Fannie Mae’s Lender Letter LL-2026-04 sets a governance framework for how sellers and servicers use artificial intelligence and machine learning. It takes effect around August 6, 2026. If you sell to Fannie and AI or ML touches your operations anywhere, you need written policies and procedures in place. That is work you have to do regardless, so the only real question is how to do it without burning a quarter on it.
The good news: the starting point fits in the tool that is almost certainly already in your tenant. The honest part: this rule is broad, so the starting point is not the finish line. Here is both.
What the letter actually requires
Stripped to its operative requirements, a seller/servicer must:
- Have policies and procedures “regarding the development, implementation, use and maintenance of any AI/ML system it utilizes, and the measuring and managing of AI/ML risks.”
- Name an owner who “implements, maintains and reviews the policies and procedures at least annually to ensure they comply with applicable law and consistently reflects industry best practices.”
- Comply with “the Fannie Mae Information Security and Business Resiliency Supplement.”
- Govern vendors and subcontractors’ AI/ML use “no less protective” than your own.
- Disclose on request: “the types of AI/ML used, the purpose and manner for such use, the safeguards … to mitigate risks,” and related information.
- Stay legal: “ensure compliance with applicable laws and the Lender Contract.”
There is no template, no form, no portal. You are expected to write the policies, name the owner, and be ready to show your work.
The honest catch: this one is broad
“Policies and procedures for your AI/ML use” sounds like one document. It is not, because AI use is not in one place. It shows up in valuation (AVMs), underwriting models, pricing, fraud and AML screening, servicing optimization, document automation, and marketing. The governing policy is one new document, but every existing P&P that touches an AI system may need oversight language too.
So the real job is three steps, not one. And the size of each step tells you which tool to use.
The three steps
1. Inventory (find where AI lives). Ask the AI to read across your P&Ps and operations and tell you where AI or ML is in use, and which policies need governance language. This is a reading job, so even Microsoft Copilot handles it (it can summarize a document set up to roughly 300 pages). The output is your list of policies to touch, and the AI inventory the letter expects you to produce on request.
2. Draft the core policy (net-new). The standalone AI Governance Policy that satisfies the six requirements above. It is a fresh document, so it drafts cleanly in any tool. The copy-paste block below gets you a working first draft.
3. Touch each affected P&P. Update each AI-using policy with the oversight, vendor-governance, and disclosure language. One at a time these are small edits that fit any tool; all at once, with the whole policy set in view, is where a larger context window earns its keep.
Start here: paste this into Copilot, Claude, or ChatGPT
This drafts the core policy (Step 2). It is small enough to run in any tool, free Copilot included.
You are a mortgage compliance analyst. Below are the requirements from Fannie Mae
Lender Letter LL-2026-04 governing the use of AI and machine learning. Draft a
starter AI Governance Policy for a Fannie Mae seller/servicer that addresses each
requirement. For each section, quote the specific requirement it satisfies. Use
ONLY the requirements below; do not invent or paraphrase regulatory text. Flag
every place the firm must fill in its own specifics (its AI inventory, its named
owner, its vendor list, its safeguards). Keep it to a working draft a compliance
officer will review and tailor. This is a draft for review, not legal advice.
REQUIREMENTS (FNMA LL-2026-04), verbatim:
1. "Have policies and procedures regarding the development, implementation, use and
maintenance of any AI/ML system it utilizes, and the measuring and managing of
AI/ML risks."
2. "have an owner(s) that implements, maintains and reviews the policies and
procedures at least annually to ensure they comply with applicable law and
consistently reflects industry best practices."
3. "Comply with the requirements in the Fannie Mae Information Security and Business
Resiliency Supplement."
4. "Manage risks and appropriate governance of subcontractor and vendor use of AI/ML
that is no less protective of these."
5. "Upon request by Fannie Mae, the seller/servicer must promptly disclose the types
of AI/ML used, the purpose and manner for such use, the safeguards the
seller/servicer has implemented to mitigate risks related to the use of AI/ML."
6. "the seller/servicer must ensure compliance with applicable laws and the Lender
Contract."
Review it, fill in your specifics, and you have a defensible first draft of the document the letter requires.
Which tool for which step
One number runs this decision: Microsoft caps Copilot’s rewrite at about 3,000 words, roughly 6 pages, and notes quality drops past that. It can read far more than it can rewrite. So:
- Drafting the core policy (a fresh ~6-page document): any tool, Copilot included.
- Inventorying where AI lives (reading across your P&Ps): Copilot reads up to ~300 pages, so it finds the list even though it cannot redline all of it.
- Redlining one affected P&P at a time: any tool.
- Redlining the whole affected set in one pass, holding the policy library and the regulation together: a Claude job (200K tokens on Pro/Team, 500K on Enterprise).
The rule of thumb: under ~6 pages of rewrite, use what you have; over it, that is where you graduate to Claude. A broad rule like this one crosses that line the moment you go past the core policy.
What they’re saying
This issue’s curated round-up of industry reactions to LL-2026-04 is being compiled. If you are writing or speaking about the letter, reply and we may feature your take.
Get the rest
The core policy is one piece. The full kit, the affected-P&P checklist, and the Skill that runs the whole sweep are on the site, along with every update on this year’s calendar sorted by which you can do in Copilot and which want Claude.
Appendix — the operative provisions, verbatim
Source: Fannie Mae Lender Letter LL-2026-04, “Governance framework on use of artificial intelligence and machine learning.”
- “Have policies and procedures regarding the development, implementation, use and maintenance of any AI/ML system it utilizes, and the measuring and managing of AI/ML risks.”
- “have an owner(s) that implements, maintains and reviews the policies and procedures at least annually to ensure they comply with applicable law and consistently reflects industry best practices.”
- “Comply with the requirements in the Fannie Mae Information Security and Business Resiliency Supplement.”
- “Manage risks and appropriate governance of subcontractor and vendor use of AI/ML that is no less protective of these.”
- “Upon request by Fannie Mae, the seller/servicer must promptly disclose the types of AI/ML used, the purpose and manner for such use, the safeguards the seller/servicer has implemented to mitigate risks related to the use of AI/ML, and such other information as Fannie Mae may request.”
- “the seller/servicer must ensure compliance with applicable laws and the Lender Contract.”