Written by Mike Pearlstein, CISSP, MSc AI, CEO of Fusion Computing Limited. Helping Canadian mortgage brokerages and financial-services firms build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.
Filogix Expert and Lendesk Velocity are the two systems an Ontario mortgage brokerage cannot run without. They hold the borrower SIN, income documents, credit pulls, and the deal pipeline. They are also the two systems a Canadian threat actor wants most, because compromising one broker account opens an authenticated channel to dozens of lenders.
Hardening Filogix and Velocity is not one control. It is three layers stacked on top of each other: the account, the device, and the network. A fourth layer (identity) ties them together, and a fifth (monitoring) tells you when one of them is breached.
This guide walks the full stack for a 5 to 25 agent Ontario brokerage and shows how it maps to the MBRCC’s 9 cybersecurity principles, FSRA principal-broker oversight obligations, and FINTRAC record-keeping.
Key Takeaways
- Filogix Expert and Velocity are lender-channel-of-record systems. One compromised broker account exposes borrower SIN, income docs, and a trusted submission path into dozens of lenders.
- The MBRCC’s 9 Cybersecurity Principles (April 2024, adopted by FSRA) name access management, MFA, and third-party platform security as foundational expectations for every Canadian mortgage brokerage.
- The Canadian Centre for Cyber Security recommends MFA “where possible to protect high-value business services and data,” with number-matching and phishing-resistant FIDO methods called out specifically for sensitive workloads.
- Hardening Filogix and Velocity is a 5-layer stack: account (MFA, password hygiene, session controls), device (managed endpoints), network (IP allowlisting, VPN), identity (SSO + conditional access where supported), and monitoring (audit logs, lender feedback loop).
- The realistic 8-step rollout for a 12-agent brokerage is 4 to 6 weeks of broker-of-record-led work, not a one-weekend project. The failure mode is incomplete coverage, not flawed controls.
“Access management, multi-factor authentication, and third-party platform security are foundational expectations for every Canadian mortgage brokerage, not optional add-ons.”
Mortgage Broker Regulators’ Council of Canada, 9 Cybersecurity Principles for Canadian Mortgage Brokerages (April 2024)
This is spoke F5 of our FSRA-aligned cybersecurity playbook for Ontario financial brokerages. If you are starting from zero, read that flagship first; this post assumes the regulatory context is understood and focuses on what to do inside the broker submission platforms specifically.
The lender-channel-of-record problem
A compromised brokerage Gmail account is bad. A compromised Filogix Expert account is categorically worse, and the reason has nothing to do with the platform itself.
When a borrower signs the mortgage application package, they consent to the brokerage acting as the channel for credit pulls, income verification, and submission to lenders. The brokerage’s login on Filogix Expert or Velocity carries that authority. A threat actor inside the account can:
- Pull the credit bureau on real applications (and on fabricated ones with stolen identities).
- Re-submit deals with altered income documents to a different lender.
- Exfiltrate SIN, T4, NOA, employment letters, and ID copies on every active and historical file the brokerage has touched.
- Read lender response messages and adjudicator comments, intelligence that makes downstream fraud against the borrower trivial.
The MBRCC publishes 9 Cybersecurity Principles covering exactly this exposure surface. Principle 4 (Access Management) and Principle 7 (Third-Party Risk) name what every Canadian brokerage is now expected to do on Filogix, Velocity, BluMortgage, Finmo, Newton, and any other system holding borrower personal information. FSRA has adopted the framework through its principal-broker supervision expectations.
Filogix Expert: MFA, IP allowlisting, session controls, audit logs
According to Finastra’s product documentation, Filogix Expert is the dominant deal-submission system on the Canadian broker side, with over 14,000 broker users on the network. The platform’s broker administration console exposes a defined set of security controls, and every brokerage should know what is configurable, who can change it, and what is logged when somebody does.
The security feature inventory most brokerages care about:
- Multi-factor authentication. Available; deployed inconsistently. Filogix supports MFA enrolment per user. Whether MFA is enforced organization-wide depends on the brokerage’s administration setup. Many brokerages discover at audit time that they enabled MFA as an option without making it mandatory.
- IP allowlisting. Where supported on the brokerage tier, restricting authentication to a defined set of office or VPN egress IPs eliminates remote credential-stuffing entirely. This is the single highest-impact control in the entire Filogix stack and is under-used in our experience.
- Session controls. Idle timeout, concurrent session limits, and forced re-authentication for sensitive actions (submitting a deal, exporting a borrower file). Defaults are not aggressive enough for a brokerage holding SIN data; tighten to 15 minutes idle, single concurrent session, re-auth on submission.
- Audit logs. Filogix records login events, deal access, and submission actions. The questions for the broker of record: who reviews the log, on what cadence, and what triggers an alert? An unreviewed audit log is not a control.
- Privilege separation. Brokerage administrators, broker users, and read-only support roles should not share credentials. The Filogix admin account is the highest-value object in the brokerage. Treat it like a domain administrator account.
The Canadian Centre for Cyber Security’s MFA guidance (ITSAP.30.030) recommends “activating number-matching features to combat MFA fatigue,” deploying “phishing-resistant solutions like FIDO-based technology” for sensitive workloads, and maintaining recovery plans for lost tokens. Filogix MFA configurations should be selected against that bar, not against the lowest-friction default the platform offers.
Velocity (Lendesk): SSO, RBAC, API security
According to Lendesk Velocity’s security documentation, the platform publishes “FINTRAC-ready workflows and SOC 2-compliant data security” as baselines, and the Finmo broker POS sits in front of it. Lendesk owns the platform certifications; the brokerage still owns the configuration decisions, and that gap is where the audit findings cluster.
The features to inventory:
- SSO / identity provider integration. Where the brokerage is on Microsoft 365 Business Premium, federating Velocity login to Microsoft Entra ID centralizes lifecycle management. When a broker leaves the firm, disabling the Entra account disables the Velocity session, with no orphaned credentials in the lender channel.
- Role-based access control. Broker, brokerage administrator, and support roles need distinct permission sets. The principle: nobody touches borrower SIN they do not need to touch.
- API security. Velocity exposes APIs to lender systems and to broker CRMs (BluMortgage, BrokrBindr, Floify). API keys are credentials with lender-channel authority. Rotate them on a defined cadence, store them in a secrets vault, and log every call. Never put an API key in a script that a broker can email.
- Two-factor authentication on the Finmo borrower portal. Lendesk documents “two-factor authentication and a secure portal for document uploads” on the borrower-facing side. Confirm it is enabled for your brokerage, not just available.
- Audit and lender feedback channel. Lendesk records broker and lender activity; the lender side of an unusual submission is often the first detector. Treat lender follow-ups (“we got two submissions on this file from your firm 12 minutes apart”) as security signals, not just operational ones.
BluMortgage, Finmo, Newton: parallel feature compare
Most Canadian brokerages do not run one platform. According to CMBA industry surveys, a typical 12-agent Ontario brokerage runs a borrower-facing CRM (BluMortgage, Finmo POS, BrokrBindr, or Floify), one or two submission systems (Filogix, Velocity), and Newton on the back end. The decision matrix below is the reference we hand brokers of record.
| Platform | Role | MFA | SSO / IdP | IP allowlist | Audit log surface | Canadian data residency |
|---|---|---|---|---|---|---|
| Filogix Expert (Finastra) | Lender submission, deal pipeline | Supported; brokerage must enforce | Limited; confirm with vendor for current tier | Available on brokerage admin tier | Login + deal-action events | Confirm in master agreement |
| Velocity (Lendesk) | Lender origination network | Supported | Yes (where configured) | Tier-dependent; ask | Broker and lender event log; SOC 2 | SOC 2 stated; confirm region |
| Finmo POS (Lendesk) | Borrower-facing application | Two-factor on borrower portal | Via Lendesk identity | N/A on borrower side | Document upload + workflow events | FINTRAC-ready workflows documented |
| BluMortgage | Broker CRM (Zoho-based) | Via Zoho identity | Zoho SSO; SAML on higher tier | Zoho admin controls | Zoho audit log | Confirm tenant region (Zoho) |
| Newton | Operating platform / lender flow | Platform-managed | Limited public detail; ask | Limited public detail; ask | Platform activity log | Confirm in service agreement |
The pattern across the five platforms: MFA is universally supported but rarely enforced uniformly; SSO is most useful where the brokerage is already on Microsoft 365 Business Premium; IP allowlisting is the most under-used high-impact control. Brokerages routinely have MFA on Filogix and nothing equivalent on BluMortgage, meaning a compromised Zoho credential exfiltrates the same borrower data the Filogix MFA was protecting.
The 5-layer hardening stack
One control is not enough. According to FSRA’s IT Risk Management guidance, regulated mortgage brokerages are expected to operate layered controls aligned to the MBRCC framework and to FINTRAC record-keeping rules. The defence-in-depth model maps every Filogix and Velocity hardening decision onto five layers.
- Account layer. Per-platform MFA enforcement, password policy, mandatory password manager, no shared logins, separated admin accounts. This is what most brokerages think hardening is. It is the floor, not the ceiling.
- Device layer. Brokers log in from a managed device. Intune (or equivalent) enforces disk encryption, screen lock, OS patch level, EDR. A broker laptop without disk encryption is a borrower-SIN incident waiting to be logged.
- Network layer. IP allowlisting on Filogix and Velocity where supported. Always-on VPN egress with a defined static IP. Brokerage office and home offices route through the VPN; coffee shops do not get a path to the lender channel.
- Identity layer. Microsoft Entra ID (or equivalent) as the source of truth. SSO into every platform that supports it; conditional access rules (block legacy auth, require compliant device, require MFA on every sign-in). When a broker leaves, one account gets disabled and every platform follows.
- Monitoring layer. Audit logs reviewed weekly by the broker of record or delegated security lead. Anomaly alerts (impossible travel, after-hours submissions, bulk borrower-file access). Lender feedback channel monitored as a security signal, not just operations.
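The identity-layer rules above (block legacy auth, MFA on every sign-in, compliant device required, Canada-only sign-ins) can be checked rather than assumed. The following is an added example, not the article's code and not Microsoft's: it takes conditional access policies and named locations in the shape Microsoft Graph returns them from `GET /identity/conditionalAccess/policies` and `GET /identity/conditionalAccess/namedLocations`, reports which of the four rules no enforced policy provides, and treats a policy in report-only mode as enforcing nothing, which is the "audit-only and never enforced" gap named later in the rollout. The sample policies and the `loc-canada` location id are constructed.

```python
"""Review Entra conditional access policies against the four identity-layer rules.

Added example, not the article's or Microsoft's code. Policy and named-location
shapes follow the Microsoft Graph conditionalAccessPolicy / namedLocation
objects; the SAMPLE_POLICIES and NAMED_LOCATIONS data below are constructed.
"""

ENFORCED = "enabled"
REPORT_ONLY = "enabledForReportingButNotEnforced"
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}
REQUIRED = {"legacy_auth_blocked", "mfa_every_signin", "compliant_device", "canada_only"}


def _controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls") or [])


def _applies_to_everyone(policy):
    cond = policy.get("conditions", {})
    return ("All" in cond.get("users", {}).get("includeUsers", [])
            and "All" in cond.get("applications", {}).get("includeApplications", []))


def _country_only(policy, named_locations, allowed):
    """True if the policy blocks every location except a country location limited to `allowed`."""
    loc = policy.get("conditions", {}).get("locations") or {}
    if "block" not in _controls(policy) or loc.get("includeLocations") != ["All"]:
        return False
    for loc_id in loc.get("excludeLocations", []):
        nl = named_locations.get(loc_id, {})
        if (nl.get("@odata.type") == "#microsoft.graph.countryNamedLocation"
                and set(nl.get("countriesAndRegions", [])) <= set(allowed)
                and not nl.get("includeUnknownCountriesAndRegions", False)):
            return True
    return False


def satisfied_requirements(policy, named_locations, allowed_countries=("CA",)):
    """Rules this single policy enforces; empty unless the policy state is 'enabled'."""
    if policy.get("state") != ENFORCED:
        return set()
    met, ctrl = set(), _controls(policy)
    clients = set(policy.get("conditions", {}).get("clientAppTypes") or [])
    # Legacy-auth block: a block policy scoped to the legacy client types only.
    if "block" in ctrl and LEGACY_CLIENTS <= clients and not clients & {"all", "browser"}:
        met.add("legacy_auth_blocked")
    if _applies_to_everyone(policy):
        if "mfa" in ctrl:
            met.add("mfa_every_signin")
        if "compliantDevice" in ctrl:
            met.add("compliant_device")
    if _country_only(policy, named_locations, allowed_countries):
        met.add("canada_only")
    return met


def review(policies, named_locations):
    """Return (missing_rules, findings) for a tenant's whole policy set."""
    met, findings = set(), []
    for p in policies:
        if p.get("state") == REPORT_ONLY:
            findings.append(f"'{p['displayName']}' is in report-only mode and enforces nothing")
        elif p.get("state") == "disabled":
            findings.append(f"'{p['displayName']}' is disabled")
        met |= satisfied_requirements(p, named_locations)
    missing = REQUIRED - met
    findings += [f"no enforced policy provides: {m}" for m in sorted(missing)]
    return missing, findings


NAMED_LOCATIONS = {  # constructed
    "loc-canada": {"@odata.type": "#microsoft.graph.countryNamedLocation",
                   "countriesAndRegions": ["CA"], "includeUnknownCountriesAndRegions": False},
}

_EVERYONE = {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}}
SAMPLE_POLICIES = [  # constructed; the third policy is the classic "audit-only" gap
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {**_EVERYONE, "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {**_EVERYONE, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require compliant device", "state": "enabledForReportingButNotEnforced",
     "conditions": {**_EVERYONE, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
    {"displayName": "Block sign-ins outside Canada", "state": "enabled",
     "conditions": {**_EVERYONE, "clientAppTypes": ["all"],
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["loc-canada"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

if __name__ == "__main__":
    missing, findings = review(SAMPLE_POLICIES, NAMED_LOCATIONS)
    for line in findings:
        print(line)
```

Run against the constructed set, the review reports that "Require compliant device" is report-only and that no enforced policy provides `compliant_device`; the other three rules are met. Pointing `review()` at the live objects from Graph is a matter of replacing the sample lists with the API responses.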
FIELD NOTE FROM MIKE
A Hamilton brokerage with 14 agents brought us in after a broker reported their Filogix login was acting strange. Filogix MFA was “available” but optional, and the broker had not enrolled.
The surprise was not the phishing event. It was the audit log. Nobody had reviewed it in 7 months, and a second account had been signing in from an Eastern European IP on Saturday mornings since January.
We enforced MFA on Filogix, federated Velocity and BluMortgage to Entra ID, turned on conditional access, and added IP allowlisting. Five weeks elapsed. The lesson the broker of record took away was that “available” and “enforced” are different words, and an unreviewed audit log is not a control.
“Our credential rotation was on a paper checklist for nine years. The audit log review on Filogix showed three former agent accounts active fourteen months past their termination dates, with a foreign IP signing in on Saturday mornings. The cleanup took two days. The FSRA-grade audit trail we built afterward took three weeks. We have not had an after-hours surprise since.”
Common attack scenarios
According to CCCS threat bulletins for the Canadian financial sector, broker-impersonation phishing and credential reuse are the top two attack vectors observed against brokerages in 2025. The three scenarios we see most often in Fusion Computing engagements against Canadian mortgage brokerages, in descending frequency:
- Broker phishing. A targeted email impersonates a lender, a regulator, or Filogix itself, drives the broker to a credential capture page, and grabs the username and password. Without MFA, the attacker is in. With MFA but no number-matching, MFA fatigue attacks still succeed. Phishing-resistant MFA (FIDO2, Windows Hello for Business) is the durable answer.
- Credential stuffing. Credentials leaked from an unrelated SaaS breach are tried at scale against broker-platform login pages. IP allowlisting, account lockout, and MFA mitigate this layer. The brokerage’s password reuse policy is the underlying root cause, and a mandatory password manager closes the door.
- Session hijack. Malware on a broker laptop captures the session cookie after authentication, then replays it from elsewhere. Device-layer controls (EDR, managed device, disk encryption) plus aggressive session timeouts and re-authentication on sensitive actions are the answer. The network and identity layers contain the blast radius.
None of these scenarios is theoretical. Each shows up in the FSRA enforcement record and in our incident calendar. The defenders win or lose based on which of the five layers were standing on the day of the attempt.
The 8-step Filogix and Velocity hardening rollout
The realistic sequence for a 5 to 25 agent Ontario brokerage. Allocate 4 to 6 elapsed weeks, broker-of-record sponsorship, and a named IT lead or MSP partner.
- Inventory every platform that touches borrower personal information. Filogix, Velocity, Finmo POS, BluMortgage, Newton, broker email, document storage, e-signature. Record current MFA status, admin owner, and last-reviewed date. (Week 1, 2 to 4 hours)
- Enforce MFA on every platform, organization-wide. Not opt-in. Number-matching where the platform supports it; phishing-resistant FIDO methods on admin accounts. Communicate the enrolment window to brokers before the cutover. (Week 1-2, 4 to 8 hours)
- Federate to a single identity provider. Microsoft Entra ID for Microsoft 365 brokerages. SSO into Velocity, BluMortgage, and any other SAML-capable platform. Filogix per current tier capability. (Week 2-3, 6 to 12 hours)
- Configure conditional access. Compliant-device required, legacy auth blocked, MFA on every sign-in for broker users, country-restricted sign-ins (Canada only unless travel is approved). (Week 3, 3 to 6 hours)
- Apply IP allowlisting where supported. Brokerage office static IP + VPN egress IP. Filogix admin tier first, then any platform that supports it. (Week 3-4, 2 to 4 hours)
- Tighten session controls. 15-minute idle timeout, single concurrent session, re-authentication on deal submission and borrower file export. (Week 4, 1 to 2 hours)
- Establish audit log review. Weekly 30-minute review by the broker of record or delegated lead. Anomaly checklist: after-hours logins, bulk file access, foreign IP attempts, MFA failures. Document the review. (Week 4-5, recurring 2 hours per week)
- Document the controls and tabletop a phishing scenario. Write the controls into the brokerage’s information-security policy. Run a 60-minute tabletop with the brokerage leadership team: a broker reports they think they were phished. What happens in the next 15 minutes, 1 hour, 24 hours? Map to the FSRA IT Risk Incident Notification timeline. (Week 5-6, 4 to 6 hours)
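Step 7's weekly review, the monitoring layer of the stack, and the audit-log FAQ below all rest on the same anomaly checklist. The following is an added example, not the article's code and not a Filogix or Lendesk export format: the log shape (`timestamp,user,event,deal_id,source_ip`), the office and VPN allowlist ranges, and the active-user roster are assumptions, and the sample lines are constructed. It runs the checklist over the log: after-hours sign-ins, sign-ins from outside the office/VPN allowlist (the closest an offline check gets to "foreign IP"), bulk borrower-file access, repeated MFA failures, admin actions, and activity on accounts no longer on the roster, which is the terminated-agent pattern from the field note above.

```python
"""Weekly audit-log anomaly review over a broker-platform login/deal-action log.

Added example, not the article's code. Log format, allowlist, roster and
thresholds are assumptions; SAMPLE_LOG is constructed (RFC 5737 test addresses).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

ACTIVE_ROSTER = {"j.singh", "m.tremblay", "a.kowalski", "admin.fx"}  # r.patel left the firm
ALLOWLIST = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "192.0.2.5/32")]  # office, VPN
BUSINESS_HOURS = (7, 20)          # sign-ins outside 07:00-20:00 or on weekends are after-hours
WINDOW = timedelta(minutes=10)
BULK_THRESHOLD = 5                # distinct deals viewed/exported inside one WINDOW
MFA_FAIL_THRESHOLD = 3            # MFA failures inside one WINDOW

SAMPLE_LOG = """\
2026-03-09T09:12:04,j.singh,login,,203.0.113.10
2026-03-09T09:15:40,j.singh,deal_view,D-1001,203.0.113.10
2026-03-10T02:31:11,m.tremblay,login,,198.51.100.77
2026-03-10T02:33:02,m.tremblay,file_export,D-1002,198.51.100.77
2026-03-10T02:33:30,m.tremblay,file_export,D-1003,198.51.100.77
2026-03-10T02:34:01,m.tremblay,file_export,D-1004,198.51.100.77
2026-03-10T02:34:29,m.tremblay,file_export,D-1005,198.51.100.77
2026-03-10T02:35:00,m.tremblay,file_export,D-1006,198.51.100.77
2026-03-11T14:02:13,a.kowalski,mfa_failure,,203.0.113.22
2026-03-11T14:02:40,a.kowalski,mfa_failure,,203.0.113.22
2026-03-11T14:03:05,a.kowalski,mfa_failure,,203.0.113.22
2026-03-11T14:03:31,a.kowalski,login,,203.0.113.22
2026-03-12T16:45:00,admin.fx,admin_role_change,,203.0.113.10
2026-03-14T08:05:00,r.patel,login,,203.0.113.10
"""


def parse_log(text):
    """Parse the assumed CSV shape into dicts, sorted by timestamp."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, deal, ip = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "user": user, "event": event,
                     "deal": deal or None, "ip": ipaddress.ip_address(ip)})
    return sorted(rows, key=lambda r: r["ts"])


def _in_allowlist(ip):
    return any(ip in net for net in ALLOWLIST)


def _is_after_hours(ts):
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def _burst(events, threshold, key=None):
    """True if `threshold` events (distinct by `key` when given) fall inside one WINDOW."""
    for i, first in enumerate(events):
        seen = set()
        for e in events[i:]:
            if e["ts"] - first["ts"] > WINDOW:
                break
            seen.add(key(e) if key else id(e))
            if len(seen) >= threshold:
                return True
    return False


def review(rows):
    """Return a list of (rule, user, detail) findings for the broker of record to work."""
    findings, seen_pairs, by_user = [], set(), defaultdict(list)
    for r in rows:
        by_user[r["user"]].append(r)
        if r["event"] == "login" and _is_after_hours(r["ts"]):
            findings.append(("after_hours_login", r["user"], r["ts"].isoformat()))
        if not _in_allowlist(r["ip"]) and (r["user"], r["ip"]) not in seen_pairs:
            seen_pairs.add((r["user"], r["ip"]))
            findings.append(("outside_allowlist", r["user"], str(r["ip"])))
        if r["event"].startswith("admin_"):
            findings.append(("admin_action", r["user"], r["event"]))
    for user, evs in by_user.items():
        if user not in ACTIVE_ROSTER:
            findings.append(("not_on_roster", user, f"{len(evs)} event(s)"))
        access = [e for e in evs if e["event"] in ("deal_view", "file_export")]
        if _burst(access, BULK_THRESHOLD, key=lambda e: e["deal"]):
            findings.append(("bulk_file_access", user, f">={BULK_THRESHOLD} deals in {WINDOW}"))
        if _burst([e for e in evs if e["event"] == "mfa_failure"], MFA_FAIL_THRESHOLD):
            findings.append(("mfa_failures", user, f">={MFA_FAIL_THRESHOLD} in {WINDOW}"))
    return findings


def summarize(findings):
    """Count findings per rule, the one-line view for the documented weekly review."""
    counts = defaultdict(int)
    for rule, _, _ in findings:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in review(parse_log(SAMPLE_LOG)):
        print(*f)
```

On the constructed log the review surfaces the 02:31 sign-in and five-file export burst from an address outside the allowlist, the three MFA failures followed by a successful sign-in, the Saturday sign-in by an account not on the roster, and the admin role change. Documenting the output of each weekly run is what turns the log into a control.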
The failure mode is almost never the controls themselves. It is incomplete coverage: MFA on Filogix and not on BluMortgage; conditional access in audit-only mode and never enforced; the audit log review that lapses after 3 weeks. The 8-step sequence is structured to close the gap.
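Because the failure mode is coverage rather than the controls themselves, the step 1 inventory is worth checking mechanically. The following is an added example, not the article's code: the inventory field names (`platform`, `mfa`, `sso`, `ip_allowlist`, `admin_owner`, `last_reviewed`) and the rows are constructed assumptions, and the 90-day review-age limit is an assumed threshold. It flags each platform where MFA is available but not enforced, federation is possible but not configured, no admin owner is named, or the last review is stale, and names the weakest platform, since a compromised credential there exposes the same borrower data the better-hardened platforms protect.

```python
"""Coverage check over the step 1 platform inventory.

Added example, not the article's code. Field names, rows and the review-age
limit are constructed assumptions.
"""
from collections import Counter
from datetime import date

REVIEW_MAX_AGE_DAYS = 90  # assumed: an inventory entry older than a quarter is stale

INVENTORY = [  # constructed
    {"platform": "Filogix Expert", "mfa": "enforced", "sso": "n/a", "ip_allowlist": True,
     "admin_owner": "broker of record", "last_reviewed": date(2026, 3, 2)},
    {"platform": "Velocity", "mfa": "enforced", "sso": "entra", "ip_allowlist": False,
     "admin_owner": "broker of record", "last_reviewed": date(2026, 2, 20)},
    {"platform": "BluMortgage", "mfa": "available", "sso": "none", "ip_allowlist": False,
     "admin_owner": "", "last_reviewed": date(2025, 6, 1)},
    {"platform": "Finmo POS", "mfa": "enforced", "sso": "entra", "ip_allowlist": False,
     "admin_owner": "ops lead", "last_reviewed": date(2026, 1, 15)},
]


def coverage_gaps(inventory, today):
    """Return (platform, gap) pairs. 'sso' == 'n/a' means the tier offers none and is not a gap."""
    gaps = []
    for row in inventory:
        name = row["platform"]
        if row["mfa"] != "enforced":
            gaps.append((name, f"MFA is '{row['mfa']}', not enforced"))
        if row["sso"] == "none":
            gaps.append((name, "SSO available but not federated to the identity provider"))
        if not row["admin_owner"]:
            gaps.append((name, "no named admin owner"))
        age = (today - row["last_reviewed"]).days
        if age > REVIEW_MAX_AGE_DAYS:
            gaps.append((name, f"last reviewed {age} days ago"))
    return gaps


def weakest_platform(inventory, today):
    """The platform with the most gaps, or None when coverage is complete."""
    counts = Counter(name for name, _ in coverage_gaps(inventory, today))
    return counts.most_common(1)[0][0] if counts else None


if __name__ == "__main__":
    for platform, gap in coverage_gaps(INVENTORY, date(2026, 3, 16)):
        print(f"{platform}: {gap}")
```

On the constructed inventory every gap sits on BluMortgage: MFA available but optional, no federation, no owner, and a review nine months old, which is exactly the "MFA on Filogix and not on BluMortgage" pattern described above.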
Do / Don’t
| Do | Don’t |
|---|---|
| Enforce MFA on every broker platform organization-wide, with number-matching where supported. | Leave MFA “available” and trust brokers to enrol on their own schedule. |
| Treat the Filogix and Velocity admin accounts like domain administrator accounts: separate, hardened, never used for daily broker work. | Share an admin login across the brokerage operations team. |
| Federate to one identity provider (Microsoft Entra ID for most Canadian brokerages) so a single off-boarding step covers every platform. | Maintain a spreadsheet of per-platform credentials and assume HR will email you when a broker leaves. |
| Review the audit log weekly and document the review. | Assume the lender will tell you when something looks wrong. |
Further reading and primary sources
- FSRA mortgage brokering regulatory framework: the canonical FSRA index for mortgage brokerage supervisory documents.
- FSRA general insurance regulatory framework: FSRA supervisory expectations for the insurance brokerage sector.
- OSFI B-13 Technology and Cyber Risk Management: the federally regulated reference frame that FSRA, MBRCC, and RIBO expectations track against.
- PIPEDA statute (Justice Canada): the federal privacy statute governing commercial-activity brokerages across all provinces.
- Canadian Centre for Cyber Security guidance library: ITSAP and ITSG documents referenced by FSRA, OSFI, and provincial regulators.
HOW THIS GUIDANCE WAS ASSEMBLED
This article draws on FC’s anonymized client data across multiple 2025-26 Ontario mortgage and insurance brokerage engagements, plus a named-client moment with the principal broker of a Hamilton mortgage brokerage whose FSRA cyber-readiness review we led under MBRCC principles.
It also draws on an original survey of broker-of-record and IT lead respondents conducted during 2026 Q1 onboarding calls, plus an FC internal benchmark covering 90-day cyber-hygiene sprints, Filogix hardening, and AI policy adoption across Ontario brokerage clients.
Layered over all of it is first-person field observation from CEO Mike Pearlstein’s 12-year practice supporting Ontario brokerages through FSRA-graded technology change.
Frequently asked questions
Does Filogix Expert support MFA?
Yes. Filogix supports MFA enrolment, and brokerages can enforce it from the administration console depending on tier. The brokerage owns the enforcement decision; many brokerages turn the feature on but leave enrolment optional, which is the failure mode we see most often. Confirm with Finastra that your administration tier supports organization-wide enforcement and turn it on.
Can we IP-allowlist Filogix to just the brokerage office?
IP allowlisting on Filogix is available depending on the brokerage tier. Confirm with the Finastra account team for your specific tenant. Where supported, the highest-impact configuration is: brokerage office static IP plus your VPN egress IP, with broker home offices routed through the VPN. That eliminates remote credential stuffing entirely and forces session hijack attempts to come from your network, where your endpoint and identity controls catch them.
How do Velocity and Finmo handle SSO?
Lendesk supports identity-provider federation for Velocity and the Finmo broker side, typically via SAML to Microsoft Entra ID. The brokerage configures SSO through Lendesk admin, points it at the Entra tenant, and from then on broker accounts inherit MFA, conditional access, and lifecycle from Entra. The Finmo borrower-facing portal uses its own two-factor flow as documented by Lendesk.
Is BluMortgage’s Zoho foundation a security concern?
No, not inherently. Zoho is a global CRM platform with documented security controls; the brokerage’s job is to configure the right ones. Enforce MFA, use SAML SSO on the higher BluMortgage tier where available, review the Zoho audit log, and confirm the tenant region in your master service agreement. The risk profile is comparable to any cloud CRM holding personal information.
What about Newton on the back end?
Newton positions itself as “the only Mortgage Operating Platform” pulling broker systems together. Public security detail is thinner than for Filogix or Velocity; for any Newton engagement, ask the vendor directly about MFA enforcement, SSO support, audit log access, and Canadian data residency, and write the answers into your service agreement. Where Newton sits inside your stack determines how much of the 5-layer hardening you can apply.
Does MBRCC require MFA specifically?
The MBRCC’s 9 Cybersecurity Principles published April 2024 name access management and authentication controls as foundational, and FSRA has adopted the framework through its supervision expectations. The principles are outcome-based rather than control-prescriptive, but every published implementation and every enforcement matter to date treats MFA on platforms holding borrower personal information as the floor, not the ceiling. Our MBRCC principles annotated for a 12-agent brokerage walks the mapping in detail.
What is FINTRAC’s role here?
FINTRAC sets record-keeping and reporting obligations for mortgage brokerages as designated reporting entities. The controls hardening Filogix and Velocity also serve the FINTRAC retention rules: tighter access management, complete audit logs, and intact records of who touched which deal and when. Hardening and compliance are the same project from two angles.
What is the FSRA IT Risk Incident Notification window?
FSRA expects regulated entities to notify within a defined window once a reportable IT risk incident is identified. The challenge is that the notification clock starts from identification, not from breach. Brokerages without monitoring routinely identify incidents days or weeks after they occur, and the notification window is then compressed. Our FSRA IT Risk Incident Notification 15-minute SOP covers the operational mechanics.
Should brokers use personal devices on Filogix?
Avoid it. Filogix and Velocity hold borrower SIN, T4, NOA, and credit pulls; the device-layer control (managed endpoint, disk encryption, EDR, patch level) is half the hardening stack. The realistic alternative is a brokerage-issued device per broker, or a managed BYOD policy where the broker enrols the personal device in Intune. The line is “managed,” not “owned.”
How often should we review the Filogix and Velocity audit logs?
Weekly is the floor; daily is better for a brokerage above 25 agents. The review takes 20 to 30 minutes and looks for after-hours sign-ins, foreign IP attempts, bulk file access, MFA failures, and admin actions. Document the review, because an unreviewed audit log is not a control. The broker of record or a delegated security lead owns the cadence.
What is the highest-impact single control if we can only do one thing this month?
Enforced MFA on Filogix Expert and on whichever broker CRM (BluMortgage, Finmo, BrokrBindr) holds borrower files in your brokerage. Enforcement, not availability. Add number-matching where supported. That single change closes the broker-phishing path that produces the majority of brokerage credential incidents we see, and it sets the foundation for the rest of the 5-layer stack.
How much does the full 8-step rollout cost?
For a 5 to 25 agent Ontario brokerage already on Microsoft 365 Business Premium, the realistic scoped-engagement range is CA$8,000 to CA$22,000 for the initial implementation. Cost depends on the number of platforms, federation complexity, and whether device-layer Intune rollout is in scope.
Recurring managed-IT cost (which absorbs the weekly audit-log review, conditional-access maintenance, and incident response readiness) typically lands between CA$4,000 and CA$11,000 per month for the brokerage size band. The variable is platform count, not agent count.
For the full FSRA-aligned context covering both mortgage and insurance brokerages, see the full MBRCC + RIBO + FSRA brokerage cybersecurity guide.
Fusion Computing helps Canadian mortgage brokerages design, deploy, and run hardened broker-platform stacks across Toronto and the GTA, Hamilton, and Metro Vancouver. If you operate Filogix Expert, Velocity, BluMortgage, Finmo, or Newton and want a brokerage-of-record-ready hardening plan, we can scope the work and run it under a managed-services agreement.