The Consumer Financial Protection Bureau issued final policy guidance on December 21, 2018, explaining how it will make available to the public data submitted by financial institutions under the Home Mortgage Disclosure Act (HMDA). The CFPB comprehensively revised HMDA reporting requirements in 2015, and extensive new data collection requirements became effective this year, with a reporting deadline of March 2019. With three months to go before that deadline, the CFPB could not have waited much longer to announce how it will publicly disclose the HMDA data while still protecting sensitive information.

Under the new HMDA requirements, reporting financial institutions must notify the public that the institutions’ data may be obtained on the CFPB’s website. The CFPB is then responsible for protecting applicant and borrower privacy, even as privacy risks evolve. The industry has expressed concern about the breadth of the data the CFPB will be collecting under the new HMDA reporting requirements, and about the increased reidentification risks that could arise upon making the data public (that is, the risk that someone could link an identified individual to his or her HMDA data). Commenters emphasized that if borrowers or applicants could be identified from the HMDA data, predators could target consumers for identity theft, fraudulently pose as the borrower’s lender, or otherwise misuse the data.

However, the CFPB declined to follow the commenters’ requests to exclude from the public all the new data required to be reported under the 2015 HMDA final rule. The CFPB recognized the inherent reidentification risk, but determined that the benefits of certain data disclosure outweigh that risk. The CFPB determined that most of the HMDA data is not sensitive and does not substantially facilitate reidentification or create a risk of harm. The CFPB reportedly employed a balancing test, requiring that HMDA data be excluded from public disclosure or modified when the release of the unmodified data would create risks to applicant and borrower privacy interests that are not justified by the benefits to the public of that release.

Accordingly, at least for 2018 data, the CFPB will modify the HMDA loan-level data to exclude the following fields:
Continue Reading

The California legislature was active in 2018, enacting several new requirements and provisions applicable to the financial services industry. Those requirements include an important and comprehensive privacy regime (the California Consumer Privacy Act of 2018, or CCPA), which establishes new protections for personal information that covered commercial enterprises collect. The CCPA becomes effective January 1,

The American Financial Services Association (AFSA) gathers for its 2018 Annual Meeting in Marina del Rey, California on October  21 – 24. Mayer Brown partner Jon Jaffe, of the firm’s Financial Services Regulatory Enforcement Group, will present for the AFSA Law Committee on Mortgage Lending – Hot Topics. He also will help

Five Mayer Brown attorneys in the Financial Services Regulatory & Enforcement group presented at the American Bar Association Business Law Section Annual Meeting in Boston last week.

Ori Lev spoke on a panel discussing the CFPB’s enforcement track record.  The panel addressed a study by Professor Chris Peterson of the S.J. Quinney College of Law

A modern business conference phone, close-up of speaker unit

On March 2, 2016, the Consumer Financial Protection Bureau (CFPB) undertook its first data security enforcement action in a consent order against Dwolla, Inc., a payment network provider that allegedly made deceptive representations about its data security practices. The consent order makes clear that, going forward, consumer financial services companies will have to navigate another