Banks, credit unions, and mortgage companies entered 2026 in a regulatory landscape that pulled back at the federal level and pushed forward in every state capital. Acting Director Russell Vought was designated to lead the Consumer Financial Protection Bureau on February 7, 2025, paused most enforcement, and proposed reducing the Bureau's workforce by more than 80 percent. A D.C. Circuit panel acknowledged that figure in litigation over the reduction-in-force plan. None of that repealed a single statute. The Home Mortgage Disclosure Act, the Equal Credit Opportunity Act, the Fair Credit Reporting Act, the Truth in Lending Act, the Real Estate Settlement Procedures Act, and the Bank Secrecy Act are all federal laws that the CFPB implements through regulation. They survive any administrative pullback.
State attorneys general, state banking departments, state credit union examiners, and consumer-protection divisions moved fast to fill the federal gap. New York enacted the FAIR Business Practices Act in 2025. California finalized a single regulation package covering automated decision-making technology, risk assessments, and annual cybersecurity audits, effective January 1, 2026. The Homebuyers Privacy Protection Act amended the Fair Credit Reporting Act and took effect March 4, 2026, restricting mortgage trigger leads nationwide. Multi-state coordination through the Conference of State Bank Supervisors keeps moving toward standardized examination formats. The 2026 HMDA asset-size exemption threshold rose to $59 million per the CFPB's January 7, 2026 final adjustment. Every lender above that threshold still files.
This article walks through what your loan application interface must capture in 2026 to satisfy whichever examiner walks in, how Microsoft 365 governance and audit tooling supports the data-trail requirements across banks, credit unions, and mortgage companies, and the seven specific steps that turn a brittle application workflow into an examination-ready system of record.
The CFPB Rollback Did Not Repeal Your Data Rules
The Consumer Financial Protection Bureau is one federal agency. The statutes it enforces sit in the United States Code. A change in CFPB leadership cannot rewrite Congress. The Home Mortgage Disclosure Act lives at 12 USC 2801. The Equal Credit Opportunity Act lives at 15 USC 1691. The Fair Credit Reporting Act lives at 15 USC 1681. The Truth in Lending Act lives at 15 USC 1601. These statutes assign data-collection, recordkeeping, and consumer-disclosure obligations to lenders. Reduced examination cadence does not change the obligations.
The 2022 CFPB interpretive rule on state enforcement of the Consumer Financial Protection Act remains in effect. That rule confirmed that state attorneys general can bring civil actions to enforce CFPA provisions, including the prohibition on unfair, deceptive, or abusive acts or practices. The delegation survived the leadership change. State AGs are not waiting for federal coordination.
Three categories of obligation continue regardless of federal enforcement posture.
- Data collection at the application stage. HMDA Loan Application Register fields apply to mortgage applications at lenders above the $59 million asset threshold. Equal Credit Opportunity Act monitoring information applies to consumer applications across every product where a bank or credit union takes a consumer credit application. Bank Secrecy Act Customer Identification Program fields apply at account opening. None of this is optional.
- Recordkeeping by statutory period. HMDA records under Regulation C must be retained for three years. ECOA application records under Regulation B require 25 months for consumer applications and 12 months for business applications. TILA general records under Regulation Z require two years. The TRID closing disclosure record under 12 CFR 1026.25(c)(1)(ii)(A) requires five years. RESPA mortgage servicing records under 12 CFR 1024.38(c)(1) require one year after the loan is paid off or servicing is transferred. Your interface and your archival platform must hit the longest applicable window for the document type.
- Audit-trail evidence. Every consumer protection rule that lets a borrower or applicant challenge a lending decision presumes the lender can reconstruct that decision from contemporaneous records. Adverse action notices under ECOA, fair-lending disparate-treatment analysis, and HMDA quality control all assume the underlying data has not been altered after the fact. Tamper-evident audit trails are what make that assumption defensible.
The CFPB has not formally rescinded its prior compendium of supervisory guidance. State examiners and federal prudential regulators including the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Federal Reserve continue to expect the same documentation discipline they expected before 2025. The path of least resistance for a community bank, a credit union, or a mortgage company is to keep collecting the same fields, retain them under the longest applicable period, and design the interface so the audit trail is automatic.
The 2026 State-Level Patchwork Banks, Credit Unions, and Mortgage Companies Now Navigate
Federal enforcement contracted. State enforcement expanded. The result is a patchwork of consumer-protection regimes that lenders operating in more than one state must reconcile. The strictest state controls. Designing for the federal minimum no longer protects against examination risk in California, New York, Massachusetts, Colorado, or Connecticut.
| State | 2025-2026 Action | What It Means for Your Application Interface |
|---|---|---|
| New York | FAIR Business Practices Act (Senate Bill 8416, sponsored by Sen. Comrie and Asm. Lasher) passed both houses in June 2025 and was chaptered by Governor Hochul. Amends General Business Law section 349 to cover unfair, deceptive, AND abusive acts or practices. First substantive update to the UDAP framework in roughly 45 years. | Application disclosures, pricing practices, and adverse action notices have to defend against an "abusive" standard, not just deception. Junk-fee scrutiny, AI-driven decisioning, and predatory lending fall squarely inside scope. |
| California | California Privacy Protection Agency finalized a single regulation package on automated decision-making technology, risk assessments, and annual cybersecurity audits. Approved by the Office of Administrative Law and filed with the Secretary of State on September 22, 2025. Effective January 1, 2026 with phased compliance windows. | Automated underwriting models, AI-assisted application triage, and any decisioning that materially affects a California consumer must be disclosed. Annual cybersecurity audits begin certifying for businesses with more than $100 million in revenue by April 1, 2028, then phase down to smaller revenue tiers. |
| Michigan | Attorney General reaffirmed direct enforcement of the Michigan Consumer Protection Act for consumer lending and mortgage practices. State-level filings and investigations have continued through 2025 and into 2026. | Mortgage origination disclosures and consumer banking pricing have to survive a state UDAP review. Documentation of disclosure timing and content is the defense. |
| Multi-state through CSBS | Conference of State Bank Supervisors continued to advance the One Company, One Exam framework, standardizing examination formats across state banking departments. Several former CFPB examiners moved to state agencies, bringing federal-level expertise into local enforcement. | A single coordinated state examination can now cover the same scope a CFPB examiner would have covered before 2025. The data requests look similar. Your interface and archive must produce the same evidence packets on roughly the same timelines. |
For a multi-state lender, the practical implication is straightforward. Configure your loan application interface against the strictest state requirement applicable to your footprint, then satisfy every other state by default. Trying to maintain separate workflows by state creates a maintenance burden that scales as you grow.
Homebuyers Privacy Protection Act took effect March 4, 2026
Public Law 119-36 was signed September 5, 2025 and took effect 180 days later, on March 4, 2026. It amends Fair Credit Reporting Act section 604(c), at 15 USC 1681b(c), to restrict the use of prescreened consumer reports (known in the industry as trigger leads) for residential mortgage loans. Lenders receiving trigger lead data now must have express consumer authorization or an existing customer relationship before initiating outbound marketing. Your application interface should record consumer authorization for marketing communications at the same point of entry where you capture HMDA monitoring information. Treat the two as a paired requirement.
What Your Loan Application Interface Must Capture in 2026
The fields your application interface must capture vary by institution type and product. The principle is the same. Collect the regulated data at the point of entry, validate it before the application advances, and protect it from after-the-fact editing. Retrofitting data collection creates gaps that examiners and plaintiffs' lawyers both find.
HMDA fields for mortgage applications above the $59 million asset threshold
Regulation C requires the following data points on the Loan Application Register for every covered application.
- Applicant demographics collected using the standardized HMDA categories for race, ethnicity, and sex, including the disaggregated subcategories required since the 2018 LAR update.
- Loan characteristics including loan type, purpose, loan amount, interest rate, points, loan term, introductory rate period, balloon payment, interest-only payment, negative amortization, prepayment penalty term, and the manufactured home secured property type.
- Property information including property address with full geocoding, occupancy type, construction method, total units, multifamily affordable units, lien status, property value, and AUS used.
- Underwriting data including debt-to-income ratio, combined loan-to-value ratio, credit score used and the model that produced it, the applicant's reported income, and the application channel.
- Action taken as originated, approved not accepted, denied, withdrawn, incomplete, purchased, or preapproval-related categories.
- Denial reasons captured for every denied application using the Regulation C denial-reason code set.
ECOA monitoring information for non-mortgage consumer applications at banks and credit unions
Regulation B requires creditors to collect monitoring information for applications made primarily for the purchase or refinancing of an applicant's principal residence. For other consumer credit, the Bureau allows but does not require monitoring information collection. Many banks and credit unions choose to collect anyway, both for fair-lending analytics and to align with their HMDA workflow on the mortgage side.
- Monitoring information at the same point of entry as the credit application, with the applicant given the option to decline using language that does not invite a particular response.
- Adverse action data when an application is denied, including the specific principal reasons and the data that supported the decision. This includes consumer credit, deposit account opening, member loan applications at credit unions, and small business credit when ECOA applies.
- Pricing data sufficient to run disparate-treatment analysis across applicant demographic categories. Banks and credit unions with significant indirect auto lending, residential real estate lending, or commercial real estate lending exposures all draw fair-lending scrutiny.
- Exception logs recording every time a loan officer or branch manager overrides automated pricing or underwriting recommendations. Examiner fair-lending review compares exception rates across demographic groups.
BSA Customer Identification Program data at account opening
Banks and credit unions are required to capture and verify identifying information at account opening under the Customer Identification Program rules implementing the Bank Secrecy Act. The application interface for a deposit account or member account is where the CIP data enters the system.
- Identifying information including legal name, date of birth, residential address, and tax identification number for U.S. persons, with comparable documentation for non-U.S. persons.
- Verification evidence including the identification document presented, the issuing authority, and the comparison method used to verify the applicant's identity.
- Beneficial ownership data for legal entity customers under the FinCEN beneficial ownership rule.
- OFAC and politically-exposed-person screening records associated with the application at the time the screening was performed.
Microsoft 365 includes the governance and audit tooling that turns a fair-lending application workflow into an examination-ready system of record. Microsoft Purview Audit retains audit log entries for one year by default and supports a 10-year add-on, with Search-UnifiedAuditLog returning up to 50,000 records per query, so HMDA and ECOA evidence packets can be pulled inside the regulatory window. Microsoft Purview Information Protection sensitivity labels travel with HMDA and Reg B data, encrypting at rest and in transit and enforcing retention policy automatically. Microsoft Entra ID Conditional Access supports up to 195 policies per tenant and 250 applications per policy, gating access to the loan origination system and the deposit application portal to managed devices and authenticated users only. Microsoft Defender for Cloud Apps monitors for risky OAuth grants and consumer-data exfiltration attempts. Microsoft Sentinel ingests audit telemetry into a single financial-services workspace where consumer-protection-relevant events can be alerted, investigated, and retained for the longest applicable regulatory window. ABT manages the Microsoft 365 tenant where these controls live and hosts the Azure environment where the loan origination system and member portals run for community banks, credit unions, and mortgage companies.
Sources: Microsoft Learn (Microsoft Purview Audit retention, Microsoft Purview Information Protection sensitivity labels, Microsoft Entra Conditional Access service limits, Microsoft Defender for Cloud Apps OAuth investigation, Microsoft Sentinel workspace capacity), 2025-2026.
Seven Steps to Build a CFPB-Proof Application Interface
The same seven steps apply to a community bank's deposit application portal, a credit union's member loan application, and a mortgage company's loan origination system. The fields change. The discipline does not.
Map Every Data Field to Its Regulatory Source
Build a crosswalk document that ties each field in your application interface to the specific regulation requiring it. HMDA Regulation C, ECOA Regulation B, TILA Regulation Z, RESPA Regulation X, FCRA, BSA Customer Identification Program, OFAC, state UDAP statutes, and any state-specific application-data rules should all be referenced. A field without a regulatory source is either a business field your team can drop if the workflow gets reworked, or a field your compliance team forgot to map. Either way, it is information your IT director needs.
For banks and credit unions, include core banking application fields that feed your compliance reporting outputs, including the call report, FFIEC 002 if applicable, and Suspicious Activity Report data sources. For mortgage companies, include Fannie Mae and Freddie Mac delivery data fields that depend on application-entry data.
Validate Data at Entry, Not at Quality Control
Do not wait for a downstream quality control review to catch missing or inconsistent data. Build validation rules into the application interface itself. Required fields cannot be left blank without an explicit applicant-decline path. Format checks catch transposed digits in property values, dates outside reasonable ranges, and credit score values outside the model's possible output. Cross-field validation flags inconsistencies, like an application with a stated 80 percent loan-to-value that does not arithmetically match the loan amount and property value entered.
Examiner expectations have shifted toward proactive control design. The FFIEC Development, Acquisition, and Maintenance Booklet released August 2024, communicated to national banks through OCC Bulletin 2024-26, to state member banks through Federal Reserve SR 24-6, and to credit unions through NCUA Letter 24-CU-01, emphasizes that data integrity should be designed into the system development lifecycle, not added through post-hoc remediation.
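The entry-time checks described in this step, sketched as an added example (not ABT's or any vendor's code). The field names, the `APPLICANT_DECLINED` marker, the 300-850 score range, the half-point LTV tolerance and the one-year date window are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field, replace
from datetime import date, timedelta
from decimal import Decimal
from typing import Optional

# Assumed values for illustration; real ranges come from the scoring model's
# documentation and the institution's own policy.
SCORE_RANGE = (300, 850)
LTV_TOLERANCE_PCT = Decimal("0.5")           # allowed rounding gap, in points
MAX_APPLICATION_AGE = timedelta(days=365)
DECLINED = "APPLICANT_DECLINED"              # hypothetical explicit-decline marker
REQUIRED = ("loan_amount", "property_value", "stated_ltv_pct",
            "credit_score", "application_date")
MONITORING = ("ethnicity", "race", "sex")


@dataclass
class Application:
    loan_amount: Optional[Decimal] = None
    property_value: Optional[Decimal] = None
    stated_ltv_pct: Optional[Decimal] = None
    credit_score: Optional[int] = None
    application_date: Optional[date] = None
    monitoring: dict = field(default_factory=dict)


def validate(app: Application, today: date) -> list:
    """Return (field, problem_code) pairs; an empty list means the
    application may advance to the next stage."""
    problems = []

    # Required fields cannot be blank.
    for name in REQUIRED:
        if getattr(app, name) is None:
            problems.append((name, "required"))

    # Monitoring information may be declined, but only through the explicit
    # decline path; a silently empty field is rejected.
    for name in MONITORING:
        if not app.monitoring.get(name):
            problems.append((name, "blank_without_decline"))

    # Format and range checks.
    score = app.credit_score
    if score is not None and not SCORE_RANGE[0] <= score <= SCORE_RANGE[1]:
        problems.append(("credit_score", "out_of_range"))
    when = app.application_date
    if when is not None and not today - MAX_APPLICATION_AGE <= when <= today:
        problems.append(("application_date", "out_of_range"))
    for name in ("loan_amount", "property_value"):
        amount = getattr(app, name)
        if amount is not None and amount <= 0:
            problems.append((name, "not_positive"))

    # Cross-field check: the stated LTV must match loan amount / property value.
    loan, value, stated = app.loan_amount, app.property_value, app.stated_ltv_pct
    if loan is not None and value is not None and stated is not None and value > 0:
        computed = loan / value * 100
        if abs(computed - stated) > LTV_TOLERANCE_PCT:
            problems.append(("stated_ltv_pct", "ltv_mismatch"))
    return problems


def sample_application(**overrides) -> Application:
    """Constructed sample record: a clean application, optionally with
    individual fields overridden to simulate a keying error."""
    clean = Application(
        loan_amount=Decimal("200000"),
        property_value=Decimal("250000"),
        stated_ltv_pct=Decimal("80"),
        credit_score=720,
        application_date=date(2026, 3, 2),
        monitoring={"ethnicity": "Not Hispanic or Latino",
                    "race": DECLINED, "sex": "Female"},
    )
    return replace(clean, **overrides)


if __name__ == "__main__":
    today = date(2026, 3, 10)
    # Property value keyed with transposed digits: 250000 entered as 520000.
    print(validate(sample_application(property_value=Decimal("520000")), today))
```

A transposed property value passes every single-field format check; only the cross-field LTV comparison rejects it.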
Lock Completed Fields and Track Every Change
Once an applicant submits monitoring information under Regulation B or HMDA demographic data under Regulation C, that data should be protected from editing by loan officers, processors, or branch staff. Subsequent changes must be tracked through an audit trail showing the original entry, the changed value, the user who made the change, the timestamp, and the reason recorded.
Microsoft Purview Audit captures the underlying activity log automatically across Microsoft 365 applications. Microsoft Entra ID privileged-identity management ensures that the small group of users who do have authority to override locked fields cannot do so without a just-in-time elevation that itself is logged and approved. The audit trail your examiner expects to see is the same audit trail your security team wants for insider-threat detection. Both groups read the same evidence.
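An added example (not Microsoft's or ABT's code) of what tamper-evident means for the change record described above: each entry carries the original value, new value, user, timestamp and reason, and is chained to the previous entry by a SHA-256 hash. The class, function and field names are hypothetical, and the sketch assumes the latest head hash is copied to a store the application's users cannot write to.

```python
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Optional

GENESIS = "0" * 64   # prev_hash of the first entry in a chain


@dataclass(frozen=True)
class ChangeRecord:
    application_id: str
    field: str
    original_value: str
    new_value: str
    user: str
    timestamp: str       # ISO 8601, UTC
    reason: str
    prev_hash: str       # entry_hash of the preceding record
    entry_hash: str      # SHA-256 over every field above


def digest(body: dict) -> str:
    """Hash a record body in a canonical JSON form so that verification
    reproduces exactly the bytes that were hashed at write time."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    def __init__(self):
        self.entries = []

    @property
    def head(self) -> str:
        return self.entries[-1].entry_hash if self.entries else GENESIS

    def record_change(self, application_id, field, original_value,
                      new_value, user, timestamp, reason) -> ChangeRecord:
        if not reason.strip():
            raise ValueError("every change needs a recorded reason")
        body = {
            "application_id": application_id, "field": field,
            "original_value": original_value, "new_value": new_value,
            "user": user, "timestamp": timestamp, "reason": reason,
            "prev_hash": self.head,
        }
        record = ChangeRecord(**body, entry_hash=digest(body))
        self.entries.append(record)
        return record


def first_broken_entry(entries, anchored_head: str) -> Optional[int]:
    """Return the index of the first entry that fails verification,
    len(entries) if the tail was removed or replaced, or None if intact.
    anchored_head is the head hash kept outside the application's store."""
    prev = GENESIS
    for index, record in enumerate(entries):
        body = asdict(record)
        claimed = body.pop("entry_hash")
        if record.prev_hash != prev or digest(body) != claimed:
            return index
        prev = claimed
    return None if prev == anchored_head else len(entries)


def demo_trail() -> AuditTrail:
    """Constructed sample data: three changes to one application."""
    trail = AuditTrail()
    trail.record_change("APP-0001", "property_value", "520000", "250000",
                        "processor.a", "2026-03-02T15:04:00Z",
                        "keying error corrected against appraisal")
    trail.record_change("APP-0001", "reported_income", "84000", "86500",
                        "processor.a", "2026-03-03T09:12:00Z",
                        "updated from verified pay stub")
    trail.record_change("APP-0001", "action_taken", "incomplete", "denied",
                        "underwriter.b", "2026-03-09T17:40:00Z",
                        "underwriting decision")
    return trail


if __name__ == "__main__":
    trail = demo_trail()
    print(first_broken_entry(trail.entries, trail.head))   # intact chain
```

Without the externally held head hash, someone with write access to the store could rewrite the whole chain consistently; the anchor is what turns the chain into evidence.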
Automate Threshold Compliance Against Current-Year Values
The 2026 HMDA asset-size threshold is $59 million. The 2026 HOEPA points-and-fees triggers update annually. The QM safe-harbor APR-to-APOR spread thresholds adjust with the average prime offer rate. The TILA exempt-loan threshold for higher-priced mortgage loans changes. The CFPA UDAAP enforcement priorities shift. Your application interface should reference current threshold values from a centrally managed configuration table, not hardcoded numbers from last year's release.
Your IT and compliance teams should publish a January refresh checklist that runs through every regulatory threshold and updates the production configuration. The same refresh should propagate into Power BI dashboards, alerting rules, and quality-control reports.
Generate Examiner-Ready Reports On Demand
State examiners and federal regulators now arrive with detailed data requests. Campaign archives, NMLS identifier verification for mortgage loan originators, branch-level fair lending data, exception logs, and Bank Secrecy Act monitoring evidence are all expected on short turnaround. Build report templates inside your Power BI compliance dashboard environment or your business intelligence layer of choice that pull directly from the application interface data store.
Include calculation methodology, source-system attribution, and timestamps inside the report output itself. Examiners want to know how a number was produced, not just that it is correct.
Run Mock Examinations Quarterly
Have your compliance team simulate a state or federal examination at least once per quarter. The compliance officer plays the examiner role and submits the data requests a real examiner would submit. The IT and operations teams produce the data on the timeline a real examination would impose. Gaps found during a mock examination are easy to close. Gaps found during a real examination become enforcement-action narratives.
Include a different consumer-protection theme each quarter. Fair lending one quarter. Servicing compliance the next. BSA and AML the next. HMDA data integrity the next. Rotate the theme so coverage stays broad.
Anchor the Interface in a Managed Microsoft 365 and Azure Environment
The application interface is one component. The data trail behind it depends on the surrounding Microsoft 365 tenant and Azure infrastructure. Microsoft Purview Audit retains the activity log. Microsoft Entra ID Conditional Access controls who can reach the interface and under what conditions. Microsoft Defender for Cloud Apps watches for risky integrations. Microsoft Sentinel correlates the telemetry. The application is only as compliant as the environment around it.
A Tier 1 Microsoft Cloud Solution Provider that manages your Microsoft 365 tenant and hosts your Azure environment closes the loop between application interface and audit trail by design. ABT serves community banks, credit unions, and mortgage companies in that capacity, with explicit configuration of Purview, Entra, Defender, and Sentinel controls against the consumer-protection regulations applicable to each customer.
Retention Windows by Regulation: Get These Right
The single most common compliance error in cross-functional teams is treating retention as a single number. There is no single number. Retention is a matrix indexed by the regulation, the document type, the institution type, and sometimes the action taken on the application. The simplest defensible policy is to retain to the longest applicable window for the document type, and to design the archive so individual records can be retrieved on examiner timelines.
| Regulation and Record Type | Retention Period | Citation |
|---|---|---|
| HMDA Loan Application Register | 3 years from publication of the modified LAR | 12 CFR 1003.5(a)(1)(i) |
| ECOA Regulation B consumer application records | 25 months after notification of action taken | 12 CFR 1002.12(b)(1) |
| ECOA Regulation B business application records (general) | 12 months after notification of action taken | 12 CFR 1002.12(b)(5) |
| TILA Regulation Z general records | 2 years after disclosures are required | 12 CFR 1026.25(a) |
| TILA Regulation Z TRID Loan Estimate and ATR-QM | 3 years after consummation | 12 CFR 1026.25(c)(1)(i), (c)(3) |
| TILA Regulation Z TRID Closing Disclosure | 5 years after consummation | 12 CFR 1026.25(c)(1)(ii)(A) |
| RESPA Regulation X mortgage servicing records | 1 year after the loan is discharged or servicing is transferred | 12 CFR 1024.38(c)(1) |
| BSA Customer Identification Program records | 5 years after the account is closed | 31 CFR 1020.220(a)(3) |
| FCRA records related to permissible-purpose certifications and adverse action | 2 years (general FCRA litigation statute of limitations as a floor) | 15 USC 1681p |
For an institution serving consumer mortgage borrowers, the binding constraint is typically the 5-year TRID Closing Disclosure retention. Building archive policy against that floor handles the shorter HMDA, ECOA, TILA, and RESPA windows automatically. For state-licensed lenders, layer state-specific retention requirements on top. Several states require 7 or 10 years for mortgage records. Your retention policy should be a matrix, not a single value, and your compliance IT framework should encode the matrix in the archive configuration, not in a procedure document that nobody reads at retrieval time.
Productivity, Security, and Governance in one workflow
- Productivity: A well-designed application interface lets loan officers, MSRs, and processors capture the regulated data in a single pass. No re-keying, no spreadsheet hand-offs, no after-hours quality-control rework. Pipeline velocity goes up because the data discipline is automatic.
- Security: Tamper-evident audit trails through Microsoft Purview Audit and identity gating through Microsoft Entra ID Conditional Access prevent the insider-threat and account-takeover scenarios that breach a fair-lending defense. The same controls satisfy GLBA Safeguards, FFIEC, and state cybersecurity audit expectations.
- Governance: Examiners get the answer they ask for in the timeframe they expect. Retention windows match the regulation. Adverse action notices defend on the merits. The audit trail tells one story, the report tells the same story, and the live system tells the same story too.
Mock Examination Test: 12 Questions Examiners Will Ask in 2026
Use this list inside a quarterly mock examination. Each question is one a state attorney general, a state banking department, or a federal prudential regulator can credibly submit during a 2026 examination cycle. If your application interface and supporting Microsoft 365 controls cannot produce the answer inside one business day, address the gap before the real request lands.
- For the most recent 12-month period, produce a Loan Application Register sample with all HMDA fields populated, including geocoded property addresses, AUS used, denial reasons for denied applications, and a verification trail showing whether the data has been edited after applicant submission.
- For three randomly selected denied consumer applications, produce the adverse action notice as sent, the data that supported the denial, the user who entered the data, and the timestamp at each stage.
- Show the disparate-treatment fair-lending analysis your institution ran on residential mortgage applications by demographic category for the most recent 12-month period. Include the methodology, the input data, and the disposition of any pricing or denial-rate anomalies.
- Produce the exception log showing every override of automated pricing or underwriting for the most recent quarter, broken down by loan officer and demographic category of the applicant.
- For any consumer who received a prescreened solicitation in the last six months, demonstrate compliance with the Homebuyers Privacy Protection Act standard. Show express consumer authorization or an existing customer relationship that justified the solicitation.
- Produce the Microsoft Entra ID Conditional Access policy set governing who can access the loan origination system, the deposit application portal, or the member loan application interface. Include the device-compliance posture required for access.
- Produce the Microsoft Purview Audit retention configuration for the workloads handling consumer application data. Confirm the retention period meets the longest applicable regulatory window for the data type.
- For a randomly selected closed loan, retrieve the TRID Closing Disclosure from your archive. Confirm the timestamp of generation, the version control of the document, and the retention period configured.
- Produce evidence of the BSA Customer Identification Program data captured for the most recent 100 account openings, including verification documents and screening evidence.
- For the most recent annual cybersecurity review, produce the audit report, the management response, and the remediation timeline for any identified gaps. California-domiciled institutions above the revenue threshold should additionally show progress toward their annual cybersecurity audit certification.
- For any automated decision-making technology that affects California consumers, produce the disclosure provided to consumers, the methodology summary, and the consumer opt-out path.
- Produce the September 2024 release of the FFIEC Operational Resilience Booklet self-assessment for your institution, with named owners for each control objective and the most recent test result.
If three or more questions on this list would take more than one business day to answer, your application interface and supporting Microsoft 365 environment are not yet examination-ready for 2026. The remediation is rarely a new product purchase. The remediation is configuration, retention, and audit-trail discipline that ABT and most other Microsoft Tier 1 Cloud Solution Providers can complete inside a 90-day engagement.
Frequently Asked Questions
No. HMDA and ECOA are federal statutes implemented through Regulation C and Regulation B. The CFPB cannot repeal a statute through administrative action. The 2026 HMDA asset-size exemption threshold is $59 million, finalized by the CFPB on January 7, 2026. Every covered bank, credit union, and mortgage company above that threshold must continue collecting and reporting HMDA data. ECOA monitoring information requirements for residential mortgage applications and ECOA recordkeeping for consumer credit applications remain in full effect. Reduced federal examination cadence does not change the underlying legal obligations.
New York enacted the FAIR Business Practices Act in 2025, which amended General Business Law section 349 to cover unfair, deceptive, and abusive acts or practices. California finalized a single regulation package covering automated decision-making technology, risk assessments, and annual cybersecurity audits effective January 1, 2026. Michigan continued direct enforcement of the Michigan Consumer Protection Act for consumer lending and mortgage practices. Multi-state coordination through the Conference of State Bank Supervisors continued to advance the One Company, One Exam framework, with former CFPB examiners now working inside state agencies. Multi-state lenders should design their application interface against the strictest applicable state requirement.
Retention is a matrix indexed by the regulation and document type. HMDA Loan Application Register records require 3 years under 12 CFR 1003.5. ECOA Regulation B consumer application records require 25 months under 12 CFR 1002.12. TILA Regulation Z general records require 2 years under 12 CFR 1026.25(a), with the TRID Closing Disclosure requiring 5 years. RESPA Regulation X servicing records require 1 year after the loan is paid off or servicing is transferred. BSA Customer Identification Program records require 5 years after the account is closed. The longest applicable window controls. Several states require 7 or 10 years for mortgage records. Build your archive to the longest applicable requirement, not to a single value.
Public Law 119-36, the Homebuyers Privacy Protection Act, was signed September 5, 2025 and took effect 180 days later on March 4, 2026. It amended Fair Credit Reporting Act section 604(c), at 15 USC 1681b(c), to restrict the use of prescreened consumer reports (known in the industry as trigger leads) for residential mortgage applications. Lenders receiving trigger lead data must now have express consumer authorization or an existing customer relationship before initiating outbound marketing to the consumer. Your application interface should capture explicit marketing authorization from each applicant at the same point of entry as HMDA monitoring information.
Microsoft Purview Audit retains audit log entries for one year by default with a 10-year add-on, capturing every read, write, and configuration change across the Microsoft 365 workloads that handle consumer application data. Microsoft Purview Information Protection sensitivity labels travel with HMDA and Regulation B data, enforcing encryption and retention automatically. Microsoft Entra ID Conditional Access gates who can reach the loan origination system, the deposit application portal, or the member loan application interface, requiring managed devices and authenticated identities. Microsoft Defender for Cloud Apps monitors for risky OAuth integrations and consumer-data exfiltration. Microsoft Sentinel correlates the audit telemetry into a single financial-services workspace. A Tier 1 Microsoft Cloud Solution Provider like ABT manages the Microsoft 365 tenant where these controls live and hosts the Azure environment where the loan origination system and member portals run.
The Consumer Financial Protection Bureau enforces federal consumer financial laws including the Home Mortgage Disclosure Act, the Equal Credit Opportunity Act, the Truth in Lending Act, the Real Estate Settlement Procedures Act, and the Fair Credit Reporting Act. State attorneys general can independently enforce the Consumer Financial Protection Act under a 2022 CFPB interpretive rule that remains in effect. Many states also enforce their own UDAP statutes covering unfair and deceptive acts and practices, and increasingly cover abusive practices as well after the 2025 New York FAIR Business Practices Act. State banking departments and credit union supervisors examine state-chartered institutions against state and federal requirements together. The practical implication is that a state-level enforcement action can proceed independently of federal CFPB activity, and lenders operating in multiple states should design against the strictest applicable standard.
Justin Kirsch
CEO, Access Business Technologies
Justin Kirsch has guided Microsoft licensing and compliance strategy for credit unions, banks, and mortgage companies since 1999. As CEO of Access Business Technologies, the largest Tier-1 Microsoft Cloud Solution Provider dedicated to financial services, he helps more than 750 financial institutions capture examination-ready lending data and meet fair-lending requirements across their Microsoft 365 environments.

