Questions we hear most.
From compliance officers, IT teams, risk managers, and procurement. If your question isn't here, reach out and we'll answer it.
The AVM Final Rule, what it requires, and how the platform addresses it.
What regulation does AVMS.AI address?
The Interagency AVM Final Rule (12 CFR Part 1125), issued under FIRREA § 1125 (12 U.S.C. § 3354) as amended by Dodd-Frank § 1473(q). The rule was issued by six federal agencies — OCC, Federal Reserve, FDIC, NCUA, CFPB, and FHFA — and took effect October 1, 2025. It requires mortgage originators and secondary market issuers to adopt quality control standards for automated valuation models.
Is the AVM Final Rule already in effect?
Yes. The rule took effect on October 1, 2025. The final rule was published in the Federal Register on August 7, 2024, and the effective date was the first day of the calendar quarter following 12 months after publication. Institutions that use AVMs in covered transactions should already have quality control standards in place.
What are the five quality control standards?
The rule requires institutions to adopt standards that: (1) ensure a high level of confidence in AVM estimates, (2) protect against the manipulation of data, (3) seek to avoid conflicts of interest, (4) require random sample testing and reviews, and (5) comply with applicable nondiscrimination laws. AVMS.AI enforces all five — automatically, consistently, and with cryptographic proof.
Does my institution need this if we only use AVMs occasionally?
If your institution uses AVMs in connection with making credit decisions for mortgage lending — regardless of volume — the rule applies. The agencies designed the rule to be scalable: institutions should establish controls 'based on their size and the risk and complexity of transactions for which they will use AVMs.' Even low-volume institutions need documented controls.
Does AVMS.AI replace our existing compliance policies?
No. The platform operationalizes your policies. During onboarding, you configure your institution-specific compliance policies — confidence thresholds, loan type eligibility, conflict-of-interest parameters, QC sampling rates, and nondiscrimination settings. The platform then enforces those policies consistently across every intake method and produces the cryptographic evidence that they were followed.
How does the platform handle nondiscrimination (Factor 5)?
Every loan is geocoded and classified against federal demographic standards. Applicable federal and state nondiscrimination laws are identified per jurisdiction. The platform runs continuous statistical disparity analysis across your corpus — comparing AVM outcomes across demographic classifications with methodological rigor sufficient for regulatory review. This is not a periodic study. It is ongoing, operational monitoring that updates as loans enter the system.
What evidence does the platform produce for examiners?
Every compliance session is a self-contained cryptographic proof: document provenance hashes, extraction records, human confirmations, policy enforcement results across all five factors, normalization audit data, and a tamper-evident seal. The protocol log provides a cross-domain audit view with independently verifiable event proofs. This is designed to answer the examiner question: 'Show me your control system.'
Who is covered by the AVM Final Rule?
Mortgage originators that use AVMs in connection with credit decisions and secondary market issuers that use AVMs in covered securitization determinations. This includes national banks, state banks, credit unions, mortgage lenders, correspondent lenders, the GSEs, private securitizers, aggregators, and servicers — whether using AVMs directly or through third parties.
What the platform does, how it differs from conventional compliance tools, and why the architecture matters.
How is AVMS.AI different from conventional compliance software?
Conventional compliance tools record decisions after the fact in a database and generate reports on demand. AVMS.AI performs compliance operations as cryptographically sequenced protocol events within a deterministic state machine. Every decision is hashed, chained, and sealed as it happens — not logged retroactively. The result is a tamper-evident evidence chain that can be independently verified without trusting the software that produced it.
What is MISMO normalization and why does it matter?
AVM vendors report confidence in incompatible proprietary formats — continuous percentages, inverse deviation metrics, ordinal grade systems, categorical qualitative labels, and bounded discrete scales. The MISMO Common Confidence Score is an industry standard that projects all formats onto a unified 0-100 continuous scale with five ordinal tiers. The platform's normalization engine applies vendor-specific transform functions with cited methodological basis, producing standardized scores with full provenance tracking. Without normalization, cross-vendor confidence thresholds are semantically meaningless.
What is PP10 and why does the platform track it?
PP10 refers to the MISMO standard probabilistic interpretation: the confidence score represents the probability that the AVM estimate falls within a ±10% band of actual market value. Not all vendor metrics carry this semantics. The platform classifies each score's PP10 basis through vendor documentation verification and metric-type analysis, producing a three-state attribution: direct vendor assertion, platform-derived approximation via documented mathematical transform, or inapplicable due to source metric constraints. This ensures institutions understand the epistemological strength of each confidence claim.
How many AVM vendors does the platform support?
The canonical registry covers 24 vendors across six institutional categories — lending-grade, GSE, consumer platform, data provider, valuation services, and specialty/emerging. The registry includes canonical identity resolution for vendor name variations across loan tapes and AVM documents. Vendors not in the registry are processed through probabilistic metric-type inference with calibrated confidence attenuation.
What happens when the platform encounters a vendor it doesn't recognize?
The normalization engine employs a multi-resolution entity resolution pipeline with cascading match confidence. Unresolved vendors are processed through probabilistic metric-type inference with calibrated confidence attenuation. The system degrades gracefully — every input produces a defensible output with honest uncertainty quantification, regardless of whether the vendor exists in the canonical registry.
Can I reconstruct compliance state at a historical point in time?
Yes. Because the system uses event-sourced state derivation, application state at any historical point is reconstructible by deterministic replay of the protocol event sequence through pure reducer functions with snapshot-optimized tree traversal. This means compliance posture at any date can be mathematically verified — not by reading a report generated today, but by reconstructing state from the cryptographic event chain.
How does the cryptographic integrity model work?
Every protocol event is content-addressed via SHA-256 with chained hash linkage to its predecessor, forming an append-only structure with O(1) integrity verification per event and O(n) full-chain verification. Modification of any historical event produces a cascade failure detectable at any subsequent node. Chain integrity is verified across all protocol domains and reported per-domain. Individual events can be exported as self-contained verification proofs.
How your data is protected, where it lives, and who can access it.
Where is my data stored?
All data is stored in US-based cloud infrastructure with AES-256 encryption at rest. Protocol state uses a single-table document store with partition-level tenant isolation and optimistic concurrency control. Documents are stored in encrypted object storage with content-addressable integrity verification. No data leaves the US.
Who can access my institution's data?
Only authenticated users within your tenant. The platform enforces multi-tenant isolation at every layer — protocol state, document storage, and API access are all scoped to your institution. Cross-tenant access is architecturally impossible, not just access-controlled. Within your tenant, role-based permissions determine what each user can see and do.
Is multi-factor authentication required?
Yes. MFA is enforced on all accounts. The platform supports TOTP authenticator apps for direct accounts, and delegates MFA to your identity provider for enterprise SSO configurations.
What authentication methods are supported?
Email/password with required MFA, Google Workspace OAuth, Microsoft 365 OAuth, and enterprise SSO via SAML 2.0 (compatible with Okta, Azure AD, PingFederate, and other SAML providers). SSO includes JIT provisioning and attribute-mapped role assignment. Available on Professional and Enterprise plans.
Can my data be tampered with?
The cryptographic hash chain makes tampering mathematically detectable. Every protocol event is chained to its predecessor via content-addressed hash linkage. Modifying any historical event invalidates every subsequent hash in the chain — a break that integrity verification detects immediately. This is tamper-evidence by mathematical construction, not by policy.
Do you sell or share my institution's data?
No. We do not sell, share, or aggregate institution data across tenants. We do not use your data to train models. We do not provide data to third parties. Your institution's data is isolated to your tenant and accessible only to your authorized users.
What happens to my data if I cancel?
Your data is retained for 90 days after subscription expiration, then securely deleted. During the retention period, you can reactivate and resume with all protocol state intact. The compliance evidence you generated represents your institution's actual decisions and is retained with the same integrity guarantees as during active subscription.
Getting started, day-to-day usage, and how the platform fits your workflow.
How long does it take to get started?
Under 10 minutes. Sign up, select your institution type, configure your compliance policies (the platform provides regulatory-body-specific defaults), and submit your first loan. There is no implementation project, no data migration, and no IT involvement required for the Community plan.
Do I need IT involvement?
Not for the Community plan. Document upload and batch tape processing work entirely through the web dashboard. The Professional plan adds API and SFTP integration, which typically involves your IT team for initial setup. Enterprise includes dedicated integration support.
How does onboarding work?
You select your institution type and regulatory context. The platform configures appropriate default compliance policies based on your selection — confidence thresholds, eligible loan types, QC sampling parameters, and nondiscrimination settings. You then customize these to match your institution's specific risk tolerance and operational requirements. The entire process takes minutes, not weeks.
What intake methods are available?
Four methods, all producing identical cryptographic protocol state: (1) Document upload via the web dashboard, (2) Batch tape processing for loan files, (3) REST API for programmatic integration, (4) SFTP for automated file processing. Community includes document and batch intake. Professional adds API, SFTP, and additional file formats.
How does document extraction work?
When you upload a loan or AVM document, the platform runs multi-pass intelligent extraction to identify and structure data from the document. Extracted data is presented for human confirmation — you review, correct if needed, and confirm. This human-in-the-loop consensus pattern ensures accuracy while eliminating manual data entry. The extraction, any corrections, and the confirmation are all sequenced as cryptographic protocol events.
Can I use the platform for existing portfolios?
Yes. Batch processing is designed for exactly this. Upload historical loan tapes and the platform will normalize, policy-check, and classify every loan. You can process in analytics mode for lightweight analysis or compliance mode to build full cryptographic sessions. Many institutions start by processing their existing book to establish a compliance baseline.
How does team access work?
The platform supports four roles with granular permission control: Admin (full access including policy configuration), Location Admin (branch-scoped operations), Reviewer (compliance staff with audit access and QC review), and Operator (submit sessions and view their own work). Community supports up to 5 team members. Professional and Enterprise include unlimited team members with SSO.
Can I manage multiple branches or locations?
Yes, on Professional and Enterprise plans. The location management system supports multi-branch operations with branch-scoped analytics, role assignments by location, and institution-wide oversight with optional branch filtering.
Billing, trials, and plan comparisons.
How does the free trial work?
Sign up, complete onboarding, and start processing loans immediately. Full platform access for 30 days. No credit card required. The compliance evidence you generate during the trial — including cryptographic seals and protocol events — persists when you subscribe. Walking away means leaving real compliance evidence behind.
Are there per-loan or per-document fees?
No. Plans include validation volume appropriate for your tier. There are no per-document charges and no hidden fees. Compliance should never be a reason to skip processing a loan.
What's the difference between the plans?
Every plan includes the full compliance engine — all five factors, MISMO normalization, cryptographic proof, and nondiscrimination monitoring. Plans are differentiated by validation volume, integration methods (API, SFTP), governance controls (vendor firewall, branch analytics), team size, identity management (SSO), and support level. See the pricing page for the complete feature comparison.
Can I upgrade mid-contract?
Yes. Upgrades are available at any time with prorated billing. All protocol state, compliance evidence, and vendor analytics carry forward completely. Enterprise upgrades have custom terms.
Can I get a demo before signing up?
The free trial is the demo. Rather than watching a slideshow of screenshots, you can configure your institution's actual policies, process real loans, and see your compliance evidence building in real time. Start to value in under 10 minutes.
Still have questions? Let's talk.
Or skip the conversation and start the free trial. Full platform access. No credit card required. See the value in under 10 minutes.