Artificial intelligence and machine learning are no longer experimental tools in residential mortgage lending. They are embedded across the loan lifecycle, from borrower intake and underwriting to pricing, quality control, servicing, fraud detection and loss mitigation. For several years, federal regulators have cautioned that the use of advanced analytics does not alter lenders’ legal obligations, particularly under fair lending and consumer protection laws. What has changed recently is that Fannie Mae and Freddie Mac have translated those expectations into concrete governance requirements that directly condition a lender’s ability to sell loans into the secondary market.
For mortgage lenders and servicers, including nonbank lenders, compliance with Fannie Mae and Freddie Mac requirements is foundational. These institutions’ artificial intelligence governance requirements represent a material shift in compliance expectations, extending well beyond traditional underwriting models and into nearly every technology-enabled function that touches a mortgage loan.
Fannie Mae and Freddie Mac AI Governance Requirements
In April 2026, Fannie Mae issued Lender Letter LL 2026 04, establishing a formal governance framework for any approved seller or servicer using artificial intelligence (AI) or machine learning (ML) in connection with the origination or servicing of loans sold to, or guaranteed by, Fannie Mae. The letter applies broadly and does not distinguish between internally developed tools and vendor-provided systems, nor does it limit its scope to underwriting. Instead, it captures any AI or ML system used in origination or servicing activities, with a rapidly approaching effective date of August 6, 2026. The full text is available directly from Fannie Mae.
Freddie Mac acted earlier and more prescriptively. Through Guide Bulletin 2025 16, issued December 3, 2025, Freddie Mac amended its Single Family Seller/Servicer Guide to impose detailed governance, audit and security requirements for AI and ML systems. This bulletin is already in effect, as it had an effective date of March 3, 2026. Those requirements are codified principally in Section 1302.8 of the Guide, and summarized in the bulletin itself.
Although the two frameworks differ in tone and level of detail, they are directionally aligned. Fannie Mae provides a principles-based structure that establishes the essential components of AI governance. Freddie Mac goes further, mandating specific operational controls, audit standards and an express indemnification obligation. Lenders that sell to both institutions must satisfy the more stringent elements of each.
How AI Changes the Compliance Analysis
These frameworks are best understood against the backdrop of how artificial intelligence has altered long-standing compliance assumptions in mortgage lending.
Traditional mortgage compliance programs developed around human decision-making and relatively static models. These prior models, generally speaking, relied on rules-based logic that could be documented, tested and explained. Modern large language models challenge those assumptions in several important respects.
First, explainability has become more complex. Many AI models rely on large numbers of variables and non-linear interactions that are difficult to interpret – even for the model providers. This creates tension with long-standing requirements under the Equal Credit Opportunity Act and Regulation B that lenders provide accurate and specific reasons for adverse actions. Lenders should also recognize that the Consumer Financial Protection Bureau’s removal of disparate impact from Regulation B, effective July 2026, does not eliminate fair lending exposure tied to AI. Disparate impact theories remain available under the Fair Housing Act, Government Services Exchange contractual requirements, and a number of state fair lending regimes.
Second, AI systems are often dynamic. Unlike traditional credit models that are recalibrated periodically, ML systems may update continuously as they ingest new data. The Federal Housing Finance Agency, an independent agency responsible for the effective supervision, regulation, and oversight of the housing mission of Fannie Mae, Freddie Mac and the Federal Home Loan Bank System, has warned this creates the risk of model drift, where a system that was compliant at deployment evolves in ways that introduce bias or other compliance issues over time. FHFA addressed these risks in Advisory Bulletin 2022 02, revised in May 2025, which provides guidance to Fannie Mae and Freddie Mac on AI and ML risk management and emphasizes transparency, accountability, fairness and ongoing monitoring.
Third, AI has accelerated reliance on third-party vendors. Document processing tools, income and asset verification platforms, fraud detection engines, customer communication systems and marketing analytics increasingly rely on AI. Under Fannie Mae’s framework, seller-servicers must manage risks arising from vendor and subcontractor use of AI in a manner that is no less protective than the controls applied internally.
Finally, AI introduces security and integrity risks that differ from those associated with traditional software. Freddie Mac’s requirements explicitly reference threats, such as data poisoning and adversarial inputs, and require lenders to assess and mitigate those risks as part of their AI governance programs.
Governance and Accountability
Both Fannie Mae and Freddie Mac expect AI governance to be embedded in enterprise risk management and overseen by senior leadership. Fannie Mae requires written policies governing AI and ML use that are owned, maintained and reviewed at least annually. Freddie Mac goes further, requiring AI policies be approved by senior management, including executives such as the chief information officer, chief technology officer, chief information security officer or chief risk officer. In practice, this means AI governance cannot be delegated solely to technology teams. Compliance, legal, risk management and senior leadership must all play defined roles, with clear accountability and escalation paths.
Written Policies and Procedures
At a minimum, lenders must maintain written policies and procedures that address the full lifecycle of AI and ML systems, including development, implementation, use, maintenance and retirement. Across both frameworks, those policies are expected to:
- Reflect applicable legal and regulatory requirements
- Incorporate principles of trustworthy and ethical AI\
- Be aligned with the lender’s risk tolerance
- Be communicated to relevant personnel
- Be reviewed and updated regularly
Inventory, Risk Assessment and Monitoring
Both Fannie Mae and Freddie Mac, informed by FHFA guidance, expect lenders to know where and how AI is used across the business. Maintaining a comprehensive inventory of AI and ML systems is therefore a critical step. That inventory should include internally developed tools, external AI programs, as well as vendor-provided systems embedded in broader platforms.
Risk assessment does not end at deployment. Freddie Mac explicitly requires ongoing monitoring for performance degradation, bias and security issues, as well as regular internal and external audits measured against recognized standards. Fannie Mae’s framework is less prescriptive with regard to mechanics, but it reserves broad rights to request information and evaluate whether a seller-servicer’s controls align with industry best practices and applicable law.
Vendor and Third-Party Oversight
One of the most consequential aspects of the new frameworks is their treatment of third-party AI systems. Fannie Mae requires lenders to manage risks associated with vendor use of AI in a manner that is no less protective than their internal controls.
For many lenders, this will require revisiting vendor contracts and due diligence practices to ensure access to sufficient information about how AI systems function, how they are updated and how risks are tested and mitigated.
Generative AI also raises distinct records-management concerns. Prompts, outputs, uploaded documents and usage logs may not be retained by vendor systems by default and may be lost before litigation or regulatory review. Lenders should update legal hold procedures and document retention policies to address generative AI electronically stored information expressly, specify what must be preserved and confirm that vendor configurations will not auto-delete material that may be subject to preservation obligations.
Transparency and Disclosure
Both Fannie Mae and Freddie Mac reserve the right to request detailed information about lenders’ AI use. Fannie Mae expressly requires seller-servicers, upon request, to disclose the types of AI systems used, their purposes and the safeguards in place to mitigate risk. Freddie Mac reinforces these expectations through an express indemnification provision tied to AI use.
Practical Compliance Considerations
For many companies, the challenge is not identifying a single missing control, but integrating AI governance into existing compliance and risk frameworks in a sustainable way. Many lenders are establishing cross-functional AI governance committees that include representatives from compliance, legal, risk management, technology and the business units that use AI. Institutions are also moving toward risk-tiered governance models, applying more rigorous validation, monitoring and documentation requirements to higher-risk AI systems, particularly those that directly affect credit decisions or borrower outcomes. FHFA has endorsed risk-based approaches, provided they are well-reasoned and consistently applied.
Customer-Facing AI and Consumer Communications
Lenders that deploy AI in customer-facing applications, including chatbots used for origination inquiries or servicing communications, automated outbound communications and voice or biometric authentication systems, face an additional layer of consumer protection obligations. Several states, including California and New York, have enacted or proposed laws requiring disclosure that a consumer is interacting with an AI system rather than a human, and AI-generated calls, texts and marketing must comply with Telephone Consumer Protection Act requirements. AI tools that process biometric data, such as voice or facial recognition, implicate state biometric privacy laws, including the Illinois Biometric Information Privacy Act. Training is another area of heightened focus. Freddie Mac expressly requires AI risk management training for personnel and partners.
Looking Ahead
Fannie Mae and Freddie Mac have made clear that artificial intelligence is now a permanent feature of the mortgage market and a permanent focus of regulatory scrutiny. Their governance frameworks do not prohibit innovation, but they do require that innovation be accompanied by transparency, accountability and disciplined risk management.
For lenders that depend on access to the secondary market, these requirements establish a new compliance baseline. It is a legal, regulatory and enterprise risk issue that demands coordinated attention across the organization. Lenders that focus now on compliant, proportionate AI governance will be better positioned not only to maintain Fannie Mae and Freddie Mac eligibility, but also to deploy AI responsibly in a market where trust, fairness and auditability are critical.
Our Artificial Intelligence Industry Team can help with Freddie Mac and Fannie Mae AI compliance. If you need assistance or have questions, please reach out to attorney Brendan M. Palfreyman at (315) 214-2161 and bpalfreyman@harrisbeachmurtha.com, or the Harris Beach Murtha attorney with whom you most frequently work.
This alert is not a substitute for advice of counsel on specific legal issues.
Harris Beach Murtha’s lawyers and consultants practice from offices throughout Connecticut in Bantam, Hartford, New Haven and Stamford; New York State in Albany, Binghamton, Buffalo, Ithaca, New York City, Niagara Falls, Rochester, Saratoga Springs, Syracuse, Long Island and White Plains; as well as in Boston, Massachusetts, and Newark, New Jersey.