FAQ - Risk Assessments
May 14, 2026 BY MQMR Blogger
Question:
What risk assessments should a mortgage lender perform and how often?
Answer:
Performing risk assessments is an important component of maintaining an effective compliance management system. Federal and state regulators are increasingly asking for risk assessments in connection with examinations. Although there is no one-size-fits-all approach, performing the following periodic risk assessments helps mortgage lenders identify and address both industry-wide risks and risks specific to their own business:
1. AML Risk Assessments – residential mortgage loan originators (RMLOs) must conduct an AML risk assessment to identify the high-risk operations unique to their business. Conducting an AML risk assessment helps an RMLO develop and implement an effective AML program. The assessment should be reviewed on a regular basis (generally every 12-18 months) so that it stays accurate and current and addresses evolving concerns and changes to the business. The Conference of State Bank Supervisors (CSBS) published an AML Risk Assessment tool several years ago, which mortgage lenders may use as a template but must tailor to their own activities and risks.
2. Information Security / Cybersecurity Risk Assessments – mortgage lenders are key targets for hackers, cyber criminals, and other bad actors because they hold large volumes of sensitive financial and personal data. Security breaches can cause significant damage to a mortgage lender and its customers. Information security and cybersecurity risk assessments identify threats and security vulnerabilities and rate their likelihood and impact so that the lender can prioritize and remediate the most significant risks.
- CSBS indicates that a risk assessment should be performed at least annually to determine whether an organization’s resources, priorities, or business operations have changed significantly enough to warrant modifying its cybersecurity strategy. See How to Structure Your Cybersecurity Program – Identify.
- The California Privacy Protection Agency (CPPA) adopted regulations updating the California Consumer Privacy Act (CCPA), which, among other things, require risk assessments for processing activities that present a significant risk to consumers’ privacy. Businesses subject to the CCPA must perform these risk assessments as of January 1, 2026 and will be required to submit summaries of them to the CPPA beginning April 1, 2028.
- The New York State Department of Financial Services (NYDFS) published a Cybersecurity Program Template, which includes a Risk Assessment template attached as Appendix 3. Note that NYDFS-regulated entities are separately required under 23 NYCRR Part 500 (Section 500.9) to conduct a periodic risk assessment of their information systems and to review and update it at least annually.
- National Institute of Standards and Technology (NIST) – Assessing Security and Privacy Controls in Information Systems and Organizations (SP 800-53A), which covers assessing whether implemented controls are effective. For the risk assessment methodology itself (identifying threats, vulnerabilities, likelihood and impact), see NIST SP 800-30, Guide for Conducting Risk Assessments.
3. Fair Lending Risk Assessments – regulators expect mortgage lenders to conduct fair lending risk assessments to ensure that fair lending risk is being appropriately measured and mitigated. These assessments are typically conducted annually, but should be updated following a major event, such as a merger or acquisition or a material change in the lender’s business.
4. Fannie Mae Seller/Servicer Risk Self-Assessment Checklists – Fannie Mae indicates that risk management is one of the most important aspects of the business of originating and servicing mortgage loans and provides self-assessment checklists to guide seller/servicers.
5. CSBS Non-Bank Mortgage Servicer Prudential Standards – among other things, these standards, which have been adopted by a number of states, establish corporate governance requirements, including risk management requirements for mortgage servicers. Generally, licensees subject to these requirements must conduct an annual risk assessment and report the findings to their Board of Directors or other governing body.
Note that the above is not an all-inclusive list of the types of risk assessments that should be performed.