On November 12, 2019, the U.S. Senate introduced S.2834 that would amend the Federal Credit Union Act (FCUA) to exclude loans to veterans from the definition of a member business loan (MBL). The U.S. House reintroduced a similar bill, H.R. 2305, in an effort to provide greater access to loans that may be inaccessible due to a credit union’s MBL cap. Both bills have obtained bipartisan support, increasing the odds of passage.
​
Both bills have been widely praised by the industry and credit union trade associations. However, this bill could have the unforeseen consequence of impacting access to veteran loans if a number of credit unions have as yet avoided implementing a costly commercial loan program, or impose new loan program and compliance expenses 180 days after the enactment of the FCUA amendment to provide a needed service to veteran members.

If veteran loans are excluded from the MBL definition, business loans to veterans would naturally become commercial loans under the law. The National Credit Union Administration (NCUA) would be required to amend the definition of “commercial loan” under Part 723.1 to include veteran loans, without the ability to provide the flexibility to include them as MBLs.

[As an aside, the NCUA should take the opportunity to fix the mistake made after the passage of the 2018 Economic Growth Act where non-occupied, investment property loans were excluded as MBLs, but not included as commercial loans (see ESTEE Compliance Blog dated 6/11/2018).]

Part 723.4 imposes a number of commercial loan program requirements for business loans that fall outside the MBL definition. However §723.1(b) excludes credit unions from the commercial loan policy, and the board and management requirements of the rule if all of the following conditions are met:   

• Less than $250 million in assets;
• A commercial loan portfolio plus commercial loans sold but serviced less than 15 percent of total net worth; and
• In any given calendar year has originated and sold and no longer services commercial loans that in aggregate are less than 15 percent of net worth

At the time Part 723 was revised in February 2016, NCUA MLB Final Rule Summary estimated 660 smaller credit unions, representing 30 percent of credit unions with MBLs, would receive this exemption. According to the NCUA’s Industry at a Glance, as of March 31, 2019, the average credit union asset size is $283 million, which represents a likely reduction in the number of these exemptions since the passage of the 2016 MBL rule revision.
Some credit unions falling outside this exemption without the proper resources or staff experience have decided not to write commercial loans to avoid the expense and compliance burdens associated with a commercial loan program. These bills may force their hand or risk a reduction in access to business loans for veterans.

Before the celebration of removing veteran loans from the MBL cap begins, there are some questions to be answered:

• Will an NCUA regulation require credit unions to inquire about veteran status at the application stage?
• How will this amendment impact existing commercial loan policies (e.g., trade area, concentration, underwriting, risk ratings, etc.)?
• Will this FCUA amendment require a commercial loan program to write veteran business loans?
• Will an NCUA regulation include penalties for evading the commercial loan requirements if the loans continue to be written as MBLs?
• If a commercial loan program would be required, is there a sufficient demand for business loans from veterans that would justify the added expense and compliance risk?
• If a commercial loan program would be required, and your credit union cannot or does not want to invest the resources, is your credit union willing to take the reputation risk of having to say: “We don’t write commercial loans; we write MBLs, but you don’t qualify for one as a veteran”?

Now is the time to consider the implications of an FCUA amendment and begin preparations that may impact your staff and budget for 2020 – despite the drama and many distractions occurring in Congress that will likely delay passage of this bipartisan legislation – to ensure our veterans receive the services they need from the industry. 

Veronica Madsen
 
PLEASE NOTE: The information and opinions provided on this blog are not intended to be legal advice. No attorney-client relationship is formed, nor should any such relationship be implied. Nothing on this blog is intended to substitute for the advice of an attorney that is licensed in your jurisdiction. No article may be republished without the express written permission of ESTEE Compliance, LLC. © 2019
 

The California Attorney General recently released its proposed regulation to the California Consumer Protection Act (CCPA). The CCPA, a privacy statute, was enacted in 2018 and takes effect on January 1, 2020.  Text of the CCPA can be found here, and text of the proposed regulation can be found here. Comment is due by December 6, 2019.

Two items to note regarding the law and the proposed regulation. First, if your institution meets the coverage criteria below, the law’s exemption for financial institutions is not a blanket exemption. Second, the proposed regulation imposes a substantial burden regarding website disclosures for those that are covered under the law.

CCPA Coverage

The CCPA applies to each business that collects personal information about consumers. A “business” is defined as follows:

• A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners
• …that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information
• …that does business in the State of California
• …and that satisfies one or more [Emphasis added] of the following thresholds:
  • Annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to the State of California;
  • Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; and/or
  • Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

“Personal information” includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household…” such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, Internet browsing history, geolocation data, and employment-related information.

The CCPA exempts the collection, processing, selling or disclosure of a consumer’s personal information pursuant to a specified federal law relating to “banks, brokerages, insurance companies…,” which would be covered under the Gramm-Leach-Bliley Act (GLBA). However, the GLBA only protects nonpublic personal information of consumers and customers used for “personal, family or household use,” and you will note the CCPA definition is more expansive.

What does this mean? Institutions covered by the CCPA would remain covered for personal information collected from sole proprietors, prospective employees, independent contractors, and (potentially) website visitors.

CCPA Proposed Disclosure Requirement

The proposed CCPA regulation would require the privacy notices to be “accessible to consumers with disabilities. At a minimum, provide information on how a consumer with a disability may access the notice in an alternative format.” These notices have to be seen before a business collects the information, so if the website is the first contact with a consumer, the website would be required to provide accommodations. 

What the proposed regulation fails to provide is a definition of “disabilities,” or any guidance on what the minimum requirements would be. Taking into account the various forms of disability, compliance with this requirement would be quite burdensome.  

Many financial institutions will not be required to comply with the CCPA. However, it is still worth reviewing, as fourteen other state legislatures have introduced bills to provide greater privacy protections than the (GLBA) provides. The International Association of Privacy Professionals (IAPP) maintains an updated state privacy law comparison chart, which can be found here. In the event additional states pass such laws, the CCPA could well be the model used to draft them.  
 
 Veronica Madsen

​PLEASE NOTE: The information and opinions provided on this blog are not intended to be legal advice. No attorney-client relationship is formed, nor should any such relationship be implied. Nothing on this blog is intended to substitute for the advice of an attorney that is licensed in your jurisdiction. No article may be republished without the express written permission of ESTEE Compliance, LLC © 2019 
 

On August 28, 2019, the Eleventh Circuit Court of Appeals published its opinion in Regions Bank v. Legal Outsource PA regarding whether a guarantor is considered an “applicant” under the Equal Credit Opportunity Act (ECOA). The Eleventh Circuit handles federal appeals arising from cases tried in Alabama, Georgia and Florida.
​
Legal Outsource PA, a law firm wholly owned by Charles Phoenix, defaulted on a Regions Bank loan that triggered the default of a loan and mortgage Regions issued to Periwinkle Partners, LLC, an entity wholly owned by Phoenix’s wife, Lisa Phoenix.

In the Regions Bank actions to enforce its rights under the loan and mortgage, Lisa Phoenix filed a counterclaim that Regions discriminated against her and Charles based on their marital status by demanding Charles Phoenix and Legal Outsource guarantee the Periwinkle loan.

The district court ruled Lisa Phoenix’s counterclaims failed because she lacked standing, as a guarantor is not an “applicant” under the ECOA entitled to anti-discrimination protections. The Eleventh Circuit affirmed this decision.

Phoenix argued Regulation B § 202.2(e), which implements the ECOA, provides the term “applicant” includes guarantors, and §202.7(d)(1) prohibits the signature of a spouse, other than a joint applicant, on any credit instrument if the applicant independently qualified as creditworthy.

The appeals court reasoned the “applicant” under the ECOA is defined as “any person who applies to a creditor directly for…credit, or applies to a creditor indirectly by use of an existing credit plan for an amount exceeding a previously established credit limit.” The court ruled it did not need to defer to the Regulation B definition because the statute’s definition is unambiguous.

This ruling differs from the Sixth Circuit Court of Appeals decision in RL BB Acquisition, LLC v. Bridgemill Commons Dev. Grp, which held the definition of “applicant” under the ECOA was ambiguous and, therefore, deferred to the Consumer Financial Protection Bureau’s interpretation under Regulation B that guarantors are “applicants.” The Sixth Circuit handles federal appeals arising from cases tried in Kentucky, Michigan, Ohio and Tennessee.

This case could go to the U.S. Supreme Court. Why? Not only are the appeals courts split, this issue already was tried before the Supreme Court. On March 22, 2016, the Court upheld the Eight Circuit Court of Appeals decision in Hawkins v. Community Bank of Raymore that spousal guarantors could not bring a discrimination claim against creditors under the ECOA because the guarantors did not qualify as “applicants.” 

However, the Supreme Court’s decision was 4-4, which means the issue is only affirmed and precedential in the Eighth Circuit. The Eighth Circuit handles federal appeals arising from cases tried in Arkansas, Iowa, Minnesota, Missouri, Nebraska, North Dakota and South Dakota.

While we can speculate as to how a full court would rule, it remains to be seen whether a writ of certiorari will be filed to appeal this Eleventh Circuit decision.   

Veronica Madsen
PLEASE NOTE: The information and opinions provided on this blog are not intended to be legal advice. No attorney-client relationship is formed, nor should any such relationship be implied. Nothing on this blog is intended to substitute for the advice of an attorney that is licensed in your jurisdiction. No article may be republished without the express written permission of ESTEE Compliance, LLC. © 2019
 
 

The Eleventh Circuit Court of Appeals released its opinion in Federal Deposit Insurance Corporation v. R. Charles Louderman, Sr., et al on July 22, 2019. The court upheld the District Court for the Northern District of Georgia’s decision finding the directors of the shuttered Buckhead Community Bank jointly and severally liable for negligence.

The Federal Deposit Insurance Corporation (FDIC) closed a failing Georgia bank in 2009 after it suffered millions of dollars in losses due to bad loans. After the FDIC was receiver of the failed bank, the agency sued the directors and officers for negligence and gross negligence for approving ten risky loans resulting from the failure to conduct proper research. The District Court awarded the FDIC nearly $5 million in damages.

The directors were unsuccessful in advancing their arguments that the District Court should have apportioned the director liability because not all of the directors attended the board meetings where the loans were presented and approved. Aside from Georgia law precluding such an argument, the Bank’s quorum-approval policy allowed the Directors’ Loan Committee members “to act as agents for each other.” The policy required unanimous consent for loans to be approved, and at no time did any member - present or absent from the meeting - object to the approval of the loans at issue. As the court stated, “...the absent members, by not exercising their veto power, allowed the quorum to speak for them.”

Lending credence to the negligence claim was the fact that the loan packet information was unreliable. For one of the loans at issue, the loan packet included an appraisal for the land, with the incorrect assumption the land had been rezones at the time of the appraisal. Another loan packet failed to include information related to creditworthiness, but did contain irrelevant information the applicant belonged to a country club.

What can be learned from this case? First, a review of the board policies is in order to determine whether actions taken by those present at meetings can negatively impact those not present when important decisions are made. Second, loan packets should be audited/reviewed before they are presented to the board committee for approval, ensuring all board members receive the information in a sufficient amount of time before the approval vote. Third, board members must be actively engaged by carefully reviewing all submitted information, asking questions, and ensuring all policy requirements have been met before approving any request.

Veronica Madsen
PLEASE NOTE: The information and opinions provided on this blog are not intended to be legal advice. No attorney-client relationship is formed, nor should any such relationship be implied. Nothing on this blog is intended to substitute for the advice of an attorney that is licensed in your jurisdiction. No article may be republished without the express written permission of ESTEE Compliance, LLC. © 2018

The courts deciding issues under the Telephone Consumer Protection Act (TCPA) in 2018 did little to provide greater clarity on how callers can effectively avoid liability for telephone calls and text messages to consumers. Until the Federal Communications Commission (FCC) issues another TCPA Order in light some of these court decisions, Congress passes amendments to the law, and/or the U.S. Supreme Court addresses the conflicting decisions of the various appeals courts, compliance with the TCPA will depend on where you do business.
 
What is an “Automated Telephone Dialing System”?
 
Perhaps the area of greatest confusion and risk of liability lies with the issue of how an automated telephone dialing system (ATDS) is defined.
 
The FCC 2015 Order interpreted an ATDS to include equipment that has the potential ability to dial randomly or sequentially, including by the modification of equipment or adding software to provide these capabilities in the future.
 
A number of entities, including ACA International, requested judicial review of the 2015 Order. On March 16, 2018, the D.C. Circuit Court of Appeals in ACA International v. FCC rejected the FCC’s 2015 interpretation of an ATDS. The court ruled it is unreasonable to conclude a smartphone qualifies as an ATDS “because they have the inherent ‘capacity’ to gain ATDS functionality by downloading an app.” The focus, the court ruled, should be on “how much is required to enable the device to function as an autodialer.”
In response to this decision, the FCC sought the following comment on TCPA interpretations:

• What is an “automatic telephone dialing system”?
• What should “capacity” mean in light of the court’s ruling that smartphones are not included?
• How much effort should be required to enable the device to function as an ATDS? Flipping a switch?
• How “automatic” must dialing be for equipment to qualify as an ATDS?
• Does the word “automatic” envision non-manual dialing of telephone numbers?
• Must such a system dial numbers without human intervention?
• Must it dial thousands of numbers in a short period of time? If so, what is a “short period of time”?
• Can it be an ATDS if the equipment cannot itself dial random or sequential numbers?
• Does the prohibition apply if the call doesn’t use the automatic function?
• Does the “called party” refer to “the person the caller expected to reach”? Or does it refer to the party the caller reasonably expected to reach? Or does it refer to “the person actually reached, the wireless number’s present-day subscriber after reassignment”? Or does it refer to a “customary user” (such as a close relative on a subscriber’s family calling plan), rather than the subscriber him/herself”?
• How can a called party may revoke prior express consent to receive robocalls?
• What opt-out methods would be sufficiently clearly defined and easy to use such that “any effort to sidestep the available methods in favor of idiosyncratic or imaginative revocation requests might well be seen as unreasonable”?

Comment had ended on June 28, 2018, but the FCC reopened its comment call after the Ninth Circuit Court of Appeals expanded its interpretation of an ATDS in its Marks v. Crunch San Diego, LLC decision dated September 20, 2018. In this case, gym operator Crunch was alleged to have violated the TCPA by sending promotional text messages using an ATDS without consent.

The Ninth Circuit ruled the TCPA’s language was “ambiguous on its face” regarding whether the phrase “using a random or sequential number generator” modifies both “store” and “produce.” The court interpreted the TCPA to mean an ATDS is “not limited to devices with the capacity to call numbers produced by a ‘random or sequential number generator’ but also includes devices with the capacity to stored numbers and to dial store numbers automatically.” 

Note: The Ninth Circuit covers Arizona, California, Idaho, Nevada, Montana, Oregon and Washington.

As a result of the Marks decision, the FCC requested comment on the following questions:

• To the extent the statutory definition is ambiguous, how should the FCC exercise its discretion to interpret such ambiguities here?
• Does the interpretation of the Marks court mean that any device with the capacity to dial stored numbers automatically is an automatic telephone dialing system?
• What devices have the capacity to store numbers?
• Do smartphones have such capacity?
• What devices that can store numbers also have the capacity to automatically dial such numbers?
• Do smartphones have such capacity?
• In short, how should the FCC address these two court holdings?
• We also seek comment on any other issues addressed in the Marks decision that the FCC should consider in interpreting the definition of an “automatic telephone dialing system.”

 
This comment period ended on October 24, 2018.

On October 30th, the Ninth Circuit denied the defendant’s Petition for Rehearing En Banc. Crunch has 90 days to submit a Petition for Writ of Certiorari with the Supreme Court. Given the different appellate court rulings on the ATDS definition, it is highly likely this issue will go before the U.S. Supreme Court regardless of how the FCC rules.

For example, on June 26, 2018, the Third Circuit Court of Appeals in Dominguez v. Yahoo ruled in light of the D.C. Circuit’s ACA International decision, a plaintiff must prove a phone system has the present capacity (and not the potential capacity) to generate random and sequential telephone numbers and dial those numbers.

In Dominguez, the consumer received approximately 27,800 text messages in 17 months from Yahoo on his used smartphone alerting him to Yahoo emails he was receiving. Because the prior owner of the phone had enrolled the number in Yahoo’s text messaging notification system, Yahoo responded to his request to stop the messages that the service could only be stopped if the former owner of the phone disabled it himself. The court ruled Yahoo’s Email SMS Service did not have the present capacity to function as an ATDS. 

Note: The Third Circuit Court of Appeals covers Delaware, New Jersey, Pennsylvania and the Virgin Islands.  

On June 29, 2018, the Second Circuit Court of Appeals in King v. Time Warner Cable sided with the ACA International decision that the term “capacity” means a device’s present functions, and remanded the case back to the District Court to determine whether TWC’s systems had the ability to perform the functions of an ATDS when it made the calls to King. King, the plaintiff and a customer of Time Warner Cable (TWC), agreed to receiving telephone calls, including automated messages. King sued TWC after receiving over 150 automated voice message collection calls for another customer who had owned her cell phone number, even after requesting the calls cease.

Note: The Second Circuit Court of Appeals covers Connecticut, New York and Vermont.  

Who is the “Called Party”?
 
The ACA International Court affirmed the 2012 Seventh Circuit Court of Appeals decision in Soppet v. Enhanced Recovery Company, LLC that the “’called party’ means the person subscribing to the called number at the time the call is made.”
 
While neither King nor Dominguez were the intended parties called or texted, neither case addressed the meaning of the “called party” as an issue.
 
Revocation of Consent
 
In 2018, the courts treated the issue of consent revocation differently as well.
 
After receiving a number of calls with prior express consent, the plaintiff in McMillion v. Rash Curtis & Associates told the defendant: “I told you guys to stop called [sic] me, but you guys keep calling me…I asked you nicely to stop calling and that I didn’t have anything that you needed at the moment but if I do come across it I’ll definitely give you guys a call. But you guys are not supposed to be calling me.” The U.S. District Court for the Northern District of California on February 2, 2018 denied the defendant’s argument that revocation of consent must “clearly express his or her desire not to receive further calls,” and held in that service of a legal complaint operates as revocation as a matter of law.
 
However, the U.S. District Court for the Northern District of Ohio ruled on April 30, 2018 in Barton v. Credit One Financial that the plaintiff could not orally revoke consent when the contract specifically required a revocation in writing. The court held the plaintiff could not “unilaterally alter the terms of the agreement to claim that his oral revocation of consent was valid.”
 
The FCC’s 2015 Order provides a different standard. The order provides revocation must be reasonable, which is determined by the totality of the circumstances. Callers cannot may not designate a method of opting out in ways that make it difficult or impossible to revoke consent.
 
The D.C. District Court in ACA International held callers “have every incentive to avoid TCPA liability by making clearly-defined and easy-to-use opt-out methods.”
 
On March 28, 2018, the U.S. District Court for the District of New Jersey ruled in Rando v. Edible Arrangements that the Plaintiff’s efforts were not reasonable. Edible Arrangements instructed consumers to reply “STOP” to cease future text messages. The Plaintiff instead texted: (1) “Take my contact info off please”; (2) “I want to confirm that I have been removed off your contacts”; (3) “I asked to be removed from this service a few times. Stop the messages ; and (4) “Again I want to stop this service thank you.”   
 
On October 26, 2018, the Ninth Circuit ruled in Epps v. Earth Fare, Inc. that the plaintiff’s attempt to stop text messages from the defendant with texts such as “I would appreciate if we discontinue any further texts” and “Thank you but I would like the texts messages to stop can we make that happen” were not reasonable because it was communicated to just text “Stop.”

Congressional Action

Both the U.S. House of Representatives and the U.S. Senate have drafted legislation amending the TCPA. The “Stopping Bad Robocalls Act” (H.R. 6026 and S. 3078), would add a new definition of “robocall” in place of an ATDS. The new term would include devices that making calls using “numbers stored on a list” (in addition to dialing random or sequential numbers). The new definition clarifies robocalls do not include using equipment where “substantial additional human intervention” is required to place the call.
 
The bills would also require the FCC to establish a nationwide database of reassigned telephone numbers. Voice providers would have to ensure information is accurate and prevent calls from connecting where caller ID verification cannot be made. The bills would also extend the statute of limitations for FCC enforcement of TCPA violations from 1 year to 4 years.
 
It remains to be seen whether either bill will pass out of committee to a full vote.
 
Veronica Madsen
PLEASE NOTE: The information and opinions provided on this blog are not intended to be legal advice. No attorney-client relationship is formed, nor should any such relationship be implied. Nothing on this blog is intended to substitute for the advice of an attorney that is licensed in your jurisdiction. No article may be republished without the express written permission of ESTEE Compliance, LLC. © 2018
 

The Consumer Financial Protection Bureau has amended Regulation Pto implement changes to the Gramm-Leach-Bliley Act regarding the conditions under which financial institutions—including credit unions—need not provide annual privacy notice to consumers.

The final rule provides an exception to the requirement to provide an annual notice to “customers,” as defined in Regulation P §1016.3(i), herein referred to as “members.” To qualify for the annual privacy notice exception, the following two conditions must be met:

1. The credit union must not share nonpublic personal information about members, except as described in certain statutory exceptions that do not require an opt-out (i.e., §1016.13, §1016.14 and §1016.15); and
2. The credit union must not have changed its policies and practices with regard to disclosing nonpublic personal information from those the institution disclosed under §1016.6(a)(2) through (5) and (9) in the most recent privacy notice it sent. 

Credit unions that provide an opt-out on a voluntary basis for permitted sharing would still meet the exception. Additionally, any opt-out required under the Fair Credit Reporting Act that is contained in the privacy notice will have no bearing on the availability of the annual privacy notice exception.

However, credit unions that choose to take advantage of the annual notice exception must still provide any opt-out disclosures required under the FCRA, if applicable, though they are not required annually. Credit unions can provide these disclosures through other methods, for example, through their initial privacy notices in most circumstances. 
When the Exception No Longer AppliesUnder the final rule, when the exceptions are no longer met, an annual privacy notice must be provided. The timing of the required annual notice differs, depending on whether the change that causes the credit union to no longer qualify for the annual notice exception also triggers a requirement under Regulation P to deliver a revised notice. 

Section 1016.8 requires credit unions to provide revised notices to members before nonpublic personal information is shared with a nonaffiliated third party if their sharing would be different from what was described in the initial notice delivered. After delivering the revised notice, the credit union must also give the member a “reasonable opportunity” to opt out of any new information sharing beyond the Regulation P exceptions before the new sharing occurs. 

When an annual notice is required, it must be provided ‘‘at least once in any period of 12 consecutive months.’’ A credit union may define the 12-consecutive-month period but must apply it to the customer on a consistent basis. 

When the annual notice requirement is triggered, credit unions must deliver the annual notice within 100 days after the change that caused the exception to be lost.  The final rule provides an example for when a credit union must provide an annual notice after it no longer meets the exception.  

The example assumes that a credit union changes its policies or practices effective April 1 of year one and defines the 12-consecutive-month period as a calendar year. The regulation states the credit union must provide an annual notice by December 31 of year two if the credit union was required to provide a revised notice prior to the change and provided that revised notice on March 1 of year one in advance of the change. The credit union must provide an annual notice by July 9 of year one if the credit union was not required to provide a revised notice prior to the change. 

When the credit union once again meets the exception after having to provide annual notices, the annual notice would no longer be required. 
Alternative Delivery Method Effectively Eliminated Previously under Regulation P, credit unions using the alternative delivery method were required to mail annual notices to members who requested them by telephone. Credit unions were also required to include a clear and conspicuous statement of availability at least once a year on an account statement, coupon book, or a notice or disclosure the credit union issued under any provision of law. 

The final rule has eliminated the alternative delivery method for providing the annual privacy notice. Credit unions that meet the conditions to use the alternative delivery method will also meet the conditions of the annual privacy notice exception.

Credit unions that qualify for the new annual notice exception may still choose to post privacy notices on their websites, and/or deliver privacy notices to members upon request. Such activities will not affect the eligibility for the new exception. 

This final rule became effective on Sept. 17, 2018.

The Economic Growth, Regulatory Relief, and Consumer Protection Act (SB 2155), among other regulatory relief provisions, amended the 2015 Home Mortgage Disclosure Act to provide partial exemptions from the collection and reporting of the expanded 2015 HMDA data points. 
While the law lowers the number of institutions reporting sensitive financial information of mortgage loan applicants, it does not go far enough in that it does not address the issue of keeping certain HMDA data points from being made public. Given the ongoing data security concerns at the Consumer Financial Protection Bureau, the privacy issue must be addressed in a manner that goes much further than what the CFPB proposed in its July 5 statement. 
SB 2155 Amendments to 2015 HMDA Rule
In part, the 2015 HMDA rule added 25 new data points on the loan/application register for both closed-end and open-end lines of credit. This rule requires reporting of the new HMDA data points for mortgage-lending institutions that originated at least 25 closed-end mortgage loans or at least 500 open-end lines of credit in each of the two preceding calendar years (i.e., calendar years 2018 and 2019). 
SB 2155 amends the exemption threshold for both closed-end mortgage loans and open-end lines of credit to fewer than 500 such loans and lines of credit in the preceding calendar year. Note: The current CFPB HMDA summary provides the open-end lines of credit exemption will be reduced to 100 such lines of credit beginning on Jan. 1, 2020, unless the CFPB takes “further action.” SB 2155 appears to make this 500 open-end lines of credit exemption threshold permanent.  
Under SB 2155, for mortgage lenders meeting the closed-end mortgage loans or open-end lines of credit reporting exemption, the requirements of HMDA §304(b)(5) and (6) will not apply.
What this means is that mortgage lenders meeting the closed-end and open-end thresholds will not have to record and report the new HMDA data points, but must still record and report the original 21 HMDA data points on the LAR, which are as follows:

1. Rate Spread (only if above threshold) 
2. HOEPA Status 
3. Action Taken 
4. Action Taken Date 
5. Reasons for Denial (optional, up to 3 reasons) 
6. Income
7. Type of Purchaser 
8. Loan Type 
9. Loan Purpose 
10. Loan Amount
11. Property Type
12. Occupancy Type
13. Lien Status
14. Property Location (MSA or MD, State, County, Census Tract, and Census Tract Number) 
15. Application Date
16. Application/Loan Number 
17. Reporter ID
18. Preapproval Request
19. Sex
20. Ethnicity
21. Race

The exempted lenders will still use the updated LAR. However, the CFPB plans to release exemption codes later this summer for the fields the exempted lenders do not have to report. 
CFPB Proposal Regarding Privacy of HMDA Data
Also anticipated is the final HMDA rule proposed by the CFPB in September 2017 regarding the data that will be made available to the public beginning in 2019 for mortgage lenders that exceed the exemption thresholds provided by SB 2155. 

• Under the proposed rule, the following information data would not be made public:
• The universal loan identifier;
• The date the application was received or the date shown on the application form (whichever was reported);
• The date of the action taken on the application;
• The property address;
• The credit score(s);
• The Nationwide Multistate Licensing System & Registry identifier for the mortgage loan originator;
• The automated underwriting system result; and
• The free form text fields for the following (though the standard fields reported would be disclosed):
  • The applicant’s race and ethnicity;
  • The name and version of the credit scoring model;
  • The principal reason(s) for denial; and
  • The automated underwriting system name.

​The loan amount, age of the applicant, the applicant’s debt-to-income ratio and the property value each would be disclosed as a range or an interval. Loan amounts would be reported in intervals of $10,000 as opposed to the nearest $1,000.  
Data Security Concerns
More will need to be done to protect non-public personal information from being disseminated to the public, as there continue to be data security concerns at the CFPB.
For example, the October 2017 Audit of the CFPB’s Information Security Program conducted by the Office of Inspector General found the agency did not mandate the use of personal identity verification credentials for its privileged and non-privileged users, which “poses an increased risk of unauthorized access to the CFPB’s information systems.” Additionally, CFPB “has not ensured that background checks are completed for contractor personnel performing IT work.”  
The OIG’s January 2018 Audit of the CFPB’s Encryption of Data on Mobile Devices found “the CFPB has not been able to provide a full accounting of all laptops that have been assigned to users since the establishment of the agency.”   
In his April 11, testimony presenting the “2018 Semi-Annual Report of the Bureau of Consumer Financial Protection” to Congress, then CFPB Director Mick Mulvaney told lawmakers that the CFPB had suffered 240 data security "lapses" and another 800 "incidents.” Though none have been deemed a major security breach, concerns remain regarding whether the sensitive financials of mortgage loan applicants and home buyers should be transmitted, stored and shared.  
Until greater consumer protections are provided, we will have to settle for fewer institutions reporting this data.  
Veronica Madsen is CEO at ESTEE Compliance, LLC in the Detroit area. Note: The information and opinions provided on this blog are not intended to be legal advice. No attorney-client relationship is formed, nor should any such relationship be implied. Nothing on this blog is intended to substitute for the advice of an attorney that is licensed in your jurisdiction. No article may be republished without the express written permission of ESTEE Compliance, LLC. © 2018