How MortgageTech® implements borrower communications within TCPA, GLBA, CAN-SPAM, and mortgage industry regulatory requirements.
The MortgageTech® Processing Workbook enables loan processors, underwriters, and closers to communicate with borrowers via SMS text messaging and email directly from within the Encompass® Web loan origination platform. All messaging is transactional — tied to an active loan file — and initiated by authorized loan personnel.
This document details the technical architecture, regulatory compliance posture, consent mechanisms, and data protection controls that govern all borrower messaging.
The workbook includes a Text panel in the sidebar where processors can send and receive SMS messages tied to the currently open loan file. Messages flow through Azure Communication Services (ACS), a Microsoft-managed telephony platform.
The Telephone Consumer Protection Act (TCPA) governs the sending of text messages to consumers. MortgageTech® complies through the following mechanisms:
| Requirement | Implementation | Status |
|---|---|---|
| Prior Express Consent | Borrowers provide their phone number on the Uniform Residential Loan Application (URLA Form 1003). By providing a mobile number and engaging in the loan process, borrowers consent to transactional communications related to their loan. | COMPLIANT |
| Opt-Out Mechanism | Every message template includes STOP language. Borrowers can reply STOP at any time. The system honors STOP requests and ceases all further SMS to that number. | COMPLIANT |
| Message Content | All messages are transactional (document requests, status updates, closing coordination). No marketing, promotional, or advertising content is sent via SMS. | COMPLIANT |
| Sender Identification | Messages are sent from a verified toll-free number (+1-877-324-9604) registered with Azure Communication Services. Toll-free verification submitted to carriers. | COMPLIANT |
| Time Restrictions | The workbook is used by processors during normal business hours. Messages are initiated manually by a human — no automated sends, no scheduled blasts, no after-hours auto-messages. | COMPLIANT |
| Record Keeping | All messages (inbound and outbound) are stored in Azure Table Storage with full metadata: timestamp, direction, phone, loan number, sender name, and ACS message ID. | COMPLIANT |
The Gramm-Leach-Bliley Act requires financial institutions to protect consumers' Nonpublic Personal Information (NPI). SMS messaging handles NPI as follows:
Email communication from the workbook will be powered by Azure Communication Services Email or direct SMTP integration with the customer's existing email infrastructure (Microsoft 365, Exchange). The architecture mirrors SMS:
While CAN-SPAM primarily regulates commercial/marketing email, MortgageTech® exceeds its requirements for all transactional email:
| Requirement | Implementation | Status |
|---|---|---|
| Accurate Header Info | From address uses the lender's verified domain. No spoofing, no misleading sender names. | COMPLIANT |
| Subject Line Accuracy | Subject lines reflect actual content (e.g., "Document Needed for Loan #12345"). No deceptive subjects. | COMPLIANT |
| Physical Address | All emails include the lender's physical business address in the footer. | COMPLIANT |
| Unsubscribe Mechanism | While not required for transactional email, an opt-out link is included as best practice. | COMPLIANT |
| No Marketing Content | All emails are transactional — loan-specific communications only. No cross-selling, rate promotions, or marketing. | COMPLIANT |
Both SMS and email conversations are stored in a unified thread per loan, giving processors a complete communication history:
The Consumer Financial Protection Bureau (CFPB) and Equal Credit Opportunity Act (ECOA) impose additional requirements on borrower communications:
| Regulation | Requirement | How We Comply | Status |
|---|---|---|---|
| ECOA / Reg B | Adverse action notices must be in writing | Adverse action notices are never sent via SMS. The workbook is for document requests and status updates only. Formal notices go through the LOS adverse action workflow. | COMPLIANT |
| TILA / Reg Z | Rate/fee disclosures require specific formatting | No rate, fee, or APR information is communicated via SMS or informal email. All disclosures route through Encompass disclosure engine. | COMPLIANT |
| RESPA / Reg X | Servicing notices require specific timelines and content | Workbook messaging is used during origination only. Servicing notices are handled by the servicer's platform, not the workbook. | COMPLIANT |
| CFPB Servicing Rules | Document all borrower contact attempts | Every message (sent and received) is logged with full metadata and tied to the loan file. Provides complete contact documentation for examiners. | COMPLIANT |
| Fair Lending | Consistent communication regardless of protected class | Message templates and workflows are standardized. No borrower receives different treatment based on demographics — same tools, same process for every loan. | COMPLIANT |
| Control | Detail | Status |
|---|---|---|
| Credential Isolation | ACS connection strings, API keys, and storage keys are stored in Azure SWA Environment Variables. Never exposed to the browser client. | PASS |
| Encryption at Rest | Azure Table Storage encrypts all data at rest using Microsoft-managed keys (AES-256). Customer-managed keys available. | PASS |
| Encryption in Transit | All API calls use HTTPS/TLS 1.2+. ACS SDK connections are encrypted. No plaintext transmission. | PASS |
| Access Control | Azure RBAC governs who can access the ACS resource, storage account, and phone numbers. Key rotation supported with zero downtime. | PASS |
| Data Residency | ACS resource configured with US data location. Storage account in Central US. All borrower data stays within US Azure regions. | PASS |
| Audit Logging | Azure Monitor captures all API function invocations. ACS provides delivery reports. Table Storage operations are logged. | PASS |
MortgageTech® messaging is purpose-built for the mortgage industry: