On August 6, 2026, a two-page letter quietly becomes one of the most consequential documents in mortgage operations. Fannie Mae's Lender Letter LL-2026-04 requires every approved seller and servicer that uses AI or machine learning — anywhere in origination or servicing — to operate a documented governance program, and to prove it on request.1
Freddie Mac got there first: its AI/ML requirements have been in effect since March 3, 2026.2 Together, the two frameworks turn a question most shops have never written down — what AI runs in our loan process, and who's accountable for it? — into something a GSE can ask you to answer, promptly, in writing.
If you use AI anywhere, you're already in scope
The most common misreading of LL-2026-04 is that it's about exotic underwriting models. It isn't. The letter applies to any AI/ML system used in connection with origination or servicing — and it draws no line between tools you built and tools you bought.1 Freddie Mac's Section 1302.8 works the same way.2 The document classifier inside your LOS plugin, the chatbot on your point-of-sale, the fraud-detection layer in your verification stack, the OCR reading paystubs in intake — all of it is in scope.
And nearly everyone has something. STRATMOR's Technology Insight study found 38% of lenders using AI/ML in 2024 — double the year before — with document classification (63%) and document reading (54%) the most common uses, and most of it delivered through third-party vendors.3 If a vendor's AI reads a paystub on your files, you have an AI program. The only question is whether it's written down.
The compliance clock: the dates that matter
The compliance clock has been running longer than most shops realize. Freddie Mac published Bulletin 2025-16 in December 2025 and its requirements took effect March 3, 2026 — meaning Freddie sellers are already subject to them today.2 Fannie Mae issued LL-2026-04 on April 8, 2026, giving sellers 120 days to the August 6 effective date.1 After that, the obligation doesn't end — policies must be reviewed at least annually, and disclosure can be requested at any time. Internationally, the EU AI Act's high-risk provisions covering credit scoring land December 2, 2027, so the direction of travel is global.5
Two frameworks, one bar
The two frameworks are aligned in purpose but differ in style. Fannie Mae's letter is principles-based — it gives you the skeleton of a governance program and expects you to calibrate it to your own risk tolerance.7 Freddie Mac's Guide section reads more like an operational checklist: named senior-management roles, security audit standards, monitoring duties, training, and express indemnification.6 If you sell to both — and most shops do — the practical answer is simple: build to the stricter spec. Tap any row to see what each GSE expects.
Freddie Mac names the roles it expects to sign off; Fannie Mae requires ownership without prescribing the title. Either way, "nobody owns it" is no longer an acceptable answer.6
Fannie tells you to have a governance program. Freddie tells you what's in it. Selling to both means building to the stricter spec.
— The practical reading of the two frameworks
What you actually have to build
Strip the two documents to their operating requirements and five pillars remain. First, written policies that cover the full lifecycle of every AI/ML system — development, implementation, use, and maintenance — reviewed at least annually, communicated to the staff who touch AI, grounded in the legal landscape, calibrated to your risk tolerance, and owned by a named person.1 Second, an inventory: every AI system in production, internal or vendor, with its purpose, its data, and the decisions it influences.6,8 Third, risk management that runs continuously — not a one-time assessment — with NIST's AI Risk Management Framework as the reference most programs are built on.8
Fourth, vendor oversight with teeth. Equivalent standards for third-party AI, standardized due-diligence questionnaires, written attestations, and — for Freddie sellers — contracts that address indemnification.2,6 Fifth, disclosure readiness: the ability to promptly tell a GSE what AI you use, why, how, and what safeguards protect it. Compliance advisers consistently find this is where shops that "have a policy somewhere" fall down — the request is answerable in days only if the pack already exists.9
How ready are you? Score yourself
Ten statements, drawn directly from the two frameworks. Tap the ones that are true of your shop today — the score updates as you go. Be honest; the GSEs will be.
Tap the statements that are true today.
Runs entirely in this page — nothing you tap is recorded or sent anywhere.
Your vendors' AI is your AI
Here's the part that changes buying behavior: under both frameworks, the AI inside your vendors' products is your compliance responsibility.1,2 And the CFPB has already made the adjacent point on the consumer side — a creditor using a complex algorithm still owes specific, accurate adverse-action reasons, and can't hide behind a black box it can't explain.10 The vendor questionnaire just became the sharpest tool in your program. Seven questions worth asking every AI vendor — and what a good answer looks like.
Three weeks is enough — if you sequence it right
Compliance advisers report most shops still aren't ready — many hadn't heard of the letter months after publication.9 The good news: LL-2026-04 is two pages and principles-based.1 The work is real, but it's bounded, and it sequences cleanly:
- Week 1 — inventory. Walk the loan lifecycle end to end and list every AI touchpoint. Send each vendor one question in writing: "What AI/ML is inside your product, and what does it do on our files?"
- Week 2 — policy and owner. Draft the written policy against the NIST AI RMF skeleton, calibrate it to your risk tolerance, name the owner, and get senior sign-off — Freddie Mac expects CIO/CTO/CISO/CRO-level approval. Brief the staff whose jobs touch AI.
- Week 3 — attestations and the disclosure pack. Collect written vendor answers, file them with your inventory and policy, and assemble the pack you'd hand a GSE on request. Put the annual review on the calendar before you close the file.
- Then keep it alive. Monitoring, training refreshers, and contract updates at renewal. Governance is a program, not a binder.
Perfection isn't the bar — a documented, owned, honestly-scoped program is. The lenders that treat August 6 as the start of an operating discipline, rather than a paperwork deadline, get something better than compliance: they get to keep deploying AI while competitors freeze.
Frequently asked questions
Sources
This brief is an operational summary of public guidance, not legal advice. Requirements are paraphrased from the primary documents and the legal analyses below — consult the originals and your counsel before relying on them.
- Fannie Mae — Lender Letter LL-2026-04: Governance Framework on Use of AI and MLIssued April 8, 2026, effective August 6, 2026. Written lifecycle policies reviewed annually; vendor/subcontractor coverage; disclosure on request of types, purpose and manner of use, and safeguards; information-security supplement compliance.
- Freddie Mac — Seller/Servicer Guide §1302.8: Use of AI and Machine Learning (Bulletin 2025-16)Issued December 3, 2025, effective March 3, 2026. Governance program, senior-management approval, monitoring for degradation/bias/security, training, indemnification, prompt disclosure on request.
- STRATMOR Group — Increasing AI and Automation Adoption in the Mortgage IndustryAI/ML use rose from 15% of lenders (2023) to 38% (2024); document classification (63%) and document reading (54%) lead use cases; most delivered via third-party vendors.
- National Mortgage News — AI hits underwriting: 57% of pros predict changeSurvey (Nov–Dec 2025): 57% named AI-driven underwriting 2026's biggest change; 37% said the regulatory environment encouraged faster AI implementation in underwriting.
- Morgan Lewis — EU Approves Delays to Certain EU AI Act Obligations (June 2026)Digital Omnibus defers high-risk obligations for stand-alone Annex III systems (including credit scoring) to December 2, 2027.
- Harris Beach Murtha — Fannie Mae and Freddie Mac Set New AI Standards for Mortgage LendersSide-by-side analysis: Fannie's principles-based structure vs. Freddie's prescriptive controls — named senior roles, NIST 800-53 / ISO 27001 audits, segregation of duties, training, indemnification.
- Cooley — Fannie Mae Issues AI/ML Governance Framework for Sellers and ServicersScope and preparation analysis; notes GSEs will increasingly examine AI/ML use and reserve the right to question deployment rationale and safeguards.
- NIST — AI Risk Management FrameworkThe de facto reference for AI governance programs: govern, map, measure, manage — including the Generative AI Profile.
- Ncontracts — Will You Be Ready to Comply with Freddie Mac's AI Requirements?Readiness analysis: most lenders unprepared; centralized AI/vendor inventories, standardized due-diligence questionnaires, and documented oversight are the gap-closers.
- CFPB — Circular 2022-03: Adverse-action notification with complex algorithmsCreditors using complex algorithms must still provide specific, accurate adverse-action reasons — no hiding behind black-box models.