The implementation date of the Consumer Financial Protection Bureau's final Home Mortgage Disclosure Act Rule is fast approaching and the mortgage industry still has not received any answers in regard to their data privacy concerns.
While the privacy issue has been raised repeatedly by those in the mortgage industry, the CFPB has thus far avoided addressing the valid concerns and states that the bureau will use a "balancing test" to "determine whether and, if so, how HMDA data should be modified prior to its disclosure in order to protect applicant and borrower privacy while also fulfilling HMDA's disclosure purposes."
The CFPB simply states that at a later date, the bureau will provide a process for the public to provide input regarding the application of this balancing test to determine the HMDA data that will be publicly disclosed. That "later date" is rapidly approaching. Currently there is a lot of public data on the internet and more is added daily. The CFPB also publishes the HMDA data which they collect, and makes it all downloadable and searchable through their
Currently, the mortgage industry has no idea how the CFPB is even utilizing the fact that information from multiple databases can be aggregated to re-identify a borrower.
The data being collected could be used for criminal purposes, and would also be extremely valuable if used to create marketing lists. The new data points contain personal identifiers that sales departments look for in leads to generate sales. Even competing mortgage companies would be interested in the data. With all the money that one can make compiling and parsing this data, you can be guaranteed someone will attempt to re-identify each applicant with whatever data is published. So the fact that the CFPB is not actively doing more to quell these concerns should distress not only the lenders who are collecting and reporting said data, but also anyone who plans to apply for a residential mortgage after 2018.
Since the lenders are the ones who will be collecting, storing and reporting this data, it's natural to assume that in the event of a data breach or identity theft resulting from the improper sharing or publishing of the data, borrowers will look to the mortgage industry for relief — which may result in increased litigation. The CFPB has stated that the liability of the data being improperly used would not lie with the lenders and those required to report under HMDA. But what they fail to consider is that no one can control who an individual can sue. It will not matter if the data was being collected for regulatory purposes when the resulting lawsuits are filed. Even if the complaints are meritless and can be defeated, the increase in complaints brought against mortgage lenders has a very real cost attached to them, no matter what the outcome of the litigation may be.
While the industry waits for direction on the data security issue, there are also the increased fair lending risks that come along with these new data points. When the rule is implemented the CFPB will be armed with more statistics to argue the presence of fair lending violations. The best approach to limit this risk is to get ahead of the rule early. Start collecting the data points as soon as possible and internally test for any evidence of disparate impact.
Craig Nazzaro is of counsel in Baker Donelson's Atlanta office and is a member of the Consumer Finance Litigation and Compliance Group.
