The Consumer Financial Protection Bureau issued final policy guidance on December 21, 2018, explaining how it will make available to the public data submitted by financial institutions under the Home Mortgage Disclosure Act (HMDA). The CFPB comprehensively revised HMDA reporting requirements in 2015, and extensive new data collection requirements became effective this year, with a reporting deadline of March 2019. With three months to go before that deadline, the CFPB could not have waited much longer to announce how it will publicly disclose the HMDA data while still protecting sensitive information.

Under the new HMDA requirements, reporting financial institutions must notify the public that the institutions’ data may be obtained on the CFPB’s website. The CFPB is then responsible for protecting applicant and borrower privacy, even as privacy risks evolve. The industry has expressed concern about the breadth of the data the CFPB will be collecting under the new HMDA reporting requirements, and about the increased reidentification risks that could arise upon making the data public (that is, the risk that someone could link an identified individual to his or her HMDA data). Commenters emphasized that if borrowers or applicants could be identified from the HMDA data, predators could target consumers for identity theft, fraudulently pose as the borrower's lender, or otherwise misuse the data.

However, the CFPB declined to follow the commenters’ requests to exclude from the public all the new data required to be reported under the 2015 HMDA final rule. The CFPB recognized the inherent reidentification risk, but determined that the benefits of certain data disclosure outweigh that risk. The CFPB determined that most of the HMDA data is not sensitive and does not substantially facilitate reidentification or create a risk of harm. The CFPB reportedly employed a balancing test, requiring that HMDA data be excluded from public disclosure or modified when the release of the unmodified data would create risks to applicant and borrower privacy interests that are not justified by the benefits to the public of that release.

Accordingly, at least for 2018 data, the CFPB will modify the HMDA loan-level data to exclude the following fields:

  • Universal Loan Identifier (ULI)
  • Date of application
  • Date of action taken
  • Property address
  • Credit score
  • NMLS mortgage loan originator unique identifier
  • Automated underwriting system (AUS) result
  • Race (free form text field*)
  • Ethnicity (free form text field*)
  • Credit scoring model (free form text field*)
  • Principal reason for denial (free form text field*)
  • AUS name (free form text field*)

(*Free-form text fields allow the reporting of any information, rather than certain specified types of numbers or codes.)

The CFPB will release modified values for the following fields:

  • Loan amount: Loan amount is not a new HMDA data field, but the CFPB determined that modifications to that field are necessary to reduce reidentification risk. Accordingly, the CFPB will disclose only the midpoint for the $10,000 interval into which the reported value falls (e.g., the CFPB would report $115,000 for all loans from $110,000 to $120,000). The CFPB also would disclose whether the loan is over the applicable Fannie Mae/Freddie Mac conforming loan limits.
  • Age: The CFPB will disclose the data in 10-year bins, with a bottom code for ages under 25 and a top code for ages over 74. The CFPB also will disclose whether the age is over 62.
  • Debt-to-income (DTI) ratio: The CFPB will disclose DTI unmodified for loans with DTIs greater than or equal to 36% and less than 50%. For other loans, the CFPB will disclose DTI in bins, with a bottom code for DTIs under 20% and a top code for DTIs of 60% or higher.
  • Property value: The CFPB will disclose the midpoint of the $10,000 interval.
  • Number of dwelling units: The CFPB will disclose in bins, bottom- and top-coded, and the percentage of units that are income-restricted under housing programs

The CFPB decided that it should and will provide public access to the remaining data elements without modification:

  • Borrower/applicant data: income, sex, race, ethnicity, and reasons for denial
  • Property data: state, county, census tract, occupancy type, construction method, manufactured housing secured property type, and manufactured housing land property interest
  • Loan data: loan term, loan type, loan purpose, whether the application was submitted directly to the financial institution, whether the loan was initially payable to the financial institution, whether a preapproval was requested, action taken, type of purchaser, lien status, prepayment penalty term, introductory rate period, interest rate, rate spread, total loan costs or total points and fees, origination charges, total discount points, lender credits, whether the loan was a high-cost mortgage under the Home Ownership and Equity Protection Act (HOEPA), balloon payment, interest-only payment, negative amortization, other non-amortizing features, combined loan-to-value ratio, open-end line of credit flag, business or commercial purpose flag, and reverse mortgage flag
  • Lender data: Legal Entity Identifier (LEI) and financial institution name

Access to that data will allow consumer advocates and other interested parties to conduct more accurate fair lending analyses than previously. However as indicated above, the public will not have access to credit score data — one of the most significant drivers of underwriting and pricing outcomes in home lending. Accordingly, the inferences the public will be able to draw from analyzing the HMDA data will still be quite limited.

Although the CFPB waited until nearly the last minute to issue final guidance on how it will exclude and modify HMDA data for public disclosure, it still indicated that it will start up again with a rulemaking in May 2019 to reconsider these issues. That rulemaking is in addition to the agency’s plans, which former acting director Mick Mulvaney announced last year, to reconsider nearly all aspects of HMDA reporting, including the institutions and transactions newly covered by the reporting obligations and all the new data points. The agency reportedly intends to issue that proposal in March 2019.

Visit us at mayerbrown.com

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2018. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.