Defensible pricing — for the regulator already on the phone.
Compliance teams need to answer 'why did this loan price this way on this day' without coordinating across five tools. RateStack's per-rule trace is the answer surface: emitted as a side-effect of pricing, hash-chained into common_audit_log with actingAsOrgId for delegation, and replayable as of any historical moment using the ratesheet that was active then.
The audit chain is append-only and tamper-evident: every row carries previous_hash → entry_hash, computed over a canonical serialization. The verify endpoint walks the chain and reports the first break by row id. Auditors don't need a separate explainability module; the trace is the explanation.
URLA 2021 Tiers 1–5 ship complete, with the borrowers[0..N] unified namespace eliminating MISMO container aliasing. Property fields decompose into Fannie ULDD orthogonal axes with confidence scoring and warrantability rationale grounded in the contributing fields. Non-QM lanes are first-class: 40+ DocumentationType values cover DSCR, bank statement, asset utilization, ITIN, and more.
Cross-tenant operations carry actingAsOrgId in the audit row, so wholesale and TPO compliance gets unambiguous evidence of who initiated each request under whose delegation. Capability catalog is published at /v1/capabilities — your scoping is reviewable, not hidden.
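An added illustration of the chain walk and the delegation fields described above; this is not RateStack's code. The sorted-key JSON canonical form, the all-zero genesis hash, the "id" and "action" fields and the org names are assumptions made for the sketch; previous_hash, entry_hash, actingAsOrgId and actor.orgId are the names the page uses.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed previous_hash of the very first row


def canonical(row):
    """Assumed canonical form: compact, sorted-key JSON of every field except entry_hash."""
    body = {k: v for k, v in row.items() if k != "entry_hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_hash(row):
    # SHA-256 over the canonical bytes; previous_hash is part of the hashed body.
    return hashlib.sha256(canonical(row)).hexdigest()


def append(chain, row_id, actor_org, acting_as_org, action):
    row = {
        "id": row_id,
        "actor": {"orgId": actor_org},   # who acted (grantee under delegation)
        "actingAsOrgId": acting_as_org,  # on whose behalf (grantor), or None
        "action": action,                # constructed field for the example
        "previous_hash": chain[-1]["entry_hash"] if chain else GENESIS,
    }
    row["entry_hash"] = entry_hash(row)
    chain.append(row)


def verify(chain):
    """Walk the chain; return (True, None) or (False, id of the first broken row)."""
    expected_prev = GENESIS
    for row in chain:
        if row["previous_hash"] != expected_prev or row["entry_hash"] != entry_hash(row):
            return False, row["id"]
        expected_prev = row["entry_hash"]
    return True, None


def build_sample_chain():
    # Constructed sample rows: a TPO quote, then a wholesale lender acting under delegation.
    chain = []
    append(chain, 1, "tpo-org", None, "quote.create")
    append(chain, 2, "wholesale-org", "tpo-org", "quote.price")
    append(chain, 3, "wholesale-org", "tpo-org", "lock.create")
    return chain
```

A walk like this catches edits, rehashed edits and removed middle rows, but not rows dropped from the end of the log; detecting that requires comparing the latest entry_hash against a copy recorded outside the log.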
Before vs. after
The shape of a day.
The same operating model, rebuilt around explicit pricing and a single audit log.
Before
Regulator asks 'why did this price this way' and the answer takes a week to assemble.
After
Per-rule trace on every quote — open the loan, export the trace as PDF, send. Done same day.
Before
Lock-day pricing differs from quote pricing; reconciliation is forensic.
After
Lock pins ratesheet version + investor + rate; historical replay reproduces the quote price deterministically against the as-of sheet.
Before
Multi-borrower loans get re-keyed across MISMO and the LOS; co-borrower fields drift.
After
borrowers[0..N] unified namespace with identical field shape across primary and co-borrowers.
Before
Property warrantability is an enum with no rationale; reviewers argue.
After
Warrantability classified from decomposed fields with explainable rationale citing the contributing axes.
Before
Wholesale delegation creates ambiguity about who initiated each action.
After
actingAsOrgId on every audit row makes the grantor → grantee chain unambiguous.
Capabilities, framed for you
The platform pieces you'll touch first.
Per-rule trace
Every quote ships with the rule chain — rule id, condition, value, combine strategy.
Hash-chained audit
Append-only, SHA-256 chained with actingAsOrgId. Verify endpoint reports first break.
Historical replay
Reprice any past loan against the ratesheet active at the moment.
URLA 2021 Tiers 1–5
Multi-borrower namespace, 2021 enums, orthogonal property fields.
Property intelligence + warrantability
Orthogonal ULDD field decomposition with explainable warrantability call.
Capability catalog
Published at /v1/capabilities. 12 operational + 7 provider capabilities.
Onboarding
What week one looks like.
A pragmatic sequence — from sandbox to first signed quote.
1. Day 1: trust + posture brief
   Walk the audit chain, capability catalog, and chain verify endpoint. Customer evidence packet shared under NDA.
2. Day 2: connect a non-prod tenant
   Bring three representative loans (one full-doc, one DSCR, one wholesale with delegation). Walk the trace end to end.
3. Week 1: historical replay rehearsal
   Pick a past funded loan from your current system; replay against RateStack with the as-of ratesheet. Compare.
4. Week 2: scoping review
   Map your roles to capabilities; tighten where appropriate. Capability catalog is the source of truth.
5. Week 3: chain verification cadence
   Schedule /v1/admin/audit/verify from your monitoring stack. Ship hash-break alerts to the on-call queue.
6. Production
   Inbound regulator requests resolve via the trace + replay. SOC 2 + GLBA evidence is one ZIP.
Frequently asked
Specific to your operating model.
How does the trace satisfy ECOA?
ECOA non-discrimination depends on the rules you configure; the rule engine itself does not read protected characteristics. The trace lets you audit rules for prohibited bases by inspecting the program eligibility table directly. If a rule references a prohibited characteristic, the trace will show it.
What about HMDA?
We are not a HMDA filer — compliance is the lender's responsibility. The audit chain captures every pricing decision with the inputs and the ratesheet version that fired, which is the evidence layer most lenders need for HMDA defensibility.
How is data retained?
Default: API request logs 90d, ratesheet raw blobs 90d, ratesheet rows indefinite, audit log indefinite, event streams 7-180d. Custom retention is available on Business and Enterprise — see /trust/compliance.
Can we run /v1/admin/audit/verify on a schedule?
Yes. Recommended cadence: daily for warn alerts, hourly for critical. On Enterprise, we can also push a delta-verify endpoint that returns only the results since the last verify.
What about state-specific overlays (NY, CA)?
State overlays are configured as eligibility rules and audit annotations. The platform does not ship state-specific compliance defaults; operator configuration is required.
How does actingAsOrgId help in a wholesale audit?
When a wholesale lender executes against a TPO loan via a delegation grant, the audit row carries actingAsOrgId=TPO (the grantor) and actor.orgId=wholesale (the grantee). Auditors get the full chain — who delegated, who acted, when, against which loan, under which capability.
Ready when you are
See compliance officers on RateStack.
Live demo with your real ratesheets, your real scenarios, and an honest read on whether the platform fits your team.