Mortgage Workspace Blog

CFPB Compliance and Your Microsoft 365 Environment: What Mortgage Lenders Must Configure

Written by Justin Kirsch | Mar 3, 2026 3:15:40 PM

The CFPB made mortgages its highest enforcement priority in April 2025. That single sentence should change how every mortgage lender thinks about their Microsoft 365 configuration. The Bureau's supervision memo listed "inadequate controls to protect consumer information resulting in actual loss to consumers" as an explicit enforcement target. Your M365 tenant is where consumer financial data lives, moves, and gets shared. If it's misconfigured, the CFPB now has a documented reason to come looking.

Meanwhile, Fannie Mae's Information Security and Business Resiliency Supplement took effect in August 2025, requiring sellers and servicers to report cybersecurity incidents within 36 hours, align their security programs with NIST standards, and attest annually across 14 security domains. That's not a suggestion. It's a contractual obligation that directly affects your ability to sell loans.

Most mortgage lenders already run Microsoft 365. The question is whether your tenant is configured to meet the specific data handling, retention, and access control requirements that CFPB examiners and Fannie Mae auditors actually check. This article maps those requirements to concrete M365 admin center configurations.

5 Years
Minimum retention period for mortgage closing disclosures under Regulation Z (12 CFR 1026.25). Your M365 retention policies need to match or exceed this requirement.
Consumer Financial Protection Bureau, Regulation Z

How Your Microsoft 365 Configuration Impacts CFPB Compliance

CFPB compliance is not an abstract regulatory concept. It translates directly into how your Microsoft 365 tenant handles four categories of data:

  • Consumer personally identifiable information (PII): Social Security numbers, financial account numbers, loan application data, credit reports, and income documentation flowing through Exchange Online, SharePoint, OneDrive, and Teams.
  • Disclosure records: Loan Estimates, Closing Disclosures, adverse action notices, and fee change documentation that must be retained for specific periods with provable audit trails.
  • Communication records: Borrower-facing emails, internal loan processing discussions, compliance review threads, and any electronic communication related to a consumer's mortgage file.
  • Access and activity logs: Records of who accessed consumer data, when, from what device, and what they did with it.

If your M365 tenant has default retention settings, no DLP policies scoped to financial data types, and basic audit logging without extended retention, you have gaps in all four categories. Default M365 configurations were not designed for CFPB-regulated mortgage operations. They were designed for general business use.

Why This Matters Right Now

The CFPB's April 2025 supervision memo explicitly prioritized "inadequate controls to protect consumer information resulting in actual loss to consumers." At the same time, Fannie Mae's cybersecurity supplement requires annual officer attestation across 14 security domains, with incident reporting within 36 hours. Your M365 configuration is now auditable from two directions: federal regulators and your secondary market counterparty.

CFPB Data Retention Requirements Mapped to M365

CFPB-regulated mortgage data has specific retention periods defined across Regulation Z (Truth in Lending Act), Regulation X (RESPA), and Regulation B (Equal Credit Opportunity Act). Your Microsoft 365 retention policies must align with the longest applicable period for each data type.

Retention Requirements by Record Type

| Record Type | Minimum Retention | Regulation |
|---|---|---|
| Closing Disclosures | 5 years after consummation | Reg Z, 12 CFR 1026.25(c)(1)(ii) |
| HUD-1/Settlement Records | 5 years after settlement | Reg X, 12 CFR 1024.10(e) |
| Credit Application Records | 25 months | Reg B, 12 CFR 1002.12(b) |
| LO Compensation Records | 3 years after payment | Reg Z, 12 CFR 1026.25(c)(2) |
| Ability-to-Repay Records | 3 years after consummation | Reg Z, 12 CFR 1026.25(c)(3) |
| Servicing Records | 1 year after discharge/transfer | Reg X, 12 CFR 1024.38(c) |
| General TILA Compliance | 2 years after disclosure | Reg Z, 12 CFR 1026.25(a) |

M365 Configuration: Retention Policies

In the Microsoft Purview compliance portal, navigate to Solutions > Data Lifecycle Management > Retention Policies. Create policies that cover each data type above:

  • Exchange Online retention: Set a minimum 5-year retention policy on mailboxes that send or receive mortgage disclosures, borrower communications, and compliance-related correspondence. Use adaptive scopes to target specific distribution groups (e.g., "Loan Processing," "Compliance," "Closers") rather than applying a blanket policy to all mailboxes.
  • SharePoint/OneDrive retention: Apply 5-year retention labels to document libraries containing closing disclosures, loan files, and settlement records. Use auto-apply retention labels based on sensitive information types to catch documents that get saved outside the designated libraries.
  • Teams retention: If your loan processors use Teams channels or chats for borrower-related discussions, those conversations are subject to the same retention requirements. Configure Teams retention to match your Exchange retention period.

The critical mistake is leaving M365 at its default retention settings. Out of the box, Exchange Online retains deleted items for 14 days and applies no long-term retention policy at all. That means a processor who deletes an email containing a Loan Estimate delivery confirmation loses it in two weeks. An examiner asking for that record three years later will not accept "it was deleted" as an answer.
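The portal steps above, as an added example in Security & Compliance PowerShell (this is not the article's own configuration): one policy for Exchange, SharePoint and OneDrive scoped statically to the distribution groups named in the list, and a separate one for Teams, both carrying a 5-year keep rule. The policy names, the SharePoint site URL, the admin UPN and the group names are assumptions.

```powershell
# Added example: create the 5-year retention policies described above with
# Security & Compliance PowerShell. Policy names, site URL, group names and
# the admin UPN are this example's assumptions; the cmdlets are Microsoft's.
Install-Module ExchangeOnlineManagement -Scope CurrentUser   # one-time
Connect-IPPSSession -UserPrincipalName admin@contoso.com     # placeholder admin

$days = 5 * 365   # Reg Z / Reg X minimum; raise it to match your longest obligation

# Policy 1: Exchange + SharePoint + OneDrive. A static scope of distribution
# groups keeps the policy off unrelated mailboxes (adaptive scopes are the
# portal's equivalent when membership changes often).
New-RetentionCompliancePolicy -Name "Mortgage Records - 5yr" `
    -ExchangeLocation "Loan Processing", "Compliance", "Closers" `
    -SharePointLocation "https://contoso.sharepoint.com/sites/LoanFiles" `
    -OneDriveLocation All `
    -Comment "Reg Z 1026.25 / Reg X 1024.10 disclosure and settlement records"

# The rule carries the duration and the action. Keep = retain and never
# auto-delete; KeepAndDelete would purge the item once the period ends.
New-RetentionComplianceRule -Name "Mortgage Records - keep 5yr" `
    -Policy "Mortgage Records - 5yr" `
    -RetentionDuration $days `
    -RetentionComplianceAction Keep `
    -ExpirationDateOption ModificationAgeInDays

# Policy 2: Teams chats and channel messages need their own policy; Teams
# locations cannot share a policy with Exchange or SharePoint locations.
New-RetentionCompliancePolicy -Name "Mortgage Records - Teams 5yr" `
    -TeamsChatLocation All `
    -TeamsChannelLocation All
New-RetentionComplianceRule -Name "Mortgage Records - Teams keep 5yr" `
    -Policy "Mortgage Records - Teams 5yr" `
    -RetentionDuration $days `
    -RetentionComplianceAction Keep

# Verify: a policy protects nothing until DistributionStatus reaches Success.
Get-RetentionCompliancePolicy -Identity "Mortgage Records - 5yr" -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus, ExchangeLocation, SharePointLocation
```

Keep the output of the final command with your compliance evidence; it shows an examiner when the policy took effect and which locations it covers.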

DLP Policies for Consumer Financial Data

Data Loss Prevention policies in Microsoft Purview stop consumer financial data from leaving your organization through unauthorized channels. For CFPB compliance, you need DLP rules that specifically address mortgage-related data types.

M365 Configuration: DLP Policy Setup

Navigate to Microsoft Purview > Data Loss Prevention > Policies > Create Policy. Start with the "U.S. Financial Data" template and customize it for mortgage operations:

  • Sensitive information types to detect: Social Security numbers, U.S. bank account numbers, credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITINs), and driver's license numbers. Add custom sensitive information types for loan numbers and NMLS IDs if your organization uses standardized formats.
  • Locations to monitor: Exchange Online, SharePoint Online, OneDrive for Business, Teams chat and channel messages, and Endpoint (for organizations using Microsoft 365 E5 or the compliance add-on).
  • Policy actions: Block external sharing of documents containing three or more sensitive information types. Show policy tips to users when they attempt to share files containing borrower PII outside the organization. Require business justification for sharing that overrides the policy. Generate incident reports for the compliance team.

Mortgage-Specific DLP Rules

Beyond the standard financial data template, configure rules for these mortgage-specific scenarios:

  • Loan application data in email: Block emails containing combinations of SSN + property address + loan amount from being sent to external recipients without encryption. Borrowers sending this data to your team is fine. Your team forwarding it to a personal Gmail account is not.
  • Disclosure documents as attachments: Flag outbound emails with PDF attachments matching naming conventions for Loan Estimates or Closing Disclosures (e.g., "LE_" or "CD_" prefixes) unless the recipient domain is on your approved list (eSign platforms, title companies, settlement agents).
  • Teams external sharing: If your organization allows guest access in Teams, block sharing of files from channels tagged with sensitivity labels like "Borrower Data" or "Consumer PII" with external guests.

36 Hours
Maximum time to report a cybersecurity incident to Fannie Mae under the Information Security and Business Resiliency Supplement, effective August 2025.
Fannie Mae Selling Guide Announcement SEL-2025-01, February 2025

eDiscovery and Legal Hold for CFPB Examinations

When a CFPB examiner requests specific loan files, borrower communications, or compliance records, you need to produce them. Microsoft 365's eDiscovery tools are built for this. The problem is that most mortgage lenders have never configured them.

M365 Configuration: eDiscovery Setup

In the Microsoft Purview compliance portal, navigate to Solutions > eDiscovery. Microsoft 365 offers two tiers:

  • eDiscovery (Standard): Available with E3 licensing. Allows content searches across Exchange mailboxes, SharePoint sites, and OneDrive accounts. Supports legal holds on specific mailboxes and sites. This is sufficient for most CFPB examination responses.
  • eDiscovery (Premium): Available with E5 licensing or the E5 Compliance add-on. Adds custodian management, legal hold notifications, advanced analytics (near-duplicate detection, email threading), and review sets. Worth the investment if your organization handles frequent examination requests or litigation holds.

Pre-Examination Preparation

Do not wait for a CFPB examination notice to set up eDiscovery. Configure it now:

  • Assign eDiscovery Manager roles: Designate at least two people (typically your compliance officer and IT administrator) as eDiscovery Managers in Microsoft Purview. This role is required to create cases, run searches, and export content.
  • Create a standing search template: Build a saved search that covers all mortgage-related content locations (loan processing mailboxes, compliance SharePoint sites, borrower data OneDrive folders). When an examiner requests records for a specific borrower, you clone the template and add the borrower name and loan number as search terms.
  • Test your search results: Run a test search quarterly. If the search returns zero results for a borrower you know has records, your content locations are misconfigured or your retention policies deleted the records prematurely.

Legal Hold During Active Examinations

When you receive a CFPB examination notification, immediately place legal holds on all relevant content locations. In eDiscovery (Standard), this means placing mailboxes and sites on hold within a case. In eDiscovery (Premium), you can use the custodian management workflow to issue hold notifications and track custodian acknowledgments.

Legal holds override retention policies. If your 5-year retention policy would otherwise delete a document that is subject to a legal hold, the hold wins. The document is preserved until the hold is released. This is by design, and it's the safety net that prevents accidental destruction of evidence.

"Bureau-supervised entities will receive advance notice of scheduled examinations providing them with the opportunity to plan. Requests related to exams will focus on Bureau priorities and hew to the defined scope of the exam and not venture into areas outside the scope."

CFPB Humility in Supervisions Pledge, November 2025

Email Archiving and Communication Compliance

Mortgage lending generates a high volume of email. Borrower communications, rate lock confirmations, disclosure delivery records, internal underwriting discussions, and compliance reviews all flow through Exchange Online. Every one of these messages is potentially discoverable in a CFPB examination.

M365 Configuration: Archive and Journaling

  • In-Place Archive: Enable archive mailboxes for all users who handle mortgage data. Navigate to Exchange admin center > Mailboxes > select user > Manage mailbox archive > Enable. Archive mailboxes provide unlimited storage (with E3/E5 licensing) and ensure emails that are moved out of the primary mailbox are still retained and searchable.
  • Auto-expanding archive: For high-volume mailboxes (closers, loan officers, compliance), enable auto-expanding archiving. This prevents the archive mailbox from hitting its 100 GB limit and automatically provisions additional storage.
  • Journaling (if required): Some compliance frameworks require a tamper-proof copy of every email. Microsoft 365 supports journal rules that send a copy of every message matching specific criteria to a journal mailbox or third-party archiving service. This is a belt-and-suspenders approach on top of retention policies.

Communication Compliance Policies

Microsoft Purview Communication Compliance monitors email and Teams messages for policy violations. For mortgage lenders, useful detections include:

  • Unauthorized disclosure of rates or terms: Flag messages where loan officers share rate information through personal email accounts or unapproved channels.
  • Consumer complaint indicators: Detect messages containing phrases like "CFPB complaint," "regulatory complaint," or "attorney general" to route them to compliance for review and documentation.
  • Steering language: Monitor for language patterns that could indicate fair lending violations in borrower-facing communications.

Audit Trail and Access Logging

CFPB examiners expect to see who accessed consumer data, when, and what actions they took. Microsoft 365's Unified Audit Log captures this information, but only if you configure it correctly and retain the logs long enough.

M365 Configuration: Audit Log Settings

  • Verify audit logging is enabled: Navigate to Microsoft Purview > Audit. For E3 tenants, audit logs are retained for 90 days by default. For E5 tenants, the default extends to one year. Neither default meets the 5-year retention requirement for closing disclosure records.
  • Extend audit log retention: With E5 or the E5 Compliance add-on, create audit log retention policies that retain specific activity types for up to 10 years. At minimum, configure 5-year retention for: user login events, file access and sharing events in SharePoint/OneDrive, mailbox access events, and admin activity logs.
  • Enable mailbox auditing for all users: Mailbox auditing is enabled by default in Microsoft 365, but verify it has not been disabled for specific mailboxes. Navigate to Exchange admin center > Mailboxes > select user > Manage mailbox auditing. Ensure "Owner," "Delegate," and "Admin" actions are all logged.
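The three checks above, as an added example in Exchange Online and Security & Compliance PowerShell (not the article's own script): confirm unified audit ingestion is on, create a long-term audit retention policy for the activity types examiners ask about, and find mailboxes whose auditing is off or bypassed. The policy name, the admin UPN and the export path are assumptions.

```powershell
# Added example: verify and fix the audit settings above. Policy name, admin
# UPN and CSV path are assumptions; the cmdlets and record types are Microsoft's.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com   # placeholder admin
Connect-IPPSSession    -UserPrincipalName admin@contoso.com

# 1. Unified audit log ingestion must be on; nothing below matters if it is off.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Extend retention (E5 or the E5 Compliance add-on). Durations are fixed
#    values; TenYears covers the 5-year disclosure requirement. When policies
#    overlap, the lower Priority number wins.
New-UnifiedAuditLogRetentionPolicy -Name "Mortgage - access trail 10yr" `
    -Description "Borrower data access trail for CFPB and Fannie Mae exams" `
    -RecordTypes AzureActiveDirectoryStsLogon, SharePointFileOperation, `
                 SharePointSharingOperation, ExchangeItem, ExchangeAdmin, `
                 SecurityComplianceCenterEOPCmdlet `
    -RetentionDuration TenYears `
    -Priority 10

# 3. Mailbox auditing: the tenant-wide switch, each mailbox's own state, and
#    bypass associations (the usual way auditing is silently turned off for
#    one account, often a service account).
if ((Get-OrganizationConfig).AuditDisabled) {
    Write-Warning "Mailbox auditing is disabled tenant-wide; re-enabling"
    Set-OrganizationConfig -AuditDisabled $false
}

$unaudited = Get-EXOMailbox -ResultSize Unlimited -PropertySets Audit |
    Where-Object { -not $_.AuditEnabled }
foreach ($m in $unaudited) {
    Write-Warning "Auditing off for $($m.UserPrincipalName); enabling"
    Set-Mailbox -Identity $m.UserPrincipalName -AuditEnabled $true
}

Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    Select-Object Name, AuditBypassEnabled   # each row is a mailbox producing no audit records

# Evidence for the examiner: the retention policies actually in force, exported.
Get-UnifiedAuditLogRetentionPolicy |
    Select-Object Name, RecordTypes, RetentionDuration, Priority |
    Export-Csv .\audit-retention-policies.csv -NoTypeInformation
```

Run the mailbox checks on the same quarterly cadence as the eDiscovery test search; a bypass association added between reviews is exactly the gap an examiner's access-history request exposes.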

What Examiners Actually Ask For

During a CFPB examination focused on data handling, examiners typically request:

  • Records of who accessed a specific borrower's loan file and when
  • Evidence that former employees' access was revoked upon termination
  • Logs showing failed login attempts or access from unusual locations
  • Proof that sensitive data was not shared externally without authorization
  • Documentation of admin changes to security policies, retention settings, or DLP configurations

If your audit log retention is 90 days and the examiner asks about activity from 18 months ago, you have nothing to show. That gap becomes a finding.

Common CFPB Compliance Gaps We Find in Mortgage Lender M365 Tenants

Across the hundreds of mortgage company Microsoft 365 environments we have configured, these are the CFPB compliance gaps that appear most frequently. Each one is a configuration problem, not a licensing limitation.

  • No retention policies beyond M365 defaults. The single most common gap. Mortgage data gets deleted on standard retention schedules that have nothing to do with CFPB requirements. Closing disclosure emails disappear after 14 days in the deleted items folder. Fix: Create retention policies aligned with the table in the Data Retention section above.
  • DLP policies not scoped to mortgage data types. Many lenders have DLP policies that detect credit card numbers but nothing else. Loan application data containing SSN + income + property address flows freely to personal email accounts. Fix: Deploy the mortgage-specific DLP rules described in the DLP section.
  • No eDiscovery cases or role assignments. When an examination notice arrives, nobody in the organization has the permissions to search for and export the requested records. Fix: Assign eDiscovery Manager roles and build standing search templates before you need them.
  • Audit logging at default retention. E3 tenants lose audit logs after 90 days. Even E5 tenants lose them after one year unless custom retention policies are configured. Fix: Create audit log retention policies that match your longest regulatory retention period.
  • Archive mailboxes not enabled. Loan officers delete old emails to manage mailbox size. Those emails are gone permanently after the deleted items retention period expires. Fix: Enable archive mailboxes for all mortgage-related users.
  • No sensitivity labels on mortgage documents. Loan files, disclosures, and borrower documents are stored alongside general business documents with no classification. This makes DLP policies less effective and eDiscovery searches less precise. Fix: Create sensitivity labels for "Consumer PII," "Loan File," and "Disclosure" document types and train users to apply them.
  • Legacy authentication still enabled. Older mail clients and third-party applications using basic authentication bypass Conditional Access policies, meaning access to mortgage data cannot be controlled or audited properly. Fix: Block legacy authentication in Conditional Access and migrate all clients to modern authentication.
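The last gap above, as an added example in Microsoft Graph PowerShell (not the article's own procedure): report which accounts still sign in with legacy protocols, then create the Conditional Access block in report-only mode so the impact is visible before enforcement. The policy name, the 30-day lookback and the excluded break-glass group are assumptions.

```powershell
# Added example: block legacy authentication with Conditional Access via
# Microsoft Graph PowerShell. Policy name, lookback window and the excluded
# group are assumptions; cmdlets, scopes and clientAppUsed values are Microsoft's.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "AuditLog.Read.All"

# 1. Who still uses legacy protocols? Modern clients report "Browser" or
#    "Mobile Apps and Desktop clients"; anything else (IMAP4, POP3,
#    Authenticated SMTP, Exchange ActiveSync, EWS ...) bypasses Conditional
#    Access today and is what the policy will block.
$since  = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$legacy = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.ClientAppUsed -notin @("Browser", "Mobile Apps and Desktop clients") }
$legacy | Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count, Name | Sort-Object Count -Descending | Format-Table -AutoSize

# 2. Create the policy in report-only mode. exchangeActiveSync is its own
#    client type; "other" covers IMAP, POP, SMTP AUTH, EWS and old Office clients.
$policy = @{
    displayName = "Block legacy authentication - mortgage tenant"
    state       = "enabledForReportingButNotEnforced"   # set to "enabled" after review
    conditions  = @{
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @("<break-glass-group-object-id>")   # placeholder: emergency access accounts
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# 3. Once report-only sign-in logs show no legitimate legacy traffic, enforce:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State enabled
```

The report from step 1 doubles as migration evidence: each line is a client that must move to modern authentication before the policy is switched from report-only to enabled.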

How Compliant Is Your M365 Tenant?

Get a free security assessment that evaluates your Microsoft 365 configuration against mortgage compliance benchmarks, including CFPB data retention, DLP coverage, and audit logging.


Frequently Asked Questions

Microsoft 365 E3 provides the baseline tools for CFPB compliance: retention policies, basic eDiscovery, DLP policies, and 90-day audit log retention. Microsoft 365 E5 or the E5 Compliance add-on extends audit log retention to 10 years, adds eDiscovery Premium with custodian management and analytics, and provides advanced DLP capabilities including endpoint DLP. Most mortgage lenders with active CFPB examination exposure should be on E5 or E3 plus the compliance add-on.

Retention periods vary by record type. Closing disclosures must be retained for five years after consummation under Regulation Z. HUD-1 settlement records require five years after settlement under Regulation X. Credit application records must be kept for 25 months under Regulation B. Loan originator compensation records require three years after payment. If your organization services loans, servicing records must be retained until one year after the loan is discharged or servicing is transferred. Many mortgage lenders apply a blanket seven-year retention policy to simplify compliance across all record types.

Mortgage lenders should configure DLP policies that detect and block unauthorized sharing of Social Security numbers, bank account numbers, credit card numbers, and Individual Taxpayer Identification Numbers across Exchange Online, SharePoint, OneDrive, and Teams. Add custom sensitive information types for loan numbers and NMLS IDs. Configure rules that block external sharing of documents containing three or more sensitive information types, show policy tips to users, require business justification for overrides, and generate incident reports for the compliance team.

Before an examination, assign eDiscovery Manager roles to your compliance officer and IT administrator in Microsoft Purview. Create standing search templates that cover all mortgage-related content locations including loan processing mailboxes, compliance SharePoint sites, and borrower data folders. When an examination notification arrives, immediately place legal holds on all relevant content locations to override retention policies and prevent accidental deletion. Test your eDiscovery searches quarterly by searching for known borrower records to verify your content locations and retention policies are correctly configured.

CFPB examiners expect audit trails showing who accessed consumer data, when, from what device, and what actions they took. Microsoft 365 E3 retains audit logs for 90 days by default, which is insufficient for mortgage compliance. E5 licensing or the E5 Compliance add-on extends default retention to one year and allows custom audit log retention policies up to 10 years. At minimum, configure five-year retention for user login events, file access and sharing events, mailbox access events, and admin activity logs. Verify mailbox auditing is enabled for all users with Owner, Delegate, and Admin actions logged.

Fannie Mae's Information Security and Business Resiliency Supplement, effective August 12, 2025, requires sellers and servicers to align security programs with NIST standards, report cybersecurity incidents within 36 hours, conduct annual penetration testing, and provide officer attestation across 14 security domains. In Microsoft 365, this translates to enabling Conditional Access policies with MFA enforcement, configuring Microsoft Defender for endpoint protection, implementing DLP policies for consumer data, enabling advanced audit logging, and maintaining documented evidence of security configurations. The 36-hour reporting requirement means your incident response plan must include procedures for detecting and escalating M365 security events in near real-time.

Next Steps

Start with the retention policy table. Compare each row to what your M365 tenant currently has configured. If you find gaps, the configuration steps in each section above will close them. If you're not sure what your current configuration looks like, that's the first problem to solve.

  • Assess your current M365 compliance posture. MWS offers a free Microsoft 365 Security Assessment that evaluates your tenant configuration against mortgage compliance benchmarks, including CFPB data retention requirements, DLP policy coverage, and audit log configuration.
  • Talk to a mortgage IT specialist. Schedule a conversation with our team to review your CFPB compliance configuration, identify gaps, and build an action plan before your next examination.

Justin Kirsch

CEO, Access Business Technologies

Justin Kirsch has guided hundreds of mortgage companies through the intersection of CFPB compliance and Microsoft 365 configuration. As CEO of Access Business Technologies, he has built dedicated compliance frameworks that help mortgage lenders satisfy CFPB examination requirements while maintaining operational efficiency across their Microsoft environments.