Jim Brodsky on how reverse mortgage companies can avoid AI compliance headaches

“If AI is not introduced in your company on an enterprise-wide basis … you’re going to have issues. It’s just inevitable,” Brodsky said. “The choice among providers requires a level of understanding of our business that some have and some don’t, and that’s a critical choice as well.

“When this is done right, it’s going to offer compliance and increased productivity opportunities for lenders and institutions … a force multiplier.”

Existing laws that apply to AI communications

Brodsky’s presentation touched on the federal Telephone Consumer Protection Act (TCPA) and its application to AI voice assistants used for inbound or outbound calls. He said that consumers must express prior consent before companies can initiate contact while noting exceptions for established business relationships that are active within the past 18 months. But exceptions do not extend to affiliate companies.

The National Do Not Call Registry, maintained by the Federal Trade Commission (FTC), also applies to AI-driven communications — i.e., “do not call means do not chat,” according to Brodsky. All outgoing communications, whether conducted by a human or technology, must identify the caller and provide contact information.

Unfair, deceptive or abuse acts or practices (UDAAP) — which were established under the Dodd-Frank Act and enforced by the FTC and the Consumer Financial Protection Bureau (CFPB) — also apply. Consumers must be notified upfront whenever a lender or servicer chooses to interact with them using AI, whether it’s inbound or outbound calls. They also must be provided an easy and accessible way to opt out of the AI interaction and speak with a human representative instead. Brodsky stressed that making it difficult for customers to reach a real person creates potential liability under UDAAP.

When it comes to privacy and security tied to the information received by AI, the Gramm-Leach-Bliley Act of 1999 applies. It states that companies must know where consumer data is stored, how it’s used and who controls it.

“That data is now absorbed in the learning facility of the AI as it’s learning from that data,” Brodsky explained. “Where does it go? Where does it stay? You need to be very robust there.”

Loan officers that use AI for marketing, application or processing tasks should remember that their bots aren’t licensed at the state or federal levels. Brodsky said they should ensure their technology identifies a human LO by name and includes their Nationwide Multistate Licensing System (NMLS) number so consumers know a credential person is in charge.

“Those licensing requirements still envision having you, a licensed natural person and a real company, be responsible to do the tasks,” he said.

Colorado law could provide a template

Lastly, Brodsky mentioned a state-level law that’s set to take effect Jan. 1, 2027. Colorado’s Automated Decision-Making Technology Act repeals similar legislation that was passed in 2024 and slated for adoption in February 2026.

Brodsky said the statute creates a framework for AI regulations across the financial services industry and is likely to serves as guidance for other states. For mortgage lenders, it applies to “consequential decisions” around credit access and eligibility.

Technology developers have obligations under the law to disclose the intended uses and classify the data that’s training their tools. They also must provide any known limitations and risks along with instructions for human oversight.

Lenders that deploy the tools must inform consumers that AI is being used to make credit decisions. If a loan applicant is rejected, they must explain the reasoning reached by AI and offer “meaningful human review and reconsideration,” according to Brodsky.