and Personal Security

Above all, while it is the responsibility of the controlling party to keep the information about users safe, it is also the USER's responsibility to keep themselves safe. Unfortunately, we can only do so much. We can hardly be liable if your computer is hacked and your information is stolen. Why? Because you forgot to protect yourself at the most fundamental level.

Protecting your Computer

At the bare minimum, you should have Antivirus software on your computer, Anti-malware software, and security updates turned on at all times.

Antivirus Software: For most users, the most common type of antivirus software is the software that comes with their operating system. Windows, for example, has Defender. And this is fine. However, you should always check any additional software available to you and make sure that you only have ONE antivirus software running at any time.

Antimalware Software: Soar Lending, and the industry in general, as well as most IT professionals, agree that you need to keep anti-malware software active - this software protects you while online, monitors your computer for malware-related activity (worms, tracking, etc.), and stops it from happening.

We HIGHLY recommend you use Malwarebytes Antimalware on all your devices (not just your home computer).

Firewalls: For most users, the firewall that comes with your computer and router is enough to keep you safe. Always have it on and set to the default permissions that came with your computer.

For advanced users, you may wish to have more of a secure firewall, such as a packet state firewall - and that's fine; remember not to have too many running at one time and always keep an eye on the connections to ensure that you are not opening services/applications to the internet when you don't need to be.

VPNs: A virtual private network (VPN) is always a safe bet when working online or with secure information - but keep one thing in mind: NEVER USE A BROWSER-BASED VPN TO PROTECT YOU. It doesn't matter what they promise you; a browser-based VPN can never fully protect you. After all, the information is STILL routed from your browser to the base connection on your computer, so any malware/virus or hacking applications running on the base connection can still intercept the browser traffic - thus defeating the purpose of the VPN.

Soar Lending recommends the Express VPN service:

Not only is it the safest VPN to use, as they don't track your personal information, but it can also be run on all of your devices, even your router, to ensure that all of your information stays protected.

The general rule of thumb for VPN connections:

  • If you are in a public place, use a VPN
  • If you are not at home, use a VPN
  • If you are at a friend's house, use a VPN
  • If you are at home but don't have access to your primary connection, use a VPN
  • If you are going to be sending secure documents, PII, and banking information, use a VPN

Is it required? No, but is it good practice? Absolutely!

Device Encryption

Most devices (mobile and computer) come with device encryption these days - for the most part, you should always turn it on. Apple, for example, uses Disk Encryption (FileVault) to ensure that the computer is protected, and if it's ever stolen, the information on the drive cannot be compromised. It must be wiped before it can be used again (or unlocked with a key only the owner knows). Windows does the same thing with BitLocker, and most mobile devices also have some form of encryption. Make sure you are always enabling Disk Protection.


Physical Security

Virtual security is one thing, but so is physical security. After all, you can protect your computer all you want, but if you leave your laptop in the car and it gets stolen, how in the world have you protected yourself?

Your physical security is everything - so be aware of your surroundings, be mindful of who you are talking to through the loan process - get to know your players (loan officers, fulfillment team, who you are emailing, etc.), and get to know what is expected of you, and the loan team. After all, the best way to protect yourself is to know who you are supposed to work with and how they work/communicate with you.

Knowing the above will allow you to spot spoofed emails, hijacked communication patterns, etc., and processes designed to trick you out of your information.

Rule of Thumb for email communications: If you are not expecting the email, you don't know the person who sent it to you, or you do not understand WHY you received that email, DON'T OPEN IT. It is not worth the risk!

After all, if it were that important, the person sending it to you would have told you beforehand. Even automated emails are things you should be aware of. Your MLO/Fulfillment team will generally do stuff in the FLOW application that triggers emails to you - but those will usually NOT require you to do any actions - they just display information for you. If it DOES require effort, it'll specifically tell you what to do, and your team member would have already told you to expect that action.

Email Protection

  • Check the Sender.
  • Check the Subject.
  • Check the Body for spelling/grammar issues.
  • Always hover over the links or long-press them on mobile to preview where they go.
  • Never open emails that you don't know why you received them.
  • Never open attachments if you don't know who sent them and why.
  • If the sender doesn't match the links, or the Body is not what you were expecting, delete the email and notify the team member you were working with. Verify they are the ones who sent it. Chances are, they were not.

Phone Safety

Email is one thing; the phone is another. Most systems will give you access to check on your loan status or process via the phone, and most companies will talk to you via phone to start, continue, or finish a loan operation. But you should know who you are talking to, the authorized phone numbers that the company is using, and your team's information. If you receive a phone call from a number you don't know, claiming to be from XYZ company, but you have never talked to that company before or don't know why they are calling you, don't bother answering or engaging. Reach out to the team member in question, and ask if it was them.

Make them prove it: Scammers don't like it when people try to make them prove who they are - if they are calling to ask you for personal information or loan information, ask them to verify something on your account with you - get a security code, a token, a passphrase that you tell your team member, and they must repeat it back. Many loan platforms have features like this. Or, even the most straightforward process: If someone claims to be a loan member, thank them for their time, let them know you will call them back, call back the main office, and ask for them. If they answer, ask if they just called you - if they did, continue your conversation; if they didn't, then you both know something fishy is going on.

Know where to get your information

Knowing WHERE to get your information is critical when starting a loan or working with the company online or in person. After all, if you are unsure how to contact the company, how can you be sure that the company is legit or that the people calling you/interacting with you from that company are legit? You can't. Simple as that. In the old days, we had business cards - these days, we have virtual business cards and websites!

If you are working with a company online, make sure you are on their official website - if you are not sure, approach one of the team members, or look them up in an authorized directory. Don't interact with the service if you still cannot find something authoritative telling you the website is valid.

In Summary

Safety is your responsibility just as much as the responsibility of the people you work with. Keeping your information safe is a full-time job for both of us, so always remember who you are talking to, why they are talking to you, and how to get back in touch with them. Keep your digital and physical life safe, and remember that the information is yours - even if it's processed.
