CFPB Walks Data Privacy Tightrope On Mortgage Disclosures
Law360
In the wake of the Equifax data breach, consumers, companies and regulators alike are cognizant of the potential exposure of personal information, and many companies are looking at ways to decrease the risk of unauthorized disclosure of personal data. It has become imperative that companies review their incoming and outgoing data processes, the type of data stored, maintained, and utilized in day-to-day operations, as well as the processes and controls in place to ensure that data is protected in the most reasonable and cost-effective manner.
In creating effective data privacy policies and procedures, companies must also analyze certain laws which require companies to disclose material information to regulators. One such law is the Home Mortgage Disclosure Act, and Regulation C, which requires many lenders to report and disclose to the public certain information about their residential mortgage lending activities.
In a timely release, the Consumer Financial Protection Bureau issued guidance to clarify how the bureau would release essential consumer mortgage lending activity data to the public under HMDA. The guidance sets forth the CFPB’s analysis of information and the related risks associated with individual loan level consumer data, as well as data aggregates, which could identify individual consumers.
The CFPB is responsible for collecting this data and then posting it publicly so that users of the HMDA database can extrapolate trends in consumer mortgage lending. In its current form, the HMDA database contains data about residential homebuyers and applicants that may allow users of the data to identify individual consumers, transactions and properties. The access to this consumer data could pose a risk to consumers, an issue the CFPB has recognized with its most recent guidance. With this latest guidance, the CFPB is taking steps to diminish the risk that individuals could be identified by users of the HMDA database. Some of the specific measures the CFPB proposes include:
- Excluding certain data points from the HMDA database, including the universal loan identifier; the date the application was received; the date of action taken by the financial institution on a covered loan or application; the address of the property securing the loan; and the credit score relied on in making the credit decision.
- Excluding free-form text fields used to report applicant or borrower race; applicant or borrower ethnicity; the name and version of the credit scoring model used to generate each credit score or credit scores relied on in making the credit decision; the principal reason or reasons the financial institution denied the application, if applicable; and the automated underwriting system name.
- Modifying the public loan-level HMDA data to reduce the precision of most values reported, including rounding the amount of the covered loan, and the value of the property securing the loan, to the nearest $10,000 interval; reporting borrowers’ ages in ranges (i.e., 25 to 34, 35 to 44, 45 to 54, 55 to 64, and 65 to 74); and reporting borrowers’ total monthly debt-to-income ratios relied on in making credit decisions in ranges, unless the consumer’s debt-to-income ratio is between 40 and 50 percent, in which case it will be reported as submitted by the financial institution.
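A sketch of the three measures listed above applied to loan-level records, with a check of how many records still stand alone on their remaining attributes. This is an added illustration, not code from the CFPB or from this article; the field names, the bands outside ages 25 to 74, the 10-point debt-to-income bands and the sample rows are assumptions.

```python
from collections import Counter

# Fields the guidance excludes from the public file (field names are hypothetical).
SUPPRESSED = {"universal_loan_id", "application_date", "action_date", "property_address",
              "credit_score", "race_free_text", "ethnicity_free_text",
              "credit_model_free_text", "denial_reason_free_text", "aus_name_free_text"}
AGE_BANDS = [(25, 34), (35, 44), (45, 54), (55, 64), (65, 74)]
QUASI_IDS = ("loan_amount", "property_value", "age", "dti")


def round_10k(amount):
    """Round a dollar amount to the nearest $10,000 (halves round up)."""
    return (int(amount) + 5_000) // 10_000 * 10_000


def age_band(age):
    for lo, hi in AGE_BANDS:
        if lo <= age <= hi:
            return f"{lo}-{hi}"
    return "<25" if age < 25 else ">74"  # assumption: page lists no outer bands


def dti_band(dti):
    if 40 <= dti <= 50:
        return dti  # reported as submitted
    lo = int(dti) // 10 * 10  # assumption: 10-point bands outside 40-50
    return f"{lo}-{lo + 10}"


def publish(record):
    out = {k: v for k, v in record.items() if k not in SUPPRESSED}
    out.update(loan_amount=round_10k(out["loan_amount"]),
               property_value=round_10k(out["property_value"]),
               age=age_band(out["age"]), dti=dti_band(out["dti"]))
    return out


def smallest_group(records, keys=QUASI_IDS):
    """Size of the smallest set of records sharing the same quasi-identifiers."""
    return min(Counter(tuple(r[k] for k in keys) for r in records).values())


# Constructed sample rows, not real HMDA data.
FIELDS = ("universal_loan_id", "loan_amount", "property_value", "age", "dti")
ROWS = [("CONSTRUCTED-1", 247_500, 301_000, 37, 33),
        ("CONSTRUCTED-2", 251_200, 298_400, 41, 38),
        ("CONSTRUCTED-3", 245_000, 304_999, 44, 31.5)]
RAW = [dict(zip(FIELDS, row)) for row in ROWS]
PUBLIC = [publish(r) for r in RAW]
```

On the constructed rows, `smallest_group(RAW)` is 1 (every applicant is unique on amount, value, age and ratio) and `smallest_group(PUBLIC)` is 3, because the rounded and banded values no longer distinguish them.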
What It Means for Financial Services Providers
The CFPB appears to be focused on not only furthering the underlying purpose of the legislation, but doing so while ensuring that consumer privacy is protected. The CFPB’s guidance provides a clear analysis of what the bureau considers to be personally identifiable information, alone or when combined with other information, which may pose a risk to customers if exposed to the public domain. This guidance is a positive step toward closing a potential opening that cybercriminals could exploit to steal, misuse, sell or manipulate consumer data. The guidance also serves as a road map for what the CFPB believes is information about consumers that may be harmful or sensitive if disclosed, and provides a window into the CFPB’s expectations for financial services companies that can be used to internally analyze a company’s data privacy program. The guidance also indicates the CFPB’s recognition that, as it increases its enforcement of unfair and deceptive acts surrounding data privacy and cybersecurity, its own collection of nonpublic personal information and data poses the same types of risks it wishes to eliminate in the marketplace.
The CFPB’s guidance reflects the seriousness and breadth of cybersecurity threats facing any institution that uses or stores a consumer’s personal information. Post-Equifax, data breaches have become front and center for regulators, including the CFPB. In fact, just last month the CFPB announced that it was considering embedding regulators in the three main credit reporting agencies. In a live CNBC interview, CFPB Director Richard Cordray stated, "We're going to have monitoring in place that's preventive. It's going to be a different regime than we're used to," he said. "In the past they dealt with these problems on their own. They did the best they could. ... That's not good enough." Although there have been other high-profile breaches, Cordray said the Equifax hack was "far beyond" what had happened at Target and Home Depot several years ago and demanded a strong reaction.
Consumer real estate transactions have been in the public record in many jurisdictions for years, but the potential for widespread digital abuse of that data has resulted in the federal government and certain states limiting public access to that data. As a result, it is imperative that financial institutions understand the key elements of a robust data privacy program, including the types of data the company collects, where the data is stored, who has access to the data, how the data flows internally within the organization, how the data is submitted outside the organization, security controls at each access point, and data classification and sensitivity levels. Likewise, training, education, table-top and privacy risk exercises should be conducted by companies to prepare for potential threats.
As the landscape continues to change and regulators focus on increased regulation and enforcement of state and federal data privacy laws, companies must continue to reassess and build robust data privacy programs. It is also important that these privacy programs exist outside of the “pen and paper” policies and procedures within an organization. A robust program should also include initial and continued training and testing, board and upper management monitoring, review and participation in table-top exercises, and close coordination with internal and outside legal, information technology, executive management, compliance and innovation departments, as well as general data privacy education, awareness and culture within the organization.
Republished with permission. This article first appeared in Law360 on October 25, 2017.