Mortgage Info for Homes and Small Business Financing

Tag Archives: Privacy

The Disposal Rule | Your Privacy in Settlement and Servicing

The Disposal Rule

In 2003, Congress made amendments to FCRA under the Fair and Accurate Credit Transactions Act (FACTA).  One of the amendments was the creation of a mandate for the proper disposal of consumer information derived from consumer reports.  FACTA directed the FTC, the federal banking agencies, and the NCUA to promulgate rules for the proper disposal of records.

disposal rule shredding for compliance

Along with several other consumer groups, The Privacy Rights Clearinghouse (PRC) participated in the rule making proceedings for the Disposal Rule.  In a letter encouraging the adoption of strong regulations to fight identity theft, PRC described the reasons that strong disposal rules are important:

Irresponsible handling of sensitive consumer data has long been cited as a contributing factor to identity theft.  A practice known as “dumpster diving” is often claimed by thieves themselves as the source of the data that allowed them to commit the crime.

Sensitive data discarded by a financial institution provides a prime opportunity for a crook to access another person’s personal data. [1]

The FTC’s rule on the Disposal of Consumer Report Information and Records (Disposal Rule) became effective in June 2005.  Following is a review of the requirements of the Rule.

Definitions Related to the Disposal Rule

The following definitions are helpful in understanding the provisions of the Disposal Rule.

Consumer:  An individual.

Consumer Report:  Information obtained from a consumer reporting agency or other reports that are used, or expected for use, in establishing a consumer’s eligibility for credit, employment, insurance, or other such purposes.

Disposal:  The discarding or abandonment of consumer information, or the sale, donation, or transfer of a computer, or other equipment or material on which consumer information is stored.

General Information on the Disposal Rule

Purpose of the Disposal Rule

The purpose of the rule is to protect consumer privacy and to prevent fraudulent actions, such as identity theft, from occurring as a result of the improper disposal of consumer information.

Information Protected by the Disposal Rule

The Disposal Rule applies to consumer reports and to information derived from consumer reports.

Institutions Covered by the Disposal Rule

The rule applies to any person over which the FTC has jurisdiction, and who maintains or possesses consumer information for a business purpose.  The rule therefore applies to mortgage brokers.

Requirements of the Disposal Rule

The Rule requires “… reasonable measures to protect against unauthorized access to, or use of, information in connection with its disposal.” (16 CFR Section 682.3(a))  The Rule suggests the following examples of disposal methods, noting that there may be other acceptable means of disposal:

  • Burning, pulverizing, or shredding papers to ensure that the information cannot be read or reconstructed
  • Requiring the destruction or erasing of electronic media containing consumer information to ensure that the information cannot be read or reconstructed
  • Entering into a contract with a business that carries out record destruction, monitoring its compliance with the Disposal Rule.  The Rule requires due diligence in selecting a disposal company, meaning that it is necessary to evaluate its competency and integrity.
  • Monitor compliance policies and procedures to ensure that service providers dispose of consumer information in compliance with the Rule

The Safeguards Rule promulgated pursuant to the GLB Act and the Disposal Rule share some similar requirements.  The Safeguards Rule specifically requires performance of a risk assessment that includes consideration of “… information processing, storage, transmission and disposal….” (emphasis added) (16CFR Section 313.4(b)(2))  The FTC suggests that financial institutions that are subject to both rules “… should incorporate practices dealing with the proper disposal of consumer information into the information security program that the Safeguards Rule requires.” [2]

Record Retention in Virginia

In the Commonwealth of Virginia, a mortgage broker would be able to dispose of the homeowner’s records three years after a mortgage loan is made.  They have the option of completing the disposal of information themselves, by shredding paper documents and eliminating information stored electronically, or they could rely on a third party to destroy the records so that they could not be recreated.

C. Each mortgage broker required to be licensed under this chapter shall retain for at least three years after a mortgage loan is made the original contract for his compensation, a copy of the settlement statement, and an account of fees received in connection with the loan, and such other papers or records as may be required by regulation.[3]

Relying on a third party is only advisable if due diligence is conducted to identify a disposal company that meets the standards created in the Disposal Rule.  The mortgage broker should also have a contractual arrangement with the disposal company which includes provisions stating it will assume liability for any breach of privacy or confidentiality that results during the performance of its contractual responsibilities.

Disposal Rule – Real Life Application

In 2010, a United States District Court entered a settlement agreement with a mortgage broker that the FTC cited for failing to properly dispose of his clients’ financial records. [4] Using a dumpster that was accessible to the public, the broker disposed of 40 boxes of records that included mortgage applications and supporting documentation such as tax returns, bank statements, credit reports, and copies of credit cards and drivers’ licenses.  The charges against the broker included failing to use disposal methods that are acceptable under the FTC Disposal Rule and misrepresenting to clients that the mortgage company used appropriate methods for the disposal of personal financial information.  As a result of these actions, the District Court entered a stipulated order with the mortgage broker that requires:

  • Payment of penalties of $35,000
  • Use of a security program to protect the personal information of clients
  • Cooperation with an annual review, by a third party security professional, of the broker’s security program for the next ten years

[1] Federal Deposit Insurance Corporation (FDIC).  FDIC Federal Register Citations.  May 21, 2008.

[2] Federal Trade Commission. “FACTA Disposal Rule Goes Into Effect June 1.” 1 June 2005.

[3] Code of Virginia.  § 6.2-1609. Retention of books, accounts and records.

[4] Privacy Rights Clearinghouse. “Comments on FACTA Disposal Rule.” 12 July 2004.



How The Fair Credit Reporting Act Protects You | FCRA

The use of consumer credit reports is integral to the processing and approval of mortgage loan applications.  Enacted in 1970, the Fair Credit Reporting Act (FCRA) was one of the first laws to protect consumers from unauthorized access to the use of consumers’ personal information. Accuracy, Fairness, and Privacy Congress enacted the FCRA to ensure… Continue Reading

Credit Bureaus Make Money Selling Your Personal Data

There are over 200 million consumer credit files stored by the three major credit bureaus, Equifax, Experian and TransUnion according to the Consumer Financial Protection Bureau (CFPB).  Those 200 million plus files represent about 63% of the U.S. population. The credit bureaus major source of revenue is to sell information from those files to just… Continue Reading

Credit Reporting Bureaus Track More than Your Credit History

Besides tracking your credit history including payment history, how much debt you have and your use of revolving credit, Credit Reporting Agencies (CRAs) track much more information that has nothing to do with your credit history. While this data is tracked it has nothing to do with calculating FICO credit scores, a component of all… Continue Reading

Tips, Tricks and Mortgage MoJo
Get the latest content first.
Your privacy is always respected.