Important Notice for Employees Traveling Internationally

City 1st Mortgage Services, LLC (including DBA’s Clear Mortgage and Hancock Mortgage) places the highest priority on protecting consumer data and complying with federal, state, and international regulations.

The official company policy is that employees may not perform company work from outside the United States. International access to company systems is prohibited. 

If an employee nevertheless chooses to access company systems while abroad, they do so at their own risk and are personally liable for any resulting consequences. In such cases, the following safeguards are mandatory:

1. Secure Network Use
   

   • Only use a private, secure internet connection protected by a firewall.

   • Public/open Wi-Fi (including hotel, airport, or café networks) is strictly prohibited.

2. Device Security

   • Device must have current operating system and security patches.

   • Full-disk encryption must be enabled.

   • Antivirus/internet security software must be active and updated.

   • A firewall must be enabled.

   • Multi-factor authentication (MFA) is required for all company system access.

   • Shared or non-company devices may not be used.

3. VPN Requirements

   • You must connect through a VPN provider of your choice that has been reviewed and verified by the IT Department.

   • The company does not supply or reimburse VPN services.

4. Reporting Obligations

   • Employees must notify IT/Security before traveling internationally.

   • Any suspected compromise, device theft, or unauthorized account access must be reported to IT within 24 hours.

5. Access Limitations

   • High-risk activities (such as pulling credit reports or altering LOS data) are prohibited without executive authorization, even if general system access occurs abroad.

Liability & Compliance

Employees assume full responsibility for compliance when accessing systems internationally. Potential liabilities include:

• Federal Regulations: Gramm-Leach-Bliley Act (GLBA), Fair Credit Reporting Act (FCRA), Bank Secrecy Act (BSA), and related consumer financial protection laws.

• State Laws: Privacy, data breach, and consumer protection laws in applicable states.

• International Regulations: EU General Data Protection Regulation (GDPR), Canada’s PIPEDA, and comparable foreign privacy laws.

• Contractual Liability: Vendor and credit bureau agreements often prohibit foreign access. Violations may result in contractual penalties.

• Civil & Criminal Liability: Unauthorized or negligent access, disclosure, or misuse of consumer information may result in lawsuits, fines, or criminal charges.

Employees must understand that liability may extend personally as well as to the company in cases of negligence or misconduct

Enforcement & Safeguards

• The company may implement geo-IP blocking and conditional access rules to enforce this policy.

• Limited-access “travel accounts” with reduced permissions may be issued only under exceptional, pre-approved circumstances.

Final Guidance

The company’s position is clear: out-of-country work is not permitted. If an employee nevertheless chooses to access systems abroad, they must comply with all safeguards listed above and accept full personal accountability for any resulting legal, regulatory, contractual, or financial consequences.