mattsretechblog: matt cohen (Default)
2015-03-15 12:00 am

IDX & VOW Compliance Reviews Done Better

One of the core functions of an MLS is to help subscribers cooperate, and making sure all subscribers follow the MLS rules designed to minimize participant conflict is a key part of this function. One of the places conflicts play out most publicly is in arguments over IDX and VOW displays. Yet a number of MLSs do not have a compliance program in place, and others are uncertain of their compliance practices. I think that’s why, when Clareity recently surveyed MLSs asking which of our services they planned to use in 2015, one of the most common responses was our IDX and VOW compliance services. Compliance is growing increasingly difficult, especially since MLS rules seem increasingly out of touch with innovations such as social media and installed apps. Following are some tips to help MLSs do a better job with IDX and VOW compliance reviews. Some of these may already be on the radar for my regular readers, but there are some new tips as well.

First of all, hard as it may be to shake off the habit, let’s not call these things “compliance audits” anymore, at least with subscribers. Using the word “audit” brings up bad memories people may have of certain government agencies and an inquisitorial way of doing things. Let’s call them “compliance reviews,” which is a much more neutral way of referring to them.

In keeping with this spirit, it’s important that, as far as possible, reviews be conducted consistently, not just in response to a perceived problem. “Complaint-based” reviews often lead to accusations of unfairness and even persecution. If MLSs consistently review sites and apps within a specific time period after they go live, and at specific times after that, it is harder for complaints such as, “the MLS picks on me because I am a discount broker,” to stick. If an MLS is just implementing a compliance program, I usually suggest that the leadership’s sites be reviewed first. After all, nothing is worse than having an antagonistic subscriber who is able to retort, “The MLS president’s site does it the same way – she’s out of compliance but you’re not doing anything about her!”

It is important for an MLS not just to have rules, but also a formal legal agreement with brokers governing VOWs and IDXs. The agreement is where the “rubber meets the road,” the last word on mutual rights and responsibilities. It’s the best place to clarify any vague parts of an MLS’s VOW/IDX policy and describe auditable criteria. The agreement sets out rules and responsibilities; the times when reviews may take place; how compliance and other costs are accounted for; what it takes to comply; the time during which a compliance problem can be remedied (“cure period”) and what happens then; and the criteria on which a site will be reviewed. The agreement will also have all the standard legal clauses concerning assignment, governing law, notices, and severability, and other required language. Many of the IDX and VOW agreements Clareity sees from MLSs lack much of the specificity required to be successful with a compliance program. This is an area to consult both with your business consultant and your attorney.

Again, VOW and IDX policies can be vague, and give rise to disputes if not specified more clearly.

For example, how should acceptance of the Terms of Service be handled? There is a spectrum of options that range from having a document linked to from inside a signup form all the way to having a text area with the terms where the user is forced to scroll to the bottom and nominally read them before she can check off a box marking her acceptance and move forward. What options are acceptable, and are you enforcing them consistently?

What is “appropriate security protection?” For which security criteria are sites tested? APIs have opened up a huge new area of vulnerability. What criteria apply to them? What issues can be let slide, and what issues must be fixed?

What does it mean to have “anti-scraping” protection and monitoring? Scrapers have grown radically more sophisticated with time, and measures you may be writing into your agreement, and which you may be offered by some IDX vendors, may only protect against the kinds of attacks that were common years ago.

There are also many areas where the IDX and VOW rules need to be updated and ambiguity decreased. What does it mean for the display of IDX data to be a “Participant’s display?” Ambiguity in this area is causing significant conflict in the industry these days. Who is a “Consumer”? I know at least one company that would say that a federal agency and other businesses are their “Consumer” – certainly not what was intended by policy writers.

Technology marches forward, creating increasing conflict with our aging rules. For an installed “app”, does the VOW process of email confirmation make sense, and should an installed app require the VOW username / password each time the app is opened? What’s reasonable? Consumers are becoming used to signing up for sites & apps using their social media login, which flies in the face of many of the VOW rules related to signups and logins. Do we need to engage with both NAR and DOJ to make changes to VOW rules?

The items above are just a few of many areas where MLSs must take care when implementing an IDX and VOW compliance practice. As they say, the devil is in the details! But, throughout the process of IDX and VOW compliance reviews, also keep the big picture in mind: attitude is everything. Be friendly and respectful to all subscribers and their vendors. Be merciful to the very occasional and obviously accidental violators. Remind them that rule compliance reviews are an MLS service to make sure that everyone is playing by the same rules in order to reduce conflict among subscribers. If you follow this guidance, you will be more successful with your compliance program.

2012-04-18 12:00 am

VOW and IDX Rules: Security Compliance in the Trenches

As a consultant often called on by MLSs for help with VOW and IDX compliance audits, and as someone who is always pushing for improved information security in the real estate industry, I love that information security is featured prominently in the VOW rules, section 19.5: “A Participant’s VOW must employ reasonable efforts to monitor for, and prevent, misappropriation, ‘scraping’, and other unauthorized use of MLS listing information. A participant’s VOW shall utilize appropriate security protection, such as firewalls, as long as this requirement does not impose security obligations greater than those employed concurrently by the MLS.” The last part of that rule is also reflected in optional IDX rule section 18.3.14. Auditing these rules has allowed me to help many brokers improve their VOW and IDX security and reduce the risk of an information security incident.

I’ve already written about guidelines for anti-scraping and monitoring and, although anti-scraping is a constantly evolving challenge, that article provides at least a baseline for evaluating VOW rule compliance.

But, what else should MLSs be looking for when evaluating VOW and IDX security?

First, as specifically mentioned in the rule, appropriate firewall protection must be established. When I audit a VOW, I look to make sure that there are only a few specific network ports open on the server – 80 and 443 as needed for the web server to function, and the ports needed to provide a secure method of server administration, such as port 22 – or 989 and 990. If ports like 21 and 3389 are open and actually used to administer the website, it should be a big compliance red flag, because they are common causes of security incidents – and issues I see the majority of the time when auditing a VOW or IDX site.

Second, you want to verify that all the web server software is up to date and properly configured. That means checking the web server (IIS, Apache, etc.) version, the operating system version (when possible) and the platform (.NET, JSP, ColdFusion, WordPress, etc.) version, making sure that those are the most current versions or that newer versions don’t have fixes for significant security vulnerabilities. You might think that keeping systems patched would be second nature for a technology provider, but in my experience, it seems not to be the case.

Third, you want to evaluate any externally obvious security misconfigurations of the server and platform. Every server and platform has its own security configuration guidelines and it’s reasonable to expect that obviously poor configurations should not be visible to an external evaluator.
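The first three checks above (expected ports only, current and properly configured server software, no externally obvious misconfiguration) lend themselves to a repeatable script, so that each review applies the same criteria to each site. The following is an added example written for this page, not code from the original post or from Clareity; it runs entirely offline over constructed sample data: a listening-socket listing in the format of the Linux `ss -tlnp` command, and a set of HTTP response headers. The allowed and red-flag port sets follow the post; the specific header names checked (Server, X-Powered-By, X-AspNet-Version, and the three hardening headers) are the example's own assumption of what a reviewer would look at, and the script only reports a disclosed version for the reviewer to compare against the vendor's current release rather than judging it itself.

```python
"""Offline checks modelled on the firewall and server-configuration steps
of a VOW/IDX security compliance review.

All input below is constructed sample data; nothing here touches a network.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Ports the post treats as expected on a VOW/IDX host: HTTP/HTTPS plus a
# secure administration channel (SSH on 22, or FTPS control/data on 989/990).
ALLOWED_PORTS = {80, 443, 22, 989, 990}

# Ports the post singles out as compliance red flags when exposed for administration.
RED_FLAG_PORTS = {21: "FTP (cleartext administration)", 3389: "RDP (remote desktop exposed)"}

LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")

# Headers that commonly leak a platform version (assumed list, not from the post).
VERSION_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")
# Hardening headers a reviewer would expect on an HTTPS site (assumed list).
REQUIRED_SECURITY_HEADERS = ("Strict-Transport-Security", "X-Content-Type-Options", "X-Frame-Options")

# Constructed sample, in the column layout of `ss -tlnp`; not a real VOW server.
SAMPLE_SS_OUTPUT = """State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("apache2",pid=1203,fd=4))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("apache2",pid=1203,fd=6))
LISTEN  0       32      0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=990,fd=3))
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1400,fd=21))
LISTEN  0       128     0.0.0.0:3389         0.0.0.0:*          users:(("xrdp",pid=1555,fd=11))
"""

# Constructed sample response headers; the version strings are illustrative only.
SAMPLE_HEADERS = {
    "Server": "Apache/2.2.15 (CentOS)",
    "X-Powered-By": "PHP/5.3.3",
    "Content-Type": "text/html; charset=UTF-8",
    "X-Frame-Options": "SAMEORIGIN",
}


@dataclass
class Finding:
    severity: str  # "red_flag" or "review"
    message: str


# Matches the "Local Address:Port" column of a LISTEN line; the greedy \S+ backtracks
# so that bracketed IPv6 addresses such as [::1]:22 split correctly.
_SOCKET_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")
_VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")


def check_listening_sockets(ss_output: str) -> list[Finding]:
    """Flag externally reachable listeners outside the expected port set."""
    findings: list[Finding] = []
    for line in ss_output.splitlines():
        m = _SOCKET_RE.match(line)
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        if addr.startswith(LOOPBACK_PREFIXES):
            continue  # bound to loopback only; not part of the external surface
        if port in RED_FLAG_PORTS:
            findings.append(Finding("red_flag", f"port {port} open: {RED_FLAG_PORTS[port]}"))
        elif port not in ALLOWED_PORTS:
            findings.append(Finding("review", f"port {port} open: not in the expected set"))
    return findings


def check_response_headers(headers: dict[str, str]) -> list[Finding]:
    """Report version disclosure and missing hardening headers for the reviewer."""
    findings: list[Finding] = []
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in VERSION_HEADERS:
        value = lowered.get(name.lower())
        if value and _VERSION_RE.search(value):
            # The reviewer compares this against the vendor's current release.
            findings.append(Finding("review", f"{name} header discloses a version: {value!r}"))
    for name in REQUIRED_SECURITY_HEADERS:
        if name.lower() not in lowered:
            findings.append(Finding("review", f"missing {name} header"))
    return findings


def review_site(ss_output: str, headers: dict[str, str]) -> dict[str, int]:
    """Run both checks and return counts by severity for the review record."""
    findings = check_listening_sockets(ss_output) + check_response_headers(headers)
    counts = {"red_flag": 0, "review": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in check_listening_sockets(SAMPLE_SS_OUTPUT) + check_response_headers(SAMPLE_HEADERS):
        print(f"[{f.severity}] {f.message}")
    print(review_site(SAMPLE_SS_OUTPUT, SAMPLE_HEADERS))
```

Run against the constructed sample, the script reports ports 21 and 3389 as red flags (port 3306 is skipped because it is bound to loopback), two version-disclosing headers, and two missing hardening headers. Keeping the criteria in code rather than in a reviewer's head is what makes the "consistent interpretation" the other posts on this page call for auditable.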

Fourth, and probably the most complicated part of evaluating VOW security, you want to evaluate application security – at least the OWASP Top 10 Vulnerabilities: Injection, Cross-Site Scripting (XSS), Broken Authentication and Session Management, Insecure Direct Object References, Cross-Site Request Forgery, Security Misconfiguration, Insecure Cryptographic Storage, Failure to Restrict URL Access, Insufficient Transport Layer Protection, and Unvalidated Redirects and Forwards. I usually evaluate Information Leakage and Improper Error Handling as well. Some of these items can’t be easily validated externally (e.g., Insecure Cryptographic Storage), though I’m always glad to hear that a web developer has encrypted the passwords and so cannot technically be compliant with VOW rule 19.3b (“The Participant must at all times maintain a record of the name, email address, user name, and current password of each registrant.”). I’ve seen every one of these OWASP vulnerabilities while auditing VOWs, and many times there are half a dozen issues on a single VOW.

If you’re a staff person at an MLS and a lot of the preceding read like gobbledy-gook to you or you don’t know how to audit security, you may want someone like me auditing VOWs and IDX sites for you, or at least auditing the security and anti-scraping related portions. It has been a blessing for the industry that the VOW and IDX rules give MLSs the opportunity to ensure that at least some reasonable security best practices are in place for VOW sites. I’ve had brokers tell me they were actually grateful someone was keeping an eye on their technology provider in this area, since they lacked the capacity to do so themselves and just figured that all appropriate measures had been taken.

Please keep in mind that website security is the smallest portion of overall brokerage security. Taking appropriate steps in terms of policies and contracts, physical security, account management and password controls, internal networking and computing, mobile device security, and internal web applications are all important. The NAR sponsored security workshops and security articles and blogs that I write, and which many MLSs and Associations reprint, are helping me reach some brokers and agents – but it’s a very difficult task to try to improve information security in this industry and I hope that I can count on my readers to act as security allies and spread the word.

2004-08-01 12:00 am

Reflections on MLS Compliance

Earlier this year, Clareity surveyed MLS executives about areas where they would appreciate some new articles/blogs from us. One of the most asked-for areas was “IDX & VOW compliance audits”. I’ve spoken on this subject in some depth several times in recent years at Clareity’s MLS Executive Workshop, which left me pondering what new angle I could take in a blog. Then, at the recent Council of MLS conference, there was a great session where Jeff Lasky (MRED) and Brad Bjelke (CRMLS) were talking about MLS compliance (listing and otherwise), and Brad mentioned how such calls are the “hardest customer service calls”. That got me thinking.

I’d first like to deal with one particular area of MLS compliance: IDX & VOW compliance reviews. I’ve got some basic rules that I’ve validated over the past 4–5 years reviewing sites on behalf of my MLS clients:

Don’t call them “audits.” No one likes to be “audited.” An “audit” makes people think of an IRS audit, which is a scary thing. Call them “rule compliance reviews.” It’s a little thing, but language matters.

Be systematic about choosing sites for compliance review. Ideally, perform a full review ASAP on all new sites, to avoid the “But we’ve been doing it like this for years, and our users are used to it this way” issue. Repeat site reviews on a consistent, regular basis, and let your subscribers know the anticipated schedule. It’s okay to review a site for a specific issue based on a subscriber’s complaint, but if that’s all you do, it will likely result in the site owner claiming they are being “picked on” and finding examples of similar issues on other sites to throw back in your face. They might find such issues anyway – issues do crop up between reviews – but you can say to a complainer that you would have caught that in a month when that other site was due for review, and that their very welcome complaint has just moved the review for the other site up a bit.

Be thorough in your review. Review sites for every rule that can be reviewed. Spend some time ensuring that you are interpreting each rule in a consistent manner. If you can’t describe exactly how you interpret “prominent location,” for example, you are heading for trouble. And what does it mean for the Participant to require each Registrant to “review and affirmatively to express agreement to terms of use”? Does a checkbox next to linked terms of use really fulfill “require … to review” or just “require … to express agreement”? What if several lines of the terms are visible in a text area or iframe? Should the user be forced to scroll through the entire agreement, requiring them to actually review the terms before they can express agreement? I’m not going to say what’s right here. The important thing is that you’re consistent with your subscribers. On that subject, if you change an interpretation later, communicate this back to your subscribers.

There are many, many more details when it comes to IDX & VOW compliance reviews – this is just a starting point.

But there is some broader advice that applies to compliance calls generally and not just website reviews. The most important thing is to be prepared to position the compliance review as an important MLS service. Your compliance staff needs to have absolute confidence in this. Ensuring that everyone is playing by the same rules is central to the MLS maintaining broker cooperation and avoiding conflict. And, if your MLS has a mostly automated process for finding listing issues, let the rule violator know this so that they don’t think a person made the decision to start “picking on them.” When it comes to data compliance, sometimes rule violators also need to be reminded that compliance checking is what maintains the great data that creates professional value, compared with the free-for-all that happens on sites where sellers post their own ads.

Obviously, MLS subscribers sometimes make mistakes. And, when it comes to their websites, they may be working with a vendor that didn’t understand the rules or your interpretation of them. Being friendly and respectful to all subscribers and their vendors and being merciful to the very occasional and obviously accidental violators is important. Sometimes the difficult phone call with the regular rule violator can’t be avoided. Sometimes it has to be “kicked upstairs” to the executive level or even to a committee that is ready to support the staff with regard to MLS rule violations and not put up with any guff from the violator. But, if you set up your compliance efforts so that there is an understanding that your process is fair and that your staff really is there to help the subscribers maintain a wonderful, cooperative MLS environment, hopefully the bad cases will be few and far between.

I leave you with a few quotes from brokers and software vendors. Follow my advice and you can start collecting these too!
  • “Thanks for all your help with this. You made this very easy to implement and helped us find some things with our site we did not know about.” – Broker
  • “I wanted to thank you for the awakening call you’ve given us.” – VOW Provider
  • “Thanks for all your patience!” – VOW Provider
  • “Many thanks for all of your assistance.” – Broker
  • “Thank you for your patience and willingness to work with us under such pressure.” – VOW Provider
  • “Thank you for your time today. Your work is very much appreciated.” – VOW Provider
  • “I can relax on my vacation thanks to you!” – VOW Provider