State Regulatory Developments

Utah Amends Mortgage Entity Employee Supervision and Customer Privacy Regulations

Utah’s Residential Mortgage Regulatory Commission recently amended its regulations relating to employee supervision and safeguarding consumer information.

The amendment clarifies that the supervision exercised by principal lending managers and branch lending managers extends to sponsored loan originators and unlicensed staff members who are teleworking.  Additionally, principal lending managers are responsible for establishing, maintaining, and enforcing written policies and procedures to ensure consumer privacy, customer information security, encryption of data, and password management, including by establishing a cyber security policy that requires teleworking employees and sponsored loan originators to use a secure virtual private network maintained by the sponsoring mortgage entity.

The amendment also requires mortgage entities to notify affected customers, in writing and without unreasonable delay, of any suspected breach of the mortgage entity’s security system if misuse of the customer’s personal information occurs or is likely to occur as a result of the suspected security breach. 

Additionally, the amendment adds customer information acquired in the application or lending process to the record that a licensed entity must maintain and safeguard for the record retention period and must dispose of at the end of that record retention period.

The amendment went into effect on August 8, 2023.