Most loan originators are already using AI. ChatGPT for pre-approval letters. Claude for rate-change emails. One AI tool or another for disclosure explainers and refi outreach. Fannie Mae noticed. On April 8, 2026, it issued Lender Letter LL-2026-04, requiring every seller/servicer to have a written AI governance framework. The operative word is written. Almost no one at the individual MLO level has one.
This post is a plain-English breakdown of what LL-2026-04 requires, who it applies to, what the six required elements actually mean for a sole loan originator or small mortgage business, and what a compliant written policy looks like in practice. It is not legal advice, and the lender letter itself is the authoritative source. But if you are an individual MLO trying to figure out whether this applies to you and what to do about it, this is the explainer that did not exist until now.
What LL-2026-04 is, and why it matters now
Fannie Mae issues Lender Letters to update the requirements in its Selling Guide and Servicing Guide. They are not suggestions. Seller/servicers who do not comply risk losing eligibility to sell loans to Fannie Mae, which for most mortgage businesses is an existential consequence.
LL-2026-04, titled "Artificial Intelligence and Machine Learning Governance Requirements for Seller/Servicers," was issued April 8, 2026. The core requirement: every seller/servicer must establish and maintain a written AI/ML governance framework that addresses six specified elements. The framework must be active and documented, not aspirational. It must be reviewed at least annually and updated when regulatory requirements change.
The lender letter acknowledges that AI is already being used across the mortgage origination process, including in marketing, client communication, underwriting support, and document preparation. It does not prohibit any of those uses. What it requires is that the use be governed, documented, and subject to human oversight.
The gap Fannie Mae is targeting
The lender letter was written in response to a documented pattern: lenders and originators deploying AI tools in consumer-facing workflows without any formal assessment of fair lending risk, data handling, or model reliability. In plain terms, people were using ChatGPT to write borrower communications without any policy governing what goes in, what comes out, or who reviews it before it is sent.
LL-2026-04 closes that gap by requiring the governance framework to exist on paper, not just in practice.
Who LL-2026-04 applies to
The lender letter applies to Fannie Mae seller/servicers. If you originate conventional loans that are sold to Fannie Mae, you are a seller. If you service loans on Fannie Mae's behalf, you are a servicer. Most independent mortgage brokers, small mortgage businesses, and individual loan originators working under a lender that sells to Fannie Mae are operating within seller/servicer relationships.
The question of whether a sole MLO working under a sponsoring lender must have their own individual policy, or whether the lender's policy covers them, depends on how that lender structures its AI governance and whether it extends to individual originator workflows. If your lender has a policy that covers the AI tools you use as part of the origination process, you may be covered. If your lender has no policy, or if you use AI tools independently of your lender's supervised workflow, that coverage likely does not exist.
The safest assumption for individual MLOs
If you are using any AI tool in any part of your origination workflow, including drafting client communications, explaining disclosures, or generating marketing content, you should assume that LL-2026-04 applies to your AI use and that a written policy covering your workflow is expected. A sole-LO policy does not need to be a 40-page enterprise document. It needs to address the six required elements at the scale of your business.
The six required elements, explained in plain English
LL-2026-04 specifies six elements that every AI governance framework must address. Here is what each one means at the individual MLO and small-business level.
Model risk management
The framework must describe what AI tools you use, what you use them for, and what you do not permit them to do. This is the inventory and scope section of your policy.
Data governance and quality
The framework must address what borrower data may and may not be entered into AI tools, and how data quality is maintained in AI-assisted workflows.
Fair lending and bias monitoring
The framework must address how AI outputs are monitored for potential disparate impact under ECOA (12 CFR Part 1002) and the Fair Housing Act (42 U.S.C. § 3604).
Human oversight and explainability
The framework must establish who reviews AI outputs before they are used in consumer-facing contexts, and how that review is documented.
Vendor and third-party AI risk
The framework must acknowledge that third-party AI tools (Claude, ChatGPT, etc.) carry their own model risks, and that the seller/servicer takes responsibility for outputs regardless of which tool generated them.
Documentation and record retention
The framework must describe how AI-assisted communications and decisions are documented, and how long those records are retained.
What a compliant written policy actually looks like
A sole MLO or small mortgage business does not need a 40-page enterprise AI governance framework. Fannie Mae is explicit that the framework should be scaled to the size and complexity of the seller/servicer's operations. A policy for a sole originator who uses AI only for client communications might be four to six pages. A policy for a ten-person broker shop with more varied AI use will be longer.
The policy needs to address all six elements, be signed by the MLO of record, include an effective date and a version number, and commit to annual review. It does not need to be perfect on day one. It needs to exist, be accurate, and be followed in practice.
What examiners will look for
If a GSE examiner or CFPB examiner asks about your AI governance framework, the first question is whether a written policy exists. The second is whether the policy describes actual practice or aspirational intent. A policy that says "the MLO reviews all AI outputs" when outputs are routinely sent without review is worse than no policy, because it creates a documented misrepresentation. Write the policy to describe what you actually do, then use it to improve your actual process where gaps exist.
The federal compliance context around LL-2026-04
LL-2026-04 sits on top of an existing stack of federal mortgage compliance law that already governs how AI can and cannot be used in the origination process. The governance framework requirement is new. The underlying compliance obligations are not.
A few laws that intersect directly with AI use in mortgage origination:
ECOA / Regulation B (12 CFR Part 1002): Prohibits discrimination in any aspect of a credit transaction on the basis of race, color, religion, national origin, sex, marital status, age, or public assistance income. AI-generated communications, marketing, and underwriting support must not produce disparate treatment or disparate impact along protected class lines. The CFPB has confirmed that ECOA's prohibition on discrimination applies regardless of whether a human or an algorithm is making the decision.
Fair Housing Act (42 U.S.C. § 3604): Extends fair lending protections specifically to residential mortgage lending. AI-generated listing descriptions, pre-approval communications, and marketing outreach must not use language that evidences steering, geographic redlining, or treatment that varies by protected class.
TILA / Regulation Z (12 CFR Part 1026): Requires specific disclosures when advertising credit terms. AI-generated rate outreach, pre-approval emails, and refi marketing must comply with Reg Z advertising requirements. An AI that generates a compelling email mentioning a specific interest rate without the required APR disclosure has produced a TILA violation, regardless of who prompted it.
GLBA / Regulation P (12 CFR Part 1016): Requires financial institutions to protect nonpublic personal information. Entering borrower NPI into third-party AI tools raises GLBA compliance questions that must be addressed in your data governance policy.
CFPB UDAAP (12 U.S.C. § 5531): Prohibits unfair, deceptive, or abusive acts or practices. AI-generated content that creates false urgency, makes unsubstantiated savings claims, or misrepresents loan terms to a borrower is a potential UDAAP violation. The CFPB has issued supervisory guidance making clear that UDAAP liability extends to AI-assisted consumer communications.
The consequences of not having a policy
The direct consequence of failing to maintain a compliant AI governance framework is risk to your seller/servicer eligibility. Fannie Mae can condition or restrict a seller/servicer's selling or servicing eligibility for failure to comply with the Selling Guide. For a mortgage business that depends on selling loans to the secondary market, that is an existential risk, not a technical one.
The indirect consequences are broader. A CFPB examination that identifies AI-assisted communications sent without an established review process is likely to result in findings related to UDAAP, fair lending, or Reg Z advertising, depending on what the communications contained. The absence of a written governance framework will be cited as an aggravating factor, because it evidences that the issue was systemic rather than isolated.
The issue is not using AI. The issue is undocumented AI.
LL-2026-04 does not prohibit the use of AI in mortgage origination. It requires that use to be documented, governed, and subject to human oversight. An MLO with a written policy that describes accurate practice is in a materially better position than one using AI informally, even if the actual AI usage is identical. The policy is the evidence that the use was intentional, controlled, and compliant.
How to build a written policy without a compliance team
Building an AI governance framework for a sole MLO or small mortgage business involves answering a specific set of questions about your actual practice: what tools you use, what you use them for, what data you enter, who reviews outputs, and how you document AI-assisted work. The answers to those questions, organized around the six LL-2026-04 elements, constitute a compliant policy.
The most common mistake is treating the policy as aspirational rather than descriptive. Write what you actually do. If your current practice has gaps relative to what the policy should say, close the gaps in practice first, then write the policy to describe the improved practice. A policy that describes a review process you do not actually follow is a liability, not a protection.
The six questions a sole MLO needs to answer:
- What AI tools do I use, and for what workflows specifically? (Model risk management)
- What borrower data do I enter into those tools, and what borrower data do I keep out of them? (Data governance)
- How do I check AI-generated content for fair lending issues before sending? (Fair lending monitoring)
- Who reviews every AI output before it reaches a borrower, and what does that review check for? (Human oversight)
- How do I acknowledge and manage the inherent limitations of the AI tools I use? (Third-party AI risk)
- How do I document that a communication was AI-assisted and that it was reviewed before sending? (Documentation and record retention)
Those answers, structured into a formal policy document with a header, effective date, and signature block, satisfy the LL-2026-04 requirement at the scale of a small mortgage business. A compliance attorney should review the policy before formal adoption if you are a Fannie Mae seller/servicer; the policy must match your actual GSE eligibility context.
Frequently asked questions
Does LL-2026-04 apply to me if I am a mortgage broker, not a direct lender?
The lender letter is addressed to Fannie Mae seller/servicers. Whether it applies directly to a mortgage broker depends on whether the broker has a direct seller relationship with Fannie Mae or operates through a lender sponsor. If your lender sponsor is a Fannie Mae seller/servicer, their AI governance framework may cover your workflows, but only if it explicitly addresses independent originator AI use. Confirm with your sponsor lender.
My lender has a compliance team. Does that mean I am covered?
Maybe. If your lender's AI governance policy covers the specific AI tools you use in your individual originator workflow, and if your workflow is documented under that policy, you may be covered. If you are using AI tools independently of your lender's supervised workflow, that coverage likely does not extend to your individual use. Ask your lender's compliance team directly whether their policy covers independent originator AI use.
What counts as an AI tool for purposes of LL-2026-04?
The lender letter is broad. It covers AI/ML systems used in any part of the seller/servicer's operations, including marketing, client communication, underwriting support, and document preparation. If you use ChatGPT, Claude, Gemini, Copilot, or any other generative AI tool in any part of your origination workflow, that tool is within the scope of the governance requirement.
How often does the policy need to be updated?
LL-2026-04 requires annual review at minimum, plus updates whenever Fannie Mae, Freddie Mac, the CFPB, or other relevant regulators issue new AI-related guidance. Given the pace of AI regulation in 2026, that update cadence may need to be more frequent in practice. Build the annual review into your calendar with a specific review date, not just a general commitment.
Can I use an AI tool to generate my AI governance policy?
Yes, with the same caveat that applies to any AI-generated output: the licensed professional of record must review and approve it before adoption. An AI-generated policy draft is a starting point, not a finished document. It must be reviewed for accuracy relative to your actual practice, your specific GSE context, and current regulatory requirements before it is signed and adopted.
What is the risk of waiting to address this?
LL-2026-04 was issued April 8, 2026. The longer a seller/servicer continues AI use without a documented governance framework, the longer they operate outside the lender letter's requirements. There is no grace period described in the lender letter. If a GSE or CFPB examination occurs before you have a framework in place, the absence will be documented. The risk of a finding increases with time, not with notice.
The Mortgage Loan Officer AI Toolkit includes Skill 07: AI Governance Policy Generator
Skill 07 generates a written AI use policy structured around all six LL-2026-04 required elements, scaled to your business size: sole LO, broker, or small mortgage business. It includes all eight federal compliance frameworks referenced in this post, a data governance section, a fair lending monitoring commitment, a documentation protocol, and an annual review schedule. The output requires review by your licensed MLO of record and, for Fannie Mae seller/servicers, confirmation with compliance counsel before adoption.