
PRIVACY POLICY
Objective
To document MMCD’s policies and procedures for ensuring customer / consumer privacy.
Required Review
Review of and necessary changes to these policies and procedures are made pursuant to agency, regulatory and business requirements’ changes.
Scope
These policies and procedures apply to all MMCD employees.
Background
MMCD is bound by various laws to ensure consumer / customer privacy.
The primary law is Regulation P—Privacy of Consumer Financial Information, which implements relevant portions of the Gramm-Leach-Bliley Act.
Regulation P is concerned specifically with the protection of nonpublic information, which consists of:
- Personally identifiable financial information that is not publicly available information.
- Lists, descriptions, or other groupings of consumers (including publicly available information contained therein) that are derived using personally identifiable financial information that is not publicly available.
Regulation P restricts the disclosure of nonpublic personal information to nonaffiliated third parties. It also requires notification of the financial institution’s policies and practices regarding the disclosure of nonpublic personal information and whether a consumer is entitled to opt out of those disclosures. The disclosure responsibilities vary, depending on whether the individual is a “consumer” or a “customer”.
- A “consumer”, for MMCD purposes, is a loan applicant—whether or not he/she closes the loan. (Simply said: has a one-time relationship with MMCD)
- A “customer”, for MMCD purposes, is an individual who closes a loan with MMCD. (Simply said: has an on-going relationship with MMCD, assuming that we service the loan)
Note: At MMCD, the applicant is a consumer until he closes the loan; then, he becomes a customer until such time as MMCD transfers the servicing and ownership of the loan.
The Fair and Accurate Credit Transactions (FACT) Act of 2003 (implemented by the FTC) is another law that requires MMCD to preserve consumer privacy. It requires financial institutions and creditors to develop and implement written identity theft prevention programs (Red Flag Rules). Refer to MMCD's Red Flag Program.
Standards for Safeguarding Customer Information. This rule was published by the FTC in 2002, in compliance with requirements established by sections 501 and 505(b)(2) of the Gramm-Leach-Bliley Act. Its aim is to establish standards relating to administrative, technical and physical information safeguards of financial institutions.
California Financial Privacy Information Act (“CFIPA”). This Act goes beyond the provisions of Regulation P by requiring financial institutions to provide customers and consumers with extended information to protect their nonpublic information.
California Consumer Privacy Act (“CCPA”). This Act was signed into law in June 2018 and became effective January 1, 2020. It grants California consumers robust data privacy rights and control over their personal information, including the right to know, the right to delete, and the right to opt-out of the sale of personal information that is collected, as well as additional protection for minors.
Important Prerequisite Understanding
- MMCD has neither affiliates nor non-affiliates as defined by any of the privacy laws;
- MMCD does not disclose nonpublic information to anyone and does not reserve the right to do so; and
- MMCD has both “consumers” and “customers” as defined by Regulation P. Refer to Annual Disclosures below.
Compliance with Regulation P
MMCD provides an initial privacy notice to all applicants (consumers).
- Contents: MMCD’s initial privacy notice (an abbreviated format—see Privacy Notice) includes:
  - Categories of information MMCD collects;
  - MMCD’s policies and practices with respect to protecting the confidentiality and security of nonpublic information; and
  - The fact that MMCD does not disclose nonpublic personal information about current and former customers to affiliated or nonaffiliated third parties.
- Timing: MMCD includes the privacy notice with the early disclosures.
The applicant is a “customer” only for those loans serviced by MMCD. Any MMCD servicing is or will be conducted by a third party under a servicing agreement. Such agreement includes representations and warranties relating to the issuance of Regulation P’s annual privacy notice and prohibiting the disclosure of nonpublic information to any nonaffiliated third party, except as authorized by law.
Compliance with Fair and Accurate Credit Transactions (FACT) Act Of 2003
Refer to MMCD’s Preventing Money Laundering and Other Related Fraudulent Activities (AML, BSA, OFAC).
Compliance with Standards for Safeguarding Customer Information
“Customer information” means any record containing nonpublic personal information about a customer, whether in paper, electronic or other form. The Standards require that financial institutions develop, implement and maintain a comprehensive information security program that includes:
- Physical safeguards for privacy
- Operational safeguards for privacy
- Electronic safeguards for privacy
To that end, at MMCD:
- Three employees are designated to coordinate MMCD’s information security program: the compliance officer, EVP of Operations, and EVP of Information Technology.
- MMCD has partially identified and mitigated internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information.
- MMCD’s physical and operational safeguards for privacy are outlined on Exhibit A.
- MMCD maintains security breach policies and procedures. Refer to MMCD’s Security Breach Policies and Procedures.
Compliance with California Financial Privacy Information Act (“CFIPA”)
MMCD complies with CFIPA by providing initial and on-going employee training regarding the company’s responsibilities under the act.
Compliance with California Consumer Privacy Act (“CCPA”)
MMCD does not sell the personal information of our consumers. Refer to Exhibit B for the supplemental privacy policy surrounding this Act.
EXHIBIT A
MMCD Physical, Operational and Electronic Safeguards to Protect Consumer Privacy
Physical privacy
Important Note: MMCD’s loan records are electronic / paperless. Thus, the only consumer nonpublic information / documents that may be present in the environment are those that are in hard copy format prior to scanning for the loan record or are employee printed.
Identified risks: The misuse of consumers’ nonpublic information which may be visible and accessible in MMCD’s physical environment.
Specific MMCD physical areas that are modestly susceptible to breach of privacy:
- Employee desks – where loan documents containing consumers’ nonpublic information may be displayed prior to scanning
- Employee recycle boxes – where unnecessary consumer or file documentation is temporarily disposed of
- Copy centers – where loan documents are scanned for company use
- MMCD offices – from which nonpublic information may be removed
Safeguards:
Although MMCD’s loan records are electronic / paperless, the following safeguards exist in the event that nonpublic information / documents are in the pre-scanned stage:
- Each site has a designated employee who performs the end of day inspection.
  Note: Safeguarding nonpublic consumer hardcopy information on desks during the day is unnecessary, as employee desks are not visited during the day by non-employees.
- MMCD has locked “shred bins” at each of its sites. Any hardcopy sensitive information is disposed of by placing the material in the shred bin. Typically, employees have a recycle box at their desks. These boxes are emptied into the shred bin at the end of each day. Each site has a designated employee who performs the end of day inspection.
- Each copy center is inspected three times daily for abandoned material. This inspection is performed by a designated employee at each site. Additionally, a large sign is posted in each area, reminding employees of the need to maintain privacy.
- Employees may not remove (by printing) hardcopy consumer documentation from MMCD’s physical site—for any purpose.
- Each MMCD office is attended by an employee during business hours. Each office is locked at the close of the business day. Individual offices that may contain sensitive information (human resources, accounting) are individually locked.
- MMCD offices do not retain “shadow files.” All permanent loan files are electronic.
  Note: Files assembled in MMCD’s pre-paperless history are retained in off-site storage. MMCD has contractual agreements with the off-site storage vendor regarding safeguards. These files can be retrieved when necessary.
Operational Privacy
Identified risks:
- Service providers may breach privacy: Individuals or companies that provide necessary services for loan processing may pose a risk to consumer privacy.
- Employees may deliberately or inadvertently provide nonpublic consumer information to an unauthorized recipient.
- MMCD’s support departments (e.g., accounting and human resources) may provide nonpublic employee or consumer information inadvertently.
- Loans to employees may be accessed by unauthorized personnel.
- MMCD may experience a security breach and must notify consumers of the breach.
Safeguards:
- Contracts with service providers (credit report agency, shipping / courier services, file storage vendor) include provisions for information safety and warranty or bonding.
- Employees receive periodic training regarding MMCD’s privacy policies, including specific examples of when information can be provided and when it cannot. Additionally, such training includes verifying the identity of the information recipient.
- MMCD has a specific policy regarding the management of employee loan records. This policy includes the identity of those individuals who have access to these records.
- MMCD’s human resource department performs background and reference checks on all new hires, to ensure the integrity of those individuals who will have access to sensitive information. Also, at hire, MMCD employees are required to acknowledge a confidentiality and security standards agreement.
- Terminated employees are supervised on exit to ensure that sensitive information is not retained by the employee. Additionally, the human resource department retrieves any terminated employee access tools.
- Access to consumer sensitive information is authorized on a “need to know” basis.
- Employees who disregard MMCD’s privacy and security policies and procedures are subject to disciplinary action.
- MMCD’s compliance officer is responsible for notifying consumers in the event of a privacy breach. The compliance officer may be notified of a breach by any employee. Refer to MMCD’s Security Breach Policies and Procedures.
Electronic Privacy
Identified risks: Nonpublic or sensitive customer information may be lost, accessed without authority, destroyed, used improperly, modified without authority or disclosed.
Information assets referenced in this policy statement are user computers and servers/network.
Safeguards:
- Computers (laptops/desktops) utilized in the field and at the branch level are secured by two levels of passwords: one to log into the physical laptop and another to access MMCD’s systems. Additionally, access to MMCD’s servers is done via an encrypted VPN.
  Nonpublic borrower information is not stored on the local laptop hard drives. All of this information is stored on MMCD’s central corporate servers in San Ramon, CA.
- Computers (laptops/desktops) used at the corporate site are secured with local level passwords and server access via encrypted VPN.
  Nonpublic borrower information is not stored on the local laptop hard drives. All of this information is stored on MMCD’s central corporate servers in San Ramon, CA.
- Third party applications that are not related to the mortgage process are not allowed to be installed. Third party applications include file sharing programs, which are gateways to virus/malware infections.
- All SERVERS are centrally located in San Ramon, CA. These servers are secured behind two locked doors and are accessible only to executive management and IT. No third party vendors are allowed in this room unless accompanied by an IT staff member. Additionally, even with supervision, the only vendors who are permitted access are maintenance providers, investor auditors, or industry auditors.
- Servers are all password protected with a unique revolving password that is changed monthly. Network devices that allow server access are also protected this way. Network equipment is locked down to physical access and cannot be remotely controlled via the internet.
- The MMCD NETWORK is protected by a high-end Gateway firewall. All ports/connections are secured and available only to trusted sources on an “as-needed” basis.
- Company policy mandates ENCRYPTION OF ANY COMMUNICATION / document that includes consumer nonpublic information that leaves the company electronically. Permitted encryption methods are: DocuSign, Encompass Secure Form Transfer, and ShareFile.
Exhibit B: California Privacy Policy
This PRIVACY POLICY FOR CALIFORNIA RESIDENTS supplements the information contained in the Privacy Policy Statement of Mason McDuffie Mortgage Corporation (collectively, “we,” “us,” or “our”) and applies solely to visitors, users, and others who reside in the State of California (“consumers” or “you”). We adopt this notice to comply with the California Consumer Privacy Act (“CCPA”). Any terms defined in the CCPA have the same meaning when used in this policy.
Under CCPA, California residents have the right to know about information collected, disclosed or sold, the right to opt out of the sale of certain information, and a limited right to have businesses delete information a business has collected about the consumer. These rights extend only to California residents and information covered by CCPA. Because CCPA does not cover all consumer data in all situations, only certain consumer data is subject to these rights.
Other laws may govern data we gather about you or you provide to us including, but not limited to:
- Information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report as defined by subdivision (d) of Section 1681a of Title 15 of the United States Code, and use of that information is limited by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
- Information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106–102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code).
PLEASE NOTE: Any personal data collected in relation to a mortgage loan is exempt from the consumer rights to know, delete and opt-out created under CCPA because this information is governed by the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the California Financial Information Privacy Act or other state and federal laws which exempt this data from CCPA.
INFORMATION WE COLLECT
We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“personal information”). As described above, not all of the Personal Information collected below is subject to CCPA. All Personal Information collected pursuant to this notice that is subject to CCPA is collected for a Business Purpose and may be shared with service providers if necessary to perform a Business Purpose. We may have collected the following categories of personal information from consumers within the last 12 months:

We obtain the categories of personal information listed above from the following categories of sources:
- Directly from you or your agents through the information or details you/your agent provide to us, to our loan officers, or through our Website(s).
- Indirectly from our third-party service providers, through social media websites and other service providers that we connect with in order to conduct our business or provide services, government entities from which public records are obtained, or consumer data resellers. For example, we collect your personal information when you apply for a loan or give us your contact information, employment history, income information, or employment information.
- We also collect your personal information from other entities, such as credit bureaus.
USE OF PERSONAL INFORMATION
We may use or disclose the personal information we collect for one or more of the following business purposes:
- To fulfill or meet the reason for which the information is provided. For example, if you provide us with personal information in order to apply for a loan, we will use that information to review your application for approval.
- To provide you with information, products or services that you request from us.
- To provide you with email alerts, event registrations and other notices concerning our products or services, or events or news, that may be of interest to you.
- To improve our website and present its contents to you.
- For testing, research, analysis and product development.
- As necessary or appropriate to protect the rights, property or safety of us, our clients or others.
- To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
- As described to you when collecting your personal information or as otherwise set forth in the CCPA.
We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.
SHARING PERSONAL INFORMATION
We may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.
In the preceding 12 months, we have disclosed the following categories of personal information for a business purpose:
- Category A: Identifiers.
- Category B: California Customer Records personal information categories.
- Category C: Protected classification characteristics under California or federal law.
- Category I: Professional or employment-related information.
We disclose your personal information for a business purpose to the following categories of third parties:
- Service providers.
- Investors.
- Government entities.
- Marketing providers.
- Third parties to whom you or your agents authorize us to disclose your personal information in connection with products or services we provide to you.
DATA RETENTION
We will only retain Your personal data for as long as reasonably necessary to fulfil the purposes We collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain Your personal data for a longer period in the event of a complaint or if We reasonably believe there is a prospect of litigation in respect to Our relationship with You.
To determine the appropriate retention period for personal data, We consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of Your personal data, the purposes for which We process Your personal data and whether We can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
YOUR RIGHTS AND CHOICES
The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.
Right to notice: You will be notified of the personal data we collect from you, the purpose of its collection, the third parties we share them with, and the rights you have in connection with the data. This right includes this Privacy Notice, as well as other disclosures made to you while applying for our services.
Right to access: You can request a copy of the personal information that we collect from you, and we will share the same with you once we have verified your identity.
Right to delete: You can request us to delete your information. However, we will not be in a position to honor your request if the information is needed to provide the service for which you have engaged with us, if we are required by regulatory authority to retain the data, or if the information is needed for any legal or regulatory purpose. You may be required to verify your identity and re-confirm that you want your data deleted (provided it does not fall under any of the exceptions mentioned above) in order for us to complete your request.
Right to opt out of sale of information: We do not sell your personal information as we understand that term to be defined by the California Consumer Privacy Act and its implementing regulations. As such, there is no financial incentive for encouraging you to opt in for sale of such information.
Right to equal services: We will not discriminate against you if you exercise any of the rights described herein. Exercise of these rights will not result in us denying goods or services to you; charging different prices or rates for goods or services, including through the use of discounts or other benefits or by imposing penalties; providing a different level or quality of goods or services to you; or suggesting that you will receive a different price or rate for goods or services or a different level or quality of goods or services.
How you can exercise these rights
You can contact a customer service representative at (877) 275-6662 to exercise your rights. Alternatively, you can send us an email at compliance@masonmac.com or send us a postal mail at: ATTN: Compliance, 2430 Camino Ramon, Suite 300, San Ramon, CA 94583
You can also appoint an authorized agent to exercise these rights. “Authorized agent” means a natural person or a business entity registered with the Secretary of State that a consumer has authorized to act on their behalf subject to the requirements.
How we verify your identity
If you are calling us to exercise your rights, we will ask for information to verify your identity. We will proceed with your request only if your identity is verified uniquely based on the answer you have provided. In the event that we cannot do so, we will contact you for further information.
If you have contacted us to exercise your rights via email or postal mail, we request that you provide the following details for verification:
- First name and last name;
- The email address that you used to do business with us (if any);
- Contact telephone number;
- Date of birth;
- Address of current residence (including city, state, and zip code).
Based on the information you provide, we will identify you and proceed with your request, if appropriate. If we cannot identify you uniquely, we will contact you for further information.
When you use an authorized agent to submit a request, we may require that you:
- Provide the authorized agent written permission to do so; and
- Verify your own identity directly with us.
However, if you have provided the authorized agent with power of attorney pursuant to California Probate Code sections 4000 to 4465, you will not need to abide by the above authorization procedure for your agent.
Please note that we may deny a request from an agent that does not submit proof that they have been authorized by you to act on your behalf.
Please note that we do not collect information for individuals below 16 years old and will not be able to entertain a request from such an individual.
For more information
If you have any questions about this Privacy Policy, or for assistance with accessibility for consumers with disabilities, please contact us at compliance@masonmac.com. You can also contact us at the following address: ATTN: Compliance, 2430 Camino Ramon, Suite 300, San Ramon, CA 94583
This Privacy Policy was last updated on December 27, 2019.