Proposed Revisions to ALTA’s Best Practices in Public Comment Period

July 18, 2024

ALTA’s Board of Governors approved proposed revisions to the ALTA Best Practices during a meeting on June 11.

The proposed changes are now in a public comment period until Aug. 12. Comments can be emailed to [email protected].

The revised version of the Best Practices is expected to be published during the third quarter of 2024.

The ALTA Best Practices Framework is the guiding document for agents and direct operations to both optimize and improve their business. These revisions have been made with the objective of allowing agents and direct operations to continue to optimize their practices and procedures to ensure financial safety, data security and operational stability, and to provide lenders with the assurances that their needs are being fulfilled by improved operations. The ALTA Best Practices materials are available here.

The proposed changes in the Best Practices 4.1 Framework include:

Password Management Revision: Alignment to NIST Password Reset Requirements (Pillar 3)

The National Institute of Standards and Technology (NIST), whose requirements apply to federal agencies but are often adopted by industry, has revised its recommendations on changing user passwords to include incidents in which there is a known or suspected compromise of the security of the password. This change is found in NIST SP 800-63B, section 5.1.1.2, as shown below:

The current Best Practices 4.0 language is as follows and does not reflect a forced password change if there is evidence of a password compromise:

Because of this discrepancy, the Best Practices Executive Committee has recommended a change to the existing Best Practice language. The proposed revision in the Best Practices Framework 4.1, intended to align with NIST mandates (which are defined by words such as “Can not,” “Shall not,” or “Shall”), would read as follows (underlined words are additions):

  • “passwords that expire after a certain period of time; and or upon a triggering event as reflected in the National Institute of Standards and Technology guidelines (https://www.nist.gov); and”

Recommended Due Diligence: Closing Transactions Not Involving State Regulated Title Insurance Policies (Pillar 4)

When performing closing transactions that do not involve state regulated title insurance policies, there may be additional risks that should be assessed to ensure alignment with risk tolerance. There is no current language in the Best Practices 4.0 Framework to address assessment and analysis of the potential risks. The Best Practices Executive Committee has recommended the addition of the following language in Pillar 4 so that companies may identify and analyze the risk:

  • “Perform due diligence and analyze risk profile when providing functions that fall outside of the Title Agency’s relationship with the Title Insurer and when not issuing a title insurance policy for the transaction. These functions may include (1) collection and/or disbursement of premiums, escrows, security deposits or other funds, (2) handling escrow or Settlement, and/or (3) recording documents. If engaging in these functions Company should: 
    • Review its state licensing requirements to determine if it is legally allowed to engage in the function. Some states have additional licensing requirements to hold funds in escrow. Other states only authorize a company to conduct a settlement when the company is issuing a title insurance policy.
    • Review closing instructions with company management to confirm that management approves any risk assumption, liability and other matters identified in the closing instructions.
    • Review state laws, including case law, to understand the duties and responsibilities that may be imposed by law when engaging in these functions.
    • Evaluate whether, in the event of a loss or claim, the company will continue to be solvent. Such evaluation may include determining whether a loss or claim may be covered by the company’s professional liability insurance including E&O and cybersecurity insurance.”

Additional Content

Additional resources will be published to provide guidance on issues already addressed within Best Practices. These items will include:

  1. Pillar 3—WISP Guidance Document: As creation and use of a WISP has become an important cornerstone of Best Practices and safety of operations, many entities have asked for additional information about creating and implementing this document. In addition to the general guidance that we have provided in the FAQs, webinars and presentations, the Best Practices Executive Committee has teamed up with the ALTA Information Security Work Group to produce a document giving specific guidance on the importance and process of creating a WISP for a Company’s operations. This document will be published in the third quarter of 2024.
  2. Pillar 2—Additional FAQ Guidance on “Undue Risks”: There has been industry discussion on issues of deposit timing that, if ignored, could potentially lead to refund of non-settled deposits. This is addressed within the current Pillar 2 Framework language in guiding that “undue risks” in disbursement from Escrow Trust Accounts should not be taken for funds that are not fully settled or reversible, but the FAQ will discuss this issue in further detail.


Contact ALTA at 202-296-3671 or [email protected].