Fraud in the mortgage industry is rampant. I'm not talking about those mortgage brokers that engage in illicit conduct by way of fraudulent transactions, or that very small number that intentionally neglects best consumer outcomes in favour of their own financial gain; I'm referring to the higher-end fraud that results in the emptying of customer bank accounts as a result of dealing with a broker that enlists offshore processing services. For some reason, it's one of those topics that nobody seems to want to acknowledge or talk about.
Crimes associated with loan processing aren't committed immediately. In fact, there's normally a gap of several months between loan processing and crimes that may take place locally. The modus-operandi takes many forms but it's usually connected with a simple identity theft predicated upon the weakest areas of identity protection. While the theft can be enacted via digital means, we've found that the most common method (at least until quite recently) involved simply hijacking a mobile phone account and then resetting Netbank or other online passwords.
In the last week I switched our company cellphones from one provider to another. When I didn't have two particular phones necessary for the transfer (Vodafone now sensibly requires a return SMS as verification of a transfer) the salesgirl sent me across to the local Optus store for a sim-swap, providing an opportunity to experience the process myself. Now, while I understand that identity is normally required for the re-issue of a sim card, it wasn't asked of me on this occasion. Instead, the entire process of swapping over three of my sim cards took no more than a few minutes and it required nothing more than a phone number, my name, and my date of birth. Simple. My primary handset ceased operating almost immediately and the custodian of the new sim card now (thankfully it was me) had the capacity to immediately reset about every online service I owned - including gaining access to my bank accounts via an SMS-based password reset. For occasions where an SMS is required for two-factor authentication that facility would immediately be available.
In my case Optus clearly and carelessly violated every expectation placed upon them for client security. However, the experience did illustrate how quickly and easily the transfer might have occurred if an agent acting under the instruction of an offshore control might have hijacked my services. Of course, this fraudulent transaction would be an easy task given that any malicious actor would likely hold hundreds of points of identification in their possession.
While the experience on the Vodafone end was a pleasant one, they too didn't ask for any of my personal identification. The whole experience was - for lack of a better word - frightening.
The process I've described is just one of many methods. However, whatever nefarious technique is employed the outcome is almost always the same.
While some 'marketing' agencies, and some of those that like to call themselves 'coaches', might like to think of offshore processing as a means of mitigating your time-poor business (and, in a sense, it is), the most suitable solution is always one sourced locally with quality assurances in place by way of direct oversight, and one that is required to operate in compliance with Australian law. Of course, the most scalable processing option is one that is 'self-hosted' and operated internally. Data processing is the epicentre of the broking universe, and those brokers that invest in their own business support services (operating on our end of the clock) will always do better than those that blindly relegate the task outside of their control. Of course, we have a number of workable solutions we make available to our clients that are seeking administrative support, but they all come with an Australian accent.
Every time you send a client file offshore for processing you're potentially introducing your customer to massive risk of identity theft. While there are genuine services available out of the country, is it really worth the risk? Is the cost of having the loan processed locally really that prohibitive that you're prepared to compromise on data security? The Australian Privacy Principles - foundational pillars of the Privacy Act, 1988 - requires offshore processing be fully disclosed to a client but is often ignored. How would your client respond if they knew you were sending their information to a dingy processing office in Calcutta?
When borrowers gravitate towards brokers they don't expect a lesser degree of service than the banks (in fact the opposite applies), and they certainly don't expect their data to be shared internationally to unknown entities. What's the use of trust if we abuse it?