What Title Companies Need to Know about Pillar 3 Best Practices

  If you are in the title business, you’ve likely heard about the ALTA Best Practices framework.  It’s becoming the standard for Lenders, Mortgage companies and Title companies.  And unlike the old saying, “what you don’t know won’t hurt you”, your diligence in complying with these best practices will only help you compete more successfully and avoid potential problems down the road. Essentially, the American Land Title Association (ALTA) advises title insurance and settlement companies to adopt, establish and maintain their seven Best Practices Pillars in order to prepare for the CFPB August 2015 regulations.  They’ve developed these best practices to address the 7 main areas of lending. The 7 Best Practices Pillars are: Pillar #1 Licensing; Pillar #2 Escrow Trust Accounting; Pillar #3 Protecting NPI; Pillar #4 Settlement Processes; Pillar #5 Policy Production; Pillar #6 Insurance Coverage; Pillar #7 Consumer Complaints This guide specifically addresses the 3rd Pillar:  Protecting NPI (non-public information) which typically covers your computer, IT and document security. While adhering to ALTA’s best practices – including Pillar 3 for IT Security – is voluntary, there are many benefits to Title companies complying with and demonstrating compliance to lenders who need to meet regulatory requirements regarding oversight of their 3rd party service providers (such as title agencies).

  • Guarded protection against privacy breaches and identify any potential issues or risks that might create potential problems.

While no security is 100% guaranteed, Title companies find that by going through the process of 3rd party Pillar 3 assessments, they find issues that may have been hidden and can address them before they become problems.  There’s truth to the old saying, “an ounce of prevention is worth more than a pound of cure”.

  • Confidence with your clients and buyers that you take their security seriously.

As security continues to make the headlines, consumers are well aware of breaches and have become skeptical of companies that don’t make a concerted effort to guard their privacy and information.

  • Assurance to Lenders and Mortgage Companies. Title agencies who follow the Pillar 3 guidelines will find it easier to develop, expand and solidify their lender relationships than those who choose not to follow the recommended framework.

Lenders have to comply with Consumer Financial Protection Bureau (CFPB) and other regulatory requirements regarding oversight of their third-party service providers, which include title companies. In Bulletin 2012-03, the CFPB emphasized its expectation that mortgage lenders manage the risk of their service provider relationships in order to protect consumers from financial harm.  The ALTA Best Practices Framework outlines Assessment Procedures for title agents to help determine and demonstrate their compliance to lenders.

  • Proof of your industry competence will give you an advantage over your competition in your market. Demonstrating your leadership in your geographic area sets you apart from the pretenders.

Pillar 3 is about Protecting NPI (non-public information).  It addresses adopting and maintaining a written privacy and information security plan to protect Non-Public Personal Information (NPI) as required by local, state and federal law. Title agencies should consider establishing or strengthening their IT/computer security program and policies, including the following:

  • Intrusion detection and protection procedures
  • Incident response procedures
  • Security breach notification procedures
  • Change management procedures
  • Backup procedures and business continuity plan
  • Vendor management procedures
  • Privacy policy and procedures
  • Record retention and disposal procedures
  • Encryption policy
  • Clean desk policy
  • Access provisioning
  • Physical and environmental security
  • Background policy
  • User awareness and training
  • Testing of the information security controls
  • Risk assessment procedures

How should Title Companies respond to ALTA’s Pillar 3 Best Practice?

Assess. Find out where your current benchmark is for IT, computer and information security – preferably by a non-related, objective 3rd party. If you find that you pass with flying colors, great.  But if your assessment uncovers issues, that’s even better.  You can address and remedy those issues before something more nefarious results. Remedy. Address issues, document policies, close IT security holes, and button up procedures. From simple tweaks to more involved solutions, you’ll know what needs to be remedied and be able to plan to tighten up your security. Maintain. Every 6 months to a year, you’ll want to do another quick review of your systems to make sure that your title company still complies, retrain on your policies and ensure any changes to your business are covered by your procedures and conform to Pillar 3. Think of it as a tune-up.


We help Title companies and other financial institutions Assess, Remedy and Maintain their IT security for Pillar 3 Compliance. If you need assistance, guidance, or an objective 3rd party assessment, we can help you too.  Contact us today for more Pillar 3 resources or to talk to an expert about helping you become Pillar 3 compliant.