New Administrative Rules

R162-2c-301a  - Unprofessional Conduct (Effective date: 08/08/2023)

(2)(a)(iii) Clarifies that a lending manager, if acting as a PLM or BLM, must exercise reasonable supervision over each sponsored mortgage loan originator and unlicensed staff member, including each sponsored mortgage loan originator or unlicensed staff member teleworking.

(2)(a)(vii) Requires lending managers to establish, maintain, and enforce written policies and procedures to ensure customer privacy, customer information security, encryption of data, and password management, including a cyber security policy that provides that each teleworking employee and sponsored originator must use a secure virtual private network maintained by the sponsoring mortgage entity.

(2)(a)((viii)(B) Clarifies that an LM remains personally responsible and accountable for adequate supervision of sponsored mortgage loan originators, unlicensed staff, and entity operations throughout all locations, including persons teleworking.

(3)((a)(ii) Clarifies that a mortgage entity shall keep and dispose of records and customer information according to R162-2f-302.

(3)(a)(vi) Requires mortgage entities to notify, in writing and without unreasonable delay, each affected customer of a suspected breach of the mortgage entity’s security system, if misuse of the customer’s personal information occurs or is likely to occur as a result of the suspected security breach.


R162-2c-302 - Requirements for the Security, Retention, and Disposal of Records and Customer Information. (Effective date 08/08/2023)

(1)(a) requires an entity licensed under the Utah Residential Mortgage Practices Act to maintain and safeguard for the period set forth in Section 61-2c-302 the following records and customer information:

(xv) customer information acquired in the application or lending process.

(1)(d) requires an individual who terminates sponsorship with an entity to turn over to the entity any records and customer information in the individual’s possession when the sponsorship is terminated.

(2) requires a person who disposes of records and customer information at the end of the retention period to destroy the records and customer information, including any personal information by shredding, erasing, or otherwise making the information indecipherable.

(3)(a) If a licensed entity is actively engaged in the business of residential mortgage loans, the PLM is responsible for proper retention, maintenance, safeguarding, and disposal of records and customer information.

(3)(b) If a licensed entity stops doing business in Utah, the control persons as of its last day of operation are responsible for proper retention, maintenance, safeguarding, and disposal of records and customer information.