MortgageWorkSpace

Using Loan Origination Software Encompass and Calyx for Mortgage Success

Justin Kirsch | | 14 min read
Using Loan Origination Software Encompass and Calyx for Mortgage Success
MortgageWorkSpace mortgage industry

In This Article

The FBI's Internet Crime Complaint Center logged $275.1 million in real-estate cybercrime losses across 12,368 complaints in 2025, up from $173 million and roughly 9,359 complaints the year before. Every one of those losses started with a borrower record, a closing wire, or a payoff instruction that lived inside a loan origination system.

The Mortgage Bankers Association projects $2.2 trillion in single-family mortgage originations in 2026, an 8 percent increase that puts an estimated 5.8 million loans through the lending pipeline this year. Each of those loans flows through one of two dominant loan origination platforms, Encompass by ICE Mortgage Technology or Calyx Point. Both platforms do their jobs well. Both also create IT obligations that mortgage executives still underestimate.

This article covers what each platform does, where they differ in 2026, what your IT infrastructure needs to support them safely, and how Microsoft 365 controls administered by a Tier 1 Cloud Solution Provider sit underneath every defensible LOS deployment.

$275.1M
Real-estate cybercrime losses reported to the FBI in 2025 across 12,368 complaints, a year-over-year jump of roughly $100 million. Most of those losses originated from data, wires, or borrower communications mediated by a loan origination system.
Source: FBI Internet Crime Complaint Center (IC3), 2025 Annual Internet Crime Report, released April 2026, ic3.gov

The 2026 Real-Estate Fraud Wave Hitting Loan Origination

The wire fraud and business email compromise problem in mortgage closing has crossed a line in 2025 and 2026. Three data points define the current threat picture for credit unions, banks, and mortgage companies operating on Encompass or Calyx:

  • IC3 2025 Annual Report (April 2026). Total cybercrime losses across all sectors reached $20.877 billion, a 26 percent year-over-year increase, with more than 1 million complaints filed for the first time. Business email compromise losses, most often resulting from wire fraud, topped $3 billion globally.
  • Fundingshield Q1 2026 mortgage analytics. Of more than $106.7 billion in live mortgage transactions analyzed during the first quarter of 2026, more than 43 percent were flagged with wire or title fraud risk indicators, often with multiple control defects on a single loan.
  • Fortra BEC Global Insights Report, April 2026. Wire-transfer scam volume rose 262 percent month-over-month, with average requested amounts around $60,723 and cryptocurrency-routed BEC incidents averaging $2.7 million per case.

The takeaway is not that LOS vendors are failing. Encompass and Calyx both invest heavily in application-level security. The takeaway is that application security alone is no longer enough. The attack surface is the surrounding infrastructure: identity, endpoints, email, audit, and the third-party integrations stitched into your LOS. A loan originator who clicks a phishing link in Tampa on a Tuesday can put a Friday closing wire into a fraudster's account by Wednesday morning. The LOS does not stop that. The hosting environment, the identity controls, and the email security stack stop it.

What Loan Origination Software Actually Does

Loan origination software manages every step from application intake through closing and investor delivery. It handles data entry, document collection, automated underwriting submissions, disclosure generation, compliance checks under TRID and HMDA, and closing coordination. Modern LOS platforms also drive eClose workflows, eNote registration with the MERS eRegistry, and post-close data delivery to GSE counterparties.

Without an LOS, mortgage lenders track loans in spreadsheets and email chains. That approach breaks down at any meaningful volume and produces the audit gaps examiners flag. An LOS centralizes the loan file, enforces workflow rules, and creates the audit trail that regulators, GSE counterparties, and warehouse lenders expect on every loan.

The two platforms that dominate the United States mortgage market each approach the problem differently. Encompass is the enterprise standard. Calyx serves brokers, small lenders, and mid-size lenders with a different price point and a different operational model. Both ship with deep integration networks, both manage closing compliance, and both create real IT obligations that mortgage executives underestimate at their peril.

Encompass by ICE Mortgage Technology in 2026

Encompass is the enterprise standard for U.S. residential mortgage lending. Industry reporting through 2025 and 2026 continues to position Encompass as the dominant LOS, processing roughly 40 percent of U.S. residential mortgage originations. ICE Mortgage Technology, the platform's parent, has spent 2025 and early 2026 consolidating adjacent products into a single mortgage technology stack following the Black Knight acquisition.

What Encompass does well in 2026:

  • End-to-end coverage. Application, processing, underwriting, closing, post-close, and secondary market delivery happen inside one platform.
  • The ICE Marketplace. Described by ICE as the mortgage industry's largest partner network, the Marketplace hosts hundreds of integrations spanning credit, title, appraisal, flood, pricing, and compliance services. Access to the partner ecosystem is one of the strongest arguments for Encompass at enterprise scale.
  • Built-in compliance engine. Automated TRID timing, HMDA data collection, RESPA validation, and state-specific disclosure generation are baked into the platform.
  • eClose capabilities. eNote, eSign, and eVault flow through ICE eClose and the MERS eRegistry, with broad acceptance from GSE and investor counterparties.
  • Product and pricing engine. ICE PPE connects directly to investor rate sheets for real-time lock pricing.
  • Platform consolidation underway. ICE announced the sunset of Encompass CRM (formerly Top of Mind) in late 2024, with customer self-migration to Surefire beginning January 2025. Top of Mind has been fully absorbed into ICE Mortgage Technology, and topofmind.com now redirects to mortgagetech.ice.com. Lenders on the older CRM should have their migration plan in motion if they are not already migrated.
  • Active analytics product line. ICE Mortgage Monitor and the First Look monthly mortgage data series, published through mortgagetech.ice.com, signal a sustained investment in mortgage data analytics adjacent to the origination platform.

Where Encompass creates IT obligations:

  • Infrastructure demands. Hosted Encompass deployments require substantial compute, memory, and SSD storage per concurrent user, with low-latency network paths to ICE infrastructure. Undersized environments cause the slow performance that loan officers complain about during peak month-end submission windows. Our Encompass cloud hosting configuration guide walks through the sizing math for a typical mid-size lender.
  • Plugin management. Hundreds of available plugins mean hundreds of potential conflicts. Each plugin consumes memory and can degrade performance if not managed. Plugin governance is its own discipline at any meaningful scale.
  • Update coordination. ICE pushes platform updates on its own cadence. Your hosting environment, custom plugins, and third-party integrations all need testing before updates promote to production.
  • Security configuration. Encompass handles borrower Social Security numbers, bank statements, tax returns, and wire instructions. The hosting environment needs encryption at rest and in transit, multi-factor authentication, conditional access policies, and audit logging that satisfy the FTC Safeguards Rule and applicable state regulators.
  • Identity sprawl. Encompass plus the ICE Marketplace plus your CRM plus your servicing system plus your eClose vendor plus your warehouse portal can produce eight to twelve credentials per loan officer. Without centralized identity and single sign-on, password fatigue becomes the attacker's friend.

ABT Partner Insight

Tier 1 Microsoft Cloud Solution Provider (CSP)

ABT manages Microsoft 365 tenants for more than 750 credit unions, banks, and mortgage companies, hosts Calyx PointCentral environments on Microsoft Azure for the lenders who use it, and operates the Guardian managed Microsoft 365 footprint that backs every LOS we support. The Microsoft 365 stack does the heavy lifting that no LOS vendor can do for you: Microsoft Entra ID Conditional Access and mandatory multi-factor authentication for all LOS access paths, Microsoft Defender for Office 365 protecting the borrower email exchanges where most wire-fraud attempts begin, Microsoft Purview Audit Premium retaining LOS access logs for the regulatory examination window, Microsoft Intune enforcing device compliance for the laptops and phones touching borrower data, and Microsoft Sentinel SIEM correlating LOS infrastructure signals with identity and endpoint telemetry. Encompass and Calyx secure the application. Microsoft 365, administered by a Tier 1 CSP, secures everything around it.

Source: ABT internal deployment data plus Microsoft Learn product documentation, 2026.

Calyx Point and PointCentral in 2026

Calyx Software has served brokers and small-to-mid-size lenders since 1991. Calyx remains an actively maintained, actively marketed product line in 2025 and 2026. The company publishes two flavors of its LOS, Calyx Point as a single-user desktop product and Calyx PointCentral as a multi-user, server-based platform that several Tier 1 Microsoft Cloud Solution Providers host on Microsoft Azure for credit unions, banks, and mortgage companies.

What Calyx does well in 2026:

  • Affordable entry point. Lower licensing costs than Encompass make Calyx accessible for brokers, smaller lending shops, and community institutions running modest volumes.
  • Broker-friendly workflows. Calyx is built for the way brokers actually work, with streamlined interfaces for rate shopping and wholesale submissions.
  • Hundreds of vendor integrations. The Calyx integration network spans credit, appraisal, title, automated underwriting, pricing, doc prep, MI, compliance, eSign, eClose, flood, and verification services covering the core categories a small or mid-size lender needs to run.
  • Calyx Zip. The online borrower application that feeds directly into the LOS, with branded customization for the lender.
  • Compliance form updates. Calyx pushes regulatory form updates automatically, keeping disclosures current with state and federal requirements.
  • PointCentral for multi-user operations. Calyx positions PointCentral as the enterprise edition of Point, with a centralized database that lets an entire team work the same loan files simultaneously. PointCentral is the right answer for any lender running multiple loan officers, multiple branches, or both.

Where Calyx creates IT obligations:

  • Desktop vs. cloud decision. Calyx Point runs locally on a workstation. Calyx PointCentral runs on a server, with most regulated institutions in 2026 deploying it on a private Microsoft Azure tenant operated by a Tier 1 Cloud Solution Provider. Migrating between Point and PointCentral is not seamless, and some lenders run both during transition periods.
  • Scaling considerations. Single-user Calyx Point fits brokers and very small shops. Multi-branch operations with shared loan pipelines belong on PointCentral, not on individual Point installations stitched together with file shares.
  • Integration depth. Calyx integrations cover the major categories, and the breadth has improved year over year, but custom integrations into core banking systems or specialized CRM platforms may require more development work than the equivalent Encompass connector.
  • Reporting capabilities. Calyx's built-in reporting is functional. Lenders who need advanced analytics often export data to Microsoft Power BI or another business intelligence tool to build the dashboards their executive teams want.
  • Hosting selection matters. PointCentral is only as resilient as the cloud infrastructure underneath it. Hosting on a generic shared environment yields generic shared performance. Hosting on a private Azure tenant administered by a Tier 1 CSP yields predictable performance, examiner-ready logging, and a single accountable partner. Multi-branch lenders specifically face scaling decisions for Calyx that desktop Point cannot solve on its own.
2026 comparison of Encompass by ICE Mortgage Technology and Calyx Point and PointCentral covering target customer, integration scale, deployment model, eClose readiness, and infrastructure demand, with Microsoft 365 security overlay called out as the common implementation layer.
Encompass versus Calyx Point and PointCentral in 2026, with the Microsoft 365 security stack as the common implementation layer underneath both. Source: ICE Mortgage Technology, Calyx Software, and ABT deployment data, May 2026.

Common IT Challenges With Both Platforms

Regardless of which LOS you run, four IT obligations appear consistently across mortgage operations in 2026. None of them are optional. Examiners read the same playbook regardless of LOS vendor.

Wire and email fraud defense. Closing wires and borrower communications are the single largest fraud target in 2025 and 2026. Fundingshield's Q1 2026 analysis of more than $106.7 billion in live mortgage transactions flagged more than 43 percent for wire or title fraud risk indicators. Wire fraud defense lives outside the LOS. It lives in your email security platform, your identity provider's Conditional Access policies, your endpoint compliance stack, and your callback verification process. Configuring Microsoft 365 email correctly for a mortgage office is the foundation, not an afterthought.

Security and compliance. Both Encompass and Calyx handle data protected by the Gramm-Leach-Bliley Act, the FTC Safeguards Rule, the NYDFS Cybersecurity Regulation for New York-licensed entities, and state privacy regimes that landed between 2024 and 2026. Your IT environment must enforce encryption in transit and at rest, multi-factor authentication, role-based access controls, and audit logging that meets the longest applicable retention window for your record categories. The LOS vendor handles application-level security. Your IT team or managed services provider handles infrastructure-level security, identity, endpoint, email, and audit. Examiners assume both layers exist.

Integration maintenance. Integrations break. Vendors update APIs. Credit bureaus change data formats. Title companies switch platforms. Investor portals reshape their post-close delivery files. Every integration requires monitoring and maintenance, and a single broken connection can halt loan processing. Industry pressure is pushing LOS vendors and their partner ecosystems toward modern API-based integration by the end of 2026, retiring older SDK-based connectors that were never designed for the volume and security posture today's lenders need. The transition window is real, and lenders who manage their LOS-core integration strategy proactively will hit fewer surprises.

Performance management. Slow LOS performance costs money. When loan officers wait thirty seconds for screens to load, they process fewer loans per day. Performance problems usually trace back to undersized infrastructure, network latency, unmanaged plugin conflicts, or database maintenance that has not kept pace with loan volume growth. The fix is not magic. It is sizing the environment for peak month-end volume rather than average daily load and monitoring the actual bottleneck rather than guessing.

Business continuity and disaster recovery. Your LOS contains every active loan file. If the system goes down, origination stops. Business continuity plans must include LOS-specific recovery procedures with tested failover and documented recovery time objectives that align with closing commitments. Backup retention, recovery testing cadence, and geographic separation of the backup target from the production environment are all examiner-facing decisions in 2026.

The Three-Clock Problem Now Touches Every LOS

An incident inside your LOS or its surrounding infrastructure can simultaneously trigger the FTC Safeguards Rule 30-day clock (16 CFR Part 314.5, effective May 13, 2024, 500-consumer threshold), the NYDFS Part 500 72-hour clock for any New York-licensed lender or servicer (Section 500.17(a)), and individual state breach-notification clocks as short as 30 days from discovery. Your written incident response plan must assume all three fire on the same incident. A breach affecting loan officers in Reno, borrowers in California, and one New York-licensed servicing relationship can put your designated security officer in front of three regulators by the end of the same week.

The Compliance Hierarchy Behind Your LOS

Most LOS articles treat compliance as a checkbox. The reality in 2026 is that four overlapping regulatory frameworks govern how mortgage data flows through Encompass or Calyx, and a defensible LOS deployment maps cleanly to each one.

  1. Gramm-Leach-Bliley Act (GLBA). The foundational statute governing how financial institutions, including mortgage lenders and servicers, handle nonpublic personal information. The FTC Safeguards Rule operationalizes GLBA for non-bank financial institutions under the FTC's jurisdiction.
  2. FTC Safeguards Rule (16 CFR Part 314). The 2021 amendments, effective June 9, 2023, locked in nine required safeguards: a written information security program, a designated Qualified Individual, a written risk assessment, access controls, encryption in transit and at rest, multi-factor authentication, monitoring with annual penetration tests and semiannual vulnerability scans, employee training, service provider oversight, and a written incident response plan. The 2023 breach-notification amendment, effective May 13, 2024, added a 30-day notification requirement to the FTC for unauthorized acquisition of unencrypted customer information affecting 500 or more consumers (16 CFR Part 314.5). The FTC published clarifying FAQ guidance in June 2025 covering motor vehicle dealers, with broader applicability to non-bank financial institutions.
  3. NYDFS 23 NYCRR Part 500 Second Amendment. Phased compliance landed in three waves on November 1, 2023, November 1, 2024, and November 1, 2025. As of 2026, every Second Amendment obligation is in force, including universal multi-factor authentication (Section 500.12), the asset inventory requirement (Section 500.13), the strengthened third-party service provider provisions tied to encryption and MFA (Section 500.11, reinforced by the NYDFS Industry Letter of October 21, 2025), enhanced CISO and board reporting (Section 500.4), and the 72-hour reportable cybersecurity event notification (Section 500.17(a)) plus the 24-hour and 30-day extortion payment reporting obligations (Section 500.17(c)). If your institution is licensed in New York or services New York-secured loans, the Second Amendment applies.
  4. State privacy regimes and GSE counterparty standards. The 2024 through 2026 window brought a dozen new state privacy laws into force across Texas, Oregon, Florida, Montana, Delaware, Nebraska, New Hampshire, Iowa, Tennessee, Minnesota, Maryland, and Indiana. Most include a GLBA carve-out for the loan file itself, but they apply to marketing data, vendor management records, employee data, and certain business-to-business contexts. Fannie Mae, Freddie Mac, and Ginnie Mae layer additional cybersecurity and data handling expectations onto every approved seller and servicer relationship, with annual attestations that mirror the federal framework.

The reason this matters for your LOS choice is that none of these frameworks know or care which platform you run. They impose obligations on the lender, with the LOS and its surrounding infrastructure as the implementation surface. A mortgage IT partner who can map each obligation to the corresponding Microsoft 365 control, then operate that control at the standard examiners expect, removes the largest source of regulatory friction from your origination pipeline. Our Microsoft 365 self-audit guide for mortgage compliance covers the exact controls and the evidence that satisfies an examiner request.

2026 LOS compliance hierarchy mapping GLBA, FTC Safeguards Rule, NYDFS Part 500 Second Amendment, and state privacy plus GSE counterparty obligations to the Microsoft 365 controls used to satisfy them, including Microsoft Entra ID Conditional Access and MFA, Microsoft Defender for Office 365, Microsoft Purview Audit Premium, Microsoft Intune device compliance, and Microsoft Sentinel SIEM correlation.
The 2026 compliance hierarchy behind a loan origination system, with each regulatory layer mapped to the Microsoft 365 control that operationalizes it. Source: FTC, NYDFS, GSE counterparty guidance, and Microsoft Learn documentation, May 2026.

Why LOS Management Needs a Mortgage-Focused IT Partner

Generic managed services providers can run servers and networks. LOS environments need more than that. They need a partner who understands Encompass plugin architecture, the Calyx Point and PointCentral deployment split, ICE Marketplace integration patterns, eClose and MERS eRegistry interactions, GSE counterparty data delivery expectations, and the compliance frameworks that apply to borrower data on every loan.

ABT serves more than 750 financial institutions, including credit unions, banks, and mortgage companies running both Encompass and Calyx. As a Tier 1 Microsoft Cloud Solution Provider with SOC 2 Type 2 attestation, ABT manages Microsoft 365 tenants, hosts Calyx PointCentral environments on Microsoft Azure for the lenders who use it, operates the Guardian managed Microsoft 365 footprint that secures both LOS deployments, and provides the mortgage-specific operating discipline that examiners and warehouse counterparties expect on every loan file.

The difference between a generic provider and a mortgage-focused one shows up at 4 p.m. on the Friday before a Monday closing. The mortgage-focused partner knows the LOS, knows the ICE or Calyx support contacts, knows the GSE delivery deadline that depends on the loan funding, and knows exactly what is at stake when a wire instruction fails verification. Generic providers manage infrastructure competently and stop there. A mortgage IT partner manages the closing itself.

Encompass and Calyx secure the application. Microsoft 365, administered by a Tier 1 Cloud Solution Provider, secures everything around it. Mortgage executives who treat LOS choice as the whole IT decision are designing for the application and ignoring the eighty percent of the attack surface that lives outside it.

Need a 30-day LOS infrastructure check before your next closing peak?

ABT's mortgage IT specialists will assess your Encompass or Calyx environment against the FTC Safeguards Rule, NYDFS Part 500 Second Amendment, and GSE counterparty expectations, then map every gap to the Microsoft 365 control that closes it. No commitment, no sales pressure.

Talk to a mortgage IT specialist See Calyx PointCentral hosting options

Frequently Asked Questions

Before deploying any loan origination system, lenders need reliable network connectivity with under 50 milliseconds of latency to the platform's data centers, endpoints that meet the LOS vendor's minimum specifications, Microsoft Intune device compliance enforced on every endpoint touching borrower data, a tested backup and disaster recovery plan with documented recovery time objectives, identity centralized in Microsoft Entra ID with Conditional Access and mandatory multi-factor authentication, and user permissions aligned to MISMO role definitions. Sizing the environment for peak month-end volume rather than average daily load prevents the performance drops that derail closings and frustrate loan officers.

Calyx Point and Calyx PointCentral offer lower licensing costs and a simpler operational model for credit unions, banks, and mortgage companies running modest volumes or single-branch operations. Encompass provides the largest partner integration network, more advanced compliance automation, and stronger scaling for multi-branch enterprises and high-volume retail lenders. Mid-size lenders choosing between them should evaluate total cost of ownership including hosting, integration maintenance, and dedicated mortgage IT support rather than licensing fees alone. The right deployment model for either platform is a private Microsoft Azure tenant administered by a Tier 1 Cloud Solution Provider rather than a generic shared host.

LOS hosting environments must satisfy the Gramm-Leach-Bliley Act, the FTC Safeguards Rule (16 CFR Part 314) including the May 13, 2024 breach-notification amendment requiring 30-day notice to the FTC for unauthorized acquisition of unencrypted customer information affecting 500 or more consumers, the NYDFS Part 500 Second Amendment for any New York-licensed lender or servicer with the 72-hour reportable cybersecurity event clock under Section 500.17(a), individual state privacy regimes that landed between 2024 and 2026, and GSE counterparty standards from Fannie Mae, Freddie Mac, and Ginnie Mae. Required controls include encryption of borrower data in transit and at rest, mandatory multi-factor authentication, role-based access controls, audit logging retained for the longest applicable record-category window, and a written incident response plan. Record retention windows vary by record category and regulator. Consult your specific regulator and record category rather than relying on a single blanket figure.

Encompass performance during month-end typically degrades because the hosting environment was sized for average daily usage rather than peak submission volume. Additional causes include excessive plugins consuming memory, network latency above 50 milliseconds to ICE Mortgage Technology servers, and database maintenance that has not kept pace with loan volume growth. Monitoring CPU utilization, memory usage, plugin behavior, and network latency during slow periods identifies the specific bottleneck. A mortgage IT partner familiar with Encompass plugin architecture can validate hosting sizing against actual peak load and tune the environment before the next month-end submission wave.

Microsoft 365 controls operate around the LOS rather than inside it. Microsoft Entra ID Conditional Access policies and mandatory multi-factor authentication govern who can sign in to the LOS, from which devices, and under which conditions. Microsoft Defender for Office 365 protects the borrower email exchanges where most wire-fraud attempts begin. Microsoft Purview Audit Premium retains LOS access logs and tenant activity through the regulatory examination window, with up to ten-year retention available as a tenant add-on. Microsoft Intune enforces device compliance on every endpoint accessing borrower data, including BYOD devices. Microsoft Sentinel correlates LOS infrastructure signals with identity and endpoint telemetry into a single examiner-defensible audit timeline. Administered by a Tier 1 Cloud Solution Provider, these controls give a mortgage lender the operational discipline examiners and warehouse counterparties expect on every loan.

Mortgage-specialized IT providers understand LOS vendor ecosystems, compliance requirements specific to lending, GSE counterparty obligations, and the business impact of system downtime during closing periods. Generic managed services providers manage infrastructure competently but typically lack experience with Encompass plugin architecture, Calyx Point and PointCentral deployment, ICE Marketplace integrations, eClose and MERS eRegistry workflows, and regulatory frameworks like the FTC Safeguards Rule, NYDFS Part 500 Second Amendment, and GSE seller and servicer attestations. The operational risk of working with a provider unfamiliar with mortgage technology often exceeds any cost savings.

$275.1M

Real-estate cybercrime losses in 2025

Find out if your LOS infrastructure can withstand the 2026 fraud wave.

Get your Microsoft 365 Security Grade in minutes, then talk with an ABT mortgage IT specialist about hardening your Encompass or Calyx environment against wire-fraud, BEC, and examiner findings before the next closing peak.

Get my Microsoft 365 Security Grade Talk to a mortgage IT specialist
Justin Kirsch

Justin Kirsch

CEO, Access Business Technologies

Justin Kirsch has built mortgage technology infrastructure for credit unions, banks, and mortgage companies since 1999. As CEO of Access Business Technologies, the largest Tier 1 Microsoft Cloud Solution Provider dedicated to financial services, he helps more than 750 lenders operate Encompass and Calyx environments on examiner-ready Microsoft 365 and Microsoft Azure foundations, defended by the Guardian managed Microsoft 365 footprint and operated to the SOC 2 Type 2 standard.