T2
FHFA
Medium Confidence
Guidance
Artificial Intelligence/Machine Learning Risk Management
AI/ML risk management framework establishment to address emerging technology risks in regulated financial institutions
HIGH
Impact Level
Top: data governance (5)
Classification
- Regulatory Program
- FHFA Supervision
- Doc Type
- Guidance
- Effective Date
- 2026-09-14 (est.)
- Days to Action
- 60
- Comment Deadline
- —
- Published
- —
Urgency Basis
Advisory bulletin guidance with no specified effective date but immediate supervisory expectations for AI/ML risk management implementation
Operational Context
Flags
Ai Machine Learning
Model Validation Trigger
Board Reporting Required
Systems Change Required
Examination Focus
Affected Functions
Risk Management
Model Validation
Data Governance
Compliance
Technology
Board Governance
Institution Applicability
Banks
Credit Unions
Fannie Mae
Freddie Mac
Federal Home Loan Banks
Impact by Category
Compliance
4
Operational
4
Data Governance
5
Model Risk
5
Reporting & Disclosure
3
Capital & Liquidity
1
Consumer Protection
3
Third-Party Risk
4
Key Requirements
- Establish comprehensive AI/ML governance framework
- Implement model risk management for AI/ML systems
- Conduct regular AI/ML model validation and testing
- Monitor for bias and fairness in AI/ML applications
- Maintain AI/ML model inventory and documentation
- Enhance third-party AI/ML vendor oversight
- Report AI/ML risks to board and senior management
Scoring Rationale
High impact guidance addressing critical emerging risk area. Model risk and data governance receive maximum scores due to direct AI/ML focus. Compliance and operational impacts are high given comprehensive framework requirements. Third-party risk elevated due to vendor management needs. Consumer protection moderate due to fairness considerations.
AI Analysis Disclosure — This record, including its scores, impact assessments, and Advisory
Assessment (impact, risk, and recommended actions), was generated by an AI model and may contain errors or
omissions. The Advisory Assessment is a starting point for analysis, not a substitute for professional judgment.
Effective dates, applicability determinations, impact assessments, and any recommended actions should be
independently verified against primary regulatory source documents and reviewed by qualified compliance or legal
personnel before taking compliance action. This output does not constitute legal or compliance advice.