SOC 1 for Loan
Servicers

Loan servicers directly affect the financial statements of the loan owners and investors they serve. Payment collections flow into interest-income accounts; remittances reduce investor cash; charge-offs affect the allowance for credit losses; and custodial balances appear as liabilities. Under SSAE 18 (AT-C Section 320), when a user entity outsources a process relevant to its ICFR, its external auditors must obtain assurance over the service organization's controls. A SOC 1 report provides that assurance at scale, replacing costly on-site auditor visits for each investor or owner.

Type I confirms that your control descriptions are suitably designed at a point in time. Type II tests whether those controls operated effectively over a minimum 6-month observation period. Most institutional investors, warehouse lenders, and GSE counterparties require a Type II because it demonstrates sustained operating effectiveness. A practical path is to achieve Type I first (typically 6-10 weeks of readiness plus a one-day CPA examination) to identify any design gaps, then run the Type II observation window immediately after.

The core six areas are: (1) payment processing and application to principal, interest, and fees; (2) interest and principal accrual including rate-change processing; (3) investor and owner remittance plus servicing-fee calculation; (4) delinquency and default management including charge-off accounting; (5) custodial and trust account controls including segregation and reconciliation; and (6) segregation of duties and access governance. The exact objectives are scoped with your CPA firm based on the asset classes and services you actually provide.

Custodial accounts hold borrower payments temporarily before they are disbursed to investors or applied to loan accounts. Because these funds are not the servicer's own money, the controls over segregation, reconciliation, and disbursement are treated as high-risk in a SOC 1 examination. The auditor will test that custodial accounts are legally separate from operating accounts, that daily reconciliations are performed by an independent function, and that stale items are investigated promptly. Gaps here are among the most common causes of qualified opinions in loan-servicing SOC 1 reports.

Complementary User Entity Controls (CUECs) are responsibilities that the loan owner or investor must fulfil for the servicer's controls to achieve their stated objectives. Examples include providing accurate loan boarding data, reviewing remittance statements each period, approving charge-offs within contractual timelines, and reconciling custodial balances to internal records. The servicer's SOC 1 report lists these explicitly. Each investor's or owner's external auditor then tests the CUECs on the client side as part of their own ICFR assessment.

Yes — if you operate an online borrower portal, mobile app, or API that stores personal or financial data, your investors and regulators will likely ask for SOC 2 in addition to SOC 1. SOC 1 covers financial-reporting controls (ICFR); SOC 2 covers operational and security controls under the Trust Services Criteria (security, availability, confidentiality, processing integrity, privacy). A coordinated dual-report engagement is efficient because general IT controls — access management, change management, incident response — are relevant to both reports and can be tested once.

Cost depends on scope: number of asset classes serviced, geographic footprint, number of control objectives, and report type. There are two components: the CPA firm's attestation fee (typically $25K–$70K for a mid-size servicer in the US) and the readiness/advisory fee. Tranquility Cybersecurity provides readiness and remediation support for loan-servicing SOC 1 at a significant cost advantage versus US- or UK-based advisory firms. Contact us for an indicative quote scoped to your platform.