Pilot Launch You have early access to the Barinhall Compliance Intelligence Portal. Coverage and features are expanding weekly. Share feedback →
← Back to Feed
View source document ↗
T2 FREDDIE_MAC High Confidence Guidance

Bulletin 2026-4 Selling

Freddie Mac is updating selling guide requirements to enhance information security practices, simplify underwriting documentation, and align mortgage eligibility standards.

LOW
Impact Level
Top: Compliance (3)

Advisory Assessment

Impact. Freddie Mac is imposing new information security controls that require business impact analyses for critical data by May 11 and upgraded software security standards plus environment separation by July 1. The bulletin also prohibits selling mortgages with capitalized balances starting July 1 and streamlines several underwriting documentation requirements around tax returns and flood insurance.

Risk. Technology functions face the tightest deadlines with less than four weeks to complete data impact analyses and six weeks to achieve environment separation. Examination focus on information security practices means any gaps in implementation will draw immediate scrutiny, while the mortgage capitalization prohibition could disrupt loan pipeline management if not properly communicated to origination partners.

Recommended Action. Convene technology and compliance leadership immediately to assess current environment separation status and initiate the critical data business impact analysis process. Operations should simultaneously audit active loan inventory for any mortgages with capitalized balances and establish cutoff procedures to prevent new originations that violate the July 1 prohibition.

Watch. Monitor for any Freddie Mac clarifications on the scope of "critical data" requiring business impact analyses, as this definition will drive the depth of required documentation and potentially expand implementation timelines.

Classification

Regulatory Program
GSE Secondary Market
Doc Type
Guidance
Effective Date
2026-04-01
Days to Action
46
Comment Deadline
Published
2026-04-01

Urgency Basis

Multiple provisions with effective dates of May 11, 2026 and July 1, 2026 require action within 30-90 days from today (2026-05-16)

Operational Context

Flags
Systems Change Required Examination Focus
Affected Functions
Compliance Operations Technology Risk Management
Institution Applicability
All

Impact by Category

Compliance
3
Operational
3
Data Governance
2
Model Risk
0
Reporting & Disclosure
1
Capital & Liquidity
0
Consumer Protection
1
Third-Party Risk
2

Key Requirements

- Implement business impact analyses for Freddie Mac Critical Data by May 11, 2026 - Update software and applications to meet new security standards by July 1, 2026 - Establish separation of non-production, testing and production environments by July 1, 2026 - Discontinue selling mortgages with capitalized balances effective July 1, 2026 - Update underwriting processes to reflect simplified tax return age requirements - Modify flood insurance premium calculations per updated guidance - Document IRS Forms 4868/7004 for tax filing extensions in automated income assessments

Scoring Rationale

This bulletin contains a mix of operational updates and new compliance requirements. The information security provisions (business impact analyses and software standards) represent the most significant changes requiring coordinated implementation across compliance and technology functions. The mortgage capitalization prohibition and various underwriting clarifications require process modifications but are more straightforward to implement. Most changes are clarifications or alignments rather than entirely new obligations.

Scored: 2026-05-16T07:40:56.947Z Model: claude-sonnet-4-20250514 Confidence: High Aggregate Score: 2.0
AI Analysis Disclosure — This record, including its scores, impact assessments, and Advisory Assessment (impact, risk, and recommended actions), was generated by an AI model and may contain errors or omissions. The Advisory Assessment is a starting point for analysis, not a substitute for professional judgment. Effective dates, applicability determinations, impact assessments, and any recommended actions should be independently verified against primary regulatory source documents and reviewed by qualified compliance or legal personnel before taking compliance action. This output does not constitute legal or compliance advice.