top of page
Search

Baseball, Nachos, and Borrower Data: What Could Go Wrong?

Modern mortgage teams don’t work in tidy, controlled environments anymore. They work from minivans, coffee shops, front porches, and airport gates. And that’s where mobile mortgage security becomes more than an IT talking point. 


Consumer expectations pushed the industry toward instant responsiveness, and lenders followed. But as mobility increased, so did exposure. Today’s biggest operational risks aren’t always found in the LOS; they’re found in the places your people are accessing it.


mortgage pro using laptop outdoors

A Real-World Example From the Bleachers

Let me start with a true story from the mortgage trenches.


A few years ago, a loan officer was sitting at their kid’s baseball game. Sun out, nachos in hand, life good. Then the LO got a call about a mortgage application — and took it. Right there in the bleachers. In earshot of parents, snack shack volunteers, and one very observant stranger who apparently had no trouble relaying the borrower’s private business to the wrong people.


A denial was overheard. It led to a complaint. And because this is mortgage lending, the complaint turned into a lawsuit.


That was before we handed out mobile apps to everyone. Today, the problem looks a little different — but the risk hasn’t changed.


Now we have loan officers processing applications on personal phones, checking DU results from the bleachers, updating closing timelines in grocery store lines, and discussing wire instructions at Starbucks. And somewhere across the field is a bad actor who only needs to hear one thing:


“We’re closing Friday.”

“They just got clear-to-close.”

“I’ll send over wiring instructions.”


That’s enough to trigger a fraud attempt — and in more than a few lenders’ cases, it has resulted in lost earnest money, stolen down payments, and a very long conversation with the borrower, the warehouse bank, and… well, sometimes the CFPB.


Welcome to lending in the age of mobile everything — a world where mobile mortgage security determines whether convenience becomes risk.


Mobile Mortgage Security: Why Unsecured Access Is the Real Problem

Consumer-direct lending is no longer confined to an office or a desk. Let’s be honest — sometimes it’s not even confined to a reliable Wi-Fi signal.


Lenders want responsiveness. LOs want flexibility. Borrowers expect speed.

So no, telling your sales team to “never use a cell phone” isn’t realistic. Most lenders know this. Most compliance teams know this. Yet the policies often stop at:


  • “Don’t discuss borrower info in public.”

  • “Use your best judgment.”

  • “Avoid unsecured Wi-Fi networks.”


Great advice. Almost universally ignored.


Because people work where they are. And if where they are happens to be a Little League field, the risk travels with them. That’s why we must build mobile mortgage security around behavior, not just devices.


What Regulators Expect (But Rarely Say Out Loud)

Here’s the regulatory backdrop that gets glossed over in the bleachers:


GLBA Safeguards Rule

The Gramm-Leach-Bliley Act (GLBA) requires access controls, device protections, encryption, and ways to detect unauthorized access. Yes — this applies even when the access point is an LO’s iPhone.


FTC Data Security Expectations

“Reasonable security” includes preventing unauthorized disclosure. A public conversation about a mortgage file may not be a classic “breach,” but regulators don’t love nuance when consumer harm occurs.


UDAAP

If a borrower loses money because the lender didn’t protect their information, you’ve crossed into potential “unfairness” territory according to Unfair, Deceptive, or Abusive Acts or Practices (UDAAP).


State Privacy Laws

CA, CO, CT, VA, and others expect you to implement technical and administrative safeguards, including when employees are using mobile devices outside controlled environments.


None of these rules forbid mobile lending. But they do forbid mobile lending without guardrails — which brings us to the uncomfortable middle ground where most lenders live today.


Company Phones: The Most Loved (and Hated) Solution in the Industry

Mention “company-issued phones” to operations leadership, and you’ll get two reactions:


  1. “Thank you — finally.”

  2. “Absolutely not — the LO rebellion would be swift and merciless.”


Both reactions are fair. But here’s the truth:


Company-issued phones solve a problem that personal devices simply can’t.


A company phone can be:

  • Locked down (MDM controls)

  • Monitored (security logs)

  • Restricted (no rogue apps)

  • Encrypted consistently

  • Wiped remotely if lost


A personal phone?


You may be negotiating with someone who downloaded five emoji keyboards, two shopping apps, and a mysterious VPN called “Pineapple Breeze.”


Are company phones perfect? No.

Are they politically easy? Definitely not.

Are they becoming necessary? Increasingly, yes.


Especially when you consider the alternative: Uncontrolled devices with access to NMLS data, AUS results, credit reports, and closing timelines.


That’s a lot of risk to leave in a glove compartment — and a direct challenge to mobile mortgage security.


But This Isn’t Just About Phones. It’s About Access.

“If they don’t use a phone, they’ll use a laptop. And they’ll bring that laptop to the same baseball game.”


Exactly. This conversation isn’t about hardware. It’s about where someone can access your systems, under what conditions, and with what level of verification.


If the tech stack is wide open (logins from personal phones, personal laptops, public Wi-Fi, unknown IP addresses), then the device is the least of your problems.


You need guardrails, not guidelines.

Why Training Falls Flat — and How to Make It Actually Matter

Loan officers get required security training multiple times a year ... and many sleepwalk through it.


Not because they don’t care. Not because they’re reckless. But because after a while, every required course starts to feel like a box to check, not a principle to live by. And that’s the opportunity.


When people forget the “why” behind the rules, the rules stop mattering. They forget:


  • Why GLBA matters

  • Why protecting borrower data isn’t optional

  • Why one overheard comment can turn into a fraud attempt

  • Why the LO is often the final line of defense between the borrower and a bad actor


If the training doesn’t connect those dots, it becomes noise. Great security programs don’t just teach rules. They teach purpose.


When someone says, “Don’t access borrower files on public Wi-Fi,” that’s a rule.


When someone explains, “We’ve had borrowers lose down payments because criminals overheard closing timelines,” that’s purpose.


Purpose sticks. Purpose changes behavior.

A Practical Checklist for Operations Leaders

Focused on real-world operational challenges and what exam teams expect to see — all through the lens of stronger mobile mortgage security.


1. Require Multi-Factor Authentication for All Systems

If an LO can get into LOS, POS, CRM, and email with a single password, the game is already over.


2. IP Restrictions (Where Possible)

Even partial restrictions reduce exposure significantly.


3. Mobile Device Management (MDM)

For company devices or personal phones enrolled in a managed profile.


4. Prohibit Public Conversations About Borrower Files

Yes, put it in writing. Yes, reinforce it regularly.


5. Require VPN or Zero-Trust Network Access

Especially for laptops used outside the office.


6. Train on Wire Fraud Red Flags — Again

The scams evolve. Your training should, too.


7. Review Your Safeguards Rule Compliance Annually (At Minimum)

Documentation is your friend.


The Real Point: Mobility Is Inevitable. Insecurity Doesn’t Have to Be.

Mobility has reshaped mortgage lending for the better. Borrowers get faster responses, loan officers can work wherever they are, and leadership benefits from the flexibility that previous generations didn’t have.


But confidence — from regulators, borrowers, and your own internal teams — only exists when thoughtful, enforceable security controls support mobility. Mobile mortgage security isn’t about restricting productivity; it’s about making sure productivity doesn’t create unnecessary risk.


Strong controls don’t slow teams down. They make borrowers feel safer, exams go more smoothly, and leadership sleep better. And in a world where every lender promises convenience, the ones who also deliver security will stand apart.


If You Want a Second Set of Eyes …

Loan Risk Advisors reviews policies, access controls, system configurations, and training practices for lenders nationwide. If you want to strengthen your mobile security posture (without designing a system that LOs will revolt against), we can help you find the balance.


Because the bleachers should be for baseball, not borrower data.


Call us today for a free, no-pressure conversation about what keeps you up at night. We’re here to help.

Comments

bottom of page