T4
FANNIE_MAE
High Confidence
Guidance
Announcement SVC-2025-01 – Servicing Guide Update
Fannie Mae cybersecurity requirements for mortgage servicers and seller/servicers
MODERATE
Impact Level
Top: Operational (4)
Classification
- Regulatory Program
- GSE Servicing Requirements
- Doc Type
- Guidance
- Effective Date
- 2025-08-12
- Days to Action
- -338
- Comment Deadline
- —
- Published
- 2025-02-12
Urgency Basis
Effective date of August 12, 2025 is beyond 180 days from today (June 2, 2026), but servicers are encouraged to adopt immediately
Operational Context
Flags
Systems Change Required
Examination Focus
Affected Functions
Compliance
Risk Management
Technology
Operations
Institution Applicability
All
Impact by Category
Compliance
3
Operational
4
Data Governance
3
Model Risk
0
Reporting & Disclosure
3
Capital & Liquidity
0
Consumer Protection
1
Third-Party Risk
2
Key Requirements
- Implement comprehensive cybersecurity program covering information security, incident management, and business resiliency by August 12, 2025
- Report cybersecurity incidents to Fannie Mae within 36 hours of discovery
- Adopt Fannie Mae Information Security and Business Resiliency Supplement requirements
- Establish incident management procedures for third-party cybersecurity impacts
- Update Community Land Trust Ground Lease Rider documentation to accept Freddie Mac equivalent forms
Scoring Rationale
This Fannie Mae servicing guide update introduces moderate cybersecurity compliance obligations with operational implementation requirements. The 36-hour incident reporting mandate and comprehensive cybersecurity program implementation create cross-functional remediation needs. The shared equity clarifications are minor administrative updates. Scored as GSE guidance rather than federal regulation, but creates binding contractual obligations for Fannie Mae servicers.
AI Analysis Disclosure — This record, including its scores, impact assessments, and Advisory
Assessment (impact, risk, and recommended actions), was generated by an AI model and may contain errors or
omissions. The Advisory Assessment is a starting point for analysis, not a substitute for professional judgment.
Effective dates, applicability determinations, impact assessments, and any recommended actions should be
independently verified against primary regulatory source documents and reviewed by qualified compliance or legal
personnel before taking compliance action. This output does not constitute legal or compliance advice.