ALERT: New State Privacy Requirements for Mortgages Funded After December 1, 2021As of yesterday, any new Freddie Mac mortgage funded will need to comply with state Address Confidentiality Program (ACP) requirements. ACPs are state-sponsored programs designed to protect victims of crimes such as domestic abuse, sexual assault, stalking, or human trafficking from further harm. Recently ACPs have been extended to other individuals, such as healthcare workers and public health officials. Although ACPs have been in effect since at least 1991, with Washington state being the first to adopt such a law, they have largely flown under the radar within many privacy compliance programs. However, these lesser known statutes are now gaining recognition in the world of corporate compliance.

By keeping a victim’s home, work, and/or school address confidential, ACPs act as a shield to prevent perpetrators from finding – and continuing to harm – their victims. ACPs operate by providing a “designated address” for victims to use instead of their physical (or actual) address. When used properly, the designated address diverts a victim’s mail to a confidential third-party location (often a P.O. Box and/or a “lot number”), after which a state agency forwards the mail to the victim’s actual address. Additionally – and perhaps most importantly – ACPs prohibit those with knowledge of a victim’s location information from disclosing it to other parties. In this way, ACPs seek to protect the physical location and safety of victims.

While the obligation to accept and use ACP “designated addresses” (and the corollary designation to keep actual addresses confidential) only applies to government entities in many states, there are a handful of states that apply these obligations to private entities as well.

Some private companies, however, have chosen to expand state ACP law protections to all customers who identify as victims, regardless of whether the underlying state law requires these obligations. Likewise, Freddie Mac, opting to broaden the scope of these obligations, released a bulletin on September 1, 2021 requiring all sellers to inform Freddie Mac of a borrower’s substitute ACP mailing address. Additionally, within five business days after the funding date the seller must email Freddie Mac with the following information:

  • Freddie Mac loan number
  • Borrower name
  • Borrower ACP mailing address (including, when applicable, any lot number or required uniquely identifiable number)

Previously, Freddie Mac did not have a process for identifying borrowers participating in an ACP. Freddie Mac stated in its bulletin that the new guidance was in response to questions regarding its process regarding victim borrowers.

Freddie Mac also updated its delivery instructions for ULDD Data Point Borrower Mail To Address Same As Property Indicator (Sort ID 572) to specify that “false” should be selected when the mailing address is not the same as the mortgaged premises and to add a reference to the notification requirement (see guide impacts: Sections 1301.2 and 6302.9).

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Erin Jane Illman Erin Jane Illman

Erin Illman is a dynamic problem solver with a strong understanding of U.S. and international private-sector privacy laws and regulations and the legal requirements for the transfer of sensitive personal data to/from the United States, the European Union and other jurisdictions. She regularly…

Erin Illman is a dynamic problem solver with a strong understanding of U.S. and international private-sector privacy laws and regulations and the legal requirements for the transfer of sensitive personal data to/from the United States, the European Union and other jurisdictions. She regularly advises clients on CCPA, GLBA, HIPAA, COPPA, CAN-SPAM, FCRA, security breach notification laws, and other U.S. state and federal privacy and data security requirements, and global data protection laws. In addition to providing proactive privacy and information security compliance and legal advice, Erin manages privacy-related enforcement actions and litigation. Her practice includes representing companies in reactive incident response situations, including insider cybersecurity threats, electronic and physical theft of trade secrets, and investigation, analysis, and notification efforts with respect to security incidents and breaches.

Photo of Leah M. Campbell Leah M. Campbell

Leah Campbell is a senior attorney in the Banking and Financial Services Practice Group. Leah has significant experience representing financial services and insurance company clients in both federal and state courts, as well as before state regulators. She has advised national mortgage servicers…

Leah Campbell is a senior attorney in the Banking and Financial Services Practice Group. Leah has significant experience representing financial services and insurance company clients in both federal and state courts, as well as before state regulators. She has advised national mortgage servicers on FDCPA claims, loan finance companies on UDAAP claims, and banks on OFAC- related issues.

In addition, Leah has provided intellectual property guidance in M&A and corporate structuring matters and advised on GDPR implementation and cross-border encryption issues.