Consumer Compliance Outlook > 2025 > First Issue 2025

Consumer Compliance Outlook: First Issue 2025

Top Federal Reserve System Compliance Violations in 2024: Home Mortgage Disclosure Act

By Kenneth Benton, Principal Consumer Regulations Specialist, Federal Reserve Bank of Philadelphia

The Home Mortgage Disclosure Act (HMDA), as implemented by Regulation C, requires specified depository and nondepository financial institutions to collect, record, report, and make publicly available certain data points on applications, originations, and purchases of covered loans, a term defined in the regulation that covers most consumer-purpose, dwelling-secured loans and certain commercial-purpose, dwelling-secured loans.¹ The data are used for different purposes, including:

• to help determine whether financial institutions are serving the housing needs of their communities;
• to assist in identifying possible discriminatory lending patterns and enforcement of federal fair lending laws; and
• to help public officials in distributing public-sector investments and encourage reinvestment in certain areas.²

As discussed in this issue’s article about the top-cited violations and consumer complaints in 2024, Regulation C violations constituted 38 percent of the violations. Because examiners rely on HMDA data to conduct CRA performance evaluations, to assist in fair lending examinations, and to inform public policy and research, it is important for financial institutions subject to HMDA to ensure they comply with the regulation’s granular requirements and to address the root causes of systemic violations.

The first part of this article lists the most frequent violations of Regulation C and discusses common procedural breakdowns that may contribute to the root cause of those violations. The second part provides sound practices and other strategies an institution can use to enhance its HMDA data collection and reporting practices.

FREQUENT VIOLATIONS AND ROOT CAUSES

All of the top-cited HMDA violations in 2024 involve failing to properly report the information required in the following data fields:

• The universal loan identifier and the application received date required under §1003.4(a)(1)(i) and (ii), respectively
• Loan purpose required under §1003.4(a)(3)
• Action taken required under §1003.4(a)(8)
• Census tract in which the property is located required under §1003.(4)(a)(9)(ii)(C)
• Borrower information required under §1003.(4)(a)(10)

Here is our review of the regulatory requirements and root causes.

REGULATORY REQUIREMENTS

Universal Loan Identifier and Application Received Date: 12 C.F.R. §1003.4(a)(1)

The data collected shall include:

“(i) A universal loan identifier (ULI) … for the covered loan or application. ... The financial institution shall assign and report a ULI that: …

(B)(3) Must not include any information that could be used to directly identify the applicant or borrower. …

(ii) Except for purchased covered loans, the date the application was received or the date shown on the application form.” (Emphasis added.)

The violations of 12 C.F.R. §1003.4(a)(1) involved two issues. First, examiners cited institutions for not reporting the correct date that the application was received, as 12 C.F.R. §1003.4(a)(1)(ii) requires. The violations occurred because staff failed to use the regulation’s definition of application to determine the date that must be reported. Regulation C defines application as “an oral or written request for a covered loan [i.e., a mortgage loan subject to HMDA] that is made in accordance with procedures used by a financial institution for the type of credit requested.”³ Thus, policies and procedures should ensure that staff use this definition to determine the correct application date.

A related challenge for compliance with 12 C.F.R. §1003.4(a)(1) is that the regulation distinguishes between preapprovals, which are reported on the loan/application register (LAR), and prequalifications, which are not considered applications for the purposes of Regulation C and are therefore not reported. The Official Staff Commentary to 12 C.F.R. §1003.2(b) notes that interpretations of the definition of application under the Equal Credit Opportunity Act (ECOA), as implemented by Regulation B, generally apply to the definition of application under Regulation C.⁴ However, an exception applies for prequalification requests: “Regulation C does not require an institution to report prequalification requests on the loan/application register, even though these requests may constitute applications under Regulation B for purposes of adverse action notices.”⁵ Thus, institutions must ensure they are relying on Regulation C’s definition of application to determine if an application is reported.

The Official Staff Commentary to Regulation C further clarifies the distinction between prequalifications and preapprovals. A prequalification occurs when prospective loan applicants seek a preliminary determination of whether they “would likely qualify for credit under an institution’s standards, or for a determination on the amount of credit for which the prospective applicant[s] would likely qualify.”⁶

Conversely, an application submitted in a preapproval program is reported on the LAR because it involves a written commitment to finance a home purchase loan up to a specified amount after a comprehensive review of an applicant’s creditworthiness. If HMDA compliance staff do not understand this distinction between preapprovals and prequalifications, they may erroneously report prequalifications on the LAR, which should not be reported, or fail to report preapprovals, which must be reported.

The date reported for preapprovals, as with other applications for covered loans, is the date the application was received or the date shown on the application form.⁷ Comment 4(a)(1)(ii)-1 offers additional guidance, noting that an institution’s reporting approach “should be generally consistent (such as by routinely using one approach within a particular division of the institution or for a category of loans).” When an institution has multiple versions of the application form, it reports the date listed on the first application.

The second issue under 12 C.F.R. §1003.4(a)(1) pertained to the ULI field.⁸ The ULI is a unique number a financial institution assigns to a covered loan or application. It must begin with the institution’s Legal Entity Identifier, followed by up to 23 additional letters or numbers the institution assigns, and end with a two-character check digit.⁹ The ULI cannot include information that could be used to identify the applicant or borrower directly, such as the borrower’s name or date of birth. Examiners cited institutions for reporting information that could be used to identify the applicant or borrower, such as partially redacted names of the consumer or business.

The root causes of these violations included the absence of compliance-related procedures and controls to ensure the compliance department is reporting accurate information and does not include applicant information it should not report.

REGULATORY REQUIREMENTS

Loan Purpose: 12 C.F.R. §1003.4(a)(3)

Data collected shall include:

“Whether the covered loan is, or the application is for, a home purchase loan, a home improvement loan, a refinancing, a cash-out refinancing, or for a purpose other than home purchase, home improvement, refinancing, or cash-out refinancing.”

Examiners cited institutions for selecting the wrong loan purpose field. In some instances, institutions incorrectly reported loans as home improvement when they had multiple purposes of both refinance and home improvement. The Official Staff Commentary clarifies that when a covered loan is both a home improvement loan and a refinancing/cash-out refinancing, but is not a home purchase loan, the loan should be reported as a refinancing or a cash-out refinancing, as appropriate.¹⁰

Examiners also cited institutions for reporting the loan purpose as refinancing when the loans were cash-out refinancings. The reverse issue was also cited: reporting refinance loans as cash-out refinance loans when no cash-out was made to the borrower.

Regulation C defines refinancing as “a closed-end mortgage loan or an open-end line of credit in which a new, dwelling-secured debt obligation satisfies and replaces an existing, dwelling-secured debt obligation by the same borrower.”¹¹ On the other hand, a loan is designated as a cash-out refinancing “if it is a refinancing as defined by §1003.2(p) and the institution considered it to be a cash-out refinancing in processing the application or setting the terms (such as the interest rate or origination charges) under its guidelines or an investor’s guidelines.”¹² (Emphasis added).

Thus, whether a loan is reported as a cash-out refinance depends on the creditor’s internal standards instead of a specific regulatory definition. For example, one institution may establish a relatively high threshold for a loan to be considered a cash-out refinance, such as a refinance loan in which the borrower receives $25,000 or more at closing, while another institution may define it with a lower threshold, such as a loan providing the borrower $1,000 or more at closing. See Comments 4(a)(3)-2.i–2.iii for examples.

The root causes of these violations included manual input errors and weaknesses in the bank’s secondary review process. Training and policies and procedures could explicitly incorporate the examples provided in Comments (4)(a)(3)-2.i–2.iii to provide staff with additional clarifying guidance.

REGULATORY REQUIREMENTS

Action Taken: 12 C.F.R. §1003.4(a)(8)

Data collected shall include:

“(i) The action taken by the financial institution, recorded as one of the following:

(A) Whether a covered loan was originated or purchased;

(B) Whether an application for a covered loan that did not result in the origination of a covered loan was approved but not accepted, denied, withdrawn by the applicant, or closed for incompleteness; and

(C) Whether a preapproval request that did not result in the origination of a home purchase loan was denied or approved but not accepted.

(ii) The date of the action taken by the financial institution.”

Institutions were cited for incorrectly reporting the action taken. The root causes included:

• weaknesses in internal controls;
• data entry errors;
• failing to conduct secondary reviews;
• weaknesses in the overall compliance management system;
• failing to provide compliance procedures to aid staff in ensuring accuracy before filing the LAR; and
• failing to understand the regulatory requirement.

Comments (4)(a)(8)(i)-1–14 specify in detail how to report the action taken in the following circumstances:

• (4)(a)(8)(i)-1: covered loan originated
• (4)(a)(8)(i)-2: covered loan purchased
• (4)(a)(8)(i)-3: application approved but not accepted
• (4)(a)(8)(i)-4: application denied
• (4)(a)(8)(i)-5: application withdrawn
• (4)(a)(8)(i)-6: file closed for incompleteness
• (4)(a)(8)(i)-7: preapproval request denied
• (4)(a)(8)(i)-8: preapproval request approved but not accepted
• (4)(a)(8)(i)-9: counteroffers
• (4)(a)(8)(i)-10: rescinded transactions
• (4)(a)(8)(i)-11: purchased covered loans
• (4)(a)(8)(i)-12: repurchased covered loans
• (4)(a)(8)(i)-13: conditional approvals
• (4)(a)(8)(i)-14: pending applications

The full text of these comments contains granular details to clarify the requirements of reporting the action taken and could be directly incorporated into training and policies and procedures so staff could readily reference them.

REGULATORY REQUIREMENTS

Borrower Information: 12 C.F.R. §1003.4(a)(10)

Gross Annual Income

“(iii) Except for covered loans or applications for which the credit decision did not consider or would not have considered income, the gross annual income relied on in making the credit decision or, if a credit decision was not made, the gross annual income relied on in processing the application,” shall be collected.

Demographic Information of Co-applicants

The instructions for demographic data collection in Appendix B to Part 1003 provide the requirements for reporting co-applicant information:

“5. If there are no co-applicants, you must report that there is no co-applicant. If there is more than one co-applicant, you must provide the ethnicity, race, and sex only for the first co-applicant listed on the collection form. A co-applicant may provide an absent co-applicant’s ethnicity, race, and sex on behalf of the absent co-applicant. If the information is not provided for an absent co-applicant, you must report ‘information not provided by applicant in mail, internet, or telephone application’ for the absent co-applicant.”

Gross Annual Income

Examiners cited several different errors for the way in which institutions reported the gross annual income field.

First, institutions reported the gross annual applicant income for covered loans to employees, which should be reported as “NA” even if the bank relied on the applicant’s income in the credit decision. These errors occurred because staff did not understand the requirements for reporting income for bank employees.

Second, institutions reported the incorrect amount of gross annual applicant income: This should be reported based on the gross annual income relied on in making the credit decision; if a credit decision was not made, the gross annual income relied on in processing the application should be used.

These errors resulted from using earlier underwriting data, whereas the final underwriting data recorded the income relied upon for the credit decision. Comment 4(a)(10)(iii)-1 helps to clarify a related issue of reporting only the income upon which the lender relied in making the credit decision when the lender excludes some types of income from the credit decision. For example, if a creditor does not include an applicant’s commission because it was earned for less than 12 months, the commission income should be excluded from the reported income.

Demographic Information of Co-applicants

As noted, Appendix B to Part 1003 specifies the requirements for collecting the applicant’s demographic information, including co-applicants. If the loan has more than one co-applicant, only the demographic information about the first co-applicant must be provided, in accordance with the directions in Appendix B.

Examiners cited institutions for reporting incorrect demographic information about the co-applicants’ ethnicity, race, sex, and age. The root cause was weaknesses in training, policies and procedures, and internal controls. A secondary HMDA review would have identified the errors and is therefore a sound practice to mitigate this risk along with training.

REGULATORY REQUIREMENTS

Census Tract Location: 12 C.F.R. §1003.4(a)(9)(ii)(C)

“The following information about the location of the property securing the covered loan or, in the case of an application, proposed to secure the covered loan” shall be collected: …

“(C) Census tract if the property is located in a county with a population of more than 30,000 according to the most recent decennial census conducted by the U.S. Census Bureau.” 

For the property address and location fields, examiners frequently cited errors recording the incorrect census tract code. Examiners also cited institutions reporting census tract data when they should have reported “NA” because specific property information was not available when the loan decision was made.

The root causes included:

• failing to conduct secondary reviews that would validate the reported data by cross-referencing the geocoding information with the website of the Federal Financial Institutions Examination Council;
• input errors;
• failing to understand regulatory requirements; and
• deficiencies in the procedures.

SOUND PRACTICES TO MITIGATE HMDA RISKS

Part 1 of this article provided analyses of specific HMDA data collection and reporting inaccuracies. Part 2 identifies sound practices and possible enhancements to a bank’s compliance management system that can help ensure compliant HMDA data collection and reporting. The guidance shared below draws substantially from the CCO article “HMDA Data Collection and Reporting: Keys to an Effective Program,” by Allison Burns and Angelo Parker (Fourth Issue 2020), which also discussed sound HMDA data collection and reporting practices.

The table identifies the policies, procedures and controls that examiners have frequently observed at institutions with effective and compliant HMDA data collection and reporting processes.

Sound HMDA Practices

Most institutions can implement these practices regardless of the size and structure of the institution’s HMDA program. It is important for an institution to determine its risk profile, assess the level of knowledge within the institution, commit the necessary resources to the compliance process, and apply the practices best suited for its level of risk and resources.

Institutions can implement the following additional examples of sound practices for three of the processes identified — training, tools, and data verification — to promote effective compliance with HMDA requirements.

Training

Regular in-depth training is an effective tool for an institution to help its staff understand the HMDA reporting requirements and to help ensure that the institution applies data collection procedures consistently. Effective training is tailored to an individual’s role in the collection process and provides sufficient detail to aid staff in identifying the transactions to be reported and the data to be collected.

Effective training also helps staff to better understand regulatory requirements and the institution’s internal HMDA procedures and can be particularly beneficial for explaining the nuanced data fields discussed in this article. Regulation C has been amended several times in recent years, which makes regular training even more important to ensure that employees are up to date on the data collection requirements.

For example, the 2010 Dodd–Frank Act amended HMDA to add data points, directed the Consumer Finance Protection Bureau (CFPB) to amend Regulation C to implement the changes, and provided the CFPB with discretionary authority to create additional data points. In 2015, the CFPB issued a final rule to implement the Dodd–Frank Act amendments.¹³

But in 2018, Congress enacted the EGRRCPA, as discussed in Endnote 8, which exempted certain HMDA filers from collecting many of the data fields added in the 2015 final rule if they originated fewer than 500 closed-end mortgage loans or 500 home-secured open-end lines of credit in each of the two preceding calendar years.¹⁴ Similarly, while a May 2020 final rule amended Regulation C to increase the threshold for collecting and reporting data about closed-end mortgage loans from 25 to 100 loan originations,¹⁵ a September 2022 court ruling vacated that portion of the rule, which reverted the collection and reporting threshold for closed-end mortgage loans to 25 loan originations.¹⁶ Regular training can help an institution’s compliance staff stay up to date on the rules and create consistency in compliance among business lines and staff involved in the HMDA process.

Tools

Providing staff with tools, such as flowcharts, data field worksheets, and guidance prepared for industry, can improve accuracy by aiding an institution’s staff throughout the data collection process. For example, flowcharts can help staff determine whether a transaction is covered and HMDA reportable.

HMDA data field worksheets are another effective way to help ensure that staff collect data on all the key data fields during the loan application process. Worksheets can include references on where to find information in the loan file or reminders about HMDA’s requirements. For example, the worksheet may indicate where to find the verified gross income in the loan file based on loan type, and could include a reference of when income should be reported as “NA.” Worksheets can also guide staff on how to accurately geocode the collateral securing the loan. Providing staff with copies of guidance prepared to assist industry in HMDA compliance, such as A Guide to HMDA Reporting: Getting It Right! or the Home Mortgage Disclosure (Regulation C) Small Entity Compliance Guide, can help staff to better understand HMDA data collection requirements, especially for unfamiliar or complex covered transactions.

Finally, an automated collection process can reduce the burden of compiling HMDA data. Software programs are available to automate the collection process using the information entered during loan origination as the source documentation for reporting HMDA data points. Some financial institutions use their loan origination software to determine geocodes, while others use data collection software to compile the entire LAR.

Data Verification

Comprehensively reviewing HMDA data before submission by comparing and verifying the data collected with the data contained in the source files can help staff identify and correct errors, which increases the accuracy of the data submitted. Depending on the volume of HMDA data an institution collects, this process may involve testing and verifying through sampling. An effective verification process also provides an institution with an opportunity to measure the accuracy of its data collection and reporting processes and promptly identify weaknesses. The verification process can also test the effectiveness of processes that the institution uses to identify all applicable loans and non-originated applications covered by HMDA.

Institutions can conduct data reviews internally or through a reputable third-party vendor. The strength of the institution’s data collection processes can help determine the scope and frequency of the review. For example, the risk of HMDA noncompliance may be greater for institutions with a high loan origination volume or a decentralized collection process, which may merit more frequent reviews. Such reviews may uncover errors that can range from simple typographical mistakes to more significant procedural errors that could lead to systemic reporting violations, data scrubs, and the need for resubmission. Identification of errors or weaknesses during the review gives an institution the opportunity to correct the data before submission, assess the severity of the weaknesses, and take appropriate corrective actions to address the root cause of identified weaknesses. A thorough data verification process provides a much-needed last line of defense for HMDA reporters.

CONCLUDING REMARKS

The federal banking agencies frequently cite violations of HMDA data collection and reporting requirements. Institutions can benefit from reviewing and validating their data collection and reporting processes to ensure they are accurately collecting and reporting HMDA data. Specific issues and questions about HMDA requirements should be raised with your primary regulator.

Top-Cited Regulation C Violations in 2024

In the three years for which CCO has published annual data for violations identified by Federal Reserve examiners, the most common violation identified by far has been institutions’ failure to properly collect and report the HMDA data fields for “covered loans” as §1003.4(a) of Regulation C requires. As noted in the CCO article “HMDA Data Collection and Reporting: Keys to an Effective Program,” by Allison Burns and Angelo Parker (Fourth Issue 2020), HMDA data collection and reporting can be challenging because HMDA reporters must collect multiple data fields, some of which have nuanced requirements. The CCO article “Top Federal Reserve Compliance Violations in 2022: Data Collection and Reporting Requirements of the Home Mortgage Disclosure Act,” by Kenneth Benton and Alinda Murphy (Second/Third Issue 2023), elaborated further on the specific challenges underlying several of these §1003.4(a) violations.

The following are the top 10 data fields underlying the §1003.4(a) violations the Federal Reserve System cited in 2024.

Subsection	Description
12 C.F.R. §1003.4(a)(10)	Ethnicity, race, sex, age, and gross annual income of the applicant or borrower
12 C.F.R. §1003.4(a)(9)	The property address or other information about the location of the property securing the covered loan
12 C.F.R. §1003.4(a)(8)	The action taken by the financial institution and the date of the action
12 C.F.R. §1003.4(a)(3)	Whether the covered loan or application is for a home purchase loan, a home improvement loan, a refinancing, a cash-out refinancing, or another purpose
12 C.F.R. §1003.4(a)(1)	A universal loan identifier and the date for the covered loan or application
12 C.F.R. §1003.4(a)(25)	The scheduled number of months after which the legal obligation will mature or terminate or would have matured or terminated
12 C.F.R. §1003.4(a)(23)	The ratio of the applicant’s or borrower’s total monthly debt to the total monthly income relied on in making the credit decision
12 C.F.R. §1003.4(a)(31)	The number of individual dwelling units related to the property securing, or proposed to secure, the covered loan
12 C.F.R. §1003.4(a)(7)	The amount of the covered loan or the amount applied for
12 C.F.R. §1003.4(a)(15)	The credit score or scores relied on in making the credit decision and the name and version of the scoring model used to generate each credit score

ENDNOTES

¹ See 12 C.F.R. §1003.2(e). A consumer-purpose, dwelling-secured closed-end mortgage loan or open-end line of credit is reported unless an exemption or exclusion in 12 C.F.R. §1003.3 applies. A commercial-purpose, dwelling-secured closed-end mortgage loan or open-end line of credit is reported only if it “is a home improvement loan under §1003.2(i), a home purchase loan under §1003.2(j), or a refinancing under §1003.2(p)” and no other exclusion applies. See 12 C.F.R. §1003.3(c)(10).

² See Revised Interagency Examination Procedures for the Home Mortgage Disclosure Act (2019) at p. 1.

³ 12 C.F.R. §1003.2(b)(1).

⁴  Comment 2(b)-1.

⁵ Comment 2(b)-2.

⁶ Comments 2(b)-1, -2, and -3.

⁷ 12 C.F.R. §1003.4(a)(1)(ii).

⁸ HMDA reporters eligible for the partial exemption in the Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA) are not required to report the ULI. See EGRRCPA, §104 (Pub. L. 115–174, 132 Stat. 1296 (May 24, 2018))(codified at 12 U.S.C. §2803(i)(1), (2)). This provision is implemented in Regulation C at 12 C.F.R. §1003.3(d)(1)(iii). Institutions eligible for the partial exemption must still report a non-universal loan identifier (NULI). The NULI must be composed of up to 22 characters to identify the covered loan or application and cannot include information that could be used to directly identify the applicant or borrower. See 12 C.F.R. §1003.3(d)(5).

⁹ 12 C.F.R. §1003.4(a)(1)(i)(A)–(C).

¹⁰ Comment 4(a)(3)-3.

¹¹ 12 C.F.R. §1003.2(p).

¹² Comment 4(a)(3)-2.

¹³ 80 FR 66128 (October 28, 2015).

¹⁴ 83 FR 45325 (September 7, 2018).

¹⁵ 85 FR 28364 (May 12, 2020), vacated in part by National Community Reinvestment Coalition v. Consumer Financial Protection Bureau, No. 20-cv-2074, 2022 WL 4447293 (D.D.C. September 23, 2022).

¹⁶ See Consumer Affairs letter 23-1, “Changes to Home Mortgage Disclosure Act (HMDA) Loan Volume Reporting Threshold for Closed-End Mortgage Loans” (January 31, 2023); 87 FR 77980 (December 21, 2022).