
CFPB's New HMDA Rule Still Leaves Privacy Concerns Unanswered

CFPB Focus

The implementation date of the CFPB's final Home Mortgage Disclosure Act (HMDA) Rule is fast approaching, and the mortgage industry still has not received any answers regarding its data privacy concerns. As widely reported, the new rule requires lenders to provide more data points in their HMDA reporting. Some of the new data points include borrower age, credit score, automated underwriting system information, a unique loan identifier, property value, application channel, points and fees paid, borrower-paid origination charges, discount points, lender credits, loan term, prepayment penalty, non-amortizing loan features, interest rate and loan originator identifier. The complete list of data points as well as their descriptions can be found on the CFPB's Summary of Reportable HMDA Data – Regulatory Reference Chart. The expansion of these data points also expands the risk of possible disclosure of a borrower's personal information.

While the privacy issue has been raised repeatedly by those in the mortgage industry, the CFPB has thus far avoided addressing the valid concerns and states that the Bureau will use a "balancing test" to "determine whether and, if so, how HMDA data should be modified prior to its disclosure in order to protect applicant and borrower privacy while also fulfilling HMDA's disclosure purposes."

The CFPB simply states that at a later date, the Bureau will provide a process for the public to provide input regarding the application of this balancing test to determine the HMDA data to be publicly disclosed. That "later date" is fast approaching. Currently there is a lot of public data on the internet and more is being added daily. The CFPB publishes HMDA data and makes it all downloadable and searchable through their online HMDA tool. And don't forget the National Mortgage Data Base, a separate joint project between the CFPB and the Federal Housing Finance Agency (FHFA) that is in the works and will also house a lot of loan-specific and possibly personally identifying data. There are also online county records systems, such as the one used in the five boroughs of New York City, called Automated City Register Information System (ACRIS). All these databases offer different identifiable data points about a property and the owner. Currently, the mortgage industry has no idea how, or even whether, the CFPB is accounting for the fact that information from multiple databases can be aggregated to re-identify a borrower.

The data being collected could not only be used for criminal purposes, but it would also be extremely valuable if used to create marketing lists. Remember, the new data points contain things like age, credit score, combined loan to value (CLTV) ratio and debt-to-income (DTI) ratio – all of which are personal identifiers that sales departments look for in leads to generate sales. Even competing mortgage companies would be interested in the data. With all the money that one can make compiling and parsing this data, you can be guaranteed someone will attempt to re-identify each applicant with whatever data is published. So the fact that the CFPB is not actively doing more to quell these concerns should distress not only the lenders who are collecting and reporting said data, but also anyone who plans to apply for a residential mortgage post-2018.

Since the lenders are the ones who will be collecting, storing and reporting this data, it's natural to assume that in the event of a data breach or identity theft resulting from the improper sharing or publishing of this data, borrowers will look to the mortgage industry for relief, which may result in increased litigation. The CFPB has stated that the liability of the data being improperly used would not lie with the lenders and those required to report under HMDA. But what they fail to consider is that no one can control who an individual can sue. It will not matter if the data was being collected for regulatory purposes when the resulting lawsuits are filed. Even if the complaints are meritless and can be defeated, the increase in complaints brought against mortgage lenders has a very real cost attached to it, no matter what the outcome of the litigation may be.

As we always advise, the best approach to limit your institution's liability is to get ahead of any new rule promulgated by the CFPB early. As we previously reported, outside of the data security issues raised above, there is still the concern that these data points will increase your institution's exposure to fair lending issues. If you can start collecting the data points as soon as possible and internally test for data integrity or any evidence of disparate impact, you can begin to limit that risk exposure by proactively remediating any identified issues.
