The Shift to State Regulation: What Lenders Need to Know About Servicing Risk
Suzanne Szymoniak is chief compliance officer with LoanCare, Virginia Beach, Va.
Over the past several years, mortgage servicers have experienced a noticeable shift in regulatory momentum. While federal regulatory activity–particularly from the Consumer Financial Protection Bureau–has slowed, oversight has not disappeared. Supervisory guidance has been pulled back, certain proposals have stalled and enforcement posture has recalibrated. But this does not signal a lighter compliance burden.
Instead, the regulatory center of gravity is moving to the states.
For lenders that retain servicing or rely on a subservicer, this shift matters. Rather than disappear, the compliance responsibility simply becomes more fragmented, more localized and more operationally complex.
Since 2022, federal regulatory changes impacting servicing have declined year over year. At the same time, state-level activity has accelerated. While 2023 saw a slight dip, 2024 and 2025 brought a significant increase in enacted state regulations that affect mortgage servicing.
Based on our regulatory change tracking, impactful state-level changes increased materially year over year–rising from roughly 250 enacted changes to approximately 350, a substantial jump in compliance volume. The states leading this activity include California, New York, Maryland and Colorado. These jurisdictions are not only active; they are setting the tone and direction that other states will most likely follow.
For lenders operating nationally, that means the compliance landscape is becoming more decentralized and more dynamic.
Where States Are Expanding Oversight
The most significant areas of state-level expansion over the past two years include:
• Data Privacy, Cybersecurity and Artificial Intelligence
States continue to strengthen privacy statutes, cybersecurity expectations and incident reporting obligations. Rather than following a singular federal standard, servicers now manage nuanced, and sometimes conflicting, state-level requirements. Artificial intelligence is increasingly layered into these efforts. Several states, including Colorado, Utah, Maine and California, now require consumer disclosures when AI is used in borrower interactions. That means servicers must inventory where AI touches the consumer experience, tag AI-driven communications across chat, portal and email, and implement disclosure triggers before consequential decisions.
Colorado, in particular, has introduced heightened governance expectations for “high risk” AI–defined as AI used in consequential decisioning within housing or financial services. Organizations deploying such tools must maintain risk management programs, conduct annual impact assessments and demonstrate reasonable care to avoid algorithmic discrimination. Those assessments must evaluate bias, inputs and outputs, data sources, model limitations, transparency and consumer-notice obligations.
Importantly, liability remains with the business. “AI made the decision” is not a defense. For servicers, this creates additional oversight considerations, particularly when third-party vendors are incorporating AI into servicing workflows.
• Foreclosure and Eviction Process Tightening
States are not only modifying foreclosure timelines, but in some cases, they are fundamentally reshaping the risk calculus for servicers.
For example, New York’s Foreclosure Prevention Act has made it significantly more difficult for servicers once the statute of limitations is triggered. The law limits the ability to toll the statute of limitations and creates meaningful procedural hurdles that must be navigated precisely. For servicers, that means tighter timelines, less flexibility and greater exposure if processes are not meticulously managed.
We are also seeing ongoing updates to required consumer communications leading into foreclosure. Pennsylvania, for instance, recently revised certain foreclosure notice requirements, adding or refining disclosure expectations. These types of updates may appear incremental, but operationally they require system changes, template revisions, legal review and training updates–often across multiple jurisdictions simultaneously.
The broader trend is clear: states are taking a more consumer-centric approach. Rather than extending timelines or easing administrative burdens, they are increasing protections, enhancing notice requirements and tightening procedural safeguards. For servicers, this means foreclosure compliance requires close monitoring of state-level changes that directly impact timelines, documentation requirements and borrower communications–all of which carry material litigation and reputational risk if mishandled.
• Loss Mitigation and Insurance Proceeds Reform
At the agency level, there are major overhauls of loss mitigation frameworks. In certain cases, states are encouraging more streamlined loss mitigation reviews based on limited documentation. However, federal frameworks like RESPA remain rooted in more formal application-based processes. This creates operational friction that must be carefully managed to avoid compliance gaps.
• Licensing and Prudential Standards Modernization
States are modernizing supervisory expectations, often elevating risk management and governance requirements to levels more commonly associated with banking institutions. For non-bank servicers, this means building enterprise risk infrastructures that are formal, documented and audit ready.
The Operational Impact: More Complexity, Not Less
For nationally licensed servicers, the impact is straightforward: complexity has increased.
Higher regulatory change volume means more system updates, more policy revisions, more control enhancements and more testing. Multi-state examinations add another layer of scrutiny with coordinated audits that can be shared across jurisdictions.
The practical question is whether this shift creates more challenges or fewer. Operationally, it creates more.
Patchwork state requirements complicate nationwide servicing. Compliance costs rise. Vendor oversight intensifies, particularly as vendors deploy AI capabilities that trigger new governance expectations. The absence of a singular federal anchor increases the likelihood of divergence across jurisdictions.
At the same time, clearer governance expectations can reduce uncertainty in emerging areas. Strong consumer protections can enhance borrower trust. Organizations that invest in mature enterprise risk frameworks can differentiate themselves through disciplined compliance management.
The Rise of Enterprise Risk Expectations
Perhaps the most significant structural shift is the elevation of risk management expectations.
Historically, compliance functions sat at the center of servicing oversight. Today, regulators increasingly expect robust enterprise risk management programs comparable to those of depository institutions. This includes formal regulatory change management processes, issue governance oversight, and risk and control assessments that require quality control testing and integrated vendor management oversight.
For servicers, building and maintaining that infrastructure internally requires substantial investment in specialized talent, systems and governance frameworks.
The Bottom Line
The pullback at the federal level has not reduced regulatory pressure on servicing; it has redistributed it.
For servicers, the question is not whether these requirements apply; it’s how best to manage them.
Working with a subservicer that maintains dedicated regulatory change management teams, enterprise risk infrastructure and state-by-state monitoring capabilities allows lenders to mitigate the operational burden of tracking, interpreting and implementing hundreds of regulatory updates each year.
Mortgage servicing is subject to expansive oversight at the federal, state, agency and insurer levels. Every regulatory shift carries downstream operational implications. A mature subservicing partner absorbs that complexity so lenders can focus on origination growth, borrower relationships and capital strategy without building a full-scale servicing compliance apparatus in-house.
The regulatory center of gravity may have shifted, but oversight remains firmly in place.
The right servicing partner ensures you are prepared for it.
(Views expressed in this article do not necessarily reflect policies of the Mortgage Bankers Association, nor do they connote an MBA endorsement of a specific company, product or service. MBA NewsLink welcomes submissions from member firms. Inquiries can be sent to Editor Michael Tucker or Editorial Manager Anneliese Mahoney.)
