T3
FHFA
Medium Confidence
Guidance
Compliance Risk Management
Enhanced compliance risk management framework for GSE safety and soundness oversight
MODERATE
Impact Level
Top: compliance (4)
Classification
- Regulatory Program
- FHFA Enterprise Safety and Soundness
- Doc Type
- Guidance
- Effective Date
- 2026-11-13 (est.)
- Days to Action
- 120
- Comment Deadline
- —
- Published
- —
Urgency Basis
FHFA guidance document without specified effective date, estimated 90-180 day implementation timeframe
Operational Context
Flags
Examination Focus
Board Reporting Required
Systems Change Required
Legal Review Required
Affected Functions
Compliance
Risk Management
Internal Audit
Legal
Operations
Institution Applicability
Government-Sponsored Enterprises
Fannie Mae
Freddie Mac
Impact by Category
Compliance
4
Operational
3
Data Governance
2
Model Risk
1
Reporting & Disclosure
3
Capital & Liquidity
0
Consumer Protection
2
Third-Party Risk
2
Key Requirements
- Establish comprehensive compliance risk management framework
- Implement board and senior management oversight of compliance risks
- Develop compliance risk assessment and monitoring procedures
- Create compliance risk reporting mechanisms to FHFA
- Maintain qualified compliance risk management personnel
- Conduct regular compliance risk evaluations and testing
Scoring Rationale
High compliance impact (4) reflects comprehensive framework implementation requirements. Moderate operational (3) and reporting (3) scores reflect significant process and reporting changes. Lower scores for other categories reflect indirect or minimal impacts. GSE-specific guidance with enterprise-wide compliance implications.
AI Analysis Disclosure — This record, including its scores, impact assessments, and Advisory
Assessment (impact, risk, and recommended actions), was generated by an AI model and may contain errors or
omissions. The Advisory Assessment is a starting point for analysis, not a substitute for professional judgment.
Effective dates, applicability determinations, impact assessments, and any recommended actions should be
independently verified against primary regulatory source documents and reviewed by qualified compliance or legal
personnel before taking compliance action. This output does not constitute legal or compliance advice.