Why do some Escrow Companies claim to have the highest level of security when, in reality, they do not? The truth explained.
The sale or purchase of a single family home is often the most significant financial transaction in a person’s lifetime. Escrow is not an option; it is a necessity. So, how does a buyer or seller make an informed decision on whom to use? In order to do that, you will want to select and use a licensed, qualified, and competitively priced independent escrow company. While the escrow process in California is not necessarily easily understood, it is the most commonly used procedure by which real estate is bought, sold, and refinanced. To most home buyers and sellers, escrow is more of an unclear process where sums of money and legal documents exchange hands, and real estate is magically transferred to another at the end, or “close,” of escrow. That said, the rules of doing business in our new digital world have changed drastically. With the exponential growth in cyber-criminal activity, buyers and sellers can no longer afford to just accept deceiving and misleading marketing claims – from those entities or persons that are not personally at risk – of having the best, most secure, highest level of security.
How do you make sure you are working with trusted professionals who are looking out for you and your family’s best interests, i.e., your sensitive information and your hard-earned money? The only way to confirm these grandiose statements is with an unbiased auditor’s report, such as the AICPA SOC 1 Type 2 and SOC 2 Type 2 attestations, ISO 27001, or a SOX Section 404 report. These attestations assure the buyer and seller that the organization has policies, procedures, and systems in place to operate at the highest level of security, processing integrity, confidentiality and privacy.
In the good old days, the days without cyber criminals lurking, escrow companies played a pivotal role in the home buying process without much risk to buyer and seller. After all, carbon paper, pens and pencils, checks and paper files didn’t pose too much of a threat to their clients. What is the worst that could have happened? The office burns down. They lose a file because of a flood, or a check is lost in the mail. Fast forward to the present: all of those problems have been replaced by wire fraud, ransomware, phishing, and the list goes on… If your potential escrow company has not invested the time and resources into its security and into adapting to the new world order, then you should not use it. It is not that they are bad people, but bad things happen to those who don’t prepare for the worst. The only way to ensure that you are working with the most current, or so-called “best practices,” is if they have earned a SOC 1 and SOC 2 Attestation.
I have only found a small handful of companies that truly possess the AICPA SSAE 18 SOC 1 Type 2 Audit and the SOC 2 Type 2 Audit. The frustrating matter at hand lies with shady operators claiming to have the AICPA attestation or just simply copying the logo from the AICPA and displaying it proudly on their website. There is no registry one can check to see if they actually have the attestation. You have to directly ask the company for their SOC report and make sure that it is current. The SOC report is prepared once a year after an exhaustive audit and is valid for 12 months following the date of the report. If the company cannot provide the correct dates when it was audited, then it’s as though they never had an audit to begin with.
I happily state that the company I represent as the Chief Operating Officer, Granite Escrow & Settlement Services, has maintained our AICPA SSAE 18 SOC 1 Type 2 and SOC 2 Type 2 attestations throughout the past several years. This year COSO (a joint commission to combat cyber crime) revamped 56 critical controls on the SOC 2 audit, and I am happy to say Granite passed our SOC attestation with flying colors. I have an auditor’s official report to prove it.
So, to recap the process, the choice of escrow is normally agreed upon by the principals to a real estate transaction and reflected in writing in the purchase contract. A seller may elect to choose “ABC Company” and the buyer may choose “DEF Company,” but both parties must ultimately agree, as they must on all terms and conditions of a sale. If a real estate broker is involved, it may be a common practice for the broker to recommend an escrow company, especially if the broker continually does business with a particular escrow officer or company. With a refinance transaction, if you are a borrower refinancing your property and working with a mortgage broker, it is usually the broker who will select and/or recommend an escrow provider for you.
However, while a real estate broker may suggest an escrow holder, he or she may not designate an escrow holder as a condition precedent to a transaction. Traditionally the listing agent recommends a particular escrow company to the sellers, but in today’s cyber-criminal intense world, the buyer is more at risk, as their money sits in escrow for the longest period.
In my opinion, it is incumbent that both the buyer and seller not only pick an independent escrow company, but more importantly choose an escrow company that has been audited and also obtained either the AICPA SOC 1 and SOC 2 attestations or ISO 27001 or SOX section 404 report. Do not take the agent’s word on the validity of the attestation; ask to see the report.
Would you buy a Rolex from the man in the parking lot who held up a sign saying “real Rolex for sale”? Your decision could take you from home ownership to homeless because you didn’t bother to ask the tough questions. Do not become an FBI statistic.