Federal Housing Finance Agency (FHFA) Director Bill Pulte’s criminal referrals against Federal Reserve Governor Lisa Cook over alleged occupancy fraud — shared publicly on social media — have pushed mortgage data privacy into the spotlight.
The case also underscores how Fannie Mae and Freddie Mac operate in a regulatory “gray area” when it comes to using and sharing mortgage information, according to attorneys.
Pulte alleges that Cook signed documents in 2021 listing more than one property as her primary residence. Cook has denied wrongdoing and filed suit against President Trump. The U.S. Department of Justice (DOJ) began examining the matter on Sept. 4 to determine whether she misrepresented the occupancy of three homes.
A central question is how Cook’s information reached FHFA investigators in the first place — an issue likely to surface as the case moves forward in court. If her loans were purchased by the government-sponsored enterprises (GSEs), they would have been subject to quality control processes such as random sampling and red-flag audits, where fraud must be reported even in post-closing reviews.
But new fraud-detection tools have also been developed under Pulte, who created a tip line. Fannie Mae, meanwhile, has launched an AI-powered crime detection unit and partnered with Palantir Technologies, founded by Peter Thiel, to identify fraud in seconds.
“Certainly, part of the defense in a criminal case would be that Cook was improperly targeted for investigation, but that’s a tough defense to succeed with,” said Benjamin Klubes, former acting general counsel at the Department of Housing and Urban Development (HUD) and founder of Klubes Law Group. “It certainly will be a topic of effort by defense counsel to probe. Ultimately, how successful they’ll be — that’s a little bit hard to tell.”
In an interview with CNBC, Pulte said he would not explain “sources and methods, where we get tips from, who our whistleblowers are.” A spokesperson for the FHFA hasn’t responded to HousingWire’s request for comment.
Legal experts say it is unusual — and potentially problematic — to publicly disclose the referral letters and details about her loans. The letters included details such as loan amounts, part of the home address and ZIP codes. While physical addresses were redacted, these remaining data points can still be highly re-identifiable, especially when combined with outside information.
Typically, law enforcement avoids releasing such information to protect investigations and prevent reputational harm, especially when allegations may not result in charges.
Public versus private
Some mortgage information is inherently public. Records such as deeds of trust or mortgages filed with county clerks typically disclose the borrower’s and lender’s names, property address, loan amount, refinancing activity and payoff status. Foreclosures, tax details and homestead exemptions are also available through public filings.
To detect occupancy fraud, these records can be cross-checked with other sources, including voter registration, vehicle registrations, professional licenses, social media activity, rental listings, utility usage or even commuting distances between a borrower’s home and workplace.
But “the vast majority of mortgage information is pretty much private,” said Ron Gapp, founding partner at Brody Gapp LLP. Also, information obtained after origination — such as through quality control reviews, post-closing audit or internal assessments — is generally not accessible to the public, he added.
James Brody, the firm’s managing partner and founder, noted that agencies such as Fannie Mae, Freddie Mac and FHFA serve as stewards of a vast amount of borrower data, which they use for risk management and oversight. “What they can’t do is selectively release it into the public domain,” he said.
Fannie and Freddie operate in a gray area
What Fannie Mae and Freddie Mac can share remains a gray area.
“It’s not an easy, simple idea about what’s public and not public relating to land ownership or mortgages, because there’s no federal standard for this,” said James Shreve, a partner at Troutman Pepper specializing in data privacy, noting that some jurisdictions still list Social Security numbers in filings.
Two federal laws are most relevant. The Gramm-Leach-Bliley Act of 1999 restricts financial institutions from sharing nonpublic personal information but allows exceptions for information considered publicly available — a definition that’s not always clear. The Privacy Act of 1974 limits federal agencies’ disclosure of consumer financial data but may not cover the GSEs themselves, though their regulator, FHFA, is bound by it.
“Fannie and Freddie operate in a bit of a gray area, because usually there are privacy laws that apply to government entities and to private entities — and Fannie and Freddie are kind of between,” Shreve said.
What’s clear is that the GSEs are subject to the Gramm-Leach-Bliley Act, while their quasi-governmental status leaves them in a “halfway house” between public and private entities, said Gapp.
In addition, the Right to Financial Privacy Act (RFPA) of 1978, which significantly limits when financial institutions may provide customers’ financial records to a government authority, defines financial institutions narrowly — banks, credit card issuers, trust companies — categories that don’t clearly include Fannie or Freddie. Attorneys compared their role to that of a credit bureau: central to the lending process but not direct lenders, making it questionable whether the act applies.
The Office of the Comptroller of the Currency (OCC) recently sent an alert to financial institutions to ensure compliance with the RFPA before disclosing customers’ financial records.
Privacy in the social media era
The 1978 RFPA generally bars disclosure of protected records without the individual’s consent, though it allows exceptions for requests from Congress, other agencies, the Comptroller General or a court order. Agencies must log disclosures and maintain employee codes of conduct, training and penalties to prevent misuse.
Social media complicates compliance. Agencies face pressure to respond quickly online, which can lead to “knee-jerk” disclosures that bypass required procedures.
Gapp said that public figures are not treated differently by the rules: “a consumer is a consumer.” The key question is always the source of the information. Publicly available data — such as those found through a Google search — may be fair game, but private mortgage records are not.
According to Gapp, the mortgage industry depends on borrowers “knowing their personal financial information will be only used for legitimate business and regulatory purposes.”
“Basically, if that trust is undermined, it impacts not just one borrower, but the confidence of the whole system,” he added.