CFPB Must End Use of HMDA Data to Dox Consumers

Barron’s magazine and its reporter, Jacob Adelman, have admitted to using the Consumer Financial Protection Bureau’s (CFPB) public disclosure of Home Mortgage Disclosure Act (HMDA) data to identify individual Americans and investigate them. In an interview with The Change Company (Change), Adelman explained that he compares the CFPB’s redacted and “anonymous” information with data available for purchase from private companies and municipalities to identify borrower names and personal information contained in confidential mortgage applications. Adelman explained that he then reverse engineers the identities of homeowners, focusing on those who self-identified as Black or Hispanic/Latino (Hispanic), in their mortgage loan applications in order to uncover their identities – which HMDA mandates must be anonymous.

To date, Adelman has focused his investigations on loans made by community lenders who disproportionately serve minority and low-income borrowers. Barron’s actions threaten a chilling effect on underbanked Americans who already lack trust in financial institutions due to decades of mistreatment such as redlining.

Change performed an assessment of the accuracy of information gathered by Adelman as it pertains to Change’s borrowers. While Adelman accurately uncovered the names and other confidential information about several borrowers, much of Barron’s information about those borrowers contained material errors – including about the borrower’s ethnicity and income. In fact, in one instance, Adelman used his erroneous data to claim a borrower had lied about their own ethnicity. In another instance, Adelman used faulty assumptions and proxies to estimate borrowers’ incomes that resulted in indefensible errors. The inability of this Barron’s reporter to ensure the accuracy of his analysis or to validate the accuracy of his source data puts consumers at risk of having false and misleading information published about them.

For instance, Barron’s analysis commingled HMDA data with unsourced, TMZ-style information scraped from the internet. Barron’s questioned a minority borrower’s self-identified ethnicity based on a social media post indicating the borrower had some ancestors who were from Eastern Europe.

The risk of defamation spewing from Adelman’s analysis grew when Adelman insisted that a borrower with a “Korean” last name could not be both Asian and Hispanic – thereby ignoring a century of well documented Korean-Mexican immigration. Adelman also questioned another borrowers’ race and ethnicity based on internet photos. Most disturbingly, one homeowner Adelman believed to self identify as Hispanic/Latino reported being harassed by him during an unsolicited phone call when Adelman demanded to know why the borrower didn’t “sound Hispanic.”

Adelman’s approach would be illegal if Barron’s applied the methodology to their own employees that Adelman is using to unmask private homeowners. Both the EEOC and OFCCP have stated that self-identification is the preferred method of identifying the race and ethnicity information for an employee on the EEO-1 report, and that employers are in fact required to attempt to allow employees to use self-identification to complete the EEO-1 report. HMDA has the same requirements that lenders report borrower’s self-identification of their race and ethnicity with no adjustments or edits allowed by the lender. Comparatively, Adelman believes that Barron’s readers should just rely on him to determine the race, ethnicity, and gender of Americans he has unmasked based on internet photos, social media posts, and a surname.

Financial institutions are mandated to disclose consumer loan file data at least annually to the CFPB, a federal agency created as a single point of accountability for enforcing federal consumer financial laws and protecting consumers, pursuant to HMDA and Regulation C. In 2015, the CFPB comprehensively revised HMDA reporting requirements to extensively expand the amount of personal financial data about individual applicants and consumers that financial institutions must report. The CFPB unambiguously mandated that a financial institution, “…must report the ethnicity, race, and sex of an applicant as provided by the applicant. Therefore, a financial institution should not correct the race or ethnicity as reported by the applicant, even to correct spelling or other errors.” Under the new HMDA requirements, the CFPB is responsible for protecting applicant and consumer privacy, even as privacy risks evolve.

The CFPB downplayed the risks to consumer privacy the new rule posed despite outcry from consumer advocates and industry participants. Even before the advent of artificial intelligence such as ChatGPT, many grave concerns existed portending the inevitability that bad actors would reidentify HMDA data for perverse, harmful, and nefarious ends. A white paper funded by the Mortgage Bankers Association (“MBA”) entitled Personal Privacy of HMDA in a World of Big Data warned of such compromises to borrower privacy. Barron’s and Adelman have now validated MBA’s concerns and proven that the revised HMDA rule eviscerates any reasonable expectation of consumer privacy in financial transactions.

Adelman has not only ignored the consumer privacy issues with his techniques but is red flagging consumers based on their surnames and their desire to live in historically “white” neighborhoods. He attempts to blame financial institutions for following CFPB regulations and respecting borrower’s self-attestations rather than investigating the veracity of their claimed lineage.

Congress mandated the CFPB ensure the public disclosure of the HMDA database would not be misused to violate consumer privacy laws. We now know that Barron’s and Adelman are exploiting enhanced HMDA reporting requirements to violate the privacy of minority and low-income consumers nationwide by reverse-engineering HMDA and other data to identify borrowers and the private information in their mortgage loan applications. In an age of AI and big data, the ability to unmask HMDA data will only increase.

The CFPB can no longer ignore unethical, on-going violations of consumer privacy. It is the CFPB’s responsibility to protect the privacy of consumers and to take all steps necessary to prevent further violations of consumer privacy rights. This responsibility has been ignored by the CFPB and must be addressed.