Financing for Homes and Small Businesses

The Disposal Rule | Your Privacy in Settlement and Servicing

The Disposal Rule

In 2003, Congress made amendments to FCRA under the Fair and Accurate Credit Transactions Act (FACTA).  One of the amendments was the creation of a mandate for the proper disposal of consumer information derived from consumer reports.  FACTA directed the FTC, the federal banking agencies, and the NCUA to promulgate rules for the proper disposal of records.

Along with several other consumer groups, The Privacy Rights Clearinghouse (PRC) participated in the rule making proceedings for the Disposal Rule.  In a letter encouraging the adoption of strong regulations to fight identity theft, PRC described the reasons that strong disposal rules are important:

Irresponsible handling of sensitive consumer data has long been cited as a contributing factor to identity theft.  A practice known as “dumpster diving” is often claimed by thieves themselves as the source of the data that allowed them to commit the crime.

Sensitive data discarded by a financial institution provides a prime opportunity for a crook to access another person’s personal data. [1]

The FTC’s rule on the Disposal of Consumer Report Information and Records (Disposal Rule) became effective in June 2005.  Following is a review of the requirements of the Rule.

Definitions Related to the Disposal Rule

The following definitions are helpful in understanding the provisions of the Disposal Rule.

Consumer:  An individual.

Consumer Report:  Information obtained from a consumer reporting agency or other reports that are used, or expected for use, in establishing a consumer’s eligibility for credit, employment, insurance, or other such purposes.

Disposal:  The discarding or abandonment of consumer information, or the sale, donation, or transfer of a computer, or other equipment or material on which consumer information is stored.

General Information on the Disposal Rule

Purpose of the Disposal Rule

The purpose of the rule is to protect consumer privacy and to prevent fraudulent actions, such as identity theft, from occurring as a result of the improper disposal of consumer information.

Information Protected by the Disposal Rule

The Disposal Rule applies to consumer reports and to information derived from consumer reports.

Institutions Covered by the Disposal Rule

The rule applies to any person over which the FTC has jurisdiction, and who maintains or possesses consumer information for a business purpose.  The rule therefore applies to mortgage brokers.

Requirements of the Disposal Rule

The Rule requires “… reasonable measures to protect against unauthorized access to, or use of, information in connection with its disposal.” (16 CFR Section 682.3(a))  The Rule suggests the following examples of disposal methods, noting that there may be other acceptable means of disposal:

  • Burning, pulverizing, or shredding papers to ensure that the information cannot be read or reconstructed
  • Requiring the destruction or erasing of electronic media containing consumer information to ensure that the information cannot be read or reconstructed
  • Entering into a contract with a business that carries out record destruction, monitoring its compliance with the Disposal Rule.  The Rule requires due diligence in selecting a disposal company, meaning that it is necessary to evaluate its competency and integrity.
  • Monitor compliance policies and procedures to ensure that service providers dispose of consumer information in compliance with the Rule

The Safeguards Rule promulgated pursuant to the GLB Act and the Disposal Rule share some similar requirements.  The Safeguards Rule specifically requires performance of a risk assessment that includes consideration of “… information processing, storage, transmission and disposal….” (emphasis added) (16CFR Section 313.4(b)(2))  The FTC suggests that financial institutions that are subject to both rules “… should incorporate practices dealing with the proper disposal of consumer information into the information security program that the Safeguards Rule requires.” [2]

Record Retention in Virginia

In the Commonwealth of Virginia, a mortgage broker would be able to dispose of the homeowner’s records three years after a mortgage loan is made.  They have the option of completing the disposal of information themselves, by shredding paper documents and eliminating information stored electronically, or they could rely on a third party to destroy the records so that they could not be recreated.

C. Each mortgage broker required to be licensed under this chapter shall retain for at least three years after a mortgage loan is made the original contract for his compensation, a copy of the settlement statement, and an account of fees received in connection with the loan, and such other papers or records as may be required by regulation.[3]

Relying on a third party is only advisable if due diligence is conducted to identify a disposal company that meets the standards created in the Disposal Rule.  The mortgage broker should also have a contractual arrangement with the disposal company which includes provisions stating it will assume liability for any breach of privacy or confidentiality that results during the performance of its contractual responsibilities.

Disposal Rule – Real Life Application

In 2010, a United States District Court entered a settlement agreement with a mortgage broker that the FTC cited for failing to properly dispose of his clients’ financial records. [4] Using a dumpster that was accessible to the public, the broker disposed of 40 boxes of records that included mortgage applications and supporting documentation such as tax returns, bank statements, credit reports, and copies of credit cards and drivers’ licenses.  The charges against the broker included failing to use disposal methods that are acceptable under the FTC Disposal Rule and misrepresenting to clients that the mortgage company used appropriate methods for the disposal of personal financial information.  As a result of these actions, the District Court entered a stipulated order with the mortgage broker that requires:

  • Payment of penalties of $35,000
  • Use of a security program to protect the personal information of clients
  • Cooperation with an annual review, by a third party security professional, of the broker’s security program for the next ten years

[1] Federal Deposit Insurance Corporation (FDIC).  FDIC Federal Register Citations.  May 21, 2008.

[2] Federal Trade Commission. “FACTA Disposal Rule Goes Into Effect June 1.” 1 June 2005.

[3] Code of Virginia.  § 6.2-1609. Retention of books, accounts and records.

[4] Privacy Rights Clearinghouse. “Comments on FACTA Disposal Rule.” 12 July 2004.



Want Quicker Mortgage Approvals with Fewer Conditions? Use Pictures

A friend showed us pictures of her mom when she was a younger woman.  These portraits were brought into the hospital room where her mother was staying after a fall which required medical attention.  In doing this, my friend hoped the hospital staff would come to know and appreciate how special and vibrant her mom… Continue Reading

Preparing for the New Loan Estimate and Closing Disclosure

The Dodd Frank Act directed the Consumer Financial Protection Bureau (CFPB) to implement regulations to combine the disclosures required under the Truth in Lending Act (TILA) and the Real Estate Settlement Procedures Act (RESPA). The purpose of these changes was to simplify the required information provided and increase consumer understanding.  To that end, the CFPB… Continue Reading