Bulletin 2026-4 Selling
Freddie Mac is updating selling guide requirements to enhance information security practices, simplify underwriting documentation, and align mortgage eligibility standards.
Advisory Assessment
Impact. Freddie Mac is imposing new information security controls that require business impact analyses for critical data by May 11 and upgraded software security standards plus environment separation by July 1. The bulletin also prohibits selling mortgages with capitalized balances starting July 1 and streamlines several underwriting documentation requirements around tax returns and flood insurance.
Risk. Technology functions face the tightest deadlines with less than four weeks to complete data impact analyses and six weeks to achieve environment separation. Examination focus on information security practices means any gaps in implementation will draw immediate scrutiny, while the mortgage capitalization prohibition could disrupt loan pipeline management if not properly communicated to origination partners.
Recommended Action. Convene technology and compliance leadership immediately to assess current environment separation status and initiate the critical data business impact analysis process. Operations should simultaneously audit active loan inventory for any mortgages with capitalized balances and establish cutoff procedures to prevent new originations that violate the July 1 prohibition.
Watch. Monitor for any Freddie Mac clarifications on the scope of "critical data" requiring business impact analyses, as this definition will drive the depth of required documentation and potentially expand implementation timelines.
Classification
- Regulatory Program
- GSE Secondary Market
- Doc Type
- Guidance
- Effective Date
- 2026-04-01
- Days to Action
- 46
- Comment Deadline
- —
- Published
- 2026-04-01
Urgency Basis
Multiple provisions with effective dates of May 11, 2026 and July 1, 2026 require action within 30-90 days from today (2026-05-16)
Operational Context
Impact by Category
Key Requirements
Scoring Rationale
This bulletin contains a mix of operational updates and new compliance requirements. The information security provisions (business impact analyses and software standards) represent the most significant changes requiring coordinated implementation across compliance and technology functions. The mortgage capitalization prohibition and various underwriting clarifications require process modifications but are more straightforward to implement. Most changes are clarifications or alignments rather than entirely new obligations.