Arkansas Joins $20M Multistate Settlement with Bayview Over Data Breach
Summary
The Arkansas Securities Department joined 52 state financial regulatory agencies in a $20 million settlement with Bayview Asset Management LLC and three affiliates (Lakeview Loan Servicing, Community Loan Servicing, and Pingora Holdings) for deficient cybersecurity practices and failing to comply with examination authority following a data breach impacting 5.8 million customers. This is the first collective multistate enforcement action by state regulators for a mortgage company data breach. In addition to the monetary penalty, the Bayview Companies must implement corrective actions, undergo independent assessments, and provide three years of additional reporting to states.
What changed
The Arkansas Securities Department and 52 state financial regulatory agencies reached a $20 million settlement with Bayview Asset Management LLC and three affiliates (Lakeview Loan Servicing, Community Loan Servicing, and Pingora Holdings) for deficient cybersecurity practices and failure to comply with examination authority. The data breach affected 5.8 million customers. State regulators found that Bayview's information technology and cybersecurity practices did not meet federal or state requirements and that the companies delayed the supervisory process by failing to respond to state requests in a timely manner.
Nonbank mortgage companies and financial services firms should note this settlement establishes precedent that state regulators will take coordinated enforcement action against cybersecurity deficiencies. Regulated entities must ensure their cybersecurity measures meet state requirements, protect consumer data, and comply promptly with state supervisory demands. The three-year reporting requirement signals ongoing regulatory scrutiny for Bayview and may serve as a model for future multistate actions.
What to do next
- Implement specified corrective actions to improve cybersecurity programs
- Undergo independent cybersecurity assessments
- Provide three years of additional reporting to states
Penalties
$20 million settlement
Archived snapshot
Apr 18, 2026GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
Arkansas Securities Department joins $20 million multistate data breach settlement with nation’s largest nonbank servicing company
Posted On: Jan 08, 2025
LITTLE ROCK, Ark. (January 8, 2025) – The Arkansas Securities Department and 52 state financial regulatory agencies have taken coordinated action against mortgage company Bayview Asset Management LLC and three of its affiliates, Lakeview Loan Servicing, Community Loan Servicing, and Pingora Holdings (collectively the Bayview Companies), for deficient cybersecurity practices and failing to comply with their examination authority following a data breach that impacted 5.8 million customers.
The $20 million settlement and corrective plan is the first collective multistate enforcement action by state regulators for a mortgage company data breach. The enforcement action underscores the importance of meeting state requirements to protect consumer data and complying with state supervisory demands.
“This settlement demonstrates that appropriate cybersecurity measures designed to protect consumers’ confidential information are a paramount requirement for regulated financial institutions in Arkansas,” said Securities Commissioner Susannah T. Marshall. “This Order sets a precedent for all licensees and ensures that the Bayview Companies will adopt new corporate policies and data security processes to deter data breaches like this one in the future.”
State regulators in California, Maryland, North Carolina, and Washington State led the multistate effort, which found that Bayview Companies’ information technology and cybersecurity practices did not meet federal or state requirements. Furthermore, the Bayview Companies delayed the supervisory process by failing to comply with state requests in a timely and complete manner in the early stages of the examination.
In addition to the monetary penalty, the Bayview Companies have agreed to take specified corrective actions, improve cybersecurity programs, undergo independent assessments, and provide three years of additional reporting to the states.
State financial regulators license and supervise more than 33,000 nonbank financial services companies through the Nationwide Multistate Licensing System (NMLS), including mortgage companies, money services businesses, consumer finance providers, and debt collectors.
Arkansas residents who have questions about the settlement should contact the Arkansas Securities Department at www.securities.arkansas.gov or at 800-981-4429. Residents can also visit NMLS Consumer Access to verify that a company is licensed to do business in Arkansas, and they may also view past enforcement actions.
Related changes
Get daily alerts for AR Mortgage Regulation
Daily digest delivered to your inbox.
Free. Unsubscribe anytime.
About this page
Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission
Source document text, dates, docket IDs, and authority are extracted directly from AR Securities Dept.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.
Classification
Who this affects
Taxonomy
Browse Categories
Get alerts for this source
We'll email you when AR Mortgage Regulation publishes new changes.
Subscribed!
Optional. Filters your digest to exactly the updates that matter to you.