Countrywide achieves ISO:27001 certification

Mortgage fraud, wherein false information is provided on mortgage applications to secure a loan, is a rapidly growing problem. The latest fraud report from credit ratings agency Experian found that 34 mortgage applications in every 1,000 in 2011 were fraudulent – up from just 15 in 2008.

This blight on the mortgage lending industry is one of the reasons why property services company Countrywide recently decided to achieve certification in ISO:27001, the international standard that demonstrates management oversight of information security.

"When you look at the statistics about mortgage lending fraud, risk management as a whole needs to be tackled proactively," explains Paul Brook, business services director at Countrywide. "The certification is a statement that we are proactive in our approach – we are the first in our industry that has got it."


Brook says Countrywide already considered its information security policies to be in line with ISO:27001 before seeking accreditation. For example, the company uses only lockable bins to ensure that sensitive information is disposed of appropriately.

What is more, Countrywide conducts regular security awareness and training exercises to make sure its staff understand what they need to do and why.

"We use classroom sessions, email communications and our company intranet, and post key messages online such as 'Make sure you lock your screen' or 'Make sure you know what you are faxing'," explains Brook. "And we test our staff every few months using our online assessment tool to ensure they have got a good level of understanding."

In preparation for certification, Countrywide focused its staff training and assessments on some of the specific requirements of the standard. It also aligned security policies across its three operating divisions.

The audit was conducted by independent testing company SGS. "There are two phases of the audit," says Brook. "Stage one is making sure your policies and procedures are all up to scratch. In stage two they spent a fortnight visiting our office, speaking to our staff, looking at technical controls, making sure we do what we say we do."

The cost of undergoing certification was not tied to any specific return on investment, Brook explains. Instead, Countrywide sees maintaining information security as part of the cost of doing business.

Brook believes that achieving certification demonstrates to customers, partners and employees that Countrywide handles their information with care. "This is a pretty strong message to send out that we're handling all our information appropriately."


Whether or not it will confer competitive advantage remains to be seen. "Because we're the first company in our sector to do this, that's a bit of an unknown."

In fact, says Brook, he would rather Countrywide's competitors took the same measures. "With mortgage lending fraud on the rise, we feel that ISO:27001 should be a standard across our industry."

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...