12 CFR § 1008.305 - Data security.

---
identifier: "/us/cfr/t12/s1008.305"
source: "ecfr"
legal_status: "authoritative_unofficial"
title: "12 CFR § 1008.305 - Data security."
title_number: 12
title_name: "Banks and Banking"
section_number: "1008.305"
section_name: "Data security."
chapter_name: "CONSUMER FINANCIAL PROTECTION BUREAU"
part_number: "1008"
part_name: "S.A.F.E. MORTGAGE LICENSING ACT—STATE COMPLIANCE AND BUREAU REGISTRATION SYSTEM (REGULATION H)"
positive_law: false
currency: "2026-04-05"
last_updated: "2026-04-05"
format_version: "1.1.0"
generator: "[email protected]"
authority: "12 U.S.C. 5101-5116; Pub. L. 111-203, 124 Stat. 1376."
regulatory_source: "76 FR 78487, Dec. 19, 2011, unless otherwise noted."
cfr_part: "1008"
---

# 1008.305 Data security.

(a) To the extent that CSBS, AARMR, or their successors maintain the NMLSR, CSBS, AARMR, and their successors, as applicable, must complete a background check on their employees, contractors, or other persons who have access to loan originators' Social Security Numbers, fingerprints, or any credit reports collected by the system.

(b) To the extent that CSBS, AARMR, or their successors maintain the NMLSR, CSBS, AARMR, and their successors as applicable, must keep and adhere to an appropriate information security and privacy policy. If the NMLSR forms a reasonable belief that a security breach has occurred, it shall notify affected parties, as soon as practicable, including the Bureau, any loan originator or registrant whose data may have been compromised, and the employer of the loan originator or registrant, if such employer is also licensed through the system.