Freddie Mac Single-Family Seller/Servicer Guide Section 1302.6 — Document retention and destruction
Freddie Mac Single-Family Seller/Servicer Guide Section 1302.6 — Document retention and destruction.
Verbatim regulatory text
Verbatim provisions from Freddie Mac Single-Family Seller/Servicer Guide Section 1302.6 — Document retention and destruction — each quote is a verified substring of the regulator-published source snapshot, not retyped. Quoted for reference; this is not legal advice. The operational layer (P&P updates, prompts) lives in the regulation update kits.
Freddie Mac Single-Family Seller/Servicer Guide Section 1302.6 — Document retention and destruction
1302.6: Document retention and destruction (03/11/25) Seller/Servicers must have written data retention and destruction policies and procedures which contain minimum requirements to comply with applicable corporate, regulatory and legal standards. The policies and procedures must include the following: Freddie Mac Single-Family Seller/Servicer Guide Chapter 1302 As of 04/01/26 Page 1302-71 ■ Identification or definition of the electronic or other information which are subject to the policies, including how to handle electronic or other information that is, or may be, subject to a legal or litigation-related hold ■ A data storage, retention and destruction schedule ■ Clearly defined criteria for destruction of electronic or other information, regardless of the form in which the information is stored ■ Destruction methodology, including a process for logging and certifying such destruction has been completed When electronic or other information is destroyed in accordance with Seller/Servicer’s corporate policies in the ordinary course, or at Freddie Mac’s direction, such information must be rendered unreadable and incapable of being re-created. Paper records must be properly and securely destroyed, and Seller/Servicer must retain evidence of destruction. Upon request, Seller/Servicers will provide to Freddie Mac certificates of destruction or other evidence demonstrating the fact, time and manner of destruction, be it electronic, paper, hard drive or other media, which contained the destroyed information. Such certification or evidence is in addition to any other obligations that Seller/Servicer may have with respect to the destroyed information, including without limitation pursuant to Section 1301.3. 1302.7: Information security and other requirements for Related Third Parties (03/11/25) Seller/Servicers must: ■ Require any Related Third Party to: ❑ Comply with requirements substantially similar to those imposed on the Seller/Servicer under Chapter 1302 ❑ Refrain from interfering with or impairing any obligations of the Seller/Servicer to Freddie Mac, under a Purchase Document or elsewhere, of which any member of the Related Third Party’s Senior Management has actual knowledge ■ Designate Freddie Mac as an express, intended third-party beneficiary of each agreement with a Related Third Party, a breach of which may have a Material Adverse Effect and include in the agreement the obligations referenced above. Notwithstanding the foregoing, the third-party designation requirement shall not apply to agreements with any of the Seller/Servicer’s counterparties that have direct relationship(s) with Freddie Mac relative to the same subject matter and Freddie Mac has direct standing to enforce the terms of the subject agreement. (MIs, credit bureaus or Warehouse Lenders, for example, may qualify as such counterparties.) In determining whether the third-party Freddie Mac Single-Family Seller/Servicer Guide Chapter 1302 As of 04/01/26 Page 1302-72 designation requirement applies to a specific counterparty, the Seller/Servicer shall seek clarification from Freddie Mac. ■ Indemnify Freddie Mac and its directors, officers, employees, agents, successors and assigns and hold each harmless from and against any and all liabilities, losses, claims, actions, damages, including, but not limited to, indirect, incidental, special or consequential damages, whether foreseeable or not, judgments, costs and expenses, including reasonable attorneys’ fees, arising directly or indirectly out of or relating to any breach of a Seller/Servicer representation, warranty, covenant and/or obligation under Chapter 1302, whether such breach arises out of its own action or inaction or the action or inaction of a Related Third Party or of any Seller/Servicer or Related Third Party director, officer, employee, subcontractor, partner, principal, agent, successor or assign. Freddie Mac shall provide the Seller/Servicer with notice of any such claim after it comes to Freddie Mac’s attention. 1302.8: Use of artificial intelligence and machine learning (03/03/26) This section contains requirements related to: ■ Compliance with applicable law ■ Indemnification ■ Governance framework (a) Compliance with applicable law Seller/Servicers that use artificial intelligence and/or machine learning (together, “AI/ML”) in connection with the origination of Mortgages sold to or guaranteed by Freddie Mac or Servicing Mortgages on behalf of Freddie Mac must ensure compliance with Applicable Law and their Purchase Documents. In addition, such use is conditioned upon: ■ Seller/Servicer’s development, implementation and maintenance of policies and procedures for the use of AI/ML, which must at a minimum: ❑ Be approved by Senior Management, including, at a minimum, the Chief Information Officer, Chief Technology Officer, Chief Information Security Office or Chief Risk Officer (or the equivalents thereof) ❑ Be communicated to appropriate personnel who have job responsibility in areas that use AI/ML; and Freddie Mac Single-Family Seller/Servicer Guide Chapter 1302 As of 04/01/26 Page 1302-73 ❑ Have an owner(s) that implements, maintains and reviews the policies and procedures at least annually to ensure they comply with Applicable Law and consistently reflect industry best practices ■ Upon request by Freddie Mac, Seller/Servicer’s prompt disclosure of the types of AI/ML used, the purpose and manner for such use, safeguards to mitigate risks related to the use of AI/ML, and such other information as Freddie Mac may require. (b) Indemnification Seller/Servicer agrees to indemnify Freddie Mac and its directors, officers, employees, agents, successors and assigns, and to hold each harmless from and against any and all liabilities, losses, claims, actions, damages, including, but not limited to, indirect, incidental, special or consequential damages, whether foreseeable or not, judgments, costs and expenses, including reasonable attorneys’ fees, arising directly or indirectly out of or relating to its use of AI/ML. Freddie Mac shall provide the Seller/Servicer with notice of any such claim after it comes to Freddie Mac’s attention. (c) Governance framework Seller/Servicer must establish clear governance frameworks for AI/ML adoption by ensuring the following: ■ Policies, processes, procedures and practices across the organization related to the mapping, measuring and managing of AI risks are in place, transparent and implemented effectively ■ Legal and regulatory requirements involving AI are understood, managed and documented ■ The characteristics of trustworthy AI are integrated into organizational policies, processes, procedures and practices ■ Processes, procedures and practices are in place to determine the level needed of risk management activities based on the organization’s risk tolerance Seller/Servicer must do the following: ■ Assess AI/ML for specific threats such as data poisoning and adversarial inputs ■ Conduct regular internal and external audits to identify any potential vulnerabilities or deviations from established policies. Ongoing monitoring and periodic review of the risk management process and its outcomes must be planned and organizational roles and responsibilities clearly defined, including determining the frequency of periodic review ■ Regularly monitor AI systems for performance, security breaches and biases Freddie Mac Single-Family Seller/Servicer Guide Chapter 1302 As of 04/01/26 Page 1302-74 ■ Conduct audits to ensure compliance with standards like National Institutes of Standards and Technology 800-53 and International Organization for Standardization 27001 ■ Establish clear policies and codes of conduct to ensure the following: ❑ The characteristics of trustworthy AI are integrated into organizational policies, processes, procedures and practices ❑ Processes, procedures and practices are in place to determine the needed level of risk management activities based on the organization’s risk tolerance ❑ The risk management process and its outcomes are established through transparent policies, procedures and other controls based on organizational risk priorities ■ Apply segregation of duties to prevent conflicts of interest and ensure the following: ❑ Accountability structures are in place so that the appropriate teams and individuals are empowered, responsible and trained for mapping, measuring and managing AI risks ❑ Roles and responsibilities and lines of communication related to mapping, measuring and managing AI risks are documented and are clear to individuals and teams throughout the organization Freddie Mac Single-Family Seller/Servicer Guide Chapter 1401 As of 12/17/25 Page 1401-1 Chapter 1401: Electronic Transactions