The company recognizes the sensitive nature of customer and borrower information. We protect the privacy of this information and the way that this information is used. The Privacy Policy and Information Safeguard Plan outlines the way in which our organization protects the confidentiality of this information and our security standards for handling this information. The President and officers of the Company are responsible for the enforcement of this Policy.
The Types of Customer Information Ross Mortgage Obtains
Ross Mortgage, hereafter referred to as 'the company', provides mortgage lending and brokering services for purchase and refinance transactions to the general public through a retail business channel. When a customer inquires or applies directly through the company for a mortgage, the company obtains the personal financial information required on the Fannie Mae form 1003, Uniform Residential Loan Application. In addition, the company will obtain supporting documentation such as a credit report, pay stubs, W-2s, bank and other asset statements and income tax returns. Additional personal information such as divorce decrees, bankruptcy documentation and other legal documents may also be required based on investor underwriting criteria.
How do we use customer Information?
We will not disclose any Customer Information or customer-provided information ("Customer Information") to any organization, affiliated or non-affiliated entity unless this disclosure is either:
- Necessary to effect, administer, or enforce a transaction or service for which we have been contracted to perform; or
- Necessary to facilitate or consummate our business transactions with third parties. This will not involve selling information for the purpose of further solicitation.
In cases where information is shared with other companies that perform services on our behalf, the Customer Information provided is limited to the information that we, in our discretion, reasonably believe is needed to perform the contracted function. We also maintain contracts with these companies requiring them to keep this information secure and confidential.
How Do We Keep Customer Information Private?
We take steps to safeguard Customer Information. We maintain physical, electronic and procedural safeguards to guard against unauthorized access. We also utilize appropriate corrective action when needed to enforce employee compliance with our procedures with regard to privacy of information.
Procedural Safeguards
- All employees have received training (described below) before they are given authorization to receive or make phone calls to discuss Customer Information.
- The company is only authorized to request verification and validation of information needed to fulfill underwriting requirements as dictated by the investors.
- All captured information is required to be maintained on a secure server and not on individual PCs. This is further discussed in the Information System Safeguards section.
- All contract service vendors with access to Customer Information are required to supply their Privacy Policy and/or Information Safeguard Plans to the company prior to providing services for the Company. These Policies are reviewed to determine compliance and appropriate safeguards. However, under no circumstance should this paragraph be deemed to create a representation, guaranty or any duty by the Company relating to the safeguarding of Customer Information by third parties.
Physical Safeguards
- The entire office suite is equipped with a sprinkler system and a fire alarm system that automatically contacts the fire department in the event of a fire.
- Branch offices are equipped with sprinkler systems and fire extinguishers.
- All Customer Information is locked in the desk of the employee that is working on the information or locked in a filing cabinet. No Customer Information is left on desktops or out in the open after business hours.
- If the information needs to be returned to the customer, the Company returns the files in a taped envelope through nationally recognized courier services.
- Any Customer Information that needs to be disposed of is placed in locked shred bins located throughout the office.
- The Company employs a shredding company that enters the offices twice per month during business hours. The shredding company unlocks the shred bins, removes the bags and shreds the information at the Company's business location in an industrial shredding machine.
Email and Message Encryption
All connections to our email server for sending and receiving messages will be secured using SSL.
Message encryption will be enforced according to company policies by means of an encryption appliance from CISCO. The encryption envelope service that the recipient uses to access their message is managed by CISCO Corporation. CISCO manages access to the messages as well as the encryption keys tied to the recipient's email address, and is the first point of contact for any message recipient who has problems registering for or using their system.
Encryption on any message will be enforced based on the following conditions (in hierarchical order of items checked):
1. If the sender forces encryption by placing "Secure:" in the subject line, the message will be encrypted.
2. If the message, or any attachment to the message, contains any information regarding ABA routing numbers, bank account numbers, credit card numbers or social security numbers, the message will be encrypted.
3. If none of the above is true and the attachment is a Pre-Approval document, encryption will be bypassed.
4. If none of the above is true and there is a PDF document attached to the message, the message will be encrypted.
Step 4 above is the default for any PDF document, because imaged documents cannot be checked for content and therefore must be encrypted to ensure that any consumer information is protected.
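As an added illustration, not Ross Mortgage's or CISCO's own code, the four checks above expressed as an ordered decision function in Python. The message and attachment structure is assumed, and the patterns used to spot routing, account, card and social security numbers are constructed heuristics, not the appliance's actual content rules.

```python
import re
from dataclasses import dataclass, field

# Constructed detection heuristics (assumption): SSN 123-45-6789, 16-digit card
# numbers with optional separators, 9-digit ABA routing numbers and labelled
# bank account numbers. A real appliance would use vendor-maintained rules.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){15}\d\b"),
    "routing": re.compile(r"\bABA\s*#?\s*\d{9}\b", re.I),
    "account": re.compile(r"\b(?:acct|account)\s*(?:no\.?|#)?\s*\d{8,12}\b", re.I),
}

@dataclass
class Attachment:
    name: str
    text: str = ""   # extracted text; empty for an imaged (scanned) PDF

@dataclass
class Message:
    subject: str
    body: str
    attachments: list = field(default_factory=list)

def encrypt_decision(msg):
    """Return (encrypt, reason), evaluating the four checks in hierarchical order."""
    # Step 1: the sender forces encryption with "Secure:" in the subject line.
    if "secure:" in msg.subject.lower():
        return True, "step 1: sender forced encryption"
    # Step 2: sensitive content in the body or any attachment with readable text.
    texts = [msg.body] + [a.text for a in msg.attachments]
    for label, pattern in SENSITIVE_PATTERNS.items():
        if any(pattern.search(t) for t in texts):
            return True, f"step 2: sensitive content ({label})"
    # Step 3: a Pre-Approval document bypasses encryption only if steps 1-2 did not fire.
    if any("pre-approval" in a.name.lower() for a in msg.attachments):
        return False, "step 3: pre-approval document, encryption bypassed"
    # Step 4: any remaining PDF is encrypted by default (its content may be an image).
    if any(a.name.lower().endswith(".pdf") for a in msg.attachments):
        return True, "step 4: PDF attached, encrypted by default"
    return False, "no rule matched"

if __name__ == "__main__":
    # Constructed sample: a pre-approval letter that happens to contain an SSN
    # is still encrypted, because step 2 is checked before the step 3 bypass.
    letter = Attachment("Pre-Approval Letter.pdf", "Borrower SSN 123-45-6789")
    print(encrypt_decision(Message("Your pre-approval", "See attached", [letter])))
```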
Use of any email address other than @rossmortgage.com for conducting business is prohibited. The exceptions to this policy are DBAs whose email is managed and hosted by Ross Mortgage; they may use their DBA email address for conducting business.
Information System Safeguards
- The network, and all computer systems and servers are secured with the use of a Watchguard firewall.
- A private password is needed to enter any computer. All passwords are at least 8 characters long and must be a combination of alphabetic and numeric characters. Computer passwords are changed every 0 days, or whenever an employee with knowledge of the computer passwords leaves. The computer automatically prompts the user to change his/her password.
- Any hardware that will no longer be in use will have the data erased off the hard drive by a qualified computer professional and then destroyed.
- All system information is backed up by Symantec Backup Exec. This backup occurs daily, with monthly and yearly archives. All off-site backup drives are stored at the I.T. Director's home.
- All computers are protected with anti-virus software, which is updated automatically. In addition, every inbound email is scanned prior to reaching the email recipient’s destination.
- It is the policy of the Company that no personal customer information is to be stored on any laptop or PDA.
Employee Training
- Each employee is required to review the Company's Privacy Policy upon commencing employment. The employee is required to sign an acknowledgement that he/she has read, understands and will enforce the policy.
- Each employee is required to attend a training session that is held within 90 days of the hire date and presented by a Manager of the corporation.
- The training includes a review of the Privacy Policy so that employees understand its overall scope. The Company's procedures are reviewed so that each individual understands his/her role in protecting Customer Information. Each employee is informed of what information may be provided and to whom. If there is any doubt in the employee's mind, a manager is to be consulted.
- Employees are required to verify any request for Customer Information in order to be certain that the person requesting the information has the right to receive it. This may be done by validating the phone number of the caller or by knowing the caller. In the event this cannot be done, the employee is instructed to return the call to ensure that the phone number is appropriate to the company or individual requesting the information.
- Employees are also trained in recognizing any fraudulent attempt to obtain Customer Information and the steps to take in the event fraudulent attempts are identified. A manager is informed of the possible attempt and is to notify the appropriate law enforcement agency in the event the attempt is confirmed.