RateStack is the unified pricing platform for correspondent lenders, brokers, lock desks, and hedge teams. Run loan-level pricing across every investor, manage locks and exceptions end-to-end, get a real-time capital-markets cockpit with AI-assisted decisioning, and automate ratesheet ingestion from email, portals, and vendor exports — with a full audit trail on every decision.
Cut lock-day surprises with two-stage eligibility
Real-time hedge cockpit with AI daily briefing
Exception Inbox replaces email with audit-chained triage
Stand up a branded portal under your own domain
Defensible price traces for every quote
Why mortgage capital markets pick RateStack
Three pains are universal across correspondents, brokers, and lock desks. They are the reason RateStack exists.
01 / 03
Every morning your team downloads PDFs, opens vendor portals, and copies cells from Excel into the LOS. Vendor-profile imports (Encompass, etc.) and learning header templates eat the work — no investor-specific code, no spreadsheet plumbing.
02 / 03
Eligibility shifts when the borrower or property profile changes by 1%. Two-stage pre-flight catches it; when a lock does drift, the Exception Inbox routes it to the desk with an AI-suggested resolution instead of a stale spreadsheet.
03 / 03
Investor pricing engines tell you the final number, not why. RateStack ships the per-rule trace inline on every quote, every lock pin, and every overlay merge — readable straight to compliance.
The platform
A unified event backbone (NATS JetStream) carries documents from source to price to distribution. Hover any stage to see what runs there.
Capabilities
Each capability is wired end-to-end — no stubs, no roadmap features. Click any card for the full brief.
Stateless rule engine with three-tier caching. BEST_EX, BY_RATE, BY_PRICE modes. Two-stage eligibility pre-flight. Drill-down on every quote.
Email-in, portal scraping, web scraping, Excel/PDF/OCR conversion, learning header-mapping templates, and named vendor profiles (Encompass et al). Versioned activation with rollback.
End-to-end lock lifecycle with Exception Inbox, AI-assisted resolution suggestions, sell-side audit, and configurable lock-desk policy per organization.
Real-time capital-markets cockpit: P&L roll-ups, daily sparklines, pullthrough scoring, anomaly callouts, and an AI daily briefing — for the executives who need the desk in one screen.
Conversational assistant grounded on your lock, hedge, and exception data — answers P&L questions, surfaces exception patterns, and suggests resolutions. Rate-limited and audit-chained.
Per-organization branding, custom logos and colors, claimable domains with DNS verification and automatic Let's Encrypt certificate issuance. Run RateStack under your own brand.
Vendor text like "Detached PUD - 2 Story - Fee Simple" auto-decomposes into Fannie ULDD orthogonal fields with confidence scoring. Warrantability auto-determined with explainable rationale.
MISMO 3.4 / ULAD / JSON plus AI-assisted vendor imports with type-aware coercion, tiered apply gate, fuzzy-match FICO, top-K fallback, and named vendor profiles.
Org → Entity (BRANCH·REGION·TEAM·DIVISION) → Loan Officer hierarchy. Layered margin rules and per-org pricing/guideline overlays with sign-policy enforcement.
FFIEC-aligned area-median-income lookups, percent-of-AMI calculations, and the two-stage eligibility pre-flight that guards every quote.
REST and GraphQL gateway, capability catalog endpoint, scoped API keys, distributed rate limit, signed outbound webhooks with retry, DLQ, and per-subscriber circuit breakers.
What's new
The capabilities the platform shipped through 2026 that compete on a different axis than legacy PPEs.
Real-time P&L, pullthrough scoring, anomaly callouts, and an AI daily briefing.
Lock exceptions stream via SSE with AI-suggested resolutions and an audit-chained workflow.
Conversational AI grounded on your tenant data; every claim cites a correlationId.
Branded portal under your domain with automatic TLS — coordinated by tenant-domain-controller.
Vendor text decomposes into orthogonal ULDD fields with warrantability rationale.
LOs see ~40% of fields per loan type; Encompass-native import lands 400 fields out of the box.
Solutions
Same platform, different operating models. Tap an audience to see how the pieces line up for your team.
Correspondent operations live and die by speed of price discovery and quality of documentation. RateStack runs the full ladder against every investor in milliseconds, surfaces the BEST_EX, and ships a per-rule trace your compliance team can read out loud.
Eligibility runs in two stages so you don't waste cycles on programs the borrower can't take. Locks integrate with sell-side pricing so the secondary desk sees the same numbers as the LO — and exceptions route to a single Inbox with AI-suggested resolutions.
What you get out of the box
These are not add-ons. They are how the platform was built from day one — because compliance, secondary, and oncall all read the same audit log.
Every quote, every lock exception, every P&L roll-up ships with a per-rule trace. See which adjustment fired, in what order, and why a price landed where it did.
Ratesheets, mapping templates, scenarios, locks, overlays, and audit entries are all version-pinned. Roll back, replay, or reprice as of any prior moment.
NATS JetStream backbone with idempotent replay, Redis-backed dedup, SHA-256 content addressing, and SSE push for exceptions. Every event carries a correlationId end to end.
AES-256-GCM master-key encryption, append-only audit log with SHA-256 hash chain, RFC 7807 error envelopes, capability-based access control with org-delegation auditing, OAuth SSO.
Public REST and GraphQL APIs, a published capability catalog endpoint, signed webhooks with HMAC-SHA256 and DLQ replay, OpenAPI spec, idempotency keys. No proprietary lock-in.
OpenTelemetry tracing, distributed bucket4j rate limit, three-tier ratesheet cache, ShedLock-guarded retention runner, content-addressed encrypted document store, multi-tenant white-label.
Built for the people who get paged at 3 a.m.
Every claim below maps to a specific subsystem in the platform — not a roadmap, not a marketing aspiration.
AES-256-GCM master-key encryption (online rotation supported) for all persisted secrets — IMAP credentials, webhook secrets, app settings.
Append-only `common_audit_log` linked by SHA-256(prevHash || canonical(row)) with actingAsOrgId on every row for clean delegation evidence. A single mutated row is detectable by hash mismatch.
PiiRedactor scrubs emails, phones, SSN-shaped numbers, and credit-card numbers from every outbound log, audit payload, and OTLP span — pre-write, not post-process.
Catalog of 12 operational + 7 provider capabilities, exposed at /v1/capabilities. JWT org_roles claim drives gating. Email/password plus Google, Microsoft, and Apple Sign-In.
Every HTTP error returns application/problem+json with type, title, detail, status, instance, and a stable correlationId field for log correlation.
SafeUrlValidator blocks loopback, private, link-local, and cloud-metadata IPs; per-service host allowlists for outbound integrations.
Integrations
No proprietary SDK is required. Use the OpenAPI spec, run cURL, subscribe to events, import a MISMO 3.4 file. We meet you at the wire.
Idempotency keys, RFC 7807 problem+json, scoped API keys, distributed rate limits. The OpenAPI spec is published live.
Single round-trip pricing + drill-down via /graphql. Same auth, same rate limit, same trace.
HMAC-SHA256 signed deliveries, exponential backoff, 8-attempt retry, DLQ replay, per-subscriber circuit breaker.
Import 1003 loan applications in MISMO 3.4 XML, ULAD, or RateStack JSON. Returns a normalized loan ready to price.
What teams say
The folks running pricing, lock-desks, and secondary marketing helped us shape every shipped feature. Their words, their teams.
Two-stage eligibility cut our lock-day surprises to almost zero. The drill-down is the first time a pricing engine has actually answered 'why' for our compliance team.
The webhook DLQ replay alone justified the migration. We used to lose deliveries when subscribers blipped; now we replay them in one click and the trace shows exactly what we did.
Our hedge desk needed clean event-time pricing. The correlationId on every event means we can join pricing, lock, and sell-side data without guessing.
Quotes are paraphrased from operator interviews. Identifiable customer logos are added only with written permission.
Sandbox, Team, Business, and Enterprise tiers — every tier runs on the same engine, the same audit log, the same APIs. Upgrade when the volume or compliance posture changes; you do not change the integration.
Frequently asked
Email IMAP polling, portal automation via headless browser, web/API scraping, named vendor profiles (Encompass Standardized Report ships with 400 fields mapped), and direct file upload. Every source feeds the same conversion → extraction → ingestion → versioning pipeline. There is no investor-specific hardcoding — parsers are data-driven, vendor profiles short-circuit known shapes, and the header-mapping templates learn over time.
Yes, in places where it actually helps: AI-assisted vendor mapping, property text decomposition, lock exception triage suggestions, a daily Hedge Cockpit briefing, and the AI Desk Assistant. AI suggests, operators decide; every prompt and reply is grounded on your tenant's data, cited, and audit-chained. AI is never in the pricing decision itself.
Yes. RateStack is purpose-built for residential mortgage capital markets — correspondents, brokers, mini-correspondents, lock desks, hedge desks, secondary marketing, TPO/wholesale channels, and platform lenders running white-label. The rule engine, MISMO/ULAD importers, AMI service, and lock subsystem are all residential-specific.
No. RateStack runs alongside your LOS. Use the public REST or GraphQL API, the loan import endpoints (MISMO 3.4, ULAD, JSON, or Encompass-native via the Standardized Report profile), or webhooks to integrate. We do not require you to move your borrower data.
Yes on Enterprise. Claim a custom domain, verify DNS, and the tenant-domain-controller reconciles a cert-manager Certificate via Let's Encrypt HTTP-01 + an IngressRoute. Per-org branding (logos, colors, email templates) lights up automatically. Same engine, same audit chain, same APIs under your domain.
Every quote ships with a full per-rule trace — which rule fired, with what condition, against which input, in what combine strategy (SUM, MAX, MIN, OVERRIDE, REPLACE_DIMENSION). The audit log is append-only with a SHA-256 hash chain plus actingAsOrgId on every row for clean delegation evidence, so any post-write mutation is detectable.
Ratesheets are versioned (DRAFT → ACTIVE → SUPERSEDED). Roll back to a prior active version with a single API call; pricing immediately uses the rolled-back grid. Historical replay lets you reprice as of any prior moment using the ratesheet that was active then.
AES-256-GCM master-key encryption for all persisted secrets (online rotation supported). PII redaction strips emails, phones, SSN-shaped numbers, and PANs from outbound logs and audit payloads. Append-only audit log linked by SHA-256(prevHash || canonical(row)) with actingAsOrgId for delegation. Capability catalog of 12 operational + 7 provider capabilities published at /v1/capabilities. SSO via Google, Microsoft, and Apple.
Ready when you are
We'll wire up a sandbox with your ratesheets, run your top scenarios head-to-head against your current engine, and walk you through the per-rule trace line by line. No procurement steps to start.