Compliance
Updated April 28, 2026 · 13 min read

8 Mortgage Compliance Features Every Lender Needs in 2026

TRID, QM/ATR, HMDA, ECOA, RESPA, HOEPA — and the cross-cutting controls that make them enforceable. The eight features mid-sized lenders should require, with CFR citations and demo-day test criteria.

Yatin Karnik

Founder & CEO, Confer Solutions

TL;DR

Compliance fails when it lives in QC reports rather than the workflow itself. The eight features below — TRID durable timers, QM/ATR per-loan verification, HMDA auto-population, ECOA decisioning + 30-day timer, RESPA Section 8 + servicing, HOEPA detection at lock, immutable audit logging, and 100% pre-close QC — are what separate workflow-enforced compliance from post-fund discovery. Each carries a CFR citation and a demo-day test criterion. Confer's compliance engine ships every one as architecture, not policy.

Why does compliance architecture matter more than compliance modules?

A compliance module reports on what already happened. Compliance architecture prevents the violation by gating the action. The cure cost difference is real: pre-close, you collect the missing document; post-close, you face a CFPB finding, an investor repurchase demand, or both. The ACES Q4 2024 industry-wide critical defect rate of 1.79% is the cost of compliance-as-module. Pre-close continuous validation targets sub-0.5%.

The eight features, with CFR citation and test criterion

#1 · 12 CFR § 1026.19(e)–(f)

TRID timing enforcement

The Closing Disclosure must reach the borrower exactly 3 business days before consummation. The Loan Estimate must go out within 3 business days of application. Tolerance buckets (0%, 10%, unlimited) constrain post-disclosure cost changes.

What the LOS must do

Durable workflow timers — Confer uses Temporal — that survive server restarts, deploys, and queue-worker crashes. Atomic state transitions on every clock event. Automatic redisclosure trigger when tolerance buckets are breached.

Cost of getting it wrong

TRID violation: $5K–$25K per CFPB incident. Late CD pushes closing 3+ business days. The cycle-time and reputation cost compounds.

#2 · 12 CFR § 1026.43(c)

QM / ATR — Ability to Repay verification

Eight factors must be verified on every loan: (1) current/expected income, (2) employment, (3) other income relied on, (4) monthly mortgage payment, (5) payments on simultaneous loans, (6) other obligations, (7) DTI/residual income, (8) credit history.

What the LOS must do

Per-loan verification of all 8 factors with stored evidence. Safe harbor vs. rebuttable presumption tracked. HPML detection at lock with auto-flag. No sampling — every loan verified.

Cost of getting it wrong

ATR violations expose lenders to indefinite borrower-foreclosure-defense liability. Investor repurchase demand on ATR-deficient loans: $15K–$50K per loan.

#3 · Regulation C, 12 CFR § 1003

HMDA LAR auto-population

110+ data points per loan must be filed annually with FFIEC. The 2024 reporting threshold lowered the bar; many mid-sized lenders that didn't report before now must.

What the LOS must do

Auto-population from origination data as the loan progresses. FFIEC edit-check validation continuously, not as a March crunch. Demographic data collected at borrower interaction, not retrofitted.

Cost of getting it wrong

Inaccurate HMDA: $50K–$2M+ in CFPB enforcement penalties. HMDA prep done manually consumes 80–120 FTE hours per cycle.

#4 · 12 CFR § 1002

ECOA / Reg B — Adverse action and decision timing

Adverse action notices must go out within 30 days of an application's completion. Demographic data must be collected with prescribed wording. Fair lending requires consistent decisioning logic that can be audited for disparate impact.

What the LOS must do

30-day decision timer that fires automatically. Adverse action notice generation from templates with correct ECOA disclosure language. Decisioning logic versioned and auditable for fair lending review.

Cost of getting it wrong

ECOA violations: civil penalties up to $1.087M per violation. Class-action exposure on disparate impact findings.

#5 · 12 CFR § 1024

RESPA — Section 8 and servicing transfer

Section 8 prohibits kickbacks for referrals. Servicing transfers require specific borrower notices. Escrow account analysis runs annually with refund/shortage rules.

What the LOS must do

Marketing service agreement (MSA) tracking with explicit value documentation. Servicing transfer notice generation with correct timing. Annual escrow analysis with auto-generated borrower notices.

Cost of getting it wrong

RESPA Section 8 violations: $10K+ per violation, treble damages possible. Servicing transfer notice failures generate borrower complaints and CFPB exam findings.

#6 · 12 CFR § 1026.32

HOEPA — High-cost mortgage detection

Loans crossing APR, points-and-fees, or prepayment-penalty thresholds become 'high-cost' and trigger additional disclosures, counseling requirements, and substantive loan-term restrictions.

What the LOS must do

Real-time HOEPA detection at lock with block-or-disclose workflow gating. APR and points-and-fees calculation automated. Counseling-completed verification before close.

Cost of getting it wrong

Originating an undisclosed HOEPA loan creates indefinite rescission rights for the borrower. The loan is effectively unsalable to most investors.

#7 · Operational standard — required by SOC 2, FFIEC, and CFPB exams

Immutable audit logging

Every agent action, data mutation, decision, and state transition must be captured in an append-only ledger with operator, timestamp, before/after state, and reasoning.

What the LOS must do

Append-only audit log written synchronously with every loan record change. Tamper-evident storage. Tenant isolation via row-level security. Retention aligned with state and federal requirements (typically 5–7 years post-close).

Cost of getting it wrong

Without immutable audit trails, regulator examinations rebuild history from logs and inferences. The reconstruction itself becomes a finding.

#8 · Operational standard — driven by ACES Q4 2024 industry critical defect rate of 1.79%

Continuous pre-close QC

Sampling 10% of files post-fund finds defects after the loan is sold. Continuous pre-close QC catches defects while they can still be cured.

What the LOS must do

100% pre-close validation on income reproducibility, AUS findings vs. final terms, TRID timing, HMDA completeness, and ULDD/MISMO export against investor specs. Defects route to a review queue, not a discovery report.

Cost of getting it wrong

Investor repurchase demand: $15K–$50K per loan. Critical defect industry average is 1.79%; pre-close continuous QC targets under 0.5%. At 5,000 loans/year that's a $1M+ exposure delta.

Frequently asked questions

What is the most important mortgage compliance feature in a modern LOS?

TRID timing enforcement via durable workflow timers, because it is the single highest-frequency compliance failure mode and it has direct CFPB exposure ($5K–$25K per incident). A modern LOS must run TRID timers in a durable execution engine that survives server restarts and crashes. Cron-based reminders or queue-worker timers fail in production. After TRID, the next priorities are continuous QM/ATR verification of all 8 factors per 12 CFR § 1026.43(c) and immutable audit logging on every agent action.

How is workflow-enforced compliance different from post-close QC?

Workflow-enforced compliance prevents the violation by gating the action; for example, a loan cannot reach close-disclosure until all 8 ATR factors are verified. Post-close QC is a sampling-based discovery mechanism that finds violations after the loan has funded and possibly been sold. The cost difference is the cure cost: pre-close, you collect the missing document; post-close, you face investor repurchase demands ($15K–$50K) or CFPB findings. ACES Q4 2024 reports a 1.79% industry critical defect rate. Pre-close continuous validation targets sub-0.5%.

Do mid-sized lenders really need all 8 of these features?

Yes; every one of the eight is a federal requirement that applies to lenders making consumer mortgage loans. The question is not whether to comply but how much manual labor it takes. Lenders without workflow-enforced compliance still meet the requirements but pay for them in FTE hours, post-fund repurchases, and exam findings. The 8 features above are how a modern LOS lets a mid-sized lender meet the same requirements with less manual work and lower exam risk.

How does Confer's compliance engine handle TRID compared to Encompass?

Confer's TRID timers run inside Temporal durable workflows. The clock state is persisted at every transition, so a server restart, deployment, or worker crash cannot lose the timer. Encompass uses scheduled jobs and rule alerts; while these work most of the time, the architecture allows lost timers in failure scenarios. The architectural difference is what eliminates the highest-severity TRID risk. Confer also tracks tolerance buckets (0%, 10%, unlimited) atomically so redisclosure triggers fire deterministically.

What does immutable audit logging actually mean in a mortgage LOS?

Append-only logging where each entry captures: (1) the operator (human or agent identifier), (2) timestamp, (3) the change being made (field, document, state transition), (4) the before-and-after value, and (5) reasoning when applicable. Append-only means existing entries cannot be edited or deleted; tamper-evident means cryptographic chaining or storage controls prevent silent modification. This is what lets regulators and internal QC reconstruct what happened on a loan without inference. Confer captures every agent action and every data write into this ledger by default, with row-level security ensuring tenant isolation.
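The cryptographic-chaining option described above, as an added example (not Confer's code): each entry's SHA-256 covers the five fields plus the previous entry's hash, so an edit or deletion breaks verification at a known position. The field names, the `GENESIS` anchor, and the sample operators and values are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed anchor value standing in for "no previous entry"

def _digest(body):
    # Canonical JSON so the same entry always hashes to the same value.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(raw.encode()).hexdigest()

def append_entry(ledger, operator, timestamp, field, before, after, reasoning=None):
    """Append one entry; its hash covers the five fields plus the previous hash."""
    body = {
        "seq": len(ledger),
        "operator": operator,      # human or agent identifier
        "timestamp": timestamp,
        "field": field,            # the change being made
        "before": before,
        "after": after,
        "reasoning": reasoning,
        "prev_hash": ledger[-1]["hash"] if ledger else GENESIS,
    }
    ledger.append({**body, "hash": _digest(body)})
    return ledger[-1]

def verify(ledger, expected_head=None):
    """Return (True, None), or (False, position of the first inconsistency)."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (entry.get("seq") != i or entry.get("prev_hash") != prev
                or _digest(body) != entry.get("hash")):
            return False, i
        prev = entry["hash"]
    # Dropping entries from the tail leaves a valid chain; only a head hash
    # kept outside the ledger store reveals it.
    if expected_head is not None and prev != expected_head:
        return False, len(ledger)
    return True, None

def sample_ledger():
    # Constructed sample data, not taken from any real loan file.
    ledger = []
    append_entry(ledger, "agent:income-calc", "2026-04-01T14:02:11Z",
                 "monthly_income", None, 8450.00, "computed from paystubs")
    append_entry(ledger, "user:jdoe", "2026-04-01T15:30:00Z",
                 "loan_state", "processing", "underwriting")
    append_entry(ledger, "agent:pricing", "2026-04-02T09:12:45Z",
                 "rate_lock", None, "locked", "borrower accepted terms")
    return ledger
```

Chaining alone does not stop someone with write access from rebuilding the whole chain, which is why the head hash has to be held somewhere the ledger's writers cannot reach, alongside the storage controls the answer mentions.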

How do AI agents stay within compliance frameworks like ECOA?

Three controls. (1) Decisioning logic versioned and audited for fair lending; the same applicant profile produces the same decision regardless of when or by whom it was processed. (2) Adverse action notice generation from templates with correct ECOA disclosure language and the 30-day timer enforced as a workflow event. (3) Demographic data collected per Reg B prescribed wording, with optional fields clearly marked. Confer's compliance agent treats ECOA as workflow infrastructure rather than a checklist.