Before you deploy — or before you sign — ask these questions.
When evaluating digital lending tools, compliance teams face a challenge: how do you assess compliance risk for a tool you haven't built and may not fully understand? Vendors present features and benefits; compliance needs to understand exposures and safeguards.
The right questions cut through the sales pitch to reveal how the tool actually handles compliance-relevant concerns. Whether you're evaluating a vendor solution or reviewing an internally developed tool, these questions help identify risks before they become problems.
This isn't an exhaustive compliance audit checklist — that's specific to your institution, products, and jurisdictions. It's a starting point for the conversations that should happen before any digital lending tool goes live.
Calculation Accuracy
Inaccurate calculations create immediate compliance exposure. Wrong payment estimates, incorrect APR displays, or misleading comparisons can violate TILA and create UDAAP risk.
Questions to ask
How are payment calculations performed? Understand the formulas used. Are they standard amortization calculations? How are irregular periods handled? What assumptions are made about payment timing?
How is APR calculated? APR calculation is regulated and specific. What methodology does the tool use? Has it been validated against regulatory examples?
How are rate estimates generated? If the tool shows estimated rates before a credit pull, what's the basis? Rate sheet ranges? Assumptions about creditworthiness? How clearly is the estimate qualified?
What happens when rates change? How quickly do new rates propagate to the tool? Who's responsible for updating rates? What's the process to ensure displayed rates match current actual rates?
How has calculation accuracy been tested? Ask for documentation of testing methodology and results. What scenarios were tested? How were edge cases handled?
What's the process for fixing calculation errors? If an error is discovered, how quickly can it be corrected? What happens to borrowers who saw incorrect information?
Disclosures
Required disclosures must appear at the right time, in the right format, with the right content. Digital tools need to integrate disclosures properly.
Questions to ask
What disclosures appear, and where? Walk through the borrower experience and identify every disclosure. Map these to regulatory requirements. Are required disclosures present? Are they properly timed?
How conspicuous are the disclosures? "Clear and conspicuous" is a regulatory standard. Are disclosures prominent, or buried? Is the font readable? Is the contrast adequate? Could a reasonable borrower miss them?
Can disclosures be customized? Your products and jurisdictions may require specific disclosure language. Can you modify disclosure content? Add disclosures? Adjust where they appear?
How are advertising triggers handled? Certain terms (specific rates, payment amounts, loan terms) trigger additional disclosure requirements. Does the tool recognize these triggers and include required disclosures?
What happens when disclosure requirements change? Regulations evolve. Can disclosures be updated? What's the process and timeline? Who's responsible for monitoring regulatory changes?
How are disclosures documented? Can you prove what disclosures a specific borrower saw? Are disclosure presentations logged? How long are records retained?
Fair Lending
Fair lending considerations apply to any tool that affects what borrowers see, what products they're offered, or how they're treated.
Questions to ask
What factors drive variation in borrower experience? If different borrowers see different things, why? What inputs cause outputs to differ? Are all those inputs legitimate underwriting or preference factors?
Does the tool use geography? Geographic factors correlate with race and ethnicity. If the tool uses zip code, address, or region for any purpose, what's the justification? Has the impact been analyzed?
How are product recommendations generated? If the tool recommends products, what's the logic? Is it documented? Could you explain to a regulator why borrower A received recommendation X while borrower B received recommendation Y?
Has the tool been tested for disparate impact? What testing has been done? On what data? What were the results? How were identified disparities addressed?
How do you monitor for fair lending after deployment? What data is available to analyze outcomes by protected class? What monitoring will be performed? How frequently?
What happens when borrowers step outside the digital flow? If someone calls for help or requests an exception, how is that handled? Is treatment in those situations consistent?
Data and Documentation
Good documentation supports compliance verification, complaint response, and examination readiness.
Questions to ask
What data is captured from each borrower interaction? Get specific: timestamps, screens viewed, inputs entered, outputs displayed, clicks, time spent. The more complete the record, the more defensible the compliance position.
How long is data retained? Retention requirements vary by regulation and institution policy. Does the tool's retention meet your requirements? What happens to data after retention periods expire?
Who can access the data? Can your compliance team access logs? Can you run reports? Export data for analysis? Or is it locked in the vendor's system?
How is data secured? What security measures protect borrower data? Encryption in transit and at rest? Access controls? Audit logging of who accessed what?
Where is data stored? Jurisdiction matters for data privacy. Is data stored domestically? In the cloud? By what provider? Do you control the data's location?
Can you produce records for examination? If an examiner asks "show me what borrower X saw on date Y," can you produce that? How quickly? In what format?
Accessibility
Digital lending tools must be accessible to users with disabilities. This is both a legal requirement and a fair lending consideration.
Questions to ask
Has the tool been tested for accessibility? Against what standard and conformance level (WCAG 2.0 or 2.1; Level AA or AAA)? By whom? When? Ask for the testing report.
Does it work with screen readers? Have someone actually test with JAWS, NVDA, or VoiceOver. Vendors may claim compliance without thorough testing. Verify.
Is it keyboard-navigable? Users who can't use a mouse must be able to navigate entirely by keyboard. Try it yourself. Can you complete the full experience without touching a mouse?
How is accessibility maintained over time? Accessibility can regress with updates. What process ensures new versions remain accessible? Is accessibility part of the QA process?
What's the process for addressing accessibility issues? If an accessibility problem is identified — by testing or by user complaint — how quickly can it be fixed?
Control and Customization
Your institution is responsible for compliance, even when using vendor tools. You need sufficient control to meet that responsibility.
Questions to ask
What can you change without vendor involvement? Can you update rates? Modify disclosures? Turn features on or off? Change content? The more control you have, the faster you can respond to compliance needs.
What requires vendor involvement to change? For changes that need vendor action, what's the timeline? What's the cost? Is there a process for emergency changes?
What can't be changed at all? Are there hard-coded elements you can't modify? Do these create compliance constraints for your institution?
How are updates deployed? When the vendor updates the tool, do updates apply automatically? Can you review changes before they go live? What notice do you receive?
What happens if you disagree with a vendor change? Can you decline an update? Roll back to a previous version? What if a vendor change creates compliance issues for your specific situation?
What's the exit path? If you need to stop using the tool, what happens to your data? Your customizations? Your borrower records? How quickly can you transition?
Vendor Compliance Posture
If you're working with a vendor, their compliance awareness matters.
Questions to ask
Does the vendor understand lending compliance? Can they discuss TILA, ECOA, UDAAP knowledgeably? Or do compliance questions get deflected to "that's your responsibility"? Both are partly true, but vendors should understand the regulatory context.
What compliance documentation can they provide? Calculation methodologies, disclosure integration guides, fair lending testing reports, accessibility certifications — reputable vendors can provide these. Reluctance to share is a concern.
Do they have financial institution clients? Experience serving regulated institutions suggests familiarity with compliance requirements. A vendor new to financial services may not anticipate compliance needs.
How do they stay current on regulations? Regulations change. Does the vendor monitor regulatory developments? Update their tools accordingly? Notify clients of relevant changes?
What's their track record? Have their tools been through regulatory examinations at client institutions? With what results? Can they provide references from compliance officers?
The Takeaway
No set of questions guarantees compliance. Your institution's specific products, jurisdictions, and risk tolerance determine what's acceptable. But these questions surface the information compliance teams need to make informed decisions.
The goal isn't to find a tool with no compliance considerations — that doesn't exist. The goal is to understand the considerations, assess whether they're manageable, and implement appropriate controls. Informed decisions, well-documented, are defensible decisions.
Ask the questions before you deploy. The time to discover compliance gaps isn't during an examination.
