Legislation and Market Forces: PKI Drivers for the U.S. Mortgage Industry
November 27, 2006
R. J. Schlecht
Director, Industry Technology – Security & Compliance
Secure Identity Services Accreditation Corporation (SISAC)
• Develops baseline standards for auditing and accreditation of certificate/credential issuers
  » SISAC does not issue credentials, rather accredits Service Providers, e.g., VeriSign, GeoTrust, Mortgage entities, etc.
• Technical, Business and Legal requirements
• B2B model for authentication
• Wholly-owned subsidiary of MBA
www.sisac.org
SISAC - Requirements
• Standards developed by SISAC Advisory Group
  » Fannie Mae, Freddie Mac and mortgage participants
  » Advisory group is open to other entities
  » Standards drafted by Relying Parties
• Aligned with PKI best practices
  » Federal Bridge (FBCA), OMB 0404, NIST, etc.
• Business contract infrastructure
  » RA, Subscriber, Relying Party agreements
  » Defined obligations for all participants
• Liability requirements
  » Credential Issuer Liable for Errors & Omission (E&O)
    • Not fraud or transaction
  » Basic ($1M), Medium ($5M), High ($10M)
eMortgage Process Flow
[Diagram. Labeled elements: External Docs; eOrigination & Underwriting; Legal eDocs (Land records, tax liens, other docs/affidavits); eRecording; eDoc Prep; Service Ordering: Credit Flood Hazard Title MI; Secondary Investor, Aggregator; eClosing; eSignatures; eNotarization; Buyer; Servicing; eDocuments; eVault; Seller; eNote; Data, Messaging & Control; MERS® eRegistry (National eNote Registry)]
SISAC – Flexibility
• Three levels of Assurance
  » Basic, Medium & High
• Accreditation models
  » Full and outsourced providers
  » Independent or corporate providers
• Types of Subscriber Certificates
  » User certificates
    • Individual or Organizational
  » Device certificates
• Ability for Relying Parties to add requirements
Legislation
• Uniform Electronic Transactions Act (UETA)
• Electronic Signatures in Global and National Commerce Act (E-SIGN)
• Gramm-Leach-Bliley Act
• Regulations
  » Federal Financial Institution Examination Council (FFIEC)
  » Federal Trade Commission (FTC)
• U.S. States
  » California Senate Bill 1386 (Security Breach)
  » Over 30 other States
MERS – National eNote Registry
• Designation of authoritative Promissory eNote
• Single source for Mortgage Industry of electronic Note
  » Notes are traded between primary, warehouse, secondary.
• Launch production
  » April 26, 2004
• MERS Requirements
  » Tamper-evidence seal on envelope
    • SISAC Organizational Medium Assurance Cert
  » Individual Identity on specific Transactions
    • SISAC Individual Medium Assurance Cert
eNote Registry
National Notary Association (NNA)
• eNotarization of electronic records
• State and County Recorders/Requirements
• Strong authentication, with validation and revocation
• Document integrity
• Potential fraudulent exploitation of notaries
• Non-proprietary model
Lessons Learned
• Business infrastructure and liability
• Relying parties are interested in complying with legislative and business requirements; not credential services
• Legislation legalized electronic signatures and documents, and security controls for protecting personal information
• Relying parties bear the risk and therefore should have a critical role in defining policy requirements
• Ability to leverage existing CPs/CPSs and audit practices
• Emergence of early industry adopters; eRegistry and eNotarization services
• Flexible model without compromise of standards
Addressing the PKI Adoption Issues
• Poor or missing support for PKI in software applications;
• High adoption costs;
• Poor understanding of PKI among senior managers and end-users;
• Too much focus on technology and not enough on business needs; and,
• Interoperability problems.
Contact
R. J. Schlecht
Director, Industry Technology
Security & Compliance
Mortgage Bankers Association
Washington, DC 20006
202 557-2843
rschlecht@mortgagebankers.org