Regulatory change is hitting mortgage lending on many fronts — from the CFPB's latest agenda to Fannie Mae's new cybersecurity requirements to an influx of evolving state regulations. Staying compliant requires financial institutions (FIs) to stay updated on the latest developments.
To help you navigate the changing regulatory landscape, we've compiled the latest must-know updates for mortgage lenders. For a deeper dive into these topics, watch our webinar.
Stay informed: For the latest mortgage industry updates — and more tailored notifications relevant to your FI — check out Ncomply.
Fannie Mae Updates
With cyber threats escalating, Fannie Mae published its Information Security and Business Resiliency Supplement outlining new business resiliency and cyber requirements.
Effective August 12, 2025, these requirements apply to single-family sellers and servicers, multifamily lenders, technology service providers, and document custodians.
Here’s an overview of the three main obligations covered:
- InfoSec Program Requirements: Lenders must establish a formal InfoSec program aligned with Fannie Mae guidance and NIST standards, appoint a senior executive to oversee the program, and provide annual officer attestation covering all 14 security domains.
- Cyber Breach Requirements: Lenders must report any cybersecurity incident — including ransomware, distributed denial-of-service (DDoS) attacks, business email compromise, or other events impacting services or loans — within 36 hours of identification.
- Business Continuity Management: Lenders must implement a dual recovery approach (i.e., address both business continuity and disaster recovery), with preparation, coordination, and regular testing of plans tied directly to Fannie Mae obligations.
Takeaway: Fannie Mae isn’t reinventing the wheel — these requirements mirror broader industry standards — but the supplement makes clear that business continuity and disaster recovery must be tightly aligned with Fannie Mae’s contractual obligations, including annual validation and board-level accountability.
Federal and State Regulatory Activity
Homebuyers Privacy Protection Act Limits Trigger Leads
The Homebuyers Privacy Protection Act (HPPA), passed in September 2025 and taking effect March 4, 2026, represents a significant shift in how mortgage lenders can access and use consumer credit information for marketing purposes.
Federal Requirements
The law restricts credit reporting agencies (CRAs) from sharing consumer credit reports for unsolicited marketing, allowing access only for legitimate mortgage offers.
One example is a trigger lead. A trigger lead is created when a credit bureau sells the fact that a consumer has applied for a mortgage to other lenders so they can market competing offers. Third parties receiving this information must obtain explicit consumer consent unless they are the consumer’s current mortgage originator, loan servicer, or have an established banking relationship.
While the law primarily targets CRAs, financial institutions must continue to comply with other federal rules, including Fair Credit Reporting Act (FCRA) opt-outs, pre-screen solicitations, and Do Not Call regulations.
State-Level Restrictions
Many states are tightening rules on trigger leads, with requirements and exemptions varying by jurisdiction. For example, Arkansas exempts only institutions that hold or service existing debt. Some states also require consumer notices when a trigger lead is received, clarifying that the institution is not affiliated with the lender where the consumer originally applied.
Rulemaking
The Consumer Financial Protection Bureau (CFPB) has an active rulemaking agenda that touches nearly every corner of mortgage operations. From loan originator pay to servicing standards and consumer data rights, upcoming proposals and final rules could reshape compliance expectations in meaningful ways.
Below are several noteworthy items from the CFPB’s rule list. Be sure that you’re tracking and preparing for potential changes by:
- Monitoring updates closely: Stay updated as the proposed rules move through the rulemaking process.
- Maintaining current compliance practices: Continue your existing compliance risk management processes until the final rules are published to prevent any gaps in your compliance management system (CMS).
- Preparing for operational changes: Begin identifying which systems and processes could be affected by the proposed changes, such as data sharing obligations and disclosure timing.
Loan Originator Compensation Requirements (July 2025)
The CFPB issued an advance notice that could potentially rescind some discretionary compensation provisions under Regulation Z, including the prohibitions on compensation based on loan terms and conditions and on dual compensation for loan originators.
These prohibitions are written into the Truth in Lending Act (TILA), so the CFPB itself can’t change them — only grant exemptions through Regulation Z. If the Bureau tries to override these restrictions broadly, legal challenges are likely.
Discretionary Servicing Rules Update under RESPA (July 2025)
The CFPB could potentially roll back requirements under the Real Estate Settlement Procedures Act (RESPA) related to servicer policies and procedures, including early intervention with delinquent borrowers, continuity of contact requirements, and procedures for evaluating loss mitigation applications.
The official proposed rule hasn’t been published yet, but the Bureau appears to be aiming to scale back operational requirements, possibly shifting the burden of completing incomplete loss mitigation applications from servicers to borrowers.
Discretionary Servicing Rules Updates under TILA (July 2025)
The CFPB’s advance notice under TILA focuses on the form and content of consumer disclosures, especially interest rate adjustment notices for variable-rate transactions. Currently, any change in interest that affects a consumer’s payment triggers a notification requirement. Proposed changes could potentially lighten this burden, perhaps by requiring an annual notice or aligning notifications with closing disclosures.
Equal Credit Opportunity Act Changes (September 2025)
While details are limited, recent shifts suggest the CFPB may update its current stance to reflect that disparate impact is not a violation of ECOA.
It’s crucial to note that the courts still recognize disparate impact under the Fair Housing Act, and state attorneys general or private parties could bring claims. Future administrations may also revisit these interpretations, allowing FIs’ current lending practices to be reviewed retrospectively.
Mortgage Servicing Streamlining (December 2025)
The rule was originally proposed in July 2024, and many of its provisions stemmed from COVID-era practices. It is likely that the final rule slated for December will not include all elements of the proposal, such as the requirement that servicing communications be provided in languages other than English. However, certain aspects are likely to remain.
Personal Financial Data Rights (December 2025)
The CFPB issued an advance notice addressing whether authorized third parties must have a fiduciary relationship with the consumer to access their data.
The proposal also raises the question of whether FIs can charge fees to cover operational or technical costs associated with providing consumer data. While compliance dates have been extended, this rulemaking remains relevant to mortgage operations.
Mortgage-Related Litigation
Court cases and enforcement actions often serve as early warning signals for lenders. They highlight how regulators interpret existing laws, where plaintiffs’ attorneys are focusing their efforts, and which practices may create legal exposure. By tracking litigation trends, financial institutions can better anticipate risk, refine compliance programs, and avoid repeating costly mistakes.
1. Connolly v. Mott - Appraisal Bias
A 2022 case involved allegations that discriminatory appraisals violated the Equal Credit Opportunity Act (ECOA) and fair lending laws. The CFPB and DOJ filed an amicus brief emphasizing that lenders could be liable if they knew — or should have known — an appraisal was discriminatory.
The court ultimately ruled in favor of the appraiser. The plaintiffs couldn’t prove that the appraisal disparities weren’t based on legitimate factors, such as comparable sales, location analysis, and documented methodology.
2. Large Bank - Automated Underwriting and Class Action
In this case, eight borrowers alleged that a large bank’s automated underwriting system discriminated against Black and Hispanic applicants, citing lower approval rates, longer delays, and less favorable terms. Class certification was denied — not because discrimination was disproven, but because the plaintiffs lacked the commonality needed to represent all minority applicants. Individual lawsuits remain possible.
Takeaway: Ensure that appraisal reviews are thorough and that automated systems have meaningful human oversight. Statistical disparities alone do not establish discrimination; claims require evidence of intentional conduct.
State-Specific Regulatory Changes
Conference of State Bank Supervisors (CSBS)
On March 1, 2025, the Conference of State Bank Supervisors implemented its first mortgage licensing fee increase since 2008. This move is part of a broader trend: many states are also raising fees, either through annual adjustments or one-time hikes.
Takeaway: FIs should continue focusing on ensuring compliance while controlling costs.
Remote Work Rules
Many states are updating mortgage rules regarding remote work for licensed employees. Typically, consumers can’t visit personal home offices and loan records can’t be stored at residences, but Wisconsin, Rhode Island, and California are enacting stricter requirements.
Takeaway: Remote work policies should be formalized and tailored to meet state requirements, including proper data security and restrictions on working from public spaces.
Proposed AI & Algorithmic Decision-Making Law (New York)
New York has proposed a law that would directly regulate automated decision-making tools in lending. If enacted, FIs must conduct annual impact assessments, evaluate risks such as bias, cybersecurity, and privacy, and post them on their websites, among other requirements.
Takeaway: Continue to monitor the proposal, as it could create new compliance obligations and influence similar legislation in other states.
Related: Massachusetts Hits Lender with $2.5 Million AI-Related Underwriting Settlement
Finalized CCPA Amendments (California)
California’s newly approved CCPA amendments are expanding compliance expectations in two major ways:
- Automated decision-making technology (ADMT): Lenders must disclose ADMT use at data collection, offer at least two opt-out options, provide access to the technology’s logic and consumer data, and conduct a formal risk assessment when triggered.
- Cybersecurity audits: Businesses handling personal data with “significant risk” must perform an annual cybersecurity audit — internal or external — using qualified, independent auditors. Reports must include the required components, be signed, and be submitted to management each year.
Takeaway: FIs in California (or with customers in California) that are subject to the CCPA should prepare for compliance ASAP.
Related: California Privacy Protection Agency's New CPPA Rules for Financial Institutions
Trending Topics
Artificial Intelligence
AI remains a buzzword, but regulators, especially on the state level, are starting to add more specificity to definitions that apply across financial services — including lending. Best practices for AI include:
- Risk-Based AI Use: Ensure AI deployment aligns with the institution’s risk appetite. Implement controls for accuracy, access, and information security, and define policies for when and how AI can be used — especially when handling sensitive or personally identifiable information (PII) under the Gramm-Leach-Bliley Act (GLBA), Regulation P, and other data privacy rules.
- Third-Party AI and Vendor Due Diligence: Conduct thorough due diligence, verifying performance claims and understanding the context behind metrics or efficiency assertions. Prioritize transparency, integrity, and trust when evaluating and onboarding AI solutions.
Takeaway: AI is powerful for fraud prevention and operational efficiency, but it’s vital to evaluate each use case through risk, regulatory overlap, and explainability before adoption.
Related: What is AI Auditing and Why Does It Matter?
Consumer Complaints
Consumer complaints remain a critical focus, particularly given limited federal examination resources. Since complaint resolution is less prioritized at the federal level, FIs must manage complaints effectively on their own by upholding best practices, such as documenting complaint policies and processes and integrating complaints into program-level risk assessments.
Takeaway: Implement a robust complaint management program to identify trends, detect control weaknesses, and address issues promptly.
Related: What is Complaint Management and How Does It Work?
Want a deeper dive into these updates? Our compliance team breaks them down in detail in our latest webinar.