Business Continuity

Cloud-Based Loan Origination: Obstacles and Opportunities

Ed Ponte
Security & Governance Team Lead
December 25, 2020

RevCult is now OwnBackup Secure! In 2021, OwnBackup acquired RevCult, enhancing the cloud data protection platform with proactive data security. With OwnBackup Secure, you will strengthen security posture by understanding data exposure risks and proactively taking action to protect and secure your data -- all within Salesforce.

Major banking and lending institutions have relied on tech-enabled loan origination processes for decades and have long had to abide by strict security standards implemented by industry regulators. So what’s so different about loan origination in 2020?

Well, what’s not different about 2020?

In the wake of a global health crisis, consumer lending and corporate borrowing has surged as the government scrambles to keep companies afloat with PPP loans and as business leaders weigh their options. Amid it all, a large portion of lenders will be relying on a cloud solution like nCino loan origination software, which runs on the Salesforce platform.

For many of them, that’ll be different.

Historically, smaller institutions (under $10 billion in assets) have procured their infrastructures from major vendors that also provided security. Because these firms also tend to employ fewer technology staff members (security or otherwise) than regional or national competitors, an MSP-type solution often makes sense. But securing legacy on-premise or MSP-provided systems and securing data in the cloud are different exercises.

Even for many larger banks, cloud-based loan origination is a relatively new phenomenon, and lenders of all sizes face serious personnel and knowledge deficiencies in terms of cloud security. Some underestimate the level of effort required to implement and maintain a secure a cloud solution. Others have never heard of a “shared responsibility model” and are unaware of their responsibilities in this model.


What Are the Barriers to Cloud Adoption in Financial Services?

The rush to cloud adoption has made lending institutions more agile and more efficient. Unfortunately, that has come at a cost for some firms. For many enterprise customers, the primary focus during the technology procurement and implementation process is on aligning solutions with traditional business capabilities and integrating them with existing systems. Securing the environment? Not so much.

Smaller firms might also be especially susceptible to budgeting errors. They might have allocated dollars to the migration, but lack the resources to hold up their end of the shared responsibility model that governs relationships with providers. We’ll get to that in just a moment. The point is that regardless of why security gets overlooked, dealing with the consequences won’t be easy, cheap, or quick. Simply put, banking and lending institutions that do not implement a secure foundation today face a rapidly growing risk profile that will be significantly harder to remediate in the future.

Here’s How OwnBackup Can Help

1. Comprehensive data identification and classification.

Salesforce is one of the most popular platform-as-a-service solutions on the market and often represents a company’s first foray into the cloud. While many financial services firms might have started using Salesforce for its CRM capabilities, the platform is constantly evolving. Today, it can handle customer experience across lines of business (e.g., wholesale, treasury, commercial lending, SME, and retail) while also running core business applications (i.e., lending).

These robust capabilities, combined with a developer-friendly interface and its vertical approach to financial services, have made Salesforce an emerging player in the sector. However, lenders are also storing mind-boggling amounts of sensitive data on the platform, often under the assumption that data is secure because, well, “it’s Salesforce.” While the platform does provide powerful security controls, understanding how those controls have been implemented in your specific configuration can be a challenge.

When you work with OwnBackup, we start from the beginning — identifying and classifying what data you have stored in Salesforce across your organization and then mapping classified data to the proper controls. We’ll help you establish access management protocols that give you and your staff the resources and functionality they need from Salesforce while mitigating risks of data loss or theft.

2. Expert guidance on shared responsibility.

Most bank security and compliance leaders are probably familiar with the rules established by the Gramm-Leach-Bliley Act, the California Consumer Privacy Act, and other legislation and regulatory bodies, and almost every company using Salesforce has some kind of security policy in place. However, few organizations possess the legal expertise, technical understanding, and internal processes to know whether their data is properly classified and protected in accordance with these standards. In the event of a data breach, that ignorance can prove very costly.

The shared responsibility model governing agreements between enterprise buyers and cloud technology providers places responsibility for data protection squarely on the shoulders of the customer. Salesforce is responsible for keeping its platform secure and offers plenty of built-in security features for you to take advantage of, but ultimately won’t be held liable if your data is mismanaged.

OwnBackup works with clients to ensure that they understand exactly what portions of the shared responsibility agreement they’re responsible for. From there, we’ll collaboratively identify the right security controls to implement in order to ensure compliance.

3. Unrivaled vulnerability detection and remediation planning.

OwnBackup’s Salesforce Security Risk Assessment engagement and OwnBackup Secure will uncover all the gaps in your existing posture across six security dimensions: data protection, data loss prevention, integration, security model-authorization, monitoring and insights, and access control and authentication.

Data can disappear from anywhere — especially when it’s stored seemingly everywhere. That’s why we’ll evaluate internal security policies, organization-wide sharing practices, high-risk permission usage, coding practices, and a multitude of other factors when searching for gaps in your security posture.

In the event that vulnerabilities are found, we’ll provide a risk-adjusted, prioritized remediation road map so that you can address them quickly, minimizing the potential for disruption of user experiences on live applications. In addition to these services, we offer products that enable the initial implementation of improved security controls and facilitate the practical maintenance of your security posture over time.

Interested in learning more? Request a free Guided Risk Assessment for Salesforce today, or schedule a demo below.

Business Continuity
Business Continuity
Business Continuity
Cloud Migration

Get started

Share your details and we’ll contact you shortly to schedule a custom 25-minute demo.

Schedule a Demo