Privacy

Subscribe to Privacy

Last week — roughly 8 1/2 years after the CFPB published a letter to financial institutions promising to develop rules “expeditiously” — the CFPB held an information-gathering symposium on Section 1071 of the Dodd-Frank Act. Section 1071 amended the Equal Credit Opportunity Act to require that financial institutions collect and report information concerning credit applications made by women- or minority-owned businesses and by small businesses.

As we previously noted, once Section 1071 is implemented, institutions will be required to collect information regarding the race, sex, and ethnicity of the principal owners of small businesses and women- and minority-owned businesses. Collection of this information is designed to “facilitate enforcement of fair lending laws,” among other things. Applicants can refuse to provide required information, but the financial institution must retain the required demographic information that it collects and submit it to the CFPB. Section 1071 mandates that, where feasible, a financial institution’s underwriters, officers, employees, or affiliates involved in making credit determinations should not have access to this demographic information, and applicants must receive notice if those individuals do receive access to demographic information.

While the CFPB is responsible for drafting rules to implement Section 1071, it had not previously taken significant steps to meet that obligation other than reporting on some preliminary research it conducted in 2017. The CFPB had moved the Section 1071 rulemaking to “long-term” status. However, in its Spring 2019 rulemaking agenda, the CFPB indicated that it expected to resume pre-rulemaking activities related to Section 1071.
Continue Reading

Mayer Brown offers its Global M&A Podcast Series as an easy way to stay up-to-date on the latest M&A trends globally—legal issues and other related, timely topics. Available on iTunes, each episode draws on the perspective that our lawyers have gained from doing deals in various regions around the world.

In a recent episode, partners

The Consumer Financial Protection Bureau issued final policy guidance on December 21, 2018, explaining how it will make available to the public data submitted by financial institutions under the Home Mortgage Disclosure Act (HMDA). The CFPB comprehensively revised HMDA reporting requirements in 2015, and extensive new data collection requirements became effective this year, with a reporting deadline of March 2019. With three months to go before that deadline, the CFPB could not have waited much longer to announce how it will publicly disclose the HMDA data while still protecting sensitive information.

Under the new HMDA requirements, reporting financial institutions must notify the public that the institutions’ data may be obtained on the CFPB’s website. The CFPB is then responsible for protecting applicant and borrower privacy, even as privacy risks evolve. The industry has expressed concern about the breadth of the data the CFPB will be collecting under the new HMDA reporting requirements, and about the increased reidentification risks that could arise upon making the data public (that is, the risk that someone could link an identified individual to his or her HMDA data). Commenters emphasized that if borrowers or applicants could be identified from the HMDA data, predators could target consumers for identity theft, fraudulently pose as the borrower’s lender, or otherwise misuse the data.

However, the CFPB declined to follow the commenters’ requests to exclude from the public all the new data required to be reported under the 2015 HMDA final rule. The CFPB recognized the inherent reidentification risk, but determined that the benefits of certain data disclosure outweigh that risk. The CFPB determined that most of the HMDA data is not sensitive and does not substantially facilitate reidentification or create a risk of harm. The CFPB reportedly employed a balancing test, requiring that HMDA data be excluded from public disclosure or modified when the release of the unmodified data would create risks to applicant and borrower privacy interests that are not justified by the benefits to the public of that release.

Accordingly, at least for 2018 data, the CFPB will modify the HMDA loan-level data to exclude the following fields:
Continue Reading

The California legislature was active in 2018, enacting several new requirements and provisions applicable to the financial services industry. Those requirements include an important and comprehensive privacy regime (the California Consumer Privacy Act of 2018, or CCPA), which establishes new protections for personal information that covered commercial enterprises collect. The CCPA becomes effective January 1,

The American Financial Services Association (AFSA) gathers for its 2018 Annual Meeting in Marina del Rey, California on October  21 – 24. Mayer Brown partner Jon Jaffe, of the firm’s Financial Services Regulatory Enforcement Group, will present for the AFSA Law Committee on Mortgage Lending – Hot Topics. He also will help

Five Mayer Brown attorneys in the Financial Services Regulatory & Enforcement group presented at the American Bar Association Business Law Section Annual Meeting in Boston last week.

Ori Lev spoke on a panel discussing the CFPB’s enforcement track record.  The panel addressed a study by Professor Chris Peterson of the S.J. Quinney College of Law

A modern business conference phone, close-up of speaker unit

On March 2, 2016, the Consumer Financial Protection Bureau (CFPB) undertook its first data security enforcement action in a consent order against Dwolla, Inc., a payment network provider that allegedly made deceptive representations about its data security practices. The consent order makes clear that, going forward, consumer financial services companies will have to navigate another