Why Haven’t Loan Officers Been Told These Facts?
THE CFPB ASSERTS THAT MORTGAGE ORIGINATION ORGANIZATIONS THAT FAIL TO COMPLY WITH THE FTC SAFEGUARDS RULE VIOLATE THE TITLE X UDAAP PROVISIONS (Unfair, Deceptive, and Abusive Acts or Practices, 12 U.S.C. 5536(a)(1)(B))
On August 11, the CFPB posted a new circular regarding violations of the FTC Safeguards Rule.
From the CFPB
Excerpts from the Consumer Financial Protection Circular 2022-04
Insufficient data protection or security for sensitive consumer information
Can entities violate the prohibition on unfair acts or practices in the Consumer Financial Protection Act (CFPA Title X of Dodd-Frank, which includes prohibitions against UDAAP) when they have insufficient data protection or information security?
Yes. In addition to other federal laws governing data security for financial institutions, including the Safeguards Rules issued under the Gramm-Leach-Bliley Act (GLBA), “covered persons” and “service providers” must comply with the prohibition on unfair acts or practices in the CFPA. Inadequate security for the sensitive consumer information collected, processed, maintained, or stored by the company can constitute an unfair practice in violation of 12 U.S.C. 5536(a)(1)(B).
Inadequate authentication, password management, or software update policies or practices are likely to cause substantial injury to consumers that is not reasonably avoidable by consumers, and financial institutions are unlikely to successfully justify weak data security practices based on countervailing benefits to consumers or competition. Inadequate data security can be an unfair practice in the absence of a breach or intrusion.
Widespread data breaches and cyberattacks have resulted in significant harms to consumers, including monetary loss, identity theft, significant time and money spent dealing with the impacts of the breach, and other forms of financial distress. Providers of consumer financial services are subject to specific requirements to protect consumer data. In 2021, the Federal Trade Commission (FTC) updated its Safeguards Rule implementing Section 501(b) of GLBA, to set forth specific criteria relating to the safeguards that certain nonbank financial institutions must implement as a part of their information security programs. These safeguards, among other things, limit who can access customer information, require the use of encryption to secure such information, and require the designation of a single qualified individual to oversee an institution’s information security program and report at least annually to the institution’s board of directors or equivalent governing body. The federal banking agencies also have issued interagency guidelines to implement Section 501 of GLBA.
In certain circumstances, failure to comply with these specific requirements may also violate the CFPA’s prohibition on unfair acts or practices. The CFPA defines an unfair act or practice as an act or practice: (1) that causes or is likely to cause substantial injury to consumers, (2) which is not reasonably avoidable by consumers, and (3) is not outweighed by countervailing benefits to consumers or competition.
A practice causes substantial injury to consumers when it causes significant harm to a few consumers or a small amount of harm to many consumers. For example, inadequate data security measures can cause significant harm to a few consumers who become victims of targeted identity theft as a result, or it can cause harm to potentially millions of consumers when there are large customer-base-wide data breaches. Information security weaknesses can result in data breaches, cyberattacks, exploits, ransomware attacks, and other exposure of consumer data.
Further, actual injury is not required to satisfy this prong in every case. A significant risk of harm is also sufficient. In other words, this prong of unfairness is met even in the absence of a data breach. Practices that “are likely to cause” substantial injury, including inadequate data security measures that have not yet resulted in a breach, nonetheless satisfy this prong of unfairness.
Consumers cannot reasonably avoid the harms caused by a firm’s data security failures. They typically have no way of knowing whether appropriate security measures are properly implemented, irrespective of disclosures provided. They do not control the creation or implementation of an entity’s security measures, including an entity’s information security program. And consumers lack the practical means to reasonably avoid harms resulting from data security failures.
Where companies forgo reasonable cost-efficient measures to protect consumer data, like those measures identified below, the Consumer Financial Protection Bureau (CFPB) expects the risk of substantial injury to consumers will outweigh any purported countervailing benefits to consumers or competition. The CFPB is unaware of any instance in which a court applying an unfairness standard has found that the substantial injury caused or likely to have been caused by a company’s poor data security practices was outweighed by countervailing benefits to consumers or competition. Given the harms to consumers from breaches involving sensitive financial information, this is not surprising.
WHAT TO DO?
1. Multi-factor authentication
Multi-factor authentication (MFA) is a security enhancement that requires multiple credentials (factors) before an account can be accessed. Factors fall into three categories: something you know, like a password; something you have, like a token; and something you are, like your fingerprint. A common MFA setup is supplying both a password and a temporary numeric code in order to log in. Another MFA factor is the use of hardware identification devices. MFA greatly increases the level of difficulty for adversaries to compromise enterprise user accounts, and thus gain access to sensitive customer data. MFA solutions that protect against credential phishing, such as those using the Web Authentication standard supported by web browsers, are especially important.
If a covered person or service provider does not require MFA for its employees or offer multi-factor authentication as an option for consumers accessing systems and accounts, or has not implemented a reasonably secure equivalent, it is unlikely that the entity could demonstrate that countervailing benefits to consumers or competition outweigh the potential harms, thus triggering liability.
2. Password Management
Unauthorized use of passwords is a common data security issue. Username and password combinations can be sold on the dark web or posted for free on the internet, which can be used to access not just the accounts in question, but other accounts held by the consumer or employee.
If a covered person or service provider does not have adequate password management policies and practices, it is unlikely they would succeed in showing countervailing benefits to consumers or competition that outweigh the potential harms, thus triggering liability. This includes failing to have processes in place to monitor for breaches at other entities where employees may be re-using logins and passwords (including notifying users when a password reset is required as a result), and includes use of default enterprise logins or passwords.
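An added illustration, not part of the circular or any CFPB material, of the two checks item 2 above describes: spotting employee passwords that have appeared in breaches at other entities (password reuse) and vendor-default enterprise logins, then flagging the account for a forced reset and user notification. The breach corpus, default-credential list and account sample are constructed for the demo; the range query, in which the client sends only a hash prefix, is the k-anonymity pattern public password-breach services use.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample of leaked passwords, standing in for the breach data a
# third-party service (or an internal feed of breach dumps) would hold.
# Stored as SHA-1 hex digests, the form most breach-check services use.
CONSTRUCTED_LEAKED_PASSWORDS = ("Summer2022!", "Password1", "welcome1")
BREACH_CORPUS = {hashlib.sha1(p.encode()).hexdigest().upper()
                 for p in CONSTRUCTED_LEAKED_PASSWORDS}

# Constructed list of vendor-default enterprise logins (username, password).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"),
                       ("root", "changeme")}


def breach_service_range(prefix: str) -> list[str]:
    """Server side of a k-anonymity range query: given the first five hex
    characters of a SHA-1 hash, return every matching hash suffix.  The
    server never learns the full hash, let alone the password."""
    return [h[5:] for h in BREACH_CORPUS if h.startswith(prefix)]


def password_is_exposed(password: str) -> bool:
    """Client side: hash locally, send only the 5-char prefix, match suffixes."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in breach_service_range(prefix)


@dataclass
class Finding:
    username: str
    reason: str
    action: str = "force password reset and notify user"


def audit_credentials(accounts: dict[str, str]) -> list[Finding]:
    """Flag accounts whose password is a vendor default or appears in the
    breach corpus (likely reuse of a login exposed at another entity)."""
    findings = []
    for user, pw in accounts.items():
        if (user, pw) in DEFAULT_CREDENTIALS:
            findings.append(Finding(user, "vendor default credential"))
        elif password_is_exposed(pw):
            findings.append(Finding(user, "password present in breach corpus"))
    return findings


if __name__ == "__main__":
    # Constructed sample; in practice the plaintext is only available at
    # password-set or login time, which is when this check should run.
    sample = {"jdoe": "Summer2022!", "admin": "admin", "asmith": "Tr0ub4dor&3-xk"}
    for f in audit_credentials(sample):
        print(f"{f.username}: {f.reason} -> {f.action}")
```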
3. Timely Software Updates
Software vendors regularly update software to address security vulnerabilities within a program or product. When patches are released, the public, including hackers, become aware of the prior vulnerabilities. Therefore, when companies use commonly available software, including open-source software and open-source libraries, and do not install a patch that has been released for that software or take other mitigating steps if patching is not possible, they neglect to fix a security vulnerability that has become widely known. As noted in the CFPB’s complaint against Equifax, Equifax’s 2017 failure to patch a known vulnerability resulted in hackers gaining access to Equifax’s systems that exposed the personal information of nearly 148 million consumers.
If covered persons or service providers do not routinely update systems, software, and code (including those utilized by contractors) or fail to update them when notified of a critical vulnerability, it is unlikely they would succeed in showing countervailing benefits to consumers or competition that outweigh the potential harms, thus triggering liability. This includes not having asset inventories of which systems contain dependencies on certain software to make sure software is up to date and highlight needs for patches and updates. It also includes the use of versions of software that are no longer actively maintained by their vendors.
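An added example, not from the circular, of the asset-inventory check item 3 describes: which systems depend on a given component (the question to answer when a vendor notifies you of a critical vulnerability), which installed versions fall below an advisory's fixed version, and which sit on lines the vendor no longer maintains. The inventory, advisories and end-of-life table are constructed sample data with hypothetical system and component names.

```python
from dataclasses import dataclass


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    component: str
    fixed_in: str      # first version containing the fix
    severity: str


# Constructed asset inventory: system name -> {component: installed version}.
INVENTORY = {
    "los-web-01":   {"webframework": "2.3.1", "pdf-lib": "1.8.0"},
    "doc-vault-02": {"pdf-lib": "1.9.2", "dbclient": "5.2.0"},
    "legacy-batch": {"webframework": "1.9.0", "dbclient": "4.7.3"},
}
# Constructed vendor advisories and end-of-life table (versions below the
# listed one are no longer maintained by the vendor).
ADVISORIES = [Advisory("pdf-lib", "1.9.0", "critical"),
              Advisory("webframework", "2.3.1", "high")]
EOL_BEFORE = {"dbclient": "5.0.0", "webframework": "2.0.0"}


def systems_with(inventory: dict, component: str) -> list[str]:
    """Blast radius of a vendor notification: every system depending on the component."""
    return sorted(s for s, comps in inventory.items() if component in comps)


def find_patch_needs(inventory: dict, advisories: list, eol_before: dict) -> list[dict]:
    """List every (system, component) that is below an advisory's fixed
    version or on an unmaintained version line."""
    findings = []
    for system, comps in inventory.items():
        for comp, ver in comps.items():
            installed = parse_version(ver)
            for adv in advisories:
                if adv.component == comp and installed < parse_version(adv.fixed_in):
                    findings.append({"system": system, "component": comp, "installed": ver,
                                     "issue": f"{adv.severity} advisory, fixed in {adv.fixed_in}"})
            if comp in eol_before and installed < parse_version(eol_before[comp]):
                findings.append({"system": system, "component": comp, "installed": ver,
                                 "issue": "unmaintained version"})
    return findings


if __name__ == "__main__":
    print("systems depending on pdf-lib:", systems_with(INVENTORY, "pdf-lib"))
    for f in find_patch_needs(INVENTORY, ADVISORIES, EOL_BEFORE):
        print(f"{f['system']}: {f['component']} {f['installed']} - {f['issue']}")
```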
THE NEW CFPB CIRCULARS
Consumer Financial Protection Circulars are issued to all parties with authority to enforce federal consumer financial law. The Consumer Financial Protection Bureau (CFPB) is the principal federal regulator responsible for administering federal consumer financial law, see 12 U.S.C. 5511, including the Consumer Financial Protection Act’s prohibition on unfair, deceptive, and abusive acts or practices, 12 U.S.C. 5536(a)(1)(B), and 18 other “enumerated consumer laws,” 12 U.S.C. 5481(12). However, these laws are also enforced by state attorneys general and state regulators, 12 U.S.C. 5552, and prudential regulators including the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the National Credit Union Administration. See, e.g., 12 U.S.C. 5516(d), 5581(c)(2) (exclusive enforcement authority for banks and credit unions with $10 billion or less in assets). Some federal consumer financial laws are also enforceable by other federal agencies, including the Department of Justice and the Federal Trade Commission, the Farm Credit Administration, the Department of Transportation, and the Department of Agriculture. In addition, some of these laws provide for private enforcement.
Consumer Financial Protection Circulars are intended to promote consistency in approach across the various enforcement agencies and parties, pursuant to the CFPB’s statutory objective to ensure federal consumer financial law is enforced consistently. 12 U.S.C. 5511(b)(4). Consumer Financial Protection Circulars are also intended to provide transparency to partner agencies regarding the CFPB’s intended approach when cooperating in enforcement actions. See, e.g., 12 U.S.C. 5552(b) (consultation with CFPB by state attorneys general and regulators); 12 U.S.C. 5562(a) (joint investigatory work between CFPB and other agencies).
Consumer Financial Protection Circulars are general statements of policy under the Administrative Procedure Act. 5 U.S.C. 553(b). They provide background information about applicable law, articulate considerations relevant to the Bureau’s exercise of its authorities, and, in the interest of maintaining consistency, advise other parties with authority to enforce federal consumer financial law.
See the entire Circular here: Consumer Financial Protection Circular 2022-04
BEHIND THE SCENES – THE FEDERAL HOUSING FINANCE AGENCY FIGHTS TO LIMIT LANGUAGE BARRIERS IN MORTGAGE FINANCING
MANDATORY IMPLEMENTATION OF THE GSEs' SCIF FORM 1103
FHLMC/FNMA 1103 MANDATORY USE
Back in May of 2022, the FHFA announced the mandatory use of the Supplemental Consumer Information Form (SCIF). This form further expands the federal government's ability to establish additional fair lending benchmarks, similar to HMDA data.
Failure to make reasonable accommodations for applicants with Limited English Proficiency (LEP) could violate both the ECOA and the Fair Housing Act.
FROM THE FHFA
FHFA Announces Mandatory Use of the Supplemental Consumer Information Form
The Federal Housing Finance Agency (FHFA) today announced that Fannie Mae and Freddie Mac (the Enterprises) will require lenders to use the Supplemental Consumer Information Form (SCIF) as part of the application process for loans that will be sold to the Enterprises. The purpose of the SCIF is to collect information about the borrower’s language preference, if any, and on any homebuyer education or housing counseling the borrower received, so lenders can better understand borrower needs during the home buying process.
Specifically, the changes announced today will require lenders to present the SCIF questions to borrowers and to report any data collected from the SCIF to the Enterprise purchasing the loan. Lenders will be required to adopt these changes and reporting requirements for loans with application dates on or after March 1, 2023. Response by borrowers to the preferred language question in the SCIF will remain voluntary.
“Collecting language preference and housing counseling information provides mortgage applicants with an additional method to inform lenders of their needs, enabling the industry to more fully respond to the nation’s growing diversity,” said FHFA Acting Director Sandra L. Thompson. “These steps will contribute to an equitable housing finance system that welcomes all qualified borrowers.”
“The CFPB welcomes the FHFA’s announcement today. As those lenders and financial companies that already collect the language preference of applicants and borrowers know, this information allows lenders to serve their customers better. The collection of applicants’ language preference does not violate the Equal Credit Opportunity Act or its implementing regulations,” said CFPB Director Rohit Chopra. “The CFPB is eager to see advances in broader language access to better serve all borrowers.”
The SCIF will be available via Mortgage Translations later this Summer. Created by FHFA, Fannie Mae, and Freddie Mac, Mortgage Translations provides resources to assist lenders, servicers, housing counselors, and others in helping mortgage borrowers who have limited English proficiency. The site contains documents and resources available in English, Spanish, traditional Chinese, Vietnamese, Korean, and Tagalog. Mortgage Translations is part of FHFA’s Language Access Multi-Year Plan.
In July 2022, the Federal Housing Finance Agency, Fannie Mae, and Freddie Mac added the updated Supplemental Consumer Information Form (SCIF) (Fannie Mae/Freddie Mac 1103) to the Mortgage Translations website. The SCIF helps industry professionals collect borrower information with standardized questions about homeownership education, housing counseling, and language preference. Additionally, the revised Mortgage Assistance Application, Borrower Solicitation Letter, Forbearance Servicer Script, and a Servicer Script for Homeowners with a Resolved COVID-19 Hardship were also added. All of the documents are now available in English, Spanish, Chinese, Vietnamese, Korean, and Tagalog.
The lender or borrower should complete the education and counseling sections of the form if required by the Selling Guide, B2-2-06, Homeownership Education and Housing Counseling. This section can also be completed if the borrower obtained education or counseling even if not required for the specific transaction.
The lender must present the form to the borrower to provide a preferred language preference. The borrower is not required to select any of the language options in the “Language Preference” and may leave this section blank. As a result, there may be instances where the form in the loan file only includes the loan identifier information and the borrower name. The lender may inform the borrower that the answer will NOT negatively affect the mortgage application and explain the instructions and other information provided for use of the form.
Mandatory Adoption Date is March 1, 2023
If lenders are not already using this form, they may begin doing so immediately. A copy of the form must be maintained in the loan file for all loans with application dates beginning March 1, 2023 and any data provided must be shared with us via Desktop Underwriter® (DU®) when a loan is submitted for underwriting.
See the Lender Letter (LL-2022-03) here: FNMA Lender Letter (LL-2022-03)
See the FHFA Announcement here: FHFA Supplemental Consumer Information Form Announcement
See the FHFA video here: For Industry Pros, Mortgage Translations Video
Tip of the Week – Go get those loans!
This last week, I walked by the seashore with my wife and daughter. A fisherman was there, casting his lure out on the water. Cast after cast, same spot, same retrieve. Same result too. No fish.
About an hour later, we circled back to where the fisherman had been casting his lure into the water. He hadn’t moved an inch. No fish yet, just the fisherman. Just the fisherman and probably a few old memories of catching fish at that spot or catching fish on that lure.
He’s probably not fishing for his livelihood, I thought to myself. He’s not that hungry, either. If he were, he’d have already walked the quarter mile to where I was walking, where the water was filled with breaking fish and patches of bait.
Psychological anchors often cause people to pursue the path of past gratification and success. Accordingly, it is possible to become blind to the fact that what used to work is not working anymore. So stop waiting for the fish to arrive. Instead, move. Take a walk down the shore and go catch them up.