PRIVACY POLICY
Objective
To document MMCD’s policies and procedures for ensuring customer / consumer privacy.
Required Review
Review of and necessary changes to these policies and procedures are made pursuant to agency, regulatory and business requirements’ changes.
Scope
These policies and procedures apply to all MMCD employees.
Background
MMCD is bound by various laws to ensure consumer / customer privacy.
The primary law is Regulation P—Privacy of Consumer Financial Information, which implements relevant portions of the Gramm-Leach-Bliley Act.
Regulation P is concerned specifically with the protection of nonpublic information, which consists of:
- Personally identifiable financial information that is not publicly available information.
- Lists, descriptions, or other groupings of consumers (including publicly available information contained therein) that are derived using personally identifiable financial information that is not publicly available.
Regulation P restricts the disclosure of nonpublic personal information to nonaffiliated third parties. It also requires notification of the financial institution’s policies and practices regarding the disclosure of nonpublic personal information and whether a consumer is entitled to opt out of those disclosures. The disclosure responsibilities vary, depending on whether the individual is a “consumer” or a “customer”.
- A “consumer”, for MMCD purposes, is a loan applicant—whether or not he/she closes the loan. (Simply said: has a one-time relationship with MMCD)
- A “customer”, for MMCD purposes, is an individual who closes a loan with MMCD. (Simply said: has an on-going relationship with MMCD, assuming that we service the loan)
Note: At MMCD, the applicant is a consumer until he closes the loan; then, he becomes a customer until such time as MMCD transfers the servicing and ownership of the loan.
Fair and Accurate Credit Transactions (FACT) Act of 2003 (implemented by the FTC) is another law that requires MMCD’s preservation of consumer privacy. It requires financial institutions and creditors to develop and implement written identity theft prevention programs (Red Flag Rules). Refer to MMCD’s Red Flag Program.
Standards for Safeguarding Customer Information. This rule was published by the FTC in 2002, in compliance with requirements established by sections 501 and 505(b)(2) of the Gramm-Leach-Bliley Act. Its aim is to establish standards relating to administrative, technical and physical information safeguards of financial institutions.
California Financial Privacy Information Act (“CFIPA”). This Act goes beyond the provisions of Regulation P by requiring financial institutions to provide customers and consumers with extended information to protect their nonpublic information.
California Consumer Privacy Act (“CCPA”). This Act was signed into law in June 2018 and became effective January 1, 2020. It grants California consumers robust data privacy rights and control over their personal information, including the right to know, the right to delete, and the right to opt-out of the sale of personal information that is collected, as well as additional protection for minors.
Important Prerequisite Understanding
- MMCD has neither affiliates nor non-affiliates as defined by any of the privacy laws;
- MMCD does not disclose nonpublic information to anyone and does not reserve the right to do so; and
- MMCD has both “consumers” and “customers” as defined by Regulation P. Refer to Annual Disclosures below.
Compliance with Regulation P
MMCD provides an initial privacy notice to all applicants (consumers).
- Contents: MMCD’s initial privacy notice (an abbreviated format—see Privacy Notice) includes:
  - Categories of information MMCD collects;
  - MMCD’s policies and practices with respect to protecting the confidentiality and security of nonpublic information; and
  - The fact that MMCD does not disclose nonpublic personal information about current and former customers to affiliated or nonaffiliated third parties.
- Timing: MMCD includes the privacy notice with the early disclosures.
The applicant is a “customer” only for those loans serviced by MMCD. Any MMCD servicing is or will be conducted by a third party under a servicing agreement. Such agreement includes representations and warranties relating to the issuance of Regulation P’s annual privacy notice and prohibiting the disclosure of nonpublic information to any nonaffiliated third party, except as authorized by law.
Compliance with Fair and Accurate Credit Transactions (FACT) Act Of 2003
Refer to MMCD’s Preventing Money Laundering and Other Related Fraudulent Activities (AML, BSA, OFAC)
Compliance with Standards for Safeguarding Customer Information
“Customer information” means any record containing nonpublic personal information about a customer, whether in paper, electronic or other form. The Standards require that financial institutions develop, implement and maintain a comprehensive information security program that includes:
- Physical safeguards for privacy
- Operational safeguards for privacy
- Electronic safeguards for privacy
To that end, at MMCD:
- Three employees are designated to coordinate MMCD’s information security program: the compliance officer, EVP of Operations, and EVP of Information Technology.
- MMCD has partially identified and mitigated internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information.
- MMCD’s physical and operational safeguards for privacy are outlined in Exhibit A.
- MMCD maintains security breach policies and procedures. Refer to MMCD’s Security Breach Policies and Procedures.
Compliance with California Financial Privacy Information Act (“CFIPA”)
MMCD complies with CFIPA by providing initial and on-going employee training regarding the company’s responsibilities under the act.
Compliance with California Consumer Privacy Act (“CCPA”)
MMCD does not sell the personal information of our consumers. Refer to Exhibit B for the supplemental privacy policy surrounding this Act.
EXHIBIT A
MMCD Physical, Operational and Electronic Safeguards to Protect Consumer Privacy
Physical privacy
Important Note: MMCD’s loan records are electronic / paperless. Thus, the only consumer nonpublic information / documents that may be present in the environment are those that are in hard copy format prior to scanning for the loan record or are employee printed.
Identified risks: The misuse of consumers’ nonpublic information which may be visible and accessible in MMCD’s physical environment.
Specific MMCD physical areas that are modestly susceptible to breach of privacy:
- Employee desks – where loan documents containing consumers’ nonpublic information may be displayed prior to scanning
- Employee recycle boxes – where unnecessary consumer or file documentation is temporarily disposed of
- Copy centers – where loan documents are scanned for company use
- MMCD offices – from which nonpublic information may be removed
Safeguards:
Although MMCD’s loan records are electronic / paperless, the following safeguards exist in the event that nonpublic information / documents are in the pre-scanned stage:
- Each site has a designated employee who performs the end of day inspection.
  Note: Safeguarding nonpublic consumer hardcopy information on desks during the day is unnecessary, as employee desks are not visited during the day by non-employees.
- MMCD has locked “shred bins” at each of its sites. Any hardcopy sensitive information is disposed of by placing the material in the shred bin. Typically, employees have a recycle box at their desks. These boxes are emptied into the shred bin at the end of each day. Each site has a designated employee who performs the end of day inspection.
- Each copy center is inspected thrice daily for abandoned material. This inspection is performed by a designated employee at each site. Additionally, a large sign is posted in each area, reminding employees of the need to maintain privacy.
- Employees may not remove (by printing) hardcopy consumer documentation from MMCD’s physical site—for any purpose.
- Each MMCD office is attended by an employee during business hours. Each office is locked at the close of the business day. Individual offices that may contain sensitive information (human resources, accounting) are individually locked.
- MMCD offices do not retain “shadow files.” All permanent loan files are electronic.
  Note: Files assembled in MMCD’s pre-paperless history are retained in off-site storage. MMCD has contractual agreements with the off-site storage vendor regarding safeguards. These files can be retrieved when necessary.
Operational Privacy
Identified risks:
- Service providers may breach privacy: Individuals or companies that provide necessary services for loan processing may pose a risk to consumer privacy.
- Employees may deliberately or inadvertently provide nonpublic consumer information to an unauthorized recipient.
- MMCD’s support departments (e.g., accounting and human resources) may provide nonpublic employee or consumer information inadvertently.
- Loans to employees may be accessed by unauthorized personnel.
- MMCD may experience a security breach and must notify consumers of the breach.
Safeguards:
- Contracts with service providers (credit report agency, shipping / courier services, file storage vendor) include provisions for information safety and warranty or bonding.
- Employees receive periodic training regarding MMCD’s privacy policies, including specific examples of when information can be provided and when it cannot. Additionally, such training includes verifying the identity of the information recipient.
- MMCD has a specific policy regarding the management of employee loan records. This policy identifies the individuals who have access to these records.
- MMCD’s human resource department performs background and reference checks on all new hires, to ensure the integrity of those individuals who will have access to sensitive information. Also, at hire, MMCD employees are required to acknowledge a confidentiality and security standards agreement.
- Terminated employees are supervised on exit to ensure that sensitive information is not retained by the employee. Additionally, the human resource department retrieves any terminated employee’s access tools.
- Authorization to access consumer sensitive information is provided on a “need to know” basis.
- Employees who disregard MMCD’s privacy and security policies and procedures are subject to disciplinary action.
- MMCD’s compliance officer is responsible for notifying consumers in the event of a privacy breach. The compliance officer may be notified of a breach by any employee. Refer to MMCD’s Security Breach Policies and Procedures.
Electronic Privacy
Identified risks: Nonpublic or sensitive customer information may be lost, accessed without authority, destroyed, used improperly, modified without authority or disclosed.
Information assets referenced in this policy statement are user computers and servers/network.
Safeguards:
- Computers (laptops/desktops) utilized in the field and at the branch level are secured by two levels of passwords: one to log into the physical laptop and another to access MMCD’s systems. Additionally, access to MMCD’s servers is done via an encrypted VPN. Nonpublic borrower information is not stored on the local laptop hard drives. All of this information is stored on MMCD’s central corporate servers in San Ramon, CA.
- Computers (laptops/desktops) used at the corporate site are secured with local level passwords and server access via encrypted VPN. Nonpublic borrower information is not stored on the local laptop hard drives. All of this information is stored on MMCD’s central corporate servers in San Ramon, CA.
- Third party applications that are not related to the mortgage process are not allowed to be installed. Third party applications include file sharing programs, which are gateways to virus/malware infections.
- All SERVERS are centrally located in San Ramon, CA. These servers are secured behind two locked doors and are accessible only to executive management and IT. No third party vendors are allowed in this room unless accompanied by an IT staff member. Additionally, even with supervision, the only vendors who are permitted access are maintenance providers, investor auditors, or industry auditors.
- Servers are all password protected with a unique revolving password that is changed monthly. Network devices that allow server access are also protected this way. Network equipment is locked down to physical access and cannot be remotely controlled via the internet.
- The MMCD NETWORK is protected by a high-end Gateway firewall. All ports/connections are secured and available only to trusted sources on an “as-needed” basis.
- Company policy mandates ENCRYPTION OF ANY COMMUNICATION / document that includes consumer nonpublic information that leaves the company electronically. Permitted encryption methods are: DocuSign, Encompass Secure Form Transfer, and ShareFile.
Exhibit B: California Privacy Policy
This PRIVACY POLICY FOR CALIFORNIA RESIDENTS supplements the information contained in the Privacy Policy Statement of Mason McDuffie Mortgage Corporation (collectively, “we,” “us,” or “our”) and applies solely to visitors, users, and others who reside in the State of California (“consumers” or “you”). We adopt this notice to comply with the California Consumer Privacy Act (“CCPA”). Any terms defined in the CCPA have the same meaning when used in this policy.
Under CCPA, California residents have the right to know about information collected, disclosed or sold, the right to opt out of the sale of certain information, and a limited right to have businesses delete information a business has collected about the consumer. These rights extend only to California residents and information covered by CCPA. Because CCPA does not cover all consumer data in all situations, only certain consumer data is subject to these rights.
Other laws may govern data we gather about you or you provide to us including, but not limited to:
- Information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report as defined by subdivision (d) of Section 1681a of Title 15 of the United States Code, and use of that information is limited by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
- Information collected, processed, sold, or disclosed pursuant to the federal Gramm–Leach–Bliley Act (Public Law 106–102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code).
PLEASE NOTE: Any personal data collected in relation to a mortgage loan is exempt from the consumer rights to know, delete and opt-out created under CCPA because this information is governed by the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the California Financial Information Privacy Act or other state and federal laws which exempt this data from CCPA.
INFORMATION WE COLLECT
We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“personal information”). As described above, not all of the Personal Information collected below is subject to CCPA. All Personal Information collected pursuant to this notice that is subject to CCPA is collected for a Business Purpose and may be shared with service providers if necessary to perform a Business Purpose. We may have collected the following categories of personal information from consumers within the last 12 months: