As lenders look ahead to 2020, they can thank a well-known whistleblower for the next big compliance challenge the industry will face.
Not the whistleblower currently dominating headlines but rather Edward Snowden, who in 2013 leaked highly classified information and exposed, among other things, that U.S. intelligence was paying technology companies for access to systems in order to conduct espionage, including spying on allies.
Those revelations provided significant momentum for passage of Europe’s General Data Protection Regulation, which significantly tightened rules around collection and use of individuals’ personal data. While those rules had limited impact on the U.S. mortgage industry, the effective import of those kinds of restrictions will commence on Jan. 1, when the California Consumer Privacy Act takes effect.
The new law stands to force a broad reassessment for the industry, which is increasingly digitalizing and aggressively buttressing its data collection and access capabilities.
Companies doing business for California residents will soon be obligated by law to document and disclose all personal data on their customers or face financial violations for each person in their system. Exactly what the rules will obligate companies to do is not yet completely clear — final regulations are actually still being worked out. But the general principles are fairly clean-cut and this won’t be a movement confined to California — the CCPA quickly becomes a template for a growing list of states considering similar consumer protections.
Some basics on the act: To fall under its provisions, businesses need to hit one of three parameters: They must either have $25 million in annual gross revenue, earn more than half of their annual revenue from selling consumers’ personal information, or have possession of 50,000 personal data points.
California residents will have the right to know and access what information businesses collect about them and have that data expunged by request. If their data gets sold, the consumer will now be privy to the transaction and to where it gets sold to. They’ll also have the option to say no to any sale of their information without discriminatory retaliation.
If a company loses data through theft or breach, it’s liable for penalties up to $750 per individual’s information lost. If the company fails to comply with any of the statutes, it’ll be subject to fines up to $7,500 per violation.
Data security regulations have been reactionary to an evolving digital world. Makers of the California Consumer Privacy Act set out to have their new law be retroactively proactive.
“I don’t think people understand the gravity of the situation,” said Ike Kavas, founder and CEO of Ephesoft. “Once the consumers are educated about this and then a few companies are punished — because the punishment is really high — then the actual recognition of this act will take place. I think we’ll see big waves in the next two years of consumers making the mortgage companies accountable and mortgage companies making the software vendors accountable.”
As new generations of borrowers entered the fray, the antiquated ways of getting a mortgage needed modernizing. That meant switching out paperwork and physical touchpoints to keep up with a rapidly digitized landscape. Data capture systems were put in place so personal information could be uploaded and saved. It would then be automated to streamline the process, saving time for both the lender and customer.
Over time, data accumulation surged. Lenders would then spread it around to a growing bullpen of technology partners providing artificial intelligence, bots and electronic notarization, further lessening the idle spells and monotonous clerical work.
While this global technological evolution across industries aided the lending process, it left incalculable amounts of personal information out in the ether. An added emphasis on data security and the GDPR in Europe set the impetus for the act. Its goal is to reduce the power Big Data has in society and shift it back to people.
In theory, the Gramm-Leach-Bliley Act prepared institutions for what’s to come, assuming they’ve been meeting requirements. As long as personal information is collected, processed, sold, or disclosed in accordance with the GLBA, the CCPA probably doesn’t apply. However, it’s not blanket coverage and a great deal of the information collected on a day-to-day basis won’t be shielded by it. Lenders could easily get tripped up by thinking that everything they collect is exempt.
While this lightens the compliance burden for mortgage lenders, it doesn’t do away with the need to track how they use individuals’ information, create pathways for communicating that to Californian consumers and delete information upon request.
“CCPA refers to ‘personal information’ while GLBA refers to the more narrowly defined nonpublic information and personally identifiable financial information,” said Paula Tuffin, general counsel and chief compliance officer at Better.com.
“The gulf between GLBA’s narrow definition of nonpublic information and the CCPA’s broader personal information means that lenders will have to make judgment calls on whether the CCPA applies to each piece of information consumers share in the process of obtaining a mortgage. Each of those calls is akin to a blind leap into the privacy enforcement pool. A wrong call could have damaging reputational consequences as well as the risk of fines. For example, the CCPA may apply to leads who have not yet become ‘consumers’ within the GLBA definition. Of concern for digital lenders, information collected about Californian website visitors who are not ‘consumers’ under GLBA may be subject to the CCPA.”
Lenders and servicers need to have all their customer information organized and accounted for if they haven’t done so. Businesses already prepared for GDPR compliance had an exercise in good practice. But this is a new act, with bolstered protections and more control given to consumers.
“Begin mapping your data. If you are a mortgage originator, you obtain lots of information that’s required under various origination statutes in the URLA of a loan application,” said Sanford Shatz, counsel at McGlinchey Stafford. “If the loan is sold, you transferred it to the new owner. If it’s not sold, you hold it in case the loan origination ever becomes separate of regulatory review or litigation. And if it doesn’t, at some point in time you can get rid of it, no problem. But if the borrower asks you for it or you need it for that purpose, where is it and what are you doing with it?”
The onset of 2020 initiates the CCPA’s regulations with a 12-month look-back period. Any California resident can inquire what data businesses have on them, what categories they fall under and where it’s gone, and ask for a copy of the history, dating back to Jan. 1, 2019. A business must then provide the information in a readable, transportable form to the consumer.
It won’t matter if the lender is domiciled in another state or abroad. As long as it conducts business in California, the rules apply. Inversely, the law still kicks in for business outside of the Golden State as long as a California resident is involved.
“The most onerous item is you need to provide a disclosure to the consumer which talks about the categories of information and what particular personal information you are collecting from them before they give it to you,” said Mike Barone, executive director of compliance at MQMR. “So before they tell you anything that’s personal and private, you have to give them a disclosure and make them aware they have these rights under your privacy policies.”