HMDA Amendments a Good Start, But Not Enough

The Economic Growth, Regulatory Relief, and Consumer Protection Act (SB 2155), among other regulatory relief provisions, amended the 2015 Home Mortgage Disclosure Act to provide partial exemptions from the collection and reporting of the expanded 2015 HMDA data points. 

While the law lowers the number of institutions reporting sensitive financial information of mortgage loan applicants, it does not go far enough in that it does not address the issue of keeping certain HMDA data points from being made public. Given the ongoing data security concerns at the Consumer Financial Protection Bureau, the privacy issue must be addressed in a manner that goes much further than what the CFPB proposed in its July 5 statement. 

SB 2155 Amendments to 2015 HMDA Rule

In part, the 2015 HMDA rule added 25 new data points on the loan/application register for both closed-end and open-end lines of credit. This rule requires reporting of the new HMDA data points for mortgage-lending institutions that originated at least 25 closed-end mortgage loans or at least 500 open-end lines of credit in each of the two preceding calendar years (i.e., calendar years 2018 and 2019). 

SB 2155 amends the exemption threshold for both closed-end mortgage loans and open-end lines of credit to fewer than 500 such loans and lines of credit in the preceding calendar year. Note: The current CFPB HMDA summary provides the open-end lines of credit exemption will be reduced to 100 such lines of credit beginning on Jan. 1, 2020, unless the CFPB takes “further action.” SB 2155 appears to make this 500 open-end lines of credit exemption threshold permanent.  

Under SB 2155, for mortgage lenders meeting the closed-end mortgage loans or open-end lines of credit reporting exemption, the requirements of HMDA §304(b)(5) and (6) will not apply.

What this means is that mortgage lenders meeting the closed-end and open-end thresholds will not have to record and report the new HMDA data points, but must still record and report the original 21 HMDA data points on the LAR, which are as follows:

1. Rate Spread (only if above threshold) 
2. HOEPA Status 
3. Action Taken 
4. Action Taken Date 
5. Reasons for Denial (optional, up to 3 reasons) 
6. Income
7. Type of Purchaser 
8. Loan Type 
9. Loan Purpose 
10. Loan Amount
11. Property Type
12. Occupancy Type
13. Lien Status
14. Property Location (MSA or MD, State, County, Census Tract, and Census Tract Number) 
15. Application Date
16. Application/Loan Number 
17. Reporter ID
18. Preapproval Request
19. Sex
20. Ethnicity
21. Race

The exempted lenders will still use the updated LAR. However, the CFPB plans to release exemption codes later this summer for the fields the exempted lenders do not have to report. 

CFPB Proposal Regarding Privacy of HMDA Data

Also anticipated is the final HMDA rule proposed by the CFPB in September 2017 regarding the data that will be made available to the public beginning in 2019 for mortgage lenders that exceed the exemption thresholds provided by SB 2155. 

• Under the proposed rule, the following information data would not be made public:
• The universal loan identifier;
• The date the application was received or the date shown on the application form (whichever was reported);
• The date of the action taken on the application;
• The property address;
• The credit score(s);
• The Nationwide Multistate Licensing System & Registry identifier for the mortgage loan originator;
• The automated underwriting system result; and
• The free form text fields for the following (though the standard fields reported would be disclosed):
  • The applicant’s race and ethnicity;
  • The name and version of the credit scoring model;
  • The principal reason(s) for denial; and
  • The automated underwriting system name.

The loan amount, age of the applicant, the applicant’s debt-to-income ratio and the property value each would be disclosed as a range or an interval. Loan amounts would be reported in intervals of $10,000 as opposed to the nearest $1,000.  

Data Security Concerns

More will need to be done to protect non-public personal information from being disseminated to the public, as there continue to be data security concerns at the CFPB.

For example, the October 2017 Audit of the CFPB’s Information Security Program conducted by the Office of Inspector General found the agency did not mandate the use of personal identity verification credentials for its privileged and non-privileged users, which “poses an increased risk of unauthorized access to the CFPB’s information systems.” Additionally, CFPB “has not ensured that background checks are completed for contractor personnel performing IT work.”  

The OIG’s January 2018 Audit of the CFPB’s Encryption of Data on Mobile Devices found “the CFPB has not been able to provide a full accounting of all laptops that have been assigned to users since the establishment of the agency.”   

In his April 11, testimony presenting the “2018 Semi-Annual Report of the Bureau of Consumer Financial Protection” to Congress, then CFPB Director Mick Mulvaney told lawmakers that the CFPB had suffered 240 data security "lapses" and another 800 "incidents.” Though none have been deemed a major security breach, concerns remain regarding whether the sensitive financials of mortgage loan applicants and home buyers should be transmitted, stored and shared.  

Until greater consumer protections are provided, we will have to settle for fewer institutions reporting this data.  

Veronica Madsen is CEO at ESTEE Compliance, LLC in the Detroit area. Note: The information and opinions provided on this blog are not intended to be legal advice. No attorney-client relationship is formed, nor should any such relationship be implied. Nothing on this blog is intended to substitute for the advice of an attorney that is licensed in your jurisdiction. No article may be republished without the express written permission of ESTEE Compliance, LLC. © 2018

Also by Madsen, read “New HMDA Data Point Recording Begins Jan. 1” and “On Compliance: New European Data Protection Reg Will Impact Your CU.”

Privacy will be at issue in the session “T Minus 10—How to Build an Incident Response Mission Control” at CUES’ Execu/Net, Aug. 19-22 in Sedona, Ariz.