Every kit we ship updates one regulation against your P&Ps. This issue is the method underneath all of them — the reframe that takes your policies and procedures from a binder you maintain to an instrument you operate. It rests on four propositions, each building on the last.
If you’ve tried to use AI on your P&Ps before, you may have run into hallucination — invented citations, confident misreadings. That’s the exact problem this method is built to contain: let AI do what it’s genuinely good at (reading), and forbid, mechanically, what it isn’t (inventing). The infrastructure below is how.
There is a full white paper version of this with the worked example and the guardrails spelled out:
1. AI is good at reviewing documents
Strip away the hype and one capability is solid enough to build on: AI reads well. It holds a long document in view, compares it to another, and finds the passage that matters. That is the most time-expensive part of a compliance officer’s job — reading a regulation, reading a policy, and finding where the two meet or fail to.
This isn’t our claim alone: Anthropic’s own legal use-case guide points compliance and legal teams at exactly this work — reviewing contracts and regulatory text — and adds, tellingly, that the output “should be reviewed by legal professionals.” The known limit cuts the same way: models track the start and end of a long document better than its middle, which is precisely why this method keeps each policy in its own focused chat instead of dumping the whole library into one window.
State it plainly because the industry skips past it toward flashier claims, and the flashier claims are where the risk lives. Reading and locating is reliable. Inventing and asserting is not. A method that leans entirely on the first and structurally forbids the second is one you can stand behind.
2. With the right instructions and data, that becomes regulatory maintenance
Give the AI two things — the verbatim text of the new or changed rule and the policy it may touch — and instruct it carefully. It can then do what manual review does slowly and unevenly:
- Locate the sections of the P&P that reflect the old rule.
- Draft a first-pass revision so they comply with the new rule, each change tied to the requirement that drove it.
- Surface the operational gap — not just the wording to change, but what in the line of business has to change to actually comply. A new disclosure obligation isn’t satisfied by editing a sentence; someone has to send the disclosure. The gap analysis names that.
That second output is the one teams underestimate. A good AI pass produces two deltas: the document delta (what the policy should now say) and the operational delta (what the business must start, stop, or change). Both are first drafts for you to review and own — but starting from a structured draft instead of a blank page next to a 300-page rule is the difference between a week and an afternoon.
3. Projects + Skills make it consistent across your whole set
One well-prompted document is a parlor trick. A program is forty policies, and the bar is every policy, the same way, every time — because an examiner doesn’t grade your best document, and a missed one is where exposure hides. Two platform features turn the trick into a method:
- Upload each P&P as its own chat in a Project. One policy per chat keeps each review focused and produces a clean, structured result. (Split a very large policy across several chats.)
- Use a Skill to enforce the current regulatory requirements — and the discipline — uniformly. Installed once, it makes every chat cite verbatim, never assert what the document doesn’t support, and report in one fixed format. Rigor is built into the method, not improvised. The Skill enforces the rules of engagement; the rule text stays a swappable file it reads first, so currency is a one-file update, not a rebuild.
- Chats in a Project share what they find. So a single regulatory update becomes a program-wide event: fan out to identify which P&Ps are impacted, run the operational gap analysis for each, and produce a provisional first-draft update for every affected policy — grounded in the verbatim requirement, the same way across the whole library.
You review and decide on all of it. The labor of finding, analyzing, and drafting — thoroughness, not judgment — is done consistently across every policy in one coordinated pass.
4. Then it becomes a shared operating method
Once the policies are current, create a new shared Project with the operational people the P&Ps govern — origination, servicing, marketing, vendor management. There, the now-current policies become a working surface, not an archive:
- An operator runs an ad-hoc item — a borrower letter, a marketing piece, a new procedure — through a chat for a first-draft compliance check against the relevant current policy, before it goes out.
- The check is fast, consistent, and grounded in the firm’s own approved text.
- You set the rules the shared Project enforces and review what it surfaces. The compliance officer is the gate — never the bottleneck, never bypassed.
At that point the P&Ps have changed category: from a binder consulted after a problem to part of the methodology by which the firm stays compliant in the first place — catching first-draft issues at the point of creation, with your judgment encoded into the rules and applied to the review.
That’s the whole arc: P&Ps as liability → P&Ps as asset → P&Ps as methodology.
The guardrails that make it defensible
Built into the mechanics, not left to good intentions:
- Verbatim source, no invented citations. Every cite is the actual rule text, traceable. Can’t ground a claim? It says so and stops. It’s the same principle behind Anthropic’s Citations feature — tie each statement back to its source sentence.
- First drafts for human review — never final, never legal advice. Every output is a working draft a qualified professional reviews, corrects, and owns.
- The compliance officer decides. Materiality, risk, adequacy — the load-bearing judgment stays with the human accountable for it. AI reads and drafts; you decide. This mirrors the NIST AI Risk Management Framework: define human review points, override rights, and clear ownership for high-risk decisions. The goal is never to route around the compliance pro; it’s to give the hardest thinkers in the building a system that scales with them.
What goes in a prompt — and what goes in a Skill
The method lives or dies on two artifacts. Here’s what belongs in each.
A good compliance prompt has five parts: a role and the job; the source named as the only citable input (the keystone anti-hallucination move); the task stated concretely; the discipline (cite verbatim, flag gaps don’t assert, run to completion, first-draft-for-review); and a fixed output format. A compact example that does all five — a one-prompt regulatory-maintenance pass:
You are a mortgage compliance analyst. I'm giving you two things: an
Update Kit (verbatim rule text — your ONLY citable source) and one of
my loss-mitigation P&Ps.
Find every section of my P&P that reflects the OLD rule. For each:
- quote the kit requirement that changed it (verbatim, with its ID),
- draft a compliant first-pass revision,
- name the operational gap: what the business must start, stop, or
change to actually comply — not just what the document should say.
Rules: cite only from the kit; if it isn't in there, say "outside this
kit" — never invent a citation. Where the P&P is silent rather than
wrong, flag it as a gap; don't assert. Run to completion. First draft
for my review, not legal advice.
End with a change-log table: section · what changed · kit ID · operational owner.
That’s the whole Level-1 move — and exactly what our FHA Loss-Mitigation update kit packages: one file you attach, one prompt, a verbatim self-checked gap analysis against Mortgagee Letter 2025-06.
A Skill turns that one-off prompt into something every chat runs identically. Its structure: frontmatter (a name, a description with the trigger phrases, a version) so Claude knows when to use it; the operating rules applied every run (cite verbatim, never assert what’s unevidenced, run to completion); a source-of-truth resolution order (in-chat → Project knowledge → bundled fallback, so currency is a one-file swap); the output contract every run ends with, so many chats merge cleanly; stage routing to pick the right step; and references/ (one file per stage) + assets/ (the verbatim rule kit). Every one of these is visible in the FNMA AI Lender Letter Skill — download it, open the folder, and read the SKILL.md.
See it made concrete
The FNMA AI Lender Letter (LL-2026-04) — published April 8, 2026, effective August 6 — is this method applied to one broad rule: scan every P&P, reconcile against your vendor and app inventory, synthesize the master AI policy, realign each P&P, produce the change log. The free, build-it-yourself kit is the methodology made specific.
Further reading
- Anthropic — Legal summarization use-case guide — document review/summarization as a primary, recommended use.
- NIST — AI Risk Management Framework (+ Generative AI Profile) — the authoritative human-oversight and governance standard.
- Liu et al. — Lost in the Middle (TACL 2024) — why focused, bounded contexts beat one giant window.
- Fannie Mae — Lender Letter LL-2026-04 — the worked example’s primary source.