The big red herring: the Home Mortgage Disclosure Act (HMDA) will help predators identify you!
In 1975, Congress passed the Home Mortgage Disclosure Act (HMDA) to make the lending marketplace more transparent by requiring lenders to publicly disclose data on the race, gender, and income of their borrowers. With HMDA data, federal regulators, community-based organizations, local public sector agencies, and other stakeholders can determine if lenders are meeting credit needs responsibly or are engaged in illegal discrimination. Laws like HMDA are designed to make the lending marketplace fairer and more equitable.
Let’s stop right here. I have a quiz for Shelterforce readers:
Which was more responsible for privacy breaches in 2017–HMDA data or Equifax?
If you guessed Equifax, you would be correct. Equifax, a credit bureau that collects credit history data on behalf of lending institutions and other paying clients, experienced a hack that compromised the personal data, including Social Security numbers and credit history, of 143 million Americans in 2017. That’s half the country.
Now, guess how many consumers had their privacy violated by HMDA in 2017? Zero. In fact, no federal agency has reported a single instance of an invasion of privacy in over forty years of HMDA’s existence. There has been no federal agency report or Congressional testimony citing the danger of HMDA data to borrower privacy.
So how can an economics professor from George Washington University claim with a straight face that HMDA can facilitate large-scale identity theft? Dr. Yezer tacitly admits that the HMDA data does not have information like Social Security numbers and property addresses that would identify individual borrowers. Instead, Dr. Yezer asserts that HMDA data can be linked to county deed records that can lead to compromising borrower privacy.
County deed records are publicly available records that include the mortgage of the borrower complete with the name of the lender, the property address, information about the interest rate, whether the borrower is in default, and other aspects of the loan. Deed records are public in part because lenders and other members of the public will check to see whether there are liens on a property and/or defaults before conducting business with a household. Tax property records are also publicly available and tell interested parties whether a household is current with their property taxes and how much they paid in the most recent year and past years.
Dr. Yezer’s contention is that by using the name of the lender, the loan amount, and the census tract, an adversary (a person or entity seeking to peddle abusive loans or otherwise cause harm—which is criminal behavior) can match HMDA data to data in county deed records. By linking the two databases, the adversary has an extensive profile of financial data on individual homeowners with which to mislead, deceive, and exploit individuals. For example, Dr. Yezer asserts that by linking HMDA and deed records, an adversary can contact elderly borrowers, gain their trust by seeming to know details of their financial situations, and then hoodwink them into buying useless and/or harmful products.
Dr. Yezer contends that because HMDA data was expanded by the Consumer Financial Bureau (CFPB), criminals can gain details like debt-to-income ratios, creditworthiness, and property values that were not previously available. Linking the new-and-improved HMDA data to county deed records is supposedly the magic ticket to developing a full and comprehensive dossier about individual households.
But Dr. Yezer’s arguments are a big red herring.
He presents a case study to purportedly demonstrate how easy it is to link HMDA data with county deed records. His analysis focuses on using HMDA data to illustrate how an adversary might identify unique entries in HMDA to achieve a 75 to 100 percent match rate with county deed records. He does not, however, take the next step to actually match HMDA data with county deed records. He doesn’t do this because this step is quite labor intensive and would likely dissuade criminals from using HMDA data.
County deed records are not amenable to being used with HMDA data because they usually cannot be downloaded readily from county websites. County websites typically let a user look at a few data records at a time and do not allow downloads, most likely to thwart wide-scale ID theft. Contrary to Dr. Yezer’s assertions, county deed records are not “searchable and scrapable.” Moreover, the United States has about 3,100 counties—all likely to vary greatly in how they present county deed records. It’s doubtful that criminals can use HMDA data and deed records from a number of counties to engage in harmful activities in a single metropolitan area, let alone several states.
More likely, criminals bent on privacy invasion and exploitation will use other readily available private sector databases that can reveal sensitive information about individuals. For a few cents a record, one such database will provide a property street address, if it is in foreclosure, the lender name, various loan terms and conditions, loan-to-value ratio, property characteristics, and other information. In addition, data brokers will sell databases with detailed information without binding clients to careful privacy controls.
Dr. Yezer argues that HMDA data will harm borrowers and expose them to predatory lending through privacy invasions. Yet, the largest-scale incidence of abusive lending occurred in the late 1990s through the mid 2000s in the years leading up to the financial crisis, and those criminals did not use HMDA data to target vulnerable consumers.
The rationale behind the improved HMDA data is to spot abusive lending trends earlier, enabling public agencies, community groups, and lenders to work together to stop abuses before they cause a financial crisis. HMDA is the key to preventing predatory behavior, not the cause of it.
The financial industry used Dr. Yezer’s paper as their key argument in a comment letter to the CFPB regarding HMDA data and privacy. Since their case rests on a red herring, it must not be regarded as persuasive by the CFPB. Let’s go back to the record in 2017 regarding privacy breaches. Here the highest score loses: Equifax 143 million, HMDA 0. The big red herring must not become the big lie squashing attempts to shed greater sunlight on lending practices.
This piece originally appeared in Shelterforce on February 21, 2018.