TheMReport — News and strategies for the evolving mortgage marketplace.
Issue link: http://digital.themreport.com/i/1228068
M R EP O RT | 37 QUICK INSIGHTS ON: DATA Data Privacy for Mortgage Lenders: CCPA and Beyond The California Consumer Privacy Act brings many compliance concerns to the table, and other states are likely to follow in its footsteps. Here's what you need to know. By Mike Eshelman T his year has wasted little time in disrupting data regulations—specifically with the introduction of the California Consumer Privacy Act (CCPA). For mortgage lenders that have any interaction with consumers in California, the legislation is creating a list of new compliance considerations. And with other state legislation in the works, many in the mortgage industry are trying to understand changes that they need to make now that will also support what is likely to come in the future. Since CCPA's initial rollout on January 1, mortgage lend- ers who conduct business with Californians have been trying to reach full compliance before en- forcement actions are scheduled to begin on July 1. For most, work- ing with a technology partner, es- pecially a data-as-a-service (DaaS) company, can be monumental in navigating the ins and outs of the new compliance standards. Let's take a look at some of the concerns related to CCPA compli- ance, as well as what mortgage lenders should keep in mind as privacy legislation spreads to other states. Top Takeaway Concerns D ata privacy is the cornerstone of the CCPA. However, there are several nuances that still need to be ironed out for mortgage lenders as they navigate the new legislation. Identity Theft Identity theft is a huge concern for mortgage lenders. One com- ponent of the CCPA is the ability for consumers to request the information a business has about them and to learn how that data is being used. Handling these re- quests, however, may be a greater challenge than initially expected. Lenders need to ensure they are not responding to these consumer requests without reasonable verifi- cation that the consumer making the request is the actual consumer in question and not a bad actor trying to steal consumer informa- tion. If I request access to what my mortgage servicer knows about me, it would be reasonable for them to post that information to my account and require me to login and view their response. I'd be understandably concerned if that response was simply emailed to me given the nature of the data that could be involved. It is recommended that lend- ers hire a compliance vendor or outside counsel well informed on CCPA to make these situations more navigable. These partners act as a referee, offering valuable third-party input to verify a safe and compliant process is in place. This partnership can provide a paper trail (if needed) to docu- ment that the required data usage and privacy notices were com- municated to consumers. Data Deletion Since CCPA has gone into effect, another concern that affects mortgage lenders, in particular, is issues regarding data deletion re- quests. Mortgage lenders are held to certain data storage require- ments, and these regulations may conflict with the consumer's right to deletion under the CCPA, leav- ing lenders confused about what course of action to take. For example, when a consumer completes a mortgage application and, a week later, requests that the lender delete their information, lenders cannot fulfill this request due to record retention rules, in case the CFPB audits the company. Although the lender is still required to respond, the request itself can't be fulfilled given the requirement to retain the information. What's Next for Data Privacy Regulations? A s CCPA goes into effect, many other states are looking to it as a blueprint for creating their own data privacy laws. Nevada, New York, Texas, and Washington are just a few states where legislators are starting to follow California's lead by introducing new privacy bills. These laws are trying to provide transparency about what data is being collected on a consumer and how it is being collected, as well as allowing the consumer to be in the driver's seat as to how that data is going to be used. Anchoring all of this is notifications: informing the consumer what's being collected, why, how it's being used, if it's being sold, what the benefits are to the consumer for that data being sold, and giving the consumer more control. Proof and accountability is at the cornerstone of all of these regulations, and working with a compliance partner to implement procedures and documenting notice to, and subsequent com- munications with, consumers will help tremendously. . MIKE ESHELMAN, is the head of consumer finance at Jornaya, a data-as-a-service platform that delivers consumer-journey insights to publishers, marketers, analytics and compliance professionals with the highest-resolution view of the consumer buying journey. With over 14 years' experience in consumer finance, Eshelman has extensive knowledge in lead generation, lead management, and leveraging data sets to deliver desired results in the Mortgage and Personal Loans industries. "If I request access to what my mortgage servicer knows about me, it would be reasonable for them to post that information to my account and require me to login and view their response. I'd be understandably concerned if that response was simply emailed to me given the nature of the data that could be involved."