Privacy Act of 1974; System of Records

AGENCY:

Office of the Assistant Secretary for Housing—Federal Housing Commissioner, HUD.

ACTION:

Notice of a modified system of records.

SUMMARY:

Home Equity Conversion Mortgage loan servicing is provided by the Home Equity Reverse Mortgage Information Technology (HERMIT). Under the Privacy Act of 1974, as amended, the Department of the Housing and Urban Development (HUD) is issuing a public notice of its intent to modify the Deputy Assistant Secretary for Finance and Budget, Federal Housing Administration, Office Systems and Technology, Office of Housing Privacy Act system of records, Home Equity Reverse Mortgage Information Technology (HERMIT), this system of records is being revised to make clarifying changes within system of records, system location, system manager, authority for maintenance of the system, purpose of the system, categories of individuals covered by the system, categories of records in the system, records source categories, routine uses of records maintained in the system, retrieval of records, retention and deposal of records, records access, contesting of records, and notification sections.

DATES:

This notice action shall be applicable immediately, which will become effective December 20, 2021.

Comments will be accepted on or before: December 20, 2021.

ADDRESSES:

You may submit comments, identified by docket number by one method:

Federal e-Rulemaking Portal: http://www.regulations.gov. Follow the instructions provided on that site to submit comments electronically;

Fax: 202-619-8365;

Email: www.privacy@hud.gov;

Mail: Attention: Privacy Office; LaDonne White, Chief Privacy Officer; The Executive Secretariat; 451 Seventh Street SW, Room 10139; Washington, DC 20410-0001.

Instructions: All submissions received must include the agency name and docket number for this rulemaking. All comments received will be posted without change to http://www.regulations.gov. including any personal information provided.

Docket: For access to the docket to read background documents or comments received go to http://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT:

LaDonne White, Chief Privacy Officer, 451 Seventh Street SW, Room 10139, Washington, DC 20410, telephone number 202-708-3559 (this is not a toll-free number).

SUPPLEMENTARY INFORMATION:

The Department of Housing and Urban Development (HUD), Office Systems and Technology, Office of Housing maintains the “Home Equity Reverse Mortgage Information Technology” system of records. HUD is publishing this revised notice to establish a new and modified routine use and to reflect updated information in the sections being revised. The modification of the system of records will have no undue impact on the privacy of individuals and updates follow the records collected.

The previous SORN updates include:

1. System Number: Updated to classify new system of records number designation to alignment with HUD's system of records inventory.

2. System Location: Replaced former locations with locations of where the system is maintained. HERMIT is maintained at: The business service providers, Reverse Market Insight, Inc. at these primary locations: 2101 Gaithersburg Road, Rockville MD 20850; and 4100 Smith School Road, Austin Texas 78744.

3. System Manager: Identified new system manager expected to operate under this system of records.

4. Authority for Maintenance of the System: Listed existing HUD authority and missing authority section that permits the collection of social security numbers: The Housing and Community Development Act of 1987 (42 U.S.C. 3543(a)); and The Debt Collection Act of 1982, Public Law 97-365.

5. Purpose of the System: Applied non-substantive changes to identify system functions with clarity and conciseness for public awareness.

6. Categories of Individuals Covered: Added existing system user groups and purpose the user group serves.

7. Categories of Records in the System: Removed “Loan Production HERMIT loan production records include personally identifiable information (PII) data pertaining to HECM Housing Counseling data: Full name of HECM housing counselor, HECM Certificate of Counseling, HECM counselor ID numbers, and borrowers' full names, property addresses, birthdates, Social Security numbers, and phone numbers.” These records were not collected and determined not needed for HERMIT's business process. These records instead were incorporated under the HUD loan underwriting and origination process.

8. Records Source Categories: Updated to cover all record sources for system programs.

9. Routine Use of Records in System:

(a) Added new routine uses to facilitate data sharing to support agency dispute resolution process between HUD and General Service Administration.

(b) Updated routine use for breach remediation efforts to extend agency data sharing when relevant for breach remediation efforts to appropriate agencies.

(c) Removed routine use “To housing counselors to comply with new HECM housing counseling policies to include training and certification”, these records were determined not needed for HERMIT business process.

(d) Reorganized routine uses and incorporated HUD's 2015 blanket routine uses publication as part of this system of records.

10. Records Retention and Disposition: Updated to describe retention and disposal requirements.

11. Policy and Practice for Retrieval of Records: Updated to include minor changes and format.

12. Records Access, Contesting, and Notification Procedures: Updated to include Federal requirements and HUD office to which the individuals' request should be directed.

SYSTEM NAME AND NUMBER:

Home Equity Reverse Mortgage Information Technology (HERMIT), HOU-31.

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

The systems are hosted by the business service providers, Reverse Market Insight, Inc. at these primary locations: 2101 Gaithersburg Road, Rockville MD 20850; and 4100 Smith School Road, Austin Texas 78744.

SYSTEM MANAGER(S):

Juanita Johnson, System Manager, Office of Systems and Technology, 451 Seventh Street SW, Room 2242, Washington, DC 20410, telephone number (202) 402-5348.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Section 255 of the National Housing Act of 1934 (12 U.S.C. 1715z-20) covers the Federal Housing Administration (FHA) reverse mortgage program for the elderly, the Home Equity Conversion Mortgage (HECM) program. The Housing and Community Development Act of 1987 (42 U.S.C. 3543(a)) and the Debt Collection Act of 1982, Public Law 97-365.

PURPOSES OF THE SYSTEM:

HERMIT is a conversion mortgage loan servicing technology, operated by Federal Housing Administration (FHA) for Home Equity Conversion Mortgage (HECM) Programs including insurance Endorsed loans and Secretary-held Assigned Notes. HECM Program personnel operate HERMIT to collect, store, present, and deliver core reverse mortgage data, including all borrower and loan characteristics required to manage HECM Program obligations and performance such as loan setup, servicing actions, compliance monitoring, default management, asset sale transfers, claims processing, payment reporting's, and lender portfolio management. Records collected are utilized to analyze and assess the health of the program, its impact on FHA operations, and program participants compliance with specific Federal requirements.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

HECM mortgagors (homeowners) including borrower, co-borrower, and non-borrowing spouse; FHA-approved HECM business partners including mortgagee (lender) originators, servicers, and investors; and HECM personnel for Home Equity Conversion Mortgages insured under HUD's HECM mortgage insurance program.

CATEGORIES OF RECORDS IN THE SYSTEM:

Categories of records in HERMIT include:

System Users: Full name (first, middle, last), telephone number, email address, user id, user passcode, lender id.

Borrowers (Mortgagors): Full names (first, middle, last), property address, social security numbers (SSNs), driver license, telephone number, email address, marital status, gender, birth, and death dates including death notification details; financial account information including bank accounts and routing numbers, debits and credits to HUD accounts based on transaction events; and details about the mortgage loan, including loan application and appraisal documents.

Non-Borrower Spouses: Full name (first, middle, last), SSN, date of birth; and details about the mortgage loan including loan application documentation.

FHA-approved HECM business partners: (mortgagees/investors): Full name (first, middle, last), SSN, tax identification number (TIN), lender id; organization name; and banking information (institutional information, routings account numbers, and account types); telephone number, fax number, email address, and FHA Case Number (For HECM loans reported to HUD, the FHA case number represents the lender requested case number).

Borrowers' property inspections: Full name (first, middle, last), SSN; property inspections; property address, annual occupancy certification and recording of assigned notes.

Borrowers' claims information: Full name (first, middle, last), property address, SSN, driver license, email address, date and death dates, gender, marital status; assisted living and healthcare details; disposition information including deed-in-lieu, short sale, foreclosure, and appraisal claim; property protection and preservation details; loan application and payment details; financial account information including bank accounts and routing numbers, debits and credits to HUD accounts based on transaction events.

Borrowers of Investors (Purchasers) asset sales information: Full name (first, middle, last), property address, SSN, birth, and death dates) and loan balance details

Borrowers' death indications: Full name (first, middle, last), social security number, date of birth, and date of death.

RECORD SOURCE CATEGORIES:

Records in this system are provided on behalf of the borrowers (mortgagors) from individuals (FHA HECM approved mortgagee and Business Service Provider) and HUD personnel.

Existing HUD information systems: F17/Computerized Homes Underwriting Management System (CHUMS), A80S/Single Family Acquired Asset Management; Single Family Asset Sales by Secure File Transfer Protocol, P269/Reporting and Feedback System. Information is also shared with Federal information systems Social Security Administration Death Master File (DMF), and U.S. Department of Treasury's Pay.gov and Secure Payment System.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

Besides those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, all or a portion of the records or information in this system may be disclosed outside of HUD as a routine use under 5 U.S.C. 552a(b)(3):

General Service Administration Information Disclosure Routine Use:

(a) To the National Archives and Records Administration (NARA) and the General Services Administration (GSA) for records having sufficient historical or other value to warrant its continued preservation by the United States Government, or for inspection under authority of Title 44, Chapter 29, of the United States Code.

(a) To the National Archives and Records Administration, Office of Government Information Services (OGIS), to the extent to fulfill its responsibilities in 5 U.S.C. 552(h), to review administrative agency policies, procedures, and compliance with the Freedom of Information Act (FOIA), and to facilitate OGIS's offering of mediation service to resolve disputes between persons making FOIA requests and administrative agencies.

(2) Congressional Inquiries Disclosure Routine Use:

To a congressional office from the record of an individual, in response to an inquiry from the congressional office made at the request of that individual.

(3) Health and Safety Prevention Disclosure Routine Use:

To appropriate Federal, State, and local governments, or persons, under showing compelling circumstances affecting the health or safety or vital interest of an individual or data subject, including assisting such agencies or organizations in preventing the exposure to or transmission of a communicable or quarantinable disease, or to combat other significant public health threats, if upon such disclosure appropriate notice was transmitted to the last known address of such individual to identify the health threat or risk.

(4) Prevention of Fraud, Waste, and Abuse Disclosure Routine Use:

To Federal agencies, non-Federal entities, their employees, and agents (including contractors, their agents or employees; employees or contractors of the agents or designated agents); or contractors, their employees or agents with whom HUD has a contract, service agreement, grant, cooperative agreement, or computer matching agreement for: (1) Detection, prevention, and recovery of improper payments; (2) detection and prevention of fraud, waste, and abuse in major Federal programs administered by a Federal agency or non-Federal entity; (3) detection of fraud, waste, and abuse by individuals in their operations and programs, but only if the information shared is necessary and relevant to verify pre-award and prepayment requirements before the release of Federal funds, prevent and recover improper payments for services rendered under programs of HUD or of those Federal agencies and non-Federal entities to which HUD provides information under this routine use.

(5) Research and Statistical Analysis Disclosure Routine Uses:

(a) To contractors, grantees, experts, consultants, Federal agencies, and non-Federal entities, including, but not limited to, State and local governments and other research institutions or their parties, and entities and their agents with whom HUD has a contract, service agreement, grant, or cooperative agreement, when necessary to accomplish an agency function, related to a system of records, for statistical analysis and research supporting program operations, management, performance monitoring, evaluation, risk management, and policy development, or to otherwise support the Department's mission. Records under this routine use may not be used in whole or in part to make decisions that affect the rights, benefits, or privileges of specific individuals. The results of the matched information may not be disclosed in identifiable form.

(b) To a recipient who has provided the agency with advance, adequate written assurance that the record provided from the system of records will be used solely for statistical research or reporting purposes. Records under this condition will be disclosed or transferred in a form that does not identify an individual.

(6) Information Sharing Environment Disclosure Routine Uses:

(a) To contractors, grantees, experts, consultants and their agents, or others performing or working under a contract, service, grant, or cooperative agreement with HUD, when necessary to accomplish an agency function related to a system of records. Disclosure requirements are limited to only those data elements considered relevant to accomplishing an agency function. Individuals provided information under these routine use conditions are subject to Privacy Act requirements and disclosure limitations imposed on the Department.

(b) To FHA-approved HECM servicing mortgagees to give notice of miscalculations or other errors in subsidy computation, to pay claims, or for compliance or other servicing-related functions.

(c) To taxing authorities, insurance companies, homeowners' associations, or condominium associations for maintaining the property while HUD is the servicer of record to ensure property taxes, insurance payments, and/or homeowners/condominium association fees are current.

(d) To the U.S. Department of the Treasury for collection and disbursement transactions ( Pay.gov, Automated Clearing House (ACH), Secure Payment System (SPS)).

(e) To title insurance companies or financial institutions to allow HUD to respond to inquiries for payoff figures on HECM assigned loans.

(f) To recorders' offices for recording legal documents and responses to bankruptcy courts or other legal responses required during the servicing of the insured loan to allow HUD to release mortgage liens, respond to bankruptcies or deaths of mortgagors to protect the interest of the Secretary of HUD.

(g) To the Federal Bureau of Investigation to investigate possible fraud revealed while servicing efforts to allow HUD to protect the interests of the Secretary of HUD.

(h) To an Administrative Law Judge and to the interested parties to the extent necessary for conducting administrative proceedings where HUD is a party.

(i) To welfare agencies for fraud investigation to allow HUD to respond to state government inquiries when a HECM mortgagor is committed to a nursing home.

(j) To requestors, as required by the FOIA, records that have been frequently requested” and disclosed under the FOIA within the meaning of that Act, as determined by the HUD, are provided to the public for routine inspection and copying.

(7) Data Testing for Technology Implementation Disclosure Routine Use:

To contractors, experts and consultants with whom HUD has a contract, service agreement, or other assignment of the Department, when necessary to utilize data to test new technology and systems designed to enhance program operations and performance.

(8) Data Breach Remediation Purposes Routine Use:

To appropriate agencies, entities, and persons when:

To another Federal agency or Federal entity, when HUD determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

To appropriate agencies, entities, and persons when (1) HUD suspects or has confirmed there has breached the system of records, (2) the HUD has determined that because of the suspected or confirmed breach there is a risk of harm to individuals, the HUD (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist with the HUD's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

(9) Disclosures for Law Enforcement Investigations Routine Uses:

(a) To appropriate Federal, State, local, tribal, or governmental agencies or multilateral governmental organizations responsible for investigating or prosecuting the violations of, or for enforcing or implementing, a statute, rule, regulation, order, or license, where HUD determines that the information would help to enforce civil or criminal laws.

(b) To third parties during a law enforcement investigation, to the extent to obtain information pertinent to the investigation, disclosed such information is appropriate to the proper performance of the official duties of the officer making the disclosure.

(10) Court or Law Enforcement Proceedings Disclosure Routine Uses:

(a) To a court, magistrate, administrative tribunal, or arbitrator while presenting evidence, including disclosures to opposing counsel or witnesses in civil discovery, litigation, mediation, or settlement negotiations; or in connection with criminal law proceedings; or in response to a subpoena or to a prosecution request when such records to be released are specifically approved by a court provided order.

(b) To appropriate Federal, State, local, tribal, or governmental agencies or multilateral governmental organizations responsible for investigating or prosecuting the violations of, or for enforcing or implementing, a statute, rule, regulation, order, or license, where HUD determines that the information would help to enforce civil or criminal laws.

(c) To third parties during a law enforcement investigation to the extent to obtain information pertinent to the investigation, provided disclosure is appropriate to the proper performance of the official duties of the officer making the disclosure.

(d) To another agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity if the activity is authorized by law, and if the head of the agency or instrumentality has made a written request to the agency that maintains the record, specifying the portion desired and the law enforcement activity for which the record is sought.

(11) Department of Justice for Litigation Disclosure Routine Use:

To the Department of Justice (DOJ) when seeking legal advice for a HUD initiative or in response to DOJ's request for the Start Printed Page 81840information, after either HUD or DOJ determine that such information relates to DOJ's representatives of the United States or any other components in legal proceedings before a court or adjudicative body, provided that, in each case, the agency also determines before disclosure that disclosure of the records to DOJ is a use of the information in the records compatible with the purpose for which HUD collected the records. HUD on its own may disclose records in this system of records in legal proceedings before a court or administrative body after determining that disclosing the records to the court or administrative body is a use of the information in the records compatible with the purpose for which HUD collected the records.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

Paper and Electronic.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Records are retrieved by name, Social Security Number, Tax Identification Number, FHA case number, location and contact information (home address, telephone number, personal email address).

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

The policies and practices for retention and disposal of records includes:

GRS 5.2, item 20, Collections, Disbursements, Servicing, and Asset management records. This schedule covers records created by FHA and its approved business partners to administer HECM Program loans granted, serviced, assigned, or claims related submission. Destroy upon verification of successful creation of the final document or file, or when no longer needed for business use, whichever is later.

GRS 1.1, item 010, HECM Premiums, Notes, and Claims Records. This schedule covers records created by FHA and its approved business partners to perform financial management responsibilities. Destroy 6 years after final payment or cancellation, but longer retention is authorized if required for business use.

GRS 3.2, item 031, Correspondence, Emails, Non-financial Transactions, and Reports. This schedule supports user account management and administration. Destroy 6 years after password is altered or user account is terminated, but longer retention is authorized if required for business use.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

FHA ensures the protection of program participants' PII and mortgagee business sensitive information by ensuring HERMIT's compliance with Federal requirements and HUD's security and privacy standards.

Administrative Controls: Data backups secured off-site; access granted only to authorized personnel; periodic security audits; regular monitoring of users' security practices. HUD access is safeguarded according to rules and policies, including all applicable automated processes according to security and privacy safeguard policies.

Physical Controls: Key card, controlled access, security guards, and identification badges and secure data physical methods are used to ensure only authorized users have access to PII; Periodic security audits, regular monitoring of system users' behavior are conducted; Primary and recovery facilities control physical access to information system output devices to prevent unauthorized individuals from obtaining the output.

Technical Controls: Biometrics, firewalls, role-based access controls, virtual private network, use of privileged (Elevated Roles), external certificate authority certificates, PIV cards and intrusion detection system. The system sends and receives data through HUD Security File Transfer Protocol (SFTP), which encrypts the data. SSNs are encrypted during transmission to protect session information and at rest. System incorporates least privilege access, user identification and passwords.

RECORD ACCESS PROCEDURES:

Individuals seeking to determine whether this System of Records contains information on themselves should address written inquiries to the Department of Housing Urban and Development 451 7th Street, SW Washington, DC, 20410-0001. For verification, individuals should provide full name, current address, and telephone number. In addition, the requester must provide either a notarized statement or an unsworn declaration made under 28 U.S.C. 1746, in the following format:

If executed outside the United States: “I declare (or certify, verify, or state) under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on (Date). (Signature)

If executed within the United States, its territories, possessions, or commonwealths: “I declare (or certify, verify, or state) under penalty of perjury that the foregoing is true and correct. Executed on (Date). (Signature).”

CONTESTING RECORD PROCEDURES:

The HUD rule for accessing, contesting, and appealing agency determinations by the individual concerned are published in 24 CFR part 16 or may be obtained from the system manager.

NOTIFICATION PROCEDURES:

Individuals seeking to determine whether information about themselves is contained in this system should address written inquiries to the Department of Housing Urban Development Office of Systems and Technology, 451 7th street SW, Washington, DC 20410-0001. For verification, individuals should provide full name, office or organization where assigned, if applicable, and current address and telephone number. In addition, the requester must provide either a notarized statement or an unsworn declaration made under 28 U.S.C. 1746, in the following format:

If eLadoxecuted outside the United States: “I declare (or certify, verify, or state) under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. executed on (Date). (Signature).”

If executed within the United States, its territories, possessions, or commonwealths: “I declare (or certify, verify, or state) under penalty of perjury that the foregoing is true and correct. executed on (Date). (Signature).”

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

The SORN History includes HSNG/HWAT.01:

• 81 FR-33690 (May 27, 2016)
• 77 FR-61620 (October 10, 2012)