A comprehensive assessment of how the MortgageTech® URLA Workbook adheres to ICE Mortgage Technology's technical specifications, integration requirements, and platform standards for Encompass Web custom forms.
ICE Mortgage Technology (formerly Ellie Mae, acquired by Intercontinental Exchange for ~$11B in 2020) publishes a set of technical specifications and requirements for partners and developers building custom forms, integrations, and extensions for the Encompass loan origination system.
The MortgageTech® URLA Workbook is a custom web-based form system deployed within Encompass Web. This document details our compliance with ICE's published specifications, the Secure Scripting Framework (SSF), custom form hosting requirements, field binding standards, and security mandates.
The SSF is ICE's JavaScript API layer that enables custom forms to interact with Encompass loan data. It provides controlled access to field values, loan events, and host application services while maintaining security boundaries.

| SSF Requirement | Implementation | Status |
|---|---|---|
| elli.script.getObject(): Read loan field values via SSF API | encompassBridge.js wraps all SSF calls through elli.script.getObject('loan'), mapping 831+ fields to Encompass canonical IDs | Pass |
| elli.script.setObject(): Write field values back to Encompass | All input fields use emid attribute binding. encompassBridge.js calls elli.script.setObject() on blur/change events, with field lock verification | Pass |
| elli.script.subscribe(): Subscribe to loan change events | SmartAdvisor™ and WorkflowEngine subscribe to loan change events to trigger real-time recalculation of LTV, DTI, and workflow status | Pass |
| Field ID Mapping: Use canonical Encompass field IDs | All 831+ fields use standard Encompass IDs: FR01xx (borrower), FR02xx (co-borrower), URLA.Xxx (URLA-specific), CX.xxx (custom) | Pass |
| No Direct DOM Manipulation of Host: Custom forms must not access parent frame DOM | Each T-panel runs in its own iframe. All communication with the host uses postMessage() or SSF APIs. No parent frame access attempted. | Pass |
| Graceful Degradation Outside Encompass: Form should function when SSF is not available | Bridge detects environment via window.elli check. In simulation mode, all fields are editable with local state. SSF is optional, not required. | Pass |

The encompassBridge.js module provides a complete abstraction layer that works identically in both Encompass and standalone simulation modes.
ICE specifies how custom forms must be hosted and delivered to work correctly within the Encompass Web platform.

| Hosting Requirement | Implementation | Status |
|---|---|---|
| HTTPS Only: All custom form URLs must use TLS | Deployed to Azure Static Web Apps which enforces HTTPS by default. Certificate managed by Azure. No mixed content. | Pass |
| X-Frame-Options: Must allow embedding in Encompass iframe | staticwebapp.config.json sets X-Frame-Options: "" (empty/removed) to allow Encompass Web's iframe embedding | Pass |
| Content-Security-Policy: Must permit Encompass domains as frame ancestors | CSP frame-ancestors includes: *.icemtprod.com, *.encompass.me, *.elliemae.com, *.icemortgagetechnology.com | Pass |
| CORS Headers: API endpoints must accept Encompass origins | Azure Function API (/api/ai-insight) returns proper CORS headers. Static assets served with default Azure SWA CORS (same-origin). | Pass |
| No External CDN Dependencies: Minimize third-party script loading | Zero external dependencies. No CDN scripts, no npm packages in the browser. All CSS/JS is first-party, self-hosted. Tech strip: "ZERO DEPENDENCIES" | Pass |
| Fast Load Time: Custom forms should load within 3 seconds | Total bundle: ~180KB uncompressed. Azure SWA serves with auto-compression. Measured load time: <2 seconds including all 38 panels. | Pass |

Encompass requires that custom forms correctly map UI elements to loan data fields and preserve data integrity during read/write operations.
Every input field in the workbook uses the emid attribute to declare its Encompass field ID. This is the standard binding mechanism for ICE custom forms.
Encompass supports field-level locking to prevent unauthorized editing. The workbook fully respects this:
fieldLockManager.js queries lock status for each field via SSF

| Validation Rule | Implementation | Status |
|---|---|---|
| Format Preservation: Dates, SSN, phone numbers maintain Encompass format | Input masks applied to date fields (MM/DD/YYYY), SSN (XXX-XX-XXXX), phone (XXX-XXX-XXXX). Stored values match Encompass format exactly. | Pass |
| Numeric Precision: Currency and percentage fields maintain precision | Currency fields stored as unformatted numbers. Display formatting applied by CSS/JS. No rounding errors on write-back. | Pass |
| Null/Empty Handling: Empty fields should write empty, not "null" or "undefined" | Bridge explicitly converts falsy values to empty string before setObject(). No "null" or "undefined" strings written to loan. | Pass |
| Field Length Limits: Respect Encompass max length for each field | Input maxlength attributes set per Encompass field schema. Enforced at HTML level. | Pass |

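
One way to apply the format, empty-value and length rules from the table above before a write-back, as an added example that is not the workbook's encompassBridge.js code; `normalizeForWrite`, its `kind` names and the two-decimal currency limit are assumptions. It treats only null, undefined and the empty string as empty, so a numeric 0 is written as "0".

```javascript
// Added example, not the workbook's own code. The date, SSN and phone
// formats are the ones listed in the table above.
var FORMATS = {
  date: /^(0[1-9]|1[0-2])\/(0[1-9]|[12]\d|3[01])\/\d{4}$/, // MM/DD/YYYY
  ssn: /^\d{3}-\d{2}-\d{4}$/,                               // XXX-XX-XXXX
  phone: /^\d{3}-\d{3}-\d{4}$/                              // XXX-XXX-XXXX
};

// Returns { ok: true, value: string } or { ok: false, reason: string }.
// The caller writes `value` back only when ok is true.
function normalizeForWrite(kind, raw, maxLength) {
  // Only null, undefined and '' mean "empty"; 0 and false are real values.
  if (raw === null || raw === undefined || raw === '') {
    return { ok: true, value: '' };
  }
  var s = String(raw).trim();
  if (kind === 'currency') {
    // Strip display formatting and keep the digits as typed (no float math).
    // Assumption: at most two decimal places.
    s = s.replace(/[$,\s]/g, '');
    if (!/^-?\d+(\.\d{1,2})?$/.test(s)) {
      return { ok: false, reason: 'not a currency amount' };
    }
  } else if (Object.prototype.hasOwnProperty.call(FORMATS, kind)) {
    if (!FORMATS[kind].test(s)) {
      return { ok: false, reason: 'bad ' + kind + ' format' };
    }
  }
  // HTML maxlength can be bypassed by script, so check length here as well.
  if (maxLength && s.length > maxLength) {
    return { ok: false, reason: 'too long' };
  }
  return { ok: true, value: s };
}
```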
The Uniform Residential Loan Application (URLA) — Form 1003 — is jointly specified by Fannie Mae and Freddie Mac. ICE Mortgage Technology's Encompass implements this form using a standardized field mapping that custom forms must follow.

| URLA Section | Panels | Coverage | Status |
|---|---|---|---|
| Section 1 — Borrower Information: Personal info, credit type, marital status, dependents, contact, addresses | T1A1–T1A9 | All borrower/co-borrower fields with split layout | Complete |
| Section 2 — Financial Information: Employment, income, assets & liabilities | T2A1–T2A5 | Employment history, other income, asset/liability grid | Complete |
| Section 3 — Financial Information (Real Estate): Real estate owned, other liabilities, gifts | T3A1–T3A7 | REO schedule, other debts, gifts & grants, declarations | Complete |
| Section 4 — Loan & Property Information: Property details, loan purpose, title, military service | T4A1–T4A10 | Loan terms, property address, occupancy, mixed-use, purchase credits | Complete |
| Section 5 — Declarations & Demographics: Declarations, acknowledgments, demographics, lender info | T5A1–T5A9 | All declaration questions, HMDA fields, government monitoring, lender details | Complete |

ICE Mortgage Technology requires that custom forms and integrations maintain strict security standards to protect loan data and borrower PII.

| Security Requirement | Implementation | Status |
|---|---|---|
| No Client-Side API Keys: Secrets must not be exposed in JavaScript | Azure OpenAI key stored as Azure SWA environment variable. AI requests routed through server-side /api/ai-insight proxy. Zero keys in client code. | Pass |
| No PII in External Services: Borrower data must not be sent to unauthorized third parties | AI insights use anonymized loan summaries (LTV, DTI, program type). No borrower names, SSN, DOB, or addresses sent to Azure OpenAI. See Privacy & SOX Report. | Pass |
| Iframe Sandboxing: T-panels must not escape their iframe sandbox | Each of the 38 panels loads in a sandboxed iframe. Panel-to-host communication uses window.postMessage() with origin verification. | Pass |
| No Local Storage of PII: Loan data must not persist in browser storage | localStorage used only for UI preferences (theme, role, cached AI summaries). Actual loan data is never written to localStorage or sessionStorage. | Pass |
| Input Sanitization: Custom forms must prevent XSS and injection | All user-facing text rendered via escHtml() helper. No innerHTML with unsanitized user input. All field values HTML-encoded before display. | Pass |
| Authentication Boundary: Custom forms operate within Encompass's auth context | Form loaded within Encompass Web's authenticated session. No separate login required. SSF API calls inherit the user's Encompass session token. | Pass |

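
The postMessage() origin verification named in the table above, sketched as an added example that is not the workbook's own code. It assumes the trusted senders are the Encompass domains this page lists for frame-ancestors; `isTrustedOrigin`, `acceptMessage`, the message shape and the field ID `CX.EXAMPLE` are hypothetical.

```javascript
// Added example, not the workbook's own code.
// Assumption: trusted senders are the Encompass domains this page lists
// for CSP frame-ancestors (*.icemtprod.com, *.encompass.me, ...).
var TRUSTED_SUFFIXES = ['icemtprod.com', 'encompass.me', 'elliemae.com',
                        'icemortgagetechnology.com'];

// True only for an https origin on the default port whose host is a
// subdomain of a trusted suffix.
function isTrustedOrigin(origin) {
  if (typeof origin !== 'string') { return false; }
  // event.origin is "scheme://host[:port]"; opaque origins are "null".
  var m = /^https:\/\/([a-z0-9-]+(?:\.[a-z0-9-]+)+)$/i.exec(origin);
  if (!m) { return false; }
  var host = m[1].toLowerCase();
  for (var i = 0; i < TRUSTED_SUFFIXES.length; i++) {
    var suffix = '.' + TRUSTED_SUFFIXES[i];
    // Compare on a label boundary so "notelliemae.com" or
    // "elliemae.com.example.net" cannot pass as "*.elliemae.com".
    if (host.length > suffix.length &&
        host.slice(-suffix.length) === suffix) { return true; }
  }
  return false;
}

// Hypothetical message: { type: 'field-change', emid: 'CX.EXAMPLE', value: '...' }
// Returns a fresh validated object, or null when the message is ignored.
function acceptMessage(event) {
  if (!event || !isTrustedOrigin(event.origin)) { return null; }
  var d = event.data;
  if (!d || typeof d !== 'object' || d.type !== 'field-change') { return null; }
  if (typeof d.emid !== 'string' ||
      !/^[A-Za-z0-9._]{1,40}$/.test(d.emid)) { return null; }
  if (typeof d.value !== 'string' || d.value.length > 1024) { return null; }
  return { emid: d.emid, value: d.value };
}

// Browser wiring; skipped when run outside a browser.
if (typeof window !== 'undefined' && window.addEventListener) {
  window.addEventListener('message', function (e) {
    var msg = acceptMessage(e);
    if (msg) { console.log('accepted update for', msg.emid); }
  });
}
```

A substring test such as `origin.indexOf('elliemae.com')` would accept the look-alike hosts that the label-boundary comparison rejects.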
Beyond the SSF, ICE specifies requirements for custom forms to integrate properly with the Encompass Web user experience.

| Platform Requirement | Implementation | Status |
|---|---|---|
| Responsive within Host: Form adapts to Encompass Web viewport | Panel layout uses 800px fixed-width (ICE standard). Host workbook scrolls vertically. Accordion-based navigation allows any viewport height. | Pass |
| Browser Compatibility: Chrome (primary), Edge (supported) | Tested on Chrome 120+ and Edge 120+. Zero external dependencies means no polyfill requirements. Pure HTML5/CSS3/ES5. | Pass |
| Accessibility (WCAG 2.1): Custom forms should meet AA compliance | Built-in accessibility-toolkit.js: keyboard navigation, focus trapping, ARIA labels, font scaling (12–20px), high-contrast mode, skip-to-content. | Pass |
| Print Support: Form should be printable for compliance files | @media print rules included. Dark mode elements convert to print-friendly format. Panel headers/footers repeat. | Pass |
| State Persistence: User preferences should survive navigation | Accordion open/close state, active tab, dark mode toggle, font size, and SmartAdvisor™ role selection all persist in localStorage. | Pass |
| Offline Tolerance: Graceful handling of connectivity loss | Static assets cached by browser. Field data stays in memory. SSF write-back queues on failure. SmartAdvisor™ shows "offline" state if API unreachable. | Pass |

The workbook's integration with Encompass Web follows the recommended pattern for custom form deployment:
Overall compliance status across all ICE Mortgage Technology specification categories:

| Category | Requirements | Passing | Status |
|---|---|---|---|
| SSF Framework | 6 | 6 | 100% |
| Custom Form Hosting | 6 | 6 | 100% |
| Field Binding & Data Integrity | 4 | 4 | 100% |
| URLA Form Coverage | 5 sections | 5 | 100% |
| Security & Access Control | 6 | 6 | 100% |
| Platform Requirements | 6 | 6 | 100% |

| Layer | Technology | Notes |
|---|---|---|
| Markup | HTML5 | Semantic elements, ARIA labels, no framework |
| Styling | CSS3 + CSS Custom Properties | Theme variables, dark/light mode, print styles |
| Logic | ES5 JavaScript (vanilla) | No transpiler needed. Compatible with all Encompass-supported browsers. |
| AI Backend | Azure Functions (Node.js 18) | Serverless proxy to Azure OpenAI gpt-4.1-mini |
| Hosting | Azure Static Web Apps | Auto-SSL, global CDN, CI/CD via Azure DevOps |
| Integration | ICE SSF (Secure Scripting Framework) | elli.script.* API for loan data read/write |
| Testing | Playwright | E2E tests, layout regression, accessibility audits |

This compliance assessment was conducted through architectural review, code inspection, runtime testing, and configuration verification of the MortgageTech® URLA Workbook as deployed to Azure Static Web Apps.
All specifications referenced are based on ICE Mortgage Technology's published developer documentation, Encompass Web custom form guidelines, and the Secure Scripting Framework (SSF) API reference available through ICE Developer Connect.

| | |
|---|---|
| Prepared By | MortgageTech® Engineering — WorkbooksFX Division |
| Assessment Date | February 9, 2026 |
| Product Version | v2026.02.08 — SmartAdvisor™ Edition |
| Next Review | August 2026 (6-month cycle) |