LoanPro account security features overview

How LoanPro's security features help maintain operational security and regulatory compliance.

Both for regulatory compliance and your own operational security, it’s essential that your data is kept safe. To that end, LoanPro’s platform is built to meet and exceed current standards, with protections in the UI, the API, and the underlying infrastructure, and a special focus on sensitive financial information such as payment methods.

This article gives a quick overview of the security measures protecting your data and borrowers in LoanPro. The articles linked throughout give more detail about setting up specific features.

Regulatory requirements and certifications

Before diving into the details on specific security measures, here is a quick roll call of the legal requirements and industry standards LoanPro adheres to:

  • LoanPro adheres to U.S. federal regulations such as the GLBA Safeguards Rule, international data-protection laws such as the GDPR and PIPEDA, and state or regional rules such as the CCPA.
  • LoanPro maintains AICPA SOC 1 Type II and SOC 2 Type II reports, PCI DSS Level 1 certification, and ISO/IEC 27001:2022 certification to demonstrate compliance with these requirements.
  • LoanPro undergoes audits at least annually for SOC 1 and SOC 2, PCI DSS Level 1, and ISO 27001 compliance.
  • LoanPro’s platform undergoes full internal and third-party penetration tests at least annually. Vulnerability scans are performed monthly with HackerGuardian and Veracode SCA.

UI security

To ensure personally identifiable information (PII) is only viewed by employees with an express need to do so, LoanPro allows you to restrict employees’ access to specific data and locations within the software. Several tools restrict access independently, so they layer: a user must pass every applicable restriction, not just one.

Access can be restricted in the following ways:

Role-based access

Roles are sets of access settings assigned to groups of users; a user with an Admin role might be able to view and update data and settings that a user with a Servicing Agent role is unable to access.

Roles are fully customizable. LoanPro offers out-of-the-box configurations for common positions (e.g., Admin, Agent, Loan Servicing Manager), and clients can use these as they are, customize them, or create their own.

Editing an existing role lets you adjust access settings for all employees with that role, streamlining any security changes.

When configuring a role, you’ll also be able to control which API endpoints the user can access (see API security below).


Search restrictions

Search restrictions limit the accounts an agent can view. For example, you might limit third-party servicers to only viewing accounts they’ve been contracted to manage. You’d assign each account a portfolio marking it as one of theirs, and then assign each third-party servicer a set of search restrictions that limits them to only viewing accounts with that portfolio.

Search restrictions can be limited to a single factor, like the portfolio in that example, or a more complex combination of dynamic account and borrower information. Once those criteria are in place, you can restrict what kind of access the agent has in specific areas (view-only, full access, etc.).


Walkthrough groups

Agent Walkthroughs guide users through your processes; rather than manually navigating through an account, they follow a clear clickpath with instructions tailored to their task and the specific account. Complex processes like making an SCRA adjustment or verifying a bankruptcy become clear and streamlined, while minimizing the possibility of user error.

But to make sure those processes are only completed on the right accounts at the right time, Agent Walkthroughs have several security measures in place.

  • First, agent users are assigned to Walkthrough Groups. The group gives them access to some, all, or none of the Agent Walkthroughs in your tenant. 
  • Second, each Agent Walkthrough can be controlled with rules and validations, ensuring that an account meets specific criteria before an agent can begin the process.

It’s important to note that while using an Agent Walkthrough, a user is temporarily granted access to the screens and settings it navigates to, even if their role would not otherwise allow it. This lets you keep sensitive information and tasks out of agents’ roles and grant access only when needed, through the walkthrough. The rules and validations on each walkthrough therefore act as the access control for those screens, and should be reviewed with the same care as role permissions.


IP-based access

LoanPro can restrict access to your tenant based on the IP address an agent is connecting from when they log on. You can restrict access through either whitelisting or blacklisting:

  • IP Address Whitelisting allows agents to access LoanPro only from a specific list of approved IP addresses.
  • IP Address Blacklisting allows agents to access LoanPro from any IP address except a specific list of blocked addresses.

These restrictions can be assigned on an individual basis, allowing you to control access for specific groups or employees rather than through a single, across-the-board setting. Keep in mind that the restriction applies to the address LoanPro sees the traffic arrive from: everyone behind a shared office NAT or VPN egress address is treated the same way, so IP restrictions complement role-based access rather than replace it.


Technology and data security

Beyond the security features governing how agents interact with our UI, LoanPro safeguards your data and operations with security measures built into our technical infrastructure.

Cloud

LoanPro is cloud native, and employs several security measures to keep your data secure:

  • Amazon Web Services (AWS) security. All platform data is stored in AWS, primarily in the US East (Northern Virginia) region. Each LoanPro tenant’s data is stored in a separate database. LoanPro undergoes external and internal penetration testing of both the application and its network at least annually. We also use infrastructure-as-code and serverless components to guard against data loss, corruption, or performance degradation during peak usage.
  • Encryption. Within LoanPro, all data is encrypted in transit and at rest. We use unique encryption keys that are regularly rotated through the AWS Key Management Service. All web traffic is encrypted with HTTPS/TLS when the receiving end supports it; TLS 1.2 and 1.3 are supported, so any endpoint you point LoanPro at (a webhook receiver, for example) should accept one of them, or that traffic will not be protected in transit. Block-level encryption is used for VMs. Some data (PII, for example) is also encrypted at the application level.
  • Code deployment. Software changes are deployed using a CI/CD methodology and infrastructure changes using blue-green deployments, neither of which requires downtime. Clients are notified at least 90 days in advance of any change to the LoanPro platform that may impact service, including any anticipated downtime.

API

LoanPro’s API security safeguards access with granular controls, following the same role-based access structure and setup as the UI.

When configuring a role (see role-based access above), you set up both UI and API permissions. You can grant or deny access to the specific endpoints and HTTP methods a user can send API requests to.

Each agent user with API access is issued their own API keys, which they then present in the headers of API requests. Because keys are issued per user, API activity is attributable to that user: the system keeps a complete audit trail of all actions taken, by which user, and whether those actions were performed in the UI or through the API. For the same reason, a user’s keys should be revoked when their access is removed, rather than left to expire.


Webhook security

LoanPro also provides security measures through Advanced Connections, our webhook tool. When creating a webhook, you can either create an Authorization Token that is used only for that webhook configuration, or reuse an existing authorization token.

To create a token at the webhook level, either enter a token you have generated yourself into the “Authorization Token” field, or select the “Generate Token” button to have a secure token generated for you. LoanPro then sends this token in the webhook’s headers as the Authorization Token, and your receiving endpoint should verify it on every delivery before acting on the payload.
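The verification a receiving endpoint should perform, as an added example in Python; it is not LoanPro’s code, and the webhook names, token values, and the exact header (Authorization, with or without a Bearer prefix) are assumptions for the example. The token is looked up per webhook, so a token issued for one webhook is rejected on another, the comparison is constant-time, and anything unexpected fails closed with a generic 401.

```python
import hmac
import secrets
from typing import Mapping, Optional

# Constructed sample: the tokens configured on each Advanced Connections webhook,
# as stored on the receiving side. Names and values are assumptions for this example.
WEBHOOK_TOKENS: dict[str, str] = {
    "payment-posted": "Q4xv1Zl7Ps3vE0k9cMGbr-example-token-A",
    "loan-status-changed": "hJ2Lw8fKq1nT5yR0dXc7-example-token-B",
}


def generate_token(nbytes: int = 32) -> str:
    """Generate a random token to paste into the 'Authorization Token' field.

    secrets draws from the OS CSPRNG; the URL-safe alphabet survives copy/paste
    into headers and configuration fields without escaping.
    """
    return secrets.token_urlsafe(nbytes)


def extract_token(headers: Mapping[str, str]) -> Optional[str]:
    """Return the presented token, or None if the header is absent or empty.

    Header names are matched case-insensitively. The example assumes the token
    arrives in the Authorization header, optionally prefixed with 'Bearer'.
    """
    for name, value in headers.items():
        if name.lower() != "authorization":
            continue
        parts = value.strip().split(None, 1)
        if parts and parts[0].lower() == "bearer":
            value = parts[1].strip() if len(parts) > 1 else ""
        else:
            value = value.strip()
        return value or None
    return None


def verify_webhook(webhook_name: str, headers: Mapping[str, str]) -> bool:
    """True only if the presented token matches the token configured for this webhook.

    hmac.compare_digest keeps the comparison constant-time, so response timing
    does not leak how many leading bytes of a guess were correct. An unknown
    webhook name or a missing header fails closed.
    """
    expected = WEBHOOK_TOKENS.get(webhook_name)
    presented = extract_token(headers)
    if expected is None or presented is None:
        return False
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


def handle_delivery(webhook_name: str, headers: Mapping[str, str], body: bytes) -> tuple[int, str]:
    """Minimal request handler: authenticate first, and only then touch the body."""
    if not verify_webhook(webhook_name, headers):
        # Same response whether the name or the token was wrong, to avoid an oracle.
        return 401, "unauthorized"
    # ... parse and process body here ...
    return 200, f"accepted {len(body)} bytes for {webhook_name}"


if __name__ == "__main__":
    print("new token:", generate_token())
    print(handle_delivery("payment-posted",
                          {"Authorization": "Bearer " + WEBHOOK_TOKENS["payment-posted"]},
                          b'{"event": "payment.posted"}'))
```

Keeping one token per webhook, as the per-webhook option in Advanced Connections allows, means a token that leaks from one integration cannot be replayed against another, and can be rotated without touching the rest.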

PCI-DSS and payment tokenization

Keeping payment information safe and in line with Payment Card Industry Data Security Standard (PCI-DSS) requirements is vital for your compliance strategy and borrower trust. At the same time, many of those standards can slow down day-to-day operations.

LoanPro’s solution is to cordon off any data that falls under PCI scope in a separate software system, Secure Payments. Built from the ground up to remain PCI compliant, Secure Payments stores and tokenizes all payment profile information, such as borrowers’ bank accounts and card details. Your borrowers can save a new payment profile through an iframe on your customer website or application; that data is passed directly into Secure Payments, and a unique token is linked to the borrower in LoanPro. Agents can then log payments through the LoanPro UI by referencing the token, without ever handling the card data that would bring them into PCI scope.

Once entered, payment profile information never leaves Secure Payments and can only be used through that token; sensitive information such as card numbers and CVV codes can’t be exported or viewed in the Secure Payments UI.

Secure Payments has additional security measures to comply with PCI-DSS requirements, including automatic logout after 5 minutes of inactivity, 90-day password expiration, periodic API token changes, and field validations to ensure that sensitive information is not stored in unintended locations (for example, a card number typed into a notes field). The same field validations are in place in the LoanPro UI, preventing an agent from accidentally putting LoanPro data in PCI scope.
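A field validation of the kind described above, as an added example in Python that is not LoanPro’s or Secure Payments’ code: it scans a free-text value for digit runs that look like a card number (13 to 19 digits, optionally separated by spaces or dashes) and pass the Luhn check, and rejects the field with a message that masks all but the last four digits. The field names and sample text are constructed for the example.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. The lookarounds stop a 20-digit run from
# matching a 19-digit slice of itself.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the digit strings in text that look like card numbers and pass Luhn."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Show only the last four digits, so the rejection message is not itself a PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


def validate_free_text(field_name: str, value: str) -> tuple[bool, str]:
    """Field validation: reject a free-text value that appears to carry a card number.

    Returns (ok, message). The message is safe to log or show to the agent
    because every detected number is masked.
    """
    pans = find_pans(value)
    if not pans:
        return True, ""
    return False, (f"{field_name}: looks like it contains a card number "
                   f"({', '.join(mask(p) for p in pans)}); enter it through the "
                   f"payment profile form instead, not in free text")


if __name__ == "__main__":
    # Constructed sample inputs: one with a (test) card number, one with a Luhn-failing loan reference.
    for field, text in [
        ("notes", "Borrower called, wants card 4111 1111 1111 1111 used next month"),
        ("notes", "Loan ref 1234567890123456, call back Tuesday"),
    ]:
        print(validate_free_text(field, text))
```

The Luhn check is what keeps ordinary 16-digit loan or reference numbers from being rejected in most cases; a reference number that happens to pass Luhn will still trip the validation, which is the conservative failure for a PCI control. Run the same function on every free-text field that reaches storage, not only the ones that are obviously about payments.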

Unclassified Public Data