← All issues

Issue 1 · 2026-06-12

FNMA's AI Lender Letter: what it requires, and how to get ahead of it with the AI you already have

Fannie Mae’s Lender Letter LL-2026-04 sets a governance framework for how sellers and servicers use artificial intelligence and machine learning. It takes effect around August 6, 2026. If you sell to Fannie and AI or ML touches your operations anywhere, you need written policies and procedures in place. That is work you have to do regardless, so the only real question is how to do it without burning a quarter on it.

The good news: the starting point fits in the tool that is almost certainly already in your tenant. The honest part: this rule is broad, so the starting point is not the finish line. Here is both.

What the letter actually requires

Stripped to its operative requirements, a seller/servicer must:

  1. Have policies and procedures “regarding the development, implementation, use and maintenance of any AI/ML system it utilizes, and the measuring and managing of AI/ML risks.”
  2. Name an owner who “implements, maintains and reviews the policies and procedures at least annually to ensure they comply with applicable law and consistently reflects industry best practices.”
  3. Comply with “the Fannie Mae Information Security and Business Resiliency Supplement.”
  4. Govern vendors and subcontractors’ AI/ML use “no less protective” than your own.
  5. Disclose on request: “the types of AI/ML used, the purpose and manner for such use, the safeguards … to mitigate risks,” and related information.
  6. Stay legal: “ensure compliance with applicable laws and the Lender Contract.”

There is no template, no form, no portal. You are expected to write the policies, name the owner, and be ready to show your work.

The honest catch: this one is broad

“Policies and procedures for your AI/ML use” sounds like one document. It is not, because AI use is not in one place. It shows up in valuation (AVMs), underwriting models, pricing, fraud and AML screening, servicing optimization, document automation, and marketing. The governing policy is one new document, but every existing P&P that touches an AI system may need oversight language too.

So the real job is three steps, not one. And the size of each step tells you which tool to use.

The three steps

1. Inventory (find where AI lives). Ask the AI to read across your P&Ps and operations and tell you where AI or ML is in use, and which policies need governance language. This is a reading job, so even Microsoft Copilot handles it (it can summarize a document set up to roughly 300 pages). The output is your list of policies to touch, and the AI inventory the letter expects you to produce on request.

2. Draft the core policy (net-new). The standalone AI Governance Policy that satisfies the six requirements above. It is a fresh document, so it drafts cleanly in any tool. The copy-paste block below gets you a working first draft.

3. Touch each affected P&P. Update each AI-using policy with the oversight, vendor-governance, and disclosure language. One at a time these are small edits that fit any tool; all at once, with the whole policy set in view, is where a larger context window earns its keep.

Start here: paste this into Copilot, Claude, or ChatGPT

This drafts the core policy (Step 2). It is small enough to run in any tool, free Copilot included.

You are a mortgage compliance analyst. Below are the requirements from Fannie Mae
Lender Letter LL-2026-04 governing the use of AI and machine learning. Draft a
starter AI Governance Policy for a Fannie Mae seller/servicer that addresses each
requirement. For each section, quote the specific requirement it satisfies. Use
ONLY the requirements below; do not invent or paraphrase regulatory text. Flag
every place the firm must fill in its own specifics (its AI inventory, its named
owner, its vendor list, its safeguards). Keep it to a working draft a compliance
officer will review and tailor. This is a draft for review, not legal advice.

REQUIREMENTS (FNMA LL-2026-04), verbatim:
1. "Have policies and procedures regarding the development, implementation, use and
   maintenance of any AI/ML system it utilizes, and the measuring and managing of
   AI/ML risks."
2. "have an owner(s) that implements, maintains and reviews the policies and
   procedures at least annually to ensure they comply with applicable law and
   consistently reflects industry best practices."
3. "Comply with the requirements in the Fannie Mae Information Security and Business
   Resiliency Supplement."
4. "Manage risks and appropriate governance of subcontractor and vendor use of AI/ML
   that is no less protective of these."
5. "Upon request by Fannie Mae, the seller/servicer must promptly disclose the types
   of AI/ML used, the purpose and manner for such use, the safeguards the
   seller/servicer has implemented to mitigate risks related to the use of AI/ML."
6. "the seller/servicer must ensure compliance with applicable laws and the Lender
   Contract."

Review it, fill in your specifics, and you have a defensible first draft of the document the letter requires.

Which tool for which step

One number runs this decision: Microsoft caps Copilot’s rewrite at about 3,000 words, roughly 6 pages, and notes quality drops past that. It can read far more than it can rewrite. So:

The rule of thumb: under ~6 pages of rewrite, use what you have; over it, that is where you graduate to Claude. A broad rule like this one crosses that line the moment you go past the core policy.

What they’re saying

This issue’s curated round-up of industry reactions to LL-2026-04 is being compiled. If you are writing or speaking about the letter, reply and we may feature your take.

Get the rest

The core policy is one piece. The full kit, the affected-P&P checklist, and the Skill that runs the whole sweep are on the site, along with every update on this year’s calendar sorted by which you can do in Copilot and which want Claude.


Appendix — the operative provisions, verbatim

Source: Fannie Mae Lender Letter LL-2026-04, “Governance framework on use of artificial intelligence and machine learning.”

  1. “Have policies and procedures regarding the development, implementation, use and maintenance of any AI/ML system it utilizes, and the measuring and managing of AI/ML risks.”
  2. “have an owner(s) that implements, maintains and reviews the policies and procedures at least annually to ensure they comply with applicable law and consistently reflects industry best practices.”
  3. “Comply with the requirements in the Fannie Mae Information Security and Business Resiliency Supplement.”
  4. “Manage risks and appropriate governance of subcontractor and vendor use of AI/ML that is no less protective of these.”
  5. “Upon request by Fannie Mae, the seller/servicer must promptly disclose the types of AI/ML used, the purpose and manner for such use, the safeguards the seller/servicer has implemented to mitigate risks related to the use of AI/ML, and such other information as Fannie Mae may request.”
  6. “the seller/servicer must ensure compliance with applicable laws and the Lender Contract.”
Get each issue in your inbox One regulatory update at a time, with the copy-paste block and the kit built in. Forward it to anyone; no spam; one-click unsubscribe.

Find this useful? Forward it to someone who’d want it — they can subscribe at the top.