Why State Regulators Are Now The Most Important Compliance Partners In Mortgage Lending

Over the past decade, the compliance landscape in mortgage lending has evolved dramatically. The Consumer Financial Protection Bureau (CFPB) once stood as the clear authority in consumer financial oversight — issuing sweeping regulations, consent orders, and high-profile enforcement actions that shaped the way we all did business. But in recent years, something fundamental has changed: state regulators have stepped into the spotlight, becoming the primary enforcers, educators, and partners guiding mortgage companies through an increasingly complex environment.

This isn’t just a procedural shift; it’s a cultural one. The mortgage industry is experiencing what could be called a “state-centric era of compliance.” Understanding this transition is now essential for any lender or broker who operates across multiple states.

The Decentralization Of Oversight

The CFPB still matters, of course. Its rules remain in the backbone of consumer protection, and its enforcement authority is significant. But the Bureau’s focus has shifted toward high-level systemic issues, such as junk fees, data privacy, and algorithmic bias — leaving day-to-day oversight largely to the states.

State financial agencies have responded decisively. From Washington to Florida, they’re conducting broader, deeper, and more frequent examinations, often surpassing federal standards in both scope and precision.

At West Capital Lending, we’ve seen state examinations evolve from routine check-ups into detailed operational audits that cover:

• Marketing and advertising practices
• Lead source tracking and consent verification
• Compensation structures and anti-steering compliance
• Borrower communication records
• Remote work arrangements and data-security controls

Amanda Tucker, chief risk and compliance officer at Atlantic Bay Mortgage Group, adds that examiner focus has evolved to incorporate robust reviews and sampling of third-party arrangements from technology vendors to independent contractors. Regulators want to see detailed policies and procedures governing third party risk management, such as due diligence and ongoing monitoring. Atlantic Bay has seen an increase in state deployment of the Conference of State Bank Supervisors’ (CSBS) non-bank cybersecurity examination procedures, most recently in the District of Columbia and Virginia.

Some of these examinations can result in costly citations for the company, as noted by Melissa Grindel, EVP/head of compliance and product at ActiveComply, a marketing compliance technology provider.

“We’ve seen citations that have had costly implications for financial institutions,” said Grindel. “One lender in Massachusetts had an administrative penalty of $25K for misleading information on certain marketing materials and websites. Another in Virginia for $85K for repeat marketing compliance issues and missing refinance disclosures in social media posts. The dollar amounts certainly matter, but what might be most damaging is the brand reputation of that business — both for future examinations and for consumer sentiment when public consent orders are issued.”

There is also a key interest by certain states for remote worker supervision.

“States like Kentucky and Oregon have made this a focal point of their examinations,” said Grindel, who helps institutions craft remote work policies and implement monitoring programs. “We see a lot of variability between the states in how they regulate this practice and what expectations they have for institutions.”

One key consideration she says, “What have you defined for your supervision oversight — not only the process and procedure of it all, but also the narrative on why you do it and how it mitigates consumer harm.”

It’s no longer about paperwork alone. Examiners now want to see that your processes — not just your policies — demonstrate integrity, transparency, and consumer protection.

A New Regulatory Mindset

The encouraging part of this evolution is the change in tone. Many state examiners now approach compliance with a collaborative rather than a punitive mindset.

At one time, an audit felt adversarial, an exercise in “gotcha” enforcement where the regulator’s job was to find fault. That era is fading. Today’s state regulators increasingly act like compliance partners: they want to understand your systems, discuss your rationale, and help identify blind spots before they become violations.

For lenders who engage openly, this partnership can be invaluable. Examiners often share best practices observed across the industry, clarify evolving expectations, and even help you improve your internal controls. The relationship has shifted from “regulator versus lender” to “regulator with lender,” a development that benefits both compliance and consumer trust.

Investing in building collaborative relationships with regulators is critical in ensuring your company’s success. Tucker indicates that the time to invest and build these relationships is before you approach an examiner with an issue or concern during an examination. You want to have established the relationship and built mutual trust so that when approaching an examiner over a disagreement or frustration during an examination, they too will approach that conversation with an existing foundation.

Compliance Is Now A State-By-State Exercise

One of the most common mistakes lenders make today is assuming that a single, national compliance policy is enough. It’s not.
With each state asserting greater independence, “compliance is now local.”

Whether it’s Washington’s advertising standards, Florida’s remote-work guidance, or California’s compensation disclosure requirements, each jurisdiction has its own nuances, and they expect you to understand and apply them.

For multistate lenders, this means compliance teams must be nimble, adaptive, and granular. A compliance management program rooted in change management, controls, and monitoring governing all lines of business is critical. Maintaining one federal-level policy binder is no longer sufficient. Instead, companies must:

• Map their operational footprint and identify every applicable state rule.
• Train MLOs and branch managers on state-specific expectations.
• Implement monitoring tools that track compliance activity across jurisdictions.
• Keep documentation current, centralized, and easily auditable.

Events in 2025 have had an impact on state-by-state exams.

“Institutions are seeing more state exams than perhaps ever before. Many lenders I’ve spoken with outline that the number of open exams is substantially higher this year than in years past,” says Grindel. “One lender I spoke with last week noted that in 2024 they had seven state exams open at any given time, but this year, it’s 12 right now.”

Beyond the quantity increase, Tucker noted “exam requests are also longer and broader, what was perhaps five pages before is now 20.”

Many exam requests are overly broad and at times may appear to push beyond state lines. Seeking clarity on overly broad exam requests is a critical part of positive regulatory relations and protecting your company from unintended consequences of misunderstanding examination requests.

A robust compliance program today must look more like a federal-system map than a single national playbook.

Lessons From The Front Lines

At West Capital Lending, we’ve learned that successful relationships with state regulators hinge on three things: communication, transparency, and consistency.

• Proactive Engagement: Don’t wait for an audit to start the conversation. Build relationships with your state contacts early. A quick call to clarify a gray area can prevent future findings.
• Document Everything: Regulators want evidence, not just intent. Keep detailed logs of training, correspondence, and corrective actions. It’s your best defense and your best demonstration of diligence.
• View Exams as Growth Opportunities: An exam can reveal inefficiencies and outdated processes. Treat findings as a free compliance audit rather than a punishment.

These small mindset shifts can transform the compliance function from a reactive cost center into a proactive strategic asset.
Tucker offers that beyond examiner collaboration, industry peer collaboration is helpful in navigating a multi-state framework.
“Speaking with other lenders, especially those whose entity structure and product and program suite are similar can be helpful in understanding their examination experience in overlapping states,” added Tucker. “Industry collaboration in the spirit of employing sound compliance strategies to protect the end consumer is an effort all of us within the industry should celebrate.”

Preparing For What’s Next

The rise of state-led regulation is not a temporary phase, it’s the new normal. As fintech expands, remote work becomes standard, and advertising grows increasingly digital; states will continue to refine their frameworks to protect consumers within their borders.

We can expect to see more:

• Targeted state guidance on AI, data privacy, and lead generation.
• Cross-state cooperation, where multiple agencies coordinate on examinations.
• Enhanced scrutiny of compensation and entity structures, especially for 1099 vs. W-2 classifications.
• Identify and complete a gap analysis of state iterations of federal laws to determine if your company will apply a state-by-state approach towards compliance or take the most stringent state law and broadly apply it. For example; TCPA- several states have stricter rules than the federal TCPA, such as Florida, Georgia, Washington, Arizona, and Maryland.

Even as we see state regulators take up a more active role in enforcement, it’s worth noting that changes at the federal level this year have certainly had an influence. “We are seeing former CFPB examiners taking positions as state regulators in jurisdictions like Virginia and Maryland,” says Grindel.

Tucker adds that “we also can’t forget former CFPB Director Chopra’s final closing remarks to states, reminding them that many federal regulations are within the state's purview,” reenergizing the state regulatory framework.

For compliance officers, this means building a dynamic infrastructure that can evolve alongside state expectations. Those who invest in transparency, documentation, and strong regulator relationships today will be best positioned tomorrow.

The Bottom Line

The balance of power in mortgage compliance has shifted, not away from accountability, but toward accessibility. State regulators are no longer just enforcers; they are educators, collaborators, and, increasingly, partners in building better mortgage companies.

By embracing this partnership, lenders can create stronger systems, better outcomes for consumers, and a more sustainable business model for the long run.

If you’re not already treating your state examiners as key allies in your compliance strategy, now is the time to start.
The future of compliance isn’t about surviving oversight, it’s about collaborating with it.