Privacy Concerns Remain as HMDA Implementation Date Arrives


CFPB-12-27-17.pngAfter more than three years, the implementation date for the Consumer Financial Protection Bureau’s amendment to Regulation C of the Home Mortgage Disclosure Act (HMDA) has finally arrived. While much has been written about the increased data points to be collected and reported under the rule, and the regulatory risks this presents to covered entities, the data privacy issues have been largely overlooked and are still being debated at this late stage.

HMDA data is not only public, but the CFPB provides tools that allow anyone to explore this data. The CFPB also allows the raw data to be exported with ease to spreadsheets and other data analysis programs. The fact that the data is so easily analyzed, combined with the increase in data points collected under the new rule, drove the financial industry to repeatedly raise privacy concerns to the CFPB. As early as 2015, covered entities questioned why the rule failed to establish a method to mask certain data fields that would protect an applicant’s identity. The CFPB didn’t directly address these concerns, stating only that the bureau will use a balancing test—a subjective test to explore a legal or regulatory issue—to “determine whether HMDA data should be modified prior to its disclosure in order to protect applicant and borrower privacy while also fulfilling HMDA’s disclosure purposes.”

The results of this balancing test were finally announced in September 2017, when the CFPB published guidance in the Federal Register. Not surprisingly, the guidance was met with criticism and further concern from the industry, as evidenced by a recent comment letter submitted by several industry trade groups. The CFPB’s guidance proposes to modify the public loan-level HMDA data to only exclude:

  • the universal loan identifier,
  • the date of the application,
  • the date action was taken by the financial institution,
  • the address of the property securing the loan,
  • the credit score or scores relied on in making the credit decision,
  • the Nationwide Mortgage Licensing System and Registry Identifier (NMLS ID),
  • the result generated by the underwriting system, and
  • free-form text fields used to report applicant or borrower race and ethnicity, name and version of the credit scoring model used, principal reason for denial (if applicable), and the name of the automated underwriting system.

As the comment letter points out, this leaves all other data points available to the public, including the borrower’s income, age, sex, race and ethnicity; the census tract, county and state; and the interest rate, combined loan-to-value ratio (CLTV), loan purpose and term, as well as many other data points. This makes applicant identification by the public not only possible, but probable. The data being collected and reported can be used for criminal purposes such as identity theft, but will also be extremely valuable to third-party marketing services. In an age where the mining and aggregation of personal information creates valuable data sets, it is reasonable to believe that the reported HMDA data will be analyzed to exploit anyone applying for a mortgage in 2018 and beyond.

Those involved in mortgage lending should be concerned with their applicants’ data privacy, given the litigation and reputational risks that accompany any successful attempt to improperly utilize or re-identify an applicant through reported HMDA data. Consumers are becoming increasingly attuned to their privacy and the need to protect it. Once it is determined that HMDA data was used for an unauthorized or possibly criminal purpose, covered entities should expect a flurry of lawsuits filed and public backlash against whatever institutions were involved in the collection and reporting—not necessarily the CFPB that promulgated the rule and guidance. Given that it is a regulatory requirement to do so, HMDA covered entities will likely avoid liability for this disclosure, but at that point the reputational price and legal costs will already be incurred. Banks and other lenders must start collecting this data effective January 1, 2018, which will be scheduled for publication by the CFPB a year later. The risk presented to not only applicants and lenders through the public disclosure of this data is real, and it must be addressed by the CFPB. There is still more than a year before this data will be publicly reported. All mortgage lenders and industry groups should continue to push for a more conservative plan in regards to the publication of said data, with a greater focus on the data privacy risks to borrowers and the risk exposure to the lenders.

How Poor Communication Practices by Directors Increase Cyber Risk


cyberrisk-10-9-17.pngThe role of a corporate director is continuously expanding, particularly in the banking space. Beyond growing profits, today’s directors are also responsible for ensuring corporate ethics, social responsibility, cybersecurity and more. Unfortunately, many directors are still using their old communication tools. A recent report from the New York Stock Exchange and Diligent found that the communication practices of directors and executives are potentially increasing their company’s level of cyber risk for the sake of personal convenience.

These findings are particularly alarming in the context of recent regulatory pressures on boards to be held accountable for data privacy and cyber breaches—including a recent ruling by the New York State Department of Financial Services applicable to all financial services firms conducting business in New York, and the impending impact of the European Union’s General Data Protection Regulation for every company that serves EU customers. (For further details about the New York regulations, see “New Rules for Financial Firms in New York Put New Onus on Boards.”)

The NYSE/Diligent report noted that while directors and executives have access to sensitive data, they operate with little-to-no direct oversight by the company’s IT/data security teams, and are therefore not restricted to using only secure communication channels when discussing board business. In fact, of the 381 corporate directors of publically traded companies surveyed for the report:

  • Ninety-two percent use personal email accounts (outside corporate firewalls) at least occasionally to conduct board business.
  • Fifty percent regularly download confidential company documents onto personal devices or computers.
  • Sixty-two percent are not required to undergo cybersecurity training.
  • Forty percent “didn’t know” if the board had ever conducted a security audit.

So what what are some best practices for secure board communication that banks and financial institutions can employ to mitigate cyber risk and prepare their directors and executives to meet the challenge?

Training and Assessments
Cyber threats can change at a moment’s notice, and regulatory requirements in the cybersecurity space continue to evolve. Regular training is imperative for board members, especially experienced directors who need refreshers or may not be aware of the latest risks. Customize the training to include a review of the practices your company expects from directors to ensure they are handling sensitive information appropriately, and continue to revisit these on an annual basis.

Bring the data security team into the boardroom to conduct an audit of directors’ communication practices. By ensuring that directors are handling documents only through secured and encrypted channels, your company can minimize exposure to some of the worst penalties of the new regulations.

Also, leverage the annual board evaluation by making cybersecurity a key component of board success. Query directors on their level of readiness to handle a material data breach or leak, and their understanding of the board’s responsibility versus the roles of IT and the management team. From there, the company can identify areas where further education and training are needed.

Keep Business and Personal Separate
Free email service provider use has been the center of too many corporate cyber incidents in recent years—yet directors continue to use personal email as a primary communications method rather than adopting more secure technology. Why? While internal emails and servers typically have heightened security and stronger encryption, many directors reject company-issued email accounts because they serve on multiple boards, which could lead to a single director having to check multiple inboxes and multiple calendars to conduct board work.

But what directors gain in convenience by using personal email, they lose in increased risk. The better solution? Give up on email altogether and opt for a secure messaging tool.

Secure and Convenient Technology
Select a secure messaging tool that is designed specifically for director communication and can be integrated into your existing governance software. There are a number of considerations to keep in mind. Do your directors prefer to use mobile? Do they want to make digital edits while reviewing board docs? What level of protection and encryption do you need?

These platforms can alert directors’ mobile phones when messages arrive and allow them to login with biometrics—while still enabling the data security team and corporate secretary to control record retention and data encryption. It not only facilitates convenient board communication, but can also be a last line of defense in case devices are stolen in transit, lost on planes or impacted by viruses/malware while connected to unsecure Wi-Fi.

Six Best Practices to Help Customers Achieve True Data Privacy


data-7-24-17.pngWith today’s constant news stream of ransomware threats, denial of service attacks and data breaches, data privacy is more of a concern than ever. But, what exactly do we mean by data privacy, and how can we convey its importance to customers?

At its root, data privacy is the concept of implementing appropriate controls related to the sensitivity of data. There are two key components of data privacy: data classification and data protection.

Data classification simply means understanding the sensitivity level of data. There are three main categories: public, sensitive and confidential. Any data, even that which is publically available, can be collected and used by a criminal to profile their prey. The numbers tell the story: Through July 6, 2017, according to the nonprofit Identify Theft Resource Center, we’ve seen a total of 791 breaches and 12.39 million compromised records across all major industries.

Data classification helps determine the level of protection warranted, with confidential data justifying the most:

  • Confidential data, such as social security numbers, bank details, or other personally identifiable information—whether in transmission or storage—should be encrypted, and devices used to store and transmit it should be secured as well. When disposing of this data, whether electronically or in a tangible format, the data records should be fully destroyed through shredding (electronic or physically). In some cases, entire storage devices should be destroyed.
  • Sensitive data, such as religious or relationship information, or private business plans, is similar to confidential data in that the owner does not wish to share it with others. As such, sensitive data often is protected similarly to confidential data. The only differentiator is the amount spent to protect it.
  • Public data is that which is publically available, like where a person attended high school.

With greater access to information, coupled with the increased rate and publicity of compromise, many consumers are numb to the severity of a data breach, even though strengthening the environments in which they store or transmit data should be top of mind.

Below are six best practices you can convey to your customers to help them achieve real data privacy:

  • Employ data encryption for both storage and transmission. One advantage of encrypting all data is that a decision doesn’t have to be made regarding classification when it comes to encryption. A second benefit is that a criminal doesn’t know what to target when all data is encrypted.
  • Avoid accessing data such as emails, cloud storage, and the like on a public computer or network, which are easily compromised. If a public network must be used, virtual private network (VPN) encryption is necessary when sensitive or confidential data is being accessed. Keep in mind, passwords aren’t always transmitted in an encrypted format, so a criminal could intercept the password. Public computers should be used only as a last resort, and never to access confidential or sensitive data.
  • Ensure your computer is patched and protected with a firewall and up-to-date anti-malware solution. Further, even careful users should periodically have their machine inspected for malware and cleaned by a trusted technician; with the sophistication of malware today, even the most cautious and educated can still end up compromised.
  • When possible, implement multi-factor authentication, which entails using more than one means of authentication, such as passwords and authentication codes. This is one of the most promising ways to ensure data and accounts remain secure, yet even these systems aren’t foolproof. Avoid receiving texts of access codes when possible, as this is a weaker form of multi-factor authentication. Use authentication applications, phone calls or a secure email account instead, and remember that codes sent to a device are only as secure as the device itself.
  • Use strong passwords that are changed at least every 90 days. Passwords should, when allowed, be at least 15 characters in length and complex in nature, including letters, numbers and symbols. Also, password safes like KeyPass are useful for storing them. And remember, treat your password like your toothbrush: never share it and change it often.
  • Consider the sensitivity of the data you store in the cloud. Utilizing a cloud service means entrusting a company to protect your data, so ensure the provider is equipped to protect the data to the same degree that you would. Another alternative is encrypting the data with your own encryption key before storing it in the cloud, which helps mitigate risk.

While one of banks’ most important tasks is protecting customer data, educating customers to respond in kind goes a long way toward a common goal.