PRMG’s John Ashley on cybersecurity and privacy

HousingWire Editor in Chief Sarah Wheeler sat down with John Ashley, chief information officer and chief information security officer at PRMG, to talk about what the company is building versus buying, and how regulators are ramping up privacy and security standards.

Sarah Wheeler: Tell me a little bit about your background and what you’ve done at PRMG.

John Ashley: I’ve collaborated with PRMG since late 2005 and my background was network infrastructure and security. In my career, I’ve swung between enabling technology and securing it at the same time.

Within mortgage, we’ve done everything here at PRMG: multiple lending platform LOS systems, multiple changes of those systems, multiple changes of pricing engines, marketing systems, marketing platforms, CRMs, infrastructure security systems moving to the cloud for most of our infrastructure — I’ve been behind all of that over the last 10 to 15 years.

SW: How many tech people do you guys have?

JA: Within the IT department, we have about 16. So, we’re not little, but we’re not big, like some of these companies with 500 developers. We have smaller teams, but they’re very effective.

SW: At PRMG, do you generally build or buy technology?

JA: We do both. We have a development team and so we have software developers, system analysts, business analysts, quality assurance testers, and people that manage deployments. So, we can and do build stuff, but we tend to try to find solutions just for the speed of getting things up and we find ourselves doing a lot of integration or extending systems that we have.

A great example of this is the Encompass platform, which has been around a long time. And while it’s kind of long in the tooth in many respects, ICE has done a fantastic job in building out their back-end developer, connecting their API and micro services. So now you can extend so much from the Encompass platform. And we’ve taken other products and hooked them to Encompass — we have a pretty innovative work queuing system for our fulfillment people, within operations, that’s all been enabled by using a different third-party product. We tend to lean towards buying and extending, but we do a lot of custom stuff as well.

SW: What’s been the biggest change since you started at PRMG in 2005?

JA: I was going back through some old PRMG stuff and they had “the five tenets of mortgage lending success” and it was: product, pricing, compensation, marketing, and fulfillment. Well, technology is now the sixth tenet, because you can’t do any part of the other ones without the technology and that’s where the big change has happened. People are just clamoring for technology to get an edge, especially now.

The biggest shifts are just in the last two or three years. Back in 2020 and into 2021, you could go out in the parking lot with a net and just catch loans. We put a huge amount of effort into building a fantastic CRM platform, but you couldn’t get anyone to touch it — they were all too busy simply getting loans. And then that changed fast. Now, if you’re in the wholesale business, you need to know what every broker is, what all their people are doing, what kind of loans each of them are doing, and what’s your wallet share with every lender.

Of course, if I had to go back and pick a point in time that really changed mortgage data, it was the 2008 mortgage crisis and the regulations that followed. Now every mortgage that’s recorded has a lender name and it’s got the originator’s NMLS number on every single loan. And that enables just a tremendous amount of data that’s available to be collected and used. That didn’t exist before.

That’s how I can take any lender, any broker shop anywhere in the country, and show you exactly what their mix of business is on different types of loans — purchase or refinance — and what percentage is PRMG. I actually have the data.

SW: Let’s talk about the CRM you mentioned. We know that the time to build is in a slower market, but what does that look like?

JA: Well, within the IT world, we’re just as busy now as we were before, even though the business is slower. Before, we were just trying to hang on and keep the rivets from popping out, just from everything going so fast. But now it’s all into rebuilding. So, there is a lot of work on CRM, marketing platforms, but increasingly quite a bit around compliance, especially around privacy. That’s really become a burden.

But I do agree this is a time to build new capabilities when you have this kind of an opportunity. And we’re looking at changing platforms, looking at new point of sale systems, trying on a lot of technology. I mean, I can’t tell you how many people we talk to, and how many products we look at and ideas that we’ve been getting exposed to.

SW: Is there a type of technology that you’re seeing now, that people are pitching you, that you think is new and really exciting?

JA: One good example is we changed our product and pricing engine. We’ve been using the big common one on the market, Optimal Blue, for so many years, since about 2016 when we changed from another one. We wanted to be able to get more out of our product and pricing engine, so we made a shift this year over to a new platform, which is called Polly X. A pricing engine is something no one ever really wants to have to change because the whole world is tied into that: every product, you’ve got every overlay and everything else. And we’re also looking at changes for our wholesale lending technology to help streamline that.

And when it comes to digital marketing, there’s nothing that’s off limits. I would say search engine optimization and customized websites for loan officers, those are areas where we’ve had some success.

The world of lead generation has really gotten tight, we’ve been looking at new ways to get better data there. We will get lower mortgage rates one day, right? So, we’ve been putting time into building and working on technology for call center tech, things of that sort.

And the CRM — we have our main CRM for retail and a different one for wholesale. But we were looking at actually doing some test implementations on a couple of other ones that are more interesting to really high producing loan officer teams.

And of course, lots of integrations — everywhere where you can build a connection. FinLocker is the company that we’ve been working with an integration to offer that kind of capability, they call it a financial locker for borrowers, where they keep all their data. And consumers can work and use tools to improve their credit and then one day they come back as a borrower or repeat borrower. Another company called Credit Evolve is a really legitimate credit counseling service and we try to move people there who need help.

So, we just try not to leave anything on the table. If somebody would have said two years ago, hey, we could have saved 59 loans out of the kazillion loans that we did, nobody would pay attention. But now it’s like, we could have saved 59 loans if we would have followed this process: it means something. It certainly means something in the pocket of those loan officers who can help those people get into a home.

SW: What do you see on the horizon that you think we should be paying attention to now?

JA: First, privacy is a huge area. In Europe, with GDPR, they’re pretty far ahead of us, but our government is catching up really fast. But the biggest thing is just the web of state regulations. Companies that learn how to navigate the privacy landscape are going to have a really strong competitive advantage. But it’s not an easy landscape to navigate. We wrangle with it every week.

For example, you have to have prior written consent from borrowers to do just about anything with their data. Even if you want to help them in some way — like referring them to a credit counselor or getting a homeowner’s policy — you have to have consent to do that. So, you’ve got to build that infrastructure into your system and then you can reuse that process over and over again on your different platforms.

Secondly, when you get into the security realm, that’s become very much a different world with the FTC — they’ve re-released a whole new set of safeguards, guidelines that fully took effect in June. And there are all kinds of new nationwide requirements for all mortgage lenders that are subject to that rule, things like using multifactor authentication, encrypting all of your data, a whole lot of requirements that I know a lot of smaller lenders are struggling with. We’re doing okay on it. But I know the trouble we’ve gone through to get to where we are, and I know how difficult it is, especially for lenders that maybe don’t have that experience.

SW: How does your background in security inform what you’re doing now at PRMG?

JA: I’d like to say it’s just kind of built into all my decision-making. If I was just a security officer, I would probably be more highly focused just there, but I’m also chief information officer, so we have to get things done and business has to move forward, so you have to find solutions.

There’s no perfection. I mean, if you think wow, I’m secure, all you need to do is go to a cybersecurity conference and listen to these guys get up there and tell you how you’re hosed. So there’s no perfection, there’s just best efforts and making sure that your choices are sound and you can document what you’re doing.

My background has served me well, but it’s a steady, long-term path toward building a secure company. It just doesn’t happen overnight or even in a year. It’s a multiyear plan.

SW: How do smaller companies cope with these kind of issues?

AJ: I think that’s going to be a real test now that the regulations are getting more teeth in them. Everyone’s getting into the game, every regulator, state and federal, and not just that, but all of your counterparties — your warehouse banks and the government sponsored entities, they all have their own audits and their own questionnaires. And they’re all checking the boxes and trying to ensure that everybody’s secure out there. So there is a lot of scrutiny and I think over time, smaller companies are going to remain at a disadvantage there.

SW: With your security background, what keeps you up at night?

JA: Actually, I sleep pretty good. But if I had to pick among the small things that bother me the most in the security world, I think it’s what everyone fears: these ransomware takedowns.

Everybody’s afraid of getting their systems encrypted, having someone get control of their data, and everybody has that same risk. And there are companies in the mortgage industry that have been taken down like that — I assume most of them had to pay the ransom.

And then beyond that is just any kind of large-scale data breach. I don’t see how you can really do business in this space without a strong cyber insurance policy, but I know there are companies out there that don’t have them because they can’t get them. We do. But that market is really tough and if you don’t have a good system, and good controls that you can demonstrate to the insurer, then you’re going to have a tough time getting coverage.

SW: What’s exciting about the future of technology and mortgage?

JA: There’s a lot of promise in artificial intelligence and machine learning. Just about everybody in this country is using that technology already — we have it in our cybersecurity systems. And I think the real promise in lending is what you can do to help speed the process: helping borrowers find the right product and helping underwriters in making decisions faster. I think that’s the exciting, fun part.