FHA-approved Mortgagees must comply with regulations on IT security and consumer privacy requirements issued by federal and State(s)* agencies. Mortgagees are best positioned to assess their compliance with requirements issued by these agencies.
(*The term “State(s)” includes the several States, and Puerto Rico, the District of Columbia, Guam, the Commonwealth of the Northern Mariana Islands, American Samoa, and the Virgin Islands.)
Although FHA does not offer any specific guidance on information security, Mortgagees are reminded that the annual recertification process requires them to certify that they have not been sanctioned by any federal or state agency during the Certification Period. The scope of this annual certification statement applies to sanctions regarding IT security and data/consumer privacy issued by other agencies. There is no unique waiver or exemption of this requirement because the subject matter is IT security or data privacy. Mortgagees who have received such findings from other agencies are advised to follow the “Unable To Certify” procedure.
HQ Policy Determination