Bulletin 2026-5 Servicing
GSE servicing operational updates with enhanced information security requirements
Advisory Assessment
Impact. Freddie Mac has imposed new information security standards for Critical Data that became effective five days ago, creating immediate compliance gaps at most servicers. The bulletin also mandates eBilling platform transitions, updated bankruptcy fee coding aligned with Federal Rules changes, and modified suspense fund application procedures by July 1.
Risk. The retroactive Critical Data requirements expose servicers to immediate GSE compliance violations since the May 11 deadline has passed. Information security gaps will draw scrutiny during upcoming Freddie Mac operational reviews, particularly around business impact analysis documentation and software security standards that most servicers have not yet implemented.
Recommended Action. Technology and compliance teams should immediately document current Critical Data handling practices and file a remediation plan with Freddie Mac acknowledging the missed May 11 deadline. Legal should simultaneously review the new Chapter 13 bankruptcy fee codes against current vendor billing practices to identify coding mismatches before the July transition.
Watch. Monitor Freddie Mac communications for enforcement actions related to the retroactive Critical Data requirements, and track the July 1 eBilling platform rollout timeline since system integration issues could compound existing compliance exposures.
Classification
- Regulatory Program
- GSE Servicing
- Doc Type
- Guidance
- Effective Date
- 2026-04-08
- Days to Action
- -99
- Comment Deadline
- —
- Published
- 2026-04-08
Urgency Basis
Information security requirements effective May 11, 2026 (5 days from today's date of May 16, 2026) with retroactive application
Operational Context
Impact by Category
Key Requirements
Scoring Rationale
This bulletin contains multiple operational changes with varying effective dates. The information security requirements create immediate T1 urgency due to the May 11, 2026 effective date for Critical Data requirements (which has already passed by today's date of May 16). The compliance score reflects new regulatory obligations across servicing, legal fees, and information security. Operational impact is moderate due to multiple process changes including system transitions and procedural updates. Data governance scores moderately due to new Critical Data requirements and software security standards.