Updates to ALTA Best Practices Go Into Effect in January

November 21, 2019

Updates and modifications to ALTA's Title Insurance and Settlement Company Best Practices will go into effect Jan. 2, 2020. The changes address wire transfer procedures, multifactor authentication, data security and cyber liability insurance, affecting Pillars 2, 3 and 6. The updated Best Practices Framework and Assessment Procedures can be accessed under Key Documents on the ALTA Best Practices web page.

The changes were approved by ALTA's Board of Governors in June and went through a 60-day comment period that closed Sept. 15.

The changes for each of the pillars are in bold below.

Fraud Prevention/Wire Fraud

Best Practices Pillar 2: Adopt and maintain appropriate written procedures and controls for Escrow Trust Accounts allowing for electronic verification of reconciliation.

Purpose: Appropriate and effective escrow controls and staff training help title and settlement companies meet client and legal requirements for the safeguarding of client funds. These procedures help ensure accuracy and minimize the exposure to loss of client funds. Settlement companies may engage outside contractors to conduct segregation of trust accounting duties.

Procedures to meet this best practice:

  • Escrow funds and operating accounts are separately maintained.
    • Escrow funds or other funds Company maintains under a fiduciary duty to another are not commingled with Company’s operating account or an employee or manager’s personal account.
  • Escrow Trust Accounts are prepared with Trial Balances.
    • On at least a monthly basis, Escrow Trust Accounts are prepared with Trial Balances (“Three-Way Reconciliation”), listing all open escrow balances.
  • Escrow Trust Accounts are reconciled.
    • On at least a daily basis, reconciliation of the receipts and disbursements of the Escrow Trust Account is performed.
    • On at least a monthly basis, a Three-Way Reconciliation is performed reconciling the bank statement, check book and Trial Balances.
    • Segregation of duties is in place to help ensure the reliability of the reconciliation and reconciliations are conducted by someone other than those with signing authority.
    • Results of the reconciliation are reviewed by management and are accessible electronically by Company’s contracted underwriter(s).
  • Escrow Trust Accounts are properly identified.
    • Accounts are identified as “escrow” or “trust” accounts. Appropriate identification appears on all account-related documentation including bank statements, bank agreements, disbursement checks and deposit tickets.
  • Outstanding file balances are documented.
  • Transactions are conducted by authorized employees only.
    • Only those employees whose authority has been defined to authorize bank transactions may do so. Appropriate authorization levels are set by Company and reviewed for updates annually. Former employees are immediately deleted as listed signatories on all bank accounts.
  • Unless directed by the beneficial owner, Escrow Trust Accounts are maintained in Federally Insured Financial Institutions.
  • Utilize Positive Pay or Reverse Positive Pay, if available in the local marketplace, and have policies and procedures in place that prohibit or control the use of Automated Clearing House transactions and international wire transfer blocks.
  • Background Checks are completed in the hiring process. At least every three years, obtain Background Checks going back five years for all employees who have access to customer funds.
  • Ongoing training is conducted for employees in management of escrow funds and escrow accounting.
  • A written wire transfer procedure is in place and tested at least annually.
    • For outgoing wire transfers, this includes a procedure to verify wire transfer instructions independent of the initial communication.
    • For incoming wire transfers, this includes a procedure to alert consumers regarding the risks of wire fraud and guidelines to mitigate losses.
  • A written wire fraud response procedure, which includes the recommendations of the ALTA Rapid Response Plan, is in place and is updated at least annually.
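As an added illustration (not ALTA's text or any ALTA tooling), the monthly Three-Way Reconciliation that the Pillar 2 procedures call for: the bank statement balance, adjusted for outstanding checks and deposits in transit, is compared with the check book balance and with the Trial Balance of open escrow files, and any difference or overdrawn file is reported as an exception for management review. All balances, check numbers and file identifiers are constructed sample values.

```python
from decimal import Decimal
from typing import Dict, List, Tuple

# Constructed sample data for one Escrow Trust Account (hypothetical values).
# Check/deposit tuples: (identifier, amount, cleared_on_bank_statement)
BANK_STATEMENT_BALANCE = Decimal("100000.00")
CHECK_BOOK_BALANCE = Decimal("90500.00")
CHECKS: List[Tuple[str, Decimal, bool]] = [
    ("1001", Decimal("7500.00"), True),
    ("1002", Decimal("12500.00"), False),   # issued, not yet paid by the bank
]
DEPOSITS: List[Tuple[str, Decimal, bool]] = [
    ("D-01", Decimal("3000.00"), False),    # deposit in transit
]
TRIAL_BALANCE: Dict[str, Decimal] = {      # open balance per escrow file
    "FILE-A": Decimal("60500.00"),
    "FILE-B": Decimal("30000.00"),
}
# Second constructed trial balance with a $500 shortfall and an overdrawn file.
BAD_TRIAL_BALANCE: Dict[str, Decimal] = {
    "FILE-A": Decimal("60500.00"),
    "FILE-B": Decimal("30000.00"),
    "FILE-C": Decimal("-500.00"),
}

def three_way_reconcile(bank_balance: Decimal, check_book_balance: Decimal,
                        checks, deposits, trial_balance: Dict[str, Decimal]) -> dict:
    """Reconcile bank statement, check book and trial balance; list every exception."""
    outstanding = sum((amt for _, amt, cleared in checks if not cleared), Decimal("0"))
    in_transit = sum((amt for _, amt, cleared in deposits if not cleared), Decimal("0"))
    adjusted_bank = bank_balance - outstanding + in_transit   # bank side of the reconciliation
    trial_total = sum(trial_balance.values(), Decimal("0"))   # sum of all open file balances
    exceptions = []
    if adjusted_bank != check_book_balance:
        exceptions.append(f"bank vs check book: {adjusted_bank - check_book_balance:+}")
    if check_book_balance != trial_total:
        exceptions.append(f"check book vs trial balance: {check_book_balance - trial_total:+}")
    for file_id, bal in trial_balance.items():
        if bal < 0:   # a negative file balance means one file is funded with another file's money
            exceptions.append(f"{file_id} overdrawn: {bal}")
    return {"adjusted_bank": adjusted_bank, "trial_total": trial_total,
            "reconciled": not exceptions, "exceptions": exceptions}

if __name__ == "__main__":
    for tb in (TRIAL_BALANCE, BAD_TRIAL_BALANCE):
        print(three_way_reconcile(BANK_STATEMENT_BALANCE, CHECK_BOOK_BALANCE, CHECKS, DEPOSITS, tb))
```

The reconciliation is only as strong as the segregation of duties around it: the person running this check should not be a signatory on the account.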

Multifactor Authentication

Best Practice Pillar 3: Adopt and maintain a written privacy and information security program to protect Non-public Personal Information as required by local, state and federal law.

Purpose: Federal and state laws (including the Gramm-Leach-Bliley Act) require title companies to develop a written information security program that describes the procedures they employ to protect Non-public Personal Information. The program must be appropriate to Company’s size and complexity, the nature and scope of Company’s activities, and the sensitivity of the customer information Company handles. A Company evaluates and adjusts its program in light of relevant circumstances, including changes in Company’s business or operations, or the results of security testing and monitoring.

Procedures to meet this best practice:

  • Establish a written information security plan designed to protect nonpublic personal information in the Company’s possession and detect loss of nonpublic personal information based on the size and complexity of the Company’s operations.
    • Physical security of Non-public Personal Information.
      • Restrict access to Non-public Personal Information to authorized employees who have undergone Background Checks at hiring.
      • Prohibit or control the use of removable media.
      • Use only secure delivery methods when transmitting Non-public Personal Information.
    • Network security of Non-public Personal Information.
      • Maintain and secure access to Company information technology.
      • Develop guidelines for the appropriate use of Company information technology.
      • Ensure secure collection and transmission of Non-public Personal Information.
  • Establish a written plan for the disposal and maintenance of Non-public Personal Information.
    • Federal and state laws require companies that possess records containing Non-public Personal Information to maintain and dispose of such records (including electronically-stored records) in a manner that protects against unauthorized access to or use of the Non-public Personal Information.
    • Companies must securely maintain and dispose of records containing Non-public Personal Information pursuant to an established timeframe for retaining records, as documented in Company’s information security program, that takes into consideration the appropriate legal, regulatory, and business requirements.
  • Establish a written disaster management and business continuity plan outlining procedures to recover to maintain information and business functions in the event of disruption.
  • Manage and train employees to help ensure compliance with Company’s information security program.
  • Oversee service providers, including third-party signing professionals, to help ensure compliance with Company’s information security program.
    • Companies should take reasonable steps to select and retain service providers that are capable of appropriately safeguarding Non-public Personal Information.
  • Audit and oversee testing procedures to help ensure compliance with Company’s information security program.
    • Companies should review their privacy and information security procedures to identify reasonably foreseeable internal and external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration or destruction of Non-public Personal Information.
  • Establish a written incident response plan designed to promptly respond to, and recover from, a breach that compromises the confidentiality, integrity, or availability of Non-public Personal Information in the Company’s possession.
    • Establish internal and service provider processes for determining the size, nature and scope of any incident.
    • Establish document and reporting procedures for actions taken to respond to an incident.
    • Notification of security breaches to customers and law enforcement in accordance with applicable federal and state law.
  • Utilize multifactor authentication for all remotely-hosted or remotely accessible systems storing, transmitting or transferring Non-public Personal Information.
  • Post Company’s privacy policy on their websites or provide information directly to customers in another useable form.

Data Security

Best Practice Pillar 3: Adopt and maintain a written privacy and information security program to protect Non-public Personal Information as required by local, state and federal law.

Purpose: Federal and state laws (including the Gramm-Leach-Bliley Act) require title companies to develop a written information security program that describes the procedures they employ to protect Non-public Personal Information. The program must be appropriate to Company’s size and complexity, the nature and scope of Company’s activities, and the sensitivity of the customer information Company handles. A Company evaluates and adjusts its program in light of relevant circumstances, including changes in Company’s business or operations, or the results of security testing and monitoring.

Procedures to meet this best practice:

  • Establish a written information security plan designed to protect nonpublic personal information in the Company’s possession and detect loss of nonpublic personal information based on the size and complexity of the Company’s operations.
    • Physical security of Non-public Personal Information.
      • Restrict access to Non-public Personal Information to authorized employees who have undergone Background Checks at hiring.
      • Prohibit or control the use of removable media.
      • Use only secure delivery methods when transmitting Non-public Personal Information.
    • Network security of Non-public Personal Information.
      • Maintain and secure access to Company information technology.
      • Develop guidelines for the appropriate use of Company information technology.
      • Ensure secure collection and transmission of Non-public Personal Information.
  • Establish a written plan for the disposal and maintenance of Non-public Personal Information.
    • Federal and state laws require companies that possess records containing Non-public Personal Information to maintain and dispose of such records (including electronically-stored records) in a manner that protects against unauthorized access to or use of the Non-public Personal Information.
    • Companies must securely maintain and dispose of records containing Non-public Personal Information pursuant to an established timeframe for retaining records, as documented in Company’s information security program, that takes into consideration the appropriate legal, regulatory, and business requirements.
  • Establish a written disaster management and business continuity plan outlining procedures to recover to maintain information and business functions in the event of disruption.
  • Manage and train employees to help ensure compliance with Company’s information security program.
  • Oversee service providers, including third-party signing professionals, to help ensure compliance with Company’s information security program.
    • Companies should take reasonable steps to select and retain service providers that are capable of appropriately safeguarding Non-public Personal Information.
  • Audit and oversee testing procedures to help ensure compliance with Company’s information security program.
    • Companies should review their privacy and information security procedures to identify reasonably foreseeable internal and external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration or destruction of Non-public Personal Information.
  • Establish a written incident response plan designed to promptly respond to, and recover from, a breach that compromises the confidentiality, integrity, or availability of Non-public Personal Information in the Company’s possession.
    • Establish internal and service provider processes for determining the size, nature and scope of any incident.
    • Establish document and reporting procedures for actions taken to respond to an incident.
    • Notification of security breaches to customers and law enforcement in accordance with applicable federal and state law.
  • Utilize multifactor authentication for all remotely-hosted or accessible systems storing, transmitting or transferring Non-public Personal Information.
  • Post Company’s privacy policy on their websites or provide information directly to customers in another useable form.

Insurance

Best Practice Pillar 6: Maintain appropriate insurance and fidelity coverages.

Purpose: Appropriate levels of professional liability insurance or errors and omissions insurance help ensure that title agencies and settlement companies maintain the financial capacity to stand behind their professional services. In addition, state law and title insurance underwriting agreements may require a company to maintain professional liability insurance or errors and omissions insurance, fidelity coverage or surety bonds. Cyber Liability Insurance and crime coverage are highly recommended as additional protection.

Procedures to meet this best practice:

  • Company maintains professional liability insurance or errors and omissions insurance.
  • Company complies with requirements for professional liability insurance, errors and omissions insurance, fidelity coverage or surety bonds, as provided by state law or title insurance underwriting.
  • Company is highly recommended to obtain cyber liability insurance and crime coverage in amounts appropriate to the company size and settlement volume.


Contact ALTA at 202-296-3671 or [email protected].