Risk, Regs & Response
Your host, Michael Housch, explores the intersection of cybersecurity, regulation, and law, where compliance meets real-world threats. Each episode breaks down evolving policies, legal cases, and governance challenges to help leaders navigate today’s complex digital risk landscape.
Navigating the Compliance Crosscurrents: Fair Lending Rollbacks and Mandatory Cyber Resilience
Mike Housch dissects the current risk landscape, examining how the CFPB's proposed narrowing of ECOA protections and limitations on Special Purpose Credit Programs (SPCPs) are reshaping fair lending compliance. We also dive deep into the new, non-negotiable cybersecurity and resilience mandates being pushed down the mortgage supply chain by Fannie Mae and other GSEs.
Welcome back to Risk, Regs and Response. I’m your host, Mike Housch, and today we are covering what is arguably one of the most volatile compliance environments we’ve seen in years, particularly across fair lending and data security. The compliance crossroads we are facing demand real agility from lenders, fintechs, and servicers.
We have two major themes driving risk right now: first, the seismic shifts happening in fair lending policy, specifically regarding federal enforcement; and second, the rapidly increasing, and increasingly mandatory, expectations around cybersecurity and business resilience being set by the GSEs. Let’s start with the Consumer Financial Protection Bureau, the CFPB.
In late 2025, the CFPB proposed significant changes to how the 1974 Equal Credit Opportunity Act, or ECOA, is interpreted. This isn't a small tweak; it’s a proposed rollback of a long-standing enforcement lever. Specifically, the CFPB is indicating that ECOA “does not authorize disparate-impact liability”.
Disparate impact has historically been a critical tool used to challenge discriminatory lending outcomes, even when intent wasn't proven. Rolling this back fundamentally changes the federal fair-lending risk model.
As part of that same package, the CFPB also proposed limiting permissible uses of Special Purpose Credit Programs, or SPCPs. For those unfamiliar, SPCPs are essential programs that allow targeted credit assistance for specific classes, such as minority or disadvantaged borrowers.
Now, let’s look at the immediate risk and impact of these proposals. For lenders and fintechs currently offering tailored products, SPCPs may become more legally constrained. This forces institutions to immediately review their marketing, underwriting, and overall compliance frameworks. From a risk posture, every institution should be re-evaluating their fair-lending models and auditing their legacy SPCPs.
But the story doesn’t end there, because this proposed federal retreat is coinciding with a major shift in the broader regulatory environment.
A legal industry summary recently noted that 2025 brought "some of the most significant mortgage lending compliance changes" in years. This is because as federal enforcement pulls back, state-level scrutiny and action are surging.
As federal agencies like the CFPB scale back their efforts, state attorneys general across the country are increasingly using state-level consumer-protection statutes to pursue enforcement. The result is a more fragmented and unpredictable regulatory landscape.
The core takeaway here is that compliance can no longer be "set it and forget it" at the federal-rule level. Firms must now dedicate resources to track state-by-state regulatory changes. This shift mandates that legal and regulatory compliance teams maintain a high degree of agility and tighter risk-management processes.
We should also watch for an emerging risk: with the ECOA changes, there may be a wave of state-level fair-lending litigation or enforcement, especially where disparate-impact or SPCPs were previously utilized, even while federal oversight weakens. The action simply moves from Washington D.C. to state capitals.
Now, let’s pivot entirely to the second massive compliance driver we are seeing: Cybersecurity and Resilience.
In September 2025, Fannie Mae published its “Information Security and Business Resiliency Supplement”. This isn’t just for major institutions; this extends rigorous requirements down to single-family sellers and servicers, multifamily lenders, technology-service providers, and even custodians.
This GSE supplement imposes several key mandates: first, formal InfoSec program requirements. Second, it requires annual officer attestations that cover 14 security domains. This isn't a checkbox exercise; it requires executive leadership sign-off on the maturity of their security posture.
Crucially, it sets strict cyber-incident reporting requirements. Covered entities must report events like ransomware, Distributed Denial of Service (DDoS), or Business Email Compromise (BEC) within 36 hours. That's a very tight window requiring highly responsive internal incident protocols.
Beyond the technical security controls, the supplement also requires robust business-continuity and disaster-recovery plans, along with regular testing and mandatory alignment with NIST standards.
What does this mean for the industry? For fintechs, servicers, or any vendor operating in the mortgage origination or servicing chains, this isn’t optional. These InfoSec requirements, incident response protocols, and overall resilience planning must be explicitly baked into Service Level Agreements, vendor contracts, and internal governance models.
The risk for non-compliance here is severe. It could trigger significant supply-chain risk for larger institutions, and for the vendors themselves, it could lead to disqualification from GSE programs, or major reputational and legal fallout.
This cascade of cybersecurity and resilience rules, flowing from the GSEs down to servicers and vendors, inevitably means that the regulatory and compliance burden will continue to grow. This is especially true for smaller firms or FinTechs that may lack mature Information Security programs already in place.
We also have a related risk emerging in the lending process itself. The expanded conforming-loan limits that we are seeing may pressure loan origination systems, underwriting models, and risk tools. These systems now have to handle more of what we might call "borderline jumbo" volume, which inevitably increases complexity and potential credit risk.
So, to wrap up these dual challenges—the retreat of federal fair lending oversight and the advance of mandatory cyber resilience—we are looking at an environment defined by higher risk and greater complexity.
On the fair lending side, institutions must accept that compliance is a state-by-state puzzle requiring constant monitoring. The focus must shift from blanket federal adherence to granular, jurisdiction-specific tracking to avoid unexpected litigation.
On the cybersecurity front, firms need to treat the GSE requirements as the new baseline for market participation. Investment in robust InfoSec programs, proper officer attestations, and 36-hour incident reporting is no longer a best practice; it is a mandated requirement. Agility and tighter risk-management processes are the keys to surviving this crosscurrent of regulatory change.
It's like navigating a river where the main currents—the federal rules—are weakening, forcing you to constantly scan the fragmented banks for new, powerful eddies of state enforcement, all while simultaneously ensuring your vessel is seaworthy against the constant cyber storms.
That’s all the time we have for today on Risk, Regs and Response. I’m Mike Housch. Thank you for tuning in.