Supporting Statement A_Renumb Attach #9--ASMB 60-day PRA Comment Letters

ASMB 60-Day PRA Notice—Comment #1 of 2
Date:
Name:
City:
State:
Organization:
Government Agency:
Rule Number:
Federal Register Citation:

11/10/2015
DR DWIGHT SANDERS SE
CINCINNATI
OHIO
U.S. DEPARTMENT OF STATE
FEDERAL HOUSING FINANCE AGENCY
2015-N-11
80 FR 69664

Comment
FEDERAL HOUSING AND THE PROGRAM NEED A MANDATE OF ACTION FROM A 10 YEAR
OVERHAUL FRM IT STAKEHOLDER!

ASMB 60-Day PRA Notice—Comment #2 of 2

American Bankers Association
American Financial Services Association
American Land Title Association
Consumer Bankers Association
Consumer Mortgage Coalition
Credit Union National Association
Housing Policy Council of the Financial Services Roundtable
Independent Community Bankers of America
Mortgage Bankers Association
National Association of Federal Credit Unions
January 11, 2016

Federal Housing Finance Agency
Eighth Floor
400 7th Street, S.W.
Washington, D.C.
20219 [email protected]
v
Re:

Proposed Collection; Comment Request
National Survey of Existing Mortgage Borrowers

Dear Federal Housing Finance Agency:
The undersigned trade associations appreciate this opportunity to comment jointly on the Federal
Housing Agency’s (“FHFA”) proposed collection of information relating to the National Survey of
Existing Mortgage Borrowers (“NSEMB”), a periodic, voluntary survey of individuals who currently
have a first mortgage loan secured by single-family residential property. The survey is, in effect, an
updated version of FHFA’s existing National Survey of Mortgage Borrowers.
According to the proposal, the collection of information will use a questionnaire consisting of
approximately 80 to 85 questions intended to elicit information from mortgage borrowers about their
loans. The data from the survey is to be included in a National Mortgage Database (“Database”) project
which, when complete, will include detailed information about more than 10 million borrowers.
The stated goal of the Database is to support policymaking and research efforts to understand emerging
mortgage and housing market trends. We believe it is appropriate for the Government to better
understand the residential mortgage markets, as greater understanding of the current trends and forces
impacting homebuyers is critical to the development of policies that foster a safe and sound marketplace.
We are concerned, however, that the Database (1) is overly extensive; (2) poses a significant danger to
consumer privacy through reidentification; and (3) is duplicative of other databases. As such, we
believe the Database should not be introduced until several steps are taken. These steps include
consultation with the Consumer Financial Protection Bureau (“CFPB”) to ensure that the FHFA and

Joint Paperwork Comment Letter on NSEMB
January 11, 2016
Page 2 of 9

CFPB data cannot bresult in reidentification of consumers. The steps should also include soliciting
additional input on the survey topics and questions. We understand that FHFA is required by law to
survey and collect data, but we strongly urge FHFA to make consumer privacy and data collection
efficiency its top considerations as this survey develops. FHFA’s proposal mentions that FHFA is
required by statute to “compile a database of . . . mortgage market information to be made available to
the public.” This implies that the new survey data will be public at least in some part.
I.

The Database is Overly Extensive, Creating Privacy and Data Security Concerns

As indicated, information collected through the NSEMB will become a part of the Database project.
The Database is a joint effort by the FHFA and the CFPB to create a single resource that includes
detailed, loan-level data about mortgages dating back to 1998 that captures data from one of every 20
mortgage loans.
Records in the Database include loan-level demographic data about individual borrowers, mortgages,
real estate transactions, physical characteristics of the house and neighborhood, performance data on the
mortgage and all credit lines (credit cards, student loans, auto loans, other loans reported to credit
bureaus) of the mortgage borrower and all those associated with the mortgage. Specifically, records in
the system may include without limitation:
•

Borrower/co-borrower information including
o Name
o Address
o Telephone number
o The borrower’s marital status
o Birthdate
o Gender
o Language
o Religion
o Social Security number
o Education
o Race
o Work status
o Veteran status
o Income
• Financial Information
o Account number
o Financial events in the last few years
o Life events in the last few years
o Other assets/wealth
• Mortgage Information
o Current balance
o Current monthly payment
o Delinquency grid

Joint Paperwork Comment Letter on NSEMB
January 11, 2016
Page 3 of 9

•

•

•

•

o Refinanced amount
o Bankruptcy information
Credit Card/Other Loan Information
o Account type
o Credit amount
o Account balance
o Account past due amount
o Account minimum payment amount
o Account actual payment amount
o Account high balance amount
o Account charge off amount
o Second mortgages
Household Composition
o Marital status
o Presence of children by age categories
o Number of wage earners in the home
o Household income
o Credit score(s) of borrower/co-borrower at origination
o Deceased indicator
Property Attributes
o Property type
o Number of bedrooms and bathrooms
o Square footage
o Lot size
o Year build/age of structure
o Units in structure
o Most recent assessed value
o Effective age of structure
o Assessors parcel number
o Neighborhood name
o Project name
• Real Estate Transaction Attributes
o Sales price
o Down payment
o Occupancy status (own/rent)
o New versus existing home
o County
o Census tract/block
o Latitude/longitude
o Date purchased
Mortgage Characteristics Attributes
o Mortgage product and purpose
o Origination date
o Acquisition date

Joint Paperwork Comment Letter on NSEMB
January 11, 2016
Page 4 of 9

•

o Amount of mortgage
o Interest rate of mortgage
o Source of mortgage/mortgage channel
o Mortgage insurance type
o Loan to value ratio at origination
o Origination amount/credit limit
o Originator
o Current servicer
o Debt to income ratio at origination
o Number of borrowers
o Number of units in mortgage
o Presence of prepayment penalty
o Origination points paid by borrower
o Discount points paid by borrower
o Balloon payment date/amount
o Percent of downpayment
o Secondary market indicator
And, finally, information collected from consumers as part of surveys, randomized trials, or
through other mechanisms (including the NSEMB).

According to FHFA’s Notice of revision to an existing system of records, a “routine use” of the
Database includes providing access to a broad spectrum of individuals and entities, including academic
researchers, regulated entities, “contract personnel, grantees, volunteers, interns, and others performing
or working on a contract, service, grant, cooperative agreement, or project for the FHFA.”1
The FHFA’s technical report from August 2015, however, reveals that the FHFA and CFPB have not yet
established policies of access or determined who may obtain access, but does state that the existing
contract allows access to the Database “to be extended to employees of other federal agencies, the
Federal Reserve System, Fannie Mae and Freddie Mac, and Federal Home Loan Banks…” provided, of
course, that users sign a “terms of use agreement” that states they will not attempt to learn the identity of
any borrower.2
Considering the extent of the Database and the number of individuals who will be allowed access, as
well as the seemingly boundless capabilities of hackers and other intruders, there is a very strong
likelihood that, even under the best circumstances, data from the system could be leaked or breached and
could result in harm to consumers.

1

79 Fed. Reg. 21458, 21460 (April 16, 2014); see routine use (7).
National Mortgage Database Technical Report 15-01 (August 27,
2015). http://www.fhfa.gov/PolicyProgramsResearch/Programs/Documents/NMDB_Technical_Report_1501_082715.pdf
2

Joint Paperwork Comment Letter on NSEMB
January 11, 2016
Page 5 of 9

II.

Reidentification of Borrowers is a Risk

Clearly, the information contained in the Database is broad and highly sensitive. While any breach
would be a serious problem, the problem of reidentification is even more serious. Data in the Database
can be pieced together with data from other private and public databases to identify individual borrowers
and associate an even greater amount of confidential information with them. There would be great harm
to consumers if the information were to be released carelessly or unwittingly, or if it were to be accessed
by individuals aiming to do harm.
Moreover, the threat of reidentification is growing; it is far greater today than when the FHFA first
developed its National Survey of Mortgage Borrowers a few years ago. The Office of Personnel
Management recently suffered a significant hack into personal information. We now know that key
government institutions are not immune to data breach and cyber-attack and that any database of
sensitive information is at risk. Moving forward, it is critical that any proposal to establish a database of
consumer information be judiciously established with sufficient protections.
Congress Prohibited Release in Identifiable Form
Congress was aware that the large-scale collection of consumer data introduces the threat of possible
reidentification of individuals. Accordingly, while the legal authority for the NSEMB, Housing
Economic and Recovery Act of 2008 (“HERA”)3 requires FHFA to conduct mortgage market surveys,
Congress also included the requirement that FHFA must “ensure” that the survey data are “not released
in an identifiable form [.]”4 Congress defined “identifiable form” broadly to mean “any representation
of information that permits the identity of a borrower to which the information relates to be reasonably
inferred by either direct or indirect means.”5
Congress used the word “identifiable” rather than “identified.” Accordingly, the statute prohibits release
of data that could make consumers reidentifiable, even if consumers are actually deidentified in FHFA’s
Database or in any release. Unfortunately, the proposal does not address the Congressional mandate
against reidentification risk at all. We do not know if, or how, FHFA will protect against releasing data
that could permit the public to infer a borrower’s identity by direct or indirect means.
Compliance with the Congressional standard, in our view, would require FHFA to consider the extent to
which consumers surveyed would be at risk of reidentification using any public information, including

3

12 U.S.C. § 4544(c) (emphasis added), as amended by the Housing and Economic Recovery Act of 2008 (“HERA”), Pub.
L. No. 110-289, § 1125(b), 122 Stat. 2654, 2693-95.
4

FHFA must make data public—
“provided that the Director may modify the data released to the public to ensure that the data–
(A) is not released in an identifiable form; and
(B) is not otherwise obtainable from other publicly available data sets.”
12 U.S.C. § 4544(c)(3) (emphasis added).
5
12 U.S.C. § 4544(c)(4) (emphasis added).

Joint Paperwork Comment Letter on NSEMB
January 11, 2016
Page 6 of 9

the CFPB’s complaint database,6 Home Mortgage Disclosure Act (“HMDA”) data, social media, and
other private databases.
Additionally, the Paperwork Reduction Act requires agencies to “protect respondents’ privacy”7 and
requires that collections of information be “consistent with applicable laws, including laws relating
to . . . privacy and confidentiality [.]”8
We urge that FHFA test its data for reidentification risk before expanding the existing database to
include new survey information, and before making any of the data public. Testing should include
systematically attempting to reidentify individuals by using public information of all types. Importantly,
such testing should be ongoing because reidentification risk today will increase in the future, such as
through release of new HMDA data.
FHFA should be prepared to remove from its public database, and stop collecting, any data that present
a reasonable risk of potential reidentification, regardless of how or when that risk arises. FHFA will
also need to consider future reidentification risks because once data are released, they cannot be
retrieved when a new method or source of reidentification becomes possible.
We suggest soliciting public input on how agencies can prevent reidentification risk in the future using
any government databases. The current approach is for each agency to consider the risks of each
database alone, and if one database does not explicitly identify a consumer, to treat consumers’ identities
as undisclosed. Consumers need a comprehensive look at how the various sources of information
together create new risks of reidentification. There should be one uniform privacy protection standard
for all the federal agencies.
Consumers’ Consent to Release of Their Data Should Be Fully Informed
We strongly urge FHFA to inform consumers, before they decide to respond to the survey, that their
response data may or will be public, and that this could permit reidentification of survey respondents.
FHFA should provide consumers examples of how reidentification may occur, including through use of
HMDA data, CFPB complaint data, and public land records.
Attached to this letter is a comparison of the information consumers receive about their privacy when
they submit online complaints to the CFPB and to the Federal Trade Commission (“FTC”). The FTC
6

Congress requires the CFPB to maintain its complaint database, and permits the CFPB to provide access to that database
only to certain government agencies that maintain “the standards applicable to Federal agencies for protection of the
confidentiality of personally identifiable information and for data security and integrity.” Dodd Frank Act Wall Street
Reform and Consumer Protection Act, Pub. L. No. 111-203, § 1013(b)(3)(D), 124 Stat. 1376, 1969, codified at 12 U.S.C.
§ 5493(b)(3)(D) (emphasis added). The CFPB does not have authority to make its complaint database available to the public,
or even to government agencies that do not meet the privacy and information security standards applicable to federal
agencies. Additionally, like the HERA standard applicable to FHFA, the privacy standard for the CFPB’s complaint database
requires protection of personally identifiable information, not merely information that has identified a consumer directly.
7
44 U.S.C. § 3506(e)(3).
8
44 U.S.C. § 3501(8).

Joint Paperwork Comment Letter on NSEMB
January 11, 2016
Page 7 of 9

provides more meaningful information to consumers about risks to their privacy. However, neither fully
informs consumers about risk of reidentification.
III.

Duplication of Data

A hallmark of the Paperwork Reduction Act is its design to reduce regulatory burden, such as
duplicative collections of information. The Paperwork Reduction Act requires agencies to certify that
its collection of information “is not unnecessarily duplicative of information otherwise reasonably
accessible to the agency [.]”9 A collection of information that largely duplicates information already
available is inconsistent with the Paperwork Reduction Act.
The proposal states that:
“While the quarterly NSMB provides information on newly-originated mortgages, it does not
solicit borrowers’ experience with maintaining their existing mortgages; nor is detailed
information on that topic available from any other existing source.”10
Notwithstanding, Fannie Mae and Freddie Mac (the “GSEs”) (and FHFA), CFPB, the Department of
Housing and Urban Development, Federal Housing Administration, Veterans Affairs, Treasury
Department, and the Federal Reserve already have much of this information. The GSEs, for example,
pull much of these data from loan applications and from origination disclosures. Many of the proposed
data points are captured and reported, or will be, under HMDA. In addition, other valuable datasets
exist that provide insight into important income, demographic, and housing shifts including the
American Community Survey, American Housing Survey, and the Census.
The Treasury Department publishes quarterly reports of servicers’ and mortgage loan performance. In
producing these reports, Treasury collects information about servicer-borrower communications that the
surveys would also cover. Additionally, the Comptroller of the Currency publishes exhaustive
information about mortgage loan performance at national banks and federal thrifts in its quarterly
Mortgage Metrics Report.
The FHFA did review and assess the merits of some of these resources in its recent Technical Report,
including the HMDA database, the Federal Reserve Bank of New York’s Equifax Consumer Credit
Panel, the CoreLogic property database, the servicing databases owned by CoreLogic and Black Knight
Financial Services, and data available from the three national credit repositories, Experian, Equifax, and
TransUnion, as well as public surveys like the American Housing Survey.11 The FHFA indicates that
these resources are insufficient for various reasons including delays in data release, lack of information
about the borrowers, or mortgage performance.
We urge the FHFA to revisit all of these resources, and others, to gain a better understanding of just how
much of the information that can be collected in the Database already exists. We would also point out
9

44 U.S.C. § 3506(c)(3)(B).
80 Fed. Reg. 69664, 69665 (November 10, 2015).
11
National Mortgage Database Technical Report 15-01 (August 27, 2015).
10

Joint Paperwork Comment Letter on NSEMB
January 11, 2016
Page 8 of 9

that many of the gaps in these other resources identified by the FHFA will be filled with the release of
the new HMDA data as required by the recently finalized HMDA rule. These data will not be available
immediately but a delay in including such data would give the FHFA and CFPB an opportunity to
finalize the necessary security procedures considering the sensitive information in the Database.
IV.

The Proposed Survey Should be Reissued for Comment When It is More Complete

Finally, while we appreciate the opportunity to provide feedback on this proposal, we are concerned that
this notice was published before the proposal is sufficiently developed.
Despite the use of much of the content from FHFA’s existing National Survey of Mortgage Borrowers,
it is clear that the NSEMB survey is still in its early stages of development.
The survey as proposed includes only 66 questions even though the proposal states that the survey could
include as many as 85 questions. The proposal also states that FHFA plans to use focus groups and
continue to revise the survey. We urge FHFA to solicit additional public input on the substance of the
survey when it is complete and before FHFA puts it into use. This would help ensure the questions are
not duplicative, are relevant, and are subject to accurate consumer responses.
V.

Conclusion

We are profoundly concerned about large-scale uncoordinated data collection by the Government that
creates real risk for consumers. We strongly encourage the FHFA to review the goals of this proposed
survey, identify genuinely unique data points not otherwise captured by existing surveys, utilize focus
groups and, ultimately, reissue a more complete survey for comment.
We also urge FHFA to again review existing surveys and data collection efforts to identify redundancies
and to assess working with other agencies, to identify methods to research residential mortgage markets
that would not pose risks to consumer privacy.
Most importantly, we urge FHFA to coordinate with other agencies to reduce the risk of consumer
reidentification and consumer harm across databases. In this connection, we believe the FHFA should
first meet with the CFPB as it considers similar data and privacy concerns under HMDA.
Should the FHFA decide to move forward with the survey, we strongly urge the FHFA to reissue a more
complete survey for comment. We believe it is important to provide an opportunity for further
meaningful feedback on the content and phrasing of questions as well as the survey’s structure before
the survey is distributed to homebuyers and the data made available to the public.
Beyond that, we urge that federal agencies jointly solicit robust public input on the important issues in
protecting consumer privacy and information security before new public databases are created. Input on
whether consumers provide informed consent to the risk of reidentification would be especially helpful.

Joint Paperwork Comment Letter on NSEMB
January 11, 2016
Page 9 of 9

We would appreciate an opportunity to discuss these matters with you. Thank you for your
consideration of our views.
Sincerely,
American Bankers Association
American Financial Services Association
American Land Title Association
Consumer Bankers Association
Consumer Mortgage Coalition
Credit Union National Association
Housing Policy Council of the Financial Services Roundtable
Independent Community Bankers of America
Mortgage Bankers Association
National Association of Federal Credit Unions
Attachment

How Much Do Consumers Know About Access to Their Personal Information?
A Comparison of the CFPB and the FTC Approaches to Consumer Consent in Complaints

CFPB Complaint Process

FTC Complaint Process

The consumer goes to a webpage to submit a complaint. This
page, under “How will you use my information?” states that
“We forward the information you provide so the company can
identify you and address your issue. We also share complaint
data with state and federal agencies who oversee financial
products and services, and we publish a database of nonpersonal complaint information so the public knows what kinds
of complaints we receive and how companies respond.”

The consumer goes to a webpage to submit a complaint. This
page, under “How We Handle Your Info[,]” states that “It’s up
to you to determine how much personal information you
want to provide. Providing your contact information will make
it easier if we need to reach you to obtain additional information
about your complaint. Please read our Privacy Policy to learn
more about how we safeguard your personal information.”
(Emphasis in original.) This statement includes an obvious link
to the FTC’s privacy policy.

If the consumer clicks “Learn more[,]” the consumer goes to
a second webpage. This webpage describes what the CFPB
does with complaints. It states, “We publish complaints in the
Consumer Complaint Database (without personal information).”
It also lists “Data that stays private to the consumer and the
company[.]” This lists, “All personal information, such as
names, contact information, account numbers, social security
numbers, and supporting documents help the company identify
the consumer. This information is not published.”
This is misleading because it ignores potential re-identification.
Data that the CFPB does not publish directly does not
necessarily “stay[ ] private to the consumer and the company” as
the CFPB states.

If the consumer clicks on this link to the FTC’s privacy policy,
the consumer goes to a second webpage that contains a wealth of
information about the FTC’s privacy policies. This webpage
details what information the FTC collects and why, where that
information goes and why, lists contact information for the
FTC’s Chief Privacy Officer, provides links to information about
identity theft and online issues, lists additional FTC privacyrelated information, including on the FTC’s use of cookies and
third-party services, and has links to the FTC’s privacy
impact assessments and its Privacy Act system of records. The
FTC’s webpage also has a list of frequently asked questions,
including about how the FTC protects personal information.

1

CFPB Complaint Process

FTC Complaint Process

To submit a mortgage complaint, consumers can go to
a webpage that requests several items of information. If a
consumer happens to scroll all the way to the bottom of this
page, and happens to notice, in a very small, pale green font, the
words “Privacy act statement” and clicks, the consumer sees a
statement that, “We may also share your complaint or inquiry
(but not your personally identifiable information) with the public
through a public complaint database.” This link is hard to find.
Even for consumers who happen to find it, it gives the
impression that the CFPB does not permit public access to the
consumer’s identity, while the CFPB does create a risk of
consumer re-identification.

To submit a mortgage complaint, consumers can go to this
FTC webpage. The FTC first asks about the complaint, and
then asks for information about the consumer. On the page for
supplying consumer information, at the top, the FTC reiterates,
“It’s up to you to determine how much personal information
you want to provide. Providing your contact information will
make it easier if we need to reach you to obtain additional
information about your complaint. Please read our Privacy
Policy to learn more about how we safeguard your personal
information.” This is a redundant link to the FTC’s privacy
statement.
Nowhere does the FTC imply that providing information does
not create re-identification risk. The FTC does not hide its
privacy statement, but makes extensive privacy information

2