The Consumer Financial Protection Bureau issued final policy guidance on December 21, 2018, explaining how it will make available to the public data submitted by financial institutions under the Home Mortgage Disclosure Act (HMDA). The CFPB comprehensively revised HMDA reporting requirements in 2015, and extensive new data collection requirements became effective this year, with a reporting deadline of March 2019. With three months to go before that deadline, the CFPB could not have waited much longer to announce how it will publicly disclose the HMDA data while still protecting sensitive information.
Under the new HMDA requirements, reporting financial institutions must notify the public that the institutions’ data may be obtained on the CFPB’s website. The CFPB is then responsible for protecting applicant and borrower privacy, even as privacy risks evolve. The industry has expressed concern about the breadth of the data the CFPB will be collecting under the new HMDA reporting requirements, and about the increased reidentification risks that could arise upon making the data public (that is, the risk that someone could link an identified individual to his or her HMDA data). Commenters emphasized that if borrowers or applicants could be identified from the HMDA data, predators could target consumers for identity theft, fraudulently pose as the borrower’s lender, or otherwise misuse the data.
However, the CFPB declined to follow the commenters’ requests to exclude from the public all the new data required to be reported under the 2015 HMDA final rule. The CFPB recognized the inherent reidentification risk, but determined that the benefits of certain data disclosure outweigh that risk. The CFPB determined that most of the HMDA data is not sensitive and does not substantially facilitate reidentification or create a risk of harm. The CFPB reportedly employed a balancing test, requiring that HMDA data be excluded from public disclosure or modified when the release of the unmodified data would create risks to applicant and borrower privacy interests that are not justified by the benefits to the public of that release.
Accordingly, at least for 2018 data, the CFPB will modify the HMDA loan-level data to exclude the following fields: