Legislation and Market Forces: PKI Drivers for the U. S. Mortgage Industry
November 27, 2006
R. J. Schlecht, Director, Industry Technology – Security & Compliance
Secure Identity Services Accreditation Corporation
SISAC
• Develops baseline standards for auditing and accreditation of certificate/credential issuers
» SISAC does not issue credentials; rather, it accredits Service Providers, e.g., VeriSign, GeoTrust, mortgage entities, etc.
• Technical, business and legal requirements
• B2B model for authentication
• Wholly-owned subsidiary of MBA
• www.sisac.org
SISAC - Requirements
• Standards developed by SISAC Advisory Group
» Fannie Mae, Freddie Mac and mortgage participants
» Advisory group is open to other entities
» Standards drafted by Relying Parties
» Federal Bridge (FBCA), OMB 0404, NIST, etc.
• Aligned with PKI best practices
• Business contract infrastructure
» RA, Subscriber, Relying Party agreements
» Defined obligations for all participants
• Liability requirements
» Credential Issuer liable for Errors & Omissions (E&O)
» Basic ($1M), Medium ($5M), High ($10M)
• Not fraud or transaction
eMortgage Process Flow
[Diagram: eMortgage process flow. Components shown: eOrigination & Underwriting; eDoc Prep; eClosing with eSignatures and eNotarization (Buyer, Seller); Service Ordering (Credit, Flood, Hazard, Title, MI); External Docs and Legal eDocs (land records, tax liens, other docs/affidavits); eRecording; Servicing; Secondary Investor / Aggregator eDocuments; eVault (two instances); eNote Data, Messaging & Control; MERS® eRegistry (National eNote Registry).]
SISAC – Flexibility
• Three levels of Assurance
» Basic, Medium & High
• Accreditation models
» Full and outsourced providers
» Independent or corporate providers
• Types of Subscriber Certificates
» User certificates (individual or organizational)
» Device certificates
• Ability for Relying Parties to add requirements
Legislation
• Uniform Electronic Transactions Act (UETA)
• Electronic Signatures in Global and National Commerce Act (E-SIGN)
• Gramm-Leach-Bliley Act
• Regulations
» Federal Financial Institutions Examination Council (FFIEC)
» Federal Trade Commission (FTC)
• U. S. States
» California Senate Bill 1386 (Security Breach)
» Over 30 other States
MERS – National eNote Registry
• Designation of the authoritative Promissory eNote
• Single source of the electronic Note for the mortgage industry
• Production launch
» April 26, 2004
» Notes are traded between primary, warehouse and secondary participants
• MERS Requirements
» Tamper-evident seal on envelope
» Individual identity on specific transactions
• SISAC Organizational Medium Assurance Cert
• SISAC Individual Medium Assurance Cert
[Diagram: eNote Registry]
National Notary Association (NNA)
• eNotarization of electronic records
• State and County Recorders / requirements
• Strong authentication, with validation and revocation
• Document integrity
• Potential fraudulent exploitation of notaries
• Non-proprietary model
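The MERS requirements above (a tamper-evident seal on the eNote envelope, backed by SISAC medium-assurance organizational and individual certificates) and the NNA's requirements (strong authentication with validation and revocation, plus document integrity) reduce to one relying-party check: validate the signer's certificate, confirm it has not been revoked, and verify the signature over the document. The Go program below is an added illustration written for this page; it is not code from SISAC, MERS or the NNA, and the Envelope layout, the issuer and lender names, the serial numbers and the JSON payload are all constructed for the example. It builds a throwaway root CA and an organizational subscriber certificate in memory, seals a sample eNote with an ECDSA signature, and then verifies the seal the way a registry would, rejecting an envelope whose content was edited after sealing and an envelope whose signer appears on a revocation list (a map of revoked serials standing in for a CRL or OCSP response).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Envelope is a hypothetical eNote container (not a MERS format): note bytes,
// the sealing organization's certificate, and an ECDSA signature over SHA-256(Note).
type Envelope struct {
	Note      []byte
	Signer    *x509.Certificate
	Signature []byte
}

// Credential pairs a certificate with its private key (toy root CA or subscriber).
type Credential struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue generates a P-256 key and a one-day certificate. With parent == nil the
// result is a self-signed CA; otherwise parent signs a subscriber cert for org.
func issue(org string, serial int64, parent *Credential) (*Credential, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{Organization: []string{org}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, IsCA: parent == nil, BasicConstraintsValid: true,
	}
	signer := &Credential{Cert: tmpl, Key: key} // self-signed unless a parent is given
	if parent != nil {
		signer = parent
	} else {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer.Cert, &key.PublicKey, signer.Key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Credential{Cert: cert, Key: key}, err
}

// Seal signs SHA-256(note) with the organizational key: this is the tamper-evident seal.
func Seal(note []byte, org *Credential) (*Envelope, error) {
	digest := sha256.Sum256(note)
	sig, err := ecdsa.SignASN1(rand.Reader, org.Key, digest[:])
	if err != nil {
		return nil, err
	}
	return &Envelope{Note: note, Signer: org.Cert, Signature: sig}, nil
}

// Verify is the relying-party check: chain the signer to a trusted root (which also
// enforces the validity period), reject revoked serials (the map stands in for a
// CRL or OCSP lookup), then check the signature over the note.
func Verify(env *Envelope, roots *x509.CertPool, revoked map[string]bool) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := env.Signer.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	if revoked[env.Signer.SerialNumber.String()] {
		return fmt.Errorf("signer certificate serial %s is revoked", env.Signer.SerialNumber)
	}
	pub, ok := env.Signer.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(env.Note)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], env.Signature) {
		return fmt.Errorf("seal broken: eNote content or signature was altered")
	}
	return nil
}

// Demo exercises the three outcomes a registry would see: an intact eNote, a copy
// whose principal was edited after sealing, and a seal from a revoked certificate.
func Demo() (intact, tampered, revoked error) {
	ca, err := issue("Constructed Test Issuer", 1, nil)
	if err != nil {
		return err, err, err
	}
	lender, err := issue("Constructed Example Lender", 42, ca)
	if err != nil {
		return err, err, err
	}
	env, err := Seal([]byte(`{"eNote":"constructed sample","principal":250000}`), lender)
	if err != nil {
		return err, err, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	altered := &Envelope{Note: []byte(`{"eNote":"constructed sample","principal":350000}`), Signer: env.Signer, Signature: env.Signature}
	crl := map[string]bool{"42": true} // constructed revocation entry for the lender's serial
	return Verify(env, roots, nil), Verify(altered, roots, nil), Verify(env, roots, crl)
}
```

Demo() returns three results: the intact envelope verifies (nil), the copy whose principal was changed after sealing fails the signature check, and the same valid envelope is rejected once its signer's serial is on the revocation list. The last case is the one the NNA bullet on revocation is about: a correct signature from a certificate that has since been revoked must still be refused, so the relying party's trust anchors and revocation data have to be kept current, not just the signature math.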
Lessons Learned
• Business infrastructure and liability
• Relying parties are interested in complying with legislative and business requirements, not in credential services
• Legislation legalized electronic signatures and documents, and security controls for protecting personal information
• Relying parties bear the risk and therefore should have a critical role in defining policy requirements
• Ability to leverage existing CPs/CPSs and audit practices
• Emergence of early industry adopters; eRegistry and eNotarization services
• Flexible model without compromise of standards
Addressing the PKI Adoption Issues
• Poor or missing support for PKI in software applications
• High adoption costs
• Poor understanding of PKI among senior managers and end-users
• Too much focus on technology and not enough on business needs
• Interoperability problems
Contact
R. J. Schlecht
Director, Industry Technology Security & Compliance
Mortgage Bankers Association
Washington, DC 20006
202 557-2843
rschlecht@mortgagebankers.org