Compliance Brief · 2026

Your AI program is due August 6.

Fannie Mae's LL-2026-04 takes effect in weeks. Freddie Mac's AI rules have been live since March. If any AI touches your origination or servicing — yours or your vendors' — the GSEs now expect a documented, auditable governance program. Here's exactly what that means, and a three-week plan that gets you there without boiling the ocean.

July 16, 2026 12 min read
Share

On August 6, 2026, a two-page letter quietly becomes one of the most consequential documents in mortgage operations. Fannie Mae's Lender Letter LL-2026-04 requires every approved seller and servicer that uses AI or machine learning — anywhere in origination or servicing — to operate a documented governance program, and to prove it on request.1

Freddie Mac got there first: its AI/ML requirements have been in effect since March 3, 2026.2 Together, the two frameworks turn a question most shops have never written down — what AI runs in our loan process, and who's accountable for it? — into something a GSE can ask you to answer, promptly, in writing.

Aug 6
the effective date of Fannie Mae's LL-2026-04 AI governance requirements (2026)1
Mar 3
when Freddie Mac's §1302.8 requirements took effect — already live (Bulletin 2025-16)2
120
days between LL-2026-04's publication and its effective date1
38%
of lenders used AI/ML in 2024, up from 15% in 2023 (STRATMOR Group)3
63%
of AI adopters use it for document classification — vendor tools count3
37%
say the regulatory environment pushed them to speed up AI in underwriting (NMN)4

If you use AI anywhere, you're already in scope

The most common misreading of LL-2026-04 is that it's about exotic underwriting models. It isn't. The letter applies to any AI/ML system used in connection with origination or servicing — and it draws no line between tools you built and tools you bought.1 Freddie Mac's Section 1302.8 works the same way.2 The document classifier inside your LOS plugin, the chatbot on your point-of-sale, the fraud-detection layer in your verification stack, the OCR reading paystubs in intake — all of it is in scope.

And nearly everyone has something. STRATMOR's Technology Insight study found 38% of lenders using AI/ML in 2024 — double the year before — with document classification (63%) and document reading (54%) the most common uses, and most of it delivered through third-party vendors.3 If a vendor's AI reads a paystub on your files, you have an AI program. The only question is whether it's written down.

The takeaway

"We only use vendor tools" is not an exemption — it's the reason you're in scope. Both GSEs apply the same governance standards to vendor and subcontractor AI as to systems you build yourself.1,2

The compliance clock: the dates that matter

The compliance clock has been running longer than most shops realize. Freddie Mac published Bulletin 2025-16 in December 2025 and its requirements took effect March 3, 2026 — meaning Freddie sellers are already subject to them today.2 Fannie Mae issued LL-2026-04 on April 8, 2026, giving sellers 120 days to the August 6 effective date.1 After that, the obligation doesn't end — policies must be reviewed at least annually, and disclosure can be requested at any time. Internationally, the EU AI Act's high-risk provisions covering credit scoring land December 2, 2027, so the direction of travel is global.5

The compliance clock
Where the industry stands today — countdown runs live
days until LL-2026-04 takes effect
Dec 3, 2025 Freddie Mac issues Bulletin 2025-16
Mar 3, 2026 Guide §1302.8 in effect
Apr 8, 2026 Fannie Mae issues LL-2026-04
Every year after Annual policy review
Effective dates per Fannie Mae LL-2026-04 and Freddie Mac Bulletin 2025-16.1,2 EU AI Act high-risk obligations for credit scoring follow on December 2, 2027.5

Two frameworks, one bar

The two frameworks are aligned in purpose but differ in style. Fannie Mae's letter is principles-based — it gives you the skeleton of a governance program and expects you to calibrate it to your own risk tolerance.7 Freddie Mac's Guide section reads more like an operational checklist: named senior-management roles, security audit standards, monitoring duties, training, and express indemnification.6 If you sell to both — and most shops do — the practical answer is simple: build to the stricter spec. Tap any row to see what each GSE expects.

Requirement Fannie Mae · LL-2026-04 Freddie Mac · §1302.8
Written AI policies & procedures RequiredFull lifecycle · annual review · named owner RequiredFormal policies with senior-management approval

Fannie Mae: policies must be transparent, communicated to staff whose jobs touch AI/ML, grounded in legal and regulatory requirements, calibrated to your risk tolerance, and reviewed at least annually.1 Freddie Mac: clear ownership and escalation paths, approved at the top.2

Inventory of AI/ML systems ExpectedEvery system, internal and vendor, with its purpose ExpectedIncluding AI embedded in vendor tools

You can't govern what you haven't listed. Both frameworks assume you can enumerate the systems in use, what they do, what data they touch, and which decisions they influence.6,8

Senior-management accountability PrinciplesA designated owner for the program ExplicitCIO / CTO / CISO / CRO-level approval

Freddie Mac names the roles it expects to sign off; Fannie Mae requires ownership without prescribing the title. Either way, "nobody owns it" is no longer an acceptable answer.6

Security standards & audits ReferencedInformation Security & Business Resiliency Supplement ExplicitAudits against NIST 800-53 / ISO 27001 · segregation of duties

Fannie Mae ties AI use to its existing information-security supplement; Freddie Mac specifies the audit standards and adds operational controls like segregation of duties.1,6

Bias & performance monitoring PrinciplesTrustworthy, ethical AI characteristics ExplicitOngoing monitoring for degradation, bias & security issues

Freddie Mac expects monitoring to run continuously in production — performance drift, bias, and security are named. Fannie Mae folds the same expectations into its trustworthy-AI principles.2,6

Personnel training ImpliedPolicies communicated to relevant staff ExplicitAI risk-management training required

Freddie Mac requires training in AI risk management for relevant personnel; Fannie Mae requires that staff whose responsibilities touch AI/ML know the policies exist and what they say.1,6

Vendor & subcontractor AI RequiredSame governance standards as internal AI RequiredSame — plus express indemnification tied to AI use

Both frameworks make third-party AI the lender's responsibility. Freddie Mac goes further with indemnification obligations tied to AI use — worth re-reading your vendor contracts for.1,6

Disclosure on request RequiredTypes · purpose & manner of use · safeguards RequiredPrompt disclosure of the same

Both GSEs reserve the right to ask what AI you use, why, how, and what safeguards mitigate the risk — plus "such other information" as they may require. The practical implication: keep a disclosure pack ready, don't assemble one under deadline.1,2

Effective date Aug 6, 2026120 days from publication Mar 3, 2026In effect since March

Freddie Mac's requirements took effect March 3, 2026; Fannie Mae's effective date is August 6, 2026. Annual reviews keep both programs evergreen after that.1,2

Requirements paraphrased from LL-2026-04, Guide §1302.8, and legal analyses.1,2,6,7 Tap a row for detail. Selling to both GSEs means meeting the stricter of each element.

Fannie tells you to have a governance program. Freddie tells you what's in it. Selling to both means building to the stricter spec.

— The practical reading of the two frameworks

What you actually have to build

Strip the two documents to their operating requirements and five pillars remain. First, written policies that cover the full lifecycle of every AI/ML system — development, implementation, use, and maintenance — reviewed at least annually, communicated to the staff who touch AI, grounded in the legal landscape, calibrated to your risk tolerance, and owned by a named person.1 Second, an inventory: every AI system in production, internal or vendor, with its purpose, its data, and the decisions it influences.6,8 Third, risk management that runs continuously — not a one-time assessment — with NIST's AI Risk Management Framework as the reference most programs are built on.8

Fourth, vendor oversight with teeth. Equivalent standards for third-party AI, standardized due-diligence questionnaires, written attestations, and — for Freddie sellers — contracts that address indemnification.2,6 Fifth, disclosure readiness: the ability to promptly tell a GSE what AI you use, why, how, and what safeguards protect it. Compliance advisers consistently find this is where shops that "have a policy somewhere" fall down — the request is answerable in days only if the pack already exists.9

How ready are you? Score yourself

Ten statements, drawn directly from the two frameworks. Tap the ones that are true of your shop today — the score updates as you go. Be honest; the GSEs will be.

0/ 10

Tap the statements that are true today.

Runs entirely in this page — nothing you tap is recorded or sent anywhere.

Self-assessment derived from LL-2026-04 and Guide §1302.8 requirements.1,2 Directional, not legal advice.

Your vendors' AI is your AI

Here's the part that changes buying behavior: under both frameworks, the AI inside your vendors' products is your compliance responsibility.1,2 And the CFPB has already made the adjacent point on the consumer side — a creditor using a complex algorithm still owes specific, accurate adverse-action reasons, and can't hide behind a black box it can't explain.10 The vendor questionnaire just became the sharpest tool in your program. Seven questions worth asking every AI vendor — and what a good answer looks like.

A good answer is a specific written inventory — model types, functions, data touched — not marketing copy. This becomes a line in your own AI inventory, so vagueness here is your gap, not theirs.
A good answer is page-level citations: every figure, condition, and flag tied to the document and page it came from. If a number can't be traced, it can't be audited — and it can't survive a disclosure request.
A good answer draws the boundary explicitly: the AI analyzes, a human decides. Approvals, pricing, and adverse action stay with your underwriter — by design, not by workaround.
A good answer is a documented evaluation process with a cadence and results you're allowed to see. Freddie Mac expects ongoing monitoring for exactly these failure modes — your vendor should already be doing it.
A good answer is clear, contractual data-use terms — and no training on your borrowers' data without explicit consent. "It improves the model for everyone" is not a data-governance policy.
A good answer maps to the standards Freddie Mac audits against — NIST 800-53, ISO 27001 — or an equivalent attestation like SOC 2, in writing, current, and renewable.
A good answer is cooperation with GSE disclosure requests written into the contract, plus indemnification language that matches what Freddie Mac now expects of you. A vendor who won't put it in writing is asking you to carry their risk.
A vendor who can't answer these in writing is a compliance gap you're adopting voluntarily.

Three weeks is enough — if you sequence it right

Compliance advisers report most shops still aren't ready — many hadn't heard of the letter months after publication.9 The good news: LL-2026-04 is two pages and principles-based.1 The work is real, but it's bounded, and it sequences cleanly:

Perfection isn't the bar — a documented, owned, honestly-scoped program is. The lenders that treat August 6 as the start of an operating discipline, rather than a paperwork deadline, get something better than compliance: they get to keep deploying AI while competitors freeze.

Frequently asked questions

Any approved Fannie Mae seller or servicer that uses AI/ML in connection with origination or servicing — with no distinction between internally built and vendor-provided systems.1 If AI reads documents, scores risk, verifies income, answers borrower chat, or flags fraud anywhere in your process, you're in scope. Effective August 6, 2026.
Written policies covering the full AI lifecycle, reviewed at least annually with a named owner; an inventory of systems and purposes; continuous risk management; vendor AI held to the same standards; and prompt disclosure on request of the types of AI used, the purpose and manner of use, and the safeguards in place.1,2 Freddie Mac adds senior-management approval, audits against NIST 800-53 / ISO 27001, bias and performance monitoring, training, and indemnification.6
Yes — both GSEs apply the same governance standards to vendor and subcontractor AI as to internal systems.1,2 Using only vendor tools isn't an exemption; it makes vendor due diligence the core of your program. Get written answers: what AI is inside, how outputs trace to sources, who decides, how models are tested and secured.
Quickly, if you sequence it right. The letter is principles-based and the work is bounded: inventory first, then a written policy with a named owner, then vendor attestations and a disclosure pack.1,9 Done in that order, a defensible first version fits in about three weeks — and the annual review keeps it alive after the effective date.

Sources

This brief is an operational summary of public guidance, not legal advice. Requirements are paraphrased from the primary documents and the legal analyses below — consult the originals and your counsel before relying on them.

  1. Fannie Mae — Lender Letter LL-2026-04: Governance Framework on Use of AI and MLIssued April 8, 2026, effective August 6, 2026. Written lifecycle policies reviewed annually; vendor/subcontractor coverage; disclosure on request of types, purpose and manner of use, and safeguards; information-security supplement compliance.
  2. Freddie Mac — Seller/Servicer Guide §1302.8: Use of AI and Machine Learning (Bulletin 2025-16)Issued December 3, 2025, effective March 3, 2026. Governance program, senior-management approval, monitoring for degradation/bias/security, training, indemnification, prompt disclosure on request.
  3. STRATMOR Group — Increasing AI and Automation Adoption in the Mortgage IndustryAI/ML use rose from 15% of lenders (2023) to 38% (2024); document classification (63%) and document reading (54%) lead use cases; most delivered via third-party vendors.
  4. National Mortgage News — AI hits underwriting: 57% of pros predict changeSurvey (Nov–Dec 2025): 57% named AI-driven underwriting 2026's biggest change; 37% said the regulatory environment encouraged faster AI implementation in underwriting.
  5. Morgan Lewis — EU Approves Delays to Certain EU AI Act Obligations (June 2026)Digital Omnibus defers high-risk obligations for stand-alone Annex III systems (including credit scoring) to December 2, 2027.
  6. Harris Beach Murtha — Fannie Mae and Freddie Mac Set New AI Standards for Mortgage LendersSide-by-side analysis: Fannie's principles-based structure vs. Freddie's prescriptive controls — named senior roles, NIST 800-53 / ISO 27001 audits, segregation of duties, training, indemnification.
  7. Cooley — Fannie Mae Issues AI/ML Governance Framework for Sellers and ServicersScope and preparation analysis; notes GSEs will increasingly examine AI/ML use and reserve the right to question deployment rationale and safeguards.
  8. NIST — AI Risk Management FrameworkThe de facto reference for AI governance programs: govern, map, measure, manage — including the Generative AI Profile.
  9. Ncontracts — Will You Be Ready to Comply with Freddie Mac's AI Requirements?Readiness analysis: most lenders unprepared; centralized AI/vendor inventories, standardized due-diligence questionnaires, and documented oversight are the gap-closers.
  10. CFPB — Circular 2022-03: Adverse-action notification with complex algorithmsCreditors using complex algorithms must still provide specific, accurate adverse-action reasons — no hiding behind black-box models.
Built to be governed

Bring your vendor questionnaire. We'll answer it on a live file.

Power Underwriter is designed for exactly this bar: every figure cited to a source page, every run auditable, every decision human. See the seven answers — on your own loan, inside the LOS you already use.

Power Underwriter Research

AI underwriting for mortgage brokers & lenders

We build the AI underwriting assistant that reads complete loan files, calculates income and assets, reviews conditions, and generates structured reports — without leaving your loan origination system. This brief summarizes public GSE guidance and is not legal advice; every claim is traceable to the numbered sources above.