Data privacy architecture, SOX controls, and regulatory compliance assessment for AI-powered loan analysis within Encompass Web.
SmartAdvisor™ is an AI-powered loan analysis sidebar embedded in the MortgageTech® URLA Workbook, a custom tool deployed within ICE Mortgage Technology's Encompass Web platform. This report assesses the system's compliance with Sarbanes-Oxley (SOX) Section 404 internal controls, Gramm-Leach-Bliley Act (GLBA) privacy requirements, and industry security best practices.
Overall Assessment: Compliant, with one open item. SmartAdvisor™ routes Azure OpenAI calls through a server-side proxy so that the provider API key never reaches the client, loan data is processed within the organization's own Azure tenant, and no Personally Identifiable Information (PII) is included in AI requests. The Google Gemini secondary provider is still called with a client-side key; moving it behind the same proxy is tracked in the Recommendations table.
Understanding how data moves through SmartAdvisor™ is critical for compliance assessment. The architecture is a server-side proxy model: the browser client sends only loan metrics to the organization's Azure Function, which holds the provider credentials and forwards the request, so the browser never possesses an API key.
The following controls map SmartAdvisor™ operations to SOX 404 requirements for IT General Controls (ITGCs) related to financial data processing systems.
| Control ID | Control Description | Implementation | Status |
|---|---|---|---|
| SOX-AC-01 | Access Control — API Credentials | API keys stored in Azure SWA Environment Variables. Accessible only to SWA managed functions. Cannot be read by client-side code or browser DevTools. | PASS |
| SOX-AC-02 | Access Control — Azure Portal | Azure OpenAI resource access governed by Azure RBAC. Key rotation available via Azure Portal. Separate KEY 1 and KEY 2 for zero-downtime rotation. | PASS |
| SOX-CM-01 | Change Management — Deployments | All deployments go through Azure DevOps CI/CD pipeline. Every change tracked via Git commits. SWA deployment requires deployment token. | PASS |
| SOX-CM-02 | Change Management — Code Review | Azure Function proxy code (~155 lines) is auditable. Single-purpose endpoint. No dynamic code execution or eval(). | PASS |
| SOX-DI-01 | Data Integrity — Input Validation | Azure Function validates request body (requires POST method, JSON content type, non-empty prompt). Rejects malformed requests with 400 status. | PASS |
| SOX-DI-02 | Data Integrity — Output Parsing | AI responses are parsed server-side into structured insight objects. Raw AI text is not rendered as HTML. This holds only while the client writes insight text via textContent (or equivalent) rather than innerHTML; any change to the sidebar's rendering code should be reviewed against this control. | PASS |
| SOX-AU-01 | Audit Trail — Request Logging | Azure SWA functions emit logs to Azure Monitor. Each request logged with timestamp, status code, and execution duration. No PII in logs. | PASS |
| SOX-AU-02 | Audit Trail — Configuration Changes | Environment variable changes logged in Azure Activity Log. Azure RBAC tracks who made changes and when. | PASS |
| SOX-BC-01 | Business Continuity — Failover | If Azure OpenAI is unavailable, SmartAdvisor™ degrades gracefully — displays "AI unavailable" message. Core workbook functionality unaffected. | PASS |
| SOX-BC-02 | Business Continuity — Provider Fallback | Google Gemini available as secondary AI provider. Users can switch in real time via settings. Loan data entry never blocked by AI outage. Note: Gemini is currently called with a client-side key, which weakens SOX-AC-01 until the proxy migration in the Recommendations table is complete. | PASS |
| Data Element | Classification | Stored in AI System? | Mitigation |
|---|---|---|---|
| Borrower Name | PII | No — not included in AI prompt | Prompt contains only loan metrics (DTI, LTV, credit score, loan amount) |
| SSN | Sensitive PII | No — never transmitted | SSN fields excluded from all AI data flows |
| Loan Amount | Financial NPI | Transient only | Not used for model training under the Microsoft product terms and DPA. Azure OpenAI abuse monitoring can retain prompts and completions for up to 30 days unless the subscription has an approved exemption, so confirm the resource's abuse-monitoring setting before treating retention as request-lifetime only. |
| Credit Score | Financial NPI | Transient only | Included in prompt for analysis, not persisted |
| DTI / LTV Ratios | Calculated | Transient only | Derived values, no direct consumer identification possible |
| Property Address | PII | No — not included in prompt | Address fields excluded from AI data flow |
| API Credentials | Secret | N/A | Server-side only. Never in browser. Never in AI request body. |
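As an added example (not SmartAdvisor's own proxy code), the following Node.js module shows the controls SOX-DI-01, SOX-DI-02 and the data-classification table describe working together: the request is validated, the metrics are reduced to an allow-list before the prompt is built, and the model reply is parsed into structured insight objects. The request shape, metric names and ranges, the insight JSON format and the function names are assumptions made for this example.

```javascript
// Added example, not SmartAdvisor's own proxy code: the request validation,
// data minimization and response parsing a server-side AI proxy such as
// /api/ai-insight needs so that only allow-listed loan metrics ever reach the
// model. The request shape, metric names, ranges and the insight JSON format
// are assumptions made for this example.

// Allow-list of loan metrics the prompt may contain (see the data-classification
// table). Anything not listed (borrower name, SSN, address, account numbers) is
// dropped, so a caller cannot put PII into the AI request even by mistake.
const ALLOWED_METRICS = {
  dti:         { min: 0,   max: 100 },        // percent
  ltv:         { min: 0,   max: 200 },        // percent
  creditScore: { min: 300, max: 850 },
  loanAmount:  { min: 1,   max: 50000000 },   // assumed upper bound
};

class BadRequest extends Error {
  constructor(message) { super(message); this.status = 400; }
}

// SOX-DI-01: POST only, JSON content type, a body that carries a metrics object.
// Takes a generic {method, headers, body} request (assumed shape, header names lower-cased).
function validateRequest(req) {
  if (req.method !== 'POST') throw new BadRequest('POST required');
  const contentType = String(req.headers['content-type'] || '').toLowerCase();
  if (!contentType.startsWith('application/json')) throw new BadRequest('JSON body required');
  let body;
  try {
    body = typeof req.body === 'string' ? JSON.parse(req.body) : req.body;
  } catch (e) {
    throw new BadRequest('malformed JSON');
  }
  if (!body || typeof body !== 'object' || !body.metrics || typeof body.metrics !== 'object') {
    throw new BadRequest('metrics object required');
  }
  return body;
}

// Keep only allow-listed, numeric, in-range metrics. Returns the kept values and
// the names (never the values) of rejected keys, which are safe to log.
function minimiseMetrics(metrics) {
  const kept = {};
  const rejected = [];
  for (const [key, value] of Object.entries(metrics)) {
    const rule = ALLOWED_METRICS[key];
    const n = typeof value === 'number' ? value
      : (typeof value === 'string' && value.trim() !== '') ? Number(value) : NaN;
    if (!rule || !Number.isFinite(n) || n < rule.min || n > rule.max) {
      rejected.push(key);
      continue;
    }
    kept[key] = n;
  }
  if (Object.keys(kept).length === 0) throw new BadRequest('no usable loan metrics');
  return { kept, rejected };
}

// The prompt is built from sanitized numbers only: no client-supplied free text
// can reach the model, which also closes the prompt-injection path.
function buildPrompt(kept) {
  const lines = Object.entries(kept).map(([k, v]) => `${k}: ${v}`);
  return 'Assess this loan using only the metrics below. Reply with one JSON object ' +
    '{"insights":[{"severity":"info|warn|risk","text":"..."}]}.\n' + lines.join('\n');
}

// SOX-DI-02: turn the model reply into structured insight objects. Unknown
// severities are downgraded and text stays a plain string; the client must
// render it with textContent, never innerHTML, for the XSS claim to hold.
function parseInsights(rawText) {
  const SEVERITIES = new Set(['info', 'warn', 'risk']);
  let parsed;
  try { parsed = JSON.parse(rawText); } catch (e) { return []; }
  if (!parsed || !Array.isArray(parsed.insights)) return [];
  return parsed.insights
    .filter((i) => i && typeof i.text === 'string' && i.text.trim() !== '')
    .map((i) => ({
      severity: SEVERITIES.has(i.severity) ? i.severity : 'info',
      text: i.text.slice(0, 500),
    }));
}

// Proxy handler. `callModel(prompt)` is injected (in production it would read the
// provider key from the function's environment), so the handler is testable
// offline. Provider failures map to a generic 502, not a stack trace (SOX-BC-01).
async function aiInsightHandler(req, callModel) {
  try {
    const body = validateRequest(req);
    const { kept, rejected } = minimiseMetrics(body.metrics);
    const raw = await callModel(buildPrompt(kept));
    return { status: 200, body: { insights: parseInsights(raw), dropped: rejected } };
  } catch (e) {
    if (e instanceof BadRequest) return { status: 400, body: { error: e.message } };
    return { status: 502, body: { error: 'AI unavailable' } };
  }
}
```

The point of the allow-list is that the proxy, not the sidebar, decides what the model sees: a borrowerName or ssn key in the request body is dropped before the prompt exists, and the rejected key names (not values) can go to Azure Monitor without putting PII in logs (SOX-AU-01).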
The GLBA Safeguards Rule requires financial institutions to implement security controls for customer information. SmartAdvisor™ addresses this through the data minimization shown in the table above: borrower identifiers (name, SSN, property address) never enter the AI data flow, and the financial NPI that is sent (loan amount, credit score, derived ratios) goes only to the organization's own Azure OpenAI resource.
The following AI providers were evaluated and removed from SmartAdvisor™ due to inability to meet bank-grade privacy requirements:
| Provider | Reason for Removal | Status |
|---|---|---|
| Ollama (Local) | Runs on user workstation. No enterprise governance. No audit trail. No centralized key management. Violates SOX change management requirements. | REMOVED |
| LM Studio (Local) | Same as Ollama — local inference with no enterprise controls. Cannot meet GLBA safeguards for multi-tenant environments. | REMOVED |
| OpenAI (Direct) | Client-side API key transmission. Key visible in browser DevTools and network tab. Cannot guarantee key rotation or access revocation in enterprise context. | REMOVED |
| Custom Endpoint | Arbitrary URL — no governance, no compliance verification possible. Could point to any system including personal or unauthorized servers. | REMOVED |
Remaining Approved Providers: Azure OpenAI (primary, via the server-side proxy) and Google Gemini (secondary, pending migration to the same proxy).
| Priority | Recommendation | Impact |
|---|---|---|
| HIGH | Implement API key rotation schedule (quarterly) | Reduces exposure window if key is compromised |
| HIGH | Enable Azure Monitor alerts for unusual API usage patterns | Early detection of abuse or compromise |
| MEDIUM | Migrate Gemini to server-side proxy (same pattern as Azure) | Eliminates last client-side key exposure |
| LOW | Add rate limiting to /api/ai-insight endpoint | Prevents cost runaway from abuse. Confirm at the same time that SWA route rules restrict /api/* to authenticated callers; if the proxy is reachable without a session, anyone who learns the URL can spend the tenant's Azure OpenAI quota. |
| LOW | Implement prompt logging (without PII) for audit trail | Enables retroactive compliance review |
SmartAdvisor™ operates within ICE Mortgage Technology's Encompass Web platform as a component of the MortgageTech® URLA Workbook. Compliance with ICE's Secure Scripting Framework (SSF), custom form hosting specifications, and Encompass platform requirements is critical to maintaining our deployment authority. A comprehensive technical assessment is available in the ICE Compliance Report.
All interaction with Encompass loan data is mediated through ICE's SSF JavaScript API layer. SmartAdvisor™ never directly accesses the Encompass host frame or loan database — every field read and write passes through elli.script.getObject() and elli.script.setObject() calls in our encompassBridge.js abstraction layer.
| Control ID | ICE / Encompass Requirement | SmartAdvisor™ Implementation | Status |
|---|---|---|---|
| ICE-SSF-01 | SSF API Exclusive Access: custom forms must use SSF for all loan data I/O | All 831+ field bindings route through SSF. No direct DOM manipulation of the Encompass host. SmartAdvisor™ reads loan metrics (DTI, LTV, credit score) exclusively via SSF subscription events. | PASS |
| ICE-SSF-02 | Field ID Mapping: canonical Encompass IDs required (FR01xx, URLA.Xxx, CX.xxx) | Every input uses the emid attribute bound to the standard Encompass field schema. SmartAdvisor™ prompt construction references the same canonical IDs for loan parameter extraction. | PASS |
| ICE-SSF-03 | No Parent Frame Access: custom forms must not access host frame DOM | Each T-panel runs in an isolated iframe. SmartAdvisor™ sidebar communicates with the workbook shell via postMessage() with origin verification and never touches the Encompass parent frame. The check must compare event.origin exactly against an allow-list (no prefix or substring match), and senders must pass an explicit targetOrigin rather than '*'. | PASS |
| ICE-SSF-04 | Graceful Degradation: forms must function when SSF is unavailable | Bridge detects Encompass via a window.elli check. In standalone/simulation mode, SmartAdvisor™ operates against local state. Core workbook remains functional without SSF. | PASS |
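An added example (not the workbook's or ICE's code) of the origin-verified postMessage() exchange ICE-SSF-03 relies on, with both the shell sender and the sidebar receiver. The origins, the {type, metrics} message schema and the function names are assumptions.

```javascript
// Added example, not the workbook's own code: origin-checked postMessage between
// the workbook shell and the SmartAdvisor sidebar iframe (ICE-SSF-03). The origins,
// the {type, metrics} message schema and the function names are assumptions.

// Exact origins (scheme + host + port) the sidebar accepts messages from.
const TRUSTED_SHELL_ORIGINS = new Set([
  'https://workbook.example.com',   // assumed workbook shell origin
]);

// Origins are compared as exact strings. A startsWith/includes check would let
// "https://workbook.example.com.evil.net" through, and "null" (the origin of a
// sandboxed or opaque document) is rejected along with any http:// variant.
function isTrustedOrigin(origin, trusted = TRUSTED_SHELL_ORIGINS) {
  return typeof origin === 'string' && trusted.has(origin);
}

// Schema check so a malformed or spoofed message cannot reach the AI path.
function isValidMetricsMessage(data) {
  return !!data && typeof data === 'object' && data.type === 'loan-metrics'
    && !!data.metrics && typeof data.metrics === 'object';
}

// Receiver (sidebar iframe). Built around an event-like {origin, data} object so
// it runs outside a browser; `onMetrics` is the sidebar's update callback.
function makeShellMessageHandler(onMetrics, trusted = TRUSTED_SHELL_ORIGINS) {
  return function handleShellMessage(event) {
    if (!isTrustedOrigin(event.origin, trusted)) return 'rejected:origin';
    if (!isValidMetricsMessage(event.data)) return 'rejected:schema';
    onMetrics(event.data.metrics);
    return 'accepted';
  };
}

// Sender (workbook shell). Always pass an explicit targetOrigin: postMessage(msg, '*')
// would hand loan metrics to whatever document is loaded in the sidebar frame.
function sendMetricsToSidebar(frameWindow, metrics, sidebarOrigin) {
  if (typeof sidebarOrigin !== 'string' || sidebarOrigin === '*') {
    throw new Error('explicit sidebar origin required');
  }
  frameWindow.postMessage({ type: 'loan-metrics', metrics }, sidebarOrigin);
}

// Browser wiring; skipped when run under Node.
if (typeof window !== 'undefined') {
  window.addEventListener('message', makeShellMessageHandler((metrics) => {
    // update sidebar state with the accepted metrics
  }));
}
```

The same two rules apply in the other direction when the sidebar posts results back to the shell: the shell checks event.origin against the sidebar's exact origin, and the sidebar names the shell origin as targetOrigin.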
ICE specifies strict hosting, security, and embedding requirements for any custom form deployed within Encompass Web.
| Control ID | Hosting / Security Requirement | Implementation | Status |
|---|---|---|---|
| ICE-HOST-01 | HTTPS & TLS: all URLs must use TLS 1.2+ | Deployed to Azure Static Web Apps (HTTPS enforced by default). Azure-managed TLS certificate. No mixed content. | PASS |
| ICE-HOST-02 | Frame Embedding (CSP): must permit Encompass iframe embedding | staticwebapp.config.json sets frame-ancestors to include *.icemtprod.com, *.encompass.me, *.elliemae.com, and *.icemortgagetechnology.com. frame-ancestors is only honored when delivered as a Content-Security-Policy response header (the SWA globalHeaders section), not in a meta tag; keep the list to these four suffixes and never fall back to '*'. | PASS |
| ICE-HOST-03 | Zero External Dependencies: minimize third-party script loading | No CDN scripts, no npm packages in the browser. All CSS/JS is first-party and self-hosted on Azure SWA. Removes the third-party-script supply-chain vector at runtime. | PASS |
| ICE-HOST-04 | No Client-Side Secrets: API keys must not appear in browser code | Azure OpenAI key stored in SWA Environment Variables (server-side only). AI requests route through /api/ai-insight Azure Function proxy. Aligns with SOX-AC-01. The Gemini secondary key is the remaining exception (see Recommendations). | PASS |
| ICE-HOST-05 | No PII to External Services: borrower data must not leak to unauthorized parties | SmartAdvisor™ prompt contains only calculated ratios (DTI, LTV) and loan parameters; no names, SSN, addresses, or account numbers. Compliant with GLBA safeguards (Section 4). | PASS |
| ICE-HOST-06 | Authentication Boundary: forms operate within Encompass session context | No separate login required. SSF API calls inherit the user's Encompass session token. SmartAdvisor™ is only accessible within the authenticated Encompass Web session. | PASS |
Beyond security, ICE requires custom forms to integrate seamlessly with the Encompass Web user experience and data integrity model.
| Control ID | Platform Requirement | Implementation | Status |
|---|---|---|---|
| ICE-PLAT-01 | Field Lock Compliance: respect Encompass field-level locking | fieldLockManager.js queries lock status via SSF. Locked fields render as read-only with a visual indicator. No write-back attempted for locked fields. | PASS |
| ICE-PLAT-02 | Data Validation & Format Preservation: dates, SSN, currency must match Encompass format | Input masks enforce MM/DD/YYYY, XXX-XX-XXXX, XXX-XXX-XXXX formats. Currency stored as unformatted numbers. Empty fields write empty string (never "null"). | PASS |
| ICE-PLAT-03 | URLA 1003 Full Coverage: all five URLA sections implemented | 38 interactive panels cover Sections 1–5 of the Uniform Residential Loan Application. All fields map to the same Encompass field IDs used by the native form. | PASS |
| ICE-PLAT-04 | Browser Compatibility: Chrome (primary), Edge (supported) | Tested on Chrome 120+ and Edge 120+. Pure HTML5/CSS3/ES5 with zero polyfill requirements. Meets Encompass Web's browser baseline. | PASS |
| ICE-PLAT-05 | Print & Accessibility: WCAG 2.1 AA, printable for compliance files | Built-in accessibility-toolkit.js: keyboard navigation, ARIA labels, font scaling, high-contrast mode. @media print rules convert to a print-friendly format. | PASS |
encompassBridge.js, hosting follows all security mandates, and the platform integrates seamlessly within the Encompass Web custom form architecture. For the full 33-control technical audit, see the ICE Compliance Report.
This report has been prepared based on architectural review, code inspection, and configuration verification of SmartAdvisor™ as deployed to Azure Static Web Apps on February 9, 2026.
The assessment covers the /api/ai-insight Azure Function proxy, client-side SmartAdvisor™ JavaScript module, and supporting Azure infrastructure. All controls were verified as operational at the time of assessment.