Microsoft Purview Now Retains Audit Logs for 180 Days by Default
Microsoft expanded the default audit log retention period from 90 days to 180 days for all M365 tenants. For mortgage companies running E5 licenses, that extends to one year, with optional 10-year retention for high-risk data. These are the logs that capture every file access, email send, Teams message, and admin action across your tenant.
Most mortgage companies never look at them. According to the 2026 Zero Trust Report, 48% of organizations cite SaaS and cloud application governance as a top source of unauthorized access. The audit data is there. The question is whether your team knows how to use it.
This guide provides a five-step self-audit checklist for using M365 activity logs to validate broker conduct, detect anomalies, and produce the documentation examiners expect.
Why Mortgage Lenders Need M365 Self-Audits
Mortgage regulators expect evidence-driven answers. When a state examiner asks "Who accessed borrower Jones's loan file in the last 90 days?" you need a definitive answer, not a guess.
M365 audit logs capture a timestamped record of every user and admin action across Exchange, SharePoint, Teams, and OneDrive. For mortgage companies managing broker access to borrower data, loan files, and financial records, these logs are the difference between "we believe we're compliant" and "here is the evidence."
With CFPB enforcement reduced in 2025, state regulators now run the examinations. They expect the same level of documentation the CFPB did. California's finalized CCPA amendments require annual cybersecurity audits. New York's DFS cybersecurity regulation mandates access logging. Self-audits keep you ready for whichever examiner arrives first.
Step 1: Verify Audit Logging Is Active
Audit logging is enabled by default for most M365 tenants, but older tenants or those migrated from on-premises Exchange may not have it turned on. Verify before you rely on the data.
How to Check
Open the Microsoft Purview Compliance Portal. Navigate to Audit and verify the search interface loads. If you see a prompt to enable auditing, turn it on immediately.
For a command-line check, connect to Exchange Online PowerShell and run:
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
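A "True" result confirms logging is active. A "False" result means you have been operating blind. Run the command in Exchange Online PowerShell specifically: the same cmdlet in Security & Compliance PowerShell always reports False for this property, even when auditing is turned on.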
Retention Settings to Verify
- Standard licenses (E3, Business Premium): 180 days retention by default.
- E5 or Compliance add-on licenses: One year by default. Custom retention policies can extend specific log types.
- 10-year retention add-on: Available for long-term compliance requirements. Mortgage regulators may require evidence going back years.
Restrict audit log access to your compliance team. Review who holds the Audit Manager and Audit Reader roles. Remove access for anyone who does not need it.
Step 2: Monitor User Access Patterns
Use audit logs to track how brokers and staff interact with your systems. Look for patterns that indicate policy violations or security concerns.
Key Patterns to Monitor
- Login anomalies. Sign-ins from unexpected locations, unusual hours, or devices not enrolled in your MDM solution. A broker logging in from outside approved geographies is a flag.
- Failed authentication spikes. Multiple failed logins in a short window may indicate credential stuffing or a compromised password being tested.
- Concurrent sessions. One account active on multiple devices simultaneously may signal credential sharing or compromise.
- Access after hours. Borrower data accessed at 2 AM by an account that normally operates 9-5 deserves investigation.
Set automated alerts for these patterns. M365 supports alert policies that notify compliance officers when thresholds are breached.
Step 3: Audit File and Document Activity
Loan files in SharePoint and OneDrive contain the most sensitive borrower data. Audit every access, download, edit, and share event.
What to Watch For
- Unauthorized access to client records. Did someone view a loan file they have no business reason to access?
- External sharing without approval. Were borrower documents shared outside your organization? SharePoint sharing logs capture the recipient, timestamp, and sharing method.
- Mass file downloads. A user downloading 50+ loan files in one session is either performing a legitimate bulk operation or exfiltrating data. Context matters.
- File deletions. Track deletions of loan documents, compliance records, and communication logs. Deleted files may indicate evidence tampering.
Build SharePoint site-level permissions that restrict loan file access to authorized processors, underwriters, and closers. Audit permissions quarterly.
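The failed-login spike and after-hours patterns from Step 2 and the mass-download pattern from Step 3 can be checked offline against an exported log. The following is an added example, not code from the original article or from Microsoft: the records are constructed, the one-hour window standing in for "one session" and the 10-failures-in-5-minutes threshold are assumptions, and real CreationTime values are UTC, so convert them to office time before the business-hours check.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _rec(ts, op, user, obj=""):
    # Build one constructed AuditData record as a JSON line.
    return json.dumps({"CreationTime": ts, "Operation": op, "UserId": user, "ObjectId": obj})

# Constructed sample export (not real tenant data); times are treated as office-local.
SAMPLE = (
    [_rec(f"2026-03-02T02:{m:02d}:00", "FileDownloaded", "broker1@example.com", f"/loans/{m}.pdf")
     for m in range(55)]
    + [_rec(f"2026-03-02T14:00:{s:02d}", "UserLoginFailed", "broker2@example.com")
       for s in range(0, 60, 5)]
    + [_rec("2026-03-02T15:30:00", "FileDownloaded", "processor@example.com", "/loans/a.pdf")]
)

def _times_by_user(lines, operation):
    # Group event timestamps by lower-cased user for one operation name.
    out = defaultdict(list)
    for line in lines:
        r = json.loads(line)
        if r["Operation"] == operation:
            out[r["UserId"].lower()].append(datetime.fromisoformat(r["CreationTime"]))
    return out

def window_bursts(lines, operation, threshold, window):
    """Users with >= threshold events inside any sliding window -> peak count."""
    flagged = {}
    for user, times in _times_by_user(lines, operation).items():
        recent, peak = deque(), 0
        for t in sorted(times):
            recent.append(t)
            while t - recent[0] > window:   # drop events older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[user] = peak
    return flagged

def after_hours(lines, operation, start_hour=9, end_hour=17):
    """Users with events outside [start_hour, end_hour) -> count of such events."""
    hits = {}
    for user, times in _times_by_user(lines, operation).items():
        n = sum(1 for t in times if not start_hour <= t.hour < end_hour)
        if n:
            hits[user] = n
    return hits

if __name__ == "__main__":
    print(window_bursts(SAMPLE, "FileDownloaded", 50, timedelta(hours=1)))
    print(window_bursts(SAMPLE, "UserLoginFailed", 10, timedelta(minutes=5)))
    print(after_hours(SAMPLE, "FileDownloaded"))
```

A flagged user is a lead for review, not a finding: as the checklist says, a bulk download can be a legitimate operation, so pair each hit with the business context before escalating.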
Step 4: Review Admin and Role Changes
Admin role changes affect your entire compliance posture. A single Global Admin assignment can grant unrestricted access to every mailbox, file, and setting in your tenant.
Audit These Admin Events
- Role assignments and removals. Who was added to or removed from privileged roles? Was it authorized?
- Conditional Access policy changes. Did someone modify MFA requirements or device compliance rules? These changes can silently weaken your security.
- DLP policy modifications. Changes to Data Loss Prevention rules can allow sensitive data to flow outside your organization.
- Mail flow rule changes. New mail forwarding rules can redirect borrower communications to external addresses.
Implement just-in-time admin access through Microsoft Entra PIM to reduce standing admin accounts. Every admin action should be traceable to an approved request.
Step 5: Build Your Evidence Chain
Examiners expect a defensible chain of evidence. Raw logs are a starting point, not the finish line.
Evidence Chain Requirements
- Export relevant log subsets before the retention window closes. Do not rely on Microsoft to store your evidence. Download and archive.
- Analyze logs for policy alignment. Confirm that broker actions match internal policies. Were anti-fraud and privacy rules followed?
- Schedule quarterly self-audits. Review one quarter's worth of logs against your compliance policies. Document findings, remediation actions, and sign-off by compliance leadership.
- Attach log evidence to incident reports. When issues arise, link the audit data directly to your investigation documentation.
- Preserve offboarded user logs. When brokers or staff leave, their audit records must be retained for the period your regulatory framework requires.
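One way to make archived exports defensible is a manifest that records a SHA-256 digest for each exported file and links every entry to the previous one, so a later edit to a file or to the manifest is detectable. This is an added example, not part of the original article or a Microsoft feature; the file names, field names and export contents are constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # anchor value used as "prev" for the first entry

# Constructed export contents (not real audit data).
FILES = {
    "2026-Q1-sharepoint.csv": b"CreationDate,UserIds,Operations\n2026-01-05,a@example.com,FileAccessed\n",
    "2026-Q1-exchange.csv": b"CreationDate,UserIds,Operations\n2026-01-06,b@example.com,New-InboxRule\n",
}

def _entry_hash(entry):
    # Hash every field except the hash itself, in a stable key order.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_export(manifest, name, data, exported_at, exported_by):
    """Return a new manifest with one entry appended and chained to the last."""
    entry = {
        "file": name,
        "sha256": hashlib.sha256(data).hexdigest(),
        "exported_at": exported_at,
        "exported_by": exported_by,
        "prev": manifest[-1]["entry_hash"] if manifest else GENESIS,
    }
    entry["entry_hash"] = _entry_hash(entry)
    return manifest + [entry]

def verify(manifest, files):
    """Return a list of problems; an empty list means files and chain are intact."""
    problems, prev = [], GENESIS
    for e in manifest:
        if e["prev"] != prev or _entry_hash(e) != e["entry_hash"]:
            problems.append(f"{e['file']}: manifest entry altered or out of order")
        data = files.get(e["file"])
        if data is None:
            problems.append(f"{e['file']}: archived export missing")
        elif hashlib.sha256(data).hexdigest() != e["sha256"]:
            problems.append(f"{e['file']}: content changed since export")
        prev = e["entry_hash"]
    return problems

def build_manifest():
    # Constructed timestamps and exporter identity.
    m = add_export([], "2026-Q1-sharepoint.csv", FILES["2026-Q1-sharepoint.csv"],
                   "2026-04-02T10:00:00Z", "compliance@example.com")
    return add_export(m, "2026-Q1-exchange.csv", FILES["2026-Q1-exchange.csv"],
                      "2026-04-02T10:05:00Z", "compliance@example.com")
```

The chain only proves integrity if the final entry_hash is recorded somewhere the archive's custodian cannot rewrite, for example in the quarterly sign-off document.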
Advanced Practices
Integrate with SIEM tools. Feed M365 audit logs into Microsoft Sentinel or a third-party SIEM for real-time correlation and alerting. This moves you from reactive investigation to proactive monitoring.
Automate report delivery. Schedule weekly or monthly compliance reports that summarize key metrics: failed logins, external shares, admin changes, and policy violations. Deliver them directly to compliance officers.
Track DLP policy effectiveness. Monitor how often DLP policies trigger and what data they catch. A DLP policy that never fires may be misconfigured. One that fires constantly may need tuning.
Monitor AI and Copilot activity. As mortgage companies adopt Microsoft Copilot and other AI tools, audit logs track what data these tools access. Ensure AI interactions with borrower data are logged and reviewed.
Frequently Asked Questions
How long does Microsoft 365 retain audit logs by default?
Microsoft 365 retains audit logs for 180 days by default for standard licenses. E5 and compliance add-on licenses extend retention to one year. A 10-year retention add-on is available for long-term compliance requirements. Mortgage companies should verify their retention settings and export critical logs before the retention window closes.
What M365 audit events should mortgage companies monitor?
Mortgage companies should monitor login anomalies including failed authentication attempts and off-hours access, file activity including downloads and external sharing of loan documents, admin role changes that affect security posture, and DLP policy triggers that may indicate data exfiltration. Setting automated alerts for these events enables proactive compliance monitoring.
How do I verify that M365 audit logging is enabled for my tenant?
Open the Microsoft Purview Compliance Portal and navigate to the Audit section. If the search interface loads, auditing is active. For command-line verification, connect to Exchange Online PowerShell, run Get-AdminAuditLogConfig, and check the UnifiedAuditLogIngestionEnabled property. A True result confirms logging is active for your tenant.
Can M365 audit logs satisfy state mortgage compliance examinations?
Yes. M365 audit logs provide timestamped records of user access, file activity, admin changes, and policy enforcement that state examiners review during compliance examinations. Export relevant log subsets, analyze them against internal policies, and maintain a documented evidence chain. Schedule quarterly self-audits to stay examination-ready year-round.
Start Your Self-Audit This Week
The audit data is already being collected. Microsoft 365 logs every file access, login event, and admin change across your tenant. The only question is whether your compliance team is reviewing it.
Start with Step 1: verify logging is active. Then work through the remaining steps at your own pace. A quarterly self-audit cadence keeps you ready for any examiner.