After more than three years, the implementation date for the Consumer Financial Protection Bureau's amendment to Regulation C of the Home Mortgage Disclosure Act (HMDA) has finally arrived. While much has been written about the increased data points to be collected and reported under the rule, and the regulatory risks this presents to covered entities, the data privacy issues have been largely overlooked and are still being debated at this late stage.
HMDA data is not only public, but the CFPB provides tools that allow anyone to explore this data. The CFPB also allows the raw data to be exported with ease to spreadsheets and other data analysis programs. The fact that the data is so easily analyzed, combined with the increase in data points collected under the new rule, drove the financial industry to repeatedly raise privacy concerns to the CFPB. As early as 2015, covered entities questioned why the rule failed to establish a method to mask certain data fields that would protect an applicant’s identity. The CFPB didn’t directly address these concerns, stating only that the bureau will use a balancing test—a subjective test to explore a legal or regulatory issue—to "determine whether HMDA data should be modified prior to its disclosure in order to protect applicant and borrower privacy while also fulfilling HMDA's disclosure purposes."
The results of this balancing test were finally announced in September 2017, when the CFPB published guidance in the Federal Register. Not surprisingly, the guidance was met with criticism and further concern from the industry, as evidenced by a recent comment letter submitted by several industry trade groups. The CFPB’s guidance proposes to modify the public loan-level HMDA data by excluding only:
- the universal loan identifier,
- the date of the application,
- the date action was taken by the financial institution,
- the address of the property securing the loan,
- the credit score or scores relied on in making the credit decision,
- the Nationwide Mortgage Licensing System and Registry Identifier (NMLS ID),
- the result generated by the underwriting system, and
- free-form text fields used to report applicant or borrower race and ethnicity, name and version of the credit scoring model used, principal reason for denial (if applicable), and the name of the automated underwriting system.
As the comment letter points out, this leaves all other data points available to the public, including the borrower’s income, age, sex, race and ethnicity; the census tract, county and state; and the interest rate, combined loan-to-value ratio (CLTV), loan purpose and term, as well as many other data points. This makes applicant identification by the public not only possible, but probable. The data being collected and reported can be used for criminal purposes such as identity theft, but will also be extremely valuable to third-party marketing services. In an age where the mining and aggregation of personal information creates valuable data sets, it is reasonable to believe that the reported HMDA data will be analyzed to exploit anyone applying for a mortgage in 2018 and beyond.
Those involved in mortgage lending should be concerned with their applicants’ data privacy, given the litigation and reputational risks that accompany any successful attempt to improperly utilize or re-identify an applicant through reported HMDA data. Consumers are becoming increasingly attuned to their privacy and the need to protect it. Once it is determined that HMDA data was used for an unauthorized or possibly criminal purpose, covered entities should expect a flurry of lawsuits and public backlash against whatever institutions were involved in the collection and reporting—not necessarily the CFPB that promulgated the rule and guidance. Given that reporting is a regulatory requirement, HMDA covered entities will likely avoid liability for this disclosure, but at that point the reputational price and legal costs will already have been incurred. Banks and other lenders must start collecting this data effective January 1, 2018, and the data will be scheduled for publication by the CFPB a year later. The risk presented to both applicants and lenders through the public disclosure of this data is real, and it must be addressed by the CFPB. There is still more than a year before this data will be publicly reported. All mortgage lenders and industry groups should continue to push for a more conservative plan with regard to the publication of this data, with a greater focus on the data privacy risks to borrowers and the risk exposure to the lenders.