As consumer data protection has become a mainstream topic, a new alphabet soup of regulations is popping into existence. While federal and state regulators work (sometimes with, sometimes against each other) to address the headline concerns, complex preemption and poorly understood compliance rules risk stifling innovation and hamstringing workflows for financial service providers and their vendors.
In a recent panel hosted by National Mortgage News, Sagent CLO Wendy Lee moderated a conversation with four industry insiders to explore the current and future state of consumer data and privacy protections. This wide-ranging discussion dove deep into the impacts on the mortgage industry and the technology we use today along with a focus on what’s just around the corner.
The panel included MBA’s Director, State Government Affairs Kobe Pruitt and Regulatory Specialist Gabriel Acosta, Alston & Bird partner Amy Mushahwar, and Blackmarker’s founder Vic Diloreto. Their combined expertise represents a cross-section of regulation, legislation, and innovation within mortgage, so the conversation was chock-full of information. We highly recommend it for your listening queue (embedded below). But to make sure you can benefit from this hour-long session right away, we’ve recapped the session below to highlight the most valuable pieces of wisdom.
Gabriel Acosta began by explaining that both political parties have advanced their own bills to address the effects of “big tech” in our society. While these bills were developed to target companies like Google, the mortgage industry — considering the wealth and breadth of consumer data it collects and moves — is “caught in the crossfire” and will certainly be impacted.
The Democrats’ recently launched bill, the American Data Privacy and Protection Act (ADPPA), addresses consumer consent, existing and future rulemaking, and covered entities. A distinguishing component of the ADPPA is how it interacts with existing law — that is, federal preemption. Conflicts remain with regard to the application of the bill, so there are still questions about its impacts on the way current regulations, such as the Graham-Leach Bliley Act (GLBA), would be applied to our industry.
Meanwhile, Republicans are advancing the McHenry Bill. The McHenry Bill takes a different approach by amending the GLBA to include new covered entities (such as data aggregators) and increases disclosure requirements to ensure consumers have a meaningful understanding of what their data will be used for, as well as what privacy policies affect their data. The bills from both parties include opt-out provisions for consumers.
It’s uncertain whether either of them will pass given the short amount of time before the conclusion of the 117th Congress on January 3, 2023. Still, with the bipartisan work being done and the similarities between the two proposals, this is not an issue that’s going away. And, as Gabriel notes, the MBA would prefer to see a bill that includes federal preemption — even with very aggressive regulations — because of the complexities introduced by 50 different state-level laws.
Amy closed this segment by noting that most privacy actions happen at the agency level, and that the FTC has been very active this year, updating GLBA to expand the definition of financial institutions included in the Safeguards Rule. Considering that most viewers of this session are directly or contractually subject to GLBA, she had this to say about the effects on our industry:
Gone are the days that we can retreat, saying ‘Oh, well we’re not subject as an industry to comprehensive information security regulation.’
Kobe weighed in about state movements, saying that he expects 10-20 states to take action on data privacy laws in the next year, if not passing full overhauls of their laws, then focusing on details such as data-breach protections. From the MBA perspective, the more federal inaction that states observe, the more they begin to fill those gaps to serve their constituents. But unfortunately, they often focus on the headlines such as the Home Depot breach. So, while state legislators and policymakers focus on data brokers such as “the Googles,” the mortgage industry catches “a stray bullet” when it comes to these regulations.
This has resulted in a patchwork of state laws that, in some cases, prevents financial institutions from sharing borrower information with vendors that’s required as a basic part of their financial services. Some states (e.g. California) have taken an approach called a “data-level exemption” meaning that institutions are liable for the specific data they collect in that state. The MBA is concerned about this approach, so they’re pushing states to adopt full “entity-level” GLBA exemptions. This means that institutions who are compliant with GLBA would be exempt from state laws. Recently, this has been adopted by Colorado, Connecticut, Virginia, and Utah, and MBA hopes this signifies a trend.
Kobe also noted recent proposed legislation in the District of Columbia (B24-0558) colloquially known as “the algorithm bill” which would have restricted lenders from using algorithms when making financial services decisions. While our industry sees algorithms and related automation as a way to provide convenience to — and enhancement for — our customers, the legislators see it differently:
Their concern being that these algorithms would potentially have a disparate impact on people of color or communities that are traditionally underserved by their financial institutions. We’re likely to see more types of bills like that going forward.
Amy noted that CFPB has also opened hearings into AI transparency. And while our industry has enjoyed the benefits of AI-powered automations in originations and servicing, we have yet to provide a high level of transparency about how those algorithms operate. So, while the legislative problems across 50 states are front of mind, just around the corner may be even more compliance and operational issues that affect the way we implement automation into our workflows.
The AI discussion landed directly in Vic’s wheelhouse. His company offers a solution that uses machine learning to redact personal/sensitive information from various types of documents in preparation for court cases. For Blackmarker’s part, the training data regarding the types of information to be redacted is group-agnostic and transparent by nature. But Vic noted that it’s different when using AI for applications such as predicting loan-repayment propensity or credit scores. In such scenarios, we would need to consider outside testing, model monitoring, and careful consideration of the data that’s feeding the AI in order to build – and most importantly – maintain trust.
He went on to say that models and algorithms are quite prevalent now in terms of libraries and code to get results very quickly, which comes with a caveat:
So the temptation of good, fast results vs the responsible question of ‘How did we get here?’ comes into play.
Amy concluded the AI discussion by describing the concerns about AI and automation in general, saying that it falls into three levels of auditing: The training data used to test the algorithms, the algorithms themselves, and the output data. Anyone exploring the use of AI or machine learning needs to think through the entire end-to-end audit infrastructure and ask themselves, “Are you auditing sufficiently to really understand how they operate?”
Amy also pointed out that some recent legislation could hamper basic functions for originators and servicers because legislators are often far removed from our industry and don’t understand how data is used. So in the case of California-esque bills, data that would be used under the GLBA Joint Marketing Exception (for example) could be subject to state laws. In this case, compliance would prove very complex for any nationally operating organization which, as Gabriel and Kobe pointed out earlier, is why MBA is advocating for entity-level exemptions.
Amy kicked off this final segment by calling attention to the effect of international laws such as the GDPR (but also those in China, Japan, Latin America, etc.) on US-based companies. This can come into play when an organization is expanding beyond the US, for instance if a fintech is scaling internationally. But even when operating solely within the US, if subsidiaries or sister/holding companies are operating (or simply processing data) in another jurisdiction, those laws may apply. So, a global view of compliance is important for any aspiring mortgage-related company.
As you can see, this session was VERY deep and equally eye-opening about aspects of consumer data and privacy protection that affect our industry today — and will increasingly continue to do so throughout 2023 and beyond. There was so much we didn’t include in this short recap, so watch the session embedded here, then hit us with your questions below.