Regulatory change is hitting mortgage lending on many fronts — from the CFPB's latest agenda to Fannie Mae's new cybersecurity requirements to an influx of evolving state regulations. Staying compliant requires financial institutions (FIs) to stay updated on the latest developments.
To help you navigate the changing regulatory landscape, we've compiled the latest must-know updates for mortgage lenders. For a deeper dive into these topics, watch our webinar.
Stay informed: For the latest mortgage industry updates — and more tailored notifications relevant to your FI — check out Ncomply.
With cyber threats escalating, Fannie Mae published its Information Security and Business Resiliency Supplement outlining new business resiliency and cyber requirements.
Effective August 12, 2025, these requirements apply to single-family sellers and servicers, multifamily lenders, technology service providers, and document custodians.
Here’s an overview of the three main obligations covered:
Takeaway: Fannie Mae isn’t reinventing the wheel — these requirements mirror broader industry standards — but the supplement makes clear that business continuity and disaster recovery must be tightly aligned with Fannie Mae’s contractual obligations, including annual validation and board-level accountability.
The Homebuyers Privacy Protection Act (HPPA), passed in September 2025 and taking effect March 4, 2026, represents a significant shift in how mortgage lenders can access and use consumer credit information for marketing purposes.
The law restricts credit reporting agencies (CRAs) from sharing consumer credit reports for unsolicited marketing, allowing access only for legitimate mortgage offers.
One example is a trigger lead. A trigger lead is when credit bureaus sell your loan inquiry to other lenders so they can market competing offers. Third parties receiving this information must obtain explicit consumer consent unless they are the consumer’s current mortgage originator, loan servicer, or have an established banking relationship.
While the law primarily targets CRAs, financial institutions must continue to comply with other federal rules, including Fair Credit Reporting Act (FCRA) opt-outs, pre-screen solicitations, and Do Not Call regulations.
Many states are tightening rules on trigger leads, with requirements and exemptions varying by jurisdiction. For example, Arkansas exempts only institutions that hold or service existing debt. Some states also require consumer notices when a trigger lead is received, clarifying that the institution is not affiliated with the lender where the consumer originally applied.
The Consumer Financial Protection Bureau (CFPB) has an active rulemaking agenda that touches nearly every corner of mortgage operations. From loan originator pay to servicing standards and consumer data rights, upcoming proposals and final rules could reshape compliance expectations in meaningful ways.
Below are several noteworthy items from the CFPB’s rule list. Be sure that you’re tracking and preparing for potential changes by:
The CFPB issued an advance notice that could potentially rescind some discretionary compensation provisions under Regulation Z, including limits on term- and condition-based compensation and on dual compensation for loan originators.
These prohibitions are written into the Truth in Lending Act (TILA), so the CFPB itself can’t change them — only grant exemptions through Regulation Z. If the Bureau tries to override these restrictions broadly, legal challenges are likely.
The CFPB could potentially roll back requirements under the Real Estate Settlement Procedures Act (RESPA) related to servicer policies and procedures, including early intervention with delinquent borrowers, continuity of contact requirements, and procedures for evaluating loss mitigation applications.
The official proposed rule hasn’t been published, but the Bureau may aim to scale back operational requirements, possibly requiring borrowers rather than servicers to complete incomplete loss mitigation applications.
The CFPB’s advance notice under TILA focuses on the form and content of consumer disclosures, especially interest rate adjustment notices for variable-rate transactions. Currently, any change in interest that affects a consumer’s payment triggers a notification requirement. Proposed changes could potentially lighten this burden, perhaps by requiring an annual notice or aligning notifications with closing disclosures.
While details are limited, recent shifts suggest the CFPB may update its current stance to reflect that disparate impact is not a violation of ECOA.
It’s crucial to note that the courts still recognize disparate impact under the Fair Housing Act, and state attorneys general or private parties could bring claims. Future administrations may also revisit these interpretations, allowing FIs’ current lending practices to be reviewed retrospectively.
The rule was originally proposed in July 2024, and many of its provisions stemmed from COVID-era practices. It is likely that the final rule slated for December will not include all elements of the proposal, such as the requirement that servicing communications be provided in languages other than English. However, certain aspects are likely to remain.
The CFPB issued an advance notice addressing whether authorized third parties must have a fiduciary relationship with the consumer to access their data.
The proposal also raises the question of whether FIs can charge fees to cover operational or technical costs associated with providing consumer data. While compliance dates have been extended, this rulemaking remains relevant to mortgage operations.
Court cases and enforcement actions often serve as early warning signals for lenders. They highlight how regulators interpret existing laws, where plaintiffs’ attorneys are focusing their efforts, and which practices may create legal exposure. By tracking litigation trends, financial institutions can better anticipate risk, refine compliance programs, and avoid repeating costly mistakes.
A 2022 case involved allegations that discriminatory appraisals violated the Equal Credit Opportunity Act (ECOA) and fair lending laws. The CFPB and DOJ filed an amicus brief emphasizing that lenders could be liable if they knew — or should have known — an appraisal was discriminatory.
The court ultimately ruled in favor of the appraiser. The plaintiffs couldn’t prove that the appraisal disparities weren’t based on legitimate factors, such as comparable sales, location analysis, and documented methodology.
In this case, eight borrowers alleged that a large bank’s automated underwriting system discriminated against Black and Hispanic applicants, citing lower approval rates, longer delays, and less favorable terms. Class certification was denied — not because discrimination was disproven, but because the plaintiffs lacked the commonality needed to represent all minority applicants. Individual lawsuits remain possible.
Takeaway: Ensure that appraisal reviews are thorough and that automated systems have meaningful human oversight. Statistical disparities alone do not establish discrimination; claims require evidence of intentional conduct.
On March 1, 2025, the Conference of State Bank Supervisors implemented its first mortgage licensing fee increase since 2008. This move is part of a broader trend: many states are also raising fees, either through annual adjustments or one-time hikes.
Takeaway: FIs should continue focusing on ensuring compliance while controlling costs.
Many states are updating mortgage rules regarding remote work for licensed employees. Typically, consumers can’t visit personal home offices and loan records can’t be stored at residences, but Wisconsin, Rhode Island, and California are enacting stricter requirements.
Takeaway: Remote work policies should be formalized and tailored to meet state requirements, including proper data security and limiting access to public spaces.
New York has proposed a law that would directly regulate automated decision-making tools in lending. If enacted, FIs must conduct annual impact assessments, evaluate risks such as bias, cybersecurity, and privacy, and post them on their websites, among other requirements.
Takeaway: Continue to monitor the proposal, as it could create new compliance obligations and influence similar legislation in other states.
California’s newly approved CCPA amendments are expanding compliance expectations in two major ways:
Takeaway: FIs in California (or with customers in California) that are subject to the CCPA should prepare for compliance ASAP.
AI remains a buzzword, but regulators, especially on the state level, are starting to add more specificity to definitions that apply across financial services — including lending. Best practices for AI include:
Takeaway: AI is powerful for fraud prevention and operational efficiency, but it’s vital to evaluate each use case through risk, regulatory overlap, and explainability before adoption.
Consumer complaints remain a critical focus, particularly given limited federal examination resources. Since complaint resolution is less prioritized at the federal level, FIs must manage complaints effectively on their own by upholding best practices, such as documenting complaint policies and processes and integrating complaints into program-level risk assessments.
Takeaway: Implement a robust complaint management program to identify trends, detect control weaknesses, and address issues promptly.