Risk
12/27/2017

Privacy Concerns Remain as HMDA Implementation Date Arrives

Craig Nazzaro
Partner
Brad Rustin
Partner
Elizabeth DeVos


CFPB-12-27-17.pngAfter more than three years, the implementation date for the Consumer Financial Protection Bureau’s amendment to Regulation C of the Home Mortgage Disclosure Act (HMDA) has finally arrived. While much has been written about the increased data points to be collected and reported under the rule, and the regulatory risks this presents to covered entities, the data privacy issues have been largely overlooked and are still being debated at this late stage.

HMDA data is not only public, but the CFPB provides tools that allow anyone to explore this data. The CFPB also allows the raw data to be exported with ease to spreadsheets and other data analysis programs. The fact that the data is so easily analyzed, combined with the increase in data points collected under the new rule, drove the financial industry to repeatedly raise privacy concerns to the CFPB. As early as 2015, covered entities questioned why the rule failed to establish a method to mask certain data fields that would protect an applicant’s identity. The CFPB didn’t directly address these concerns, stating only that the bureau will use a balancing test—a subjective test to explore a legal or regulatory issue—to “determine whether HMDA data should be modified prior to its disclosure in order to protect applicant and borrower privacy while also fulfilling HMDA’s disclosure purposes.”

The results of this balancing test were finally announced in September 2017, when the CFPB published guidance in the Federal Register. Not surprisingly, the guidance was met with criticism and further concern from the industry, as evidenced by a recent comment letter submitted by several industry trade groups. The CFPB’s guidance proposes to modify the public loan-level HMDA data to only exclude:

  • the universal loan identifier,
  • the date of the application,
  • the date action was taken by the financial institution,
  • the address of the property securing the loan,
  • the credit score or scores relied on in making the credit decision,
  • the Nationwide Mortgage Licensing System and Registry Identifier (NMLS ID),
  • the result generated by the underwriting system, and
  • free-form text fields used to report applicant or borrower race and ethnicity, name and version of the credit scoring model used, principal reason for denial (if applicable), and the name of the automated underwriting system.

As the comment letter points out, this leaves all other data points available to the public, including the borrower’s income, age, sex, race and ethnicity; the census tract, county and state; and the interest rate, combined loan-to-value ratio (CLTV), loan purpose and term, as well as many other data points. This makes applicant identification by the public not only possible, but probable. The data being collected and reported can be used for criminal purposes such as identity theft, but will also be extremely valuable to third-party marketing services. In an age where the mining and aggregation of personal information creates valuable data sets, it is reasonable to believe that the reported HMDA data will be analyzed to exploit anyone applying for a mortgage in 2018 and beyond.

Those involved in mortgage lending should be concerned with their applicants’ data privacy, given the litigation and reputational risks that accompany any successful attempt to improperly utilize or re-identify an applicant through reported HMDA data. Consumers are becoming increasingly attuned to their privacy and the need to protect it. Once it is determined that HMDA data was used for an unauthorized or possibly criminal purpose, covered entities should expect a flurry of lawsuits filed and public backlash against whatever institutions were involved in the collection and reporting—not necessarily the CFPB that promulgated the rule and guidance. Given that it is a regulatory requirement to do so, HMDA covered entities will likely avoid liability for this disclosure, but at that point the reputational price and legal costs will already be incurred. Banks and other lenders must start collecting this data effective January 1, 2018, which will be scheduled for publication by the CFPB a year later. The risk presented to not only applicants and lenders through the public disclosure of this data is real, and it must be addressed by the CFPB. There is still more than a year before this data will be publicly reported. All mortgage lenders and industry groups should continue to push for a more conservative plan in regards to the publication of said data, with a greater focus on the data privacy risks to borrowers and the risk exposure to the lenders.

WRITTEN BY

Craig Nazzaro

Partner

Craig Nazzaro is a partner at Nelson Mullins Riley & Scarborough LLP.  He advises a variety of entities on all regulatory and compliance issues that impact the financial services industry including banks, non-bank lenders, servicers, investors, third party payment processors and debt collectors.  He defends clients against charges of liability and regulatory violations. 

 

Prior to joining Nelson Mullins Riley & Scarborough LLP, Mr. Nazzaro served as a vice president and assistant general counsel with J.P. Morgan Chase, where he managed and coordinated a team of over 20 senior legal officers and attorneys in responding to and resolving consumer lending issues presented by state attorneys generals, Housing and Urban Development, Consumer Financial Protection Bureau, Office of the Comptroller of the Currency, state banking departments and Congressional inquiries.  He also served as the chief compliance officer for Chemical Bank, a $23 billion bank headquartered in Michigan from 2018 until 2019 when Chemical Bank merged with TCF National Bank.

WRITTEN BY

Brad Rustin

Partner

Brad Rustin is a partner at Nelson Mullins Riley & Scarborough LLP.  He chairs the firm’s financial services regulatory practice.  His career began as a litigator focusing on consumer financial services litigation and defense of regulatory claims against chartered and non-chartered financial institutions, finance entities and money services business.  Following in the wake of the fiscal crisis, he began working with financial institutions, state-licensed lenders, money transmitters, non-traditional lenders, check cashers and mortgage brokers on issues of regulatory compliance.  As the regulatory environment facing financial institutions has changed and increased in complexity, he now spends most of his time counseling financial institutions in regulatory matters, including strategic agreements, product development and operational compliance. 

 

Mr. Rustin is a certified anti-money laundering specialist (CAMS) by ACAMS and a certified regulatory compliance manager (CRCM) by the American Bankers Association. 

Elizabeth DeVos