
Is Your Interface CFPB-Proof? What Mortgage Teams Need to Know About HMDA Compliance

Written by Justin Kirsch | Sep 7, 2025 9:00:00 PM

The CFPB Stepped Back in 2025. State Regulators Did Not.

When Acting Director Russell Vought froze CFPB operations in February 2025 and proposed 90% staff reductions, many mortgage lenders breathed a sigh of relief. That relief was premature. HMDA reporting requirements survived untouched. The underlying statutes remain law. And state regulators moved fast to fill the federal gap.

Michigan's Attorney General reaffirmed enforcement under the state Consumer Protection Act. New York passed the FAIR Business Practices Act, expanding authority over unfair lending practices. California's DFPI accelerated investigations into mortgage origination. The Homebuyers Privacy Protection Act, signed September 2025, takes effect March 4, 2026, restricting trigger lead practices.

Your mortgage application interfaces need to handle HMDA data collection, fair lending documentation, and compliance evidence regardless of who enforces the rules. Here is how to build interfaces that satisfy any examiner who walks through the door.

HMDA Reporting Survives the CFPB Downsizing

The Home Mortgage Disclosure Act is a federal statute passed by Congress. The CFPB implements it through Regulation C, but the Bureau cannot eliminate the law through administrative action. The 2026 HMDA asset-size exemption threshold rose to $59 million, meaning more small lenders are exempt. Every lender above that threshold must still collect and report. We cover CFPB Compliance and Your Microsoft 365 Environment in a companion piece.

Regulation C requires mortgage lenders to collect data on loan applications, originations, and purchases. This includes borrower demographics, loan terms, property information, and denial reasons. Your application interface is where most of this data enters your system.

The CFPB Guidance Compendium covering October 2021 through January 2025 remains in effect. Reduced enforcement staff does not change the data reporting obligations.

State Enforcement Is Expanding Fast

As the federal backstop weakens, states are building their own enforcement capacity. A 2022 CFPB interpretive rule affirmed that state attorneys general can bring civil actions to enforce Consumer Financial Protection Act provisions, including UDAAP prohibitions. That delegation survives the current administration's policy shift.

Here is what is happening on the ground:

  • New York passed the FAIR Business Practices Act. It bans unfair acts, not just deceptive ones. It raises fines and empowers both the AG and city-level enforcement.
  • California finalized CCPA amendments requiring automated decision-making technology disclosure and annual cybersecurity audits for businesses handling high-risk personal data.
  • Multi-state coordination through CSBS is moving toward "One Company, One Exam" frameworks that standardize examination formats.
  • Former CFPB staff are joining state agencies, bringing federal-level expertise to local enforcement.

For multi-state lenders, this creates a patchwork of requirements. Your interfaces must capture the data that satisfies the strictest state, not just the current federal minimum.

Interface Data Collection Requirements for HMDA

Your mortgage application interface must capture HMDA-reportable data at the point of entry. Retrofitting data collection after the fact creates gaps that examiners will find.

Required HMDA Data Points

  • Applicant demographics: race, ethnicity, and sex, collected using standardized HMDA categories
  • Loan characteristics: loan type, purpose, amount, interest rate, loan term
  • Property information: location, occupancy type, construction method
  • Underwriting data: DTI ratio, CLTV, credit score model used
  • Action taken: originated, approved not accepted, denied, withdrawn, incomplete
  • Denial reasons: captured and reported for every denied application

Build these fields into your interface as required inputs. Do not allow loan officers to skip demographic collection or mark fields as "information not provided" without the borrower explicitly declining.

Fair Lending Fields Your Interface Must Capture

Fair lending compliance goes beyond HMDA data collection. Your interfaces must support consistent treatment across all applicants.

Build these safeguards into your application workflow:

  • Standardized pricing disclosures that present rate options consistently to every borrower, regardless of demographic characteristics.
  • Automated adverse action notices triggered by denial decisions, citing specific reasons from a pre-approved list.
  • Exception tracking that logs every time a loan officer overrides automated pricing or underwriting recommendations. Examiners compare exception rates across demographic groups.
  • Communication logs capturing what information was provided to each applicant and when. Disparate treatment claims often hinge on whether similarly situated borrowers received the same guidance.

MortgageExchange: The Clean-Data Interface Layer

MortgageExchange is the clean-data interface layer that eliminates the data-quality patterns that drive HMDA, ECOA, TILA, and RESPA examination findings. Most lenders fail compliance not because the rules are unclear, but because data flowing between the loan origination system, the document engine, the servicing platform, and the HMDA submission file picks up gaps, transformations, and silent overwrites along the way. The borrower's race and ethnicity are entered correctly at intake, then a downstream system maps them to a different category. The denial reason is captured in the LOS, then the adverse-action notice cites a different reason because the document engine pulled from a stale field. The APR-to-APOR spread is calculated correctly at lock, then a re-disclosure recalculates it and the original number is lost. Each of those gaps is an examiner finding waiting to happen.

MortgageExchange sits between your origination system and every downstream platform that touches loan data, enforces a single source of truth for every HMDA-reportable field, and preserves the original entry plus every subsequent transformation in a tamper-evident audit trail. ECOA adverse-action notices pull from the same field that recorded the denial decision. TILA disclosures pull from the same rate and fee tables that drove the original lock. RESPA-required service-provider data flows through one validated mapping rather than three inconsistent ones. The interface layer itself becomes the evidence that your data is clean, consistent, and traceable from intake through close to examiner production.

6 Steps to Make Your Interface Audit-Proof

Step 1: Map every data field to its regulatory source. Create a crosswalk document that ties each field in your application interface to the specific regulation requiring it. HMDA, ECOA, TILA, RESPA, and state-specific requirements should all be mapped.

Step 2: Validate data at entry. Do not wait for quality control to catch missing or inconsistent data. Build validation rules into the interface that prevent incomplete applications from advancing to the next stage.

Step 3: Lock completed fields. Once a borrower submits demographic information, that data should be protected from editing by loan officers. Create a tamper-evident audit trail showing the original entry plus any subsequent changes with timestamps and user IDs.

Step 4: Automate compliance checks against current thresholds. The 2026 HMDA asset-size threshold is $59 million. QM points-and-fees caps, HOEPA triggers, and APR-to-APOR spreads all update annually. Your interface should reference current values, not hardcoded numbers from last year.

Step 5: Generate examiner-ready reports on demand. State examiners now demand campaign archives, NMLS identifier verification, and fair lending data with short turnaround times. Build report templates that pull directly from your interface data.

Step 6: Test your interface against real examination scenarios. Run mock examinations quarterly. Have your compliance team play the role of a state examiner and request the data they would ask for. Fix gaps before a real examiner finds them. This connects closely to DLP and the Role of Technology in Modern Mortgage Compliance.
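Steps 2 and 3 can be sketched in a few dozen lines. The following is an added example, not MortgageExchange code or anything from ABT: the field names, role names, and the rule that only the `loan_officer` role is blocked after submission are assumptions made for illustration. It refuses to advance an incomplete application, rejects loan officer edits to submitted demographic fields, and chains every entry (including rejected attempts) by SHA-256 so that a later alteration is detectable.

```python
import hashlib
import json
from datetime import datetime, timezone

# Assumed field and role names; map them to your own interface schema.
LOCKED_FIELDS = {"race", "ethnicity", "sex"}
GENESIS = "0" * 64

class LockedFieldError(Exception):
    pass

def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditedApplication:
    def __init__(self):
        self.fields, self.trail, self.submitted = {}, [], False

    def _log(self, user_id, role, action, field, new):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "user_id": user_id,
                 "role": role, "action": action, "field": field,
                 "old": self.fields.get(field), "new": new,
                 "prev": self.trail[-1]["hash"] if self.trail else GENESIS}
        entry["hash"] = _digest(entry)  # each entry commits to the one before it
        self.trail.append(entry)

    def set_field(self, user_id, role, field, value):
        if self.submitted and field in LOCKED_FIELDS and role == "loan_officer":
            self._log(user_id, role, "rejected", field, value)  # keep the attempt
            raise LockedFieldError(field)
        self._log(user_id, role, "set", field, value)
        self.fields[field] = value

    def submit(self, user_id):
        # Step 2: an incomplete application does not advance.
        missing = sorted(LOCKED_FIELDS - set(self.fields))
        if missing:
            raise ValueError(f"missing required fields: {missing}")
        self._log(user_id, "borrower", "submit", "_status", "submitted")
        self.submitted = True

def verify_trail(trail):
    """Return the index of the first altered or reordered entry, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        if entry["prev"] != prev or entry["hash"] != _digest(entry):
            return i
        prev = entry["hash"]
    return -1
```

A hash chain is only tamper-evident if the latest hash is also recorded somewhere the people who can write the trail cannot rewrite, since anyone with full write access could otherwise recompute the whole chain.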

Building a Documentation Trail Examiners Trust

Compliance experts at RiskExec Connect 2025 put it plainly: "You can't eliminate the CFPB by waving a wand. The statutes and rules still exist." Lenders who cut compliance spending during enforcement pauses become primary targets when the pendulum swings back. For ABT's fuller take, see TRID Compliance IT Checklist for Mortgage Lenders.

Build your documentation trail to survive any enforcement environment:

  • Retain application data for at least 5 years with loan-level detail sufficient to reconstruct any decision.
  • Log every interface interaction with timestamps, user identification, and IP addresses.
  • Store denial reasons alongside the data that supported each decision.
  • Archive disclosures as they were presented to borrowers, including version history when forms change.
  • Maintain audit trails showing who accessed what data and when.

Consistency is protection. Document decisions the same way whether enforcement is aggressive or quiet. When oversight returns, your records will speak for themselves.

Microsoft Purview Audit and M365 Guardian: The Compliance Evidence Layer

Microsoft Purview Audit and M365 Guardian sit on top of the interface layer as the compliance evidence layer that examiners actually grade. Clean data inside the interface is the first half of the answer. The second half is the time-stamped, tamper-evident, immediately-producible evidence trail that proves who accessed what, when, and why across every Microsoft 365 mailbox, SharePoint site, OneDrive folder, and Teams channel where loan files and supervisory correspondence live. Microsoft Purview Audit is the surface inside Microsoft 365 that meets that bar. Purview Audit Premium extends retention to one year and (with the add-on) up to ten, with the same time-stamped audit-log structure that federal and state mortgage examiners expect to see when they ask who touched a HMDA file or an adverse-action notice. Microsoft Purview retention policies bind tamper-evident retention to the Exchange Online mailboxes, SharePoint sites, and Teams channels where mortgage records live, and Microsoft Purview Communication Compliance lets the compliance team sample, classify, and review business communications for off-channel behavior or other policy-flagged content.

ABT operates Microsoft 365 tenants for 750+ financial institutions including mortgage lenders. M365 Guardian is ABT's operating model on top of the Microsoft 365 footprint, tuned for regulated mortgage operations. The Guardian layer applies mortgage-specific Microsoft Purview retention policies aligned to HMDA, ECOA, TILA, and RESPA recordkeeping floors, mortgage-specific data loss prevention policies for borrower NPI and adverse-action data, Conditional Access policies in Microsoft Entra ID tuned to branch geography and loan officer behavior, a Microsoft Sentinel deployment tuned to mortgage attack patterns and exam-ready incident timelines, and a 24/7 security operations center that watches the Sentinel and Microsoft Defender signals. The lender keeps its Microsoft 365 licensing and its tenant ownership. ABT manages the tenant under Granular Delegated Administrative Privileges with least-privilege role grants and an executed vendor oversight agreement that satisfies state and federal third-party oversight expectations. The result is a clean MortgageExchange interface layer feeding a Microsoft Purview evidence layer, both managed under the M365 Guardian operating model. That is the operating stack that survives any examination environment, federal or state.

See What CFPB-Proof Interfaces Look Like for Your Lender

ABT runs the MortgageExchange interface layer and the M365 Guardian operating model described in this article for mortgage lenders operating under federal HMDA, ECOA, TILA, and RESPA obligations plus the patchwork of state attorneys general and DFPI-style enforcement that filled the federal gap in 2025. A 30-minute conversation maps your current interface and Microsoft 365 posture, surfaces the gaps a state examiner is most likely to find first, and outlines what an ABT-managed deployment would cover.

Frequently Asked Questions

No. HMDA is a federal statute that the CFPB implements through Regulation C but cannot repeal administratively. The 2026 asset-size exemption threshold is $59 million, and all lenders above that threshold must continue collecting and reporting HMDA data. Reduced CFPB enforcement does not change the underlying legal obligations for mortgage lenders.

California DFPI, New York AG, Michigan AG, Pennsylvania, and Illinois have expanded fair lending and servicing oversight. New York passed the FAIR Business Practices Act banning unfair acts. California finalized CCPA amendments requiring cybersecurity audits. Multi-state coordination through CSBS is standardizing examination formats, and former CFPB personnel now work within state agencies.

Mortgage interfaces must collect race, ethnicity, and sex data using standardized HMDA categories at the application stage. Fields should be required inputs that cannot be skipped unless the borrower explicitly declines. Collected demographic data must be protected from editing by loan officers, with tamper-evident audit trails recording original entries and any subsequent changes.

The Homebuyers Privacy Protection Act was signed into law on September 5, 2025, and takes effect March 4, 2026. It amends the Fair Credit Reporting Act to restrict how mortgage-related inquiry data is used in prescreening programs known as trigger leads. Lenders receiving trigger leads must have express consumer authorization or an existing relationship with the consumer.

MortgageExchange is the clean-data interface layer that sits between the loan origination system and every downstream platform that touches loan data. It enforces a single source of truth for every HMDA-reportable field, preserves the original entry plus every subsequent transformation in a tamper-evident audit trail, and aligns ECOA adverse-action notices, TILA disclosures, and RESPA service-provider data to one validated mapping. The interface layer itself becomes the evidence that mortgage data is clean, consistent, and traceable from intake through close to examiner production, which is the data-quality pattern that drives most HMDA, ECOA, TILA, and RESPA findings when it is missing.

Microsoft Purview Audit produces the time-stamped audit log across Exchange Online, SharePoint Online, OneDrive, Teams, and Microsoft Entra ID covering every create, modify, and delete action that touches loan files and supervisory correspondence. Purview Audit Premium extends retention to one year with the option to extend to ten. Microsoft Purview retention policies bind tamper-evident retention to mailboxes, sites, and channels where mortgage records live, and Microsoft Purview Communication Compliance sampling supports off-channel review obligations. M365 Guardian is ABT's operating model on top of Microsoft Purview tuned for regulated mortgage operations, with retention policies aligned to HMDA, ECOA, TILA, and RESPA recordkeeping floors, mortgage-specific DLP policies for borrower NPI, and a Microsoft Sentinel deployment tuned to mortgage attack patterns. ABT operates Microsoft 365 tenants for 750+ financial institutions under Granular Delegated Administrative Privileges with executed vendor oversight agreements that satisfy federal and state third-party oversight expectations.

Justin Kirsch

CEO, Access Business Technologies

Justin Kirsch has helped mortgage companies, banks, and credit unions modernize their technology since 1999. As CEO of Access Business Technologies, the largest Tier-1 Microsoft Cloud Solution Provider dedicated to financial services, he helps more than 750 institutions strengthen their Microsoft 365 posture, secure customer data, and meet examiner expectations.