A single failed FFIEC examination costs the average mortgage company between $50,000 and $250,000 in remediation. That figure doesn't count the operational drag while your team scrambles to fix findings instead of closing loans. The FFIEC sunset its Cybersecurity Assessment Tool (CAT) on August 31, 2025, pushing lenders toward NIST CSF 2.0 and CIS Controls as the new baseline. If your IT framework hasn't caught up, examiners will notice.
Building a compliant IT framework isn't about checking boxes on a spreadsheet once a year. It's about wiring compliance into the infrastructure so your systems stay audit-ready between examinations, not just during them.
This guide breaks down what mortgage IT teams need to build, maintain, and prove to regulators in 2026.
Mortgage companies operate under overlapping federal and state regulations. The Dodd-Frank Act, RESPA, TILA, HMDA, and the Gramm-Leach-Bliley Act (GLBA) set the federal floor. State regulators add their own layers. The FTC Safeguards Rule, updated in 2023 and enforced aggressively since, requires specific technical controls that many lenders still haven't fully implemented.
The biggest shift in 2025-2026 is the post-CAT compliance framework. The FFIEC retired the CAT and now points institutions toward three alternatives: NIST Cybersecurity Framework 2.0, CISA Cybersecurity Performance Goals, and CIS Controls v8.1.
Fannie Mae added to the pressure with its Information Security and Business Resiliency Supplement, effective August 2025. Sellers and servicers now need documented business continuity plans that specifically address cyber incidents.
For mortgage IT teams, this means the framework you built around the CAT five years ago is now outdated. Examiners expect to see alignment with one of the FFIEC-endorsed frameworks, documented risk assessments, and evidence of continuous monitoring.
A compliant IT framework for mortgage companies rests on five pillars. Skip one, and the whole structure wobbles during an exam.
Every compliance framework starts with controlling who can access what. For mortgage companies handling borrower PII, Social Security numbers, and financial records, weak access controls are the fastest path to a finding.
The technical requirements include:
Microsoft Entra ID handles all four when configured correctly. The gap most lenders face isn't missing tools. It's incomplete configuration. Your tenant has the capabilities. The question is whether someone has turned them on and tested them.
The FTC Safeguards Rule explicitly requires encryption of customer information both in transit and at rest. That means TLS 1.2 or higher for all data transmission and AES-256 encryption for stored data.
Practical steps for mortgage companies:
Annual penetration tests aren't enough anymore. The NIST CSF 2.0 Detect function expects continuous monitoring with automated alerting. For mortgage companies, that means real-time visibility into:
Microsoft Defender for Office 365 and Defender for Endpoint provide the detection layer. Microsoft Sentinel can aggregate alerts across your environment. The challenge for mid-size lenders is having someone watching the dashboard. Alerts that fire into an unmonitored inbox are worse than no alerts at all because examiners will ask to see your response logs.
Fannie Mae's 2025 supplement now requires documented incident response plans that specifically address cyber events. Examiners want to see three things:
The common failure point is testing. Many lenders have an incident response plan in a binder on a shelf. They've never run it. When examiners ask "When did you last test your IR plan?" the answer can't be "never."
Mortgage companies rely on dozens of third-party vendors: LOS platforms, credit bureaus, appraisal management companies, document preparation services, and IT providers. Each vendor with access to borrower data extends your compliance boundary.
A compliant vendor management program includes:
The FFIEC's updated guidance specifically calls out concentration risk. If your LOS, email, file storage, and security tools all run on the same cloud provider, examiners want to see how you've assessed and mitigated that concentration.
Compliance isn't just about having controls. It's about proving they work. The IT framework needs to generate evidence automatically because manual compliance tracking breaks down at scale.
Microsoft 365 compliance tools can generate most of the evidence examiners request. The key reports include:
The trick is setting up these reports before an exam, not scrambling to pull them when you get the notification letter. Build a monthly compliance dashboard that your CISO or compliance officer reviews. That review itself becomes evidence of governance.
Examiners read policies. They compare what the policy says to what the system actually does. The fastest way to fail an exam is having a policy that describes controls you haven't implemented.
Write policies that match your actual environment. If your policy says "all endpoints are encrypted" but Intune shows 15% non-compliant devices, that's a finding. Update the policy to reflect reality, then close the gap.
Essential policy documents for mortgage companies:
After working with hundreds of mortgage companies on compliance readiness, certain patterns emerge. These gaps show up repeatedly across lenders of all sizes.
Legacy authentication protocols (POP3, IMAP, SMTP basic auth) bypass MFA entirely. Microsoft has deprecated them, but many tenants still allow them for "that one application" or "that one executive's old email client." Examiners check. Block legacy auth through Conditional Access. No exceptions.
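Blocking legacy auth is the fix; proving it is blocked is the evidence. The script below is an added example (not from the original article or any Microsoft tool) that runs over an exported Entra sign-in log and lists every user who still completed a sign-in over a legacy protocol. The sample records are constructed, and the set of `clientAppUsed` values treated as legacy is an assumption to verify against your own export.

```python
import json

# Client app values that indicate legacy (non-modern) authentication. The names
# follow the Entra sign-in log "clientAppUsed" field; the exact set is an
# assumption here, so verify it against your own export before relying on it.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "SMTP", "Authenticated SMTP",
    "Other clients",
}

# Constructed sample export (JSON lines, not real data). The fourth record is a
# failed POP3 attempt (non-zero errorCode), which must not count as a bypass.
SAMPLE_SIGNIN_LOG = """
{"createdDateTime": "2026-01-12T08:01:11Z", "userPrincipalName": "lo1@example-lender.test", "clientAppUsed": "Browser", "status": {"errorCode": 0}}
{"createdDateTime": "2026-01-12T08:03:45Z", "userPrincipalName": "exec@example-lender.test", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}}
{"createdDateTime": "2026-01-12T08:05:02Z", "userPrincipalName": "scanner@example-lender.test", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 0}}
{"createdDateTime": "2026-01-12T08:06:30Z", "userPrincipalName": "exec@example-lender.test", "clientAppUsed": "POP3", "status": {"errorCode": 50126}}
"""

def parse_signins(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def legacy_auth_signins(records, successful_only=True):
    """Return sign-ins that used a legacy protocol. A *successful* legacy
    sign-in is the finding that matters: it proves MFA was bypassed."""
    hits = []
    for r in records:
        if r.get("clientAppUsed") not in LEGACY_CLIENT_APPS:
            continue
        if successful_only and r.get("status", {}).get("errorCode", 0) != 0:
            continue
        hits.append(r)
    return hits

def legacy_auth_report(records):
    """Per-user list of legacy protocols used successfully, which makes the
    'that one executive' / 'that one application' exceptions explicit."""
    report = {}
    for r in legacy_auth_signins(records):
        report.setdefault(r["userPrincipalName"], set()).add(r["clientAppUsed"])
    return {user: sorted(protocols) for user, protocols in report.items()}

if __name__ == "__main__":
    for user, protocols in legacy_auth_report(parse_signins(SAMPLE_SIGNIN_LOG)).items():
        print(f"{user}: successful legacy auth via {', '.join(protocols)}")
```

An empty report after the Conditional Access block policy has been in place for a full reporting period is the evidence an examiner will accept; a non-empty one is your exception list to close.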
Loan officer workstations generate security events. Your LOS generates audit logs. Your email system generates sign-in data. If none of it feeds into a centralized view, you can't demonstrate the continuous monitoring that NIST CSF 2.0 requires. Microsoft Sentinel or a similar SIEM tool centralizes these feeds.
The FTC Safeguards Rule requires timely patching. "Timely" in practice means critical patches within 14 days, high-severity within 30 days. Intune can enforce Windows Update compliance deadlines. The problem arises with line-of-business applications your LOS vendor patches on their own schedule.
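Turning the 14-day and 30-day targets into evidence means evaluating every outstanding patch against its deadline and separating what Intune enforces from what the LOS vendor controls. The script below is an added example (not from the original article) that does this over a constructed inventory; the patch identifiers are placeholders, and the 90-day target for medium severity is an assumption not stated in the text.

```python
from datetime import date, timedelta

# SLA targets stated in the text: critical within 14 days, high within 30 days
# of the patch release date. The 90-day medium target is an assumption.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90}

# Constructed sample inventory (not real data; patch ids are placeholders).
# "managed_by" records who applies the patch: "intune" for Windows updates
# enforced in-house, "vendor" for LOS components patched on the vendor's schedule.
SAMPLE_INVENTORY = [
    {"device": "LO-WS-014", "patch": "KB-PLACEHOLDER-1", "severity": "critical",
     "released": "2026-01-05", "installed": "2026-01-10", "managed_by": "intune"},
    {"device": "LO-WS-022", "patch": "KB-PLACEHOLDER-1", "severity": "critical",
     "released": "2026-01-05", "installed": None, "managed_by": "intune"},
    {"device": "LOS-APP-01", "patch": "LOS-HOTFIX-PLACEHOLDER", "severity": "high",
     "released": "2025-12-01", "installed": None, "managed_by": "vendor"},
    {"device": "LO-WS-031", "patch": "KB-PLACEHOLDER-2", "severity": "high",
     "released": "2026-01-20", "installed": None, "managed_by": "intune"},
]

def evaluate(record, as_of):
    """Classify one patch record against its SLA as of an ISO date string:
    compliant / late (installed, but after the deadline) / pending / overdue."""
    deadline = date.fromisoformat(record["released"]) + timedelta(days=SLA_DAYS[record["severity"]])
    if record["installed"]:
        return "compliant" if date.fromisoformat(record["installed"]) <= deadline else "late"
    return "overdue" if date.fromisoformat(as_of) > deadline else "pending"

def sla_report(inventory, as_of):
    """Group findings so the evidence separates what Intune can enforce from
    what needs a vendor attestation or a documented compensating control."""
    report = {"compliant": [], "late": [], "pending": [],
              "overdue_internal": [], "overdue_vendor": []}
    for r in inventory:
        status = evaluate(r, as_of)
        if status == "overdue":
            status = "overdue_vendor" if r["managed_by"] == "vendor" else "overdue_internal"
        report[status].append((r["device"], r["patch"]))
    return report

if __name__ == "__main__":
    for bucket, items in sla_report(SAMPLE_INVENTORY, "2026-01-28").items():
        print(f"{bucket}: {items}")
```

Run monthly, the `overdue_vendor` bucket becomes the list of items for which you need a written patch schedule or compensating control from the LOS vendor, which is exactly what examiners ask for when the vendor owns the patch cycle.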
Every compliance framework requires a current risk assessment. "Current" means updated annually at minimum, or whenever significant changes occur (new LOS platform, office relocation, acquisition). A risk assessment from 2022 won't satisfy a 2026 examiner.
Staff training on security awareness and compliance is required by GLBA and the FTC Safeguards Rule. The gap isn't usually the training itself. It's the documentation. Keep completion records, test scores, and training dates in a system you can query when examiners ask.
Mid-size mortgage companies face a staffing problem. A full compliance program requires expertise in identity management, endpoint security, data protection, incident response, and vendor management. That's five specialties. Most lenders have an IT team of one to three people.
A managed service provider (MSP) with financial services expertise fills the gap. The right MSP brings:
The cost of a compliance-focused MSP is typically less than one additional full-time security engineer. The ROI becomes obvious the first time you pass an exam without findings.
If your current framework has gaps, here's a prioritized 90-day plan to close the most common ones.
The FFIEC retired the CAT on August 31, 2025 and now endorses three alternatives: NIST Cybersecurity Framework 2.0, CISA Cybersecurity Performance Goals, and CIS Controls v8.1. Mortgage companies should align with at least one of these frameworks and document their risk assessments against its control categories. Examiners expect to see framework alignment in your next examination cycle.
The FTC Safeguards Rule requires mortgage companies to implement specific technical controls including encryption of customer data in transit and at rest, multi-factor authentication on all systems accessing customer information, continuous monitoring, and a written incident response plan. Non-compliance can result in FTC enforcement actions and state-level penalties that compound across jurisdictions.
A mortgage company's incident response plan must include named roles and responsibilities, escalation procedures with contact information, communication templates for regulators and affected borrowers, evidence preservation procedures, and recovery steps with documented recovery time objectives. The plan requires annual tabletop testing with documented results and corrective actions tracked to completion.
Mortgage companies should update IT risk assessments at least annually and whenever significant changes occur. Significant changes include deploying a new LOS platform, migrating to cloud infrastructure, opening or closing branch offices, merging with another company, or experiencing a security incident. A risk assessment older than 12 months will draw examiner scrutiny during any regulatory review.
The most common findings include legacy authentication protocols still enabled, missing or stale risk assessments, inadequate patch management documentation, lack of centralized security logging, incomplete vendor risk management programs, and policies that describe controls not actually implemented. Addressing these six areas before an examination eliminates the majority of typical findings for mortgage companies.
NIST CSF 2.0: The National Institute of Standards and Technology Cybersecurity Framework version 2.0, released February 2024, organizes cybersecurity activities into five core functions (Identify, Protect, Detect, Respond, Recover) with implementation tiers and profiles for different organizational maturity levels.
FFIEC CAT: The Federal Financial Institutions Examination Council Cybersecurity Assessment Tool, a self-assessment framework used by financial institutions from 2015 through August 2025, now retired in favor of NIST CSF 2.0, CISA CPGs, and CIS Controls.
FTC Safeguards Rule: Part of the Gramm-Leach-Bliley Act implementation, requiring non-banking financial institutions including mortgage companies to maintain comprehensive information security programs with specific technical, administrative, and physical safeguards.
Conditional Access: A Microsoft Entra ID feature that enforces access policies based on user identity, device compliance, location, and risk level, enabling zero-trust access control without additional third-party tools.
DLP (Data Loss Prevention): Microsoft Purview policies that detect and block sensitive information (SSNs, account numbers, loan data) from being shared outside the organization through email, Teams, SharePoint, or endpoint file transfers.