Is your credit union ready to begin violating Regulation P?
This post is excerpted and adapted with permission from its original version.
There has been a good deal of chatter regarding the potential changes to the Consumer Financial Protection Bureau with the appointment of a new director, Mick Mulvaney, a known critic of the agency and how it has conducted business. At the top of the credit union industry’s “wish list” should be amendments to the Home Mortgage Disclosure Act’s expansion and dissemination of private financial information that will be exposed to the public beginning in September 2019.
There’s plenty of concern about the exponentially expanded fair lending analysis these new data points present, not to mention the potential exposure to data breaches and resulting litigation. But even more confounding is that some of the information required to be publicly disclosed will expose confidential consumer financial information that, if disclosed in any other form by financial institutions, would violate Regulation P (privacy).
On Oct. 28, 2015, the CFPB amended Regulation C, which implements HMDA to, among other things, expand the information that must be reported each year on the loan/application register. In September 2019, submitted LAR information will be made public on the Federal Financial Institutions Examination Council’s website regarding the expanded data submitted in 2018 for each mortgage lender that meets the HMDA reporting threshold requirements (which are adjusted annually).
LARs are used by the Federal government to determine whether financial institutions are serving the housing needs of consumers, whether government resources are allocated appropriately, and whether mortgage lenders are engaging in potentially discriminatory lending practices.
In addition to the list of information that credit unions must begin to record in 2018 for reporting in 2019, the property address and the automated underwriting system mortgage lenders used to evaluate applications must be reported and will be disclosed. The CFPB stated in its October 2015 final rule it anticipated this information will not be in the publicly-released data, but has not yet made this official.
It won’t be too difficult to connect the dots to determine which consumers obtained a financial service from your credit union, which is considered “nonpublic personal information” under Regulation P. It is doubtful many home-buying consumers are aware their private financial information is going to be exposed to the world, and that the CFPB (the supposed consumer watchdog) has—as of yet—done nothing to ensure this information will be kept private.
Commenters making a similar argument when these data points were proposed were told in a footnote to the final rule that the CFPB understands some of this information “may create privacy concerns sufficient to warrant some degree of modification, including redaction, before public disclosure, but it has determined that all of the data required to be compiled and reported under the final rule significantly advance HMDA’s purposes.”
While a good deal of information regarding a home sale can be found online (e.g., sale price, home size and projected value), what business is it of anyone to know your gross income, how much you are borrowing, your debt-to-income and combined-loan-to-value ratios, your credit score, the interest rate you pay, your total loan and origination charges levied, your age, and/or why you may have been denied a mortgage loan?
As the CFPB stated in its October 2015 HMDA final rule, the agency adopted a “balancing test to determine whether and how HMDA data should be modified prior to its disclosure to the public in order to protect applicant and borrower privacy while also fulfilling the disclosure purposes of the statute.” The agency also stated it intends to provide “a process for the public to provide input on the application of the balancing test to determine the HMDA data to be publicly disclosed.
This rule has been finalized for over two years, with no action taken to protect nonpublic personal consumer information. No regulation should require the violation of another, and your members’ private financial information should not be exposed. The CFPB has yet to listen effectively regarding these concerns. Perhaps with a new director, they will. The time to act is now.
Veronica Madsen is an associate attorney with Howard & Howard, Royal Oak, Mich., where she specializes in financial institution regulatory compliance. Before joining Howard & Howard, she served as the VP/compliance/chief compliance officer with an emerging fintech platform helping small and medium-sized businesses secure financing and working capital solutions. She also owned a compliance consulting company, ESTEE Compliance, LLC, that assisted credit unions with their regulatory compliance needs.
Get a link to our monthly "On Compliance" column delivered to your email inbox when you subscribe to our weekly CUES Advantage e-newsletter.
Hear the presentation "Why Credit Unions Get Sued and How You Can Help Your Credit Union Avoid It" during CUES' Execu/Summit, March 11-16, Big Sky, Mont.