HMDA Redux Is an Invasion of Borrower's Privacy, Lenders Say

Register now

Mortgage lenders are raising alarms about the Consumer Financial Protection Bureau's expansion of data gathered under the Home Mortgage Disclosure Act. Some are even going so far as to call the recently released final rule a massive data grab and an invasion of borrowers' privacy.

Home loan borrowers will be shocked, mortgage experts and lawyers say, when they learn just how much personal information the government plans to collect on mortgage applicants and borrowers. Whether that warning is a fair policy challenge or hyperbole is debatable, but this much is certain: the CFPB's final rule expanding HMDA will be hotly contested over the next two years. A key concern for the industry is how much of the data will ultimately be publicly disclosed. The pushback by the lending industry has already begun.

"Basically every piece of information that is relevant about someone who buys a house will be in the government's hands," said Leonard Ryan, president of QuestSoft, a Laguna Hills, Calif., provider of HMDA reporting and fair lending compliance software. "They want nearly every detail that you would give to a bank to get a loan. It's a lot of very personal data and the only way to avoid being in the CFPB's new database will be to pay cash for a house."

Ryan has discussed the expanded HMDA requirements with hundreds of lenders. When they see the new list of data fields, many express concerns that "it is a big data grab, almost like the NSA database," he said, referring to the National Security Agency's collection of consumer phone records.

The CFPB's 797-page rule makes sweeping changes to Regulation C, which implements HMDA, and was mandated by the Dodd-Frank Act. The final rule requires that financial institutions report 48 data fields on each borrower, including total points and fees and the borrower's age, credit score and property value.

Currently, publicly released HMDA data is primarily broken down by geography, race, gender and whether an applicant was approved, or denied, for a loan. But denial rates have always been tough to interpret without more information, researchers say.

Ultimately, lenders are concerned about how the government plans to use this raft of data. Many believe that with so much more information on mortgages, the data will be used as a basis for filing more fair lending and discrimination lawsuits against banks and mortgage lenders. Nonbanks in particular are likely to get caught in regulators' cross-hairs.

Though one of the purposes of HMDA data is to identify possible discriminatory lending patterns, the data alone has not been used as the basis for such claims, lawyers say.

"The government has always used the HMDA data as a targeting tool, a starting point, to look at whether there's a problem," said Paul Hancock, a partner in Miami at the law firm K&L Gates.

"Now there's a shift where they say HMDA can be the basis for filing a disparate impact claim. Are they now going to take this data and say we don't need any more information, we're going to sue you based on the data?"

Leonard Chanin, a partner in San Francisco at the law firm Morrison & Foerster, said there is "little doubt that [the CFPB] and Department of Justice will use this data to carefully scrutinize lending."

By collecting more granular information on mortgage applicants, regulators could better determine who is getting loans — and who isn't. The data is expected to provide more insight into why blacks and Hispanics have been turned down for home loans at nearly three times the rate of white borrowers.

"With the new data set you can simply use an Excel spread sheet without much skill and pinpoint pricing, points and fees, rates, ethnicity — and you can see if any protected classes are being declined," said John Vong, the co-founder and president of ComplianceEase, a Burlingame, Calif., software company that updates 20 different loan origination systems currently in use. "For plaintiff lawyers and class-action lawyers, it could be a gold mine."

The expanded data will allow regulators to better analyze pricing information including total origination charges and total discount points. The myriad fees baked into a 30-year mortgage have long been a source of contention for consumers and regulators. Regulators could potentially be able to slice the data and compare pricing and rates among lenders.

"This is a bit of a game-changer because it's the first time there's a view of the cost of mortgage credit at the front end of the business," said Faith Schwartz, a senior vice president of government and public affairs at CoreLogic. "This hasn't been transparent other than inside [a lenders'] own shop."

Key Changes

To be sure, the mortgage industry scored a couple of victories with the CFPB's final rule, released Oct. 15. The effective date for new HMDA requirements was pushed back by a year to Jan. 1, 2018. Lenders will collect the new information in 2018 and then report the information by March 1, 2019.

Warren Traiger, counsel in the New York office of BuckleySandler, said he is advising banks and mortgage lenders to use the next two years to prepare.

"I might advise clients to internally treat 2017, maybe even 2016, as the effective date and see what the data would show under the new rules," Traiger said.

"That would give them an opportunity to explain or address any disparities that would flow from those numbers."

The final rule adds 25 new data points and modifies 14 others in addition to the existing nine data fields that lenders were already required to report under HMDA.

Though the agency dropped four datasets it initially proposed to collect last year, some lenders said the final rule was still going to be overly burdensome, particularly for smaller institutions. The bureau dropped a proposed requirement to detail whether a loan is a qualified mortgage.

It also scrapped plans for lenders to report the initial draw period on an open-end line of credit; the risk-adjusted, prediscounted interest rate, and the metropolitan statistical area.

Still, the Independent Community Bankers Association claims the CFPB is exceeding its authority under Dodd-Frank and had urged the bureau to only adopt new HMDA data specifically required by the statute.

Among other things, the final rule requires lenders to report specifics on the property value, loan terms, the applicant's debt-to-income ratio, discount points charged on the loan and the duration of any teaser interest rates.

It also requires lenders to provide data on other loans tied to a home, such as reverse mortgages and open-end lines of credit, down to the address of the property.

The final rule also mandates a change to the data format for HMDA reporting. The current format stores and presents data in a simply layout known as a "flat file." The new HMDA format will use a relational database that follows the Mortgage Industry Standards Maintenance Organization's data dictionary.

Perhaps the biggest victory for financial institutions came from the dropped reporting requirements for commercial transactions.

The final rule limits HMDA reporting to loans or lines of credit that are for personal, family or household purposes, including closed-end home-equity loans, home equity lines of credit and reverse mortgages. The final rule also excludes unsecured home improvement loans.

The CFPB's initial proposal would have significantly expanded HMDA reporting to include loans for business or commercial purposes if the loan was secured by a residential structure, which would have included apartment buildings.

The CFPB also added a standardized reporting threshold so small lenders with low loan volumes are exempted from reporting HMDA data.

The agency estimates that this new threshold will reduce the number of lenders who have been required to report HMDA data by 22%, or 1,400 small lenders.

Consumer Privacy

The CFPB essentially punted in its final rule on how much of the expanded data will be disclosed publicly, but it will continue to explore the issue and accept public comment.

The bureau plans to apply a so-called balancing test, to determine whether and how HMDA data should be modified prior to being publicly disclosed, mostly to protect borrower privacy. The CFPB said it will set up a process "at a later date" for public comment to balance privacy concerns with the underlying purpose of HMDA.

Some lending experts think the inclusion of a borrower's age, credit score and property information could easily be combined with public data to identify specific consumers. The CFPB has said that property addresses will not be publicly released. Data experts are still concerned that individual borrowers could be identified using HMDA data.

"Mortgage customers as the cream of the crop because they have a lot of assets, so marketers will try to reverse engineer the data, and pinpoint the individuals they want to cross-sell everything from auto loans to credit cards," said Vong.

Chanin, at Morrison & Foerster, suggests that some borrower information may have to be redacted, or data like credit scores may have to be put in ranges, or tiered, for researchers to analyze.

"These are really thorny issues," Chanin said. "We don't know what they're going to come up with in terms of privacy selection and data security."

Pete Mills, senior vice president of residential policy and member engagement at the Mortgage Bankers Association, said lenders need to focus on any security risks in transferring the data to the CFPB.

He also is concerned about potential data breaches. For example, if the HMDA data is given to academics, consumer advocacy groups or even private researchers, who will determine if there is security to protect consumer privacy.

"How is the bureau going to make sure they can protect the data?" said Mills. "It's a little spooky."

Since 2011, the CFPB has completed 12 large-scale collections of consumer financial data including data on 173 million mortgage loans from a data aggregator, according to a study last year by the federal Government Accountability Office.

The GAO found that the CFPB has taken actions to protect consumer data and has established an information security program. But the GAO also found some weaknesses including in how service providers protect consumer data.

In its final rule, the bureau said is takes strong measures to mitigate security risks and is development improvements to the HMDA data submission process, including "further advancing encryption if necessary to protect data."

The CFPB went even further by stating that it does not believe a financial institution could be held legally liable for the exposure of data "due to a breach at a government agency or for reporting data to a government agency if the institution was legally required to provide the data to the agency."

Start Planning Now

Amy Downey, a product manager and regulatory expert in consumer compliance at Wolters Kluwer, has been trying to raise awareness among banks and lenders about the sheer magnitude of the expanded HMDA changes.

"This is much bigger than people think," Downey said. "Giving data to your regulator is much harder than giving it to anybody else."

Downey is advising lenders to start planning, budgeting and "getting executive buy-in now."

From January to March, most lenders will focus on their next HMDA submissions. The expanded HMDA reporting can easily take six months or more, including training, she said.

Most of the work will need to be done updating loan origination systems with the new HMDA data fields. Some loan origination system platforms do not allow certain data like credit scores to be pulled and exported.

Other information, like a borrower's income, may have to be reverified. There are many technical rules on how to report the data so the addition of all the new data fields will be a challenge.

"There is an operational complexity to this," Downey said. "It may not be a dollar cost, but it's [information technology] and you to schedule it and get it done."

The accuracy of a lender's data will be paramount.

"Even the best institutions have challenges with data accuracy," said Schwartz at CoreLogic.

"It's going to be a challenge to make sure the systems talk to one another. It's important to have good information, accurate data and good quality control, so you know your own book of business better than everybody else," added Schwartz.

For reprint and licensing requests for this article, click here.