The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI recently issued a joint cybersecurity advisory due to matters related to the conflict in Ukraine. Seller/Servicers are encouraged to review and have their related third parties review the contents of the advisory and to assess their respective environments for atypical channels for malware delivery and/or propagation through their systems, to implement appropriate strategies, and to ensure robust contingency planning and preparation in the event of a cyberattack.

Given the current state of affairs, it is crucial that we maintain heightened awareness of potential security breaches. As a reminder, the Freddie Mac Single-Family Seller/Servicer Guide (Guide) requires that Seller/Servicers report any security incidents, including security incidents impacting their related third parties to Freddie Mac immediately (no later than 48 hours after discovery), and have adequate business continuity provisions in the event of a systems outage.

Our requirements for reporting security incidents and maintaining business continuity can be found in the following Guide Sections:

OFAC Screening

Additionally, Sellers must screen each borrower against the Office of Foreign Assets Control’s (OFAC's) most recent list of Specially Designated Nationals and Blocked Persons ("OFAC SDN List") prior to delivery of the related mortgage to Freddie Mac.

Clients that service mortgages for Freddie Mac must periodically screen the mortgages against the OFAC SDN List. If a Servicer identifies that a borrower on a mortgage it services for Freddie Mac is a match against the OFAC SDN List, the Servicer is required to notify Freddie Mac by email within 24 hours of identifying such a match.

See Guide Section 1301.2(b) for our requirements for OFAC screening.

Please reach out to your Freddie Mac representative for questions regarding our requirements related to this matter.