When Acting Director Russell Vought froze CFPB operations in February 2025 and proposed 90% staff reductions, many mortgage lenders breathed a sigh of relief. That relief was premature. HMDA reporting requirements survived untouched. The underlying statutes remain law. And state regulators moved fast to fill the federal gap.
Michigan's Attorney General reaffirmed enforcement under the state Consumer Protection Act. New York passed the FAIR Business Practices Act, expanding authority over unfair lending practices. California's DFPI accelerated investigations into mortgage origination. The Homebuyers Privacy Protection Act, signed September 2025, takes effect March 4, 2026, restricting trigger lead practices.
Your mortgage application interfaces need to handle HMDA data collection, fair lending documentation, and compliance evidence regardless of who enforces the rules. Here is how to build interfaces that satisfy any examiner who walks through the door.
The Home Mortgage Disclosure Act is a federal statute passed by Congress. The CFPB implements it through Regulation C, but the Bureau cannot eliminate the law through administrative action. The 2026 HMDA asset-size exemption threshold rose to $59 million, meaning more small lenders are exempt. Every lender above that threshold must still collect and report.
Regulation C requires mortgage lenders to collect data on loan applications, originations, and purchases. This includes borrower demographics, loan terms, property information, and denial reasons. Your application interface is where most of this data enters your system.
The CFPB Guidance Compendium covering October 2021 through January 2025 remains in effect. Reduced enforcement staff does not change the data reporting obligations.
As the federal backstop weakens, states are building their own enforcement capacity. A 2022 CFPB interpretive rule affirmed that state attorneys general can bring civil actions to enforce Consumer Financial Protection Act provisions, including UDAAP prohibitions. That delegation survives the current administration's policy shift.
Here is what is happening on the ground:
For multi-state lenders, this creates a patchwork of requirements. Your interfaces must capture the data that satisfies the strictest state, not just the current federal minimum.
Your mortgage application interface must capture HMDA-reportable data at the point of entry. Retrofitting data collection after the fact creates gaps that examiners will find.
Build these fields into your interface as required inputs. Do not allow loan officers to skip demographic collection or mark fields as "information not provided" without the borrower explicitly declining.
Fair lending compliance goes beyond HMDA data collection. Your interfaces must support consistent treatment across all applicants.
Build these safeguards into your application workflow:
Step 1: Map every data field to its regulatory source. Create a crosswalk document that ties each field in your application interface to the specific regulation requiring it. HMDA, ECOA, TILA, RESPA, and state-specific requirements should all be mapped.
Step 2: Validate data at entry. Do not wait for quality control to catch missing or inconsistent data. Build validation rules into the interface that prevent incomplete applications from advancing to the next stage.
Step 3: Lock completed fields. Once a borrower submits demographic information, that data should be protected from editing by loan officers. Create a tamper-evident audit trail showing the original entry plus any subsequent changes with timestamps and user IDs.
Step 4: Automate compliance checks against current thresholds. The 2026 HMDA asset-size threshold is $59 million. QM points-and-fees caps, HOEPA triggers, and APR-to-APOR spreads all update annually. Your interface should reference current values, not hardcoded numbers from last year.
Step 5: Generate examiner-ready reports on demand. State examiners now demand campaign archives, NMLS identifier verification, and fair lending data with short turnaround times. Build report templates that pull directly from your interface data.
Step 6: Test your interface against real examination scenarios. Run mock examinations quarterly. Have your compliance team play the role of a state examiner and request the data they would ask for. Fix gaps before a real examiner finds them.
Compliance experts at RiskExec Connect 2025 put it plainly: "You can't eliminate the CFPB by waving a wand. The statutes and rules still exist." Lenders who cut compliance spending during enforcement pauses become primary targets when the pendulum swings back.
Build your documentation trail to survive any enforcement environment:
Consistency is protection. Document decisions the same way whether enforcement is aggressive or quiet. When oversight returns, your records will speak for themselves.
No. HMDA is a federal statute that the CFPB implements through Regulation C but cannot repeal administratively. The 2026 asset-size exemption threshold is $59 million, and all lenders above that threshold must continue collecting and reporting HMDA data. Reduced CFPB enforcement does not change the underlying legal obligations for mortgage lenders.
California DFPI, New York AG, Michigan AG, Pennsylvania, and Illinois have expanded fair lending and servicing oversight. New York passed the FAIR Business Practices Act banning unfair acts. California finalized CCPA amendments requiring cybersecurity audits. Multi-state coordination through CSBS is standardizing examination formats, and former CFPB personnel now work within state agencies.
Mortgage interfaces must collect race, ethnicity, and sex data using standardized HMDA categories at the application stage. Fields should be required inputs that cannot be skipped unless the borrower explicitly declines. Collected demographic data must be protected from editing by loan officers, with tamper-evident audit trails recording original entries and any subsequent changes.
The Homebuyers Privacy Protection Act was signed into law on September 5, 2025, and takes effect March 4, 2026. It amends the Fair Credit Reporting Act to restrict how mortgage-related inquiry data is used in prescreening programs known as trigger leads. Lenders receiving trigger leads must have express consumer authorization or an existing relationship with the consumer.
The regulatory landscape did not simplify in 2025. It fragmented. Federal enforcement slowed, but state enforcement accelerated. The statutes remain law. The data requirements remain unchanged.
Your mortgage application interface is where compliance starts. Build it to capture the right data, generate the right reports, and produce the audit trail that any examiner expects.
Talk to a mortgage IT specialist about building compliance-ready interfaces for your lending operation.