07.18.19

Two New Mortgage Compliance Trends to Watch: Consumer Privacy and Cybersecurity

So far, 2019 has appeared to be quiet when it comes to new mortgage compliance initiatives. However, lenders should closely watch the trends related to consumer privacy and cybersecurity.

After tracking trends arising from the GDPR laws in Europe, along with new state laws, investor changes and new federal agency rules, we believe these two issues will drive the next wave of regulatory changes at the federal level. Even now, lenders are having to address privacy and cybersecurity with additional rules in certain states. Here is a quick look at these two trends and their regulatory impact.

Consumer Privacy

Our industry has always worked to protect the consumer’s personal identifying information (PII) and paid close attention to data security. Security breaches have occurred in the past, but in the future, they may prove to be much more costly for financial services companies.

We saw this trend begin to emerge last year with the implementation of the European Union’s new data protection law, the General Data Protection Regulation (GDPR).

Technically, GDPR generally applies only to companies established in the EU or companies handling the personal data of natural persons within the EU, but the requirement has filtered down from the large global banks and has impacted -- and will continue to impact -- the way all financial services companies treat their data.

One area where GDPR is having an influence is in changing the way our own lawmakers treat this issue. Last year, California legislators wrote and quickly passed the California Consumer Privacy Act of 2018 to prevent voters from facing a similar ballot initiative in last November’s election.

The new California law is still coming into focus as state regulators work to implement the regulations. In most respects, this new law is like GDPR in that it requires new privacy disclosures to consumers, letting them know what type of information the company is collecting and what it plans to do with that data. Under the new law, companies must also give consumers the opportunity to have that information deleted. The new law goes into effect on January 1, 2020.

While both actions occurred last year, we see them as evidence of a trend that will see the industry facing additional consumer privacy compliance requirements in the years ahead.


Both consumers and government regulators are losing patience with companies that collect sensitive consumer information but fail to protect it. We expect to see some evidence of this in fines levied by the EU for failure to comply with GDPR.


It could be worse here if we don’t see federal regulation to standardize the rules before the various states take their own actions to harden data security. Complying with 50 different sets of rules, either for consumer privacy or data security, would be a heavy burden.

Could that happen? New York State’s Financial Services agency’s recent Cybersecurity Regulation suggests that it could. We’ve already seen South Carolina’s Insurance Data Security Act, passed last May. We could see similar laws extend into the home finance industry.

Both trends warrant watching. You can count on Docutech’s compliance experts to remain vigilant on your behalf.