Revision to ALTA Best Practices Published as Final
September 17, 2024
Revisions to the ALTA Best Practices have completed a review period and are now available here.
The ALTA Best Practices Framework is the guiding document for agents and direct operations to both optimize and improve their business. These revisions have been made with the objective of allowing agents and direct operations to continue to optimize their practices and procedures to ensure financial safety, data security and operational stability, and to provide lenders with the assurances that their needs are being fulfilled by improved operations. The revisions address password management (Pillar 3) and closing transactions not involving state regulated title insurance policies (Pillar 4).
Password Management Revision: Alignment to NIST Password Reset Requirements (Pillar 3)
The National Institute of Standards and Technology (NIST), which sets the requirements for federal agencies but is often adopted by industry, had revised their recommendations on changing user passwords to include incidents when there is a known or suspected compromise of the security of the password. This change is found in NIST SP 800-63B in section 5.1.1.2 as shown below:
The previous Best Practices language below did not reflect a forced password change if there is evidence of a password compromise:
Because of this discrepancy, this Best Practice has been revised to align with NIST mandates (which are defined by words such as “Can not,” “Shall not,” or “Shall”), would be modified as follows (underlined words are additions):
- “passwords that expire after a certain period of time;
andor upon a triggering event as reflected in the National Institute of Standards and Technology guidelines (https://www.nist.gov); and”
Recommended Due Diligence: Closing Transactions Not Involving State Regulated Title Insurance Policies (Pillar 4)
When performing closing transactions that do not involve state regulated title insurance policies, there may be additional risks that should be assessed to ensure alignment with risk tolerance. There was no language in the previous version of Best Practices that addressed assessment and analysis of the potential risks. The following language has been added to Pillar 4 so companies may identify and analyze the risk:
- “Perform due diligence and analyze risk profile when providing functions that fall outside of the Title Agency’s relationship with the Title Insurer and when not issuing a title insurance policy for the transaction. These functions may include (1) collection and/or disbursement of premiums, escrows, security deposits or other funds, (2) handling escrow or Settlement, and/or (3) recording documents. If engaging in these functions Company should:
- Review its state licensing requirements to determine if it is legally allowed to engage in the function. Some states have additional licensing requirements to hold funds in escrow. Other states only authorize a company to conduct a settlement when the company is issuing a title insurance policy.
- Review closing instructions with company management to confirm that management approves any risk assumption, liability and other matters identified in the closing instructions.
- Review state laws, including case law, to understand the duties and responsibilities that may be imposed by law when engaging in these functions.
- Evaluate whether, in the event of a loss or claim, the company will continue to be solvent. Such evaluation may include determining whether a loss or claim may be covered by the company’s professional liability insurance including E&O and cybersecurity insurance.”
Additional Guidance
Additional resources will be published to provide guidance on issues already addressed within Best Practices. These items will include:
- Pillar 3—WISP Guidance Document: As creation and use of a WISP has become an important cornerstone of Best Practices and safety of operations, many entities have asked for additional information about creating and implementing this document. In addition to the general guidance that we have provided in the FAQs, webinars and presentations, the Best Practices Executive Committee has teamed up with the ALTA Information Security Work Group to provide a document providing specific guidance on the importance and process of creating a WISP for a Company’s operations. This document will be published in the third quarter of 2024.
- Pillar 2—Additional FAQ Guidance on “Undue Risks”: There has been industry discussion on issues of deposit timing that, if ignored, could potentially lead to refund of non-settled deposits. This is addressed within the current Pillar 2 Framework language in guiding that “undue risks” in disbursement from Escrow Trust Accounts should not be taken for funds that are not fully settled or reversible, but the FAQ will discuss this issue in further detail.
Contact ALTA at 202-296-3671 or [email protected].