Residential MortgageCompliance Monitor

FHFA & FHFA-OIG Privacy Act Implementation: An Overview of the Interim Final Regulation

by Margaret Wright, Esq.
Associate Counsel
margaret@bankersadvisory.com

The Federal Housing Finance Agency (FHFA) has issued an interim final regulation implementing changes to its Privacy Act policies and procedures under which an individual may make a request for information contained in a FHFA or FHFA Office of Inspector General (FHFA-OIG) system of records.  Under the Privacy Act, the FHFA is required to publish regulations describing its Privacy Act policies and procedures.

In 2009, when the FHFA issued their original final regulation on the Privacy Act, the FHFA-OIG was not yet in existence. In 2010, the FHFA-OIG was established to provide evaluation and review of FHFA’s programs relating to FHFA’s supervision and regulation of Fannie Mae, Freddie Mac and the Federal Home Loan Banks.  The current interim final regulation has been issued to amend FHFA’s previous Privacy Act regulation to include policies and procedures as applicable to the more recently established FHFA-OIG.  

Per the Federal Register notice:  “The changes… primarily cover how the FHFA-OIG will implement the Privacy Act and make clarifying and general updates to the existing regulation, but do not fundamentally change the regulation’s nature or scope.” (76 FR 51869)

Privacy Act Compliance

The Interim Final Regulation will revise 12 CFR Part 1204, Privacy Act Implementation. The purpose of the regulation is to:

  • Implement the Privacy Act as required for Federal agencies which collect and maintain private information about individuals;
  • Establish rules applicable to FHFA and FHFA-OIG’s systems of records and procedures for requesting information or amendment;
  • Inform potential requestors of the automatic processing of a request for record access; and
  • Inform potential requestors that the only information and services provided by the FHFA or FHFA-OIG under this section are those as entitled to under the Privacy Act.


Privacy Act Request Procedure

Sections 1204.3 through 1204.7 explain the procedures to be followed when a valid request for records or information is made by an individual under the Privacy Act.  The information requested must be contained in the FHFA or FHFA-OIG’s system of records which is “a group of records… from which information is retrieved by the name of an individual or by… other identifying particular assigned to the individual.” (76 FR 51872)

A valid request can only be made on the requestor’s own behalf, on behalf of another as their legal guardian or on behalf of another with their written consent authorizing the requestor to do so.   The requestor’s identity must be verified. The request must be made in writing and must describe the record requested with specific details to allow the FHFA or FHFA-OIG to reasonably locate the applicable information.

Basic information to include on a record request is:

  • Time period of the record;
  • Name of the system of records in which requested information is kept;and
  • The date, title, author, recipient or subject matter of the record.

A request may also be made to amend or correct a FHFA or FHFA-OIG record.  The procedures for requesting an amendment or correction are the same as a request for information; however the request must also describe the amendment or correction and include information as to why the record is not correct or why amendment is needed.  Additional documentation may be submitted along with the request to support the need for the requested change.

Privacy Act Response Procedure

Using the information provided in the record request, the FHFA or FHFA-OIG will search the applicable system of records to locate the requested record or to determine if the record is not available. The FHFA or FHFA-OIG will generally respond within 20 days of receipt of a valid record request, or in the case of an amendment or correction request, within 10 days after receipt.  The regulation allows for the response time periods to be extended if additional time is needed under certain circumstances, including obtaining records which are not stored locally.

Once the FHFA or FHFA-OIG has completed the applicable review and record search, the written response will contain:

  • Determination to grant or deny the request and the supporting reasons;
  • The amount of the fee charged, if any, as per section 1204.6;
  • If access is granted, the record will be made available; and
  • If amendment or correction is granted, the description of the changes will be included and notification of the right of the requestor to obtain a copy of the record.

An adverse determination may also be issued in which the record requested will not be made available.  An adverse determination occurs when:

  • The requested record is withheld in whole or in part;
  • The amendment or correction request is denied in whole or in part;
  • Request to provide an accounting of disclosures is declined;
  • The requested record does not exist or cannot be located; or
  • The record requested is not subject to the Privacy Act.  

In the written adverse determination response, the FHFA or FHFA-OIG must also identify the person responsible for the adverse determination, state that the adverse determination is not a final action of the FHFA or FHFA-OIG and notify the requestor that they may appeal the determination.

Section 1204-5 outlines the appeal procedure and the FHFA or FHFA-OIG required response.   Appeals must be made in writing by the requestor within 30 days of the date of the adverse determination notice.  The appeal must clearly identify the adverse determination which is being contested.  Once a complete appeal is received, the FHFA or FHFA-OIG will generally respond within 30 days.  The FHFA or FHFA-OIG response will include a determination of whether the appeal is granted or denied and the supporting reasons for the decision.  If the appeal is granted, the response will be same as a granted request as outlined above.  If the appeal is denied, the response will advise the requestor of the right to file a Statement of Disagreement within 30 days of the denial.  The Statement of Disagreement will be placed in the system of records that contains the disputed record.  If the disputed record is subsequently disclosed, the Statement of Disagreement will also be provided along with the record. (76 FR 51874)

Privacy Act Exemptions

Under the Privacy Act, the FHFA and the FHFA-OIG are authorized to exempt information or records from some Privacy Act requirements.  Potential exemptions include records containing information compiled for the purpose of criminal law enforcement investigations or the purpose of “determining suitability, eligibility or qualifications for Federal civilian employment or Federal contracts” where “revealing the identity of a confidential source could impede future cooperation by sources, and could result in harassment or harm to such sources.” (FR 76 51875). If an exemption has been claimed “the system of records notice will identify the exemption and the provisions of the Privacy Act from which the system is exempt.” (76 FR 51874).

Employee Responsibility under the Privacy Act

Section 1204.10 outlines the responsibilities of a FHFA or FHFA-OIG employee under the Privacy Act. The employee shall:

  • Collect only relevant information about an individual from the individual directly;
  • Inform individuals from whom information, including social security numbers, is collected of:
  • The legal authority to collect the information and whether providing is voluntary or mandatory;
  • The principal purpose of the collection of the information;
  • The use the FHFA or FHFA-OIG will make of the information;
  • The effects, if any, on the individual of not providing the information.
  • Ensure that a system of records is not maintained without public notice and notify the appropriate officials of the existence or development of a system of records;
  • Maintain records with accuracy, relevance, timeliness and completeness to ensure fairness and to ensure that the record is accurate before release;
  • Maintain accounting where required;
  • Prevent unauthorized disclosure of records; and
  • Notify the appropriate official of any record that contains information that the Privacy Act does not permit the FHFA or FHFA-OIG to maintain. (76 FR 51875)

    • Section 1204.8 requires the FHFA and FHFA-OIG “establish administrative and physical controls to prevent unauthorized access to their systems of records, unauthorized or inadvertent disclosure of records and physical damage of destruction of records.” (76 FR 51875)

    Interim Final Regulation Effective Date and Comment Period

    The Privacy Act Implementation Interim Final Regulation is effective as of August 19, 2011. Comments on the regulation will be accepted by the FHFA until October 18, 2011.

    The FHFA list system of records may be viewed here:
    http://www.fhfa.gov/webfiles/21682/List%20of%20Government%20Wide%20System%20of%20Records%20Notices%20July%202011.pdf

    , Federal Mortgage Regulations | Comments Off on FHFA & FHFA-OIG Privacy Act Implementation: An Overview of the Interim Final Regulation

    • 781-402-6443

    Margaret Wright, JD, is regulatory compliance director with CLA. She is a graduate of Stonehill College and earned her juris doctor at Suffolk University Law School. She is admitted to the Massachusetts Bar.

    Comments are closed.

    Subscribe to Blog   

    Residential Mortgage Compliance Monitor is an educational resource for financial institutions, providing announcements, legislative summaries, and policy changes issued by state and national regulators. Announcements also cover mortgage lending rules of HUD, Fannie Mae, Freddie Mac, and other mortgage agencies.