On the Horizon: Expanding State Prudential Standards for Nonbanks


April 10, 2026

State regulators are accelerating efforts to impose bank-like prudential standards on nonbank mortgage companies—a shift that could materially reshape governance, liquidity expectations, and supervisory scrutiny across the sector.

In July 2021, the Conference of State Bank Supervisors (CSBS) published its model state prudential standards for nonbank mortgage servicers (Model Standards), focusing on financial condition and corporate governance for some of the largest nonbank mortgage servicers in the nation. These standards addressed areas characteristic of bank prudential regulation: capital and liquidity, risk management, data standards and borrower information, data protection, and cyber risk. Several states had already adopted similar prudential standards at that time, and many others enacted the Model Standards in the three years that followed. Today, many loans serviced in the U.S. are serviced by mortgage licensees subject to the Model Standards through those states that have adopted them.

In 2025, we saw a meaningful increase in adoption as Nevada, Wisconsin, Arkansas, North Carolina, and Georgia all took action to implement the Model Standards. This led to optimism among some regulators that more states will not only adopt prudential standards, but that these standards may expand beyond servicers to other nonbank participants in the mortgage market.

For example, Maryland has expanded certain corporate governance concepts embedded in the Model Standards to both licensed mortgage and money transmission entities. Similarly, Georgia expanded applicability of general concepts embedded in the Model Standards to all mortgage-related licensees.

What Are the Model Standards?

During a recent Orrick panel on state financial services regulation, a representative for state regulators shared that 17 states have already adopted some form of the Model Standards, with some states beginning to expand beyond the largest mortgage servicers. But what are these standards, how important are they, and what impact do they have?

As a general matter, covered institutions under these standards—defined as nonbank mortgage servicers with servicing portfolios of 2,000 or more 1-4 unit residential mortgage loans and that operate in two or more states—are required to:

  • Maintain written policies and procedures on capital and liquidity requirements;
  • Use Generally Accepted Accounting Principles (GAAP) for all financial data;
  • Meet the Federal Housing Finance Agency (FHFA) Eligibility Requirements for Enterprise Single-Family Seller/Servicers, including requirements related to capital, net worth ratio, and liquidity;
  • Maintain sufficient allowable assets for operational liquidity in addition to amounts required for servicing liquidity, to cover normal business operations;
  • Establish and maintain a board of directors, or similar body, responsible for operational oversight and establishing a durable corporate governance framework;
  • Conduct an external audit that meets the requirements set out in the Model Standards;
  • Establish a risk management program that identifies, measures, monitors, and controls risk sufficient for the level of sophistication of the servicer; and
  • Conduct an annual risk management assessment with a formal report to the board of directors.

Some mortgage servicers may be subject to more requirements than others. For example, the Model Standards provide for both baseline standards and enhanced standards, the latter of which apply to large and complex servicers.

What Expectations Are Emerging, Even Where Model Standards Have Not Been Adopted?

Even if certain nonbanks are not technically subject to these prudential standards, there is an expectation among some regulators that mortgage companies will have a structure in place addressing many elements therein. For example, the Multistate Mortgage Committee (MMC), which coordinates joint multi-state mortgage examinations, sets out in its current examination manual what it considers a “safety and soundness” construct around two primary areas of focus—financial condition and management—which is conceptually similar to the Model Standards.

Within the MMC examination construct is a review of core components around:

  • Financial Condition: “Liquidity, earnings, asset quality, capital, and sensitivity to market risk”
  • Board Oversight and Management: “Effective, rational organizational structure, exhibited by sound and clear policies and procedures and effective internal routine and control processes”
  • Compliance Program: “An effective [compliance management system or] CMS”
  • Violations of Law and Consumer Harm: “The severity and level of violations incurred” and in consideration of “repeat violations and … success in address[ing] outstanding violations”

As noted by the Financial Stability Oversight Council (FSOC) in a 2024 report, “[a]s the primary regulators, states are the only entities with authority to directly supervise [nonbank mortgage companies] for prudential risks and with examination and enforcement authorities to promote safety and soundness …. While the CFPB has examination, enforcement, and rule-writing authority for federal consumer financial law applicable to the [nonbank mortgage companies], the CFPB is not a comprehensive prudential regulator.”

Therefore, even if a mortgage company operates in one or more states that have not yet implemented the Model Standards or falls outside the definition of a covered institution within those states, it may still find itself confronted with similar principled expectations from its regulators.

How Can Financial Institutions Prepare?

Regardless of whether a mortgage company finds itself in a jurisdiction that has enacted these prudential standards or has otherwise set similar expectations, there are several actions mortgage companies can consider to proactively address corporate governance and reduce regulatory risks.

  • Internal Awareness: Ensure the right internal stakeholders are aware of potential expectations from state regulators. This should go beyond any compliance and legal personnel—senior management and boards of directors should also be aware not only of potential expectations but also should have clear lines of sight into potential risks on a routine basis.
  • Risk Assessment: Companies should assess their risk profiles and think about their own risk tolerances, taking into account the size and complexity of their business models and other factors which may impact regulators’ assessments of business objectives and related compliance infrastructures. Ultimately, informed risk management, including appropriate decisioning around risk acceptance, should form transparent business expectations and position companies to strategically react to regulatory scrutiny.
  • Peers: Pay attention to what other industry participants are doing. Regulatory standards and guidelines are often tied to industry best practices. Companies should ensure that whatever actions they decide to take, or not take, are within market tolerances relative to their peers, in addition to being otherwise defensible. To the extent that certain objectives deviate compared to other peer organizations, make sure such actions are informed and decisioned through appropriate governance protocols.
  • Regulatory Approvals: Consider regular regulatory approvals and interactions under state licensing regimes, including strategic engagements such as change of control implications and other potential needs to interact with regulators when making critical business decisions. Companies may need to demonstrate adherence to the Model Standards—or the spirit of such standards—in order to obtain regulatory blessings for critical business opportunities.
  • Due Diligence: Lastly, consider implications for business combinations and third-party partnerships. Acquiring companies may want to pay attention to prudential considerations both for the entity they are purchasing as well as the resulting institution. To limit regulatory objections and ensure a smooth transaction, legal due diligence should include an assessment of the selling entity’s compliance with prudential standards and the potential enforcement risk that may result from acquiring a company that lacks adequate controls. Similarly, leveraging third-party partnerships, including critical vendors, may be key to efficient and effective operations. However, ensuring continuity of compliance with the prudential standards is key, especially when relying on third parties to engage in certain aspects of regulated activities.

As state regulators continue to expand prudential expectations, mortgage companies should evaluate whether their governance, liquidity, and risk management frameworks would withstand supervisory scrutiny across jurisdictions. Orrick’s team is actively advising clients on how to align with evolving standards and prepare for increased regulatory focus.