AI governance in mortgage servicing after the GSE mandates
Artificial intelligence is no longer an emerging technology in mortgage servicing. For many servicers, it has already become part of their day-to-day operations. AI-assisted tools summarize servicing calls, automate document review, classify borrower communications, and support customer interactions through chat and voice assistants. More advanced applications—including predictive borrower analytics, early intervention models, and automated loss mitigation workflows—are beginning to move from pilot programs into production at some institutions, while broader adoption continues across the industry.
Until recently, governance of those systems was largely a matter of best practices. Institutions looked to voluntary frameworks, regulatory guidance, and industry standards to shape their internal AI programs. Over the course of just a few months, that changed.
On December 3, 2025, Freddie Mac issued Bulletin 2025-16, amending Sections 1302.2 and 1302.8 of its Single-Family Seller/Servicer Guide to require a comprehensive governance framework for the development, deployment, and oversight of artificial intelligence and machine learning systems, effective March 3, 2026. On April 8, 2026, Fannie Mae followed with Lender Letter LL-2026-04, establishing its own AI/ML governance framework for seller/servicers, effective August 6, 2026. Nine days later, the federal banking agencies jointly rescinded SR 11-7, OCC Bulletin 2011-12, and related model risk management guidance, replacing them with revised interagency guidance on model risk management.
Although these developments occurred within days of one another, they affect different institutions in different ways.
For banks, the revised interagency guidance remains supervisory guidance. For Freddie Mac and Fannie Mae seller/servicers, however, AI governance now appears in the Guides themselves, making it part of the contractual obligations governing the seller/servicer relationship for those with GSE approvals. In practical terms, AI governance is no longer just a regulatory consideration for seller/servicers. It is now part of the contractual framework governing their relationship with the GSEs, subject to the same contractual remedies applicable to other Guide requirements.
Freddie Mac's requirements are already in effect. Fannie Mae's become effective on August 6, 2026.
How AI Is Changing Mortgage Servicing
Traditional default servicing is reactive by design. A payment is missed, a late notice is generated, roll-rate reports move the loan from one delinquency bucket to the next, and somewhere around day forty-five, a collector attempts right-party contact. The process often treats a short-term cash flow issue and a permanent loss of income as the same event until a servicing specialist determines otherwise—typically after the borrower has already become delinquent.
Artificial intelligence is beginning to change that workflow. Many servicers already use AI-assisted tools to summarize calls, classify borrower communications, automate document review, and support borrower interactions through chat and voice assistants. More advanced applications—including predictive borrower analytics, early intervention models, and automated loss mitigation workflows—are beginning to move from pilot programs into production at some institutions, although adoption remains uneven across the industry.
Where those capabilities are deployed, the operational benefits can be significant. Predictive models may identify borrowers showing signs of financial distress before a payment is missed, allowing servicers to initiate outreach earlier, improve quality right-party contact (QRPC), and better match borrowers with appropriate loss mitigation options. Earlier intervention can reduce foreclosure referrals while improving outcomes for both investors and borrowers.
Those same tools, however, increasingly influence decisions that carry legal and contractual significance. Whether AI classifies a borrower communication, routes a hardship package, prioritizes an outbound call, or recommends a workout path, each automated decision becomes part of a regulated servicing process and should be governed accordingly.
The technology also operates within a regulatory framework that predates it. Regulation X requires live contact, or good faith efforts to establish live contact, by the thirty-sixth day of delinquency under 12 C.F.R. § 1024.39. A loss mitigation application triggers a five-day acknowledgment requirement under § 1024.41(b)(2), a complete application triggers a thirty-day evaluation period under § 1024.41(c)(1), and § 1024.41(f) prohibits the first foreclosure notice or filing until the borrower is more than 120 days delinquent. Those requirements apply regardless of whether the work is performed by a servicing specialist, a workflow engine, or an AI-enabled system. If an AI model routes an application to the wrong queue or prematurely triggers a foreclosure workflow, the resulting compliance issue remains the servicer's responsibility. Human review after the deadline has passed generally does not cure the violation.
The next generation of those servicing requirements is already taking shape. The CFPB's pending Regulation X streamlining proposal, 89 Fed. Reg. 60,204 (July 24, 2024) would replace the current complete-application framework with a loss-mitigation review process that begins when a borrower first requests payment assistance. The proposal also contemplates communications in languages other than English where appropriate. Although the proposal has not been finalized and the current Regulation X framework remains in effect, it provides useful insight into the direction of future servicing expectations. Institutions designing AI-enabled servicing processes today should consider whether their systems are capable of supporting early borrower engagement, continuous loss mitigation review, comprehensive audit trails, and multilingual communications if those concepts ultimately become regulatory requirements.
From Guide to Contract
Freddie Mac moved first and did so with a prescriptive framework. Bulletin 2025-16 applies to artificial intelligence and machine learning used in connection with both origination and servicing, including AI embedded within third-party vendor platforms that a Seller/Servicer neither developed nor fully controls. Updated Section 1302.8 requires enterprise-wide policies, processes, and practices for identifying, measuring, and managing AI risk; integrating trustworthy AI characteristics into those controls; aligning risk management activities with defined risk tolerances; conducting internal and external audits; and performing ongoing monitoring with clearly assigned roles and responsibilities. Updated Section 1302.2 also expands annual information security training to address AI-specific threats, including deepfakes, targeted phishing, model inversion, data poisoning, and prompt injection. Section 1302.8 further includes indemnification obligations associated with a Seller/Servicer's use of AI.
Practitioners familiar with the NIST AI Risk Management Framework will recognize much of the same terminology. Section 1302.8 closely tracks the GOVERN function of the AI RMF, while the remaining provisions align closely with the corresponding GOVERN subcategories. As a result, many of the governance concepts NIST published as voluntary guidance in 2023 now appear as contractual requirements in Freddie Mac's Seller/Servicer Guide.
Fannie Mae adopted a different drafting approach but arrived at many of the same governance expectations. Lender Letter LL-2026-04 requires Seller/Servicers using AI or machine learning in origination or servicing to maintain policies and procedures governing the development, implementation, use, and maintenance of AI/ML systems, together with processes for measuring and managing AI-related risks. Those policies must incorporate trustworthy and ethical AI principles, reflect applicable legal and regulatory requirements, align with the institution's risk tolerance, reach personnel whose responsibilities involve AI, and identify an owner responsible for reviewing the framework at least annually. Vendor and subcontractor use of AI must be governed to standards no less protective than the Seller/Servicer's own framework. Upon request, Seller/Servicers must also disclose to Fannie Mae the AI systems they use, how those systems are used, and the safeguards supporting them. Both Guide frameworks build upon FHFA Advisory Bulletin AB 2022-02, revised in May 2025, which established AI and machine learning risk management expectations for the Enterprises themselves and now, through the Guides, extends similar expectations to their counterparties.
For Seller/Servicers, the significance of these changes lies in where the requirements now reside. Unlike supervisory guidance, the Freddie Mac and Fannie Mae AI governance requirements are incorporated directly into the Seller/Servicer Guides and become contractual obligations. As with other Guide requirements, deficiencies in an AI governance program may give rise to contractual remedies, including indemnification obligations and compensatory fees. Where AI-related deficiencies contribute to loan-level defects, they may also create repurchase exposure. In more significant cases, the Guides permit suspension or termination of Seller/Servicer approval. For institutions approved with both Enterprises, the practical approach is to implement a single enterprise governance program that satisfies the more prescriptive Freddie Mac requirements while mapping those controls to both Guide frameworks.
The Revised Model Risk Guidance
The April 17, 2026, interagency action is important, but it should not be confused with what Freddie Mac and Fannie Mae did. Through OCC Bulletin 2026-13, Federal Reserve SR 26-2, and FDIC FIL-15-2026, the federal banking agencies jointly rescinded SR 11-7, OCC Bulletin 2011-12, the 2021 interagency statement addressing BSA/AML model risk, and the OCC's Model Risk Management booklet of the Comptroller's Handbook, replacing them with a single revised guidance on model risk management.
The revised guidance makes two things clear. First, it remains supervisory guidance. The agencies expressly state that it does not establish enforceable standards and that noncompliance, standing alone, will not result in supervisory criticism. At the same time, they recognize that poor model risk management may still lead to supervisory action where it contributes to violations of law or unsafe or unsound banking practices. The agencies also explain that the guidance is primarily intended for banking organizations with more than $30 billion in total assets, although institutions of any size should scale their model risk management based on the nature and complexity of the models they use.
Second, the guidance expressly excludes generative and agentic AI models from its scope. Traditional quantitative models and non-generative AI models remain covered, while the agencies have indicated that they intend to address generative AI separately. That approach differs from the Freddie Mac and Fannie Mae Guides, which already apply to generative AI and AI embedded within third-party vendor platforms.
Taken together, these developments create different governance frameworks for different parts of the mortgage industry. Depository institutions received updated supervisory guidance that modernizes traditional model risk management while reserving generative AI for future guidance. Freddie Mac and Fannie Mae Seller/Servicers, by contrast, are already subject to contractual AI governance requirements that expressly encompass generative AI and vendor-supported systems.
That distinction should not be read to suggest that generative AI currently operates without regulatory oversight outside the GSE framework. Existing federal and state consumer protection laws, privacy requirements, servicing regulations, fair lending laws, and examination authority continue to apply regardless of the technology being used. State regulators, GSE audit teams, and private litigants are also beginning to evaluate AI-enabled servicing activities through those existing legal frameworks. For institutions deploying AI today, the revised federal guidance should therefore be viewed as one part of a broader governance landscape rather than the full scope of regulatory expectations.
Fair Lending Did Not Go Anywhere
The federal government's approach to disparate-impact enforcement changed significantly during 2025 and 2026. Those developments are important, but they should not be interpreted as eliminating fair lending risk for institutions deploying AI.
Executive Order 14281, issued April 23, 2025, announced a federal policy opposing disparate-impact liability. In January 2026, HUD proposed rescinding its discriminatory-effects regulations and leaving disparate-impact doctrine to the courts. Those regulations include the burden-shifting framework set forth in 24 C.F.R. § 100.500, originally adopted in 2013 and reinstated in 2023 after the 2020 revisions were enjoined before taking effect. In April 2026, the CFPB issued a final rule, published at 91 Fed. Reg. 21,620 and scheduled to become effective July 21, 2026, removing the effects test from Regulation B and narrowing the discouragement prohibition to statements reflecting an intent to discriminate. Together, these developments reflect a broader shift in federal enforcement priorities. The rule has already been challenged. National Fair Housing Alliance v. CFPB, No. 1:26-cv-01820 (D.D.C. filed May 27, 2026), seeks vacatur under the Administrative Procedure Act, and a request for preliminary injunctive relief was pending as this article went to press.
Those developments do not change several important legal realities. An executive order does not amend a statute, and an agency's revision of its own regulation does not rewrite the statute enacted by Congress. Texas Department of Housing & Community Affairs v. Inclusive Communities Project, 576 U.S. 519 (2015), remains controlling Supreme Court precedent recognizing disparate-impact claims under the Fair Housing Act. The FHA applies to residential mortgage lending and servicing, including loss mitigation activities. In practical terms, the Regulation B amendments shift much of the disparate-impact discussion toward the Fair Housing Act, state fair lending laws, and whatever ECOA theories courts continue to recognize. Many state fair lending laws do not mirror the federal changes, several expressly preserve effects-based liability, and state legislatures continue to enact AI-specific legislation, including Colorado's revised AI framework, which becomes effective January 1, 2027. A reduction in federal enforcement activity should not be confused with a reduction in litigation risk. Fair lending theories will continue to be tested through private litigation and under state law.
The amended Regulation B also preserves an important consideration for institutions using AI. Facially neutral criteria remain prohibited where they function as proxies for protected characteristics and are designed or applied with an intent to advantage or disadvantage individuals on a prohibited basis. Although intent may appear to present a high evidentiary hurdle, model development files often contain exactly the types of evidence litigants seek, including the target variables selected, features engineered, alternatives considered and rejected, and disparity analyses performed during model development. For institutions deploying AI in servicing, questions regarding proxy discrimination are not merely theoretical; they are likely to become the subject of discovery.
The mechanics are straightforward. Historical mortgage data reflects decades of lending and housing patterns that continue to influence borrower outcomes today. Federal Reserve Bank of Chicago researchers have documented persistent differences in homeownership, property values, and access to credit along the boundaries of the 1930s HOLC maps. A model optimized solely for "workout success," without appropriate fairness constraints or governance, may identify correlations that function as proxies for protected characteristics. For example, proximity to a well-funded school district may appear to be a neutral predictive variable, yet it also correlates with historical patterns of residential segregation and wealth accumulation. The model is not programmed to discriminate. It learns patterns reflected in historical data, and without appropriate governance, those patterns may influence future decisions.
Regulation B's adverse action requirements also remain unchanged. Section 1002.9(b)(2) requires adverse action notices to identify the principal reasons for a credit decision with specificity, and the April 2026 amendments left those provisions intact. The CFPB withdrew its interpretive guidance addressing algorithmic credit decisions in May 2025, together with numerous other guidance documents, but the Bureau expressly noted that the withdrawal was not necessarily permanent. More importantly, the withdrawal eliminated the guidance, not the regulation itself. A servicing-specific consideration remains: Regulation B excludes certain actions taken in connection with default or delinquency from the definition of adverse action, meaning whether a particular loss mitigation decision triggers the notice requirement depends on the facts. Where the notice requirement applies—for example, when a current borrower is denied a requested loan modification—a servicer relying on a model it cannot meaningfully explain faces the same Regulation B concerns that existed before the recent amendments.
None of this means complex AI models are impermissible. Regulation B does not require institutions to abandon sophisticated models in favor of simpler scorecards. The practical question is whether an institution can identify and accurately communicate the principal reasons underlying an adverse decision when the regulation requires it. Post-hoc explainability techniques may satisfy that obligation if the institution has validated that the explanation faithfully reflects the model's actual decision-making process. Where it cannot do so, the issue is not the use of artificial intelligence itself, but whether the institution can demonstrate that its decision-making process satisfies Regulation B's longstanding requirements.
Building a Defensible AI Governance Program
None of this requires institutions to reinvent risk management. The underlying disciplines have existed in the banking industry for years. What has changed is that Freddie Mac's AI governance framework now expects many of those same governance principles to be applied by Seller/Servicers.
The process begins with understanding where AI is actually being used. Most institutions identify fewer AI deployments than they ultimately discover. A comprehensive inventory often includes borrower-facing voice agents, AI-assisted call summarization, chatbot-based loss-mitigation intake, document classification and extraction, early-intervention models, collections automation, escrow administration, payment-change processing, and bankruptcy-related workflows. Each use case raises different legal and operational considerations. For example, the FCC's February 2024 declaratory ruling, FCC 24-17, treats AI-generated voices as artificial or prerecorded voices under the TCPA, while Regulation F applies differently to collections activities depending on when servicing rights were acquired. Document classification tools may directly affect Regulation X timing requirements, and bankruptcy-related workflows must account for the amendments to Bankruptcy Rule 3002.1 that became effective December 1, 2025. An effective inventory therefore does more than identify where AI exists; it identifies what each system does, the decisions it influences, and the legal framework that governs those activities.
Once the inventory is complete, each system should be evaluated according to the level of risk it presents. A tool that drafts call summaries presents different governance considerations than one that recommends or routes loss mitigation decisions. Governance documentation should reflect those differences rather than applying the same controls across every AI deployment.
Governance responsibilities should also be clearly separated. The business and technology functions should own each system's purpose, design, training approach, and intended use. An independent risk function should validate the model, evaluate performance, assess potential bias, and retain authority to approve, condition, or retire the system. Internal audit should periodically evaluate whether those governance processes are operating as designed. Freddie Mac's framework reflects the same principle by requiring sufficient independence between those deploying AI systems and those responsible for overseeing their risks.
Human oversight also remains an essential control. AI may identify trends, recommend outcomes, or draft communications, but decisions affecting borrowers should continue to receive appropriate human review. Equally important is documenting when that review occurs. Override decisions provide evidence of human oversight during examinations and GSE reviews, create valuable feedback for improving model performance, and may become important evidence in future litigation. Machine-generated servicing records, prompts, model versions, and review histories are all electronically stored information that may be discoverable under Federal Rule of Civil Procedure 34. Institutions should assume those records will be requested and retained accordingly.
Finally, AI governance depends on effective data governance. For independent mortgage banks, that begins with the FTC Safeguards Rule, 16 C.F.R. Part 314, including its requirements for written information security programs and oversight of service providers. Depository institutions remain subject to the federal banking agencies' information security guidelines. Regardless of charter, borrower nonpublic personal information should not be transmitted through unapproved public generative AI platforms. Institutions deploying generative AI should maintain controlled environments, establish clear data lineage, ground outputs in applicable investor and regulatory requirements, and require appropriate human review before borrower-facing communications are finalized. These controls help reduce compliance, operational, and litigation risk while supporting the broader governance expectations reflected in the GSE Guides.
Before August 6: A Working Checklist
Freddie Mac's AI governance requirements are already in effect. Fannie Mae's become effective on August 6, 2026. Institutions that have not yet completed their implementation should work with legal counsel, compliance, information security, and business leadership to evaluate whether the following foundational elements are in place:
- Complete an enterprise-wide inventory of AI systems and use cases.
- Adopt a written AI governance policy and supporting procedures.
- Evaluate servicing workflows for compliance with applicable regulatory timelines.
- Validate model explainability where AI supports borrower-facing decisions.
- Update vendor due diligence, contract provisions, and ongoing oversight for AI-enabled service providers.
- Incorporate AI-specific risks into annual information security training.
- Establish ongoing monitoring, periodic testing, and annual governance reviews.
- Maintain documentation demonstrating the design, implementation, and oversight of the AI governance program.
The specific controls each institution adopts will depend on its size, risk profile, and use of artificial intelligence. The common objective, however, is to demonstrate that AI is being deployed within a governance framework that is documented, monitored, and capable of adapting as technology and regulatory expectations continue to evolve.
Disclaimer: This article is provided by Brody | Gapp LLP for general informational purposes only and does not constitute legal advice or create an attorney-client relationship. Laws and regulatory requirements vary by jurisdiction and specific facts. Readers should consult qualified legal counsel before acting on any information discussed. This article was prepared with AI assistance under attorney supervision and review. It may be considered attorney advertising in some jurisdictions.