As a business owner, I’ve come to genuinely appreciate what AI can do. For all of us, it’s an extremely useful tool. But if you’re a lender, especially a mortgage lender, the regulatory risks that come with it have to be accounted for.
I spent years as a Senior Commissioned Examiner at the CFPB. I’ve sat across the table from compliance officers, general counsels, and CEOs reviewing marketing materials, website disclosures, and lead generation arrangements. On the private side, I’ve helped mortgage lenders identify and mitigate the regulatory risks associated with their marketing programs.
Here’s what I can tell you: the digital channel did not eliminate the legal and compliance risks in mortgage marketing. It disguised them — and in many cases, made them worse.
Here’s a quick breakdown of some of those risks that you may or may not have thought about.
RESPA Section 8 didn’t disappear when marketing went digital.
The prohibition on kickbacks and unearned fees under RESPA Section 8 is as alive online as it ever was in a back-office referral arrangement. The CFPB’s 2023 Advisory Opinion on digital mortgage comparison-shopping platforms made clear that presenting lenders non-neutrally — highlighting one provider over another — can constitute a referral in violation of Section 8.
That opinion was not among the 67 guidance documents the CFPB rescinded in 2025. That’s not an accident. Mortgages are the bureau’s stated highest consumer protection priority.
The question mortgage lenders need to ask themselves isn’t what you called the arrangement — it’s what value flowed, and what it was for. Co-branded websites, embedded lender placements on real estate platforms, “preferred lender” designations — all of it gets scrutinized on economic substance. If the arrangement correlates to referral volume, the label on the contract doesn’t protect you.
UDAAP exposure lives in what you don’t say.
Digital advertising creates enormous omission risk. Truncated ad copy. Rate teasers. Social media posts. Banner ads. All of these formats are structurally designed to leave things out — and regulators know it.
A representation or omission that’s likely to mislead a reasonable consumer on a material fact is a deceptive act or practice. You don’t need to intend to deceive. A technically accurate statement that creates a misleading net impression is still a problem.
There’s at least one consent order worth reading in this context. Undisclosed monthly payments and per-lead fees to a veterans’ organization — combined with “lender of choice” marketing — produced both RESPA and UDAAP violations. The deception wasn’t a lie. It was the absence of material information that consumers would have found important.
Regulation N is the rule most people aren’t talking about enough.
Reg N — the Mortgage Acts and Practices Advertising Rule — is a strict liability advertising standard for mortgage products. It applies to any commercial communication about a mortgage credit product, and “commercial communication” is defined broadly: websites, emails, digital ads, social posts, and chatbot outputs.
There’s no intent requirement. If the net impression is misleading — on rates, payment amounts, total costs, product comparisons, or government affiliation — you have a potential violation. The rule also imposes a 24-month recordkeeping requirement on all marketing materials and the basis for any representations made.
Many institutions don’t have a systematic archive process for digital content. When examiners ask for the marketing record and get a shrug, that’s not just a gap — it’s a regulatory finding.
Chatbots and automated tools are the compliance frontier right now.
If your chatbot describes loan programs, quotes rates, or compares products, those outputs are commercial communications. They’re Reg N. They’re UDAAP. And if the bot is steering consumers toward certain products based on proxies for protected characteristics — intentionally or not — you have a fair lending risk.
Regulators have explicitly flagged automated customer service tools for providing incorrect information, failing to enable meaningful dispute resolution, and raising privacy risks. The GAO concluded in December 2025 that chatbots and advertising algorithms can violate fair lending laws when they steer consumers in protected classes toward certain products or listings.
“The algorithm decided” is not a legal defense. It’s a description of the mechanism, not an absolution from the outcome.
The institutions that get hurt aren’t always the ones doing obviously bad things.
Sometimes the pattern is this: a company builds a digital marketing infrastructure that scales fast, and the compliance infrastructure never catches up. Content goes live without pre-publication review. Loan officers post without oversight. Third-party lead generators say things the institution would never have approved — and no one is watching.
That’s the CMS story underneath most consent orders in this space. The marketing velocity outran the governance.
So what’s a mortgage lender to do?
Given the risks, where does a lender start? Most of the time, the answer comes down to governance: Model Risk Management, Third-Party Risk Management, Compliance Oversight.
It starts with identifying where the weak spots are, assessing the risks, and building a plan that aligns those risks with the lender’s overall risk appetite and tolerance.
Practical questions every mortgage company should be asking right now:
- Who approves digital content before it goes live, including loan officer social media posts?
- What does your third-party oversight program say about lead generators and co-marketers?
- Are your chatbot outputs being reviewed and logged? Who owns that?
- Do you have a 24-month archive of all marketing materials and the factual basis for the claims they make?
If those questions don’t have clean answers, you have work to do — and the regulators, even in the current regulatory environment, will eventually find it before you do.
I’m looking forward to getting into this in more depth at the conference. If you’re attending and want to connect, reach out directly.
David Stickney is the Founder and Managing Principal of Arq Advisory LLC, a Service-Disabled Veteran-Owned Small Business specializing in consumer financial regulatory compliance consulting. He is a former CFPB Senior Commissioned Examiner and holds the MBA’s AMP and CMCP designations.