We know what to do when a regulator, investor, or agency requests evidence of a specific compliance audit, such as an AML Audit Report, Quality Control Report, or another review to satisfy a particular requirement. But what about when the request is simple: "provide copies of policies and procedures, compliance reviews, and management responses"?

This open-ended request means the regulator expects you to conduct some audits independently. Generally, the minimum required compliance audits include (depending on your business model) those in this chart. These are reviews that federal laws mandate, although the laws may not mandate the frequency, how the reviews are conducted, or their components.

Compliance Audits/Reviews

Anti-Money Laundering Audit

NMLS/Call Reporting
Loan Level QC Reviews
Fair Lending Compliance Review
Training Audit
Advertising Review
SAFE Act Audit
Loan Originator Compensation Review
Information Security Review
Vendor Review
Risk Assessment

Policy & Procedure Update


The frequency of the reviews depends on the element under review. For instance, a Loan Originator Compensation review should only take place when there is a change in plans. Vendor reviews only take place if a regulator requires them AND if the company has any choice in the vendors under review.

As part of the review, each audit has a policy and procedure and a training component for the employees involved in the function. To easily understand the audit process, think of the "four pillars":

  1. A compliance officer - you, probably
  2. A policy and procedure - your manuals
  3. An audit - see the checklists in your manuals
  4. Training for employees - see https://www.mortgagemanuals.com/training-services.html

Remember that many of the reports you receive represent audits. For instance, you probably got an FCRA audit from your credit bureau. This is an essential component of your customer ID Theft Prevention plan. You may also get scorecards from your investors. These are Quality Control Reports. If you get examined by a state and go through a renewal or application process with a lender or other third party, you can use these as evidence of compliance audits.