Timing Is NOW – Fannie Mae Supplement
In its “Featured News” dated February 12, 2025, Fannie Mae issued a “Supplement” to its Information Security and Business Resiliency requirements, effective August 12, 2025.
Did your Corporate Governance, Compliance, Technology, Loan Origination, and Loan Servicing Teams see this Supplement? If not – pay attention now!
Fannie Mae encourages Sellers, Servicers, and Seller/Servicers to adopt these changes immediately, but they must fully implement them by the August 12, 2025 deadline. That means your firm has a mere six months to be fully compliant.
As the CEO, CFO, or COO, ask what needs to occur. I had a client express to me just last week that they are not only implementing change, they also have their regular job to get done. If you are not on the right footing here, delays and mistakes are guaranteed to happen – ask about the impact to people, time, and effort.
My best guess is that you have the following timeline to address and mitigate any gaps.
- One month to interpret and define the changes,
- One month to have round table working sessions to address how to implement the changes,
- Two months to design and implement the changes,
- Only six remaining weeks to test, validate, and document the changes.
This leaves two weeks to adjust the timeline as needed!
These changes impact assorted business units AND also impact companies that wish to apply for Seller/Servicer approval, which will need to make sure their firm is aware of and compliant with these requirements.
Key impact areas include:
- Information Security Program that is aligned with, or exceeds, a current industry standard such as the National Institute of Standards and Technology (NIST) Framework or the International Organization for Standardization (ISO) 27001 Standard, among other items.
- Cyber-Security Plan and processes, including the incident management and response framework.
- System Development and Change Management that includes a formal Software Development Life Cycle (“SDLC”) policy, standard or supporting procedures.
- Network Security and Management standards.
- Supply Chain Risk Management – includes a formal Vendor Risk Management Program.
- Human Resource Security Requirements for employees, contractors and any other authorized parties working through the Company or on its behalf.
- Ability of a Seller/Servicer to demonstrate they have processes in place, described as “Vulnerability Management”, which identify weaknesses before those weaknesses are exploited.
- Physical and Environmental Control requirements.
- Business Continuity Management and Disaster Recovery Procedures which include an audit protocol and governance.
Granted, your firm has processes in place to be compliant in doing business with Fannie Mae. However, many times ongoing systems are fragmented among business owners who may not be willing to share their expertise internally, thinking this gives them political positioning and influence in the organization. Additionally, there could be a direct loss of staff expertise due to the ongoing major downsizing since 2023. Ask: does your firm’s team have the expertise internally to manage and implement change?
Due to the magnitude of business functions impacted, I would anticipate that when firms file their year-end 2025 reporting to Fannie Mae, these topics will then need to be certified by your firm. Be mindful that your name, as the CEO, CFO, or COO, can be required as the authorized representative on these filing documents – so ask the questions now.

Luana Slettedahl is a Principal at BlackFin Group. BlackFin Group is an umbrella of services and software products that specializes in the financial services industry. BlackFin is where national, regional, and community banks, credit unions, and independent mortgage bankers turn for trusted consulting experts, services, and insights. For more information, contact the company at (303) 524-1907 or visit its website https://www.blackfin-group.com.