Over the past several years, the mortgage industry has grown leaps and bounds with respect to its use of technology and data. Consumers are being approved in minutes, some mortgages no longer require appraisals, online Webcam notaries are “at the closing table” and artificial intelligence (AI) is being discussed at every conference.
Companies have emerged with solutions to improve marketing personalization, optimize the customer application experience, create a more automated and efficient workflow management for employees, aspects of compliance and fraud detection are automated and, coming full circle, online behavioral data is available to identify customers who are back in the market for another loan allowing banks to recapture more business. The amount of data and technology involved in running a mortgage business today is substantially more than it was a decade ago.
Mortgage lenders collect a lot of data on consumers, directly and indirectly, and typically use many systems that talk to each other passing the data back and forth using APIs (application programming interface). Whether regarded as a “fintech” or “old-school,” lenders are relying on these technologies and leveraging data to make better decisions across the organization. With California’s recent privacy law enacted, the California Consumer Privacy Act (CCPA), businesses will now have to provide notice to consumers about what data is collected, how it is collected, and allow consumers the ability to request their data not be sold, or even be deleted if it is not in conflict with another law. This was a momentous privacy law passed by a state, and, in all likelihood, the first of many which will affect the way our industry does business.
What is the California Consumer Privacy Act (CCPA)?
The CCPA went into effect January 2020 and affects businesses that meet any one of the following criteria:
►Exceed $25 million in annual revenue;
►Collect, share, sell or receive information on 50,000-plus California consumers; or
►Fifty percent or more of revenue is from the sale of consumer information.
If your company meets any of those criteria, you are subject to California’s privacy law and must comply. First and foremost, you must notify California consumers of your data collection practices, including what you collect and how you collect it. You must also provide a “Do Not Sell My Information” link, allowing consumers to opt-out of their data being sold to a third party. California consumers now have the right to know what information lenders have about them and a request to delete the information assuming it isn’t in conflict with another law. Upon a consumer’s request, businesses have 30 days to respond with the allowance of an extension to 45 days, however, a response is required under the law. It’s important to note that there are laws and regulations that exist in lending requiring the retention of consumer information. When a retention requirement applies to the consumer request, businesses are still required to respond and should do so with the reason why their request cannot be fulfilled.
The California Attorney General’s office will be tasked with enforcing the CCPA as consumers do not have the private right of action which has plagued many banks and lenders with the Telephone Consumer Protection Act (TCPA) unless the consumer was affected by a data breach of which non-encrypted and non-redacted personal information was breached and the company did not take “reasonable security procedures and practices” to protect the consumer’s information.
As of the time of this writing, the California Attorney General is still finalizing the enforcement actions (they are expected any day now), however, enforcement actions are set to begin on July 1, 2020.
California is the first state, but certainly not the last
California took the first big leap by passing the CCPA, but there are many other states who have their own privacy laws in the works. It is likely other states will use the CCPA as the framework. Many are actually hoping for the federal government to provide a sweeping data privacy law to simplify the process of complying. After all, it’s easier to comply with one law than it is to comply with 50 variations that all have some slight difference from the others.
Time to update privacy policies and procedures
Lenders should have already updated privacy policies, notified Californians of their data collection practices, and enabled a method to make requests about what a business has collected on them, to opt-out of their information being sold to third parties, and to delete their information. But the time is right for mortgage lenders to dive deeper into their business and understand how the data on their consumers is passed between various systems, how it is stored, and where they may be vulnerable to cyberattacks that can lead to breaches.
Regardless of whether a lender is a technology-focused “fintech” or an “old-school” lender still using file folders (yes, they still exist), protecting a consumer’s private and sensitive information should be a top priority as data breaches have become more common and resulted in damaging headlines. Given the nature of our industry and amount of personal information that is required to complete a mortgage loan, lenders are a prime target for cyberattacks and we will certainly see companies in our industry, lenders and vendors who service them, fall victim to data breaches.
Lenders are not only reviewing their safeguards, but they are also reviewing the practices of their vendors as well. Jornaya is a data vendor in major-life purchase industries (mortgage, real estate, insurance, auto, etc.) providing proof of notice for CCPA and future privacy laws, proof of consent for TCPA, and the ability to monitor consumers for online behaviors that signal when they are back in-market for a mortgage, or other major purchases. This knowledge enables marketers to engage at the right time for the right product and convert more consumers. Many banks and lenders assume this is done via capturing and monitoring consumers personal information, however, it is done in a privacy friendly manner that doesn’t require clients to share any personal information. The consumers’ data is hashed, which is best described as one-way encryption. If there were a data breach, cyber attackers would only see something similar to “GY@90n^&Ik(YsT$375!joi734fg/Qn68,” which protects consumers. Some of the well-known platform vendors used for digital mortgage applications, whose purpose is to collect the consumers information, implement strong security practices to protect the data such as purging the data 30-90 days after collection to minimize the risk and exposure, unless otherwise requested by the lender. These are great examples of vendors who have strong security practices to protect their clients’ consumer data. You should be well informed on what your vendors are doing, or, more importantly, what they are not doing.
What steps can your company take to honor privacy?
Finally, consider the following action items to ensure your organization is truly honoring the consumer:
►Storage and access: Most businesses store data on multiple media types, each technology and format requiring its own type of protection. Understand storage and access.
►Solutions: Here at Jornaya, we recently extended our compliance product suite to assist companies in meeting the requirements of the CCPA, as well as potential future state and federal regulations.
Disclaimer: Any and all content provided (material, information, graphics, etc.), and any other versions and variations of the content (e.g. in PDF via e-mail or otherwise) is provided only for general information. It is not intended to serve as, or as a substitute for, legal or compliance recommendations, advise, or infer to be used in any particular way by you or your company, and not intended to be used as a basis for making business/commercial decisions.
Mike Eshelman is head of consumer finance at Jornaya, a data-as-a-service platform that delivers consumer journey insights to publishers, marketers, analytics and compliance professionals with the highest-resolution view of the consumer buying journey. Mike can be reached by e-mail at MEshelman@Jornaya.com.
This article originally appeared in the March 2020 print edition of National Mortgage Professional Magazine.