FAQs About ALTA Best Practices
FOR REAL ESTATE SETTLEMENT ATTORNEYS AND TITLE COMPANIES
Do I need to have ALTA Best Practices policies and procedures in place and have a CPA give assurance on my compliance to mortgage lenders?
It is your business decision; this is not a government mandate. However, if you are committed to being in the business for the long haul, it is highly recommended to get it done. In accordance with Consumer Financial Protection Bureau (CFPB) Bulletin 2012-03, mortgage lenders are expected to have an effective process in place for managing the risks of their third-party service providers, e.g. residential settlement agents and title companies. Mortgage lenders have always looked to CPA firms to give them assurance on third-party information as a way to meet their risk management guidelines.
How does the CFPB want the mortgage lenders to manage these relationships?
Mortgage lenders will conduct due diligence by requesting and reviewing the service provider’s documentation on their policies and procedures to support that they are in compliance with federal consumer financial laws. In response to the CFPB and to help mortgage bankers monitor their settlement attorneys and title companies’ compliance, ALTA developed its Best Practices Framework for title industry professionals to use as a guideline to meet these requirements.
What does “mortgage lenders to manage these relationships” mean for settlement agents and title companies?
Settlement agents and title companies will need to provide their mortgage lenders with some form of assurance that they are in compliance with federal consumer financial laws, allowing mortgage lenders to document for the CFPB that they have developed a process to monitor their service providers and are verifying compliance.
What is my risk if I am not able to provide that level of assurance to my mortgage lenders?
Pursuant to federal consumer financial laws, mortgage lenders may face fines and enforcement action from the CFPB if they cannot show that they are properly managing their third-party relationships. For settlement agents and title companies, lack of compliance can lead to severe/catastrophic business disruption, as mortgage lenders will do business only with compliant third parties to avoid penalties and reduce risk.
How can I get guidance on the policies and procedures that I need to have in place?
ALTA has issued its Best Practices Framework and Assessment Procedures for settlement firms and title companies. Many financial institutions and the CFPB have indicated they support ALTA’s efforts in developing these Best Practices.
Why will my lender be asking for information on my policies and procedures, E&O insurance, complaint log and other items?
Your lenders will ask for these items to determine where you are in the process of becoming compliant and following the requirements of CFPB Bulletin 2012-03.
What is considered Non-public Personal Information (NPI)?
NPI is considered to be any personal and confidential consumer information that does not reside in the public domain. Per ALTA’s Best Practices Framework, this includes personally identifiable data such as information provided by a customer on a form or application, information about a customer’s transactions, or any other information about a customer which is otherwise unavailable to the general public. NPI includes first name or first initial and last name coupled with any of the following: social security number, driver’s license number, state-issued ID number, credit card number, debit card number or other financial account numbers.
What if a customer only gives you the last four digits of a social security number or account number? Is this considered Non-public Personal Information?
Yes, this is considered NPI. Although incomplete, it is still part of what would be considered NPI and should be safeguarded.
Should a company run a background and credit check for all employees?
Background checks should be required on all personnel having access (direct or indirect) to escrow/trust account funds and NPI. Best Practices indicate that it is up to the company whether credit checks should be run. It is recommended that credit checks be performed on all personnel who have direct access to the escrow/trust account(s), and it can be considered for personnel having indirect access, providing the proper segregating controls are in place. Ongoing periodic background and credit checks of the same individuals should be considered as part of your company’s policies, procedures and internal control structure.
What constitutes a complaint?
Establish your own parameters within reason. Create guidelines for the employee(s) who will take complaints, and file each complaint according to those guidelines. The relevant complaints that should be considered would pertain to issues of premium calculations, disclosures, policy/title issues, mortgage payoff issues, non-public information (NPI) and general closing practices, as well as how timely these concerns are addressed.
What is cyber insurance?
Cyber insurance is coverage, available with a business owner’s policy, that is specifically tailored to give small businesses essential protection against the inherent cyber threats a business is perceived to have. The level of insurance and the rates are determined after the insurance carrier performs an analysis to assess the risk threat level within the various business processes of the company.
What happens if you have cyber protection and security on your computer and you accept an email from someone who sends non-public information (NPI) to you without encryption?
The cyber protection and controls a company may have in place on their internal systems do not extend to external entities who would transmit email without encryption. This means there is a risk of information breach if another company transmits an unencrypted email containing NPI.
What is the difference between a review and an examination attestation engagement?
A review is a cost effective option for the small title agent to provide CPA assurance on whether they are compliant with ALTA Best Practices. In a review engagement, the title agent performs ALTA’s assessment procedures using HA&W’s toolkit, and we perform high-level procedures to determine compliance. An examination is designed for medium-to-large title agents and is akin to an onsite audit of financial statements, providing a high degree of assurance based on HA&W performing ALTA’s assessment procedures using AICPA professional guidelines.
What is the difference between a small agent and a medium-to-large agent?
Industry professionals have defined a small title agent as one who performs approximately 300 or fewer closings per year, has one to two offices, one to two escrow bank accounts and fewer than 10 employees. Based on mortgage lender risk profiles, small agents are considered less risky due to fewer dollars going through their escrow bank accounts. In comparison, medium-to-large title agents have higher risk profiles due to the sizable amount of funds flowing through their escrow bank accounts. Consequently, based on mortgage lender risk management policies, medium-to-large title agents will require greater CPA assurance to ensure compliance with ALTA Best Practices.
What is the first step in the process to becoming ALTA Best Practices compliant?
The first step is to determine your current level of compliance through HA&W’s Compliance Benchmark Readiness Assessment and develop a plan to remediate any deficiencies. HA&W has developed its ComplianceSuccess® Program as a fast track to compliance with ALTA Best Practices by assessing your current level of compliance. HA&W will provide you with a gap analysis and remediation plan in as little as five business days and review it with you to create a customized plan of action.
Before I engage HA&W for a Compliance Benchmark Readiness Assessment, what should I prepare?
The Compliance Benchmark Readiness Assessment can be completed without any advance preparation. This will give you the most objective evaluation of your agency’s current level of compliance using ALTA’s Best Practices Assessment Procedures Framework as the benchmark.
How long does it take to complete the Compliance Benchmark Readiness Assessment?
The Compliance Benchmark Readiness Assessment will take no longer than an hour to complete.
How long does the remediation phase take?
Depending on the suggested remediation steps generated by the gap analysis and how far along your company is in documenting its policies and procedures in accordance with ALTA Best Practices, the remediation phase can take anywhere from a few days to a few months to complete.
Once I have completed the remediation phase and policies and procedures are in place and being followed, what is next?
Per ALTA’s Best Practices, you will need to demonstrate compliance with those policies and procedures for a minimum period of three months prior to testing. Once this has been achieved, you are ready to have HA&W begin the testing process.
How long does the testing process take?
From planning to the issuance of the compliance report, field work will take anywhere from a few days to a few weeks, depending on the type of attestation report being issued.
Will the compliance testing phase of the engagement be performed onsite at my office?
This depends on your engagement type. For a review engagement, no onsite visit is required. For examination engagements, an onsite visit of one to three days is necessary, depending on the number of locations and whether there are common procedures at all locations. The remaining compliance testing will be conducted electronically over a secure network portal and will cause minimal disruption to the daily business of your agency.
Who will perform the necessary onsite procedures?
HA&W personnel will schedule time to perform all necessary onsite procedures.
What happens if deficiencies in compliance are found during testing?
Being a part of HA&W’s ComplianceSuccess Program from the beginning reduces the likelihood that deficiencies will be noted during the compliance testing stage. If any deficiencies are found during the engagement, we would notify you immediately. We would provide you with a referral to at least two independent resources that could help with your remediation needs. We would then resume compliance testing.
What will I be given as a deliverable to show my mortgage lenders that I am compliant?
You will receive a report (review or examination) that outlines the procedures performed and a certificate of compliance that can be given to your mortgage lenders. In addition, you will receive a digital seal that can be displayed on your website, in your email signatures, etc.
Now that I have an attestation report, what should I do with it?
Make your lenders aware. It is to your advantage to have them know of the strides your agency has made to meet regulatory standards. Mortgage lenders will be reducing the number of title agents they use to reduce their own business and regulatory risks. You can use this report to gain a competitive advantage, retain current mortgage lender relationships and grow new relationships to increase market share.
How often will I be required to go through an assessment process?
Documenting your policies and procedures and documenting compliance is a daily process. The frequency of assessments will be up to your mortgage lenders’ requirements and risk management policies, but ALTA recommends a 24-month cycle. Future attestation reports will be much less time consuming than the initial compliance process, so long as your policies and procedures remain consistent and no issues of noncompliance are noted.
How can I be sure I’m staying compliant with ALTA Best Practices?
Staying in compliance is a dynamic process and not a one-time event. Stay updated on regulatory changes with our ongoing monitoring program to keep you in compliance.
Will the lenders develop one standard of compliance reports required?
While formal requirements are still to come from lenders, HA&W issues Best Practices compliance reports that adhere to the AICPA’s attestation standards. We have discussed our reporting options for review and examination attestation engagements with the major mortgage lenders, and they are confident it will enable them to comply with CFPB guidelines and meet their risk management policies. In addition, HA&W offers SOC 1 (SSAE16) and SOC 2 reports, as well as ISO 27001 certifications. Because CPAs have historically provided financial and nonfinancial information to banks to mitigate their business risk, it is our belief that banks will continue to embrace the reputable quality of CPAs and the AICPA as providers of this nonfinancial information as well.
What is the approximate cost of the review and examination engagements?
Depending on the number of closings, locations, escrow accounts and other company demographics, the cost of a review engagement starts at $4,000, and the examination engagement starts at $14,000. To get started, our Compliance Benchmark Readiness Assessment will gauge your current level of compliance with the ALTA Best Practices Framework. The Benchmark, which consists of the gap analysis consultation and remediation plan, is $1,000. Preferred underwriter pricing is available.
Why should I choose HA&W’s ComplianceSuccess Program to provide my ALTA Best Practices testing and reporting?
HA&W was the first CPA firm in the nation to perform ALTA Best Practices compliance benchmarking and assurance reporting through its ComplianceSuccess Program. With over 400 current clients and preferred provider status to the underwriters that make up 80 percent of the market, HA&W’s ComplianceSuccess Program provides independent third-party assurance using CPA professional standards on attestation reporting, trusted by banking and financial institutions. To ensure our ComplianceSuccess Program is in lock-step with industry standards and requirements, HA&W is actively involved at the highest levels with ALTA, the American Institute of Certified Public Accountants, underwriters, the Mortgage Bankers Association and, most importantly, our clients.