Fannie Mae LL-2026-04: What the Lender AI Governance Mandate Requires from Mortgage Originators

On April 8, 2026, Fannie Mae issued Lender Letter LL-2026-04, a governance framework for AI and ML in mortgage origination and servicing. It takes effect August 6, 2026, 120 days after publication. Freddie Mac Section 1302.8 has been enforced since March 3, 2026. The combined GSE regime requires inventory, governance, audit trails, and disclosure on demand for AI used in any step of the loan lifecycle, including vendor AI tools the lender does not control. This piece walks through what the mandate requires, where lender deployments are exposed, and the inspection architecture that satisfies the disclosure obligation.

By Parminder Singh · Founder & CEO, DeepInspect Inc.
Industry Verticals · fannie-mae · mortgage · ai-governance · ai-compliance · audit · lender-letter
On April 8, 2026, Fannie Mae issued Lender Letter LL-2026-04, a governance framework for the use of artificial intelligence and machine learning in mortgage origination and servicing. The lender letter takes effect August 6, 2026, 120 days after publication. Freddie Mac Section 1302.8 has been enforced since March 3, 2026. The combined GSE regime applies to every seller and servicer that delivers loans to either GSE and requires governance, inventory, audit trails, and disclosure on demand for AI used anywhere in the loan lifecycle, including embedded AI inside vendor tools. The disclosure obligation runs into the lender's vendor ecosystem and exposes most lenders today.

I want to walk through what LL-2026-04 actually requires, where lender deployments are exposed, how the mandate sits alongside the broader regulatory picture (Texas TRAIGA, California AI Transparency Act, EU AI Act for cross-border lenders), and the architecture that produces records the GSEs will accept.

Mandate

The lender letter establishes a framework with four pillars that lenders have to satisfy operationally.

Pillar 1: AI Inventory

The lender has to maintain an inventory of AI systems used in any step of the loan origination, processing, underwriting, closing, and servicing lifecycle. The inventory has to include AI used by vendors and subcontractors on the lender's behalf. The inventory captures the system, the provider, the function performed, the data types processed, and the risk classification.

The vendor inclusion is the part most lenders are not ready for. Document preparation tools that use AI to classify uploaded documents, quality-control vendors that use AI to flag loan defects, customer-service platforms that use AI to summarize interactions, and pricing engines that use AI to score risk all sit inside vendor environments. The lender owns the inventory obligation for these as if the lender were operating them directly.

Pillar 2: Governance

The lender has to maintain a governance framework that documents the policies governing each AI system in the inventory. The policies have to cover risk classification, data handling, validation, monitoring, change management, and incident response. The governance framework has to be approved at a senior management level and reviewed at a documented cadence.

Pillar 3: Audit Trails

The lender has to maintain audit trails for AI-assisted decisions across the loan lifecycle. The audit trail has to permit reconstruction of the decision: what AI system was involved, what inputs it received, what outputs it produced, what role the output played in the human decision that followed. The lender letter is specific that application logs are insufficient where they fail to capture the AI-specific elements of the decision.

Pillar 4: Disclosure on Demand

The lender has to disclose on Fannie Mae's demand the AI systems used in connection with a specific loan, the providers, the safeguards, the data flows, and the controls. The disclosure has to be producible on a normal Fannie Mae request and is part of the seller and servicer file. Failure to disclose on demand is a representation and warranty breach with the usual remedies.

Where lender deployments are exposed

The exposure is concentrated in three places.

Vendor AI is invisible to the lender

The lender's quality-control vendor uses ML to flag potential loan defects. The vendor environment owns the prompts, the model, and the audit record. When Fannie Mae asks "produce the AI decisions made on this loan by your vendors," the lender either says it lacks the records or asks the vendor for evidence the vendor was never required to produce. Procurement contracts written before LL-2026-04 typically omit vendor-side record obligations. The lender carries the disclosure burden alone.

Internal application logs do not capture the AI step

The lender's loan origination system logs application events: status changes, user actions, document uploads. The AI decisions inside the LOS (document classification, suspicious-activity flagging, automated underwriting score) are not logged as AI decisions. The audit trail captures that the system advanced the loan to the next stage; it does not capture which AI inferred which classification at which step under which policy. The Pillar 3 audit trail obligation fails on this.

Static service credentials hide the natural person

The AI components inside the LOS are typically called using a service credential. The credential identifies the LOS, not the loan officer or the processor whose work triggered the call. The Pillar 3 obligation includes "what role the output played in the human decision." Without identity attribution at the AI request layer, that mapping has to be reconstructed from secondary metadata. The reconstruction is fragile and the supervisor will not accept it as the primary record.

Mandate vs Compliance

The mandate's text reads at one level of abstraction. The infrastructure to satisfy it operates several levels lower. The gap between the two is where most lenders are exposed.

Disclosure test

The disclosure-on-demand obligation is the operational test. When Fannie Mae issues a request, the lender has to produce the disclosure in the timeframe the request specifies. Lenders that have not built the disclosure pipeline in advance respond late, partially, or with reconstructed evidence that fails on review. The disclosure is not a one-off deliverable. It is a recurring obligation that arrives unpredictably.

Vendor liability

The lender is liable for AI mistakes by subcontractors and vendors. Procurement attestations do not transfer the liability. The lender's vendor risk management has to require vendor-side records that the lender can request on demand. Contracts that do not include audit rights, record retention, and on-demand production requirements leave the lender exposed.

Compliance gap

Most lenders cannot produce, for an arbitrary loan, the per-decision AI record across both lender-controlled and vendor-controlled AI steps. The remediation requires structural changes. Vendor contracts have to be amended. AI calls from lender systems have to be routed through an inspection layer that produces per-decision records. The vendor records have to be retrievable on demand. The lender's master record has to compose vendor and internal records into a single disclosure-ready file.

Beyond Fannie Mae

LL-2026-04 sits alongside the broader regulatory picture. Texas TRAIGA took effect January 1, 2026 with civil penalties and AG enforcement. The California AI Transparency Act took effect January 1, 2026 with disclosure requirements for AI systems serving 1 million or more monthly users. The EU AI Act Article 6 and Annex III point 5(b) take effect August 2, 2026 and apply to creditworthiness assessment of natural persons, which sweeps mortgage underwriting for EU borrowers into the high-risk regime.

For a US lender operating only in domestic markets, the GSE mandate is the binding clock. For a lender originating across the US and the EU, the combined regime is the operational baseline. The infrastructure that satisfies LL-2026-04 produces records that also satisfy EU AI Act Article 12 and Article 26.

DeepInspect

This is the gap DeepInspect closes for mortgage lenders facing LL-2026-04. DeepInspect sits inline between lender applications and any LLM or model API. For every AI call inside the loan lifecycle, including calls into model APIs that vendor tools route through inspection-friendly architectures, DeepInspect attaches the natural person's identifier (loan officer, processor, underwriter, or borrower as applicable), the application's user role, the data classification of the input, and the policy version in effect. It records the outcome with a cryptographic signature so the record is independent of the application that produced it.

For Pillar 1, the inspection layer also performs the discovery function: AI calls that originated from inside the lender's network surface in the inventory automatically. For Pillar 3, the per-decision record is the audit trail. For Pillar 4, the disclosure-on-demand obligation runs against the record set instead of being reconstructed from application logs.
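An added illustration of the per-decision record described above (not DeepInspect's implementation and not a format taken from the lender letter): each AI call produces a record carrying the attribution fields, chained to the previous record and authenticated, and a disclosure for one loan is answered only from a log that verifies. The field names, the sample data, and the use of HMAC-SHA256 in place of an asymmetric signature are assumptions.

```python
import hashlib, hmac, json

# Constructed key; HMAC-SHA256 stands in for an asymmetric signature (assumption).
SIGNING_KEY = b"constructed-demo-key"
FIELDS = ("loan_id", "system", "provider", "person_id", "role", "data_class",
          "policy_version", "decision_role")

def digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def sign(body):
    return hmac.new(SIGNING_KEY, digest(body).encode(), hashlib.sha256).hexdigest()

def make_record(prev_sig, inputs, outputs, **meta):
    """One per-decision record, chained to the previous record's signature."""
    body = {f: meta[f] for f in FIELDS}   # KeyError if any attribution field is missing
    # Payloads live in a separate store (assumption); the digests bind them to this record.
    body.update(input_sha256=digest(inputs), output_sha256=digest(outputs), prev_sig=prev_sig)
    return {**body, "sig": sign(body)}

def verify_chain(records):
    """Index of the first record with a bad signature or chain link, else None."""
    prev = ""
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "sig"}
        if rec["prev_sig"] != prev or not hmac.compare_digest(sign(body), rec["sig"]):
            return i
        prev = rec["sig"]
    return None

def disclose(records, loan_id):
    """Disclosure on demand: answer only from a log that verifies."""
    bad = verify_chain(records)
    if bad is not None:
        raise ValueError(f"audit log fails verification at record {bad}")
    return [r for r in records if r["loan_id"] == loan_id]

def build_demo_log():
    """Constructed sample: three AI steps across two loans."""
    steps = [("LN-1001", "doc-classifier", "u-417", "processor", "W-2", "advisory"),
             ("LN-1002", "doc-classifier", "u-417", "processor", "1099", "advisory"),
             ("LN-1001", "defect-flagger", "u-208", "underwriter", "none", "reviewed")]
    log, prev = [], ""
    for loan, system, person, role, out, use in steps:
        meta = dict(loan_id=loan, system=system, provider="ExampleVendor", person_id=person,
                    role=role, data_class="NPI", policy_version="v3", decision_role=use)
        log.append(make_record(prev, {"doc": loan + ".pdf"}, {"label": out}, **meta))
        prev = log[-1]["sig"]
    return log
```

The chain detects an edited or removed record in the middle of the log; detecting truncation at the tail needs an externally anchored head value, which this sketch leaves out.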

If you are facing the August 6 deadline for LL-2026-04, let's talk.

Frequently asked questions

Does LL-2026-04 apply to lenders that only deliver loans to Freddie Mac?

LL-2026-04 is a Fannie Mae document. Freddie Mac Section 1302.8 has been enforced since March 3, 2026 and covers similar ground. Lenders that deliver loans to either GSE are in scope for at least one of the two regimes. Most lenders deliver to both, which puts them in scope for both. The operational architecture that satisfies the two regimes is the same: inventory, governance, audit trail, disclosure on demand. Differences in language between the two documents do not materially change the infrastructure required.

What is the effective date and how should lenders read the date discrepancy?

The lender letter was issued on April 8, 2026 and indicates a 120-day implementation window. The 120-day calculation from April 8 lands on August 6, 2026. Some lender-side summaries reference August 8 instead. The Cooley legal analysis of LL-2026-04 lands on August 6. Lenders should plan to August 6 to be safe and verify with their Fannie Mae representative if the two-day discrepancy matters operationally.

Are vendor AI tools really in scope when the lender does not control the AI?

Yes. The lender letter is explicit that the lender is responsible for AI used on its behalf, including AI used by vendors and subcontractors in the loan lifecycle. The lender carries the disclosure obligation regardless of which party operates the AI. Procurement contracts written before LL-2026-04 typically do not require vendor-side records. Lenders have to either renegotiate contracts to include audit rights and on-demand record production, or move the AI calls into an inspection layer the lender controls, or accept the disclosure gap and the representation and warranty exposure that goes with it.

How does LL-2026-04 interact with the existing ECOA and FCRA regimes?

ECOA and FCRA require lenders to maintain records of credit decisions, provide adverse action notices, and respect the consumer's right to obtain the information used to make the decision. LL-2026-04 layers an AI-specific governance and audit obligation on top. The two regimes overlap on records but the LL-2026-04 records are more granular: per-decision, per-AI-step, with the natural person whose role triggered the AI call. A lender that satisfies ECOA and FCRA but cannot produce the per-decision AI record fails the LL-2026-04 audit trail and disclosure obligations.

What does a lender do about embedded AI features in cloud LOS platforms?

The lender's first action is inventory. The lender has to identify which features of the cloud LOS use AI under the hood and which data types those features process. The second action is contractual. The lender has to require the LOS provider to support the lender's disclosure obligation, which means vendor-side records the lender can request on demand. The third action is architectural. Where the LOS routes AI calls through APIs the lender can inspect, the lender can build per-decision records at the inspection layer. Where the LOS hides the AI calls entirely, the lender is stuck with vendor-side records and has to negotiate access aggressively.