The Consumer Financial Protection Bureau issued final policy guidance on December 21, 2018, explaining how it will make available to the public data submitted by financial institutions under the Home Mortgage Disclosure Act (HMDA). The CFPB comprehensively revised HMDA reporting requirements in 2015, and extensive new data collection requirements became effective this year, with a reporting deadline of March 2019. With three months to go before that deadline, the CFPB could not have waited much longer to announce how it will publicly disclose the HMDA data while still protecting sensitive information.

Under the new HMDA requirements, reporting financial institutions must notify the public that the institutions’ data may be obtained on the CFPB’s website. The CFPB is then responsible for protecting applicant and borrower privacy, even as privacy risks evolve. The industry has expressed concern about the breadth of the data the CFPB will be collecting under the new HMDA reporting requirements, and about the increased reidentification risks that could arise upon making the data public (that is, the risk that someone could link an identified individual to his or her HMDA data). Commenters emphasized that if borrowers or applicants could be identified from the HMDA data, predators could target consumers for identity theft, fraudulently pose as the borrower’s lender, or otherwise misuse the data.

However, the CFPB declined to follow the commenters’ requests to exclude from the public all the new data required to be reported under the 2015 HMDA final rule. The CFPB recognized the inherent reidentification risk, but determined that the benefits of certain data disclosure outweigh that risk. The CFPB determined that most of the HMDA data is not sensitive and does not substantially facilitate reidentification or create a risk of harm. The CFPB reportedly employed a balancing test, requiring that HMDA data be excluded from public disclosure or modified when the release of the unmodified data would create risks to applicant and borrower privacy interests that are not justified by the benefits to the public of that release.

Accordingly, at least for 2018 data, the CFPB will modify the HMDA loan-level data to exclude the following fields: Continue Reading CFPB Issues Final Guidance on Public Disclosure of HMDA Data

The California legislature was active in 2018, enacting several new requirements and provisions applicable to the financial services industry. Those requirements include an important and comprehensive privacy regime (the California Consumer Privacy Act of 2018, or CCPA), which establishes new protections for personal information that covered commercial enterprises collect. The CCPA becomes effective January 1, 2020, with implementing regulations due July 1, 2020.

However, many new California provisions become effective on January 1, 2019, including new foreclosure protections (and the reinstatement of certain protections from the California Homeowner Bill of Rights) and the exclusion of reverse mortgage loans from certain successor-in-interest protections. A new requirement to provide mortgage loan modification disclosures in the language in which they are negotiated (e.g., in Spanish, Chinese, Tagalog, Vietnamese, or Korean) becomes effective for covered entities once the regulator develops those disclosures.

California also imposed new restrictions and requirements applicable to debt collectors and a new licensing obligation for servicers of student loans, and expanded certain financial protections for servicemembers.

Read more about California’s active legislature in Mayer Brown’s recent Legal Update.

The American Financial Services Association (AFSA) gathers for its 2018 Annual Meeting in Marina del Rey, California on October  21 – 24. Mayer Brown partner Jon Jaffe, of the firm’s Financial Services Regulatory Enforcement Group, will present for the AFSA Law Committee on Mortgage Lending – Hot Topics. He also will help coordinate a roundtable discussion on Privacy and Security.

Five Mayer Brown attorneys in the Financial Services Regulatory & Enforcement group presented at the American Bar Association Business Law Section Annual Meeting in Boston last week.

Ori Lev spoke on a panel discussing the CFPB’s enforcement track record.  The panel addressed a study by Professor Chris Peterson of the S.J. Quinney College of Law at the University of Utah that provided an empirical analysis of the CFPB’s enforcement cases and Ori’s analysis of the CFPB’s use of its new abusiveness authority.

Matthew Bisanz moderated, and Jeff Taft participated on, a Banking Law Committee panel discussion of current cybersecurity issues for large financial institutions, including the regulatory and enforcement posture of the federal banking agencies; examiner expectations; government response to cyber events at financial institutions; and the relevance of the CFPB’s consent order against Dwolla to larger banking organizations.

David Beam moderated a panel on legal issues presented by various applications of blockchain technology, particularly in connection with consumer financial products.  Panelists included representatives of American Express Company, Capital One, and the Federal Trade Commission.

Alicia Kinsey spoke on a panel discussing BSA/AML compliance challenges for community banks, which included a discussion of FinCEN’s new customer due diligence rule, NYDFS AML/sanctions rule on transaction monitoring and filtering programs, as well as observations on AML compliance issues from regulators from the FRB and NCUA.

A modern business conference phone, close-up of speaker unit

On March 2, 2016, the Consumer Financial Protection Bureau (CFPB) undertook its first data security enforcement action in a consent order against Dwolla, Inc., a payment network provider that allegedly made deceptive representations about its data security practices. The consent order makes clear that, going forward, consumer financial services companies will have to navigate another set of regulatory expectations as they work to secure consumer data against cyber threats.

On April 21, 2016, from 11:00 a.m. – 11:30 a.m. EDT, please join Mayer Brown lawyers Ori Lev, Stephen Lilley and David Tallman for a discussion of the CFPB’s Dwolla enforcement action and its implications for the consumer financial services sector.  Further information and a link for registration can be found here.