
The implementation date of the Consumer Financial Protection Bureau's final Home Mortgage Disclosure Act Rule is fast approaching, and the mortgage industry still has not received any answers regarding its data privacy concerns.

While the privacy issue has been raised repeatedly by those in the mortgage industry, the CFPB has thus far avoided addressing the valid concerns and states that the bureau will use a "balancing test" to "determine whether and, if so, how HMDA data should be modified prior to its disclosure in order to protect applicant and borrower privacy while also fulfilling HMDA's disclosure purposes."

The CFPB simply states that at a later date, the bureau will provide a process for the public to provide input regarding the application of this balancing test to determine the HMDA data that will be publicly disclosed. That "later date" is rapidly approaching.

Currently, there is a lot of public data on the internet and more is added daily. The CFPB also publishes the HMDA data that it collects, and makes it all downloadable and searchable through its online HMDA tool. The National Mortgage Database, a separate joint project between the CFPB and the Federal Housing Finance Agency, is in the works and will also house a lot of loan-specific and possibly personally identifying data. Then there are online county records systems, such as the one used in the five boroughs of New York City, called the Automated City Register Information System. All of these databases offer different, identifiable data points about a property and its owner.

As widely reported, the new rule will require lenders to provide more than the current data points in today's HMDA reporting. Some of the new data points include borrower age, credit score, a unique loan identifier, property value, application channel, points and fees paid, borrower-paid origination charges, discount points, lender credits, loan term, interest rate and loan originator identifier. The complete list of data points as well as their descriptions can be found on the CFPB's Summary of Reportable HMDA Data — Regulatory Reference Chart. The expansion of these data points expands the risk of possible disclosure of a borrower's personal information, and also opens lenders up to scrutiny surrounding their fair lending practices.

Currently, the mortgage industry has no idea how the CFPB is even accounting for the fact that information from multiple databases can be aggregated to re-identify a borrower.

The data being collected could be used for criminal purposes, and would also be extremely valuable if used to create marketing lists. The new data points contain personal identifiers that sales departments look for in leads to generate sales. Even competing mortgage companies would be interested in the data. With all the money that one can make compiling and parsing this data, you can be guaranteed someone will attempt to re-identify each applicant with whatever data is published. So the fact that the CFPB is not actively doing more to quell these concerns should distress not only the lenders who are collecting and reporting said data, but also anyone who plans to apply for a residential mortgage after 2018.

Since the lenders are the ones who will be collecting, storing and reporting this data, it's natural to assume that in the event of a data breach or identity theft resulting from the improper sharing or publishing of the data, borrowers will look to the mortgage industry for relief — which may result in increased litigation. The CFPB has stated that the liability for the data being improperly used would not lie with the lenders and those required to report under HMDA. But what the bureau fails to consider is that no one can control whom an individual can sue. It will not matter that the data was being collected for regulatory purposes when the resulting lawsuits are filed. Even if the complaints are meritless and can be defeated, the increase in complaints brought against mortgage lenders has a very real cost attached to it, no matter what the outcome of the litigation may be.

While the industry waits for direction on the data security issue, there are also the increased fair lending risks that come along with these new data points. When the rule is implemented, the CFPB will be armed with more statistics to argue the presence of fair lending violations. The best approach to limit this risk is to get ahead of the rule early. Start collecting the data points as soon as possible and internally test for any evidence of disparate impact.

Craig Nazzaro is of counsel in Baker Donelson's Atlanta office and is a member of the Consumer Finance Litigation and Compliance Group.