The CFPB recently announced a new policy guidance concerning the data required to be collected, reported, and disclosed by financial institutions to the public under the Home Mortgage Disclosure Act (HMDA). The guidance is intended to supplement the sweeping changes made by the CFPB to HMDA in 2015 when it expanded the amount of loan-level information required to be disclosed by financial institutions to include new data points such as borrower age, credit score, property value, unique loan identifier information, along with other information. The effective date of the proposed guidance and rule is January 1, 2018.
HMDA is the regulation governing financial institutions to report and publicly disclose information about mortgages and mortgage lending activities. The CFPB states that the purpose of HMDA is "to determine whether financial institutions are serving the housing needs of their communities … and [assist] in identifying possible discriminatory lending patterns and enforcing discrimination statutes." With the new rule set to take effect in under three months, recent data breaches have created concerns that expanding the amount of information being disclosed under HMDA could be combined with other information to discover the identity of applicants and/or borrowers.
As part of the new rule, financial institutions will disclose HMDA data directly to the CFPB, who will be in charge of disclosing the information to the public. At the time the 2015 changes were announced, the CFPB did not identify which loan-level data would or would not be disclosed to the public. However, under the recently proposed guidance, the following data would be excluded:
- Universal loan identifiers
- The date the application was received
- The date of action taken by the financial institution on the loan or application
- The address of the property securing the loan
- The identifier assigned by the NMLS
- The credit score(s) relied upon in making a credit decision; and
- The result generated by the automated underwriting system used to evaluate the application
The guidance also proposes to exclude free form text fields which may identify the borrower or applicant's race or ethnicity, the name and version of the credit scoring model used to generate credit scores, and the principal reason the financial institution denied the application.
In addition to excluding certain information, the CFPB also proposes to modify certain loan-level data in order to reduce the precision in publicly disclosed data, which could lead to privacy breaches. These modifications include:
- Disclosing the midpoint for the $10,000 interval for the reported loan value (rather than the nearest $1,000)
- Indicating whether the reported value exceeds the loan limits for Freddie Mac and Fannie Mae
- Compartmentalizing the age of an applicant or borrower into specified age ranges (i.e., 25 to 34, 35 to 44, etc.)
- Disclose whether the reported age of the applicant is 62 years of age or older
- New categories for disclosing the applicant's or borrower's debt-to-income ratio
On the heels of the Equifax data breach and continued cybersecurity threats, the CFPB's guidance is a clear attempt to alleviate concerns regarding identity theft and information security. However, significant privacy concerns persist that the increase in the amount of data that is being disclosed for the first time will make it easier to discover the identity of applicants and borrowers. Furthermore, as the CFPB will become the sole purveyor of sensitive HMDA data prior to public disclosure, there are heightened concerns about the strength of the CFPB's own information security systems, which have been previously criticized by the Office of Inspector General.
As the effective date of the new HMDA disclosure rule draws near, financial institutions subject to the rule should be familiar with the new data points to be included in the disclosures to the CFPB. A comprehensive review of the institution's data privacy program is also recommended to understand the data being received from applicants or borrowers, how that data is collected, how it is stored, and how the required information is collated before being disclosed to the CFPB. At the very least, the CFPB's guidance provides insight as to what information the CFPB believes is sensitive if disclosed and could be a focal point during any examination. As privacy issues continue to be at the forefront of concerns by both regulators and the public, it is imperative for financial institutions to place an increased focus on its internal data privacy controls in order to eliminate potential threats and manage risk in the marketplace.