Pilot Launch You have early access to the Barinhall Compliance Intelligence Portal. Coverage and features are expanding weekly. Share feedback →
← Back to Feed
View source document ↗
T3 FHFA Medium Confidence Guidance

AB 2023-02: Supplemental Guidance to Advisory Bulletin 2017-02 - Information Security Management

Enhanced information security management requirements and controls for FHFA-regulated entities

MODERATE
Impact Level
Top: data governance (4)

Advisory Assessment

Impact. This supplemental guidance requires FHFA-regulated entities to strengthen their information security frameworks through enhanced policies, controls, and vendor oversight procedures. Your institution must review existing security management policies, implement additional protective controls, and upgrade third-party risk assessments to meet the enhanced standards.

Risk. Examination focus centers on data governance gaps and third-party vendor security weaknesses, where FHFA will scrutinize your ability to protect sensitive financial data and manage vendor-introduced vulnerabilities. Information security teams often struggle with the integration requirements between existing controls and the new supplemental measures.

Recommended Action. Information Security should lead an immediate gap analysis against the supplemental requirements, working with Risk Management to identify policy updates and control enhancements needed within the next 120 days. Vendor Management must simultaneously review existing third-party security assessments to determine which relationships require upgraded due diligence.

Watch. Monitor for examination guidance or frequently asked questions from FHFA that clarify implementation expectations, particularly around vendor security assessment standards and incident response procedure enhancements.

Classification

Regulatory Program
FHFA Information Security
Doc Type
Guidance
Effective Date
2026-11-13 (est.)
Days to Action
120
Comment Deadline
Published

Urgency Basis

Supplemental guidance to existing advisory bulletin - implementation typically expected within 90-180 days

Operational Context

Flags
Systems Change Required Legal Review Required Examination Focus
Affected Functions
Information Security Risk Management Compliance Technology Operations Vendor Management
Institution Applicability
Federal Home Loan Banks Fannie Mae Freddie Mac Fhfa-Regulated Entities

Impact by Category

Compliance
3
Operational
3
Data Governance
4
Model Risk
1
Reporting & Disclosure
2
Capital & Liquidity
0
Consumer Protection
2
Third-Party Risk
3

Key Requirements

- Review and update information security management policies - Implement supplemental security controls and procedures - Enhance third-party vendor security assessments - Strengthen data governance and protection measures - Update security incident response procedures - Conduct security awareness training updates

Scoring Rationale

Moderate impact focused on information security enhancements. Data governance receives highest score due to direct security implications. Operational and compliance impacts are moderate requiring policy and procedure updates. Third-party risk management also significantly affected through vendor security requirements.

Scored: 2026-05-26T19:03:03.621Z Model: claude-sonnet-4-20250514 Confidence: Medium Aggregate Score: 2.6
AI Analysis Disclosure — This record, including its scores, impact assessments, and Advisory Assessment (impact, risk, and recommended actions), was generated by an AI model and may contain errors or omissions. The Advisory Assessment is a starting point for analysis, not a substitute for professional judgment. Effective dates, applicability determinations, impact assessments, and any recommended actions should be independently verified against primary regulatory source documents and reviewed by qualified compliance or legal personnel before taking compliance action. This output does not constitute legal or compliance advice.