On Dec. 11, Freddie updated the cyber incident reporting process.
Freddie issued Bulletin 2024-17 on updates to My Home by Freddie, servicing transfer checklists, information security, Freddie gateway, and Bank of NY Mellon contact data.
Provided a new process for reporting security breaches effective Jan. 1, 2025.
My Home
Freddie currently provides links to My Home in the additional resources section within letter templates for workout options that Servicers may use when sending out notices.
Reported changes to these templates to make it easier for borrowers to access data.
Provided updated links on getting help when struggling to make mortgage payments.
Added QR code for each letter template that can be used to directly access resources.
Removed outdated Transfer of Servicing best practice documents references, s. 7101.3
Included references to recently updated Transfer of Servicing checklists in s. 7101.1.
Transferors and Transferees should review and consider adopting the Servicing Transfer Management Checklists that include links to the MISMO Servicing Transfer Catalog.
Which includes best practices, servicing transfer instruction checklist, portfolio characteristics, image transfer schedules, required reporting, and reconciliation.
Incident Notification
Process for reporting Security Incidents (as defined in Section 1302.2) and Privacy Incidents (as defined in Section 1302.2) is being consolidated, effective Jan. 1, 2025.
Timeline for reporting incidents is reduced to no later than 36 hours after discovery.
Incidents must be reported immediately if they cause seller/servicer to shut down or disable connection with mortgage originations or servicing on behalf of Freddie.
Non-critical Privacy Incidents (S. 1302.5) must be reported using the notification tool.
Security Updates
Effective Mar. 11, 2025, updated topics on data transmission and data loss prevention, vulnerability management, data encryption, incident management, and access.
Also updated authentication requirements and guidelines and cloud computing.
Added requirements related to business continuity plans (BCPs), including BCP review, policies, and procedures to support the BCPs, and BCP education and training.
Finally, added new sections 1302.4 and 1302.6 - 1302.8 on disaster recovery plans, document retention and destruction, third parties, use of AI and machine learning.
Freddie Gateway
In Bulletin 2024-16 introduced Freddie Gateway as the new single sign-on portal for users who access tools through the Advisor Portal or Servicing Gateway, #235816.
Effective Jan. 25, 2025, Loan Advisor Portal and Servicing Gateway will be retired.
Existing Seller/Servicer Loan Advisor Portal and Servicing Gateway credentials will still be active to sign into Freddie Gateway; does not impact system-to-system integrations
Seller/Servicers will be able to access Gateway, once it launches, via Freddie website.
