AI Governance in Mortgage Banking: Moving From Policy Discussion To Regulatory Reality – NMP

May 04, 2026
Founding & Managing Partner, BRODY | GAPP LLP

As regulatory scrutiny intensifies, lenders must prove AI systems are transparent, compliant, and defensible across the mortgage lifecycle

It should come as no surprise to mortgage lenders that artificial intelligence (AI) is already being integrated throughout all phases of the mortgage lifecycle. Rather than serving as an experimental initiative, AI functions as essential production infrastructure, supporting processes such as pricing, fraud detection, document analysis, marketing, servicing, appraisal review, borrower communications, quality control, and employee productivity. As such, the question is no longer whether mortgage companies can use AI — they can — but whether they can defend it.

In today’s regulatory and litigation environment, lenders must be able to show an examiner, investor, plaintiff’s counsel, or a GSE counterparty that each AI system was identified, risk-rated, tested for fair lending and accuracy, governed through clear ownership and policies, monitored for drift and security, and controlled through enforceable vendor contracts. That proof — rooted in existing consumer protection and model/third-party risk expectations and sharpened by AVM rules, adverse-action explainability, and new GSE frameworks — is now the industry’s operational reality.

The Current Legal Baseline

Mortgage AI governance currently builds upon established laws rather than relying on a dedicated federal statute. No comprehensive federal code exists specifically for AI within mortgage banking, so AI tools are evaluated according to existing regulations: ECOA, Regulation B, the Fair Housing Act, UDAAP principles, GLBA, model risk guidance, third-party risk management guidelines, appraisal standards, and GSE seller/servicer requirements.

At the federal level, the most notable update is the interagency rule regarding automated valuation models (AVMs). In July 2024, six federal agencies released the AVM Quality Control final rule, which requires mandatory compliance by October 1, 2025 (89 Fed. Reg. 64658). As a result, institutions now need policies, procedures, and controls that ensure AVMs adhere to quality-control standards, including those related to nondiscrimination.

Adverse action represents another significant challenge. CFPB Circular 2023-03 clarified that creditors utilizing AI or advanced credit models cannot simply use generic checklist reasons unless those reasons accurately and specifically reflect why adverse action was taken. While this principle isn’t new, satisfying it has become more complex due to AI. If a vendor’s model cannot clearly explain why a consumer was denied, offered different pricing, or assigned an alternate pathway, the lender faces a Regulation B issue, even before considering innovation obstacles.

The joint statement issued in April 2023 by the CFPB, DOJ Civil Rights Division, FTC, and EEOC remains relevant, but should be referenced correctly. It didn’t establish new law, but confirmed through an enforcement-position document that civil rights, consumer protection, and competition regulations apply to automated systems. As the FTC press release accompanying the statement made clear: there is no exemption for AI under current laws.

Model Risk Has Changed

For several years, institutions regarded SR 11-7 as the foundation for AI governance. However, this is no longer entirely applicable for banking organizations. In April 2026, the OCC, Federal Reserve, and FDIC released updated interagency model risk management guidance via OCC Bulletin 2026-13, superseding earlier model risk frameworks, including OCC Bulletin 2011-12. The revised guidance adopts a risk-based approach and specifically excludes generative AI and agentic AI from its scope.

This exclusion is significant. While it does not imply that generative AI is unregulated, it requires banks to manage such technologies through alternative frameworks, including compliance management, operational risk, third-party oversight, cybersecurity, privacy, fair lending practices, and board-level governance. Non-bank mortgage lenders are subject to a different regulatory paradigm, though one that is not less rigorous; their responsibilities often stem from GSE contracts, investor standards, vendor relationships, state legislation, and litigation exposure.

FHFA Advisory Bulletin AB 2022-02 provides further context for GSEs by outlining requirements for Fannie Mae and Freddie Mac with respect to AI/ML risk management — encompassing governance, data integrity, model controls, monitoring, bias mitigation, explainability, model drift, and lifecycle management. This supervisory framework is currently being extended to seller/servicers.

Fannie Mae And Freddie Mac Establish AI Governance Standards

Fannie Mae’s Lender Letter LL-2026-04, released on April 8, 2026, introduces an AI/ML governance framework for seller/servicers utilizing artificial intelligence or machine learning in loan origination or servicing. Effective 120 days post-publication, the letter mandates comprehensive policies and procedures governing the development, deployment, operation, maintenance, and risk management of AI/ML systems. Specifically, the Lender Letter addresses trustworthy and ethical AI practices, legal and regulatory compliance issues, acceptable risk levels, clear personnel communication, and annual review by designated ownership. Additionally, adherence to Fannie Mae’s Information Security and Business Resiliency Supplement is required, including vendor governance standards that must be at least as robust as those used by lenders themselves, and prompt disclosure obligations upon request.

Freddie Mac’s guidance, announced in Bulletin 2025-16 and outlined in Guide §§1302.2 and 1302.8, is distinctly more prescriptive. Industry summaries note explicit requirements regarding AI-related security vulnerabilities such as model inversion, data poisoning, and prompt injection, together with governance expectations for seller/servicer use of AI/ML technologies.

A comparison between the two frameworks underscores their differences: Fannie Mae adopts a principles-based approach, while Freddie Mac emphasizes operational detail. For dual-approved seller/servicers, it is advisable to develop a single enterprise AI governance program that satisfies the stricter operational demands of Freddie Mac, mapping each control to both Fannie Mae and Freddie Mac obligations individually.

Understanding these distinctions is critical. Fannie Mae provides broad guidelines rooted in principles; Freddie Mac delivers more specific, actionable instructions. Seller/servicers engaging with both entities should pursue an integrated governance framework that meets the highest operational standards, ensuring alignment with the respective requirements stipulated by Fannie Mae and Freddie Mac.

The Primary Governance Issues

The first issue is inventory. Most lenders do not have a complete list of AI tools in use. AI often enters through vendor upgrades, embedded platform functionality, marketing tools, productivity tools, and employee experimentation. If the institution cannot identify the tool, it cannot test, monitor, restrict, or explain it.

The second issue is fair lending. AI can create disparate outcomes through variables that appear neutral but correlate with protected characteristics. Geography, behavioral data, credit attributes, shopping patterns, lead sources, and servicing histories can all produce proxy risk. The legal question is not whether the model intended discrimination. The question is whether the lender can measure outcomes, explain differences, and remediate unjustified disparities.

The third issue is adverse action. Mortgage lenders need reason-code mapping that connects the actual model drivers to the notice given to the consumer. Vendor assurances are not enough. The contract should require model documentation, feature-importance information, testing support, change notification, and cooperation in regulatory examinations.

The fourth issue is vendor control. AI governance cannot stop at the lender’s firewall. If a pricing vendor, servicing platform, chatbot provider, fraud tool, or document-intelligence system uses AI, the lender needs contractual rights to understand the use case, obtain testing evidence, restrict data use, audit controls, receive change notices, and require remediation.

The fifth issue is data governance. AI systems may ingest nonpublic personal information, credit data, servicing notes, call transcripts, tax documents, employment records, appraisal data, and privileged communications. GLBA, state privacy law, discovery obligations, and contractual confidentiality all converge here. Consumer AI tools should be treated as prohibited for borrower NPI, confidential business information, and privileged material unless the institution has enterprise-grade contractual protections.

The sixth issue is monitoring. AI governance does not end at deployment. Models drift. Vendor systems change. Data populations move. Market conditions shift. A defensible program needs ongoing testing for performance, bias, accuracy, explainability, security, and borrower impact.

What Mortgage Lenders Should Do Now

The initial phase involves preparing a comprehensive written inventory of AI tools, encompassing vendor-integrated solutions, employee-facing applications, borrower-facing platforms, underwriting overlays, pricing engines, fraud detection systems, marketing technologies, servicing workflows, and quality-control mechanisms.

Subsequently, each tool should be classified according to its associated risk profile. Functions such as credit, pricing, valuation, servicing, collections, marketing, and employment warrant greater scrutiny compared to administrative productivity solutions.

Next, update contracts with vendors to ensure they meet critical requirements, including model documentation, support for fair lending testing, provision of adverse-action reason codes, audit rights, change notifications, data-use restrictions, incident reporting, subcontractor transparency, and collaboration with GSE or regulatory requests.

Additionally, establish a robust governance record proactively, prior to any formal request. The documentation must clearly identify AI risk ownership, catalog current tools in use, articulate the rationale behind tool deployment, outline existing safeguards, detail testing activities, describe ongoing monitoring processes, and specify response protocols for tool failures.

Finally, integrate AI oversight into board and senior management reporting structures. Examiners should not need to consult multiple departments to determine responsibility for AI risk management.

The Litigation Horizon

The forthcoming challenges related to artificial intelligence will extend beyond regulatory scrutiny. Plaintiffs are likely to pursue claims involving algorithmic redlining, deficiencies in adverse-action notifications, disparities in servicing triage, appraisal-review biases, chatbot misrepresentations, and broad discovery requests encompassing model documentation, prompts, training data, vendor communications, and AI audit trails. Institutions that will be most resilient in this landscape are not those touting the most advanced AI capabilities, but rather those able to demonstrate a robust and transparent governance framework.
 

About the author
Founding & Managing Partner, BRODY | GAPP LLP
BRODY | GAPP LLP is a national mortgage banking compliance, litigation, and technology law firm representing independent mortgage banks, depositories, credit unions, mortgage brokers, and fintechs in regulatory compliance,…