Flagstar Bank Elements of a Typical ISSP

What are the following in Flagstar bank?

Violations of Policy
a. Procedures for Reporting Violations
b. Penalties for Violations

Policy Review and Modification
a. Scheduled Review of Policy
b. Procedures for Modification

Limitations of Liability
a. Statements of Liability
b. Other Disclaimers
Develop an effective enterprise information security policy (EISP) and issue-specific security policy (ISSP) for Flagstar bank as it recently encountered a PII data breach due to a vulnerable third-party file sharing application

Submitted by: Jubaida Silvi, Kunika Saxena, Melissa Page, Rikta Chakladar
Last Updated Date: 09/30/2021

Table of Contents
Introduction
EISP of Flagstar
The background of Flagstar
The organizational structure
The structure of the information security office:
The IT/IS infrastructure
1. Flagstar bank’s information security policies
2. Procedures
3. Programs
4. Control
5. Opening issues
The IISP of Flagstar
Federal, state, or local cybersecurity or computer laws and regulations, industrial standards
Access Control Telecommunications and Network Security Information Security Governance & Risk Management Software
Investigations and Compliance
References:
Appendix 1: Team Charter

Introduction

On January 22nd, US-based bank and mortgage lender Flagstar bank disclosed that they suffered a data breach after the Clop ransomware gang hacked their Accellion file transfer server in January of this year. In December, cybercriminals affiliated with the Clop ransomware gang began exploiting vulnerabilities in Accellion FTA, which organizations use to share sensitive files with people outside of their organization. On January 22, 2021, Accellion informed Flagstar that its platform had a vulnerability and that a breach had occurred. Flagstar permanently discontinued the use of the file-sharing system after being informed of the issue. Researchers found that the threat group who stole Flagstar’s information from Accellion FTA was not using the December zero-day vulnerability, which had been patched, but rather used a new vulnerability that was discovered in January. After the data was stolen, Flagstar received a ransom note demanding payment in bitcoin or the data would be released to the public.
Figure 1- Example Accellion ransom note received by victims

Ransom demands associated with Accellion attacks have ranged as high as $10 million in bitcoin. After Flagstar began notifying victims of the data breach, the Clop ransomware gang released screenshots of stolen data with a warning that it had stolen a lot more personal data. The shared screenshots illustrate the types of sensitive customer and employee information stolen, including social security numbers, names, addresses, phone numbers, and tax records.

Figure 2- Screenshots of Flagstar data shared on Clop ransomware site

The ransomware gang has only shared a few screenshots of stolen data, but as Flagstar is a bank and mortgage lender, it should be assumed that the threat actors stole further documents containing sensitive information. Based on the numerous Accellion data leaks published by the Clop gang, they are behind all of these attacks and will continue to publish stolen data as victims disclose their attacks. Unfortunately, this means we will likely see further data breaches associated with Accellion FTA hacks soon.

Flagstar’s recent security breach was attributed to the exploitation of a vulnerability in a product of Accellion, a partner of Flagstar that offers a secured file sharing product called FTA. Accellion suffered a cyberattack on Dec 23 last year, which it claimed to remediate using a patch update; it also notified its customers, added new fraud monitoring capabilities, and flagged attack anomalies. Accellion highlighted that FTA was a 20-year-old software and has constantly encouraged its customers to upgrade to its new software, which has a robust security architecture.

EISP of Flagstar

The background of Flagstar

Flagstar is headquartered in Troy, Michigan and has some branches in Ohio, Indiana, and Wisconsin. Flagstar Bank offers home loans, commercial, and retail banking services across all states through a network of wholesale brokers and 87 retail physical offices.
It is a NYSE listed bank that has over 1.1 million borrowers. The business model of Flagstar is to maintain sustainable and predictable earnings to thrive with minimal impact in a fluctuating interest-rate environment through its mix of businesses. Where if interest rates are low, its other business units like mortgage originations, mortgage subservicing and warehouse lending compensates for the net-interest margins. On the other hand, when interest rates are high, business units like commercial and consumer lending offsets. The vision and STAR values highlighted below, guides them to serve their customers and employees through a set of principles and values. Figure 3- Vision and STAR values of Flagstar from their website The organizational structure Layers of administration – tellers, supervisors, managers, financial managers, branch manager, salespersons, IT technicians, security officers, CISO, CEO Number of departments Financial Department: Financial Department, IT Department, R&D Department, Credit Department, Corporate Banking, Risk Management Department, Audit & Inspection The relationship to the IS/IT department – different layers of administration work on different parts of the information systems and information technology. (i.e. managers (all of them) work with IT to increase sales and make plans to submit to higher ups (CEO) for company growth. This can include new equipment (computers, machines, tech needed for banking). IS department is related to employees such as IT techs, security officers, CISO (all of these have to do with keeping security and firewall protections up to date to help prevent attacks) The structure of the information security office: Infosec team is a centrally located team. 
CISO – chief information officer – responsible for implementing and developing an information security program (this includes procedures and policies designed to protect enterprise communications from internal and external threats) Information security managers – responsible for developing and managing information systems cyber security, including disaster recovery, database protection and software development Information security analysts – monitor their organization’s networks for security breaches and investigate a violation when one occurs. Information security staff – this includes IT technicians, IS officers (monitor IT system for threats to security and establish protocols for identifying and containing/removing threats, keeping software for antivirus up to date). The IT/IS infrastructure The type of network (e.g., Internet, internal network, wireless), – The Flagstar bank involves a dizzying array of things from employee laptops and desktops, software applications, customizable dashboards and self-service Kiosk, Flagstar also uses the mobile app to approve transactions and gain visibility to financial status. Flagstar exports activity data directly into financial management software applications. They have hosting networks to networking and cabling linking offices around the world, internet of things (loT) devices, sophisticated enterprise tools and data centers. The number of workstations – for each branch, there are multiple workstations. These include around 3-4 bank tellers, 1 or 2 financial advisors/managers for loans on homes and cars, the office of the branch manager. Salespersons, IT technicians, security officers also each probably have a designated workstation at headquarters but need to be able to have a “mobile” workstation to work at each branch when needed. 
CISO, CEO – these two each have an office at headquarters the software platform (e.g., the operating system) , major business applications, major database management systems and vendors of the technologies and the systems. IT/IS use Flagstar uses a third-party company called Accellion. They operate a file-sharing platform used by Flagstar (and other companies) to store sensitive information on customers and employees, such as social security numbers, phone numbers, and addresses. This helps Flagstar by giving the responsibility of this information to someone else, so that when a breach occurs, they are not the party at fault. It also is an example of using outside resources to better the company. Current information security services: 1. Flagstar bank’s information security policies Password Security Policy: Password protection and security is one of highest priorities for Flagstar bank. This policy establishes a standard for the creation of strong passwords and the protection of those passwords. Internet & Intranet Security Policy: Developed systems & procedures to ensure that internet is used only for business purposes in a secure manner without endangering the security of the Flagstar banks’ network. Information Security (IS) Incident Management Policy: Incident management policy maintained by Flagstar bank is to ensure that when an incident comes, they can respond quickly and effectively. Backup & Recovery Policy In order to safeguard information and computing resources from various business and environmental threats, systems and procedures have been developed for backup of all business data, related application systems and operating systems software on a scheduled basis and in a standardized manner across FB (Flagstar Bank) Security Awareness Policies: All employees of FB, contractors and third-party users shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function. 
Data Security policies: FB uses encryption, firewalls and other technology and security procedures to help protect the accuracy and security of sensitive personal information and prevent unauthorized access or improper use. 2. Procedures Flagstar bank-built processes to identify cybersecurity threats and ensure their data and customer privacy are well-protected. These processes have been built in partnership with Flagstar’s Chief Risk Officer, Chief Information Officer, business unit leaders, and enterprise risk management team. Flagstar’s Chief Information Security and Privacy Officer (CISO) regularly conducts a comprehensive evaluation and testing of our information security program. The results are shared with the Board of Directors. In addition, the cybersecurity team conducts quarterly simulated phishing exercises and social engineering tests to make sure that employees and contractors are following policies and adhering to the proper standards. CISO also conducts cybersecurity training for many of FB’s community and nonprofit partners, and the bank joined the American Bankers Association. 3.Programs Flagstar offers many programs- personal banking, mortgage loans, auto loans, business banking, checking and savings accounts, money market accounts, personal loans. 4.Control Physical control Flagstar Bank maintains a restriction of physical access. They use CCTV cameras and alarm systems to provide complete oversight of the building and critical areas. Software and hardware are designed to work in combination with electronic door locks and authorization guidelines. Access control: Access control means only authorized people can access bank data if they need the data for their work. Flagstar set up a system to maintain authentication of identity. They use biometric and IDs with photographs to find out the authentication. They also have verifying access authorization of electronic devices like fingerprint and face detection. 
5.Opening issues General issues The Banking industry has been exposed to a large number of cyber-attacks on their privacy and security such as frauds with online payments, ATM machines, electronic cards, net banking transactions, etc. These are the general issues that Flagstar bank has. Specific issue: Recently Flagstar bank faced a data breach in March 2021 where hackers gained unauthorized access of customers’ names, Social Security numbers and home addresses. The ISSP of Flagstar 1. Statement of Purpose a. Scope and applicability i. Flagstar’s key points of information security revolve around the values of identifying users/threats, protecting sensitive customer information, detecting threats, responding to threats and recovery of information breached. b. Definition of technology addressed i. Flagstar states on their website that they regularly run tests, such as simulated phishing exercises and social engineering tests, to make sure that employees and contractors are following proper procedures c. Responsibilities i. CISO conducts comprehensive evaluations and test on information security systems to make sure everything is running as it should. The responsibilities of the security policy are to protect employees but also the consumers who use Flagstar Bank. 2. Authorized users a. User access i. While all employees are expected to use bank devices and handle consumer information securely, it is the CISO, Chief Risk Officer, Chief information officer, business unit leaders and enterprise risk management team that are included in the upper management. When an attack occurs, they are the people who would follow the policy guidelines up the chain of command to assess the threat and discontinue it. ii. Not all employees have access to all information b. Fair and responsible use i. All employees handle sensitive information. It is their job to make sure that information is kept secure by checking for proper identification, account information, etc. ii. 
Personal work should not be done on organization equipment, limiting the sites that are explored on the systems handling sensitive information. c. Protection of privacy i. When creating an account with the bank, they ask for a lot of personal information, including but not limited to: 1. Name 2. Address 3. Date of Birth 4. Social Security Number 5. A form of picture ID to have on file ii. They then assign you account numbers. Once you have an account number, you can create online accounts which give the user complete access to their information. IT IS IMPERATIVE THAT THOSE SITES ARE KEPT SAFE in order to keep hackers from gaining access to thousands of people’s personal information. iii. The bank states they have three lines of defense to keep private information secure 1. First line of defense a. This includes responsibilities such as identifying, managing, and mitigating risks associated with directly conducting business in the bank. They help to implement and maintain processes and practices to ensure conformity with all applicable policies, laws and regulations b. Second line of defense is made up of the bank’s independent risk management. These units assess, report, and escalate risks and issues independent of First Line Defense and provide additional support when managing risks c. Third Line of Defense consists of internal audit and loan review, whose responsibilities can include providing timely, relevant, independent, and object enterprise-level perspectives regarding the effectiveness of governance, risk management, internal controls, and the quality of loan portfolios 3. Prohibited users a. Disruptive use or misuse I. This area includes using computers for personal work, use of cell phones while helping customers, trying to access information that is unauthorized, sharing of information with others that do not have authorization to access it. Ii. Cannot collect or store personal information about others iii. 
Impersonating any person, business, entity, or IP address Iv. Alter, damage, or delete any materials or content provided by flagstar v. There is a full list on this web page (https://www.flagstar.com/legal-disclaimers/terms-of-use.html) b. Criminal use i. Allowing outside hackers into the systems, transferring money from accounts without permission from the account owner, allowing access to unauthorized users c. Offensive or harassing materials i. Sharing of sensitive information d. Copyrighted, licensed, or other intellectual property i. These can include the name “Flagstar”, the design of their website, any imaging or symbols they use to help identify the business 4. Systems management a. Management of stored materials i. All computers, routers, Switches, wires, and any other equipment used is kept in a secure, safe place. They discuss in the privacy statement what information is collected and how it used, but there are some things you can opt out of. b. Employer monitoring i. Each employee is mandated to security training and policy reviews annually. 2020, 100% of employees completed this training. c. Virus protection i. As stated earlier, they run many tests on a regular basis to try and keep their networks as safe as possible d. Physical security i. Security guards are posted outside of banks, along with cameras. A lot of banks also have protective glass between consumers and tellers e. Encryption i. Information is encrypted that can be harmful to the consumer, especially when sharing information with other banks. Passwords and user names for online accounts to gain access, also two-step authentication has become more popular Federal, state, or local cybersecurity or computer laws and regulations, industrial standards ● California Consumer Privacy Act (“CCPA”): CCPA is applicable for California residents. The CCPA provides consumers with specific rights regarding their personal information. 
● Federal Privacy Act (1974): Establishes a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies. ● Gramm-Leach Bliley (GLB) Act (1999): The act addressed to control the ways financial institutions deal with the private information of individuals. ● Consumer Financial Protection Bureau: The Consumer Financial Protection Bureau is a U.S. government agency that makes sure banks, lenders, and other financial companies treat customers fairly. ● Consumer Privacy Act (“CCPA”): CCPA is applicable for California residents. ● Federal and state laws and regulations that require all information to be kept private and secured. Industry Standards ● Payment Card Industry Data Security Standard (PCI DSS): PCI DSS is applicable for those organizations who accept credit card payments. Access Control Telecommunications and Network Security Information Security Governance & Risk Management Software Development Security – applying developments to security involves many processes, including developing, adding, and testing security features on applications to help prevent against security vulnerabilities and threats. This is important to the company because it is a constant work in progress to keep out hackers and attackers from private information of citizens and employees. Without the changing development of security measures, hackers could easily learn a system and access information. This is especially important in a bank setting, due to the information that could become available for attacks, such as bank accounts, fraud, theft of money in accounts, home addresses of customers, identity theft from social securities, and so much more. 
Cryptography

Security Architecture and Design

Security Operations

Business Continuity & Disaster Recovery Planning

Legal Regulations, Investigations and Compliance

There are many key roles involved in compliance and investigation of attacks when they happen. Some of those include having a responsible investigative authority, having a responsible investigator(s), and having legal counsel for when things go sideways. Having responsible investigators is important because when attacks do happen, we want them taken seriously. This ensures that a thorough investigation is done so that changes can be made, software can be stronger, and risk of attack decreases. You also want to have an investigative authority (person in charge) so that they can oversee the investigation. This prepares them for future attacks and helps them to learn better ways of handling situations. A company that believes they will never be attacked is a vulnerable one. In Flagstar’s case, the information hacked was through the third-party vendor used by them. The action of Flagstar should be to reevaluate whether that vendor is “good enough” to keep, or if they should restructure that part of their business plan. Legal counsel comes in here. It is always a good idea in a large corporation to have good legal counsel for when things go wrong. If someone isn’t doing their job correctly and efficiently, then legal counsel can help you get out of a contract for a security breach.

Physical (Environmental) Security

- This would involve security guards around the premises and inside the building for each branch
- It would also include security cameras in and around the building, including the drive through, ATM, each teller station, the bank vault, all entrances and exits, and the parking lot.
System-specific Security Policy of Flagstar – This will go under systems mgmt IISP Acceptable use policy Information Reliability – All information acquired from the Internet must be considered suspect until confirmed by separate information from a reliable source. Users must not rely on the alleged identity of a correspondent through outside email or the Internet. The identity of a person or organization is confirmed through authoritative methods such as digital certificates granted by third party verification or digital signatures. More information can be obtained from the Enterprise IT Security Department. Downloading Software – Users must not install software from the Internet unless specifically authorized to do so by the Information Systems or Enterprise IT Security Department. Users may download data files from the Internet, but must check these files for viruses before using them. Copyright laws must be respected when downloading files. Sending Security Parameters – Users must not send any sensitive parameters such as credit card numbers, telephone calling card numbers, fixed passwords, or account numbers through the Internet unless the connection is encrypted end-to-end. International Transfer Of Data – The movement of private or research information such as human resources records or sensitive research across international borders in some countries is illegal. Before transferring any private or sensitive research information across a border, users must check with the BSU General Counsel to ensure that laws are not violated. Setting Up Extra Services – The establishment of any connection to the BSU network with a third party is forbidden unless the Enterprise IT Security Department has approved the controls associated with this connection. The establishment of electronic data interchange and other electronic business system arrangements is prohibited unless approved by both Enterprise IT Security Department and Information Systems Department. 
Information Security Reports – All users in receipt of information about system vulnerabilities must forward this information to the Enterprise IT Security Department, which will determine what action is appropriate. Users must not redistribute system vulnerability information. Network security policies Connection Approval Required – BSU computers or networks may be connected to third-party computers or networks only after the Enterprise IT Security Department has determined that the combined systems will be in compliance with BSU security requirements. Real-time connections between two or more in-house BSU computer systems must not be established unless Information Security has determined that such connections will not jeopardize the information security of sensitive data. Personal Computer Connections – Employees must not connect their own computers with BSU computers or networks without prior authorization from DIT. Personally- owned systems must not be used to process any BSU information unless the systems have been approved for use by Information Security. New Installations – Employees and vendors working for BSU must not make arrangements for, or actually complete, the installation of voice or data lines with any carrier unless they have obtained written approval from the Director of the Office of Telecommunications. Firewalls Required – All connections between BSU internal networks and the Internet or any other publicly accessible computer network must include an approved firewall or related access control system. The privileges permitted through this firewall or related access control system must be based on business needs and must be defined in an access control standard issued by the Enterprise IT Security Department (documentation available from the department). 
Third party access control policy Written Approval Required – Before third party users are permitted to reach BSU internal systems through real-time computer connections, specific written approval of the Enterprise IT Security Department Manager must be obtained. These third parties include information providers such as outsourcing organizations, business partners, contractors, and consultants working on special projects. Access Restrictions – Third-party information system vendors must be given only in-bound connection privileges when the DIT Systems Manager determines that they have a legitimate business need. These privileges must be enabled only for the time period required to accomplish previously defined and approved tasks. Third-party vendor access that will last longer than one day must be approved by the Enterprise IT Security Department. Only Public Information Posted – Unless the relevant information Owner has approved in advance, employees must not place anything other than BSU public information in a directory, on a server, or in any other location where unknown parties could readily access it. Third Party Security Requirements – As a condition of gaining access to the BSU computer network, every third party must secure its own connected systems in a manner consistent with BSU requirements. BSU must reserve the right to audit the security measures in effect on third party-connected systems without prior warning. BSU also must reserve the right to immediately terminate network connections with all third-party systems not meeting such requirements. Encryption Policy Default Protection Not Provided – The Internet and other public networks are not protected from wiretapping by default. In all but a few rare instances, if information is to be protected, then the user must take specific action to enable encryption facilities. 
Users who employ cellular or mobile phones must not store or discuss Sensitive (Confidential or Restricted) information unless they have taken steps to encrypt the information. Video conferences must not involve discussion of sensitive information unless encryption facilities are known to be enabled.

When To Use Encryption – Whenever confidential information is sent over a public computer network like the Internet, encryption methods authorized by the Enterprise IT Security Department must be used to protect it. Whenever confidential information is stored in a computer, this storage must be with similar authorized encryption methods. For more information about these circumstances, see the “Data Classification Quick Reference Table.”

Key Selection – Many encryption routines require that the user provide a seed or a key as input. Users must protect these security parameters from unauthorized disclosure, just as they would protect passwords from unauthorized disclosure. Rules for choosing strong seeds or keys must follow all rules for choosing strong passwords.

SQL injection prevention policies

Develop web applications by utilizing parameterized database queries with bound, typed parameters and careful use of parameterized stored procedures in the database. This can be accomplished in a variety of programming languages including Java, .NET, PHP, and more.

Additionally, developers, system administrators, and database administrators can take further steps to minimize attacks or the impact of successful attacks:

● Keep all web application software components including libraries, plug-ins, frameworks, web server software, and database server software up to date with the latest security patches available from vendors.
● Utilize the principle of least privilege when provisioning accounts used to connect to the SQL database. For example, if a web site only needs to retrieve web content from a database using SELECT statements, do not give the web site’s database connection credentials other privileges such as INSERT, UPDATE, or DELETE privileges. In many cases, these privileges can be managed using appropriate database roles for accounts. Never allow your web application to connect to the database with Administrator privileges (the “sa” account on Microsoft SQL Server, for instance).
● Do not use shared database accounts between different web sites or applications.
● Validate user-supplied input for expected data types, including input fields like drop-down menus or radio buttons, not just fields that allow users to type in input.
● Configure proper error reporting and handling on the web server and in the code so that database error messages are never sent to the client web browser. Attackers can leverage technical details in verbose error messages to adjust their queries for successful exploitation.

Remediation policy

Immediate action must be taken to address any confirmed SQL Injection flaws discovered:

● Once a person responsible for coordinating remediation is identified, please respond to the notice so that Information Security and Policy can work directly with the coordinator to ensure full remediation
● Coordinate an investigation of potentially vulnerable web pages and resources amongst developers or other stakeholders
● A review of web, application, and database logs may reveal the point of vulnerability and source of attacks
● Develop a plan to remediate any confirmed SQL Injection flaws and prevent future attacks

References

https://www.flagstar.com/esg/company-overview/our-business-overview.html
https://www.bowiestate.edu/files/resources/information-security-public.pdf
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-055a
Application Security: https://www.vmware.com/topics/glossary/content/application-security
https://www.compliance.com/resources/tips-preparing-conducting-compliance-investigations/
Information Security: https://www.criminaljusticedegreeschools.com/careers/information-security-officer/#:~:text=Career%20Description%2C%20Duties%2C%20and%20Common,virus%20software%20to%20block%20threats.
https://www.flagstar.com/esg/governance/data-security-and-customer-privacy.html
https://www.flagstar.com/esg/governance/risk-management.html
https://www.flagstar.com/legal-disclaimers/terms-of-use.html
https://www.flagstar.com/legal-disclaimers/privacy-statement.html#2
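
The SQL injection prevention policies above call for parameterized queries with bound, typed parameters, least-privilege database accounts, validation of drop-down values, and error handling that keeps database messages away from the client. The following Python example shows those four controls together; it is an added example, not part of the original paper or of any Flagstar system. The table, sample rows, function names and allow-list are constructed for illustration, and SQLite's query_only pragma stands in for a SELECT-only database role.

```python
import logging
import sqlite3

log = logging.getLogger("webapp")

# Values offered by a hypothetical drop-down; anything else is rejected.
ALLOWED_ACCOUNT_TYPES = frozenset({"checking", "savings", "mortgage"})
MAX_OWNER_LEN = 64


class InputError(ValueError):
    """Raised when user-supplied input fails validation."""


def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts ("
        "id INTEGER PRIMARY KEY, owner TEXT NOT NULL, type TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO accounts (owner, type) VALUES (?, ?)",
        [("alice", "checking"), ("bob", "savings"), ("carol", "mortgage")],
    )
    conn.commit()
    # Least privilege: the web-facing connection only reads. In a server
    # DBMS this would be a role granted SELECT only; SQLite's query_only
    # pragma is used here as a stand-in (assumption of this example).
    conn.execute("PRAGMA query_only = ON")
    return conn


def lookup_vulnerable(conn, owner):
    """The pattern the policy forbids: input concatenated into SQL text."""
    sql = "SELECT id, owner, type FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, owner, account_type):
    """Validate types and allowed values, then bind them as parameters."""
    if not isinstance(owner, str) or not 0 < len(owner) <= MAX_OWNER_LEN:
        raise InputError("owner")
    if not isinstance(account_type, str) or account_type not in ALLOWED_ACCOUNT_TYPES:
        raise InputError("account_type")
    return conn.execute(
        "SELECT id, owner, type FROM accounts WHERE owner = ? AND type = ?",
        (owner, account_type),
    ).fetchall()


def can_write(conn):
    """Return True if this connection is able to modify data."""
    try:
        conn.execute("INSERT INTO accounts (owner, type) VALUES ('x', 'y')")
        return True
    except sqlite3.Error:
        return False
    finally:
        conn.rollback()  # discard the probe row or the failed transaction


def handle_request(conn, owner, account_type):
    """Request handler: details are logged server-side, never returned."""
    try:
        rows = lookup_parameterized(conn, owner, account_type)
    except InputError:
        return {"status": 400, "error": "invalid input"}
    except sqlite3.Error:
        log.exception("database error while handling account lookup")
        return {"status": 500, "error": "internal error"}
    return {"status": 200, "rows": rows}


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing SQL syntax
    print("concatenated :", lookup_vulnerable(conn, crafted))
    print("parameterized:", lookup_parameterized(conn, crafted, "checking"))
    print("drop-down    :", handle_request(conn, "alice", "checking; --"))
    print("can write    :", can_write(conn))
```

With the concatenated query the constructed input changes the WHERE clause and every row comes back; with bound parameters the same input is compared as a literal string and matches nothing.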
While it’s mostly a numbers game that looks at your income, loan payment, and financial circumstances, you can help or hurt your chances of getting approved for a modification with your actions (or inaction) during the process. If you meet the program requirements and take all necessary steps, you’ll get one. Because your actions can be vitally important in getting your loan modified, it’s essential that you learn the do’s and don’ts of the process.

Do:

- Apply for a modification as soon as possible. To qualify for a modification, you’ll have to submit a complete “loss mitigation” application to your loan servicer. It’s best to submit your application as soon as you know you’ll have trouble making your payments or shortly after you fall behind. If you take several weeks or months to put your paperwork together, a foreclosure could start or continue, leaving you with less time to work out a foreclosure alternative.
- Send in all items the servicer requests. To get protection against dual tracking under federal and some state laws, you have to send your servicer a complete application. An application is complete once you’ve sent in everything that the servicer requested—like a financial worksheet, pay stubs, bank statements, information about your assets, tax returns, and a hardship statement. One of the main reasons that people often don’t get approved for a modification is that they fail to send in every document that the servicer requests. The servicer won’t make a decision on your application until all of your items are in. If you leave out just one document—or send paperwork that’s outdated—the servicer will likely deny your request for a modification.
- Be sure to include every page of each required item. When you send your paperwork to the servicer, don’t omit any pages. For example, even if page three of your bank statement is blank, if the other pages say “Page 1 of 3” and “Page 2 of 3”, you need to send all three pages. Otherwise, the servicer will probably consider the document incomplete.
- Keep all correspondence you receive from the servicer. Be sure to retain all written communications you receive from the servicer, such as a confirmation letter that the servicer received your complete application or a letter telling you that certain items are missing. This information could be useful later on if you want to challenge a foreclosure by showing the servicer didn’t comply with servicing laws. (To learn what to do, and what not to do, in a foreclosure, see foreclosure
- Learn about laws that protect you in the process. Servicers sometimes make mistakes when processing borrowers’ modification applications. Find out about the federal and state laws that protect you in the loss mitigation process so you can enforce your rights if the servicer fails to abide by the law.

Don’t:

- Send illegible documents. When you send your paperwork to the servicer, be sure that all pages are legible. Otherwise, the servicer might deem them unacceptable and deny your application. Be aware that what you consider acceptable and what the servicer considers readable might be different. The servicer won’t put in a lot of effort to decipher words or numbers that are potentially unclear. It’s in your best interest to make it easy for the servicer to read the documents by submitting only clear, clean copies.
- Lose your cool if the process isn’t perfectly smooth. Stay calm, even if you have to resubmit paperwork you already sent in. Resend whatever item the servicer asks for, and send it as soon as possible. If you get irritated with the servicer and insist that you already submitted all required documents rather than resending them, you’ll only hurt yourself. Remember that your servicer is likely getting thousands of requests for modifications—don’t give the staff an easy reason to turn down your request.
- Be afraid to get clarification. Be sure that you’re clear on exactly what items you need to send in. The servicer might request two pay stubs assuming that covers one month of your income. But if you’re paid weekly, bimonthly, or monthly, you might have to send in more or fewer pay stubs. If you need clarification, ask your point of contact. (Under federal law, in most cases, by the time you’re 45 days’ delinquent, the servicer has to assign a single person or a team to help you with the loss mitigation process.)
- Forget to put your name, loan number, and contact information on each page of every document you turn in. Normally, you get a few options for sending your documents to the servicer: by regular mail, overnight mail, fax, or secure email. Paperwork sometimes gets lost, so the best option is secure email. Whatever option you choose, be sure to put your identifying information on every page of each document. Otherwise, the servicer might misplace one page and think your application is incomplete. When possible, send all of your application documents at one time, which significantly reduces the opportunity for items to get lost.
- Assume everything is on track, even after you’ve sent in your complete application. After you send in your paperwork, remain in touch with the servicer. Call at least one time each week to check on the status of your application. Keep notes detailing when you called the servicer, who you talked to, and what you discussed. Also, be sure to ask if the servicer needs any updated documents or information from you.