Privacy Policy

The purpose of this Policy is to implement consumer privacy requirements as required by the United States statutes, the Federal Reserve, and related requirements administered by the agencies and others.

1.1 Goals and Objectives

The standards set forth in this Policy represent minimum requirements based on applicable legal and regulatory guidance and apply throughout Castle Mortgage Corporation, dba Excelerate Capital (Excelerate Capital). These requirements are intended to prevent Excelerate Capital, its employees, third-party vendors and clients from violating federal regulations related to mortgage lending and consumer compliance.

1.2 Board Oversight

The Senior Management team has the responsibility to approve and exercise general Compliance Management System. This Policy shall be presented, approved and incorporated within the minutes of the Meeting of the Executive Board annually.

The Vice President of Compliance for Excelerate Capital is responsible for the enforcement and general oversight of this Policy. The Consumer Privacy Policy is evaluated and updated no less than annually to reflect any legal or regulatory changes. Any necessary industrywide or regulatory changes made to this Policy are reported in a quarterly report to senior management.

1.3 Required Review

Excelerate Capital requires this Policy be reviewed no less than annually.

  • Last Date of Review – 4/2021
  • Next Due for Review – 4/2022 The required annual review includes testing the compliance of this Policy with current law, regulation or directive, the procedural implementation of this Policy within the then current scope of Excelerate Capital business lines and operations, and any responses or changes 2

which may be appropriate in consideration of internal audit results receive during the previous year, then current industry trends or regulatory guidance.

Notwithstanding the required annual review, Excelerate Capital examines current laws in relation to business strategies, goals and objectives on an ongoing basis and maintains a compliant consumer privacy policy.

Chapter 2 Monitoring and Quality Control

Excelerate Capital requires that this Policy and all requirements referenced herein have a monitoring and quality control component. Ongoing adherence to these policies shall be documented such that execution with policy can be audited or reviewed for accuracy, compliance, inefficiency or failure. Excelerate Capital requires that its organization, its employees, and its third-party vendors comply with all requirements of this Policy and all underlying regulations as they exist or, from time to time, may be amended.

Chapter 3 Training

Excelerate Capital requires initial and ongoing training designed to improve the knowledge, performance and skills of its employees and to ensure compliance with consumer privacy requirements and this Policy. The Vice President of Compliance ensures new employees are provided a broad overview of consumer privacy requirements within 30 days of hire.

Records are maintained and include training dates, attendance, who conducted the training, content of the training and any test or performance results.

Chapter 4 Privacy Agreements

Excelerate Capital complies with federal and state regulations pertaining to consumer privacy. Privacy agreements are executed between Excelerate Capital and vendors and service providers to ensure information received by the business entities is not disclosed to any third party, sold to marketing companies or list distributors, or engaged in any act that violates the Gramm-Leach-Bliley Consumer Privacy Act (GLBA). Included in the privacy agreement between Excelerate Capital and its vendors and service providers is a provision for the proper destruction of documents. Any vendor or service provider of Excelerate Capital found disposing of credit reports or any income, asset, or liability information of consumers in any outside or publicly accessible area is subject to the termination of its contract.

Privacy agreements are executed between Excelerate Capital and all third-party service providers -contracted to conduct credit investigations, background checks, certain asset or income verifying procedures, and pre- and post-funding quality control reviews on behalf of Excelerate Capital. The agreements require the third party to maintain the confidentiality of the information to at least the same extent Excelerate Capital maintains confidentiality under the Gramm-Leach-Bliley Act and prohibits the service provider from disclosing or using the information other than to carry out the purposes for which the third party is contracted in the ordinary course of business. Third party service providers are required to disclose and detail their electronic security measures for review and as part of the vendor management approval procedures. A sample agreement is included in Chapter 9 Appendix.

Chapter 5 Consumer Privacy Requirements and Disclosure

Generally, GLBA prohibits the disclosure of nonpublic personal information (NPI). NPI consists of:

  • Any information an individual provides to Excelerate Capital to obtain a financial product or service (i.e. name, address, income, Social Security number or other information on an application);
  • Any information about an individual resulting from a transaction involving our financial products or services (i.e. the fact that an individual is Excelerate Capital’s consumer or customer, account numbers, payment history, loan or deposit balances, and credit or debit card purchases); or
  • Any information obtained about an individual in connection with providing a financial product or service (i.e. information from court records or from a consumer report). NPI does not include information that is “publicly available.” Information is publicly available if an institution has a reasonable basis to believe that the information is lawfully made available to the general public from government records, widely distributed media, or legally required disclosures in the public domain (i.e. information in a telephone book or publicly recorded document, such as a mortgage or securities filing). Excelerate Capital collects, retains and uses information about individual customers only when the information collected is pertinent (and permitted by law) in order to handle requests made by our customers for specific services, comply with federal or state regulations, or conduct business. Non-public information about our customers is collected from the following sources:
    • Information submitted to Excelerate Capital on applications and other disclosure forms;
    • Information about transactions with us or others; and Information received from a consumer reporting agency or other outside source regarding verification of information provided by the consumer or from which the consumer has expressly given permission to Excelerate Capital to obtain. Excelerate Capital requires all employees, third party originators and service providers to comply with GLBA regarding the disclosure of their privacy policies and practices. GLBA 7

requires the privacy disclosure provided to customers to contain language with respect to information sharing with third parties on financial products for personal, family and household purposes. The disclosure applies to all consumers who apply for a financial product, regardless of whether the credit is extended by Excelerate Capital. Excelerate Capital’s policy pertains to web-based, telephone or written mortgage applications.

Excelerate Capital, its employees, and service providers are required to comply with GLBA for information sharing with any of the following:

  • Credit agencies.
  • Appraisers.
  • Delegated underwriters.
  • Mortgage insurance companies.
  • Mortgage investors.
  • Document preparation companies.
  • Closing agents.
  • Electronic business-to-business portals.
  • Outsource quality control firms.
  • Third-party service providers. Excelerate Capital does not disclose any NPI about customers or former customers to anyone, except as permitted by law. There are instances when Excelerate Capital is required to share financial information. For example, Excelerate Capital is required to share financial information with parties named in a lawsuit or administrative action when served with a subpoena or court order, and with federal or state regulatory authorities, such as the Internal Revenue Service, as authorized by federal or state law.

5.1 Privacy Notice

The Consumer Privacy Notice (see Chapter 9 Appendix) contains language informing the customer that personal information will not be shared with third parties and is provided to the consumer as part of the initial disclosure package.

Excelerate Capital’s Privacy policy is also available on the company’s website at www.exceleratecapital.com/privacy-policy. Chapter 6 Closing Agent Authority Under the Consumer Privacy Act

The following are authorized activities for real estate settlement agents as published by the Federal Reserve Board:

  • Review the status of the title in the title commitment, resolve any exceptions to the title, and review the purchase agreement to ensure compliance with any specific requirements.
  • Provide real estate abstracting services (e.g. conduct title search and prepare abstract of title).
  • Verify the payment of existing loans secured by the real estate and verify and calculate the prorating of special assessments and taxes.
  • Obtain an updated title insurance commitment to the date of closing, prepare the required checks, deeds, affidavits, and obtain any authorization letters needed.
  • Establish a time and place for the closing, conduct the closing, and ensure all parties properly execute all appropriate documents and meet all commitments.
  • Collect and disburse funds for the parties, hold funds in escrow pending satisfaction of certain commitments, prepare the Closing Disclosure, the deed of trust, mortgage notes, and purchaser affidavit forms.

• Record the appropriate documents as required by law.

Chapter 7 Safeguarding Confidential Information

7.1 Confidential Information

Safeguarding confidential information is of utmost importance to Excelerate Capital. For purposes of this Policy, confidential information includes, but is not limited to:

7.2

Information regarding personnel who are currently or formerly employed by Excelerate Capital.

Procedures for computer access and passwords of Excelerate Capital employees and system users.

Any information pertaining to mortgage borrowers who have closed loans with Excelerate Capital.

Any information regarding mortgage applicants whose loans were closed for incompleteness, withdrawn, denied or canceled when a counter-offer was not accepted.

Prospect information concerning potential customers of Excelerate Capital.

Any other information relating to Excelerate Capital’s research, marketing, operations, investors, warehouse lenders and secondary marketing agencies.

Refinancing Applications of Existing Customers

Integral to the success of the mortgage industry is the business of refinancing loan applications of existing customers. Many consumers prefer to save time, and in certain cases, the expense of appraisals and other verification documents and request the review and re-use of their prior mortgage file. In these instances, Excelerate Capital requires the consumer sign a Consumer Privacy Notice (see Chapter 9 Appendix). Employees may obtain access to confidential information about Excelerate Capital’s customer database, but employee access is limited to those with a business reason for needing access to the information. All loan originators, processors and other staff-members referencing file documents from former customers for the purposes of evaluation and processing and application must adhere to the policies set forth regarding use and re-use of consumer information and information-sharing.

7.3 Direct Marketing of Prior Consumers

For direct marketing purposes, prior consumers may be approached by a representative of Excelerate Capital, and the consumer may be unaware of what information, and the extent of information, that has been made available to the company representative, who may be a different loan originator. In those cases, caution is exercised to assure the consumer that access to their information was duly authorized and in compliance with privacy regulations. A best practice for safeguarding consumer information is to mark all e-mails and correspondence as “Confidential”.

Chapter 8 Document Destruction

Credit reports, mortgage applications, financial statements, tax returns, paystubs, W-2 forms, retirement income documentation, etc. and numerous other documents that contain the borrower Social Security numbers, names of financial institutions, account numbers, etc. must be destroyed using any of the following:

  • Commercially built mechanical shredder.
  • On-site services provided by a shredding service company (such as Shred-It or other licenses commercial provider). Wrinkling of documents, tearing into sections and disposing into the office trash is not acceptable, if there is any confidential information that can be retrieved. Original loan documents that are removed from the office for the purpose of at-home work must be kept in a safe, secure area during travel and at the off-site location. Any lost or misplaced confidential documents must be reported to the SVP of Post Close and Investor Relations immediately. Any employee, representative or third-party service provider of Excelerate Capital found disposing of credit reports or any income, asset, or liability information of consumers in any outside or publicly accessible area is subject to disciplinary action, including termination.

Chapter 9 Appendix

9.1 Confidentiality Agreement for Third Party Service Provider

CONFIDENTIALITY AGREEMENT FOR THIRD PARTY SERVICE PROVIDER Re: Information Sharing and Disclosure of Consumer Information

This agreement shall be effective on the date of services provided by the Third Party (Service Provider) and remain in effect for the duration of all contracts or service agreements between Excelerate Capital and the Service Provider. In accordance with the Gramm-Leach-Bliley Act (Consumer Privacy Act) Service Provider agrees to maintain the confidentiality of the information provided by its client for the purposes related to ________________________________________ mortgage transactions.

Service Provider acknowledges that information included in residential mortgage files contains non-public personal information. Excelerate Capital authorizes Service Provider to handle and/or review documents as necessary to result in the qualification, approval, funding, closing, servicing or post-funding quality control review in accordance with the requisites of _______________________ and/or secondary market investor, insurer or loan servicer.

Service Provider agrees to not disclose or re-use the information provided by the client other than for the purposes for which the service provider is contracted. Service Provider shall not copy, duplicate or distribute any confidential information, except in accordance with this agreement. Service Provider agrees to establish and maintain appropriate administrative, physical and technical safeguards to ensure the confidentiality of documents. Service Provider agrees to follow all federal regulations in the handling and destruction of confidential documents.

Service Provider agrees to cooperate with its client at any time for the examination of the firm’s facilities and operations to ensure requirements of this agreement are followed. Service Provider acknowledges that any violation of this agreement authorizes ___________________ to terminate existing service contracts or agreements.

Service Provider acknowledges that processing and servicing transactions necessary to effect, administer or enforce a transaction requested or authorized by the consumer in connection with certain servicing, processing, securitization or secondary market functions

is exempt from Initial Disclosure and Opt Out requirements of the Consumer Privacy Act and Service Provider makes no representation with regard to the proper initial or annual disclosure to consumers (or customers) by the client and any applicable originating broker or loan servicer.

Acknowledged and Agreed to by: Lender

9.2 Consumer Privacy Notice

Excelerate Capital Consumer Privacy Notice

Thank you for trusting your important mortgage application with Excelerate Capital. In order to process your loan we must review personal credit and financial information that you have provided to us with your loan application as well as supporting documents. Credit reports, deposit and income verification and other information about you will be reviewed during the course of processing, approval and closing of your loan.

It is Excelerate Capital’s policy to not share any personal information pertaining to all borrowers and co-borrowers. Information shared by our organization is specifically limited to third parties and affiliates engaged for the purpose of funding your loan transaction. Access is restricted to employees and agents involved in the timely approval and closing of your loan.

Excelerate Capital uses paper and electronic resources and we comply with federal regulations to safeguard your personal information. This policy applies to our customers and former customers. Our policy is in compliance with the Gramm-Leach-Bliley Consumer Privacy Act, Federal Regulation [16 CFR Part 313] implemented by the Federal Trade Commission.