Lending compliance is familiar territory for mortgage companies — but if you don't understand how vendors, technology, and operations connect across your business, you're exposed to risks that threaten your ability to operate.
Recent enforcement actions reflect this risk. Mortgage companies are facing penalties ranging from $1.2 million to $27 million — not for fair lending violations, but for lack of governance.
So what does this mean for mortgage companies? Let's explore the importance of strong governance, common vendor management gaps and solutions, and how to build a risk management infrastructure that protects beyond lending compliance.
Historically, mortgage companies have operated with healthy margins. Operational inefficiencies — loan errors and penalties, for example — didn't typically threaten survival.
But that's changed. The Mortgage Bankers Association found that in Q1 2025, lenders with less than $100 million in dollar volume posted average losses of over $1,000 per loan, while lenders with low average loan balances recorded losses of over $1,300 per loan. When you're already operating on tight margins, operational mistakes compound the problem. If you suffer a cyber breach, a vendor goes down, or your loan origination system (LOS) stops working, you can't do business.
The regulatory landscape is also fragmented. While the CFPB may be stepping back, state attorneys general (AGs) across the country, each with their own priorities, are stepping up. Last year, the Massachusetts AG announced a $2.5 million settlement with a lender for AI-driven underwriting violations, among other issues.
And it's not just state AGs — the Baltimore mayor filed a lawsuit on behalf of the city against a fintech in October 2025 for allegedly misleading consumers through marketing practices and illegal interest charges.
The bottom line: Enforcement isn't going away. It's just coming from more directions.
For mortgage companies, governance means understanding how vendors, technology, and operations connect across your organization and designating a role responsible for overseeing those connections.
It's not just about following rules or avoiding penalties, though there has been a string of recent enforcement actions citing a “lack of governance” as grounds for action. Governance is also about enabling your business to adopt technology safely, serve more customers, and compete effectively. Without it, you're not just dealing with potential penalties — you're at risk of operational failures that stop you from growing.
A strong governance program for a mortgage company includes a few key elements:
Organizations like the Conference of State Bank Supervisors (CSBS), which runs the Nationwide Multistate Licensing System (NMLS), are advancing standards through model laws offered to the states. After examinations identified inadequate corporate governance and board oversight at nonbank mortgage servicers, CSBS developed Prudential Standards covering capital, liquidity, audit, risk management, and board oversight.
These aren't just compliance requirements. They are infrastructure that enables safe technology adoption and scalable operations, and delivers a competitive advantage. The standards apply to servicers with 2,000 or more loans operating in multiple states, and they are already being adopted by servicers that collectively handle 99% of the nonbank mortgage market.
The challenge? State adoption happens at different paces. Some states have already enacted prudential standards legislation, while others are following their own timelines. This challenge adds to an already complex, multi-state landscape where you need to track not only federal lending regulations but also state-specific operational and risk management requirements.
Nearly everything your mortgage company does is supported by a third party — your LOS, appraisal management company, settlement service providers, title search providers, cloud infrastructure, and even the person who services your copiers. As my colleague Rafael DeLeon has noted, third-party risk management can't be an afterthought for mortgage companies, yet that's exactly how most companies treat it until something goes wrong.
Ask yourself basic questions about your vendors: Which vendor failure would shut down your operations? What data access do they have? What does your due diligence process look like? How frequently do you monitor critical vendors? Is your offboarding process comprehensive?
If the answers are vague, you're not alone. Most mortgage companies aren't successfully managing the full lifecycle of third-party risk — and that's creating expensive problems.
Artificial intelligence adds another layer of complexity to governance and risk management. What makes AI particularly challenging: it multiplies whatever you're already doing — good or bad.
Mortgage companies were early adopters of AI in the financial services space, implementing automated underwriting and other tools. The problem: if you have bad data or outdated underwriting criteria and you feed that into AI, it just approves or denies more loans based on those bad criteria faster. Instead of making one mistake a day, you can make 1,000 mistakes a day with AI.
Before expanding AI use, you need to answer:
If you can't answer these questions, you're not ready to scale AI — regardless of competitive pressure.
Risk management doesn't have to slow you down — it's what enables you to move faster. Governance, TPRM, and AI oversight aren't barriers to adopting technology or scaling operations. They're the infrastructure that allows you to do both safely and efficiently. When you understand how vendors, technology, and operations connect across your business, you can compete effectively even in compressed-margin environments.
The mortgage companies prepared for evolving CSBS standards and state-level enforcement are those building this infrastructure now — before gaps become operational failures.