Consumer privacy and data protection is all the rage, and it could have an impact on originators' ability to keep on top of and in touch with their clients
It’s been a little over a month since the California Consumer Privacy Act (CCPA) came into effect.
One of the rights that consumers in California now have is the Right to be Forgotten, i.e., the right to be removed from databases—including CRMs. Should consumers choose to exercise this right, they could have a negative impact on the way originators are able to keep track of and keep up with their clients.
It’s not just California, however; numerous states across the country are looking at consumer privacy legislation, and originators are having to adapt to consumers’ privacy concerns and the new rules around them.
Consumers are becoming much more aware that businesses are using and monetizing their data, and are concerned that they have very little idea or input on how that data is being used. Bruce Phillips is the SVP and chief information security officer at WFG National Title Insurance Company, and said that originators need to be able to articulate what they’re doing with their clients’ data beyond just using it for their loan process. If originators can’t explain it, then that’s a red flag for the consumer.
“Your systems now have to be able to be flexible enough to allow a consumer to say, ‘I don’t want you to collect that information, I don’t want you to use that information, and I want you to delete everything you know about me,’” Phillips said. “Business systems were never built with that concept in mind. So that’s the struggle we’re all going to have in this new generation of consumer privacy rights: how do we get to where we can easily meet those requirements that we’ve never had before?”
Apart from consent to collect and use data, mortgage companies will have to understand the kind of data that they need and are required to keep. Phillips says that if you don’t need to have it, then get rid of it.
“Following CCPA in California and some others that are close to being on the books, the big trend that we’re going to see for the next few years across multiple states is about privacy, and the key takeaway for that is two things: understand what it is you collect about a consumer and what are you using it for. If the answer is, I’m not using it for anything, you’re best off getting rid of it because it’s a risk,” he said.
For the information that is kept, owners have to figure out a way to not only protect the data, but make it difficult for someone else to access and misuse it. Once you have a good idea of what the regulatory requirements are, you can create an appropriate records retention policy and follow it “religiously,” Phillips said.
Regina Lowrie is the president and CEO of Dytrix, a company launched in 2019 to help lenders and closing agents leverage technology to manage and mitigate the risk of wire and identity fraud. Lenders are concerned about fraud and data protection not only because of the financial losses, she said, but also because of the reputational risks.
“Our portal now gives lenders the means to not only protect the consumer under this NY Shield act and the CCPA with the confidentiality agreement, but we also offer the lenders’ customer one year of LifeLock at no cost, which demonstrates to the regulators that they are doing what they can to protect the consumers information,” Lowrie said.
As with technology in general, Lowrie also said that consumers are leading the charge.
“Consumers have a better understand of this than some lenders do. Think about how much borrower information lenders share with third parties,” she said. “We realized early on that this portal provides an opportunity to help lenders comply with the privacy legislation that’s out there.”
Lowrie said that every lender should have a written agreement with any third-party provider that they share non-public information (NPI) data with, ensuring that that third-party also complies with the same legislation—something she says the industry is weak on.
Phillips said that one of the biggest challenges is that up until recently, more data was always better, and business could generate more revenue by collecting more data.
“That mindset has to change because one of the things that’s going to be the highest risk, I think, early on is, when you tell a consumer, ‘this is what I use your data for’ and they find out that you’re doing something else with it. That right there opens you up to lawsuits.”
Another thing that lenders and mortgage companies are also going to have to think about in the maybe-not-so-distant future is the issue of portability, something that has been addressed in GDPR legislation. Portability is the ability for consumers to take all their existing information with one lender and move it to another—and demand that information be deleted from the previous company’s database. Figuring out how to package the data and get rid of it is a new challenge that will need to be confronted, Phillips said.
“There’s a lot of things that we need to figure out as far as implementation of some of these laws,” Phillips said. “It is a source of risk and you have to come up with a way to value your data, then put appropriate controls in place to manage that data through its life cycle. Also, really get better at understanding your retention policies and that life cycle of data and make sure you follow that.”