For mortgage companies struggling with compressed margins, complying with consumer protection laws is a constant high-wire act. In this precarious environment, privacy laws like GDPR and CCPA represent a looming threat that could knock small and regional lenders right off the tightrope.
Four experts tackled the subject of emerging privacy laws at the Mortgage Bankers Association Tech Conference on Monday: Daniel Hoye, head of privacy at Citizens Bank; Justin Antonipillai, CEO of WireWheel; Erin Barry, associate vice president at the MBA; and Jonathan Liu, partner, consumer finance at PwC.
The consensus — from the stage and from the room — was that there are no easy answers.
Consumer privacy became an important compliance issue with the GDPR law implemented last May, but that was merely the vanguard of a whole slew of consumer privacy laws taking shape at the international, federal and state levels.
“The rest of the world has noticed that when it comes to information, most information is being processed and most software companies are U.S.-based,” said Antonipillai, who served as the under secretary of commerce for economic affairs under President Obama. “When you go around the world, the narrative is that why the U.S. is winning in data processing and cloud computing — it’s because U.S. companies don’t follow the rules, where other countries do.”
In reaction, and in a vacuum of leadership from the U.S. on the issue, countries like Japan, Singapore, Canada and Brazil have all proposed or passed consumer privacy laws that recognize an individual’s fundamental right to control their own data.
Following a number of data breaches, the concern for consumer privacy has also reached a cultural tipping point, prompting U.S. legislators and regulators to take up the charge.
There are serious moves being made by a number of congressional committees to pass laws that give consumers more control over their data. Barry said the committee most likely to get something passed in this area is the Senate Banking, Housing and Urban Affairs Committee, where there is bipartisan support for passing legislation on consumer privacy.
But having one federal mandate — as onerous as that might be — would be a pipe dream compared to the difficulty of navigating individual state laws on the issue. Ironically, those state laws — particularly the California Consumer Privacy Act — are already making it difficult for the federal government to step in.
“A national standard would have to be really strong,” Barry said. “The Democrats on the House side, particularly from California, don’t want to weaken a California standard. From their perspective, they’re going to be protecting that framework.”
The CCPA gives consumers four basic rights:
1. The right to know what personal information a business is collecting about them, where they got it, what it’s being used for, whether it’s being disclosed or sold, and to whom.
2. The right to opt out of allowing a business to sell their personal information.
3. The right to have a business delete their personal information.
4. The right to receive equal service and pricing from a business even if they exercise these privacy rights.
Companies are scrambling to meet the deadline for CCPA compliance, which takes effect Jan. 1, 2020, but 11 more states have similar legislation in the works, each with its own unique requirements.
The panelists noted the incredible difficulty of ensuring these rights, especially in an industry that is leveraging massive amounts of personal consumer data for its sales and marketing efforts, much of it from third parties.
As Antonipillai noted, “When it comes to privacy, you have to find [the information] in every system, every data point, all of the vendors — everywhere.”
How do lenders even begin the process? The panelists said one starting point is to look at what lenders have already done to comply with GLBA regulations and to note the gaps there, as they may already have some parts of the new privacy laws covered. Another suggestion was to look at the personal data of non-customers first.
Lenders can also leverage their own tech stack and mine their vendor risk profiles and cloud security tools to help track what data they’ve acquired from third-party SaaS providers.
As one of the first steps at Citizens Bank, Hoye established an implementation steering committee with the chief marketing officer and the chief data officer to make sure the effort had solid executive sponsorship and to bring in the critical stakeholders early in the process. From there, they broke implementation into working teams that decided how they would handle intake requests from consumers and how privacy compliance would be baked into their policies and training.
The panel identified some of the most challenging aspects of complying with the new privacy laws:
- The U.S. concept of public information versus the international perception of personal information
- The First Amendment right to free speech versus the “right to be forgotten” in newspapers and other public records
- With increasing cloud adoption, the complexity of matching where data is actually stored with applicable state, federal and international laws
- How to validate whether it is a consumer with a legitimate claim to these rights or other non-legitimate parties seeking access or correction, especially when so much data collection is done and mapped by device, not by a person’s name
Perhaps the biggest concern is one that surfaces with any compliance issue: the competitive advantage of size. While the smallest institutions will likely be exempted, mid-size lenders will face an avalanche of new requirements without the deep pockets to pay for them.
"What worries me is that the small banks can't compete with the big banks," Antonipillai said. When it comes to legislation on privacy, he's "hoping for something meaningful but simple."