In July of this year, Fannie Mae announced an update to the Agency’s Seller and Servicer Guidelines to include requirements that mortgage loan sellers and servicers comply with state address confidentiality programs (ADCONs), and to enter coding for borrowers who identify themselves as participants in such programs (SEL-2022-06; SVC-2022-05). Fannie Mae’s announcement followed a similar announcement by Freddie Mac in December 2021 (Bulletin 2021-29).

What are ADCONs, and what do banks, lenders, and servicers need to know about them?

ADCONs are state-sponsored programs designed to protect certain crime victims “participants”) by keeping participants’ home, work, and/or school addresses (“shielded information”) confidential. All states and the District of Columbia have some form of ADCON law, except for Alaska, Utah, South Carolina, South Dakota, and Wyoming. There are a variety of types of ADCONs, but all programs operate by providing a participant with an alternative address (a “designated address”) to use in place of the participant’s physical home address (or “actual address”). Each ADCON has a state-level administrator who processes applications to participate in the ADCON, forwards mail received at the designated address, and accepts service of process for participants.

As originally promulgated, ADCON obligations applied only to government agencies such as state DMVs or county registrars. In recent years, however, 21 states have enacted ADCONs that explicitly extend these obligations to private entities. Five states require private entities such as financial services companies to use the designated address in correspondence, and to not disclose the participant’s shielded information. These five mandatory states are Indiana, Iowa, Maryland, Minnesota, and Wisconsin. Two other states, Michigan and Ohio, prohibit financial services companies from disclosing the shielded information of employees who are participants. In other states, financial services companies are prohibited from obtaining an individual’s actual address if the company is aware the individual is a participant.

Even if an ADCON law does not explicitly require private companies to comply, all state administrators encourage voluntary compliance by private companies. See, for example, the Montana Safe at Home training video for private businesses (note that various states refer to ADCONs as “Safe at Home” programs).

What do Fannie Mae and Freddie Mac want sellers and servicers to do?

First, the agencies want sellers and servicers to notify them if a borrower is a participant. That means sellers and servicers must enter a unique code for existing loans and future transferred loans, flagging the borrower as an ADCON participant. Freddie Mac also requires sellers to inform it of the designated address for participants.

Second, Fannie Mae also wants sellers and servicers to comply with the state laws. This means that servicers should send borrower statements and other correspondence to the designated address; not disclose the actual address without a participant’s specific consent; and, where applicable, not seek the actual address from public records for known participants. Notably, even though the agencies’ announcements brought ADCON laws to the surface, these obligations existed prior to the agencies’ announcements.

The deadline for Fannie Mae compliance was September 21, 2022, and the deadline for Freddie Mac compliance was December 1, 2021.

How can financial services companies comply with ADCONs?

Most financial institutions and servicers face two basic challenges regarding ADCON compliance. First, they may not have processes in place to flag participants in account opening or loan onboarding and, as a result, they may not know about existing participant accounts currently in their portfolio. Second, in loan origination and account opening, they may not have processes, policies, and procedures in place to identify participants and handle participants’ accounts once they are opened. This same problem may exist for active loan servicing.