QuestSoft Compliance Cafe Blog


How the CFPB is Addressing HMDA Privacy Concerns

Sep 26, 2017 by Brian Arnesen

The CFPB recently addressed how it planned to handle the privacy concerns raised by its new HMDA reporting and collection requirements. The number of submitted fields is nearly tripling, and all of this data must be stored by both financial institutions and the CFPB. With the recent security breaches at Equifax and the SEC, the privacy and security of this expanded dataset is a major concern.

The CFPB plans to exclude certain fields from the data that it publishes, among them: the Universal Loan Identifier (ULI), the Application Date, action taken, property address, credit scores, NMLSR ID, AUS Result, free form Government Monitoring Information (GMI) and the denial reason(s). But is this enough?


The CFPB is also considering using age ranges to reduce precision and make it harder to match individual consumers to their loans. Instead of publishing exact loan amounts, it will round the number up every $5,000. The same tactic will be used for property values.

While these steps may prevent the average consumer from identifying his neighbor’s loan application, they won’t prevent people and advocacy groups from obtaining sensitive information about individuals. The information will be collected and stored on government servers, which have been exploited numerous times at other agencies. Until the CFPB takes steps to further safeguard this stored data, or changes the data that is collected, this is just a band-aid solution to the even bigger problem of data security. The Bureau needs to do more to assure consumers that their data will be private and that a breach, if one occurs, will not be as catastrophic as the Equifax hack.

According to the Bureau’s website:

The Bureau is seeking public comment on the proposal issued today, and will carefully consider any feedback received through the comment process before announcing the final policy guidance. The public comment period will be open for 60 days following publication in the Federal Register.

The proposed policy guidance is available at: 

We urge lenders to make their voices heard. The future of lending privacy is at stake.