Guides
How to build a lending compliance program for a small non-bank lender
The core components of a compliance program
A functional compliance program for a small non-bank lender does not need to be elaborate — it needs to be real. The components that matter are: written policies that describe how each credit product is underwritten and decided; procedures that translate those policies into step-by-step operational workflow; a training record showing that staff know the policies; a monitoring or audit function that checks whether practices match policies; and documentation that makes every decision reviewable after the fact.
Many small lenders skip written policies, relying on institutional knowledge. That creates risk: when a regulator, capital partner, or court asks 'what is your policy on adverse action timing?' the answer cannot be 'ask our head underwriter.' The policy needs to exist in writing and be followed consistently.
Adverse action and fair lending as foundational obligations
For lenders whose products are subject to ECOA, adverse action and fair lending compliance are non-negotiable — the consequences of deficiencies include regulatory enforcement, private litigation, and reputational damage. The adverse action workflow should be designed as a required step triggered automatically when a denial is recorded, not an optional afterthought. Reason codes should be specific enough to survive scrutiny, not generic.
Fair lending monitoring does not require a dedicated analyst. Even small lenders should periodically review approval and denial rates across available demographic proxies — time in business, industry, geography — and document that review. Disparate impact can arise without intent, and detecting it early is far less costly than defending against it later.
Infrastructure that makes compliance a byproduct of operations
The most durable compliance programs are built into the operational workflow — not layered on top of it. When the case management system enforces adverse action timing, requires specific reason codes, and retains the evidence behind every decision automatically, compliance documentation is generated as a byproduct of normal operations rather than a separate step that gets skipped under volume pressure.
Hadrian's governance-native infrastructure is designed for this model: the audit ledger records every case event automatically, adverse action workflows are triggered by the decisioning step, and the evidence graph retains the documents and data that supported each decision. Operators remain responsible for ensuring their policies, reason codes, and workflow configuration satisfy applicable regulatory requirements — software infrastructure alone does not constitute a compliance program.
FAQ
How to build a lending compliance program — common questions
Does a small MCA funder need a formal compliance program?
The scale of the compliance program should match the scale of the operation and the regulatory exposure — but every lender benefits from some version of documented policies, consistent procedures, and an audit trail. State commercial finance disclosure requirements, ACH processor requirements, and capital partner expectations are increasingly making documented compliance a threshold requirement for operating at any meaningful volume.
What should a compliance program include for AI-assisted underwriting?
At minimum: a documented inventory of AI tools used, a policy defining human oversight requirements for AI-assisted decisions, a process for monitoring AI outputs for fair lending compliance, and an audit trail that records what AI did and what the human reviewer decided. These requirements are reflected in emerging regulatory guidance including Fannie Mae LL-2026-04 and state AI laws.
Related
The institution around the intelligence
See Hadrian run your case lifecycle — intake to close, every decision audited.
Governance-native case processing for lenders and regulated teams.