In This Article
- The Regulatory Landscape in 2026
- Five Pillars of a Compliant IT Framework
- The Cost of Getting It Wrong
- Building the Evidence Trail Examiners Want
- Common Gaps That Trigger Findings
- NIST CSF 2.0 vs. CRI Profile vs. CIS Controls vs. CISA CPGs
- Why In-House IT Alone Isn't Enough
- A 90-Day IT Framework Hardening Plan
- Frequently Asked Questions
A single failed FFIEC examination costs the average mortgage company between $50,000 and $250,000 in remediation. That figure does not count the operational drag while your team scrambles to fix findings instead of closing loans. The FFIEC sunset its Cybersecurity Assessment Tool (CAT) on August 31, 2025, pushing lenders toward NIST CSF 2.0, the CRI Profile, and CIS Controls as the new baseline. If your IT framework has not caught up, examiners will notice.
Building a compliant IT framework is not about checking boxes on a spreadsheet once a year. It is about wiring compliance into the infrastructure so your systems stay audit-ready between examinations, not just during them. Most modern mortgage compliance obligations resolve to configuration inside Microsoft 365. Microsoft Entra ID is where examiners look for identity controls. Microsoft Purview is where they look for retention, audit, and data loss prevention evidence. The question is rarely whether the controls exist in your tenant. They do. The question is whether they are configured consistently, documented properly, and producing the kind of evidence an examiner will accept without a three-week scramble.
This guide breaks down what mortgage IT teams need to build, maintain, and prove to regulators in 2026, and how Access Business Technologies operates these Microsoft controls inside the M365 Guardian operating model for 750 plus financial institutions.
The Regulatory Landscape Mortgage Companies Face in 2026
Mortgage companies operate under overlapping federal and state regulations. The Dodd-Frank Act, RESPA, TILA, HMDA, and the Gramm-Leach-Bliley Act (GLBA) set the federal floor. State regulators add their own layers. The FTC Safeguards Rule, updated in 2023 and enforced aggressively since, requires specific technical controls that many lenders still have not fully implemented.
The biggest shift in 2025-2026 is the post-CAT compliance environment. The FFIEC retired the CAT and pointed institutions to industry-standard frameworks they can adopt based on size and risk profile:
- NIST Cybersecurity Framework 2.0 with its six core functions: Govern, Identify, Protect, Detect, Respond, Recover
- CRI Profile (formerly the FSSCC Cybersecurity Profile), maintained by the Cyber Risk Institute as a financial-sector overlay on NIST CSF that maps directly to FFIEC, OCC, FDIC, NCUA, and SEC requirements
- CISA Cybersecurity Performance Goals (CPGs) including sector-specific targets for financial services
- CIS Controls v8.1 providing prioritized technical safeguards ranked by implementation group
Fannie Mae's Information Security and Business Resiliency Supplement is now in force across every counterparty class. Sellers and servicers were bound August 12, 2025. Technology service providers were bound December 31, 2025. Document custodians joined the perimeter on April 1, 2026. Every counterparty must now maintain documented business continuity plans that specifically address cyber incidents, multi-factor authentication, least-privilege access, and a 36-hour incident reporting deadline to Fannie Mae after identifying any cybersecurity event. There is no remaining counterparty category that operates outside these requirements.
Five mortgage companies disclosed data breaches in early 2026 alone. Cornerstone First Mortgage reported SSN exposure from a 2023 breach only discovered in September 2025. Mortgage Educators and Compliance (MEC) found a rogue script siphoning credit card data through a hijacked Google Analytics account, with 24,000 individuals affected. Figure Technology Solutions lost 12,400 loan inquiry records to a phishing attack. These are not theoretical risks. They are happening to companies that assumed their frameworks were adequate.
For mortgage IT teams, this means the framework you built around the CAT five years ago is now outdated. Examiners expect to see alignment with one of the FFIEC-recognized frameworks, documented risk assessments, and evidence of continuous monitoring. A NIST CSF 2.0 readiness assessment maps where your current controls stand against the six core functions and produces a board-ready scorecard with prioritized remediation steps for credit unions, banks, and mortgage companies alike.
Five Pillars of a Compliant Mortgage IT Framework
A compliant IT framework for mortgage companies rests on five pillars. Skip one, and the whole structure wobbles during an exam. Three Microsoft platforms carry most of the technical load across all five: Microsoft Entra ID for identity and conditional access, Microsoft Purview for retention, audit, sensitivity labeling, and data loss prevention, and Microsoft Defender plus Microsoft Sentinel for threat detection and SIEM-grade incident timelines. The M365 Guardian operating model is how ABT configures, monitors, and documents that stack inside Mortgage Workspace tenants so every pillar produces evidence in the form examiners expect.
1. Identity and Access Management
Every compliance framework starts with controlling who can access what. For mortgage companies handling borrower PII, Social Security numbers, and financial records, weak access controls are the fastest path to a finding.
The technical requirements include:
- Multi-factor authentication (MFA) on all systems that touch borrower data, including your LOS, document management, and email
- Conditional Access policies that block legacy authentication protocols and enforce device compliance (see our 2026 Conditional Access policy guide for mortgage companies for the specific rules examiners look for)
- Role-based access control (RBAC) so loan officers see loan data, not payroll records
- Privileged access management for admin accounts, with time-limited elevation and full audit logging
Microsoft Entra ID handles all four when configured correctly. The gap most lenders face is not missing tools. It is incomplete configuration. Your tenant has the capabilities. The question is whether someone has turned them on, tied them to a documented policy, and tested them against the actual sign-in patterns of your loan officers, processors, and underwriters. Inside the M365 Guardian operating model, ABT runs Microsoft Entra ID Conditional Access in Grant mode (never Report-Only) for every Mortgage Workspace tenant, with named policies for loan officers, branch staff, executives, and third-party document services. Sign-in risk policies use Microsoft Entra ID Identity Protection signals to elevate authentication when behavior departs from the baseline rather than waiting for a quarterly review to surface the problem.
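The fastest way to know whether the legacy-auth block described above is actually enforced, rather than assumed, is to read the tenant's Conditional Access policies back and test each one against the conditions a complete block needs. The following Python is an added example, not code from ABT, Microsoft, or the M365 Guardian model. It assumes the policy objects have the shape Microsoft Graph returns from GET /identity/conditionalAccess/policies, and the three sample policies at the bottom are constructed (with placeholder GUIDs) to show the two failure modes that typically surface in an exam: a correct policy left in report-only mode, and an enforced policy with a user exclusion.

```python
"""Check an exported Conditional Access policy set for a legacy-auth block in Grant mode.

Added example, not ABT's or Microsoft's code. Policy objects follow the shape
Microsoft Graph returns from GET /identity/conditionalAccess/policies; the
sample policies at the bottom are constructed, with placeholder GUIDs.
"""
from __future__ import annotations

import json

# Client app types that represent legacy (non-modern) authentication in the policy schema.
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}
REPORT_ONLY = "enabledForReportingButNotEnforced"


def load_policies(graph_json: str) -> list[dict]:
    """Parse a raw Graph response body (a JSON object whose 'value' key holds the policies)."""
    return json.loads(graph_json)["value"]


def blocks_legacy_auth(policy: dict) -> bool:
    """True if this one policy blocks legacy auth for all users and all cloud apps, with no exclusions."""
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    apps = cond.get("applications", {})
    grant = policy.get("grantControls") or {}
    has_exclusions = bool(users.get("excludeUsers") or users.get("excludeGroups"))
    return (
        "All" in users.get("includeUsers", [])
        and not has_exclusions  # an excluded executive or service account is a bypass
        and "All" in apps.get("includeApplications", [])
        and LEGACY_CLIENT_APP_TYPES <= set(cond.get("clientAppTypes", []))
        and "block" in grant.get("builtInControls", [])
    )


def assess_policies(policies: list[dict]) -> dict:
    """Tenant-level verdict: is legacy auth blocked by an enabled policy, and what sits in report-only?"""
    enforcing = [p["displayName"] for p in policies
                 if p.get("state") == "enabled" and blocks_legacy_auth(p)]
    report_only = [p["displayName"] for p in policies if p.get("state") == REPORT_ONLY]
    # Block policies that exist but do not fully enforce: wrong state, exclusions, or narrow scope.
    not_fully_enforced = [
        p["displayName"] for p in policies
        if p["displayName"] not in enforcing
        and "block" in (p.get("grantControls") or {}).get("builtInControls", [])
    ]
    return {
        "legacy_auth_blocked": bool(enforcing),
        "enforcing_policies": enforcing,
        "report_only_policies": report_only,
        "block_policies_not_fully_enforced": not_fully_enforced,
    }


# Constructed sample policies (placeholder GUIDs, not from any real tenant).
SAMPLE_POLICIES = [
    {   # Correct block, but never moved out of report-only mode
        "displayName": "CA-001 Block legacy auth (report-only)",
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # Enforced, but an executive exclusion keeps one old mail client working
        "displayName": "CA-002 Block legacy auth",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": ["<placeholder-exec-user-guid>"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # An MFA policy for modern clients; unrelated to the legacy-auth question
        "displayName": "CA-010 Require MFA for loan officers",
        "state": "enabled",
        "conditions": {
            "users": {"includeGroups": ["<placeholder-loan-officers-group-guid>"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

if __name__ == "__main__":
    print(assess_policies(SAMPLE_POLICIES))
```

Run against the sample set, the verdict is `legacy_auth_blocked: False` with CA-001 listed as report-only and both CA-001 and CA-002 listed as block policies that do not fully enforce. Re-run after each policy change and keep the output with the monthly evidence pack; the same function applied to the real export is the check an examiner is asking about when they ask whether legacy auth is blocked.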
2. Data Protection and Encryption
The FTC Safeguards Rule explicitly requires encryption of customer information both in transit and at rest. That means TLS 1.2 or higher for all data transmission and AES-256 encryption for stored data.
Practical steps for mortgage companies:
- Enable BitLocker on all endpoints through Intune device compliance policies
- Configure Data Loss Prevention (DLP) policies in Microsoft Purview to prevent borrower SSNs and account numbers from leaving the organization via email or file sharing
- Set sensitivity labels for loan documents so they are encrypted and tracked throughout their lifecycle
- Verify your LOS vendor's encryption standards. If Encompass or Calyx data transits unencrypted between your network and their cloud, that is a finding waiting to happen.
Microsoft Purview is where the documentation lives. Purview DLP catches Social Security numbers, account numbers, and loan-application fields before they leave through email, Teams chat, SharePoint, or OneDrive. Purview Information Protection applies sensitivity labels that encrypt loan files and track them through their entire lifecycle, including to external counsel or warehouse lenders. Purview Audit (Premium) keeps the time-stamped trail for one year out of the box and extends to ten years with the add-on, which is the practical floor for most mortgage record retention obligations. M365 Guardian configures these Purview surfaces against ABT's mortgage-specific control catalog rather than leaving them at Microsoft default templates that were tuned for generic SMB workloads.
Microsoft's 2024 Digital Defense Report tracks more than 600 million identity-based attacks per day across the Microsoft cloud, with password-spray and credential-stuffing dominating the volume. Token theft and adversary-in-the-middle phishing are the fastest-growing categories targeting financial services tenants. The defenses Microsoft documents as effective against these patterns map directly to the FTC Safeguards and Fannie Mae supplement controls: phishing-resistant MFA, Conditional Access, token protection, and continuous risk-based sign-in evaluation in Microsoft Entra ID; data loss prevention, sensitivity labeling, audit retention, and communication compliance in Microsoft Purview; threat detection and SIEM aggregation in Microsoft Defender plus Microsoft Sentinel. As a Tier 1 Cloud Solution Provider primarily dedicated to financial services, ABT manages Microsoft 365 tenants for 750 plus banks, credit unions, and mortgage companies, with these surfaces configured inside the M365 Guardian operating model so every Mortgage Workspace tenant inherits the same audit-ready baseline rather than depending on a checklist that someone may or may not have run.
Source: Microsoft Digital Defense Report 2024, Identity and Social Engineering chapter
Document Custodian Requirements Are Now in Force
Fannie Mae's cybersecurity supplement is fully enforceable across every counterparty class as of April 1, 2026. If your IT framework has not been updated since the FFIEC CAT sunset, examiners and Fannie Mae attestations will surface the gap at your next review.
3. Continuous Monitoring and Threat Detection
Annual penetration tests are not enough anymore. The NIST CSF 2.0 Detect function expects continuous monitoring with automated alerting. For mortgage companies, that means real-time visibility into:
- Sign-in anomalies and impossible travel detections
- Changes to Conditional Access policies or admin role assignments
- External sharing of sensitive documents
- Endpoint compliance drift (devices falling out of compliance with Intune policies)
- Email authentication failures (SPF, DKIM, DMARC), which are the leading indicator of impersonation campaigns documented in our email security guide for mortgage lenders
Microsoft Defender for Office 365 and Defender for Endpoint provide the detection layer. Microsoft Sentinel can aggregate alerts across your environment. The challenge for mid-size lenders is having someone watching the dashboard. Alerts that fire into an unmonitored inbox are worse than no alerts at all because examiners will ask to see your response logs. The M365 Guardian operating model puts ABT's security operations team on the dashboard so the alerts actually get worked, with response evidence captured against the same case structure examiners want to see during a Regulation S-P or FFIEC incident review.
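Two of the signals listed above, changes to Conditional Access policies and admin role assignments, are control changes rather than attacks, which is why they need a rule that separates approved change from everything else and leaves a disposition record either way. The following Python is an added example, not ABT's, Microsoft's, or Sentinel's code. It assumes audit events shaped like Microsoft Graph auditLogs/directoryAudits records (activityDisplayName, initiatedBy, targetResources) and a map of approved change tickets; the events, accounts, and ticket map are constructed sample data, and the privileged-role list is an assumption to extend for your tenant.

```python
"""Detection rules for Conditional Access policy changes and privileged role assignments.

Added example, not ABT's or Microsoft's code. Event fields are modelled on
Microsoft Graph auditLogs/directoryAudits records; the events and the
approved-change ticket map are constructed sample data.
"""
from __future__ import annotations

CA_POLICY_ACTIVITIES = {
    "Add conditional access policy",
    "Update conditional access policy",
    "Delete conditional access policy",
}
ROLE_ACTIVITIES = {"Add member to role", "Add eligible member to role"}
# Roles whose assignment must always be reviewed (assumption: extend for your tenant).
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Security Administrator",
    "Conditional Access Administrator",
    "Exchange Administrator",
}


def actor_of(event: dict) -> str:
    user = (event.get("initiatedBy") or {}).get("user") or {}
    return user.get("userPrincipalName", "unknown")


def targets_of(event: dict) -> list[str]:
    return [t.get("displayName", "") for t in event.get("targetResources", [])]


def detect_changes(events: list[dict], approved_changes: dict[str, set[str]]) -> list[dict]:
    """Return one alert per CA policy change or privileged role assignment.

    approved_changes maps an actor UPN to the target names covered by an approved
    change ticket; a matching event is kept as an 'info' record (the evidence
    trail) rather than escalated to a response owner.
    """
    alerts = []
    for ev in events:
        activity = ev.get("activityDisplayName", "")
        targets = targets_of(ev)
        if activity in CA_POLICY_ACTIVITIES:
            kind = "conditional_access_change"
        elif activity in ROLE_ACTIVITIES and PRIVILEGED_ROLES & set(targets):
            kind = "privileged_role_assignment"
        else:
            continue  # not a monitored control change
        actor = actor_of(ev)
        approved = bool(set(targets) & approved_changes.get(actor, set()))
        alerts.append({
            "time": ev.get("activityDateTime"),
            "kind": kind,
            "activity": activity,
            "actor": actor,
            "targets": targets,
            "result": ev.get("result"),
            "approved": approved,
            "severity": "info" if approved else "high",
        })
    return alerts


def open_alerts(alerts: list[dict]) -> list[dict]:
    """Alerts that still need a named response owner and a documented disposition."""
    return [a for a in alerts if a["severity"] == "high"]


# Constructed sample data (placeholder domain and accounts).
APPROVED_CHANGES = {"it.admin@example-lender.test": {"CA-002 Block legacy auth"}}

SAMPLE_EVENTS = [
    {"activityDateTime": "2026-03-02T14:05:00Z", "activityDisplayName": "Update conditional access policy",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "it.admin@example-lender.test"}},
     "targetResources": [{"displayName": "CA-002 Block legacy auth"}]},
    {"activityDateTime": "2026-03-02T22:41:00Z", "activityDisplayName": "Update conditional access policy",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example-lender.test"}},
     "targetResources": [{"displayName": "CA-010 Require MFA for loan officers"}]},
    {"activityDateTime": "2026-03-03T09:12:00Z", "activityDisplayName": "Add member to role",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "it.admin@example-lender.test"}},
     "targetResources": [{"displayName": "new.hire@example-lender.test"}, {"displayName": "Global Administrator"}]},
    {"activityDateTime": "2026-03-03T09:15:00Z", "activityDisplayName": "Update user",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "it.admin@example-lender.test"}},
     "targetResources": [{"displayName": "new.hire@example-lender.test"}]},
    {"activityDateTime": "2026-03-03T10:00:00Z", "activityDisplayName": "Add member to role",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "it.admin@example-lender.test"}},
     "targetResources": [{"displayName": "branch.lead@example-lender.test"}, {"displayName": "Helpdesk Administrator"}]},
]

if __name__ == "__main__":
    for alert in detect_changes(SAMPLE_EVENTS, APPROVED_CHANGES):
        print(alert["severity"], alert["kind"], alert["actor"], alert["targets"])
```

On the sample events the rule produces three records: the ticketed CA-002 change as an info entry, and two high-severity alerts (an unticketed after-hours edit to the MFA policy and an unticketed Global Administrator assignment). The info entries matter as much as the alerts, because they are the response log the examiner asks for, and the `result` field is carried through so failed attempts show up alongside successful ones.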
4. Incident Response and Business Continuity
Fannie Mae's 2025 supplement now requires documented incident response plans that specifically address cyber events. Examiners want to see three things:
- A written incident response plan that names roles, escalation procedures, and communication templates
- Tabletop exercises conducted at least annually, with documented results and corrective actions
- Backup and recovery testing proving you can restore loan data and resume operations within your stated recovery time objective (RTO)
The common failure point is testing. Many lenders have an incident response plan in a binder on a shelf. They have never run it. When examiners ask "When did you last test your IR plan?" the answer cannot be "never."
5. Vendor Risk Management
Mortgage companies rely on dozens of third-party vendors: LOS platforms, credit bureaus, appraisal management companies, document preparation services, and IT providers. Each vendor with access to borrower data extends your compliance boundary.
A compliant vendor management program includes:
- Due diligence questionnaires for every vendor with data access
- Annual SOC 2 report reviews (or equivalent attestations)
- Contractual requirements for breach notification timelines
- Access reviews confirming vendors only reach systems they need
The FFIEC's updated guidance specifically calls out concentration risk. If your LOS, email, file storage, and security tools all run on the same cloud provider, examiners want to see how you have assessed and mitigated that concentration.
The Cost of Getting It Wrong
Compliance failures in mortgage lending carry compounding consequences. The direct costs are measurable. The indirect costs (operational disruption, reputational damage, lost business) are harder to quantify but often larger.
The $5.56 million average breach cost figure includes detection, notification, lost business, and post-breach response costs. But for mortgage companies, the damage extends further:
- Examination findings require documented remediation plans with deadlines. Your IT team stops building and starts fixing. Loan officers wait for system changes.
- FTC enforcement under the Safeguards Rule can impose civil penalties of up to $53,088 per violation under FTC Act sections 5(l), 5(m)(1)(A), and 5(m)(1)(B), the 2025 inflation-adjusted ceiling that remains in effect for 2026. The FTC also requires breach notification within 30 days for incidents affecting 500 or more consumers.
- Warehouse lender requirements are tightening. Some warehouse lenders now require cybersecurity attestations before extending credit lines. A failed exam can restrict your funding sources.
- GSE compliance is now non-negotiable. Fannie Mae's 36-hour incident reporting deadline means a breach that would have been quietly managed now becomes an immediate disclosure obligation.
The global average breach lifecycle in IBM's 2025 report is 241 days from intrusion to containment (158 days to identify plus 83 days to contain), a nine-year low, but still eight months of undetected exposure. For mortgage companies without mature detection capabilities, the actual lifecycle is likely longer. Cornerstone First Mortgage's 2023 breach was not discovered until September 2025, more than two years of exposure before anyone noticed.
"The CSF has been a vital tool for many organizations, helping them anticipate and deal with cybersecurity threats. CSF 2.0 is not just about one document. It is about a suite of resources that can be customized and used individually or in combination over time as an organization's cybersecurity needs change and its capabilities evolve."
Laurie E. Locascio, NIST Director, on the release of NIST CSF 2.0
Building the Evidence Trail Examiners Actually Want
Compliance is not just about having controls. It is about proving they work. The IT framework needs to generate evidence automatically because manual compliance tracking breaks down at scale.
Automated Compliance Reporting
Microsoft 365 compliance tools can generate most of the evidence examiners request. The key reports include:
- Microsoft Secure Score trending over time (shows continuous improvement, not just point-in-time snapshots, which is why we recommend using Secure Score as a starting baseline rather than a finish line)
- Microsoft Entra ID Conditional Access sign-in logs showing MFA enforcement rates and blocked legacy auth attempts
- Microsoft Purview DLP policy match reports demonstrating you are catching and blocking sensitive data leaks
- Device compliance reports from Intune showing encryption status, OS patch levels, and policy adherence
- Microsoft Purview Audit logs for admin actions, mailbox access, and SharePoint/OneDrive external sharing
The trick is setting up these reports before an exam, not scrambling to pull them when you get the notification letter. Build a monthly compliance dashboard that your CISO or compliance officer reviews. That review itself becomes evidence of governance. Inside M365 Guardian, ABT delivers that dashboard as a packaged monthly artifact rather than asking the lender's two-person IT team to assemble it from five different portals.
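The second report in the list above, MFA enforcement rates and blocked legacy auth attempts, is the one most worth automating because it answers three examiner questions at once: how much of successful sign-in traffic was multi-factor, whether the legacy-auth block is doing anything, and whether any legacy protocol still succeeds. The following Python is an added example, not ABT's, Microsoft's, or Guardian Security Insights code. It assumes sign-in records shaped like Microsoft Graph auditLogs/signIns (clientAppUsed, status.errorCode, authenticationRequirement, conditionalAccessStatus); the eight sign-ins and the accounts in them are constructed sample data.

```python
"""Monthly identity evidence from Entra sign-in records: MFA rate and legacy-auth outcomes.

Added example, not ABT's or Microsoft's code. Record fields are modelled on
Microsoft Graph auditLogs/signIns; the sign-ins below are constructed sample data.
"""
from __future__ import annotations

# clientAppUsed values Entra reports for legacy protocols (modelled on the Graph schema).
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients"}
CA_BLOCKED = 53003  # AADSTS53003: access blocked by Conditional Access
MFA = "multiFactorAuthentication"


def _succeeded(r: dict) -> bool:
    return (r.get("status") or {}).get("errorCode") == 0


def identity_evidence(signins: list[dict]) -> dict:
    """Summarise one reporting period into the numbers a compliance dashboard shows."""
    successes = [r for r in signins if _succeeded(r)]
    mfa_successes = [r for r in successes if r.get("authenticationRequirement") == MFA]
    single_factor = [r for r in successes if r.get("authenticationRequirement") != MFA]
    legacy = [r for r in signins if r.get("clientAppUsed") in LEGACY_CLIENTS]
    legacy_blocked = [r for r in legacy if (r.get("status") or {}).get("errorCode") == CA_BLOCKED]
    legacy_succeeded = [r for r in legacy if _succeeded(r)]
    # A successful sign-in that no Conditional Access policy evaluated is a coverage gap.
    no_ca = [r for r in successes if r.get("conditionalAccessStatus") == "notApplied"]

    findings = []
    if legacy_succeeded:
        findings.append("Legacy authentication still succeeds for: "
                        + ", ".join(sorted({r["userPrincipalName"] for r in legacy_succeeded})))
    if single_factor:
        findings.append("Single-factor successful sign-ins for: "
                        + ", ".join(sorted({r["userPrincipalName"] for r in single_factor})))
    if no_ca:
        findings.append(f"{len(no_ca)} successful sign-ins with no Conditional Access policy applied")

    return {
        "successful_signins": len(successes),
        "mfa_enforcement_rate": round(len(mfa_successes) / len(successes), 3) if successes else None,
        "legacy_auth_blocked": len(legacy_blocked),
        "legacy_auth_succeeded_users": sorted({r["userPrincipalName"] for r in legacy_succeeded}),
        "single_factor_success_users": sorted({r["userPrincipalName"] for r in single_factor}),
        "ca_not_applied_successes": len(no_ca),
        "findings": findings,
    }


def _rec(upn, client, code, requirement, ca_status, when):
    """Build one constructed sign-in record in the Graph-like shape."""
    return {"userPrincipalName": upn, "clientAppUsed": client, "status": {"errorCode": code},
            "authenticationRequirement": requirement, "conditionalAccessStatus": ca_status,
            "createdDateTime": when}


# Constructed sample month (placeholder domain and accounts).
SAMPLE_SIGNINS = [
    _rec("lo1@example-lender.test", "Browser", 0, MFA, "success", "2026-03-02T13:00:00Z"),
    _rec("lo2@example-lender.test", "Mobile Apps and Desktop clients", 0, MFA, "success", "2026-03-02T13:10:00Z"),
    _rec("proc1@example-lender.test", "Browser", 0, "singleFactorAuthentication", "notApplied", "2026-03-03T08:00:00Z"),
    _rec("exec1@example-lender.test", "IMAP4", CA_BLOCKED, "singleFactorAuthentication", "failure", "2026-03-03T08:05:00Z"),
    _rec("exec1@example-lender.test", "IMAP4", CA_BLOCKED, "singleFactorAuthentication", "failure", "2026-03-03T08:06:00Z"),
    _rec("svc-scan@example-lender.test", "Authenticated SMTP", 0, "singleFactorAuthentication", "notApplied", "2026-03-04T02:00:00Z"),
    _rec("uw1@example-lender.test", "Browser", 50126, "singleFactorAuthentication", "notApplied", "2026-03-04T09:00:00Z"),
    _rec("lo1@example-lender.test", "Browser", 0, MFA, "success", "2026-03-05T13:00:00Z"),
]

if __name__ == "__main__":
    for key, value in identity_evidence(SAMPLE_SIGNINS).items():
        print(f"{key}: {value}")
```

On the sample month the MFA enforcement rate is 0.6 (three of five successful sign-ins), two IMAP attempts were blocked by Conditional Access, and the scanner service account still succeeded over authenticated SMTP with no policy applied, which is exactly the "that one application" exception the legacy-auth section warns about. The failed password attempt is excluded from the rate so a spray campaign cannot distort the denominator. Run it over each month's export and file the output alongside the CISO's review sign-off.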
Policy Documentation That Passes Muster
Examiners read policies. They compare what the policy says to what the system actually does. The fastest way to fail an exam is having a policy that describes controls you have not implemented.
Write policies that match your actual environment. If your policy says "all endpoints are encrypted" but Intune shows 15% non-compliant devices, that is a finding. Update the policy to reflect reality, then close the gap.
Essential policy documents for mortgage companies:
- Information Security Policy (umbrella document covering all controls)
- Acceptable Use Policy
- Incident Response Plan
- Business Continuity and Disaster Recovery Plan
- Vendor Management Policy
- Data Classification and Handling Policy
- Change Management Policy
Fannie Mae's Information Security and Business Resiliency Supplement is now in effect for every counterparty class. Sellers and servicers crossed the line August 12, 2025. Technology service providers crossed December 31, 2025. Document custodians crossed April 1, 2026. The supplement requires a formal Information Security Program aligned with NIST or ISO 27001, multi-factor authentication, least-privilege access, regular account reviews, and a 36-hour incident reporting deadline. Mortgage companies that have not updated their documentation since 2024 are already operating outside the program rules.
Common IT Framework Gaps That Trigger Examination Findings
After working with hundreds of mortgage companies on compliance readiness, certain patterns emerge. These gaps show up repeatedly across lenders of all sizes.
Legacy Authentication Still Enabled
Legacy authentication protocols (POP3, IMAP, SMTP basic auth) bypass MFA entirely. Microsoft has deprecated them, but many tenants still allow them for "that one application" or "that one executive's old email client." Examiners check. Block legacy auth through Microsoft Entra ID Conditional Access. No exceptions.
No Centralized Logging
Loan officer workstations generate security events. Your LOS generates audit logs. Your email system generates sign-in data. If none of it feeds into a centralized view, you cannot demonstrate the continuous monitoring that NIST CSF 2.0 requires. Microsoft Sentinel or a similar SIEM tool centralizes these feeds.
Patch Management Gaps
The FTC Safeguards Rule requires timely patching. "Timely" in practice means critical patches within 14 days, high-severity within 30 days. Intune can enforce Windows Update compliance deadlines. The problem arises with line-of-business applications your LOS vendor patches on their own schedule.
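The 14-day and 30-day windows only become evidence when something measures pending updates against them on a schedule, and the same measurement produces the device compliance percentage that the policy-versus-reality section says examiners compare to your written policy. The following Python is an added example, not ABT's, Microsoft's, or Intune's code. It assumes a flat export of pending updates per device with a severity and release date (in practice from an Intune device or update compliance report); the devices, placeholder KB identifiers, and dates are constructed.

```python
"""Patch-SLA check: pending updates past the 14-day critical / 30-day high windows.

Added example, not ABT's or Microsoft's code. The device and update records are
constructed (placeholder KB identifiers); in practice they would come from an
Intune device or update compliance export.
"""
from __future__ import annotations

from datetime import date

# Windows the article describes as "timely" in practice. Medium/low are tracked but not enforced here.
SLA_DAYS = {"critical": 14, "high": 30}


def overdue_updates(pending: list[dict], as_of: date) -> list[dict]:
    """Return pending updates whose age exceeds the SLA for their severity, worst first."""
    overdue = []
    for u in pending:
        sla = SLA_DAYS.get(u["severity"].lower())
        if sla is None:
            continue  # no hard window for this severity in this check
        age = (as_of - u["released"]).days
        if age > sla:
            overdue.append({**u, "age_days": age, "days_overdue": age - sla})
    return sorted(overdue, key=lambda u: u["days_overdue"], reverse=True)


def patch_compliance_rate(pending: list[dict], devices: list[str], as_of: date):
    """Share of devices with no overdue update: the number to compare against your policy text."""
    if not devices:
        return None
    noncompliant = {u["device"] for u in overdue_updates(pending, as_of)}
    return round(1 - len(noncompliant) / len(devices), 3)


def vendor_patched_devices(pending: list[dict], as_of: date) -> list[str]:
    """Devices whose only overdue items are vendor-managed (line-of-business) updates.

    Intune cannot enforce those, so they need a documented vendor commitment instead.
    """
    by_device: dict[str, set[bool]] = {}
    for u in overdue_updates(pending, as_of):
        by_device.setdefault(u["device"], set()).add(bool(u.get("vendor_managed")))
    return sorted(d for d, flags in by_device.items() if flags == {True})


# Constructed sample export (placeholder device names and KB identifiers).
DEVICES = ["LO-LAPTOP-01", "LO-LAPTOP-02", "UW-DESKTOP-01", "PROC-LAPTOP-01"]
PENDING_UPDATES = [
    {"device": "LO-LAPTOP-01", "update": "KB-PLACEHOLDER-1", "severity": "critical", "released": date(2026, 3, 1)},
    {"device": "LO-LAPTOP-02", "update": "KB-PLACEHOLDER-1", "severity": "critical", "released": date(2026, 3, 10)},
    {"device": "UW-DESKTOP-01", "update": "LOS-CLIENT-PLACEHOLDER", "severity": "high",
     "released": date(2026, 2, 1), "vendor_managed": True},
    {"device": "PROC-LAPTOP-01", "update": "KB-PLACEHOLDER-3", "severity": "moderate", "released": date(2026, 1, 5)},
]
AS_OF = date(2026, 3, 20)

if __name__ == "__main__":
    for u in overdue_updates(PENDING_UPDATES, AS_OF):
        print(f"{u['device']}: {u['update']} ({u['severity']}) {u['days_overdue']} days past SLA")
    print("patch compliance rate:", patch_compliance_rate(PENDING_UPDATES, DEVICES, AS_OF))
```

As of the constructed date, two of the four devices are out of SLA (one critical update 5 days late, one vendor-managed LOS client update 17 days late), for a 50% compliance rate; the critical update on the second laptop is 10 days old and still inside its window. The `vendor_managed` flag is an assumption added to separate the updates your LOS vendor controls from the ones Intune can enforce, so the report shows which overdue items need a vendor escalation rather than an Intune deadline.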
Missing or Stale Risk Assessments
Every compliance framework requires a current risk assessment. "Current" means updated annually at minimum, or whenever significant changes occur (new LOS platform, office relocation, acquisition). A risk assessment from 2022 will not satisfy a 2026 examiner.
Inadequate Training Documentation
Staff training on security awareness and compliance is required by GLBA and the FTC Safeguards Rule. The gap is not usually the training itself. It is the documentation. Keep completion records, test scores, and training dates in a system you can query when examiners ask. A specific gap many lenders miss: CFPB-aligned configuration evidence inside the Microsoft 365 environment often does not get pulled into the same evidence binder as security training records, and examiners want both.
NIST CSF 2.0 vs. CRI Profile vs. CIS Controls vs. CISA CPGs: Which Framework Fits Your Lender
With the CAT retired, mortgage companies must choose a replacement framework. Each option serves a different organizational profile.
| Dimension | NIST CSF 2.0 | CRI Profile (FI overlay) | CIS Controls v8.1 | CISA CPGs 2.0 |
|---|---|---|---|---|
| Best for | Mid-to-large lenders with compliance staff | Lenders that want NIST CSF mapped to FFIEC, OCC, NCUA, SEC requirements out of the box | Smaller lenders wanting prioritized quick wins | Lenders needing minimal-baseline coverage |
| Structure | 6 functions, 22 categories, 106 subcategories | NIST CSF 2.0 plus 277 financial-sector diagnostic statements | 18 controls, 153 safeguards in 3 implementation groups | 37 cross-sector goals plus sector-specific additions |
| FI adoption picture | Most-cited successor to CAT in 2025 industry surveys | Used by larger banks and any FI that needs explicit regulator mapping | Wide use, especially IG1/IG2 for community lenders | Newer; growing use as a complement, not a primary framework |
| Examiner recognition | High. FFIEC has consistently pointed to NIST CSF as a baseline | High in the financial sector specifically; mapped to the supervisory frameworks examiners use | Accepted by most examiners | Growing but newer |
| Implementation effort | High. Requires mapping to your environment | Medium. Inherits NIST CSF 2.0 plus FI overlay | Medium. Prescriptive and actionable | Low. Designed as floor, not ceiling |
| Regulatory mapping | Strong. Maps to FFIEC, GLBA, FTC, SOX | Strongest for FIs. Maps to FFIEC, OCC, FDIC, NCUA, SEC, NYDFS, CFPB | Good. Maps to NIST CSF, PCI DSS | Limited. Newer framework |
Most mortgage companies will end up with NIST CSF 2.0 as the primary framework. Larger lenders and any institution that wants pre-built regulator mapping should layer the CRI Profile on top. The CIS Controls' three implementation groups (IG1, IG2, IG3) provide a natural roadmap: IG1 covers essential cyber hygiene that every lender needs, IG2 adds controls for organizations managing sensitive data, and IG3 covers advanced threats. A mid-size mortgage company should target IG2 compliance as the baseline.
Whichever framework you choose, document the decision, the rationale, and the mapping to your specific regulatory obligations. Examiners do not require a specific framework. They require a defensible choice backed by evidence.
The MSP Factor: Why In-House IT Alone Is Not Enough
Mid-size mortgage companies face a staffing problem. A full compliance program requires expertise in identity management, endpoint security, data protection, incident response, and vendor management. That is five specialties. Most lenders have an IT team of one to three people.
A managed service provider (MSP) with financial services expertise fills the gap. The right MSP brings:
- Pre-built compliance configurations for Microsoft 365 that map to NIST CSF 2.0 and CIS Controls
- 24/7 monitoring that your two-person IT team cannot provide
- Exam preparation support including evidence gathering, policy review, and examiner response coordination
- Continuous hardening that adapts as Microsoft releases new security features and as regulations change
The cost of a compliance-focused MSP is typically less than one additional full-time security engineer. The ROI becomes obvious the first time you pass an exam without findings. For mortgage companies navigating the post-CAT framework transition, going beyond Microsoft Secure Score with a managed security program provides the operational context that turns compliance metrics into actual security posture. ABT's distinction in this category is straightforward: as a Tier 1 Cloud Solution Provider primarily dedicated to financial services, ABT manages Microsoft 365 tenants for 750 plus banks, credit unions, and mortgage companies, and hosts the Azure environments behind Mortgage Workspace and Calyx PointCentral. The M365 Guardian operating model is how that footprint stays consistent across every lender.
A 90-Day IT Framework Hardening Plan
If your current framework has gaps, here is a prioritized 90-day plan to close the most common ones.
Days 1-30: Identity and Access
- Enable MFA for all users, including service accounts where possible
- Block legacy authentication via Microsoft Entra ID Conditional Access
- Audit admin role assignments and remove unnecessary privileged access
- Implement named Conditional Access policies (not just defaults) for each user group
Days 31-60: Data Protection and Monitoring
- Enable BitLocker enforcement through Intune compliance policies
- Deploy Microsoft Purview DLP policies targeting SSNs, account numbers, and loan application data
- Configure Microsoft Defender alerting and assign response owners
- Set up centralized audit logging with Microsoft Purview Audit (Premium) and a 90-day minimum retention floor
Days 61-90: Documentation and Testing
- Write or update your Information Security Policy to match actual controls
- Conduct a tabletop incident response exercise
- Test backup restoration and document RTO/RPO results
- Complete vendor risk assessments for your top 10 data-access vendors
- Build your monthly compliance dashboard in Power BI or Guardian Security Insights
How Does Your IT Framework Measure Up?
The FFIEC CAT is gone. Fannie Mae's cybersecurity supplement is enforceable. If your IT framework was built around the old assessment model, gaps are already accumulating. A 30-minute compliance gap assessment maps your current Microsoft Entra ID, Microsoft Purview, Microsoft Defender, and Microsoft Sentinel configuration against NIST CSF 2.0 and the M365 Guardian operating model before your next examiner does.
Frequently Asked Questions
The FFIEC retired the CAT on August 31, 2025 and pointed institutions to industry-standard frameworks they can adopt based on size and risk profile. The most-cited successors are NIST Cybersecurity Framework 2.0, the CRI Profile (the financial-sector overlay maintained by the Cyber Risk Institute), CISA Cybersecurity Performance Goals, and CIS Controls v8.1. Mortgage companies should align with at least one of these, document their risk assessments against its control categories, and be ready to show examiners the mapping in their next examination cycle.
The FTC Safeguards Rule requires mortgage companies to implement specific technical controls including encryption of customer data in transit and at rest, multi-factor authentication on all systems accessing customer information, continuous monitoring, and a written incident response plan. Non-compliance can result in FTC enforcement actions and state-level penalties that compound across jurisdictions. The civil penalty ceiling for consent-order or repeat violations is $53,088 per violation under FTC Act sections 5(l), 5(m)(1)(A), and 5(m)(1)(B), the 2025 inflation-adjusted figure that remains in effect for 2026.
A mortgage company's incident response plan must include named roles and responsibilities, escalation procedures with contact information, communication templates for regulators and affected borrowers, evidence preservation procedures, and recovery steps with documented recovery time objectives. The plan requires annual tabletop testing with documented results and corrective actions tracked to completion. Fannie Mae's 2025 supplement adds a 36-hour cybersecurity incident reporting deadline for sellers, servicers, and document custodians.
Mortgage companies should update IT risk assessments at least annually and whenever significant changes occur. Significant changes include deploying a new LOS platform, migrating to cloud infrastructure, opening or closing branch offices, merging with another company, or experiencing a security incident. A risk assessment older than 12 months will draw examiner scrutiny during any regulatory review.
The most common findings include legacy authentication protocols still enabled, missing or stale risk assessments, inadequate patch management documentation, lack of centralized security logging, incomplete vendor risk management programs, and policies that describe controls not actually implemented. Addressing these six areas before an examination eliminates the majority of typical findings for mortgage companies.
The CRI Profile is the financial-sector overlay on NIST Cybersecurity Framework 2.0 maintained by the Cyber Risk Institute (formerly the FSSCC Cybersecurity Profile). It adds 277 financial-sector diagnostic statements to NIST CSF and maps directly to FFIEC, OCC, FDIC, NCUA, SEC, NYDFS, and CFPB requirements. For mortgage companies that need an examiner-ready framework with the regulator mapping already done, the CRI Profile is the most efficient path. Smaller lenders typically use NIST CSF 2.0 directly; larger lenders and any institution facing multi-regulator scrutiny benefit from the CRI Profile overlay.
Justin Kirsch
CEO, Access Business Technologies
Justin Kirsch has guided mortgage companies through compliance framework transitions for over 27 years, from GLBA and SOX to FFIEC cybersecurity assessments and now the post-CAT, NIST CSF 2.0, and CRI Profile landscape. As CEO of Access Business Technologies, the largest Tier-1 Microsoft Cloud Solution Provider dedicated to financial services, he builds IT frameworks that pass examinations and protect borrower data for more than 750 banks, credit unions, and mortgage companies nationwide.