Building a Compliant IT Framework for Mortgage Companies


A single failed FFIEC examination costs the average mortgage company between $50,000 and $250,000 in remediation. That figure doesn't count the operational drag while your team scrambles to fix findings instead of closing loans. The FFIEC sunset its Cybersecurity Assessment Tool (CAT) on August 31, 2025, pushing lenders toward NIST CSF 2.0 and CIS Controls as the new baseline. If your IT framework hasn't caught up, examiners will notice.

Building a compliant IT framework isn't about checking boxes on a spreadsheet once a year. It's about wiring compliance into the infrastructure so your systems stay audit-ready between examinations, not just during them.

This guide breaks down what mortgage IT teams need to build, maintain, and prove to regulators in 2026.

The Regulatory Landscape Mortgage Companies Face in 2026

Mortgage companies operate under overlapping federal and state regulations. The Dodd-Frank Act, RESPA, TILA, HMDA, and the Gramm-Leach-Bliley Act (GLBA) set the federal floor. State regulators add their own layers. The FTC Safeguards Rule, updated in 2023 and enforced aggressively since, requires specific technical controls that many lenders still haven't fully implemented.

The biggest shift in 2025-2026 is the post-CAT compliance framework. The FFIEC retired the CAT and now points institutions toward three alternatives:

  • NIST Cybersecurity Framework 2.0 with its five core functions: Identify, Protect, Detect, Respond, Recover
  • CISA Cybersecurity Performance Goals (CPGs) including sector-specific targets for financial services
  • CIS Controls v8.1 providing prioritized technical safeguards ranked by implementation group

Fannie Mae added to the pressure with its Information Security and Business Resiliency Supplement, effective August 2025. Sellers and servicers now need documented business continuity plans that specifically address cyber incidents.

For mortgage IT teams, this means the framework you built around the CAT five years ago is now outdated. Examiners expect to see alignment with one of the FFIEC-endorsed frameworks, documented risk assessments, and evidence of continuous monitoring.

Five Pillars of a Compliant Mortgage IT Framework

A compliant IT framework for mortgage companies rests on five pillars. Skip one, and the whole structure wobbles during an exam.

1. Identity and Access Management

Every compliance framework starts with controlling who can access what. For mortgage companies handling borrower PII, Social Security numbers, and financial records, weak access controls are the fastest path to a finding.

The technical requirements include:

  • Multi-factor authentication (MFA) on all systems that touch borrower data, including your LOS, document management, and email
  • Conditional Access policies that block legacy authentication protocols and enforce device compliance
  • Role-based access control (RBAC) so loan officers see loan data, not payroll records
  • Privileged access management for admin accounts, with time-limited elevation and full audit logging

Microsoft Entra ID handles all four when configured correctly. The gap most lenders face isn't missing tools. It's incomplete configuration. Your tenant has the capabilities. The question is whether someone has turned them on and tested them.

2. Data Protection and Encryption

The FTC Safeguards Rule explicitly requires encryption of customer information both in transit and at rest. That means TLS 1.2 or higher for all data transmission and AES-256 encryption for stored data.

Practical steps for mortgage companies:

  • Enable BitLocker on all endpoints through Intune device compliance policies
  • Configure Data Loss Prevention (DLP) policies in Microsoft Purview to prevent borrower SSNs and account numbers from leaving the organization via email or file sharing
  • Set sensitivity labels for loan documents so they're encrypted and tracked throughout their lifecycle
  • Verify your LOS vendor's encryption standards. If Encompass or Calyx data transits unencrypted between your network and their cloud, that's a finding waiting to happen.
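To make the DLP bullet concrete, here is an added example (not code from the page or from Microsoft Purview, which ships its own sensitive-information type for SSNs) of the two-level matching a DLP rule uses for borrower SSNs: a formatted nnn-nn-nnnn is high confidence on its own, a bare nine-digit run only counts when a supporting keyword appears nearby, and both are screened against the SSA's structural rules (area 001-899 except 666, group 01-99, serial 0001-9999). The keyword list, confidence thresholds and sample messages are assumptions you would tune for your own loan documents.

```python
"""Detect and mask U.S. Social Security numbers in outbound text.

Added example, not code from the page or from Microsoft Purview. Keywords,
thresholds and sample inputs are constructed assumptions.
"""
import re

# Formatted SSN, not glued to other word characters or dashes (e.g. inside a loan number).
FORMATTED = re.compile(r"(?<![\w-])(\d{3})-(\d{2})-(\d{4})(?![\w-])")
# Bare nine digits, not part of a longer digit run.
UNFORMATTED = re.compile(r"(?<!\d)(\d{3})(\d{2})(\d{4})(?!\d)")
# Supporting evidence required before a bare nine-digit run is treated as an SSN.
KEYWORDS = re.compile(r"\b(ssn|social security|soc sec|taxpayer id)\b", re.IGNORECASE)
CONFIDENCE_RANK = {"medium": 1, "high": 2}


def structurally_valid(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues (000/666/9xx areas, 00 group, 0000 serial)."""
    a, g, s = int(area), int(group), int(serial)
    return 1 <= a <= 899 and a != 666 and g != 0 and s != 0


def find_ssns(text: str) -> list[tuple[str, str]]:
    """Return (value, confidence) for each probable SSN in text."""
    findings = []
    for m in FORMATTED.finditer(text):
        if structurally_valid(*m.groups()):
            findings.append((m.group(0), "high"))
    if KEYWORDS.search(text):  # bare digits need a supporting keyword in the same content
        for m in UNFORMATTED.finditer(text):
            if structurally_valid(*m.groups()):
                findings.append((m.group(0), "medium"))
    return findings


def should_block(text: str, minimum: str = "medium") -> bool:
    """Policy decision: block the message when any finding meets the confidence threshold."""
    return any(CONFIDENCE_RANK[c] >= CONFIDENCE_RANK[minimum] for _, c in find_ssns(text))


def mask_ssns(text: str) -> str:
    """Redact formatted SSNs, keeping only the last four digits for reconciliation."""
    def redact(m):
        return "***-**-" + m.group(3) if structurally_valid(*m.groups()) else m.group(0)
    return FORMATTED.sub(redact, text)


if __name__ == "__main__":
    sample = "Borrower SSN 123-45-6789, loan number 987654321000"  # constructed sample
    print(find_ssns(sample), should_block(sample))
    print(mask_ssns(sample))
```

The loan number in the sample is twelve digits, so the bare-digit pattern does not fire on it even though the keyword "SSN" is present; that is the same reason production DLP rules combine pattern, checksum or structure, and supporting evidence rather than matching digit runs alone.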

3. Continuous Monitoring and Threat Detection

Annual penetration tests aren't enough anymore. The NIST CSF 2.0 Detect function expects continuous monitoring with automated alerting. For mortgage companies, that means real-time visibility into:

  • Sign-in anomalies and impossible travel detections
  • Changes to Conditional Access policies or admin role assignments
  • External sharing of sensitive documents
  • Endpoint compliance drift (devices falling out of compliance with Intune policies)
  • Email authentication failures (SPF, DKIM, DMARC)

Microsoft Defender for Office 365 and Defender for Endpoint provide the detection layer. Microsoft Sentinel can aggregate alerts across your environment. The challenge for mid-size lenders is having someone watching the dashboard. Alerts that fire into an unmonitored inbox are worse than no alerts at all because examiners will ask to see your response logs.
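Two of the detections in the list above, written out as an added example so you can see what "impossible travel" and an unblocked legacy-authentication sign-in look like in raw sign-in data. This is not code from the page, from Defender or from Sentinel (both ship these as built-in analytics). The records are constructed sample data whose field names follow the Microsoft Graph signIn resource (userPrincipalName, createdDateTime, clientAppUsed, status.errorCode, location.geoCoordinates); treat that shape as an assumption to check against your own sign-in log export. The 53003 error code is the Entra "blocked by Conditional Access" result.

```python
"""Impossible-travel and legacy-auth detections over sign-in records.

Added example, not code from the page or from Microsoft. Records are
constructed sample data in the shape of the Graph signIn resource (assumed).
"""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Client apps that cannot satisfy an MFA challenge. A *successful* sign-in over
# one of these means Conditional Access is not blocking legacy authentication.
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP",
                      "Exchange ActiveSync", "Other clients"}
MAX_PLAUSIBLE_KMH = 900.0  # airliner speed; anything faster is not one person travelling
EARTH_RADIUS_KM = 6371.0

SAMPLE_SIGNINS = [  # constructed sample data
    {"userPrincipalName": "lo1@example.com", "createdDateTime": "2026-01-12T13:00:00Z",
     "clientAppUsed": "Browser", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "US", "geoCoordinates": {"latitude": 40.71, "longitude": -74.01}}},
    {"userPrincipalName": "lo1@example.com", "createdDateTime": "2026-01-12T13:30:00Z",
     "clientAppUsed": "Browser", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "GB", "geoCoordinates": {"latitude": 51.51, "longitude": -0.13}}},
    {"userPrincipalName": "exec@example.com", "createdDateTime": "2026-01-12T14:05:00Z",
     "clientAppUsed": "IMAP4", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "US", "geoCoordinates": {"latitude": 41.88, "longitude": -87.63}}},
    {"userPrincipalName": "lo2@example.com", "createdDateTime": "2026-01-12T14:10:00Z",
     "clientAppUsed": "POP3", "status": {"errorCode": 53003},
     "location": {"countryOrRegion": "US", "geoCoordinates": {"latitude": 41.88, "longitude": -87.63}}},
]


def _ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in sign-in logs."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two coordinates in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def detect_impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive successful sign-ins by one user whose implied speed is implausible."""
    by_user = {}
    for rec in sorted(signins, key=lambda r: r["createdDateTime"]):
        if rec["status"]["errorCode"] == 0:  # only successful sign-ins establish presence
            by_user.setdefault(rec["userPrincipalName"], []).append(rec)
    alerts = []
    for upn, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            p = prev["location"]["geoCoordinates"]
            c = cur["location"]["geoCoordinates"]
            km = haversine_km(p["latitude"], p["longitude"], c["latitude"], c["longitude"])
            hours = (_ts(cur["createdDateTime"]) - _ts(prev["createdDateTime"])).total_seconds() / 3600
            # Same-second sign-ins from two distant places are also impossible.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append({"user": upn, "km": round(km), "hours": round(hours, 2),
                               "kmh": round(speed), "from": prev["location"]["countryOrRegion"],
                               "to": cur["location"]["countryOrRegion"]})
    return alerts


def detect_legacy_auth(signins):
    """Split legacy-protocol sign-ins into successes (a control gap) and CA blocks (exam evidence)."""
    gaps, blocked = [], []
    for rec in signins:
        if rec["clientAppUsed"] not in LEGACY_CLIENT_APPS:
            continue
        entry = (rec["userPrincipalName"], rec["clientAppUsed"], rec["status"]["errorCode"])
        (gaps if rec["status"]["errorCode"] == 0 else blocked).append(entry)
    return gaps, blocked


if __name__ == "__main__":
    for a in detect_impossible_travel(SAMPLE_SIGNINS):
        print(f"IMPOSSIBLE TRAVEL {a['user']}: {a['from']}->{a['to']} {a['km']} km in {a['hours']} h")
    gaps, blocked = detect_legacy_auth(SAMPLE_SIGNINS)
    for upn, app, _ in gaps:
        print(f"LEGACY AUTH SUCCEEDED {upn} via {app}: Conditional Access is not blocking it")
    print(f"{len(blocked)} legacy-auth attempt(s) blocked by Conditional Access")
```

The second function is the one that doubles as evidence: the blocked list is what you show an examiner to prove the legacy-auth policy is enforced, and the gaps list is the "that one executive's old email client" exception that still needs closing.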

4. Incident Response and Business Continuity

Fannie Mae's 2025 supplement now requires documented incident response plans that specifically address cyber events. Examiners want to see three things:

  • A written incident response plan that names roles, escalation procedures, and communication templates
  • Tabletop exercises conducted at least annually, with documented results and corrective actions
  • Backup and recovery testing proving you can restore loan data and resume operations within your stated recovery time objective (RTO)

The common failure point is testing. Many lenders have an incident response plan in a binder on a shelf. They've never run it. When examiners ask "When did you last test your IR plan?" the answer can't be "never."

5. Vendor Risk Management

Mortgage companies rely on dozens of third-party vendors: LOS platforms, credit bureaus, appraisal management companies, document preparation services, and IT providers. Each vendor with access to borrower data extends your compliance boundary.

A compliant vendor management program includes:

  • Due diligence questionnaires for every vendor with data access
  • Annual SOC 2 report reviews (or equivalent attestations)
  • Contractual requirements for breach notification timelines
  • Access reviews confirming vendors only reach systems they need

The FFIEC's updated guidance specifically calls out concentration risk. If your LOS, email, file storage, and security tools all run on the same cloud provider, examiners want to see how you've assessed and mitigated that concentration.

Building the Evidence Trail Examiners Actually Want

Compliance isn't just about having controls. It's about proving they work. The IT framework needs to generate evidence automatically because manual compliance tracking breaks down at scale.

Automated Compliance Reporting

Microsoft 365 compliance tools can generate most of the evidence examiners request. The key reports include:

  • Microsoft Secure Score trending over time (shows continuous improvement, not just point-in-time snapshots)
  • Conditional Access sign-in logs showing MFA enforcement rates and blocked legacy auth attempts
  • DLP policy match reports demonstrating you're catching and blocking sensitive data leaks
  • Device compliance reports from Intune showing encryption status, OS patch levels, and policy adherence
  • Audit logs for admin actions, mailbox access, and SharePoint/OneDrive external sharing

The trick is setting up these reports before an exam, not scrambling to pull them when you get the notification letter. Build a monthly compliance dashboard that your CISO or compliance officer reviews. That review itself becomes evidence of governance.

Policy Documentation That Passes Muster

Examiners read policies. They compare what the policy says to what the system actually does. The fastest way to fail an exam is having a policy that describes controls you haven't implemented.

Write policies that match your actual environment. If your policy says "all endpoints are encrypted" but Intune shows 15% non-compliant devices, that's a finding. Update the policy to reflect reality, then close the gap.

Essential policy documents for mortgage companies:

  • Information Security Policy (umbrella document covering all controls)
  • Acceptable Use Policy
  • Incident Response Plan
  • Business Continuity and Disaster Recovery Plan
  • Vendor Management Policy
  • Data Classification and Handling Policy
  • Change Management Policy

Common IT Framework Gaps That Trigger Examination Findings

After working with hundreds of mortgage companies on compliance readiness, certain patterns emerge. These gaps show up repeatedly across lenders of all sizes.

Legacy Authentication Still Enabled

Legacy authentication protocols (POP3, IMAP, SMTP basic auth) bypass MFA entirely. Microsoft has deprecated them, but many tenants still allow them for "that one application" or "that one executive's old email client." Examiners check. Block legacy auth through Conditional Access. No exceptions.

No Centralized Logging

Loan officer workstations generate security events. Your LOS generates audit logs. Your email system generates sign-in data. If none of it feeds into a centralized view, you can't demonstrate the continuous monitoring that NIST CSF 2.0 requires. Microsoft Sentinel or a similar SIEM tool centralizes these feeds.

Patch Management Gaps

The FTC Safeguards Rule requires timely patching. "Timely" in practice means critical patches within 14 days, high-severity within 30 days. Intune can enforce Windows Update compliance deadlines. The problem arises with line-of-business applications your LOS vendor patches on their own schedule.
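The patch deadlines above, together with the encryption-status and patch-level reporting described under Automated Compliance Reporting, reduce to a small calculation over your device and patch records. The following is an added example, not code from the page or from Intune: the device records are constructed, with the deviceName, isEncrypted and complianceState fields following the Microsoft Graph managedDevice resource (an assumption to verify against your own export), and the patch records use a constructed tracker schema with placeholder patch IDs. The 14-day critical and 30-day high deadlines are the ones the article gives.

```python
"""Endpoint evidence: encryption coverage and patch SLA status.

Added example, not code from the page or from Intune. All records below are
constructed sample data; patch IDs are placeholders.
"""
from datetime import date, timedelta

PATCH_SLA_DAYS = {"critical": 14, "high": 30}  # deadlines stated in the article
AS_OF = date(2026, 1, 30)  # constructed reporting date

DEVICES = [  # constructed sample data (field names assumed from Graph managedDevice)
    {"deviceName": "LO-LAPTOP-01", "isEncrypted": True, "complianceState": "compliant"},
    {"deviceName": "LO-LAPTOP-02", "isEncrypted": True, "complianceState": "compliant"},
    {"deviceName": "LO-LAPTOP-03", "isEncrypted": False, "complianceState": "noncompliant"},
    {"deviceName": "UW-DESKTOP-01", "isEncrypted": True, "complianceState": "compliant"},
]

PATCHES = [  # constructed sample data; patch IDs are placeholders
    {"deviceName": "LO-LAPTOP-01", "patch": "PATCH-PLACEHOLDER-A", "severity": "critical",
     "releaseDate": date(2026, 1, 2), "installedDate": date(2026, 1, 10)},
    {"deviceName": "LO-LAPTOP-02", "patch": "PATCH-PLACEHOLDER-A", "severity": "critical",
     "releaseDate": date(2026, 1, 2), "installedDate": date(2026, 1, 20)},
    {"deviceName": "LO-LAPTOP-03", "patch": "PATCH-PLACEHOLDER-B", "severity": "high",
     "releaseDate": date(2026, 1, 5), "installedDate": None},
    {"deviceName": "UW-DESKTOP-01", "patch": "PATCH-PLACEHOLDER-C", "severity": "high",
     "releaseDate": date(2025, 12, 1), "installedDate": None},
    {"deviceName": "UW-DESKTOP-01", "patch": "PATCH-PLACEHOLDER-D", "severity": "moderate",
     "releaseDate": date(2025, 12, 1), "installedDate": None},
]


def encryption_coverage(devices):
    """Percentage of endpoints reporting full-disk encryption, plus the laggards by name."""
    unencrypted = sorted(d["deviceName"] for d in devices if not d["isEncrypted"])
    pct = 100.0 * (len(devices) - len(unencrypted)) / len(devices) if devices else 0.0
    return {"percent": round(pct, 1), "unencrypted": unencrypted}


def patch_status(record, as_of):
    """Classify one patch record against the SLA: met, late, open, overdue or no-sla."""
    days = PATCH_SLA_DAYS.get(record["severity"])
    if days is None:
        return "no-sla"  # severities without a stated deadline are tracked but not scored
    deadline = record["releaseDate"] + timedelta(days=days)
    if record["installedDate"] is not None:
        return "met" if record["installedDate"] <= deadline else "late"
    return "overdue" if as_of > deadline else "open"


def patch_sla_report(patches, as_of):
    """Per-record status list, so the evidence names the device and patch that missed a deadline."""
    return [{"deviceName": p["deviceName"], "patch": p["patch"], "severity": p["severity"],
             "status": patch_status(p, as_of)} for p in patches]


def compliance_summary(devices, patches, as_of):
    """The headline numbers a monthly compliance dashboard would carry."""
    statuses = [r["status"] for r in patch_sla_report(patches, as_of)]
    return {
        "encryption_percent": encryption_coverage(devices)["percent"],
        "patches_overdue": statuses.count("overdue"),
        "patches_late": statuses.count("late"),
        "patches_open": statuses.count("open"),
    }


if __name__ == "__main__":
    print(compliance_summary(DEVICES, PATCHES, AS_OF))
    for row in patch_sla_report(PATCHES, AS_OF):
        print(row)
```

The distinction between "late" (installed, but after the deadline) and "overdue" (still missing) matters for the evidence trail: the first shows a process that works but slipped once, the second is an open finding. The same split applies to line-of-business applications patched on a vendor's schedule; record the vendor release date as releaseDate and the deadline clock starts from there.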

Missing or Stale Risk Assessments

Every compliance framework requires a current risk assessment. "Current" means updated annually at minimum, or whenever significant changes occur (new LOS platform, office relocation, acquisition). A risk assessment from 2022 won't satisfy a 2026 examiner.

Inadequate Training Documentation

Staff training on security awareness and compliance is required by GLBA and the FTC Safeguards Rule. The gap isn't usually the training itself. It's the documentation. Keep completion records, test scores, and training dates in a system you can query when examiners ask.

The MSP Factor: Why In-House IT Alone Isn't Enough

Mid-size mortgage companies face a staffing problem. A full compliance program requires expertise in identity management, endpoint security, data protection, incident response, and vendor management. That's five specialties. Most lenders have an IT team of one to three people.

A managed service provider (MSP) with financial services expertise fills the gap. The right MSP brings:

  • Pre-built compliance configurations for Microsoft 365 that map to NIST CSF 2.0 and CIS Controls
  • 24/7 monitoring that your two-person IT team can't provide
  • Exam preparation support including evidence gathering, policy review, and examiner response coordination
  • Continuous hardening that adapts as Microsoft releases new security features and as regulations change

The cost of a compliance-focused MSP is typically less than one additional full-time security engineer. The ROI becomes obvious the first time you pass an exam without findings.

A 90-Day IT Framework Hardening Plan

If your current framework has gaps, here's a prioritized 90-day plan to close the most common ones.

Days 1-30: Identity and Access

  • Enable MFA for all users, including service accounts where possible
  • Block legacy authentication via Conditional Access
  • Audit admin role assignments and remove unnecessary privileged access
  • Implement named Conditional Access policies (not just defaults) for each user group

Days 31-60: Data Protection and Monitoring

  • Enable BitLocker enforcement through Intune compliance policies
  • Deploy DLP policies targeting SSNs, account numbers, and loan application data
  • Configure Microsoft Defender alerting and assign response owners
  • Set up centralized audit logging with 90-day minimum retention

Days 61-90: Documentation and Testing

  • Write or update your Information Security Policy to match actual controls
  • Conduct a tabletop incident response exercise
  • Test backup restoration and document RTO/RPO results
  • Complete vendor risk assessments for your top 10 data-access vendors
  • Build your monthly compliance dashboard in Power BI

Frequently Asked Questions

What replaced the FFIEC Cybersecurity Assessment Tool for mortgage companies?

The FFIEC retired the CAT on August 31, 2025 and now endorses three alternatives: NIST Cybersecurity Framework 2.0, CISA Cybersecurity Performance Goals, and CIS Controls v8.1. Mortgage companies should align with at least one of these frameworks and document their risk assessments against its control categories. Examiners expect to see framework alignment in your next examination cycle.

How does the FTC Safeguards Rule affect mortgage company IT requirements?

The FTC Safeguards Rule requires mortgage companies to implement specific technical controls including encryption of customer data in transit and at rest, multi-factor authentication on all systems accessing customer information, continuous monitoring, and a written incident response plan. Non-compliance can result in FTC enforcement actions and state-level penalties that compound across jurisdictions.

What should a mortgage company's incident response plan include?

A mortgage company's incident response plan must include named roles and responsibilities, escalation procedures with contact information, communication templates for regulators and affected borrowers, evidence preservation procedures, and recovery steps with documented recovery time objectives. The plan requires annual tabletop testing with documented results and corrective actions tracked to completion.

How often should mortgage companies update their IT risk assessments?

Mortgage companies should update IT risk assessments at least annually and whenever significant changes occur. Significant changes include deploying a new LOS platform, migrating to cloud infrastructure, opening or closing branch offices, merging with another company, or experiencing a security incident. A risk assessment older than 12 months will draw examiner scrutiny during any regulatory review.

What are the most common IT compliance findings in mortgage examinations?

The most common findings include legacy authentication protocols still enabled, missing or stale risk assessments, inadequate patch management documentation, lack of centralized security logging, incomplete vendor risk management programs, and policies that describe controls not actually implemented. Addressing these six areas before an examination eliminates the majority of typical findings for mortgage companies.

Technical Reference

NIST CSF 2.0: The National Institute of Standards and Technology Cybersecurity Framework version 2.0, released February 2024, organizes cybersecurity activities into five core functions (Identify, Protect, Detect, Respond, Recover) with implementation tiers and profiles for different organizational maturity levels.

FFIEC CAT: The Federal Financial Institutions Examination Council Cybersecurity Assessment Tool, a self-assessment framework used by financial institutions from 2015 through August 2025, now retired in favor of NIST CSF 2.0, CISA CPGs, and CIS Controls.

FTC Safeguards Rule: Part of the Gramm-Leach-Bliley Act implementation, requiring non-banking financial institutions including mortgage companies to maintain comprehensive information security programs with specific technical, administrative, and physical safeguards.

Conditional Access: A Microsoft Entra ID feature that enforces access policies based on user identity, device compliance, location, and risk level, enabling zero-trust access control without additional third-party tools.

DLP (Data Loss Prevention): Microsoft Purview policies that detect and block sensitive information (SSNs, account numbers, loan data) from being shared outside the organization through email, Teams, SharePoint, or endpoint file transfers.
