This feature originally appeared in the April issue of MReport.
This year has wasted little time in disrupting data regulations—specifically with the introduction of the California Consumer Privacy Act (CCPA). For mortgage lenders that have any interaction with consumers in California, the legislation is creating a list of new compliance considerations. And with other state legislation in the works, many in the mortgage industry are trying to understand changes that they need to make now that will also support what is likely to come in the future.
Since CCPA’s initial rollout on January 1, mortgage lenders who conduct business with Californians have been trying to reach full compliance before enforcement actions are scheduled to begin on July 1. For most, working with a technology partner, especially a data-as-a-service (DaaS) company, can be monumental in navigating the ins and outs of the new compliance standards. Let’s take a look at some of the concerns related to CCPA compliance, as well as what mortgage lenders should keep in mind as privacy legislation spreads to other states.
Top Takeaway Concerns
Data privacy is the cornerstone of the CCPA. However, there are several nuances that still need to be ironed out for mortgage lenders as they navigate the new legislation.
Identity theft is a huge concern for mortgage lenders. One component of the CCPA is the ability for consumers to request the information a business has about them and to learn how that data is being used. Handling these requests, however, may be a greater challenge than initially expected. Lenders need to ensure they are not responding to these consumer requests without reasonable verification that the consumer making the request is the actual consumer in question and not a bad actor trying to steal consumer information. If I request access to what my mortgage servicer knows about me, it would be reasonable for them to post that information to my account and require me to login and view their response.
I’d be understandably concerned if that response was simply emailed to me given the nature of the data that could be involved. It is recommended that lenders hire a compliance vendor or outside counsel well informed on CCPA to make these situations more navigable.
These partners act as a referee, offering valuable third-party input to verify a safe and compliant process is in place. This partnership can provide a paper trail (if needed) to document that the required data usage and privacy notices were communicated to consumers.
Data Deletion Since CCPA has gone into effect, another concern that affects mortgage lenders, in particular, is issues regarding data deletion requests. Mortgage lenders are held to certain data storage requirements, and these regulations may conflict with the consumer’s right to deletion under the CCPA, leaving lenders confused about what course of action to take. For example, when a consumer completes a mortgage application and, a week later, requests that the lender delete their information, lenders cannot fulfill this request due to record retention rules, in case the CFPB audits the company. Although the lender is still required to respond, the request itself can’t be fulfilled given the requirement to retain the information.
What's Next for Data Privacy Regulations
As CCPA goes into effect, many other states are looking to it as a blueprint for creating their own data privacy laws. Nevada, New York, Texas, and Washington are just a few states where legislators are starting to follow California’s lead by introducing new privacy bills. These laws are trying to provide transparency about what data is being collected on a consumer and how it is being collected, as well as allowing the consumer to be in the driver’s seat as to how that data is going to be used.
Anchoring all of this is notifications: informing the consumer what’s being collected, why, how it’s being used, if it’s being sold, what the benefits are to the consumer for that data being sold, and giving the consumer more control. Proof and accountability is at the cornerstone of all of these regulations, and working with a compliance partner to implement procedures and documenting notice to, and subsequent communications with, consumers will help tremendously.