In translating the JOBS Act into final regulations, the SEC sought to protect investors in myriads ways: limiting certain opportunities to accredited investors, implementing caps on the annual amount certain investors may invest, and requiring certain disclosures, among other things. Understandably, the bulk of crowdfunding regulations seek to protect investors and are aimed at fraud and other investment-related concerns. With regard to privacy concerns, the JOBS Act provides only that crowdfunding platforms “take such steps to protect the privacy of information collected from investors as the Commission shall, by rule, determine appropriate”. Aside from this, the JOBS Act and its ensuing regulations do not specifically address privacy concerns, and to the extent they do, they are investor and not sponsor centric. Instead, crowdfunding platforms must look to other statutes for guidance on how to best protect both their borrowers and investors.
It seems obvious enough that private information should not be shared online. While conceptually related, “privacy” relates to information that is and is not disclosed (and when such information may be disclosed) and “information security” refers to ways information is stored and protected. Though the bulk of media coverage on the topic revolves around information security breaches at major companies (even though small companies are targets), privacy is just as important.
Laws Governing the Disclosure of Sponsor or Borrower Credit Data
Crowdfunding platforms, including those that focus on marketplace lending, must be conscientious in the disclosure of an individual’s (a guarantor in the case of a debt offering or sponsor in the case of an equity offering) credit information or FICO score. In this context, the use (and disclosure) of consumer credit data is governed at the federal level primarily by the Fair Credit Reporting Act and Gramm-Leach-Bliley Act of 1999.
Fair Credit Reporting Act (“FCRA”)
The FCRA not only mandates that consumer credit data be kept private, it also prescribes that online lenders implement policies and procedures designed to prevent and mitigate the effects of identity theft (typically known as a “Red Flags Program”).
Gramm-Leach Bliley Act (“GLBA”)
The GLBA regulates financial institutions and their collection, use and storage of non-public personal information (“NPI”). The GLBA includes the Financial Privacy Rule, which is implemented through Regulation P and which sets forth notice and disclosure requirements, as well as the Safeguards Rule, which requires the creation of a Safeguards Program to protect the storage of NPI.
The GLBA governs financial institutions, which it defines as entities that are significantly engaged in financial activities, such as entering into financing transactions with consumers or taking assignment of financing agreements. Even platforms that operate solely as commercial loan originators and/or servicers may be subject to aspects of the GLBA to the extent that transactions involve individuals (e.g. personal guarantors) who may be viewed as consumers under the GLBA.
Disclosure of individual credit data for crowdfunding platforms is generally not permissible unless the identity of the individual has been sufficiently anonymized. If credit data is disclosed alongside information that could lead to the identity of an individual, that individual’s credit data cannot be disclosed on a platform.
Platforms that require personal guarantees of the individuals that own businesses or real estate development projects need to be particularly sensitive to this issue. The guarantors of investment properties funded by these websites are put at risk due to the information trail that leads back to their personal identity, even if the an individual’s name isn’t associated with a loan on the crowdfunding website.
Regulatory and contractual hurdles
Two hurdles, regulatory and contractual, need to be overcome before a crowdfunding platform may post individual credit scores.
Regulatory compliance must first be squared away with a platform’s legal team. Platforms must ensure that their reporting practices are lawful. The GLBA governs the permissibility of public releases of consumer credit information by financial institutions – including crowdfunding platforms. Underscoring the GLBA is a strong public policy in favor of protecting the personal information of consumers. Section 501(a) states that “each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.” In addition to the GLBA, crowdfunding platforms must also be compliant with state privacy laws and identity theft laws, including the Red Flag monitoring prescribed by the FCRA.
If a platform is able to meet regulatory requirements, contractual requirements present an additional hurdle. With a few exceptions, the three major credit bureaus have been reluctant to allow the disclosure of FICO scores on crowdfunding platforms. In most cases, the credit bureaus have no knowledge that a platform publishes or intends to publish the FICO score online. Further, credit scores are constantly in flux and may vary across credit bureaus. That’s why some platforms that currently do have permission to disclose credit data publish a credit score range instead of a static credit score.
Application in the Consumer Lending Context
Early on, Prosper and Lending Club posted a plethora of information about their borrowers, including name, loan purpose, and even the phone number of the borrower. As these two consumer marketplace lending platforms have matured over nearly a decade, both have largely standardized the data made available to investors and have sufficiently anonymized the identities of their borrowers. For example, although Prosper publishes borrower FICO scores, they only publish information pertaining to the identity of the borrower regarding location (at the state level), employment status, income range, and occupation. These pieces of information are sufficiently broad such that the viewer would not be able to pin down the specific identity of this borrower.
For example, see the image below: you nor I would be able to identify the specific identity of a borrower from California who has been employed for two years in the retail industry and makes $25,000-$49,999 annually—there are potentially thousands or tens of thousands of people in California who fit this exact profile.
Application in the Small Business Loan Context
Disclosure of credit data in the context of business loans presents additional complexity. Here, the subject individual is not the borrower (an entity), but more likely a guarantor that owns the company, either wholly or partially. In the U.S., certain business information is public record, often with the Secretary of State where that business is incorporated. Thus, marketplace lenders that make business loans must make a decision as to whether they prefer to disclose the actual business name or its guarantor’s credit information. Disclosure of both does not sufficiently anonymize the guarantor’s identity because any person could use the business name to search business records on that state’s Secretary of State website. They could then request information as to authorized signatories–often the owner of the business—who would most likely be the guarantor of the loan.
Funding Circle, for example, made the choice of displaying a guarantor’s credit score instead of disclosing the borrower’s business name. They choose to disclose the state of the business, years of operation, NAICS code, industry, state of incorporation, number of employees, and a short description of the business. As is the case with Prosper’s listings, a state is a wide enough geographical area so as to make identification of the individual business all but impossible from the available information.
Disclosure of credit data for real estate loans
It is also unlikely that real estate marketplace lenders may be permitted to disclose the credit data of their guarantors. In the United States, real estate ownership information is public record. If a platform discloses the borrower’s name, the analysis is the same as described in the section above. Even if the borrower’s name is not disclosed — assuming that a platform only discloses the property address and guarantor’s credit information — someone could easily check publish records to find information leading to the identity of the guarantor or borrower’s owners. Thus, when a real estate lending platform discloses both a property address and guarantor’s credit score, it indirectly publishes the identity of the individual tied to that credit score on the internet for anyone to see.
Imagine being that borrower—now your friends, dates, business partners, employers, and even complete strangers can simply take certain pieces of information and, through Google, come to know your credit score at a certain moment in time. Private, personal information has become public, creating potential embarrassment and emotional distress as well as possible legal liability for the platform who exposed the information.
Platform Maturity from a Privacy Perspective
We predict that over the coming years, as platforms mature and gain greater understanding of key laws and regulations affecting nuances of their business, this practice will subside and platforms will increasingly adopt an eye towards privacy. If they do not, platforms will increasingly subject themselves to a high amount of legal and reputational risk stemming not just from borrower lawsuits, but also investors, shareholders, the Federal Trade Commission, and the credit reporting bureaus.
Crowdfunding platforms can still protect their borrowers and guarantors while continuing to provide investors enough information to make informed investment decisions. The younger crowdfunding and marketplace lending companies will, we predict, mature in all aspects of their compliance and operations by leaps and bounds over the next few years. In the meantime, crowdfunding platforms must be cognizant of the fact that the online world is vast and increasingly so. Each piece of information shared could cause a domino effect, leading to potential violations of privacy laws and opening the door to serious legal liability.
In light of this, crowdfunding and marketplace lending platforms must be conscientious about the type of personal or financial information they disclose. Depending on the particular measures employed to protect the individual’s identity, the website may end up publishing very sensitive information in violation of strong public policies in favor of identity protection. Each platform must carefully evaluate the risks associated with privacy rights and balance protection of an individual’s credit information with the need to offer investors enough information to evaluate risk. This is not only necessary to remain within the law and avoid breaching contracts, it is also the right thing to do if we truly want to give our borrowers the best experience possible.
Amy Wan, Esq., CIPP/US is Principal at The Law Office of Amy Wan, Esq., where she advises on startup and crowdfunding law. Formerly, she was General Counsel at Patch of Land, a real estate marketplace lending platform. While there, Amy pioneered the industry’s first payment dependent note that is secured pursuant to an indenture trustee and designed to be bankruptcy remote, and advised the company on its $20.4M Series A funding round. She was recognized as a Finalist for the Corporate Counsel of the Year Award 2015 by LA Business Journal. Amy also brings extensive experience in legal innovation and rethinking the delivery of legal services. She is the founder and co-organized of Legal Hackers LA, and was named one of the one of ten women to watch in legal technology by the American Bar Association Journal in 2014. Prior to joining Patch of Land, Amy worked in enforcement and compliance at the U.S. Department of Commerce, where she represented the United States at the WTO and participated in free trade agreement negotiations on regulatory coherence and technical barriers to trade. Amy also spent time at the U.S. Department of State and U.S. Department of Transportation as a Presidential Management Fellow. She holds an LL.M. in Public International Law from the London School of Economics and Political Science, a JD from the University of Southern California Gould School of Law, and a BA in Biological Sciences from the University of Southern California.