July 20th, 2017

Should mortgage lenders maintain and test a documented Disaster Recovery/Business Continuity Plan?

Yes, it is not only a best practice recommendation but also a requirement to be maintained and tested by many state regulators and the GSEs (Fannie Mae and Freddie Mac).  A formal Business Continuity Plan (“Plan”) should instruct employees who are the key contacts, what steps need to be taken, when to execute each step, where to go, and how to do so in the event of a significant incident or natural disaster that disrupts daily business.  The Plan should include detailed steps outlining where employees relocate for business resumption.  In many cases they may only need a computer and an internet connection.  A phone call tree and how employees can access a list of vendors and contacts critical to keeping the business running should also be a part of the disaster recovery component of the Plan.

The Plan needs to speak to the method utilized by the mortgage lender to ensure that, in the event of a data loss or security compromise to the main systems, the information is capable of being quickly recovered in the exact format as it was prior to the event.  If a physical backup facility is used it is recommended to be at least 25 miles from the main office in case a natural or man-made disaster affects an entire region.  At a minimum, the Plan should be tested annually.