Legislation and Market Forces: PKI Drivers for the U. S. Mortgage Industry November 27, 2006 - PowerPoint PPT Presentation

Slides: 13
Provided by: jaci77
Transcript and Presenter's Notes


1
Legislation and Market Forces: PKI Drivers for
the U. S. Mortgage Industry, November 27, 2006
  • R. J. Schlecht
  • Director, Industry Technology
  • Security Compliance

2
Secure Identity Services Accreditation
Corporation
  • SISAC
  • Develops baseline standards for auditing and
    accreditation of certificate/credential issuers
  • SISAC does not issue credentials, rather
    accredits Service Providers, e.g., VeriSign,
    GeoTrust, Mortgage entities, etc.
  • Technical, Business and Legal requirements
  • B2B model for authentication
  • Wholly-owned subsidiary of MBA
  • www.sisac.org

3
SISAC - Requirements
  • Standards developed by SISAC Advisory Group
  • Fannie Mae, Freddie Mac and mortgage participants
  • Advisory group is open to other entities
  • Standards drafted by Relying Parties
  • Aligned with PKI best practices
  • Federal Bridge (FBCA), OMB 0404, NIST, etc.
  • Business contract infrastructure
  • RA, Subscriber, Relying Party agreements
  • Defined obligations for all participants
  • Liability requirements
  • Credential Issuer Liable for Errors & Omissions
    (E&O)
  • Not fraud or transaction
  • Basic (1M), Medium (5M), High (10M)

4
eMortgage Process Flow
[Diagram: process flow between Buyer and Seller; labels: eSignatures, eNotarization, eClosing, eRecording, Legal eDocs (land records, tax liens, other docs/affidavits)]

5
SISAC Flexibility
  • Three levels of Assurance
  • Basic, Medium & High
  • Accreditation models
  • Full and outsourced providers
  • Independent or corporate providers
  • Types of Subscriber Certificates
  • User certificates
  • Individual or Organizational
  • Device certificates
  • Ability for Relying Parties to add requirements

6
Legislation
  • Uniform Electronic Transactions Act (UETA)
  • Electronic Signatures in Global and National
    Commerce Act (E-SIGN)
  • Gramm-Leach-Bliley Act
  • Regulations
  • Federal Financial Institution Examination Council
    (FFIEC)
  • Federal Trade Commission (FTC)
  • U. S. States
  • California Senate Bill 1386 (Security Breach)
  • Over 30 other States

7
MERS National eNote Registry
  • Designation of authoritative Promissory eNote
  • Single source for Mortgage Industry of electronic
    Note
  • Notes are traded between primary, warehouse,
    secondary.
  • Launch production
  • April 26, 2004
  • MERS Requirements
  • Tamper-evidence seal on envelope
  • SISAC Organizational Medium Assurance Cert
  • Individual Identity on specific Transactions
  • SISAC Individual Medium Assurance Cert

8
eNote Registry

9
National Notary Association (NNA)
  • eNotarization of electronic records
  • State and County Recorders/Requirements
  • Strong authentication, with validation and
    revocation
  • Document integrity
  • Potential fraudulent exploitation of notaries
  • Non-proprietary model

10
Lessons Learned
  • Business infrastructure and liability
  • Relying parties are interested in complying with
    legislative and business requirements, not
    credential services
  • Legislation legalized electronic signatures and
    documents, and security controls for protecting
    personal information
  • Relying parties bear the risk and therefore
    should have a critical role in defining policy
    requirements
  • Ability to leverage existing CPs/CPSs and audit
    practices
  • Emergence of early industry adopters: eRegistry
    and eNotarization services
  • Flexible model without compromise of standards

11
Addressing the PKI Adoption Issues
  • Poor or missing support for PKI in software
    applications
  • High adoption costs
  • Poor understanding of PKI among senior managers
    and end-users
  • Too much focus on technology and not enough on
    business needs and,
  • Interoperability problems.

12
Contact
  • R. J. Schlecht
  • Director, Industry Technology Security
    Compliance
  • Mortgage Bankers Association
  • Washington, DC 20006
  • 202 557-2843
  • rschlecht_at_mortgagebankers.org