AI, Microsoft 365 Managed IT & Compliance Automation for Mortgage Companies - Encompass, Interfaces & Cybersecurity | MWS Blog

CFPB Pitfalls: How Smart Interfaces Keep Mortgage Companies Compliant

Written by Justin Kirsch | Nov 25, 2025 6:00:01 PM

A mortgage company that gets a CFPB finding rarely gets it because someone decided to break the rules. The finding starts with bad systems. A loan officer skips a required Home Mortgage Disclosure Act demographic field because the loan origination system lets them save the file without it. A truth-in-lending disclosure sits in an outbox while the loan moves to processing because the LOS does not talk to the disclosure-generation tool. A piece of marketing copy goes out from the customer relationship management platform that contradicts the rate sheet in the LOS because the two systems are not connected. By the time the examiner arrives, the company is reconstructing history out of three different data stores that never agreed in the first place. Access Business Technologies is a Tier-1 Microsoft Cloud Solution Provider that manages Microsoft 365 tenants for more than 750 financial institutions, and the lesson the CFPB enforcement record keeps repeating is that the compliance problem upstream is almost always an interface problem.

Why CFPB Compliance Resolves to an Interface and Governance Problem

  • Bad data entered once leaks into every downstream report. When loan officers retype borrower information into the LOS, the CRM, and the servicing platform separately, the three systems drift apart. Required HMDA fields, TILA disclosure timing, and ECOA notification dates all fall behind the truth of what happened in the file.
  • A clean interface layer eliminates the manual reentry that drives most violations. When loan-stage events, borrower data, and document deadlines flow automatically between the LOS, the servicing system, the CRM, and Microsoft 365, the system enforces the rule rather than asking the loan officer to remember it.
  • Governance has to wrap the whole pipeline, not just the LOS. Microsoft Purview applies retention, sensitivity labels, and data-loss-prevention policies across Outlook, SharePoint, OneDrive, Teams, and the LOS-connected document library so the audit trail covers every surface a CFPB examiner can reach.
  • MortgageExchange is the interface layer. M365 Guardian is the governance layer. Microsoft Purview is the evidence layer. ABT runs all three for mortgage companies as a single managed service so the examiner-ready posture is a byproduct of the daily operation, not a six-month scramble before each examination.

The CFPB dismissed most of its enforcement actions in early 2025 and revoked nearly 70 guidance documents by May. The Bureau cut examinations by 50 percent and shifted toward targeting fraud against servicemembers and veterans. Some mortgage companies read that news and relaxed. That is the wrong response. The enforcement actions that did go through tell a different story. Draper and Kramer Mortgage paid $1.5 million and received a five-year lending ban for Equal Credit Opportunity Act violations. Bank of America paid $12 million for HMDA data accuracy failures. Fay Servicing owed $7 million in penalties and was forced to invest $2 million in technology upgrades. The CFPB updated TILA, CLA, and FCRA thresholds for 2026. The rules did not go away. The enforcement priorities shifted. The cases that get pursued share one feature: the violation is documented in the company's own records, because the systems produced inconsistent, incomplete, or contradictory data the examiner could point at.

750+: the number of financial institutions ABT operates Microsoft 365 tenants for, including mortgage bankers, independent mortgage brokers, community banks, and credit unions. The CFPB compliance conversation with a mortgage company almost always starts with a MortgageExchange and Microsoft Purview review, not a new compliance vendor demo.
Source: Access Business Technologies customer footprint, 2026.

How CFPB Enforcement Has Changed in 2025-2026

The CFPB restructured its enforcement approach starting in February 2025. The Bureau reduced examinations by 50 percent, prioritized large banks over nonbank lenders, and shifted toward cases involving clear consumer harm. The December 2025 Fair Lending Report signaled a pivot toward intentional discrimination cases with identified victims rather than disparate impact analysis. But a shift in strategy is not a relaxation of standards. Every terminated consent order required the company to pay full penalties and consumer redress before closure. The Fay Servicing order was not just a fine. It included mandatory technology investments to fix the systems that caused violations in the first place.

For mortgage companies, the compliance risk has become more focused, not smaller. The Bureau is prioritizing cases with clear evidence of harm. The fastest way to create clear evidence of harm is to run compliance-critical processes on systems that do not enforce the rules automatically and that produce inconsistent records across the LOS, the servicing platform, the CRM, and the document library. Our guide to Building a Compliant IT Framework for Mortgage Companies goes deeper on this.

Five CFPB Violation Categories That Start with Bad Systems

Five categories of CFPB violations recur across the enforcement record. Each one starts with a system design problem rather than a willful act, and each one resolves to a question about how the LOS, the CRM, the servicing system, and Microsoft 365 share data.

| Violation category | System design failure behind it |
|---|---|
| RESPA referral fee violations (Rocket Homes pattern) | Marketing partnerships managed in the CRM and referral compensation tracked in the LOS, with no shared definition of where co-marketing ends and prohibited compensation begins. |
| HMDA data accuracy failures (Bank of America $12 million pattern) | Required demographic fields can be left blank in the LOS. Loan officers do not always ask the questions, the system does not require the answer, and the HMDA submission is wrong by the time it leaves the company. |
| Fair lending pattern violations (Trident Mortgage $24.4 million redlining settlement) | Pricing, underwriting, and marketing distribution operate in separate systems with no centralized monitoring. The pattern develops invisibly until someone runs the report after the fact. |
| UDAAP disclosure failures | Marketing materials are created in the CRM or a separate marketing platform. Compliance review happens in a different system. The two never see the same draft, and misleading communications get published that nobody intended to mislead. |
| TILA timing violations | Disclosures generated in one tool sit waiting while the loan advances through pipeline stages in the LOS. The two systems do not exchange timing events, and the loan crosses a stage threshold before the disclosure is delivered. |

The pattern in that table is the point. Most modern CFPB violations resolve to a question about the seam between the LOS, the CRM, the servicing system, and Microsoft 365. The question is not whether the company means to comply. The question is whether the systems produce consistent, complete, time-stamped records of the work, and whether the company can hand the examiner a single picture of what happened to a borrower across every surface that touched the file.

How Interface Design Drives or Destroys Compliance

Every screen, dropdown, required field, and workflow step in a mortgage company's systems either supports compliance or undermines it. There is no neutral position. When the interface makes the compliant path the easiest path, compliance happens naturally. When compliance requires extra clicks, separate screens, or manual cross-referencing between systems, shortcuts become inevitable. That is not because the team is lazy; it is because humans choose the path of least resistance under production pressure.

Three properties separate interfaces that support compliance from interfaces that destroy it.

Data validation at point of entry. The LOS interface should validate borrower information in real time. If a Social Security number format is wrong, the system flags it immediately. If an income figure is inconsistent with employment data, the system prompts the loan officer to verify. Catching errors at entry costs seconds. Catching them during a CFPB examination costs millions.

Workflow enforcement versus workflow guidance. There is a meaningful difference between a system that suggests the next step and one that requires it. Suggestion-based workflows let busy loan officers skip steps under deadline pressure. Enforcement-based workflows make it structurally impossible to advance a loan without completing required compliance checks.

Audit trail automation. Every action across every system should create an auditable record without anyone thinking about it. When the CFPB requests documentation of who did what and when, the answer should come from automated logs that span the LOS, the CRM, the servicing system, and the Microsoft 365 document library, not from asking employees to recall actions from six months ago.

The CFPB examiner does not care which system produced the record. The examiner cares whether the records agree. Interface design is what makes them agree.
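The three properties above, and the "make required fields genuinely required" step later in this article, can be shown in a small model of an enforcement-based workflow gate. This is an added example written for this page, not ABT's or any LOS vendor's code: a loan-file object validates a value at entry (the SSN format check the text mentions), refuses a stage transition until the required demographic fields and the disclosure event exist, and writes every accepted and refused action to an audit list. The stage names, field names, the disclosure-before-processing rule, and the sample values are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Pipeline stages in order; a file may only advance one stage at a time (constructed).
STAGES = ["application", "disclosed", "processing", "underwriting", "closing"]
# Fields that must be valid before entering a stage; the HMDA names are illustrative placeholders.
REQUIRED_BEFORE_STAGE = {"disclosed": ["ssn", "ethnicity", "race", "sex"]}
# Disclosure events that must be on record before entering a stage (constructed rule).
DISCLOSURES_BEFORE_STAGE = {"processing": ["initial_tila"]}
# AAA-GG-SSSS, rejecting the ranges the SSA never issues (area 000/666/900-999, group 00, serial 0000).
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}$")


def validate_field(name, value):
    """Point-of-entry validation. Returns an error string, or None if the value is valid."""
    if value is None or not str(value).strip():
        return f"{name} is blank"
    if name == "ssn" and not SSN_RE.match(str(value)):
        return "ssn format invalid"
    return None


@dataclass
class LoanFile:
    loan_id: str
    stage: str = "application"
    fields: dict = field(default_factory=dict)
    disclosures: dict = field(default_factory=dict)  # disclosure name -> delivery timestamp
    audit: list = field(default_factory=list)        # append-only log of every action

    def _log(self, actor, action, detail, ok):
        # Accepted and refused actions alike are recorded without the user doing anything.
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "loan": self.loan_id,
                           "actor": actor, "action": action, "detail": detail, "ok": ok})

    def set_field(self, actor, name, value):
        """Validate at entry: an invalid value is refused and logged, never saved."""
        err = validate_field(name, value)
        if err:
            self._log(actor, "set_field", f"{name}: {err}", False)
            return err
        self.fields[name] = value
        self._log(actor, "set_field", name, True)
        return None

    def record_disclosure(self, actor, name, delivered_at):
        self.disclosures[name] = delivered_at
        self._log(actor, "disclosure", f"{name} delivered {delivered_at}", True)

    def advance(self, actor, target):
        """Enforcement, not guidance: returns the reasons the move was refused ([] means it advanced)."""
        reasons = []
        if target not in STAGES:
            reasons.append(f"unknown stage {target}")
        elif STAGES.index(target) != STAGES.index(self.stage) + 1:
            reasons.append(f"cannot move from {self.stage} to {target}")
        for name in REQUIRED_BEFORE_STAGE.get(target, []):
            err = validate_field(name, self.fields.get(name))
            if err:
                reasons.append(err)
        for disc in DISCLOSURES_BEFORE_STAGE.get(target, []):
            if disc not in self.disclosures:
                reasons.append(f"{disc} disclosure not delivered")
        if reasons:
            self._log(actor, "advance", f"{target} refused: {'; '.join(reasons)}", False)
            return reasons
        self.stage = target
        self._log(actor, "advance", target, True)
        return []

    def refused_actions(self):
        """The examiner's view: every blocked shortcut, time-stamped, with its reason."""
        return [e for e in self.audit if not e["ok"]]


def demo():
    """Walk one constructed file through the gate; returns it for inspection."""
    lf = LoanFile("L-0001")
    lf.set_field("lo_jane", "ssn", "000-12-3456")   # refused: invalid area number
    lf.set_field("lo_jane", "ssn", "123-45-6789")
    lf.advance("lo_jane", "disclosed")              # refused: demographic fields still blank
    for name, value in [("ethnicity", "Not Hispanic or Latino"), ("race", "Asian"), ("sex", "Female")]:
        lf.set_field("lo_jane", name, value)
    lf.advance("lo_jane", "disclosed")
    lf.advance("lo_jane", "processing")             # refused: no disclosure event on record
    lf.record_disclosure("disclosure_tool", "initial_tila", "2025-11-20T15:02:00Z")
    lf.advance("lo_jane", "processing")
    return lf
```

Running demo() and printing its audit list shows the point of the third property: the refused transitions appear in the log with their reasons and timestamps, so the record of who tried what and when is produced by the system rather than reconstructed from memory.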

Why MortgageExchange Is the Interface Layer That Feeds Clean Data Into the LOS, Servicing, and CRM

The interface layer is the part of the stack most mortgage companies underbuild. The LOS is purchased and licensed. The CRM is purchased and licensed. The servicing platform is purchased and licensed. The connections between them are usually a patchwork of vendor APIs, scheduled CSV exports, and manual reentry workflows that drift out of sync between Tuesday afternoon and Friday morning. That patchwork is where the compliance problem lives. A borrower's loan status changes in the LOS at 9:14 a.m. The CRM does not see the change until the overnight sync at 2 a.m. The servicing handoff happens in between. The loan officer sends a customer notification based on the stale CRM picture. The notification is technically wrong. The examiner finds the inconsistency a year later.

MortgageExchange is the integration product Access Business Technologies operates that closes that gap. It is the largest interface product ABT runs, with bidirectional data flow between Microsoft 365, the loan origination system, the servicing platform, and the CRM the company uses. When a borrower's status changes in Encompass, Calyx Point, or another LOS, MortgageExchange surfaces the change inside Microsoft 365 where the loan officer's email, calendar, and document folder already live. When the loan officer adds a note in Outlook or marks a milestone in a SharePoint list, MortgageExchange writes the relevant context back to the LOS and the servicing system so the downstream processor, underwriter, and servicing rep are not working from a stale picture. The company gets one pipeline of truth across every system that touches the file, which means the HMDA demographic record, the TILA timing event, the ECOA notification date, and the marketing message content all sit on the same set of facts.

The integration question is the one most CFPB compliance projects skip. Nonbank mortgage lenders now service 66 percent of federally backed mortgages, up from 27 percent in 2014, according to a February 2026 Government Accountability Office report. As nonbank originators handle more volume, the integration requirement between the LOS, the servicing system, the CRM, and Microsoft 365 only gets more complex. An LOS that does not connect cleanly with the downstream systems creates data silos, manual workarounds, and compliance blind spots that show up in CFPB and state-examination findings later. The interface layer is the upstream fix for the downstream finding.

Without MortgageExchange

A mortgage company runs Encompass, a vertical mortgage CRM, and a servicing platform from three vendors. Each system has its own database. Loan officers retype borrower data into the CRM after capturing it in the LOS intake form. Disclosures generated in a fourth system sit in an outbox while pipeline stages advance. Six months in, a CFPB examiner asks for the loan-level HMDA file. The compliance team pulls a report from the LOS, a report from the servicing platform, and a report from the CRM. The three reports do not agree. The exam stretches into a second sweep, and the company receives a finding for inconsistent recordkeeping.

With MortgageExchange

The same company runs the same LOS, CRM, and servicing platform with MortgageExchange wired between them and Microsoft 365. Borrower data is entered once and propagates in real time across every system. Loan-stage events fire from the LOS into Microsoft Power Automate workflows that trigger the right disclosure, the right customer notification, and the right document hold inside SharePoint at the right moment. The CFPB examiner asks for the loan-level HMDA file. The compliance team produces one report across all four systems that agrees with itself. The exam closes on time. The company has no finding on this surface.

M365 Guardian and Microsoft Purview: The Governance Layer for the Whole Pipeline

A clean interface layer answers half the CFPB question. The other half is governance: who saw what, who changed what, who deleted what, and when. Microsoft Purview is the layer inside Microsoft 365 that produces that answer. Purview Audit provides the time-stamped audit log across Exchange Online, SharePoint Online, OneDrive, Microsoft Teams, and Microsoft Entra ID. Purview Audit Premium extends retention to one year with the option to extend to ten, which matches the practical retention floor for mortgage records under most state-level and federal expectations. Retention policies bind tamper-evident retention to mailboxes, document libraries, and Teams channels. Data Loss Prevention policies block borrower Non-Public Information from leaving the tenant boundary through email, attached file shares, or unmanaged endpoints. Sensitivity labels mark borrower-NPI documents so the protections travel with the file. Communication Compliance lets the company sample, classify, and review business communications for off-channel behavior, undisclosed marketing claims, or policy-flagged content before a CFPB examiner finds it. For ABT's fuller take, see Is Your Interface CFPB-Proof? What Mortgage Teams Need to Know About HMD.

The hesitation most chief compliance officers and IT leads raise about a Microsoft-365-centered compliance posture is the right one: the controls have to be configured, documented, and monitored, not just licensed. An out-of-the-box Microsoft 365 tenant ships with the controls available, not applied. Default audit retention is 90 days, not the year or ten years a mortgage record retention obligation calls for. Default DLP is off. Default sensitivity labels are not configured for borrower NPI. Default Conditional Access does not enforce Multi-Factor Authentication on every sign-in. The configuration work is governance work, and it is where most mortgage compliance projects underinvest because the work does not show up on a vendor demo.

M365 Guardian is the operating model ABT applies on top of the Microsoft baseline to close that governance gap for mortgage companies. The components are Microsoft tools the company already licenses: Microsoft Purview for retention and DLP, Microsoft Defender for Office 365 and Microsoft Defender for Endpoint for detection, Microsoft Sentinel for the security operations center incident view, Microsoft Entra ID Conditional Access for Multi-Factor Authentication and device compliance, and Microsoft Intune for endpoint posture. The Guardian layer is the configuration, the documentation, and the monitoring that makes those tools enforce GLBA, FTC Safeguards Rule, CFPB record-keeping expectations, and state privacy rules in a form a CFPB examiner accepts. Guardian wraps the whole pipeline, not just the LOS, so the audit trail covers every surface a regulator can reach: the email correspondence in Outlook, the document library in SharePoint, the meeting transcripts in Teams, the LOS-connected document hold, and the marketing message review. We cover Conditional Access Policies for Mortgage Companies in a companion piece.

Microsoft 365 Tier-1 CSP ABT Partner Insight

The CFPB compliance posture for a mortgage company resolves to three layers working together. MortgageExchange is the interface layer that feeds clean, attested data into the LOS, the servicing platform, the CRM, and Microsoft 365 so the systems agree with each other. Microsoft Purview is the evidence layer that produces the time-stamped audit trail, retention, DLP, sensitivity labels, and Communication Compliance review records examiners ask for. M365 Guardian is the operating model that configures Microsoft Purview, Microsoft Defender, Microsoft Entra ID, Microsoft Intune, and Microsoft Sentinel against the company's specific regulatory profile and documents the configuration as a vendor-oversight artifact that satisfies CFPB and state third-party-service-provider expectations. The three layers are operated together. The examiner-ready posture is the byproduct.

Source: Microsoft Learn product documentation for Microsoft Purview, Microsoft Defender, and Microsoft Entra ID, 2026.

Building CFPB Compliance Into Your Mortgage Workflows

Start with the interface layer between the LOS, the servicing system, the CRM, and Microsoft 365. Map every place borrower data is entered today. Identify the manual reentry steps. Replace them with bidirectional integration through MortgageExchange so the data flows once and propagates everywhere. The HMDA, TILA, and ECOA evidence trail starts there.

Make required fields genuinely required. Audit the LOS configuration. Identify which compliance-critical fields can currently be left blank or bypassed at submission. Lock them down at the system level so the loan officer cannot advance a file without completing the demographic record, the disclosure-timing event, and the documented borrower communication.

Implement real-time compliance dashboards. A centralized Power BI dashboard on top of the MortgageExchange-integrated data should show how many loans have pending disclosures, which applications have incomplete HMDA data, and where pipeline timing requirements approach deadlines. When the compliance officer sees the entire operation from one screen, problems surface before they become violations.

Apply Microsoft Purview retention, DLP, and sensitivity labels across every surface. Exchange Online for email correspondence. SharePoint and OneDrive for the loan document library. Microsoft Teams for the call and meeting record. The LOS-connected document hold. The audit trail covers every surface the examiner can reach, with retention durations tuned to CFPB and state-level expectations.

Connect marketing and compliance review. The UDAAP and RESPA patterns both start with marketing activities that compliance teams cannot monitor in real time. When the CRM, the email platform, and the content management system share data with Microsoft Purview Communication Compliance, promotional materials get reviewed before reaching borrowers, and the review record is in a form a CFPB examiner accepts.

Document the vendor oversight relationship. A CFPB examination of a third-party-supported workflow looks at whether the company can demonstrate oversight of the vendor. A Tier-1 CSP-managed Microsoft 365 tenant under a Granular Delegated Administrative Privileges relationship, with documented Guardian configurations and quarterly access reviews, is the form of oversight the examiner expects.

Turning Compliance from Cost Center to Competitive Advantage

Mortgage companies that build compliance into their system architecture gain advantages beyond avoiding fines.

Faster processing. When compliance checks run automatically inside the MortgageExchange-integrated workflow rather than as separate review steps, loans move through the pipeline faster. No waiting for manual reviews. No returned files for missing fields. No disclosure timing violations that require restart procedures.

Lower operational costs. Automated compliance reduces the headcount required for manual oversight. The $2 million Fay Servicing invested in technology upgrades after the enforcement action would have prevented the $5 million in penalties and consumer redress had it been invested proactively.

Stronger borrower trust. Borrowers notice when their experience is smooth, transparent, and professional. Compliant processes treat borrowers fairly and provide complete information. The result is reflected in satisfaction scores, online reviews, and referral business.

Easier examinations. When the systems produce complete, agreed-upon audit trails across the LOS, the servicing system, the CRM, and Microsoft 365, regulatory examinations become documentation exercises rather than defensive operations. The difference between producing automated compliance records and scrambling to reconstruct history determines whether an examination takes two weeks or six months.

The ABT Tier-1 CSP Advantage for Mortgage Companies

Access Business Technologies manages Microsoft 365 tenants for more than 750 financial institutions under Tier-1 Direct-Bill Cloud Solution Provider status with Microsoft. The footprint covers mortgage bankers, independent mortgage brokers, community banks, credit unions, and broker-dealers across regulated lines of business. For mortgage companies addressing CFPB compliance, the conversation ABT has most often starts with a MortgageExchange and Microsoft Purview review rather than a compliance-vendor demo. The review produces a baseline of how borrower data flows today, where the interfaces drop or duplicate the record, what Microsoft Purview is or is not configured to capture across the pipeline, and what the Guardian operating model would put in place to close the gap.

ABT applies M365 Guardian on every managed tenant. Guardian is the layered configuration of Microsoft Purview, Microsoft Defender, Microsoft Entra ID, Microsoft Intune, and Microsoft Sentinel that ABT tunes for GLBA, FTC Safeguards Rule, CFPB record-keeping, and state privacy expectations. With Guardian in place and MortgageExchange wiring the LOS, the servicing system, the CRM, and Microsoft 365 together, the company operates one pipeline of truth across every system that touches the file. The audit trail is automatic. The retention is tamper-evident. The DLP is enforced. The Conditional Access blocks borrower NPI from unmanaged devices. The CFPB examiner gets a single picture of the work, and the company gets the productivity unlock of not running compliance as a parallel manual operation on top of the loan production team.

Audit the Mortgage Compliance Pipeline Before the Next CFPB or State Examination

ABT runs the Tier-1 CSP-managed Microsoft 365 + MortgageExchange + Microsoft Purview + M365 Guardian pattern described in this article for mortgage bankers and independent mortgage brokers. A 30-minute conversation maps the current data flow across the LOS, the servicing system, the CRM, and Microsoft 365, identifies the interface gaps that drive the recurring HMDA, TILA, ECOA, RESPA, and UDAAP findings, surfaces the governance configuration work required to make the audit trail examination-ready, and outlines what an ABT-managed deployment would cover. No commitment, no quote, no obligation.

Key Takeaway

CFPB compliance for a mortgage company resolves to two operational questions. Do the systems that touch a borrower's file agree with each other across the LOS, the servicing platform, the CRM, and Microsoft 365? And is there a documented governance layer wrapping the whole pipeline that produces the audit trail an examiner accepts? MortgageExchange is the interface layer ABT operates that makes the systems agree. M365 Guardian and Microsoft Purview are the governance and evidence layers ABT operates that produce the audit trail. The two run together as a single managed service, which is how a Tier-1 Microsoft CSP-managed mortgage company turns the next CFPB or state examination into a documentation exercise rather than a six-month defensive operation.

Frequently Asked Questions

Fair lending, RESPA, and HMDA accuracy violations produce the largest penalties in the recent enforcement record. The Trident Mortgage redlining settlement reached $24.4 million. Bank of America paid $12 million for HMDA data accuracy failures. Rocket Homes faces ongoing litigation over alleged RESPA referral compensation violations. Fay Servicing owed $7 million in penalties and was required to invest $2 million in technology upgrades. The cases share a common thread, which is that the violation was documented in the company's own records because the LOS, the servicing system, the CRM, and Microsoft 365 produced inconsistent or incomplete data the examiner could point at. The fix is upstream in the interface and governance layer rather than downstream in the compliance review.

MortgageExchange is the integration product Access Business Technologies operates that connects the loan origination system, the servicing platform, the CRM, and Microsoft 365 with bidirectional data flow. It is the largest interface product ABT runs. For CFPB compliance, MortgageExchange reduces risk by eliminating the manual reentry steps that drive most HMDA accuracy, TILA timing, ECOA notification, RESPA boundary, and UDAAP marketing-review violations. Borrower data entered once propagates in real time across every system that touches the file. The HMDA demographic record, the TILA disclosure timing event, the ECOA notification date, and the marketing-message content all sit on the same set of facts, which means the compliance officer can produce a single picture of the work across every surface the examiner reaches.

Microsoft Purview is the governance layer inside Microsoft 365 that produces the records a CFPB examiner asks for. Purview Audit produces the time-stamped audit trail of every create, modify, and delete action across Exchange Online, SharePoint Online, OneDrive, Microsoft Teams, and Microsoft Entra ID. Purview Audit Premium extends retention to one year with an option to extend to ten. Retention policies bind tamper-evident retention to the mailboxes, document libraries, and Teams channels where mortgage records live. Data Loss Prevention blocks borrower Non-Public Information from leaving the tenant boundary. Sensitivity labels mark NPI documents so the protections travel with the file. Communication Compliance lets the company sample, classify, and review business communications for off-channel behavior or undisclosed marketing claims before an examiner finds them. The Guardian operating model configures Purview against the company's specific regulatory profile.

M365 Guardian is the operating model Access Business Technologies applies on top of the Microsoft baseline for regulated financial services companies. The components are Microsoft tools the company already licenses, including Microsoft Purview for retention, DLP, and Communication Compliance, Microsoft Defender for Office 365 and Microsoft Defender for Endpoint for detection, Microsoft Sentinel for incident timeline aggregation, Microsoft Entra ID Conditional Access for Multi-Factor Authentication and device-compliance enforcement, and Microsoft Intune for endpoint posture. The Guardian layer is the configuration, the documentation, and the monitoring that makes those tools enforce GLBA, FTC Safeguards Rule, CFPB record-keeping, and state privacy expectations in a form a CFPB or state examiner accepts. Guardian wraps the whole pipeline rather than the LOS alone, so the audit trail covers email, the document library, the meeting transcripts, the LOS-connected document hold, and the marketing message review.

No. The Bureau shifted toward pursuing cases with clear evidence of intentional violations and identifiable consumer harm and cut examinations by 50 percent, but the rules did not change. Every terminated consent order required full penalties and consumer redress before closure, and several included mandatory technology upgrades to fix the systems that caused the violation in the first place. State attorneys general have also stepped up enforcement in parallel. Mortgage companies with weak interface and governance layers still generate the inconsistent records and documentation gaps that produce enforcement targets. The right response is to invest in the interface layer that prevents the violation at the point of action through MortgageExchange and the governance layer that produces the audit trail through Microsoft Purview and M365 Guardian, rather than relying on after-the-fact compliance reviews.

Audit which required fields in the LOS can currently be left blank or bypassed, and audit how borrower data flows between the LOS, the servicing system, the CRM, and Microsoft 365. Making genuinely required fields mandatory at the system level prevents the most common HMDA, ECOA, and TILA documentation failures and costs almost nothing to implement. Replacing manual reentry across systems with a real-time bidirectional integration through MortgageExchange eliminates the data drift that drives most recurring findings. Layering Microsoft Purview retention, DLP, and Communication Compliance across Exchange Online, SharePoint, OneDrive, and Microsoft Teams under the Guardian operating model produces the audit trail an examiner accepts. The three steps together compound. The interface fix prevents the violation, and the governance fix produces the evidence.

Justin Kirsch

CEO, Access Business Technologies

Justin Kirsch has guided Microsoft deployments and mortgage technology integration for regulated financial institutions since 1999. As CEO of Access Business Technologies, the largest Tier-1 Microsoft Cloud Solution Provider dedicated to financial services, he helps more than 750 mortgage companies, banks, credit unions, and securities firms wire the LOS, the servicing platform, the CRM, and Microsoft 365 together through MortgageExchange and operate the audit trail through Microsoft Purview and M365 Guardian.