Why This Matters
Most small mortgage companies do not operate their own servers or proprietary technology. Instead, they rely on third-party vendors for nearly every system that stores, transmits, or processes customer Non-Public Personal Information (“NPI”).
FORM 2-91-1 IT Vendor Review Ch…
This means your vendor list is not “IT paperwork.”
It is your cybersecurity footprint.
A company with no vendor inventory cannot credibly claim it understands its risk.
What This Form Is (and Isn’t)
FORM 2-91-1 is a vendor cybersecurity inventory and validation checklist.
It is designed for companies that:
Are small
Are mostly cloud-based
Use third-party systems for core operations
Need a simple way to document vendor due diligence
This form is not a full vendor management program. It is the minimum defensible proof that you:
Know your vendors, and
Took reasonable steps to confirm they are not reckless with consumer data.
Step-by-Step: How to Complete FORM 2-91-1
Step 1 — List Vendors by Category (Not by Memory)

Start with the vendor categories already in the form. These categories cover the “usual suspects” in a mortgage company:
E-Mail
Loan Origination System (LOS)
E-Disclosure
Data Backup
Web 1003 Application
Pricing and Eligibility
Document Management
E-Fax
Voice-Mail/Telephony
Network / Internet Service
Office Support (Cleaner/Landlord)
Courier
Practical tip:
If you are stuck, open your bank/credit card statement and scan for recurring monthly software charges. That list is usually more accurate than anyone’s memory.
Step 2 — Confirm the Vendor Name Exactly
Use the vendor’s legal or platform name (example: “Google Workspace” not “Gmail”).
This prevents confusion later when:
Auditors ask for documentation
A vendor is acquired and renamed
You are asked “who stores your data?”
Step 3 — Identify the Vendor’s Audit or Certification Status
The form gives four methods for validating vendor cybersecurity:
Qualified audits of the technology
Vendor is regulated/supervised by a similar authority
Confirmation of ISO 27001 or similar
Vendor not chosen by us (required use)
This is the core of the form.
How to Validate Vendors Have Their Own Security Protocols
This is where most small companies freeze up. The good news is: you do not need to be a cybersecurity engineer.
You need to document reasonable verification.
Method 1 — “Vendor Audit Certification”
For most vendors, this means they can provide one of the following:
SOC 2 Type II report (most common)
SOC 1 Type II (less relevant, but still useful)
ISO 27001 certification
Independent penetration test summary (less common)
What to do:
Ask the vendor for the report (or a summary letter)
If they won’t provide it, ask for:
a security whitepaper, or
a compliance attestation
What not to do:
Don’t accept “we take security seriously” as evidence.
Method 2 — “Supervised / Regulated Vendor”
This is useful when the vendor is:
A regulated bank
A regulated financial institution
A major credit bureau or similar provider
This is explicitly referenced as an acceptable basis for reliance in the form.
What to document:
The vendor is regulated
The regulator type (example: bank regulator, SEC, FINRA, etc.)
The nature of the service
Method 3 — “ISO 27001 or Similar”
This is a clean checkbox if the vendor can provide:
An ISO/SOC/SOC2 certificate
The certificate scope statement
Important:
ISO 27001 only helps if the certificate scope actually covers the service you use.
Example:
“ISO 27001 for corporate headquarters” is not as strong as
“ISO 27001 for cloud platform operations.”
Method 4 — “3rd Party Vetting”
This is a catch-all category for situations where the vendor:
Is selected by a lender, investor, or LOS ecosystem
Is required for participation in a platform
Is industry-standard and unavoidable
The form explicitly recognizes this scenario.
What to document:
“Required by third party”
“Vendor not selected by company”
“Due diligence is performed by platform owner”
What a Completed Form Should Look Like
A completed form should not have blanks for key vendors.
At minimum, you should see vendors listed for:
Email
LOS
Credit ordering
Document management / storage
E-sign / e-disclosure
Internet service provider
Backup (if separate)
Common Findings (Small Mortgage Companies)
When you complete this form honestly, you will usually discover:
No one can name all vendors off the top of their head
There is no written record of vendor security validation
Credit and document vendors are the largest NPI risk
“Backup” is assumed but not confirmed
Office support vendors (cleaner/landlord) are ignored
Email is the #1 NPI exposure point
No one has assigned ownership for vendor review
These findings are normal. The purpose of the form is to make them visible.
Minimum Documentation You Should Retain
For each vendor listed, retain at least one of the following:
SOC report (or SOC summary letter)
ISO 27001 certificate
Vendor security whitepaper
Vendor’s written statement of compliance
Screenshot or copy of the vendor’s security page
Contract clause showing security obligations
You do not need to store a 90-page SOC report for every vendor, but you do need some proof that you asked and reviewed.
Frequency and Ownership
This vendor inventory should be:
Reviewed at least annually
Updated whenever:
a new vendor is added
a vendor changes services
a vendor is acquired
a security incident occurs
The form includes an “Audited by” signature block for accountability.
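As an added illustration, not part of FORM 2-91-1 or this guide, the following Python checker applies the rules described above to a vendor inventory: every core category has a vendor, each row uses one of the four validation methods, audit and ISO methods are backed by an accepted evidence document, a certificate scope statement mentions the service actually used, regulated-vendor and third-party-vetting rows name the regulator or requiring party, and each row was reviewed within the last 12 months. The category set, evidence labels, the numbering of the methods as 1 to 4, the scope heuristic and the sample vendors are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Added example, not part of FORM 2-91-1. Category names, evidence labels and
# the 1..4 method numbering are assumptions that mirror the guide's wording.

# Categories a completed form should never leave blank (subset of the form's list).
REQUIRED_CATEGORIES = {
    "E-Mail",
    "Loan Origination System (LOS)",
    "E-Disclosure",
    "Data Backup",
    "Document Management",
    "Network / Internet Service",
}

# The four validation methods, numbered as in the guide above.
METHODS = {
    1: "Vendor Audit Certification",
    2: "Supervised / Regulated Vendor",
    3: "ISO 27001 or Similar",
    4: "3rd Party Vetting",
}

# Evidence the "Minimum Documentation" section accepts.
# "We take security seriously" is deliberately not on this list.
ACCEPTED_EVIDENCE = {
    "SOC 2 Type II report",
    "SOC 1 Type II report",
    "ISO 27001 certificate",
    "security whitepaper",
    "compliance attestation",
    "security page copy",
    "contract security clause",
}

REVIEW_INTERVAL_DAYS = 365  # "reviewed at least annually"


@dataclass
class VendorEntry:
    category: str
    vendor: str                       # legal/platform name, e.g. "Google Workspace"
    method: int                       # 1..4, see METHODS
    evidence: List[str] = field(default_factory=list)
    service: str = ""                 # what the company actually uses the vendor for
    scope: str = ""                   # certificate scope statement (method 3)
    regulator: str = ""               # supervising authority (method 2)
    required_by: str = ""             # who mandated the vendor (method 4)
    last_reviewed: Optional[date] = None


def scope_covers_service(scope: str, service: str) -> bool:
    """Heuristic: the scope statement must share at least one substantive word
    (4+ characters) with the description of the service you rely on."""
    def words(text: str) -> set:
        return {w for w in text.lower().split() if len(w) >= 4}
    return bool(words(scope) & words(service))


def review_inventory(entries: List[VendorEntry], today: date) -> List[str]:
    """Return one finding per gap; an empty list means the form has no blanks to explain."""
    findings: List[str] = []
    listed = {e.category for e in entries}
    for cat in sorted(REQUIRED_CATEGORIES - listed):
        findings.append(f"{cat}: no vendor listed")
    for e in entries:
        tag = f"{e.category} / {e.vendor.strip() or '(blank)'}"
        if not e.vendor.strip():
            findings.append(f"{tag}: vendor name is blank")
        if e.method not in METHODS:
            findings.append(f"{tag}: unknown validation method {e.method}")
            continue
        if e.method in (1, 3) and not ACCEPTED_EVIDENCE.intersection(e.evidence):
            findings.append(f"{tag}: {METHODS[e.method]} needs an accepted evidence document")
        if e.method == 3 and e.scope and e.service and not scope_covers_service(e.scope, e.service):
            findings.append(f"{tag}: certificate scope '{e.scope}' does not cover service '{e.service}'")
        if e.method == 2 and not e.regulator:
            findings.append(f"{tag}: regulated-vendor reliance needs the regulator named")
        if e.method == 4 and not e.required_by:
            findings.append(f"{tag}: third-party vetting needs the requiring party named")
        if e.last_reviewed is None or (today - e.last_reviewed).days > REVIEW_INTERVAL_DAYS:
            findings.append(f"{tag}: not reviewed within the last 12 months")
    return findings


# Constructed sample inventory (hypothetical vendors) with deliberate gaps.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    VendorEntry("E-Mail", "Google Workspace", 1, ["SOC 2 Type II report"],
                service="email", last_reviewed=date(2024, 3, 1)),
    VendorEntry("Loan Origination System (LOS)", "Example LOS Inc.", 3, ["ISO 27001 certificate"],
                service="cloud platform operations",
                scope="ISO 27001 for corporate headquarters", last_reviewed=date(2024, 3, 1)),
    VendorEntry("E-Disclosure", "Example E-Sign", 4, required_by="investor platform",
                last_reviewed=date(2024, 3, 1)),
    VendorEntry("Data Backup", "", 1),
    VendorEntry("Credit Reporting", "Example Credit Bureau", 2, last_reviewed=date(2022, 1, 1)),
]


def run_sample() -> List[str]:
    return review_inventory(SAMPLE_INVENTORY, SAMPLE_TODAY)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Run against a real inventory exported to this structure, the findings list is the set of blanks and weak entries an auditor would ask about; the scope check is intentionally a crude word-overlap heuristic, so treat a flagged scope as "read the certificate" rather than as a verdict.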
Bottom Line
For small mortgage companies, vendor oversight is not optional. It is the core cybersecurity control.
Completing FORM 2-91-1 provides evidence that:
You know where NPI lives
You know who touches it
You have verified that vendors have security controls
You can explain your vendor reliance to an auditor or regulator
If your company is “all cloud,” your vendors are your IT department. This form is how you prove you understand that reality.