Website Authorization Instructions for Mortgage Bankers, Mortgage Brokers, and Mortgage Loan Servicers

  1. The listed domain name(s) must not contain a sequence of letters spelling “bank,” “trust,” “saving,” or “guaranty,” as well as derivatives thereof.  In addition, a mortgage broker may not use a domain name containing the word “loan” or “lending.”  The U.S. Office of the Comptroller of the Currency also prohibits State licensed and registered mortgage entities from using the words “National” and “Federal.”  Domain names containing a combination of words and letters that are prohibited by 18 USC Section 709 of the U.S. Code will be denied.
  2. The Officer Name & Title and Entity Name on your website questionnaire must match the information on your broker/banker/servicer application or your registration/licensing certificate.  Private domains are not acceptable.
  3. The name and address on your website registration should match the same information on your broker/banker/servicer application or your registration/licensing certificate.
  4. Until your website is approved, you should not conduct New York regulated mortgage broker/banker/servicer business through the site.  We would prefer if you would place the site in "prototype" mode off line.  However, If you operate in other states and would like to use the site for this purpose, we ask that you temporally remove the legend "Registered Mortgage Banker (or Broker or Servicer) – New York State."  Where practicable, measures should be implemented which prevent New York State loans for New York property from being processed by an unlicensed or unregistered entity.
  5. If your company is planning to collect consumer information, you are required to establish a Safeguard Policy which incorporates the following five items which are contained in the FTC Rule 16 CFR 314. The safeguard program should include but not be limited to the following:
    • designate one or more employees to coordinate the safeguard program;
    • identify and assess risks to consumer data and information systems;
    • implement security measures on user access control, data encryption, software patch updates, server security, penetration testing, malicious code prevention, and intrusion detection systems;
    • exercise appropriate due diligence in selecting service providers, and ensure service providers have implemented adequate security controls to safeguard customer information;
    • review and update the safeguard program periodically (i.e.  semiannually, annually, and biannually).  Document this effort.
  6. We cannot accept a third party policy. You can incorporate the five items into your current policy or develop a stand-alone Safeguard policy. It must be your policy on your letterhead. We will hold you accountable for developing the policy, implementing it, and monitoring its day to day application to website activities. The five elements should be discussed not just listed.
  7. Generally, the use of social networking websites is not permitted on websites we authorize. They cannot be used to solicit which in our view includes collecting confidential consumer information. Those registrants who do use social networking sites need to have policies for their employees and loan officers that preclude solicitation on the networking sites. However, where there is an advertisement that directly links back to the company's website for complete details, then the advertisements would be treated similar to a print ad by the Department, subject to Part 38.2. Again, it must be an advertisement where the link once clicked goes directly to the company's approved website.
  8. Before the website is formally authorized:
    • ALL broker websites must contain the legend "Registered New York Mortgage Broker - All mortgage loans arranged with third party providers;"
    • ALL banker websites must contain the legend "Licensed New York Mortgage Banker;" and
    • ALL servicer websites must contain the legend "Registered New York Mortgage Loan Servicer."

For additional information regarding acceptable website practices, visit