CFPB Walks the Data Privacy Tightrope on Public HMDA Disclosures

In the wake of the Equifax data breach, consumers, companies, and regulators alike are cognizant of the potential exposure of personal information, and many companies are looking at ways to decrease the risk of unauthorized disclosure of personal data. In creating effective data privacy policies and procedures, companies must also analyze requirements under certain statutes which require companies to disclose material information to regulators. One such regulation is the Home Mortgage Disclosure Act (HMDA), which requires many lenders to report and disclose to the public certain information about their mortgage lending activities.

In a timely release, the Consumer Financial Protection Bureau (CFPB) issued guidance to clarify how the bureau would release essential consumer mortgage lending activity data to the public under HMDA. The guidance sets forth the CFPB’s analysis of information and the related risks associated with individual loan level consumer data, as well as data aggregates, which could identify individual consumers.

The CFPB is responsible for collecting this data and then posting it publicly so that users of the HMDA database can extrapolate trends in consumer mortgage lending. In its current form, the HMDA database contains data about residential homebuyers and applicants that may allow users of the data to identify individual consumers, transactions, and properties. With this latest guidance, the CFPB is taking steps to diminish the risk that individuals could be identified by users of the HMDA database. Some of the specific measures the CFPB proposes include:

  • Excluding certain data points from the HMDA database, including the universal loan identifier; the date the application was received; the date of action taken by the financial institution on a covered loan or application; the address of the property securing the loan; and the credit score relied on in making the credit decision.
  • Excluding free-form text fields used to report applicant or borrower race; applicant or borrower ethnicity; the name and version of the credit scoring model used to generate each credit score or credit scores relied on in making the credit decision; the principal reason or reasons the financial institution denied the application, if applicable; and the automated underwriting system name.
  • Modifying the public loan-level HMDA data to reduce the precision of most values reported, including rounding the amount of the covered loan, and the value of the property securing the loan, to the nearest $10,000 interval; reporting borrowers’ ages in ranges (i.e., 25 to 34, 35 to 44, 45 to 54, 55 to 64, and 65 to 74); and reporting the borrower’s total monthly debt-to-income ratio relied on in making the credit decision in ranges, unless the consumer’s debt-to-income ratio is between 40 and 50 percent, in which case it will be reported as submitted by the financial institution.
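The three kinds of measures listed above (dropping identifying data points, dropping free-form text, and reducing the precision of the values that remain) are a standard de-identification pattern. The following is an added illustration, not code from the CFPB or the HMDA platform, that applies those rules to a single constructed loan record. The field names, the sample record, the labels for ages outside the ranges the guidance lists, and the debt-to-income ranges other than the 40 to 50 percent band are assumptions; only the suppressed data points, the $10,000 rounding, the age ranges, and the 40 to 50 percent exact-reporting band come from the guidance as summarized here.

```python
"""Illustrative HMDA-style loan-level de-identification (constructed example).

Applies the three kinds of measures described in the guidance to one record:
drop direct identifiers, drop free-form text fields, and reduce the precision
of the remaining sensitive values by rounding and binning. Key names are
assumptions, not the HMDA data dictionary.
"""
from __future__ import annotations

from typing import Any

# Data points the guidance excludes from the public file outright.
SUPPRESSED_FIELDS = frozenset({
    "universal_loan_identifier", "application_date", "action_taken_date",
    "property_address", "credit_score",
})

# Free-form text fields the guidance excludes (assumed key names).
FREE_TEXT_FIELDS = frozenset({
    "race_free_text", "ethnicity_free_text", "credit_score_model",
    "denial_reason_free_text", "aus_name",
})

# Age ranges listed in the guidance; labels for ages outside them are assumed.
AGE_BINS = [(25, 34), (35, 44), (45, 54), (55, 64), (65, 74)]


def round_to_10k(amount: int) -> int:
    """Round to the nearest $10,000, half up (round() would use banker's rounding)."""
    return (int(amount) + 5_000) // 10_000 * 10_000


def bin_age(age: int) -> str:
    """Replace an exact age with the range it falls in."""
    for lo, hi in AGE_BINS:
        if lo <= age <= hi:
            return f"{lo}-{hi}"
    return "<25" if age < 25 else ">74"  # assumption: edge labels not in the guidance


def report_dti(dti: float) -> str:
    """Exact value only inside 40-50%; otherwise a range (range edges are constructed)."""
    if 40 <= dti <= 50:
        return f"{dti:g}%"
    if dti < 20:
        return "<20%"
    if dti < 30:
        return "20%-<30%"
    if dti < 40:
        return "30%-<40%"
    if dti <= 60:
        return ">50%-60%"
    return ">60%"


def deidentify(record: dict[str, Any]) -> dict[str, Any]:
    """Return the public-file version of a loan-level record."""
    public: dict[str, Any] = {}
    for key, value in record.items():
        if key in SUPPRESSED_FIELDS or key in FREE_TEXT_FIELDS:
            continue  # never copied into the public file
        if key in ("loan_amount", "property_value"):
            public[key] = round_to_10k(value)
        elif key == "applicant_age":
            public[key] = bin_age(value)
        elif key == "dti_ratio":
            public[key] = report_dti(value)
        else:
            public[key] = value
    return public


def leaked_fields(public_record: dict[str, Any]) -> set[str]:
    """Audit check: suppressed keys that still appear in a published record."""
    return set(public_record) & (SUPPRESSED_FIELDS | FREE_TEXT_FIELDS)


# Constructed sample record (all values fictitious).
SAMPLE_RECORD: dict[str, Any] = {
    "universal_loan_identifier": "EXAMPLE-ULI-0001",
    "application_date": "2017-09-01",
    "action_taken_date": "2017-09-20",
    "property_address": "1 Example St, Anytown",
    "credit_score": 712,
    "credit_score_model": "Example Model v9",
    "denial_reason_free_text": "",
    "loan_amount": 245_000,
    "property_value": 312_400,
    "applicant_age": 41,
    "dti_ratio": 43.0,
    "loan_purpose": "home purchase",
}

if __name__ == "__main__":
    public = deidentify(SAMPLE_RECORD)
    print(public)
    print("leaked:", leaked_fields(public) or "none")
```

The `leaked_fields` check is the piece a privacy program would run on the output side: it confirms nothing on the suppression lists survived into the record that leaves the organization, independent of how the transformation was implemented.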

What it means for financial services providers

The CFPB appears to be focused not only on the underlying purpose of the legislation, but also on ensuring that consumer privacy is protected. The CFPB’s guidance provides a clear analysis of what the bureau considers to be information that, alone or when combined with other information, may pose a risk to customers if exposed to the public domain. This guidance is a positive step towards closing a potential opening that cyber criminals could exploit to steal, misuse, sell, or manipulate consumer data. The guidance also serves as a roadmap for what the CFPB believes is information about consumers that may be harmful or sensitive if disclosed, and provides a window into the CFPB’s expectations for financial services companies that can be used to internally analyze a company’s data privacy program.

The CFPB’s guidance reflects the seriousness and breadth of cybersecurity threats facing any institution that uses or stores a consumer’s personal information. Consumer real estate transactions have been in the public record in many jurisdictions for years, but the potential for widespread digital abuse of that data has resulted in the federal government and certain states limiting public access to it. As a result, it is imperative that financial institutions understand the key elements of a robust data privacy program, including the types of data the company collects, where the data is stored, who has access to the data, how the data flows internally within the organization, how the data is submitted outside the organization, security controls at each access point, and data classification and sensitivity levels. Likewise, companies should conduct training, education, table-top and privacy risk exercises to prepare for potential threats.

As the landscape continues to change and regulators focus on increased regulation and enforcement of state and federal data privacy laws, companies must continue to reassess and build robust data privacy programs.