Running a mortgage operation without a solid mortgage compliance setup checklist is like closing loans without a rate lock. You might get away with it for a while, but eventually the exposure catches up with you. Between TRID disclosure timelines, HMDA reporting thresholds, GLBA data security requirements, and state-specific overlays, the regulatory surface area is wide. This article gives compliance officers and loan operations professionals a structured, regulation-by-regulation checklist built around 2026 requirements, with the kind of IT and operational detail that actually holds up under exam conditions.
Table of Contents
- Key takeaways
- Your mortgage compliance setup checklist: core framework
- 1. TRID disclosure timeline and evidence tracking
- 2. Record retention matrix
- 3. HMDA eligibility testing and threshold controls
- 4. GLBA data privacy and AI vendor management
- 5. Compliance program infrastructure beyond the checklist
- My take on what most compliance checklists get wrong
- How 1smtg supports your compliance setup from day one
- FAQ
Key takeaways
| Point | Details |
|---|---|
| TRID requires timestamped evidence | Examiners reconstruct full disclosure timelines from system logs, so missing timestamps are a direct failure point. |
| Retention must be a matrix, not a single period | Different regulations require different retention windows; a document-type indexed matrix prevents gaps. |
| HMDA threshold updated for 2026 | Institutions with assets at or below $59 million as of December 31, 2025, are exempt from HMDA data collection. |
| GLBA now covers AI vendor data flows | Written security programs must map how AI tools access and process borrower nonpublic personal information. |
| Checklists must be living documents | Annual updates, board oversight, and integrated IT controls separate passing programs from deficient ones. |
Your mortgage compliance setup checklist: core framework
Before you build line items, you need to know what a mortgage compliance setup checklist is actually supposed to do. It is not a one-time form you complete at licensing. It is an operational control document that maps every regulatory obligation to a specific process, system configuration, evidence type, and responsible party. Think of it as the intersection of your compliance program and your IT architecture.
Effective compliance programs include board-level oversight, written policies and procedures, ongoing training, monitoring with corrective action, complaint response, and independent audits. Weakness in any one component can cause an overall deficiency in exam results. Your checklist should reflect all of these components, not just the disclosure and reporting items.
The regulations your checklist must cover at minimum include TRID, HMDA, ECOA, GLBA, RESPA, and applicable state laws. Each carries distinct documentation requirements, retention periods, and evidence standards. When you build your checklist, map each regulation to the specific data fields, system logs, and procedural controls that satisfy it.
Pro Tip: Add a "documentation owner" column to every checklist item. When an examiner asks who is responsible for a specific control, you want a name and a title, not a shrug.
Annual updates are non-negotiable. Thresholds change, guidance evolves, and state regulators issue new requirements. Build a calendar control that triggers a full checklist review every December, before year-end threshold adjustments take effect.
1. TRID disclosure timeline and evidence tracking
TRID is where most lenders get tripped up during exams. The problem is rarely that disclosures were not sent. The problem is that examiners reconstruct a complete, timestamped disclosure timeline from system logs and require proof of each event. If your system cannot produce that timeline on demand, you have a deficiency regardless of what actually happened.
Your TRID checklist items should cover:
- Timestamped generation of the Loan Estimate within 3 business days of application
- Delivery method logging (mail, email, in-person) with borrower receipt confirmation
- Waiting period enforcement via system blocks that prevent premature closing
- Closing Disclosure delivery with a minimum 3-business-day waiting period before consummation
- Fee tolerance tracking with automated tolerance calculations at each disclosure event
- Changed circumstances documentation with reason codes and re-disclosure triggers
- Immutable audit trail storage accessible to examiners without manual reconstruction
The most overlooked item on this list is number three. Borrower receipt must be treated as a first-class system event that drives waiting period calculations, not just a note in the file. If your LOS does not enforce a hard block on closing until the waiting period clears from the receipt date, you have a gap.
Pro Tip: Run a quarterly sample of 10 closed loans and attempt to reconstruct the full TRID disclosure timeline from system logs alone. If you cannot do it in under 15 minutes per file, your system configuration needs work before an examiner does it for you.
| TRID Event | Evidence Required | System Control |
|---|---|---|
| Loan Estimate generation | Timestamp in LOS log | Automated 3-day trigger from application |
| LE delivery | Delivery method and date | Delivery confirmation logged |
| Borrower receipt | Receipt timestamp | Waiting period calculation starts here |
| Closing Disclosure delivery | Timestamp and method | 3-business-day block enforced |
| Fee tolerance check | Tolerance calculation log | Automated flag on out-of-tolerance fees |
| Changed circumstance | Reason code and re-disclosure date | Workflow trigger on qualifying event |
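As an added illustration (not code from the article or from any LOS vendor), this Python sketch reconstructs a TRID timeline from a constructed event log, reports missing timestamps as findings, and implements the hard closing block that counts the waiting period from the borrower receipt date rather than the delivery date. The business-day convention and holiday list are assumptions; substitute your program's own definitions.

```python
from datetime import date, timedelta

# Assumption for this example: every day except Sunday and the (constructed)
# holidays below counts as a business day. Use your program's own definition.
HOLIDAYS = {date(2026, 1, 1)}

def add_business_days(start, n):
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() != 6 and d not in HOLIDAYS:
            n -= 1
    return d

# Timestamps an examiner expects to find in the log for every file.
REQUIRED = ("application", "le_generated", "le_delivered", "le_received",
            "cd_delivered", "cd_received")

def earliest_consummation(events):
    # The waiting period runs from borrower receipt of the CD, not from delivery.
    return add_business_days(events["cd_received"], 3)

def reconstruct_trid_timeline(events):
    """events maps event name -> date (None or absent = nothing logged).
    Returns findings; an empty list means the file reconstructs cleanly."""
    findings = [f"missing timestamp: {e}" for e in REQUIRED if events.get(e) is None]
    if findings:
        return findings  # deadlines cannot be evaluated without the timestamps
    le_due = add_business_days(events["application"], 3)
    if events["le_generated"] > le_due:
        findings.append(f"LE generated {events['le_generated']} after due {le_due}")
    close = events.get("consummation")
    if close is not None and close < earliest_consummation(events):
        findings.append(f"consummation {close} before waiting period ends "
                        f"{earliest_consummation(events)}")
    return findings

def closing_allowed(events, proposed):
    # The hard block an LOS should enforce: no receipt timestamp, or a date
    # before the waiting period clears from receipt, means no closing.
    return (events.get("cd_received") is not None
            and proposed >= earliest_consummation(events))

# Constructed sample logs for three files.
LOAN_CLEAN = {"application": date(2026, 3, 2), "le_generated": date(2026, 3, 4),
              "le_delivered": date(2026, 3, 4), "le_received": date(2026, 3, 4),
              "cd_delivered": date(2026, 3, 20), "cd_received": date(2026, 3, 20),
              "consummation": date(2026, 3, 24)}
LOAN_EARLY_CLOSE = dict(LOAN_CLEAN, cd_received=date(2026, 3, 23))  # mailed CD
LOAN_NO_RECEIPT = dict(LOAN_CLEAN, cd_received=None)  # receipt never logged
```

Run `reconstruct_trid_timeline` over a quarterly sample of closed files to get the 15-minute reconstruction check the article describes down to seconds per file.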
2. Record retention matrix
Using a single retention period for all mortgage documents is one of the most common compliance errors in the industry. Different regulations require different windows, and retention policy should be a matrix indexed by regulation and document type.
Here is what the core retention requirements look like:
| Document Type | Regulation | Retention Period |
|---|---|---|
| Closing Disclosure | TRID | 5 years |
| Loan Application (consumer) | ECOA | 25 months |
| HMDA LAR | HMDA | 3 years |
| Servicing records | RESPA | 1 year after payoff |
| Security program documentation | GLBA | Duration of program |
The 5-year TRID Closing Disclosure period is often the binding constraint for consumer mortgage records, but that does not mean you can apply it universally. ECOA adverse action notices only require 25 months. Over-retaining creates data privacy risk. Under-retaining creates exam exposure. The matrix approach eliminates both problems.
Configure your document management system so that retention rules are applied automatically at the document type level, not manually by staff. Manual application creates inconsistency. Retrieval speed also matters. If an examiner requests a specific Closing Disclosure from three years ago and your team spends two hours finding it, that is a red flag even if the document exists.
Pro Tip: When configuring retention rules, also document how they apply to records that carry over into refinance or renewal transactions. Retention clocks can reset on modified loans.
3. HMDA eligibility testing and threshold controls
HMDA reporting is not automatic. You must first determine whether your institution is required to report, and that determination needs to be documented as a formal control with clear logic. Practitioners frequently struggle with HMDA applicability tests, and documented classification logic covering institution type, lending volume, and asset size is what separates a defensible position from a guess.
For 2026, the asset-size exemption threshold is $59 million. Banks, savings associations, and credit unions with assets at or below that figure as of December 31, 2025, are exempt from collecting HMDA data this year. That threshold changes annually, which is why it must be a discrete, documented control reviewed each January.
Your HMDA eligibility checklist should address:
- Institution type classification (depository vs. non-depository)
- Asset-size test with documented source data and date of determination
- Dwelling-secured loan volume test with prior-year origination count
- Geographic coverage determination (home or branch in an MSA)
- LAR field completeness review prior to annual submission
- Quality control process for data accuracy before filing
Treat HMDA eligibility as an annual audit control with documented assumptions. If your institution is borderline on the asset-size threshold, document the analysis in writing, including who performed it and when. Misclassification in either direction carries real consequences. Failing to report when required is a violation. Reporting when exempt wastes resources and creates unnecessary data exposure.
4. GLBA data privacy and AI vendor management
The GLBA Safeguards Rule has always required a written information security program. What has changed in 2026 is the scope of what that program must cover. AI tools used in mortgage operations, whether for pricing, underwriting support, or document review, create new data flow risks that most written security programs have not caught up with.
Key data flow documentation, breach notification procedures, vendor audit rights, and AI data usage mapping are all required for GLBA compliance. If a loan officer is using an AI tool that processes borrower nonpublic personal information (NPI) and that tool is not covered in your vendor management program, you have a gap.
Your GLBA and vendor management checklist items should include:
- Written information security program with annual risk assessment
- Data flow map identifying every system and vendor that touches borrower NPI
- Vendor contracts with explicit data security obligations and audit rights
- AI tool inventory with documented acceptable use policies
- Shadow AI policy addressing unauthorized tool usage by staff
- Incident response plan with breach notification timelines
- Annual employee training on data handling and phishing awareness
The shadow AI risk is real and underappreciated. Staff members using consumer-grade AI tools to draft borrower communications or process documents may be transmitting NPI to systems outside your vendor management framework without realizing it. Your acceptable use policy needs to address this explicitly, and your training program needs to explain why it matters.
Pro Tip: Add a standing agenda item to your quarterly compliance committee meetings specifically for new AI tool requests. Requiring pre-approval before any AI tool touches borrower data is far easier to manage than discovering unauthorized usage during an exam.
5. Compliance program infrastructure beyond the checklist
A mortgage regulation checklist is only as strong as the program behind it. The checklist items tell you what to do. The program infrastructure determines whether those items actually get done, get documented, and get corrected when they fail.
Board-level oversight is not optional. Your board or senior management needs to receive regular compliance reports, approve the compliance program annually, and demonstrate engagement with the results. Examiners look at board minutes. If compliance is never on the agenda, that absence tells a story.
Training must be tied to specific regulatory requirements, not just general awareness. A loan officer who completes annual compliance training should be able to explain the TRID waiting period and why it matters. A processor should understand what triggers a re-disclosure. Generic training does not produce that level of operational knowledge.
Your monitoring and corrective action process closes the loop. When a checklist item fails, you need a documented path from discovery to root cause analysis to corrective action to verification. That cycle, documented in writing, is what demonstrates to examiners that your compliance program is functional rather than decorative.
My take on what most compliance checklists get wrong
I have reviewed a lot of compliance programs over the years, and the pattern I keep seeing is the same. The checklist exists. The policies exist. But the IT controls and the procedural controls live in completely separate worlds, and nobody has connected them.
A checklist that says "deliver Loan Estimate within 3 business days" is not a control. A system configuration that blocks loan progression until a timestamped LE delivery event is logged is a control. Most programs have the first and think they have the second.
The other failure point I see consistently is treating the checklist as an annual project rather than an operational tool. You update it in December, file it away, and pull it out when an exam is scheduled. That approach produces checklists that are technically current but operationally disconnected from what staff actually does day to day.
The compliance officers I have seen succeed treat their checklist as a living document tied directly to their LOS configuration, their training calendar, and their monitoring reports. Every item on the checklist has a system log, a responsible person, and a testing frequency. That is what survives a CFPB exam.
— Omar
How 1smtg supports your compliance setup from day one
Building and maintaining a mortgage compliance setup checklist is significantly easier when your LOS, disclosure tracking, and records management all live in one place. 1smtg's mortgage platform is built specifically for loan officers and brokers who need disclosure event logging, timestamped audit trails, and document retention controls without managing three separate systems. The platform supports the TRID evidence requirements, document archiving, and reporting workflows that compliance officers need to stay exam-ready. New users get hands-on training and dedicated human support, not a help center article. If you want to see how the platform maps to your compliance requirements, request a demo directly through the site.
FAQ
What is a mortgage compliance setup checklist?
A mortgage compliance setup checklist is a structured document that maps each regulatory obligation, such as TRID, HMDA, ECOA, and GLBA, to specific processes, system configurations, and evidence requirements your institution must maintain.
How often should a mortgage compliance checklist be updated?
At minimum, annually. Regulatory thresholds like the HMDA asset-size exemption change each year, and state requirements evolve, so a December review cycle before year-end adjustments take effect is standard practice.
What are the most common TRID compliance failures in exams?
Missing or non-retrievable timestamps for disclosure delivery and borrower receipt are the most frequent failure points. Examiners reconstruct the full disclosure timeline from system logs, so incomplete logs create deficiencies even when disclosures were actually sent.
What is the 2026 HMDA asset-size exemption threshold?
The 2026 threshold is $59 million. Depository institutions with assets at or below that figure as of December 31, 2025, are exempt from HMDA data collection requirements for 2026.
How does GLBA apply to AI tools used in mortgage operations?
GLBA requires that any tool processing borrower nonpublic personal information be covered under your written information security program, including AI tools. Vendor contracts must include data security obligations and audit rights, and staff usage policies must address unauthorized AI tool use.
