State Regulatory Developments

Arkansas Data Security Requirements for Mortgage Licensees

Arkansas recently enacted new data security provisions in the Arkansas Fair Mortgage Lending Act (AFMLA), analogous to the FTC’s Safeguards Rule.

The data privacy provisions will apply to mortgage brokers, mortgage bankers, and mortgage servicers licensed under the AFMLA, although there is an exception for smaller licensees who do not maintain more than a specified number of consumer records.

Licensees must develop, implement, and maintain a comprehensive information security program (Program). It must be written and contain administrative, technical, and physical safeguards commensurate with the size of the financial institution as well as the scope of its activities and sensitivity of the customer information it maintains.

Some of the key elements the Program will need to contain are: (i) designating a qualified individual to oversee the Program and submit written reports to the board of directors (or similar body) annually; (ii) conducting a risk assessment; (iii) implementing safeguards to control identified risks; (iv) testing and monitoring of the safeguards; (v) implementing policies and procedures for personnel to enact the Program; (vi) overseeing service providers; and (vii) evaluating and adjusting the Program due to testing results or other changes impacting the Program.

Licensees will need a written incident response plan for any security event that affects the confidentiality, integrity, or availability of customer information, as well as a written business continuity and disaster recovery plan.

Lastly, a licensee will have to notify the Arkansas Securities Commissioner no later than 45 days after discovering the acquisition of unencrypted customer information without customer authorization.

AFMLA licensees should review their current Program, incident response plan, and business continuity and disaster recovery plans to ensure those documents cover all of the requirements imposed by this new data security and privacy law. The new provisions are anticipated to be effective in early August 2025.