PHOENIX’s Analytics division has upheld SOC 1 Type 2 and SOC 2 Type 2 compliance for our MSR valuation services since 2018.

Dedication to Data Security

Several prominent companies within our industry have recently fallen victim to data breaches and cyber security attacks. These incidents exposed the personal information of millions and compromised the affected organizations’ ability to deliver services and maintain operations. Kroll reports that the financial services industry surpassed the healthcare industry in the number of data breaches. This surge in cyber threats underscores the urgency for organizations not only to secure their own systems but also to have confidence in the security measures adopted by their vendors and third-party service providers, safeguarding sensitive data and maintaining robust process controls.

The financial sector is an attractive target for cyber criminals not only for the immediate financial gain but also due to the wealth of sensitive customer information it holds. –KROLL

The most effective means to attain peace of mind is to ensure that your vendor adheres to SOC (System and Organizational Controls) compliance. SOC reports serve as a testament to an organization’s dedication to data security and process controls. They affirm the identification of potential threats to clients’ data and the organization’s operations, along with the implementation of a comprehensive control framework to mitigate these threats.

SOC compliance is governed by the AICPA (American Institute of Certified Public Accountants), and a SOC attestation is a signed report generated by an independent CPA. This report delineates the processes and controls outlined by the organization and includes the auditor’s evaluation of these controls. There are two main SOC attestations:


  • Focus: Internal controls related to financial reporting.
  • Critical for MSR Valuations: Validates your third-party provider’s ability to deliver accurate and timely MSR valuations, anchored in governance around data integrity and model assumption oversight.


  • Scope: Broader, addressing internal controls around sensitive data.
  • Framework: Based on Trust Services Criteria (TSC), covering security, availability, processing integrity, confidentiality, and privacy.

Type 1 vs Type 2

Type 1: Identifies controls at a specific point, ensuring alignment with outlined risks.

Type 2: More thorough than Type 1, evaluates control effectiveness over a defined period, providing ongoing assurance.

If you are utilizing a third-party valuation provider, it is now more imperative than ever to ensure the safety of the data entrusted to your vendor and the consistency of the valuation you receive, with thorough checks and balances around its production. With PHOENIX, you can rest assured of an unwavering dedication to data security and an MSR valuation that is defensible, transparent, and tightly governed.

Secure your MSR valuations with confidence. Contact us to learn more about our commitment to SOC compliance and how PHOENIX can elevate your data security standards.