Push for Transparency in MBS Raises Data Security Fears
Recent data and security breaches in the mortgage industry and elsewhere in the business world highlight a challenge for those pushing to improve transparency in securitizations.
Disclosing and verifying loan-level data will be crucial to rebuilding investor confidence in mortgage-backed securities, market participants say. However, doing so raises the possibility that sensitive customer information protected by privacy law could be exposed.
"Nobody wants to be the bank that has their customer's information pasted all over some website just because a borrower got a loan with them," says Chris Killian, managing director and head of the Securities Industry and Financial Markets Association in New York.
Members of his group and the Financial Services Roundtable have voiced such concerns in response to asset-level disclosure requirements in the Securities and Exchange Commission's proposed Regulation AB2. The rule would set new offering, disclosure, and reporting requirements for asset-backed securities, including mortgage bonds.
The SEC was originally planning to release a final version of Reg AB2 at a meeting in February, but after cancelling that meeting it released a staff memorandum proposing a tweak to the asset level disclosure.
The memo suggests issuers might be better protected from privacy rule concerns if they use their websites to disseminate certain specific asset-level data and other information investors may need. A previous proposal suggested the SEC's public EDGAR system could serve as the vehicle for the asset-level data distribution.
The original deadline for comments on the memo was March 28. That day, the SEC extended the comment period another 30 days.
SIFMA members feel they need more information about the latest version of the Reg AB2 rule rather than more time, Killian says. "I think there was a view it didn't represent a complete exploration of what all of the issues are, privacy law related and otherwise, and that the market would benefit from at least reproposing the asset-level disclosure fields."
Sellers of mortgage-backed securities sellers generally want transparency limited to trusted business partners because rules allow them to send otherwise-private data to counterparties for business purposes, so there is less risk of running afoul of privacy concerns.
Reg AB2 calls for broader distribution, though.
"The situation here in Reg AB2 is that this would apply to every single securitization and you would have to grant access to any potential investor, whether you talked to them or not," Killian says. "So the legal concerns are heightened."
High-profile data breaches compound such concerns.
"I think equal to the legal concerns is looking at what's happened with Target and other retailers that have had data breaches in the last year or two. There's a big reputational component," Killian says.
Even a recent distributed denial of service attack that temporarily incapacitated origination technology provider Ellie Mae's systems adds to reputational risk in this area. Although there was no data breach, it shows technology can be vulnerable, Killian says.
However, automation protects data in some ways manual processes may fail to.
"Relying on compliant business rules programed into your system removes some of the human decisions that can cause errors," says Susan McKinnon, manager of mortgage compliance content at Wolters Kluwer Financial Services consulting firm.
Many loan-level technology efforts, including the SEC's proposal, have sought to work around privacy rule concerns while still providing pertinent data to investors by trying to avoid exposing personally identifiable information in ways that violate those rules. A seller of securities could state that a borrower's credit score falls within a certain range rather than giving the exact score on the Edgar system, for example.
However, there are other concerns. The SEC proposal calls for securities sellers to provide all "material information" without a clear definition of what the term means or whether there would be a conflict with privacy rules in fulfilling that requirement, says Killian.
Disclosure of loan-level information in isolation may be allowed under privacy rules, but there is concern that a third party could combine it with other available data in a way that it exposes personal information, says Laurie Goodman, director of the Urban Institute's Housing Finance Policy Center in Washington.
Despite such concerns, most market participants feel more widespread distribution of fully detailed and verified loan-level information is inevitable regardless of whether it is done using the SEC's Edgar system or some other private market vehicle.
"Every aggregation hides the true market effect," says Les Parker, a senior vice president at LoanLogics, a vendor of loan performance analytics and pricing software in Fort Washington, Pa. "The more you summarize, the more you lose accuracy. The future for the market requires that all stakeholders have loan information. The issue is who is going to control it."