LoanPro

Front-end application manager

Overview of LoanPro’s front-end application manager, including playbook configuration, verification workflows, Vault data handling, and integration options.

LoanPro’s Originate platform includes our front-end application manager. This system is handled by LoanPro—instead of accessing the system directly, you’ll work with LoanPro’s team to configure and customize your application playbooks, settings, and integrations based on your business needs.

To request any configuration changes or updates described in this document, reach out to your normal contact at LoanPro.

Application playbooks

Playbooks are the different applications you create—not a specific user filling out the form, but the form itself. Each playbook is a specific application workflow with its own data collection requirements, verification checks, and approval logic.

Playbook components

Your playbooks can include multiple types of nodes that define the application flow:

  • Data collection: Gather applicant information like personal details, employment information, and income
  • Document collection: Request supporting documents from applicants
  • Verification checks: Run KYC (Know Your Customer), KYB (Know Your Business), AML (Anti-Money Laundering), or fraud checks
  • Decisioning logic: Define approval paths and rules based on collected data
  • External API connections: Integrate with third-party systems through the Vault Proxy

We have template playbooks available for several common underwriting models, and can work with you to fine-tune them to your risk tolerance and decisioning policies.

Playbook settings

Several configuration options can be applied to your playbooks:

  • One-Time Password (OTP) Settings: At least one of these options must be enabled. When applicants enter their email or phone number, a 6-digit one-time passcode is sent to verify it.
  • Passkeys: Passkeys can be enabled on iOS and Android devices, allowing you to validate applicants on future logins without requiring passwords.
  • Identity Data Confirmation Screen: By default, applicants see a confirmation screen after entering their identity data, giving them a chance to review and edit. This screen can be skipped to streamline the application process, though applicants will then be unable to edit their data after submission.
  • User Deduplication on PII: When enabled, if an existing user attempts to start a new application, the system recognizes their email or phone number and prompts them to sign into their existing account instead of creating a duplicate.

Playbook themes

Themes control the visual appearance of your applications. Each theme includes:

  • General information: Brand name, internal theme name, and white-labeling options
  • Support and legal links: Privacy policy URL, terms of service URL, and support contact information (email, phone, website)
  • Visual styles: Colors, fonts, and other visual elements
  • Copy customization: Header text, subtitle, and call-to-action button text for the application landing page

Themes are configured independently and then applied to playbooks. This approach ensures visual consistency across multiple playbooks and makes it easy to update branding across all applications simultaneously.

Testing playbooks

Playbooks can be tested in two modes:

  • Basic preview: A step-by-step walkthrough of what applicants will see, allowing you to enter test data and experience the flow
  • Advanced preview: A JSON payload method using pre-determined data from the Vault

Shareable test links can be generated for playbooks, allowing stakeholders to preview and test application flows before deploying them to production.

The Vault and Vault Proxy

The Vault

The Vault is the system's secure data warehouse. It stores and encrypts all applicant personal information, keeping data encrypted at rest to maintain compliance with data privacy laws.

Two categories of data are stored within the Vault:

  1. Native information: Standard applicant data such as name, SSN, and address
  2. Custom information: Additional data collected during the application process based on your specific requirements

Data stored in the Vault can be referenced and used throughout the application flow and in external integrations.

The Vault Proxy

The Vault Proxy serves as your gateway for managing external API integrations. It enables secure communication with third-party systems while keeping applicant data encrypted throughout the process.

Proxy Configuration Options

Each proxy configuration includes:

  • Name: Internal identifier for the proxy
  • Base URL: The default endpoint for API calls
  • HTTP Method: The default method (GET, POST, PUT, etc.)
  • Access reason: Documentation of why this integration exists
  • Headers: Default headers for API requests, with the option to encrypt sensitive values
  • Client certificate authentication: For integrations requiring certificate-based security
  • Pinned server certificates: Additional security for server validation
  • Ingress vaulting: Configuration for encrypting and storing PII returned from external APIs

All API calls made through proxies are logged with detailed information including HTTP method, URL, timestamp, request payload, and response data.

Vault Proxies can be used either within playbooks or with external connections.

Within playbooks: Proxies can be integrated directly into your application flow as external API connections. For each proxy node, you can configure:

  • Connection name and purpose
  • Separate configurations for live and sandbox environments
  • URL path modifications
  • Additional headers and query parameters
  • JSON request payload (body)
  • Failure handling (whether to fail onboarding if the API doesn't return a successful response)
  • Response storage using custom variables in the Vault

External integrations: Proxies can be called by third-party decisioning tools or webhook systems, allowing external systems to securely access encrypted applicant data without exposing PII publicly across the internet.

Why use the Vault Proxy?

Rather than making direct API calls that expose sensitive applicant data, the Vault Proxy acts as a secure intermediary. By passing an applicant's vault identifier instead of raw PII, your integrations can access and use encrypted applicant data while maintaining privacy and compliance throughout the process.
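
An added illustration of the pattern described above (not LoanPro's code or API): a toy in-memory proxy that takes a vault identifier and a templated body, substitutes real values only when calling the third party, and vaults PII that comes back. The {{vault.field}} placeholder syntax, the function names, the identifier and the sample data are all assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample record; the identifier, field names and values are made up.
VAULT = {"vlt_demo_001": {"name": "Jane Sample", "ssn": "000-00-0000"}}
AUDIT_LOG = []
# Hypothetical placeholder syntax for "use this vaulted field here".
PLACEHOLDER = re.compile(r"\{\{\s*vault\.(\w+)\s*\}\}")


def resolve(template, record):
    """Substitute placeholders with vaulted values; an unknown field raises KeyError."""
    if isinstance(template, dict):
        return {k: resolve(v, record) for k, v in template.items()}
    if isinstance(template, list):
        return [resolve(v, record) for v in template]
    if isinstance(template, str):
        return PLACEHOLDER.sub(lambda m: record[m.group(1)], template)
    return template


def proxy_call(vault_id, method, url, body_template, upstream, ingress_fields=()):
    """Detokenize inside the proxy, call the third party, vault PII it returns."""
    record = VAULT[vault_id]                      # unknown identifier fails closed
    outbound = resolve(body_template, record)     # raw PII exists only in this scope
    response = dict(upstream(method, url, outbound))
    for field in ingress_fields:                  # ingress vaulting of returned PII
        if field in response:
            record[field] = response[field]
            response[field] = "{{vault.%s}}" % field
    # Assumption: the log keeps the tokenized request and response, not raw values.
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "method": method,
                      "url": url, "vault_id": vault_id,
                      "request": body_template, "response": response})
    return response


def demo():
    seen = []

    def fake_bureau(method, url, body):           # constructed stand-in third party
        seen.append(body)
        return {"match": True, "date_of_birth": "1990-01-01"}

    resp = proxy_call("vlt_demo_001", "POST", "https://bureau.example/verify",
                      {"ssn": "{{vault.ssn}}", "full_name": "{{vault.name}}"},
                      fake_bureau, ingress_fields=("date_of_birth",))
    return resp, seen[0], AUDIT_LOG[-1]
```

The caller and the audit log only ever hold the vault identifier and placeholders; the raw values appear solely in the request that reaches the third party.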

Applicant management

The system provides comprehensive views of both consumer and commercial applicants. Applications can be filtered by:

  • Completion status
  • Pass/fail status
  • Manual review requirements
  • Playbook used
  • Custom tags

Applicant data and actions

For each applicant, the following information and actions are available:

Applicant information:

  • Personal information (encrypted by default, with decryption available)
  • Playbook outcomes and approval path
  • Audit trail with timestamps of all actions
  • Risk signals including duplicate account detection and device insights
  • Field validation results
  • Uploaded documents
  • Process metadata

Actions:

  • Edit user information manually
  • Add custom tags for filtering and organization
  • Upload documents (driver's license, paystubs, etc.)
  • Run verification checks (KYC, KYB, AML, fraud)
  • Request additional information or documents from the applicant
  • Allow users to update login methods
  • Mark applications as fraudulent
  • Manual pass/fail decisions

Risk signals

The system automatically detects several risk indicators:

  • Duplicate accounts: Flags when a single device has been used for multiple separate applications
  • Device insights: Compares a user's listed address to the location they applied from
  • VPN usage: Detects VPN use that may indicate suspicious activity
  • GPS spoofing: Identifies location manipulation
  • Bot detection: Flags behavior patterns consistent with automated applications

Reporting and analytics

Onboarding metrics

The system tracks key performance indicators that can be filtered by playbook or time period:

  • Successful onboardings: Applications that passed playbook rules and are approved
  • Failed onboardings: Applications that failed playbook rules and are rejected
  • Incomplete onboardings: Applications cancelled or abandoned by the applicant
  • Total onboardings: Sum of all onboardings (successful, failed, incomplete, or pending)
  • Pass rate: Successful onboardings as a percentage of all successful or failed applications (incomplete onboardings excluded)
  • New vaults: Number of unique users onboarded

Security logs

Security logs provide a complete audit trail of all actions taken in the environment, including the date, time (down to the minute), and specific action performed.

Webhook event tracking

Webhook activity can be monitored with:

  • Event catalog listing all events that can trigger webhooks
  • Logs of previous webhook deliveries
  • Activity metrics over time

Integration options

If you’re looking to integrate our application manager with other systems, you have two options:

  • API Keys. API keys can be created and managed with different permission levels. Each key includes a key name and access control level. Keys can be revealed, disabled, or have their permissions modified as needed. For any set of keys, we can supply the last used date, the created date, and the enabled/disabled status.
  • Webhooks. Webhooks can be configured to send updates to external systems whenever specific events occur during the application process. Configuration includes endpoint URLs to receive webhook notifications, event selection from the event catalog, and retry information. We can also supply delivery logs and activity metrics.

Account settings

Business Profile

Your business profile contains company information used across the application system:

  • Company logo
  • Company name
  • Company website
  • Organization ID (system-generated identifier)
  • Support contact information (email, phone, website) displayed to applicants

Members and roles

Members: Individual users who access and manage your front-end application system. Member information includes their assigned roles and last active date.

Roles: Permission sets that can be assigned to members based on business needs (e.g., Admin, Member). Each role can be configured with specific permissions.

Domain Access: Can be enabled to allow team members with your company email domain to automatically join the system. Users joining through domain access receive read-only permissions by default until their role is updated.

Manual review workflows

Manual review processes can be configured for applications that require human oversight, including both approval workflows and fraud marking procedures.

Custom lists

Lists can be created to manage and organize blocked users and businesses, helping to prevent unwanted applications.

Getting started

To begin configuring your credit application system or to make changes to any of the options described above, reach out to your normal contact at LoanPro. Our team will work with you to understand your requirements and implement the appropriate configuration for your business needs.