
The August 6 Deadline: What Fannie Mae's AI Rules Actually Require
Most lenders haven't read the mandate. Here's what Fannie Mae's LL-2026-04 and Freddie Mac's Section 1302.8 actually say—and the 8 things you need to do before the clock runs out.
Executive Summary
Most lenders haven't read the mandate. Here's what Fannie Mae's LL-2026-04 and Freddie Mac's Section 1302.8 actually say—and the 8 things you need to do before the clock runs out.
On April 8, Fannie Mae issued Lender Letter LL-2026-04 — a governance framework for any seller or servicer using AI or machine learning in origination or servicing. It takes effect August 6. That's 97 days from today.
Freddie Mac's version — Section 1302.8 of the Seller/Servicer Guide — has been in effect since March 3. If you sell to Freddie, you're already subject to these requirements. The March deadline has passed.
Both GSEs now require the same thing: an auditable AI governance program. Not a policy PDF. Not a slide deck from last year's board meeting. A living, operational program that can survive a live audit.
Most lenders aren't ready. Only 7% have fully deployed AI enterprise-wide (STRATMOR). But here's the catch — the mandate doesn't only cover lenders who've "deployed AI." It covers anyone using AI anywhere in the loan lifecycle. Your document processing vendor uses ML for data extraction? That's in scope. Your chatbot handles borrower questions? In scope. Your QC tool flags exceptions using pattern matching? Probably in scope.
As attorney James Brody put it: "AI governance is not a future compliance project. It is a present-tense operational requirement."
What the Rules Actually Say
Fannie Mae's approach is principles-based. Freddie Mac's is prescriptive. Attorneys advising lenders — including Cooley, Garris Horn, and HousingWire's legal analysts — recommend building to Freddie Mac's stricter standard, because it satisfies both sets of requirements.
The combined mandate breaks into four pillars (Cooley Finsights, Apr 24; DeepInspect analysis, Apr 17):
Pillar 1: AI Inventory
Every AI and ML tool must be documented. Each entry requires:
- Business purpose
- System owner
- Connection to origination or servicing activities
- Provider (internal or vendor)
This includes vendor-provided AI tools. If your document processing vendor uses ML under the hood, it goes in your inventory. The inventory must be producible on demand when the GSE inquires.
Pillar 2: Risk Management
Lenders must map, measure, and manage AI risks across three categories:
- Bias and fairness: Fair lending implications of AI-driven decisions
- Security vulnerabilities: Prompt injection, data leakage, model manipulation
- Performance degradation: Model drift, accuracy decay, edge case failures
Risk controls must be calibrated to the company's risk tolerance. Freddie Mac specifically requires segregation of duties and documented escalation paths. Freddie also expects alignment with recognized security frameworks — NIST 800-53 and ISO 27001 are named explicitly (Garris Horn, Jan 29).
Pillar 3: Governance Structure
- Designate an executive owner for AI risk
- Review AI policies at least annually
- Document roles, responsibilities, and escalation paths
- Ensure transparency for personnel with AI responsibilities
- Comply with 36-hour incident notification requirements for AI-related incidents
Pillar 4: Audit-Ready Documentation
This is where the mandate gets teeth. Lenders must:
- Demonstrate compliance and operational controls on demand
- Maintain audit trails for AI-assisted decisions
- Disclose types of tools in use, their providers, and safeguards upon GSE inquiry
- Prove that vendor AI usage is supervised and compliant
One critical detail most lenders miss: you are liable for AI mistakes made by your vendors and subcontractors. Your obligation to supervise vendor AI tools persists regardless of the vendor's SOC 2 status.
The Disclosure Test You Need to Pass
Both GSEs expect lenders to "quickly disclose the types of tools in use, their providers, and the safeguards put in place to mitigate risks" upon inquiry (Fannie Mae LL-2026-04; Freddie Mac Section 1302.8).
That's a live audit. When the GSE shows up, they'll ask questions like:
- Which AI tools touched this loan file?
- Who used them, and when?
- What data was in the prompt? Was borrower NPI involved?
- What safeguards prevented misuse?
- Can you prove those safeguards were active at the time of the interaction?
A policy document and a quarterly spreadsheet will not survive this test. You need operational evidence — not intentions.
Australia Just Showed Us the Playbook
On April 30, Australia's prudential regulator APRA issued a formal letter to every regulated financial institution warning that "governance, risk management, assurance and operational resilience practices are not keeping pace with the scale, speed, and complexity of AI adoption" (Reuters, Apr 30).
APRA went further. It named specific frontier AI models — including Anthropic's — as potential vectors for increasing "the speed and scale of cyber attacks." It warned that bank boards are "still developing the technical literacy required for AI oversight."
This is the first time a major bank regulator has issued a formal, industry-wide AI risk letter. It reads like a preview of what U.S. regulators will say when they start examining lender AI programs under the new GSE mandates.
If Australia's regulator is saying boards aren't ready, the question for U.S. mortgage lenders is simple: is yours?
The 8-Step Compliance Checklist
Here's what to do before August 6. This isn't a wish list — it's the minimum the mandate requires.
☐ 1. Complete an enterprise-wide AI inventory
Document every AI and ML tool — internal and vendor-provided — that touches origination or servicing. Include business purpose, system owner, provider, and connection to loan activities. Don't rely on self-reported surveys. Audit your tech stack systematically.
Who owns this: CTO or CIO, with compliance oversight.
☐ 2. Identify your vendor AI exposure
Your vendors' AI is your liability. Review every third-party tool for embedded AI/ML functionality — document processing, fraud scoring, income verification, borrower communications, QC engines. Ask each vendor: Do you use AI or ML in any component that touches our loan data? Get it in writing.
Who owns this: Vendor management + compliance.
☐ 3. Designate an executive AI risk owner
The mandate requires defined accountability. Someone at the executive level must own AI governance — not as an add-on to their existing role, but as a named responsibility with authority to approve, modify, or shut down AI deployments.
Who owns this: CEO/COO decision — this is a reporting-line question.
☐ 4. Build your risk management framework
Map AI risks across the three required categories: bias/fairness, security vulnerabilities, and performance degradation. Calibrate controls to your risk tolerance. Document segregation of duties and escalation paths. Align with NIST 800-53 or ISO 27001 where applicable.
Who owns this: Chief Risk Officer or Chief Compliance Officer.
☐ 5. Establish audit trails for AI-assisted decisions
This is the hardest item on the list. When an AI tool touches a loan file, you need a record linking the specific interaction to the specific loan, the specific user, and the specific output. Most lenders have zero infrastructure for this today.
Who owns this: Technology + compliance, jointly.
☐ 6. Implement incident notification procedures
Freddie Mac requires 36-hour notification for AI-related incidents. Build the playbook now: what constitutes an AI incident, who gets notified, what documentation is required, and how you communicate to the GSE within the window.
Who owns this: CISO or head of risk, with legal counsel.
☐ 7. Schedule your annual AI policy review
Both GSEs expect at least annual review of AI governance policies. Set the cadence now. Define what triggers an off-cycle review — new AI tool deployment, vendor change, regulatory update, or incident.
Who owns this: Compliance, with board-level reporting.
☐ 8. Run a mock disclosure exercise
Before the GSE asks, ask yourself. Pull a random loan file and answer: Which AI tools touched this file? Who used them? What data was involved? What safeguards were in place? Can I prove it? If you can't answer all five questions with documentation, you have a gap.
Who owns this: Internal audit or compliance — treat it like a dry run.
The Benchmark Is Already Being Set
Newrez just committed to an AI-native servicing platform by early 2027, backed by $65M in annual AI savings and a 15% cost-per-loan cut to $93 (BusinessWire, Apr 28). Freddie Mac has already securitized VantageScore 4.0 mortgages through Newrez's pipeline (HousingWire, Apr 24).
That's the lender setting the compliance bar. When the GSEs evaluate what "reasonable care" looks like, they won't measure you against the industry average. They'll measure you against the lenders who took governance seriously.
97 days isn't a lot of time. But it's enough — if you start now and work the checklist.
— Stephen Schrump, CEO, PitchPoint Solutions
Sources:
- Fannie Mae Lender Letter LL-2026-04 (Apr 8, 2026)
- Freddie Mac Seller/Servicer Guide Section 1302.8 (effective Mar 3, 2026)
- Cooley Finsights, "Fannie Mae Issues AI/ML Governance Framework" (Apr 24, 2026)
- DeepInspect / Parminder Singh, "LL-2026-04: What the First Sector-Specific AI Governance Mandate Requires" (Apr 17, 2026)
- Garris Horn LLP, "Freddie Mac's AI Requirements Take Effect March 3, 2026" (Jan 29, 2026)
- HousingWire, "GSE AI governance rules hit lenders and servicers" (Apr 15, 2026)
- APRA Australia, "Letter to Industry on Artificial Intelligence" (Apr 30, 2026)
- Reuters, "Australian banks warned frontier AI could create larger, faster cyber attacks" (Apr 30, 2026)
- STRATMOR Group, AI deployment survey
- BusinessWire, Newrez Q1 earnings (Apr 28, 2026)
- HousingWire, Freddie Mac VantageScore securitization (Apr 24, 2026)
Ready to Transform Your Verification Process?
See how industry leaders are streamlining verification with PitchPoint.
Continue Reading
More insights you might find valuable
97 Days: The AI Governance Deadline Most Lenders Are Missing
Fannie Mae's AI governance mandate takes effect August 6. Freddie Mac's has been live since March 3. Both cover any AI touching a loan—including your vendors'. Here's the 8-step checklist and the disclosure test the GSE will run.

AI Fraud in Mortgage Lending: Why Rules Beat Guardrails
AI-generated fraud is accelerating—synthetic identities, deepfake pay stubs, fabricated bank statements. If your fraud detection is AI-based, it can be fooled by AI. Here's why source-level, deterministic verification is the only durable defense.
Stephen Schrump
May 13, 2026

Why 62% of Lenders Still Haven't Adopted AI — And What the Early Movers Got Right
A November 2025 STRATMOR survey found only 38% of mortgage lenders use any form of AI. That's not ignorance—it's four structural barriers nobody talks about honestly. Here's what the early movers understood that the first wave of mortgagetech didn't.
Stephen Schrump
May 6, 2026