Risk Factors Dashboard
Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.
View risk factors by ticker
Search filings by term
Risk Factors - FNMA
-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing
Item 1A. Risk Factors
Overview
Our cybersecurity risk management program is integrated into our overall Enterprise Risk Management framework, which is described in “MD&A—Risk Management—Overview.” Our Enterprise Response Framework establishes the cybersecurity risk management. Role of External Consultants, Vendors and Other Third Parties Third-Party Cybersecurity Risk Oversight
Board Oversight The full Board of Directors oversees the company’s cybersecurity risk management, assisted by the Risk Policy and Capital Committee of the Board. The Board has delegated management-level risk oversight, including for cybersecurity Our Chief Security Officer leads our Information Security organization , which has primary responsibility for assessing overseeing the company’s cybersecurity risk management program . Our Chief Security Officer reports to our Chief incidents in accordance with the company’s incident response processes. The Information Security organization and Risk Committee, the Enterprise Risk Committee and the Risk Policy and Capital Committee of the Board of Directors. As noted above, the Board has delegated oversight responsibility at the management level for risk-related matters to the the Technology & Third Party Risk Committee. The Technology & Third Party Risk Committee receives reports on
Chief Security Officer cybersecurity incidents, have not materially affected our business, including our business strategy, results of operations or financial condition. However, large-scale cyber attacks perpetrated against other companies in recent years suggest
The risks we face could materially adversely affect our business, results of operations, financial condition, liquidity and
net worth, and could cause our actual results to differ materially from our past results or the results contemplated by any
forward-looking statements we make. If any such risk occurs, the market price of our stock could decline and you may
lose all or part of your investment. We believe the risks described below and in the other sections of this report
referenced below are the most significant we face; however, these are not the only risks we face. We face additional
risks and uncertainties not currently known to us or that we currently believe are immaterial that may also materially
adversely affect us. Refer to “MD&A—Risk Management,” “MD&A—Single-Family Business” and “MD&A—Multifamily
Business” for more detailed descriptions of the primary risks to our business and how we seek to manage those risks.
Risk Factors Summary
The summary of risks below provides an overview of the principal risks we are exposed to in the normal course of our
business activities. This summary does not contain all of the information that may be important to you, and you should
read the more detailed discussion of risks that follows this summary.
Fannie Mae 2025 Form 10-K | 22 |
Risk Factors | Risk Factors Summary | ||
GSE and Conservatorship Risk
•The future of our company is uncertain.
•We are significantly undercapitalized and may be unable to fully satisfy our regulatory capital requirements.We are significantly undercapitalized and may be unable to achieve full capitalization.
•FHFA, as our conservator, controls our business activities. We may be required by FHFA to take actions that
are difficult to implement, reduce our profitability, create additional challenges in meeting regulatory capital
requirements, or expose us to additional risk.
•Our business activities are significantly affected by the senior preferred stock purchase agreement.
•Our regulator is authorized or required to place us into receivership under specified conditions, which would
result in our liquidation. Amounts recovered by our receiver may not be sufficient to pay claims outstanding
against us, repay the liquidation preference of our preferred stock or to provide any proceeds to common
stockholders.
•Our business and results of operations may be materially adversely affected if we are unable to retain and
recruit well-qualified executives and other employees. The conservatorship, the uncertainty of our future, and
compensation limits put us at a disadvantage in competing for talent.
•Our higher capital requirements relative to our primary competitor could materially negatively affect our
business.
•Pursuing our housing mission requirements may materially adversely affect our business, results of operations
and financial condition.
•The conservatorship and agreements with Treasury adversely affect our common and preferred stockholders.
•The liquidity and market value of our MBS could be materially adversely affected by developments in the
secondary mortgage market or the UMBS market, or by legislative, regulatory or industry developments, which
could have a material adverse impact on our business, financial results and financial condition.
•Our issuance of UMBS and structured securities backed by Freddie Mac-issued securities exposes us to
operational and counterparty credit risk.
•Our reliance on U.S. FinTech and the common securitization platform exposes us to significant third-party risk.
•We are limited in our ability to diversify our business.
•An active trading market in our equity securities may cease to exist, which would adversely affect the market
price and liquidity of our common and preferred stock.
Credit Risk
•We may incur significant future provisions for credit losses and write-offs on the loans in our book of business,
which could materially adversely affect our results of operations and financial condition.
•The credit enhancements we use provide only limited protection against potential future credit losses. These
transactions also increase our expenses.
•We may suffer material losses if borrowers suffer property damage as a result of hazards for which the
borrowers have no or insufficient insurance.
•The occurrence of major natural or other disasters in the United States or its territories could materially
increase our provision for credit losses and our write-offs.
•One or more of our institutional counterparties may fail to fulfill their contractual obligations to us, resulting in
financial losses, business disruption and decreased ability to manage risk.
•Our financial condition and results of operations may be materially adversely affected if mortgage servicers fail
to perform their obligations to us.
•We may incur losses as a result of claims under our mortgage insurance policies not being paid in full or at all.
•We could experience additional financial losses due to mortgage fraud.
Operational and Model Risk
•A failure in our operational systems or infrastructure, or those of third parties or the financial services industry,
could cause material business disruptions, materially adversely affect our business, liquidity, results of
operations and financial condition, and materially harm our reputation.
Fannie Mae 2025 Form 10-K | 23 |
Risk Factors | Risk Factors Summary | ||
•A cyber attack or other cybersecurity incident relating to our systems or those of third parties with which we do
business could have a material adverse impact on our business, financial results and financial condition.
•Material weaknesses in our internal control over financial reporting could result in errors in our reported results
or disclosures that are not complete or accurate.
•Failure of our models to produce reliable outputs may materially adversely affect our ability to manage risk and
make effective business decisions, as well as create regulatory and reputational risk.
Liquidity Risk
•Limitations on our ability to access the debt capital markets could have a material adverse effect on our ability
to fund our operations, and our liquidity contingency plans may be difficult or impossible to execute during a
sustained liquidity crisis.
•A decrease in the credit ratings on our senior unsecured debt could increase our borrowing costs and have an
adverse effect on our ability to issue debt on reasonable terms, particularly if such a decrease were not based
on a similar action on the credit ratings of the U.S. government. A decrease in our credit ratings could also
require that we post additional collateral for our derivatives contracts.
Market and Industry Risk
•Changes in interest rates or limitations on our ability to manage interest-rate risk successfully could materially
adversely affect our financial results and condition, and increase our interest-rate risk.
•Changes in spreads could materially impact the fair value of our net assets, and therefore our results of
operations and net worth.
•Our business and financial results are affected by general economic conditions, including home prices and
employment trends, and changes in economic conditions or financial markets may materially adversely affect
our business and financial condition. Volatility or uncertainty in global, regional or domestic political conditions
also can significantly affect economic conditions and financial markets.
Legal and Regulatory Risk
•Regulatory changes in the financial services industry and shifts in monetary policy may negatively impact our
business.
•Legislative, regulatory or judicial actions, and changes in interpretations of laws, regulations or accounting
standards, could negatively impact our business, results of operations, financial condition, liquidity or net worth.
•We face risk of non-compliance with our legal and regulatory obligations, which could have a material adverse
impact on our business, financial results and financial condition.
•Our business and financial results could be materially adversely affected by legal or regulatory proceedings.
General Risk
•In many cases, our accounting policies and methods, which are fundamental to how we report our financial
condition and results of operations, require management to make judgments and estimates about matters that
are inherently uncertain. Management also relies on models in making these estimates.
GSE and Conservatorship Risk
The future of our company is uncertain.
The company faces an uncertain future, including how long we will continue to exist in our current form, what changes
may occur to our business model during or following conservatorship, the extent of our role in the market, the level of
government support for our business, how long we will be in conservatorship, what form we will have, what ownership
interest, if any, our current common and preferred stockholders will hold in us, and whether we will continue to exist. The
conservatorship has been in place since 2008, is indefinite in duration, and the timing, conditions and likelihood of our
emerging from conservatorship are uncertain. Our conservatorship could terminate through a receivership. Actions
taken by the conservator or by a receiver could substantially dilute or eliminate any value associated with our existing
common stock and preferred stock. Termination of the conservatorship, other than in connection with a mandatory
receivership, requires Treasury’s consent under the senior preferred stock purchase agreement.
We believe that our return on equity based on our regulatory capital requirements may not be sufficient to attract
prospective private investors in our equity securities, which we believe may limit our options to raise, or increase the
cost of raising, sufficient capital to exit conservatorship. Increasing our returns to a level sufficient to attract private
equity investors may require increases in our pricing or changes in other aspects of our business or regulatory oversight
Fannie Mae 2025 Form 10-K | 24 |
Risk Factors | GSE and Conservatorship Risk | ||
that could affect our competitive position, our loan acquisition volumes and market share, the mix of loans that we
acquire or the type of business we do, including the level of support we provide to low- and moderate-income borrowers
and renters. Our ability to increase our returns may be limited given our conservatorship status, our business model, our
role in the U.S. housing market, and the limitations on our ability to change our guaranty fees and pricing described in
“Business—Legislation and Regulation—Guaranty Fees and Pricing.” In addition, we believe that Treasury’s ownership
of our senior preferred stock and Treasury’s potential additional substantial equity ownership in our company, along with
restrictions imposed on our business and future dividends and fees we will be required to pay to Treasury under the
current terms of the senior preferred stock purchase agreement and senior preferred stock, reduces our attractiveness
to prospective equity investors.
If we exit conservatorship, specified regulatory exemptions that currently apply to us or our securities would no longer
apply, such as the rule implementing the Dodd-Frank Act’s credit risk retention requirement and the Federal Reserve
Board’s single-counterparty credit limits rule. The expiration of these exemptions could result in significant changes to
our business and materially adversely affect our financial results and condition.
In recent months, the Administration has made public comments suggesting it is considering various options for the
future of Fannie Mae and Freddie Mac. The Administration and Congress may consider housing finance reforms or
legislation that could result in significant changes in our structure, our financial condition, the amount of capital we hold,
and our role in the market, including proposals that would result in Fannie Mae’s liquidation or dissolution, or its merger
or consolidation under common ownership with Freddie Mac. In addition, Congress may consider legislation, federal
agencies such as FHFA may consider regulations or administrative actions, or the Administration may issue executive
orders that directly or indirectly increase the competition we face, reduce our market share, further restrict our ability to
change our loan pricing, further expand our obligations to provide funds to Treasury, further constrain our business
operations, or subject us to other obligations or restrictions that may adversely affect our business. We cannot predict
the likelihood, timing or nature of housing finance reform legislation or other legislation, regulations or administrative
actions that will impact our activities or relating to our future, nor can we predict the extent of such impact.
We are significantly undercapitalized and may be unable to fully satisfy our regulatory capital requirements.We are significantly undercapitalized and may be unable to achieve full capitalization.
As of December 31, 2025, we had a $22 billion deficit in available capital for purposes of our risk-based adjusted total
capital requirement, and a $215 billion shortfall to our risk-based adjusted total capital requirement including buffers. We
may be unable to fully satisfy our capital requirements under the enterprise regulatory capital framework, as dividends
on the senior preferred stock may resume before we reach full capitalization. Our efforts to build capital to meet our
requirements can be significantly affected by the amount, type and pricing of our new loan acquisitions, which can drive
increases in our required capital that offset or even outpace increases in our available capital. Other factors that can
result in increases in our capital requirements include the size and performance of our guaranty book and retained
mortgage portfolio, the level of our participation in credit risk transfer transactions, and economic conditions. For more
information on the enterprise regulatory capital framework and our capital metrics as of December 31, 2025, see
“Business—Legislation and Regulation—Capital Requirements” and “MD&A—Liquidity and Capital Management—
Capital Management—Capital Requirements.”
FHFA, as our conservator, controls our business activities. We may be required by FHFA to take actions that
are difficult to implement, reduce our profitability, create additional challenges in meeting regulatory capital
requirements, or expose us to additional risk.
In conservatorship, our business is not managed with a strategy to maximize stockholder value. Our directors owe their
fiduciary duties of care and loyalty solely to the conservator. Thus, while we are in conservatorship, the Board has no
fiduciary duties to the company or its stockholders. Our directors are also elected by the conservator, not by our
stockholders. The Supreme Court has interpreted FHFA’s authority as conservator expansively, noting that “when the
FHFA acts as a conservator, it may aim to rehabilitate the regulated entity in a way that, while not in the best interests of
the regulated entity, is beneficial to the Agency and, by extension, the public it serves.” As conservator, FHFA can direct
us to enter into contracts or enter into contracts on our behalf, and generally has the power to transfer or sell any of our
assets or liabilities. Since March 17, 2025, the FHFA Director has served as the Chair of our Board, and FHFA’s General
Counsel has also served as a member of our Board. The Board of Directors has delegated to the Chair of the Board the
authority to approve or take any action on behalf of the Board or any Board Committee or Board Committee Chair, other
than the Audit Committee or Audit Committee Chair. Following this delegation, the Chair of the Board has approved
certain Board and Board Committee actions on behalf of the Board and certain of its Committees, including a number of
Board and executive officer appointments and compensation decisions, and may continue to do so in the future.
Our strategic direction is subject to FHFA review and approval. Our strategic direction is subject to FHFA review and approval. FHFA has also required us to meet specified annual
corporate performance objectives referred to as the conservatorship scorecard. We face a variety of different, and
sometimes competing, business objectives and FHFA-mandated activities. FHFA has and may require us to undertake
activities that are costly or difficult to implement and that increase our operational risk. FHFA also has required us to
Fannie Mae 2025 Form 10-K | 25 |
Risk Factors | GSE and Conservatorship Risk | ||
make changes to our business that have adversely affected our financial results and could require us to make additional
changes at any time. FHFA may require us to undertake some activities that: reduce our profitability or net worth; create
additional challenges in meeting regulatory capital requirements; expose us to additional credit, market, funding,
operational, model, legal, strategic, reputational, and other risks; or provide additional support for the mortgage market
that serves our mission, but adversely affects our financial results. For example, if FHFA directs us to begin acquiring
new or novel loan products, it could result in increased credit risk, operational risk, model risk and market risk, and
adversely affect our financial results.
FHFA can prevent us from engaging in business activities or transactions that we believe would benefit our business
and financial results, and from time to time has done so. For example, FHFA can both prevent us from making, and
direct us to make, changes to our guaranty fee pricing, and has currently set minimum return thresholds for our loan
acquisitions, as described in “Business—Legislation and Regulation—Guaranty Fees and Pricing.” These factors
constrain our ability to address changing market conditions, pursue certain strategic objectives, manage the mix of
loans we acquire, and compete with Freddie Mac and other market competitors for the acquisition of loans.
With FHFA’s broad powers as conservator, changes in leadership at FHFA have resulted in significant changes to the
goals, directions and regulations that FHFA establishes for us, and could result in significant additional changes to these
goals, directions and regulations. These changes could have a material impact on our financial results and condition.
The President has the power to remove the FHFA Director.
Our business activities are significantly affected by the senior preferred stock purchase agreement.
Even if we are released from conservatorship, we would remain subject to the terms of the senior preferred stock
purchase agreement with Treasury, under which we issued the senior preferred stock and warrant, unless those terms
are waived or amended. The senior preferred stock purchase agreement can only be waived or amended with the
consent of Treasury. The agreement includes a number of covenants that significantly restrict our business activities.
We believe these restrictions under the senior preferred stock purchase agreement adversely affect our ability to attract
capital from the private sector. For more information about the covenants in the senior preferred stock purchase
agreement, see “Business—Conservatorship and Treasury Agreements—Treasury Agreements—Covenants.”
Our regulator is authorized or required to place us into receivership under specified conditions, which would
result in our liquidation. Amounts recovered by our receiver may not be sufficient to pay claims outstanding
against us, repay the liquidation preference of our preferred stock or to provide any proceeds to common
stockholders.
The FHFA Director is required to place us into receivership if he makes a written determination that our assets are less
than our obligations or if we have not been paying our debts as they become due, in either case, for a period of 60 days
after the SEC filing deadline for any of our Form 10-Ks or Form 10-Qs. Although Treasury committed to providing us
funds in accordance with the terms of the senior preferred stock purchase agreement, if we need funding from Treasury
to avoid triggering FHFA’s obligation to place us into receivership, Treasury may not be able to provide sufficient funds
to us within the required 60 days if it has exhausted its borrowing authority, if there is a government shutdown, or if the
funding we need exceeds the amount available to us under the agreement. In addition, with the prior written consent of
Treasury, we could be put into receivership at the discretion of the FHFA Director at any time for the reasons set forth in
the GSE Act, including if our board of directors or stockholders consent to the appointment of a receiver or, if under the
definitions in the GSE Act, we are undercapitalized with no reasonable prospect of becoming adequately capitalized or
we are critically undercapitalized. Under the GSE Act, FHFA succeeded to all of the rights, titles, powers and privileges
of our board of directors and stockholders.
A receivership would terminate our conservatorship. In addition to the powers FHFA has as our conservator, the
appointment of FHFA as our receiver would terminate all rights and claims that our stockholders and creditors may have
against our assets or under our charter arising from their status as stockholders or creditors, except for their right to
payment, resolution or other satisfaction of their claims as permitted under the GSE Act. If we are placed into
receivership and do not or cannot fulfill our MBS guaranty obligations, there may be significant delays of any payments
to our MBS holders, and the MBS holders could become unsecured creditors of ours with respect to claims made under
our guaranty to the extent the mortgage collateral underlying the Fannie Mae MBS is insufficient to satisfy the claims of
the MBS holders.
In the event of a liquidation of our assets by FHFA as receiver, only after payment of secured claims, administrative
expenses of the receiver and the immediately preceding conservator, other obligations of the company (other than
obligations to stockholders), and the liquidation preference of the senior preferred stock, would any liquidation proceeds
be available to repay the liquidation preference on any other series of preferred stock. Finally, only after the liquidation
preference on all series of preferred stock is repaid would any liquidation proceeds be available for distribution to the
holders of our common stock. In the event of such a liquidation, we can make no assurances that there would be
Fannie Mae 2025 Form 10-K | 26 |
Risk Factors | GSE and Conservatorship Risk | ||
sufficient proceeds to make any distribution to holders of our preferred stock or common stock, other than to the holder
of our senior preferred stock. As described in “Business—Conservatorship and Treasury Agreements—Treasury
Agreements—Senior Preferred Stock Purchase Agreement and Senior Preferred Stock,” under the current terms of the
senior preferred stock, until the capital reserve end date, the liquidation preference of the senior preferred stock
increases each quarter by the amount of the increase in our net worth, if any, during the immediately prior fiscal quarter.
The aggregate liquidation preference of the senior preferred stock was $227.0 billion as of December 31, 2025, and we
expect it will continue to increase as we increase our net worth.
Our business and results of operations may be materially adversely affected if we are unable to retain and
recruit well-qualified executives and other employees. The conservatorship, the uncertainty of our future, and
compensation limits put us at a disadvantage in competing for talent.
Our business is highly dependent on the talents and efforts of our executives and other employees. The
conservatorship, the uncertainty of our future, and limitations on executive compensation have had, and are likely to
continue to have, an adverse effect on our ability to retain and recruit talent. Departures in key management positions
and challenges in finding replacements could materially harm our ability to manage our business effectively, to
successfully implement strategic initiatives, and ultimately could adversely affect our financial performance.
Actions taken by Congress, FHFA and Treasury to date, or that may be taken by them or other government agencies in
the future, have had and are expected to continue to have an adverse effect on our retention and recruitment of
executives. We are subject to significant restrictions on the amount and type of compensation we may pay as a result of
the senior preferred stock purchase agreement and conservatorship, as described in more detail in “Executive
Compensation—Compensation Discussion and Analysis—Restrictions on Executive Compensation.” For example,
during conservatorship direct annual compensation for our chief executive officer (“CEO”) role is limited to base salary
at an annual rate of $600,000 and our senior executives are prohibited from receiving bonuses. The cap on our CEO
compensation continues to make retention and succession planning for this position difficult, and it may make it difficult
to attract qualified candidates for this critical role in the future.
In addition to restrictions on our compensation, our ability to retain and recruit executives and other employees has
been and may continue to be adversely affected by the uncertainty of potential action by the Administration or Congress
with respect to our business, as described in the risk factors above.
We face competition from the financial services and technology industries, and from businesses outside of these
industries, for qualified executives and other employees. If future competition for executive and employee talent is
strong and if we are unable to attract, promote and retain executives and other employees with the necessary skills and
talent, we would face increased risks for operational failures. In the future, if there are several high-level departures at
approximately the same time, our ability to conduct our business could be materially adversely affected, which could
have a material adverse effect on our results of operations and financial condition.
Our higher capital requirements relative to our primary competitor could materially negatively affect our
business.
We have higher capital requirements than our primary competitor, Freddie Mac, driven primarily by our larger share of
U.S. residential mortgage debt outstanding. These higher capital requirements relative to Freddie Mac could materially
negatively affect our ability to compete with Freddie Mac for the acquisition of mortgage loans, our market share, and
the profitability and credit characteristics of the loans we acquire.
Pursuing our housing mission requirements may materially adversely affect our business, results of operations
and financial condition.
We are required by the GSE Act and FHFA regulation to support the housing market in ways that could materially
adversely affect our financial results and condition. For example, we are subject to housing goals that require a portion
of the mortgage loans we acquire to meet specified standards relating to affordability or location. We also have a duty to
serve very low-, low-, and moderate-income families in three specified underserved markets: manufactured housing,
affordable housing preservation and rural housing.
We are taking actions to support the housing market that could materially adversely affect our profitability and our ability
to meet our targeted return requirements established by FHFA. For example, we are acquiring loans to meet our
housing mission requirements that generally offer lower expected returns than the returns earned on non-mission-
related loans, which negatively affects our ability to meet our targeted return requirements established by FHFA. In
addition, some of the loans we are acquiring to meet our housing mission requirements pose a higher credit risk than
the other loans we purchase, which could materially increase our provision for credit losses and our write-offs.
If we do not meet our housing goals or Duty-to-Serve requirements, and FHFA finds that the goals or requirements were
feasible, FHFA may require us to submit a housing plan describing the actions we will take to improve our performance.
The actions we take under the housing plan could have a material adverse effect on our results of operations and
Fannie Mae 2025 Form 10-K | 27 |
Risk Factors | GSE and Conservatorship Risk | ||
financial condition. The potential penalties for failure to comply with housing plan requirements relating to our housing
goals include a cease-and-desist order and civil money penalties. See “Business—Legislation and Regulation” for more
information on our housing goals and Duty to Serve underserved markets.
The conservatorship and agreements with Treasury adversely affect our common and preferred stockholders.
The material adverse effects on our stockholders of the conservatorship and under the current terms of our agreements
with Treasury include the following:
No voting rights during conservatorship. During conservatorship, our common stockholders do not have the ability to
elect directors or to vote on other matters unless the conservator delegates this authority to them.
No dividends on common or preferred stock, other than senior preferred stock. Our conservator announced in
September 2008 that we would not pay any dividends on the common stock or on any series of preferred stock, other
than the senior preferred stock, while we are in conservatorship. In addition, under the current terms of the senior
preferred stock purchase agreement, dividends may not be paid to common or preferred stockholders (other than on the
senior preferred stock) without the prior written consent of Treasury, regardless of whether we are in conservatorship.
Our profits directly increase the liquidation preference of the senior preferred stock and we will be required to pay
dividends on the senior preferred stock in the future. The senior preferred stock ranks senior to our common stock and
all other series of our preferred stock, as well as any capital stock we issue in the future, as to both dividends and
distributions upon liquidation. Accordingly, if we are liquidated, the senior preferred stock is entitled to its then-current
liquidation preference, before any distribution is made to the holders of our common stock or other preferred stock.
Under the current terms of the senior preferred stock, until the capital reserve end date, the liquidation preference of the
senior preferred stock increases each quarter by the amount of the increase in our net worth, if any, during the
immediately prior fiscal quarter. We expect the aggregate liquidation preference of the senior preferred stock will
continue to increase as we increase our net worth. In addition, the current terms of the senior preferred stock provide
that, following the capital reserve end date, we will be required to pay dividends on the senior preferred stock of the
lesser of (1) a 10% annual rate on the then-current liquidation preference of the senior preferred stock and (2) an
amount equal to the incremental increase in our net worth during the immediately prior fiscal quarter. The current terms
of the senior preferred stock also provide that dividends will resume when our net worth exceeds the amount of adjusted
total capital necessary for us to meet the capital requirements and buffers set forth in the enterprise regulatory capital
framework, which we expect will occur before the capital reserve end date because our net worth is calculated
differently than, and is higher than, our available capital under the enterprise regulatory capital framework. As of
December 31, 2025, the amount of adjusted total capital necessary for us to meet the capital requirements and buffers
set forth in the enterprise regulatory capital framework was $193 billion, our net worth was $109.0 billion and we had an
available capital deficit of $22 billion. See “Business—Conservatorship and Treasury Agreements—Treasury
Agreements—Senior Preferred Stock Purchase Agreement and Senior Preferred Stock” for more information on the
dividend provisions and aggregate liquidation preference of the senior preferred stock.
Exercise of the Treasury warrant would substantially dilute the investment of current common stockholders. If Treasury
exercises its warrant to purchase shares of our common stock equal to 79.9% of the total number of shares of our
common stock outstanding on a fully diluted basis, the ownership interest in the company of our then-existing common
stockholders will be substantially diluted.
We are not managed for the benefit of stockholders. Because we are in conservatorship, we are not managed with a
strategy to maximize stockholder returns.
The senior preferred stock purchase agreement, senior preferred stock and warrant can only be waived or amended
with the consent of Treasury. For additional description of the conservatorship and our agreements with Treasury, see
“Business—Conservatorship and Treasury Agreements.”
The liquidity and market value of our MBS could be materially adversely affected by developments in the
secondary mortgage market or the UMBS market, or by legislative, regulatory or industry developments, which
could have a material adverse impact on our business, financial results and financial condition.
The success of UMBS is largely predicated on the fungibility of UMBS issued by Fannie Mae and Freddie Mac. If
investors stop viewing Fannie Mae-issued UMBS and Freddie Mac-issued UMBS as fungible, or if investors prefer
Freddie Mac-issued UMBS over Fannie Mae-issued UMBS, it could adversely affect the liquidity and market value of
Fannie Mae MBS, the volume of our UMBS issuances and our guaranty fee revenues. Our competitiveness in
purchasing single-family loans from our lenders and the volume and profitability of our single-family business activity are
affected by the price performance of UMBS issued by us relative to comparable Freddie Mac-issued UMBS. If our
UMBS were to trade at a material discount relative to comparable Freddie Mac-issued UMBS, or at a minor discount for
Fannie Mae 2025 Form 10-K | 28 |
Risk Factors | GSE and Conservatorship Risk | ||
a prolonged period of time, due to prepayment performance, credit profile or other factors, such a difference in relative
pricing may create an incentive for lenders to conduct more of their single-family business with Freddie Mac.
To support the fungibility of Fannie Mae-issued UMBS and Freddie Mac-issued UMBS, FHFA adopted a rule to align
Fannie Mae and Freddie Mac programs, policies and practices that affect the prepayment rates of TBA-eligible
mortgage-backed securities. However, these alignment efforts may not be successful and the prepayment rates on
Fannie Mae-issued UMBS and Freddie Mac-issued UMBS could materially diverge in a manner that is disadvantageous
for us.
It is possible that a liquid market for our UMBS may not be sustained, which could materially adversely affect their price
performance and our single-family market share. A significant reduction in our market share, and thus in the volume of
loans that we securitize, or a reduction in the trading volume of our UMBS, could materially reduce the liquidity of our
UMBS. While we may decide to employ various strategies to support the liquidity and price performance of our UMBS,
any such strategies may fail or may result in our incurring costs that materially adversely affect our business and
financial results. We may cease any such activities at any time, or FHFA could require us to do so, which could
materially adversely affect the liquidity and price performance of our UMBS.
In addition, we have experienced, and may continue to experience, price differences with Freddie Mac on individual new
production pools of TBA-eligible mortgages, particularly with respect to specified pools and our multi-lender securities.
From time to time, we may need to adjust our pricing for a particular new production pool category, introduce new
initiatives, or change our loan acquisition strategy to maintain alignment and competitiveness with Freddie Mac with
respect to the acquisition of such pools. Depending on the amount of pricing adjustments in any period, it is possible
that those adjustments could adversely affect our guaranty fee revenues for that period.
The continued support of FHFA, Treasury, the Securities Industry and Financial Markets Association, and certain other
regulatory bodies is critical to the success of UMBS. If any of these entities were to cease its support, the liquidity and
market value of Fannie Mae-issued UMBS could be adversely affected. Furthermore, if either we or Freddie Mac exits
conservatorship, it is unclear whether our and Freddie Mac’s programs, policies and practices in support of UMBS and
resecuritizations of each other’s securities would be sustained.
Our issuance of UMBS and structured securities backed by Freddie Mac-issued securities exposes us to
operational and counterparty credit risk.
When we resecuritize Freddie Mac-issued UMBS or other Freddie Mac securities, our guaranty of principal and interest
extends to the underlying Freddie Mac security. Although we have an indemnification agreement with Freddie Mac, in
the event Freddie Mac were to fail (for credit or operational reasons) to make a payment due on its securities underlying
a Fannie Mae-issued structured security, we would be obligated under our guaranty to fund any shortfall and make the
entire payment on the related Fannie Mae-issued structured security on that payment date. A failure by Freddie Mac to
meet these obligations could have a material adverse effect on our earnings and financial condition, and we could be
dependent on Freddie Mac and on the senior preferred stock purchase agreements that we and Freddie Mac each have
with Treasury to avoid a liquidity event or a default under our guaranty. Our current risk exposure to Freddie Mac-issued
securities is provided in “MD&A—Guaranty Book of Business.” In addition, the market value and liquidity profile of
single-family Fannie Mae MBS could be affected by financial and operational incidents relating to Freddie Mac, even if
those incidents do not directly relate to Fannie Mae or Fannie Mae MBS.
Our reliance on U.S. FinTech and the common securitization platform exposes us to significant third-party risk.
We rely on U.S. FinTech and its common securitization platform for the operation of a majority of our single-family
securitization activities. Although we jointly own U.S. FinTech with Freddie Mac, there are limitations on our ability to
control the company.
The U.S. FinTech Board of Managers currently has seven members—the U.S. FinTech CEO, one member appointed by
Fannie Mae, two members appointed by Freddie Mac, and three members appointed by FHFA, which includes the
Board Chair. Fannie Mae and FHFA each has the right to appoint one additional board member. If FHFA appoints an
additional board member, the four U.S. FinTech board members that we and Freddie Mac have the right to appoint
could be outvoted by the other five board members on any matter during conservatorship and on a number of significant
matters after conservatorship.
Board actions must be approved by a majority vote and the board may not take any actions absent the Chair’s consent.
Once either Fannie Mae or Freddie Mac has exited conservatorship and is not in receivership, the Board Chair and any
board members appointed by FHFA may be removed by a unanimous vote of the Fannie Mae and Freddie Mac
members and the U.S. FinTech CEO. Although the limited liability company agreement would require our approval for
certain “material decisions” if either we or Freddie Mac have exited conservatorship, the U.S. FinTech Board of
Managers may approve a number of actions even after conservatorship over the objection of the board members we
appoint, including: approval of the annual budget and strategic plan for U.S. FinTech (so long as it does not involve a
Fannie Mae 2025 Form 10-K | 29 |
Risk Factors | GSE and Conservatorship Risk | ||
material business change); withdrawal of capital by a member; and requiring capital contributions necessary to support
U.S. FinTech’s ordinary business operations. It is possible that FHFA may require us to make additional changes to the
U.S. FinTech limited liability company agreement, or may otherwise impose restrictions or provisions relating to U.S.
FinTech or UMBS, that may adversely affect us.
We do not currently pay service fees to U.S. FinTech under our customer services agreement; its operations are funded
entirely through capital contributions from Fannie Mae and Freddie Mac pursuant to the limited liability company
agreement. During conservatorship, FHFA can direct us to enter into an amendment of the customer services
agreement, or enter such an amendment on our behalf, that could provide for a fee structure that would survive an exit
from conservatorship absent a further amendment to the customer services agreement, which a majority of the board
would have to approve. Although implementation of any fee changes could require a further amendment to the customer
services agreement, we might not have significant leverage to negotiate that amendment and the associated fee
changes given our dependence on U.S. FinTech.
Our securitization activities are complex and present significant operational and technological challenges and risks. Any
measures we take to mitigate these challenges and risks might not be sufficient to prevent a disruption to our
securitization activities. Our business activities could be adversely affected and the market for single-family Fannie Mae
MBS could be disrupted if the common securitization platform were to fail or otherwise become unavailable to us or if
U.S. FinTech were unable to perform its obligations to us. Any such failure or unavailability could have a significant
adverse impact on our business and could adversely affect the liquidity or market value of our single-family MBS. In
addition, a failure by U.S. FinTech to maintain effective controls and procedures could result in material errors in our
reported results or in disclosures that are materially incomplete or materially inaccurate.
We are limited in our ability to diversify our business.
As a federally chartered corporation, we are subject to the limitations imposed by the Charter Act, extensive regulation,
supervision and examination by FHFA, and regulation by other federal agencies, including Treasury, HUD and the SEC.
The Charter Act defines our permissible business activities. For example, we may not originate mortgage loans or
purchase single-family loans in excess of the conforming loan limits, and our business is limited to the U.S. housing
finance sector. FHFA, as our regulator, may impose and has imposed additional limitations on our business. For
example, the GSE Act requires us to obtain prior approval from FHFA for new products and to provide advance notice to
FHFA of new activities. As described in “Business—Legislation and Regulation—Guaranty Fees and Pricing,” we are
also subject to a number of limitations on the guaranty fees we are permitted to charge, which is our primary source of
revenue. As a result of the limitations on our ability to diversify our operations, our financial condition and results of
operations depend almost entirely on conditions in a single sector of the U.S. economy, specifically, the U.S. housing
market. Weak or unstable conditions in the U.S. housing market can therefore have a significant adverse effect on our
business that we cannot mitigate through diversification. For a discussion of current U.S. housing market conditions,
see “MD&A—Key Market Economic Indicators.”
An active trading market in our equity securities may cease to exist, which would adversely affect the market
price and liquidity of our common and preferred stock.
Our common stock and preferred stock are now traded exclusively in the over-the-counter market, and are not currently
listed on any securities exchanges. We cannot predict the actions of market makers, investors or other market
participants, and can offer no assurances that the market for our securities will be stable. If there is no active trading
market in our equity securities, the market price and liquidity of the securities will be adversely affected. In addition, the
market price of our common stock and preferred stock has been and may continue to be subject to significant volatility,
which may be due to other factors described in these “Risk Factors,” as well as speculation regarding our future,
economic and political conditions generally, liquidity in the over-the-counter market in which our stock trades, and other
factors, many of which are beyond our control. Such factors could cause the market price of our common stock and
preferred stock to decline significantly from their current levels, which may result in significant losses to holders of our
common stock and preferred stock.
Credit Risk
We may incur significant future provisions for credit losses and write-offs on the loans in our book of business,
which could materially adversely affect our results of operations and financial condition.
We are exposed to a significant amount of mortgage credit risk on our $4.1 trillion guaranty book of business. Borrowers
may fail to make required payments on mortgage loans we own or guaranty. This exposes us to the risk of credit losses.
We have experienced significant provisions for credit losses that have materially adversely affected our financial results
in certain prior periods, and this could occur again in a future period.
In general, significant home price or multifamily property value declines or increased loan delinquencies could materially
increase our provision for credit losses and our write-offs. Loan delinquencies, among other factors, are influenced by
Fannie Mae 2025 Form 10-K | 30 |
Risk Factors | Credit Risk | ||
income growth rates and unemployment levels, which affect borrowers’ ability to make their mortgage payments.
Changes in home prices or multifamily property values affect the amount of equity that borrowers have in their
properties. As home prices and multifamily property values increase, the severity of losses we incur on defaulted loans
that we hold or guarantee decreases because the amount we can recover from the properties securing the loans
increases. Conversely, declines in home prices and multifamily property values increase the losses we incur on
defaulted loans. If home prices or multifamily property values decline rapidly and a large number of borrowers default on
their loans, we could experience significant credit losses on our book of business, which could materially adversely
affect our results of operations and financial condition.
The credit performance of the loans in our guaranty book of business may decline compared to recent performance,
particularly if we experience national or regional declines in home prices, weakening economic conditions or higher
unemployment, resulting in materially higher provisions for credit losses and write-offs. In addition, borrowers affected
by a government shutdown or by a requirement to resume making their student loan payments may find it difficult to
make payments on their mortgage loans.
We have loans in our single-family guaranty book of business that are typically associated with higher levels of credit
risk, such as loans with high LTV ratios, high debt-to-income (“DTI”) ratios and lower FICO credit scores. Similarly, we
have loans in our multifamily guaranty book of business that may present higher credit risk, such as loans with high LTV
ratios and lower debt service coverage ratios (“DSCRs”). We present detailed information about the risk characteristics
of our single-family conventional guaranty book of business in “MD&A—Single-Family Business” and our multifamily
guaranty book of business in “MD&A—Multifamily Business.” At any time, the risk characteristics of the loans we
acquire may change due to new or revised guidance from FHFA or due to other federal government policy changes
established through legislation, rulemaking or other actions.
Changes in interest rates can also affect our credit losses, as we describe in a risk factor below in “Market and Industry
Risk.”
The credit enhancements we use provide only limited protection against potential future credit losses. These
transactions also increase our expenses.
While we use certain credit enhancements to mitigate some of our potential future credit losses, we may not be able to
obtain as much protection from our credit enhancements as we would like for a number of reasons, including:
•Some of the credit enhancements we use, such as mortgage insurance, Credit Insurance Risk TransferTM
(“CIRTTM”) transactions and DUS lender loss-sharing arrangements, are subject to the risk that the
counterparties may not meet their obligations to us, which we discuss in a risk factor below.
•Our Connecticut Avenue Securities® (“CAS”) and CIRT credit risk transfer transactions have limited terms, after
which they provide limited or no further credit protection on the covered loans.
•Our credit risk transfer transactions are not designed to shield us from all losses because we retain a portion of
the risk of future losses on loans covered by these transactions, including all or a portion of the first loss
position in most transactions.
•In the event of a sufficiently severe economic downturn or other adverse market conditions, we may not be able
to enter into new back-end credit risk transfer transactions for our recent acquisitions on economically
advantageous terms.
•Mortgage insurance does not protect us from all losses on covered loans. For example, mortgage insurance
does not cover property damage that is not already covered by the hazard or flood insurance we require, and
such damage may result in a reduction to, or a denial of, mortgage insurance benefits.
In addition, the costs associated with credit risk transfer transactions are significant and may increase. For a discussion
of how we use credit risk transfer transactions to reduce our credit risk and manage our capital requirements, see
“MD&A—Single-Family Business—Single-Family Mortgage Credit Risk Management—Single-Family Credit
Enhancement and Transfer of Mortgage Credit Risk” and “MD&A—Multifamily Business—Multifamily Mortgage Credit
Risk Management—Multifamily Transfer of Mortgage Credit Risk.”
We may suffer material losses if borrowers suffer property damage as a result of hazards for which the
borrowers have no or insufficient insurance.
We require borrowers to obtain and maintain property insurance to cover the risk of damage to their homes or
properties resulting from hazards such as fire, hail, wind and, for properties in a Federal Emergency Management
Agency (“FEMA”)-designated Special Flood Hazard Area, flooding. However, insurance would not cover property
damage from hazards for which we do not generally require insurance, such as earthquake damage or flood damage on
a property located outside a Special Flood Hazard Area. There may be instances in which borrowers’ claims under
insurance policies are not paid, borrowers’ insurance is insufficient to cover their losses, borrowers fail to use insurance
Fannie Mae 2025 Form 10-K | 31 |
Risk Factors | Credit Risk | ||
proceeds to make improvements to the property commensurate with the value of the damaged improvements, or
borrowers fail to maintain insurance and suffer property damage. Additionally, hazard insurers may experience
significant financial strain and be unable to make payments on related claims during a period in which significant
numbers of mortgaged properties are damaged by natural or other disasters. Since we generally permit borrowers to
select and obtain required hazard insurance policies, our requirements for hazard insurance coverage are verified by
the lender or servicer, as applicable. For single-family loans, we require a minimum financial strength rating for
nongovernmental hazard insurers that must be provided by S&P Global, Demotech, AM Best or KBRA, while for
multifamily loans the rating must be provided by AM Best. We do not independently verify the financial condition of
these hazard insurers and rely on these rating agencies for their assessment of the financial condition of these insurers.
To the extent that borrowers suffer property damage as a result of a hazard that is uninsured or underinsured, or the
hazard insurer does not pay their claim, the borrowers may not pay their mortgage loans. If borrowers fail to make
required payments on mortgage loans we own or guarantee, we could experience significant provisions for credit losses
and write-offs on the loans in our book of business.
We estimate that, as of December 31, 2025, only a small portion of loans in our guaranty book of business were located
in a Special Flood Hazard Area, for which we require flood insurance: 3.2% of loans in our single-family guaranty book
of business and 7.3% of loans in our multifamily guaranty book of business. We believe that only a small portion of
borrowers outside of these areas obtain flood insurance. The risk of significant flooding in places outside a Special
Flood Hazard Area is expected to increase due to a number of factors. Furthermore, FEMA flood maps may not
accurately reflect the extent of flood risks in certain areas, and do not indicate how the risk will change in the future.
Single-family borrowers who obtain flood insurance generally rely on the National Flood Insurance Program (“NFIP”),
which requires periodic congressional reauthorization. If Congress fails to extend or re-authorize the program, FEMA
may not have sufficient funds to pay claims for flood damage, and borrowers may not be able to renew their flood
insurance coverage or obtain new policies through the NFIP. In addition, NFIP insurance does not cover temporary
living expenses, and the maximum limit of coverage available under NFIP for a single-family residential property is
$250,000, which may not be sufficient to cover all losses.
Increases in the intensity or frequency of floods or other weather-related disasters may amplify many of these risks.Increases in the intensity or frequency of floods or other weather-related disasters as a result of climate change are expected to increase the foregoing risks. In
some areas, some insurers have ceased writing new coverage or have significantly increased insurance premiums for
certain perils or conditions. As coverage becomes unavailable or prohibitively expensive in an area, home prices or
multifamily property values may experience considerable negative impacts, and borrowers may face greater financial
strain. Ultimately, the desirability of areas that frequently experience hurricanes, wildfires, or other natural disasters or
face chronic weather-related risks such as persistent drought or excessive heat, may diminish over time. This could
adversely affect those regions’ economies, home prices and multifamily property values, which may negatively impact
our financial results or condition. In addition, investors may place greater weight on climate-related risks when making
investment decisions, which could increase our cost or ability to transfer credit risk.
Efforts to address these risks could also affect our business. Changing policies, such as introducing new building codes,
carbon taxes, and energy efficiency requirements, coupled with changing market preferences could increase housing
and compliance costs, impacting borrowers’ ability to pay their mortgage loans.
The occurrence of major natural or other disasters in the United States or its territories could materially
increase our provision for credit losses and our write-offs.
We conduct our business in the single-family and multifamily residential mortgage markets and own or guarantee the
performance of mortgage loans throughout the United States and its territories. The occurrence of a major disruptive
event, such as a major natural or environmental disaster, terrorist attack, cyber attack, pandemic, or similar event, in the
United States or its territories could negatively impact our provision for credit losses and our write-offs on loans in the
affected geographic area or, depending on the magnitude, scope and nature of the event, nationally, in a number of
ways.
A major disruptive event that either damages or destroys single-family or multifamily real estate securing mortgage
loans in our book of business or negatively impacts the ability of borrowers to make principal and interest payments on
mortgage loans in our book of business could increase our delinquency rates, default rates and average loan loss
severity of our book of business in the affected region or regions. The amount of losses we incur following a major
disruptive event is affected by the availability of federal, state, or local assistance to borrowers affected by the event. If
such assistance is unavailable or severely limited following a major disruptive event, it could impact borrowers’ ability to
repay their mortgage loans and adversely affect our business and financial results.
Further, a major disruptive event or a long-lasting increase in the vulnerability of an area to disasters may significantly
discourage housing activity, including homebuilding or home buying and affect borrowers’ ability or willingness to make
payments on their mortgages. It could also deteriorate housing conditions or the general economy in the affected
region, lowering mortgage originations, negatively affecting home prices and multifamily property values, negatively
Fannie Mae 2025 Form 10-K | 32 |
Risk Factors | Credit Risk | ||
impacting the availability, quality and affordability of insurance, and increasing delinquency and default rates. Any of
these outcomes could generate significant provisions for credit losses and write-offs.
Recent years have seen frequent and severe natural disasters in the U.S., including wildfires, hurricanes and severe
flooding. Population growth and an increase in people living in high-risk areas, such as coastal areas vulnerable to
severe storms and flooding, have also increased the impact of these events. Although our financial exposure from these
events is mitigated to the extent our book of business is geographically diverse, we remain exposed to risk, particularly
in connection with the risk of geographically widespread weather events and changes in weather patterns, as well as
geographic areas where our book of business is more heavily concentrated. For a description of the geographic
concentration of our single-family guaranty book of business, see “MD&A—Single-Family Business—Single-Family
Mortgage Credit Risk Management—Single-Family Guaranty Book Diversification and Monitoring,” and for our
multifamily guaranty book of business, see “MD&A—Multifamily Business—Multifamily Mortgage Credit Risk
Management—Multifamily Guaranty Book Diversification and Monitoring.” While many weather‑related perils are
expected to increase in frequency or severity, impacts of such changes remain uncertain. As a result, any continuation
or increase in recent weather trends or their unpredictability, or any single natural disaster of significant scope or
intensity, could have a material impact on our results of operations and financial condition.
Additionally, we do not differentiate our single-family guaranty fee pricing based on geographic area; therefore, we do
not charge higher upfront guaranty fees on single-family loans in geographic areas that may be more susceptible to
natural disaster-related or other major disruptive events. Charging differentiated single-family upfront guaranty fees on
loans in certain geographic areas would require the approval of FHFA as conservator. For a discussion on natural
disaster risk management, see “MD&A—Risk Management—Natural Disaster Risk Management.”
One or more of our institutional counterparties may fail to fulfill their contractual obligations to us, resulting in
financial losses, business disruption and decreased ability to manage risk.
We rely on our institutional counterparties to provide services and credit enhancements that are critical to our business.
We face the risk that one or more of our institutional counterparties may fail to fulfill their contractual obligations to us. If
an institutional counterparty defaults on its obligations to us, it could also negatively impact our ability to operate our
business, as we outsource some of our critical functions to third parties, such as mortgage servicing, single-family
Fannie Mae MBS issuance and administration, and certain technology functions.
Our primary exposures to institutional counterparties are with:
•credit guarantors that provide credit enhancements on the mortgage assets in our guaranty book of business,
including mortgage insurers, reinsurers, and multifamily lenders with risk-sharing arrangements;
•mortgage lenders that sell loans to us and mortgage lenders and other counterparties that service our loans;
and
•the institutions that issue the investments held in our corporate liquidity portfolio.
We also have direct counterparty exposure to: derivatives counterparties; central counterparty clearing institutions;
custodial depository institutions; mortgage originators, investors and dealers; debt security dealers; and document
custodians. We also have counterparty credit risk exposure to Freddie Mac arising from our resecuritization of Freddie
Mac-issued securities, and to the MERS® System.
The concentration of our counterparties in similar or related businesses heightens our counterparty risk exposure. We
routinely enter into a high volume of transactions with counterparties in the financial services industry, including brokers
and dealers, mortgage lenders and commercial banks, and mortgage insurers, resulting in a significant credit
concentration with respect to this industry. We may also have multiple exposures to particular counterparties, as many
of our counterparties perform several types of services for us. For example, our lenders or their affiliates may also act
as derivatives counterparties, mortgage servicers, custodial depository institutions or document custodians. Accordingly,
if one of these counterparties were to become insolvent or otherwise default on its obligations to us, it could harm our
business and financial results in a variety of ways.
An institutional counterparty may default on its obligations to us for a number of reasons, such as changes in financial
condition that affect its credit rating, changes in its servicer rating, a reduction in liquidity, operational failures, a
cybersecurity incident, or insolvency. In the event of a bankruptcy or receivership of one of our counterparties, we may
be required to establish evidence of our ownership rights to the assets these counterparties hold on our behalf to the
satisfaction of the bankruptcy court or receiver, which could result in a delay in accessing these assets causing a
decline in their value. Counterparty defaults or limitations on their ability to do business with us could result in significant
financial losses or hamper our ability to do business or manage the risks to our business. In addition, if we are unable to
replace a defaulting counterparty that performs services critical to our business, it could adversely affect our ability to
conduct our operations and manage risk.
Fannie Mae 2025 Form 10-K | 33 |
Risk Factors | Credit Risk | ||
We have significant exposure to institutions in the financial services industry relating to derivatives, funding, short-term
lending, securities, and other transactions. We depend on our ability to enter into derivatives transactions with our
derivatives counterparties in order to manage the duration and prepayment risk of our retained mortgage portfolio. If we
lose access to our derivatives counterparties, it could adversely affect our ability to manage these risks.
We use clearinghouses to facilitate many of our derivative trades. If the clearinghouse or the clearing member we use to
access the clearinghouse defaults, we could lose margin that we have posted with the clearing member or
clearinghouse. We are also a clearing member of two divisions of Fixed Income Clearing Corporation (“FICC”), a central
counterparty (“CCP”). One FICC division clears our trades involving securities purchased under agreements to resell,
securities sold under agreements to repurchase, and other non-mortgage related securities. The other division clears
our forward purchase and sale commitments of mortgage-related securities, including dollar roll transactions. As a
clearing member of FICC, we are exposed to the risk of losses if the CCP or one or more of the CCP’s clearing
members fails to perform its obligations, because each FICC clearing member is required to absorb a portion of the
losses incurred by other clearing members if they fail to meet their obligations to the clearinghouse. We could also incur
losses associated with replacing transactions cleared through FICC in the event of a default by, or the financial or
operational failure of, FICC. For more information, see “MD&A—Risk Management—Institutional Counterparty Credit
Risk Management—Other Counterparties—Central Counterparty Clearing Institutions.”
We also have indirect counterparty exposure to many different types of entities that provide services and credit
enhancements to our direct counterparties, such as hazard insurers.
Our financial condition and results of operations may be materially adversely affected if mortgage servicers fail
to perform their obligations to us.
We generally delegate the servicing of the mortgage loans in our guaranty book of business to mortgage servicers.
Functions performed by mortgage servicers on our behalf include collecting from borrowers and delivering to Fannie
Mae principal and interest payments, administering escrow accounts, monitoring and reporting delinquencies,
performing default prevention and loss mitigation activities, and other functions. A servicer’s inability or other failure to
perform these functions or to follow our requirements could negatively impact our ability to, among other things: manage
our book of business; collect amounts due to us; actively manage troubled loans; and implement our homeownership
assistance, foreclosure prevention and other loss mitigation efforts.
A decline in a servicer’s performance, such as delayed or missed opportunities for loan workouts, foreclosure
alternatives or foreclosures, could significantly affect our ability to mitigate credit losses and could materially adversely
affect the overall credit performance of the loans in our guaranty book of business. Servicers may experience financial
and other difficulties due to the advances they are required to make on our behalf on delinquent mortgages, including
mortgages subject to forbearance plans. We could be materially adversely affected if our servicers lack appropriate
controls, experience a failure in their controls, or experience a disruption in their ability to service loans, including as a
result of legal or regulatory actions, ratings downgrades, liquidity constraints, operational failures or cybersecurity
incidents. We have experienced losses as a result of servicers’ failure to perform their obligations.
As of December 31, 2025, over half of our single-family guaranty book and over half of our multifamily guaranty book
were serviced by non-depository servicers. The generally lower financial strength and liquidity of non-depository
mortgage servicers compared with depository mortgage servicers may negatively affect their ability to fully satisfy their
financial obligations or to properly service the loans on our behalf. Non-depository servicers also are generally not
subject to the same level of regulatory oversight as our mortgage servicer counterparties that are depository institutions.
Replacing a mortgage servicer can result in potentially significant increases in our costs, as well as increased
operational risks. If a mortgage servicer fails, it could result in a temporary disruption in servicing and loss mitigation
activities relating to the loans serviced by that mortgage servicer, particularly if there is a loss of experienced servicing
personnel. We may also face challenges in transferring a large servicing portfolio. Although we have contingency plans
in the event of a failure of one or more of our mortgage servicers, there can be no assurance that we will be able to
successfully execute against those plans in times of severe economic stress in the mortgage servicing industry.
The actions we have taken to mitigate our risk exposure to mortgage servicers may not be sufficient to prevent us from
experiencing significant financial losses or business interruptions in the event they cannot fulfill their obligations to us.
We may incur losses as a result of claims under our mortgage insurance policies not being paid in full or at all.
We rely heavily on mortgage insurers to provide insurance against borrower defaults on single-family conventional
mortgage loans with LTV ratios over 80% at the time of acquisition. Although our primary mortgage insurer
counterparties currently approved to write new business must meet risk-based asset requirements, there is still a risk
that these mortgage insurers may fail to fulfill their obligations to pay our claims under mortgage insurance policies. If a
currently approved mortgage insurer fails to meet its obligations to pay our claims, our credit losses could increase. In
addition, if a regulator determines that a currently approved mortgage insurer lacks sufficient capital to pay all claims
Fannie Mae 2025 Form 10-K | 34 |
Risk Factors | Credit Risk | ||
when due, the regulator could take action that might affect the timing and amount of claim payments made to us by our
currently approved mortgage insurer counterparties. We face similar risks with respect to our credit insurance risk
transfer counterparties.
With respect to our currently approved primary mortgage insurers, we do not differentiate pricing based on the mortgage
insurer’s strength or operational performance. Additionally, we would not suspend or terminate a primary mortgage
insurer’s status as an eligible insurer unless there were a material violation of our private mortgage insurer eligibility
requirements. Further, we generally do not select the provider of primary mortgage insurance on a specific loan,
because the selection is usually made by the lender at the time the loan is originated. Accordingly, we have limited
ability to manage our concentration risk with respect to primary mortgage insurers.
On at least a quarterly basis, we assess our mortgage insurer counterparties’ respective abilities to fulfill their
obligations to us, and our loss reserves take into account this assessment. If our assessment indicates their ability to
pay claims has deteriorated significantly or if our projected claim amounts have increased, we could experience a
material increase in our provision for credit losses and write-offs.
We could experience additional financial losses due to mortgage fraud.
We use a process of delegated underwriting in which single-family and multifamily lenders make specific
representations and warranties about the characteristics of the mortgage loans we purchase and securitize. As a result,
while we have implemented certain quality control processes, we do not independently verify all borrower information
that is provided to us. This exposes us to an increased risk that one or more of the parties involved in a transaction
(such as the borrower, borrower’s attorney, sponsor, seller, broker, appraiser, property inspector, title agent, lender or
servicer) will engage in fraud by misrepresenting facts about a mortgage loan. Similarly, we rely on delegated servicing
of loans and use of a variety of external resources to assist in asset management functions, including managing our
REO inventory. For a discussion of how we mitigate this risk, see “MD&A—Single-Family Business” and “MD&A—
Multifamily Business.” The use of artificial intelligence technologies by malicious actors could potentially increase the
risks we face from mortgage fraud, as it could make mortgage fraud harder to detect. We have experienced financial
losses resulting from mortgage fraud, including institutional fraud perpetrated by counterparties. In the future, we may
experience additional financial losses as a result of mortgage fraud that could be material to our financial results.
Operational and Model Risk
A failure in our operational systems or infrastructure, or those of third parties or the financial services industry,
could cause material business disruptions, materially adversely affect our business, liquidity, results of
operations and financial condition, and materially harm our reputation.
Shortcomings or failures in our internal processes, people, or systems, third parties, or external events, could
significantly disrupt our business or have a material adverse effect on our risk management, liquidity, financial statement
reliability, financial condition and results of operations. Such a failure could result in legislative or regulatory intervention
or sanctions, liability to counterparties, financial losses, business disruptions and damage to our reputation. For
example, our business is highly dependent on our ability to manage and process, on a daily basis, an extremely large
number of transactions, many of which are highly complex, across numerous and diverse markets that continuously and
rapidly change and evolve. These transactions are subject to various legal, accounting and regulatory standards. Our
financial, accounting, data processing or other operating systems and facilities may fail to operate properly or become
disabled or damaged as a result of a number of factors, including events that are wholly or partially beyond our control,
adversely affecting our ability to process these transactions or manage associated data with reliability and integrity. For
example, third-party changes have negatively affected the functionality and availability of certain of our systems for
certain periods of time, and this could happen again in the future and materially negatively affect our ability to conduct
our business. In addition, we rely on information provided by third parties in processing many of our transactions; that
information may be incorrect or we may fail to properly manage or analyze it or properly monitor its data quality.
We rely upon business processes that are highly dependent on people, technology, data and the use of numerous
complex systems and models to manage our business and produce information upon which our financial statements
and risk reporting are prepared. This reliance increases the risk that we may be exposed to financial, reputational or
other losses because of inadequately designed internal processes or data management architecture, inflexible
technology or the failure of our systems. In addition, our use of third-party service providers for some of our business
and technology functions increases the risk that an operational failure by a third party will adversely affect us. For
example, we use third-party service providers for cloud infrastructure services. We and our customers, suppliers and
other third parties have experienced interruptions in access to our platforms as a result of connectivity issues with third-
party cloud-based platforms and related data centers and could experience disruptions again if there is a lapse of
service, interruption of internet service provider connectivity or damage to third-party cloud-based platforms or any
related data centers. The risk of these disruptions is exacerbated by key fourth-party relationships, in which some of our
Fannie Mae 2025 Form 10-K | 35 |
Risk Factors | Operational and Model Risk | ||
third-party service providers have engaged subcontractors to provide key services and our ability to assess the fourth
party’s operational controls is limited.
We have implemented and continue to enhance our technology, infrastructure, operational controls, governance and
organizational structure to reduce operational risks, but these actions may not fully mitigate these risks. Moreover, some
of our initiatives designed to reduce our operational risk over the long term, particularly those relating to the
implementation of new technology and the ongoing transition to third-party cloud-based platforms, increase our
operational risk over the short term as we implement the changes, as many involve significant changes to our business
processes, controls, systems and infrastructure. If we fail to implement these initiatives in a well-managed, secure and
effective manner, or have gaps in our controls or governance of our cloud-based infrastructure, we may experience
significant unplanned service disruptions or unforeseen costs, which could result in material harm to our business and
results of operations. The high level and pace of organizational change we experienced in 2025 may increase our
operational risk, as well as change our organizational environment in ways that could have a material adverse impact on
our business and risk management processes.
Our ability to manage and aggregate data may be limited by the effectiveness of our policies, programs, processes,
systems and practices that govern how data is acquired, validated, stored, protected, processed and shared. Failure to
manage data effectively and to aggregate data in an accurate and timely manner may limit our ability to manage current
and emerging risks, as well as to manage changing business needs. The increasing use of new third-party and open
source artificial intelligence tools poses additional risks relating to the protection of data, including the potential
exposure of significant proprietary confidential information to unauthorized recipients and the misuse of our intellectual
property. Third-party service providers or other external parties, or our employees, may use artificial intelligence in ways
we have not authorized that may increase our risk of a material loss of our confidential data or intellectual property, or
that create material operational or reputational risks for us.
We use artificial intelligence and machine learning technology to help manage some of the operational risks we face.
Our use of this technology presents risks, including the potential for outages, inefficiencies, data loss, and bias or errors
in the technology’s analysis and conclusions while the technology and our use of the technology matures. Additionally,
the use of artificial intelligence within products or services that we use or that are used by our third-party service
providers may pose similar risks. As a new technology, use of artificial intelligence without sufficient controls,
governance, and risk management may result in increased risks across all of our risk categories. Further, we may be
negatively impacted if we, or our third-party service providers, do not timely develop and apply artificial intelligence, or if
our initiatives in these areas are deficient or fail. Our competitors may be more timely or successful in developing or
integrating artificial intelligence technologies, which could materially adversely impact our business, financial results and
financial condition.
We also face the risk of operational failure, termination or capacity constraints of any of the clearing agents, paying
agents, exchanges, clearinghouses or other financial intermediaries, including the Federal Reserve, we use to facilitate
our securities and derivatives transactions. Moreover, the consolidation and interconnectivity among clearing agents,
exchanges and clearing houses increases the risk of operational failure, on both an individual basis and an industry-
wide basis. Any such failure, termination or constraint could adversely affect our ability to effect transactions or manage
our exposure to risk.
Most of our employees and business operations functions are consolidated in two metropolitan areas: Washington, DC
and Dallas, Texas. A major disruptive event at or affecting either location (such as severe weather, natural disaster,
utility failure, civil unrest, terrorist attack or active shooter) could significantly adversely impact our ability to conduct
normal business operations. Moreover, because of the concentration of our employees in the Washington, DC and
Dallas metropolitan areas, a regional disruption, particularly a disruption with a sustained impact, in one of these areas
could prevent our employees from accessing our facilities, working remotely, or communicating with or traveling to other
locations. Accordingly, the occurrence of one or more major disruptive events could materially adversely affect our ability
to conduct our business and lead to financial losses.
A cyber attack or other cybersecurity incident relating to our systems or those of third parties with which we do
business could have a material adverse impact on our business, financial results and financial condition.
Our operations rely on the secure processing, storage and transmission of confidential and other information (including
personal information) in our computer systems and networks, and those of third parties with which we do business.
Cybersecurity risks for large institutions like us have continued to increase, in part because of the proliferation of new
technologies and the use of the Internet, telecommunications and cloud technologies to conduct financial transactions,
and the increased sophistication and activities of organized crime, hackers, “hacktivists,” terrorists, and other external
parties, including nation-states and foreign state-sponsored threat actors. A number of financial services companies,
consumer-based companies, software and information technology service providers, and other organizations have
reported the unauthorized access or disclosure of client, customer or other confidential information (including personal
Fannie Mae 2025 Form 10-K | 36 |
Risk Factors | Operational and Model Risk | ||
information), as well as cybersecurity incidents involving the dissemination, theft or destruction of corporate information
or other assets. There have also been many highly publicized cyber attacks where threat actors have requested
“ransom” payments in exchange for not disclosing stolen customer information or for restoring access to the company’s
systems. In addition, there have been cyber attacks against companies where threat actors have misled company
personnel into granting unauthorized access or making unauthorized transfers of funds to the actors’ accounts. Global
events and geopolitical instability have also led to increased nation-state targeting of financial institutions in the U.S. and
abroad.
We have been, and expect to continue to be, the target of cyber attacks and other cybersecurity threats, such as
computer viruses, malware, ransomware, denial of service attacks, phishing and other social engineering attacks, and
data breaches, from various actors, including foreign state-sponsored threat actors, cyber criminals and others. We also
have experienced, and expect to continue to experience, incidents such as server malfunctions, system outages, and
software or hardware failures. We could also be materially adversely affected by cybersecurity incidents that target the
infrastructure of the Internet and critical service providers, as such incidents could cause widespread unavailability of
websites, applications and application programming interfaces (“APIs”), and degrade website, application and API
performance. Despite our efforts to protect the integrity of our systems and information, we may not be able to
anticipate, detect or recognize all cybersecurity threats, or to implement effective preventative measures against all
cybersecurity threats, especially because the techniques used in cyber attacks are increasingly sophisticated, change
frequently, and in some cases are not recognized until launched or even later.
Our risk and exposure to cyber attacks and other cybersecurity incidents remain heightened because of, among other
things:
•the evolving nature and increasing frequency of these threats, including the emergence of powerful new
technologies to assist threat actors in cyber attacks, such as generative artificial intelligence, machine learning
and quantum computing;
•the persistence, sophistication and intensity of cybersecurity threats;
•our prominent size and scale and our role in the financial services industry;
•the outsourcing of some of our business operations;
•our use of, as well as our third parties’ use of, automation, artificial intelligence and robotics;
•a shortage of qualified cybersecurity professionals in the industry;
•our ongoing migration to cloud-based systems;
•our use of employee-owned devices for business communication;
•hybrid or remote working arrangements at our company and many third parties;
•the interconnectivity and interdependence of external parties to our systems; and
•the current global economic and political environment.
We routinely identify cybersecurity threats as well as vulnerabilities in our systems and work to address or mitigate
those we have identified. We also become aware of vulnerabilities in the systems of third parties with which we do
business. Some cybersecurity vulnerabilities take a substantial amount of time and coordination to resolve or mitigate. Some cybersecurity vulnerabilities take a substantial amount of time to resolve or mitigate.
We continue to have cybersecurity vulnerabilities that we have identified but not resolved or mitigated. In addition,
efforts to resolve or mitigate some of our cybersecurity vulnerabilities may be unsuccessful and some cybersecurity
vulnerabilities may not be possible to resolve. We may also have cybersecurity vulnerabilities that we have not yet
identified.
Cyber attacks can originate from a variety of sources, including external parties who are, or who are affiliated with,
foreign governments or are involved with organized crime or terrorist organizations. Cybersecurity risks also derive from
human error, fraud or malice on the part of our employees or third parties. Threat actors have attempted, and we expect
will continue to attempt, to induce employees, lenders, servicers, vendors, service providers, counterparties or other
users of our systems to disclose confidential and other information (including personal information) or provide access to
our systems or network, or to our data or that of our counterparties or borrowers, and these types of risks may be
difficult to detect or prevent.
The increasing sophistication of artificial intelligence technologies poses a greater risk of identity fraud, as threat actors
may exploit artificial intelligence to create convincing false identities or manipulate verification processes. Hybrid or
remote working arrangements at our company and many third parties also increases the risk associated with worker
identity fraud. Failure to manage these risks or to implement effective countermeasures could lead to unauthorized
transactions, financial losses, loss of confidential and other information (including personal information), reputational
damage and increased regulatory scrutiny that have a material impact on our business, financial results or financial
Fannie Mae 2025 Form 10-K | 37 |
Risk Factors | Operational and Model Risk | ||
condition. In addition, to the extent that new computing technologies, such as quantum computing, vastly increase the
speed and computing power available to threat actors, it increases the risk that encryption and other protective
measures we take may be defeated. Emerging technologies may also assist threat actors in finding cybersecurity
vulnerabilities, as well as in obfuscating their cyber attacks.
Cybersecurity incidents from time to time could result in the theft of important assets or the unauthorized disclosure,
gathering, monitoring, misuse, corruption, loss or destruction of confidential and other information (including personal
information) that belongs to us, our lenders, our servicers, our counterparties, third-party service providers or borrowers
that is processed and stored in, and transmitted through, our computer systems and networks. These incidents could
also result in damage to our systems or otherwise cause interruptions or malfunctions in our, our lenders’, our
counterparties’ or third parties’ operations, systems or networks, which could disrupt our day-to-day business activities
and negatively affect our ability to effect business transactions and manage our exposure to risk. We have experienced
cybersecurity incidents and some of these incidents have resulted in disruptions to our systems and/or those of our
lenders, counterparties and other third parties, as well as financial losses. While to date the impact of these incidents
has not been material to our business strategy, business, financial results or financial condition, cybersecurity incidents
could result in financial losses, loss of lenders, servicers and business opportunities, reputational damage, damage to
our competitive position, litigation, regulatory fines, penalties or intervention, reimbursement or other compensatory
costs or other harms that have a material adverse impact on our business strategy, business, financial results or
financial condition.
Cyber attacks or other cybersecurity incidents can persist for an extended period of time without detection. It may take
considerable time to complete an investigation of a cybersecurity incident and obtain full and reliable information. While
we are investigating a cybersecurity incident, we may not know the full impact of the incident or how to remediate it, and
actions and decisions that are taken or made may further increase the negative impact of the incident. In addition,
announcing that a cyber attack or cybersecurity incident has occurred may worsen the impact of the attack or incident,
and may increase the risk of additional cyber attacks. All or any of these challenges could further increase the costs and
consequences of a cybersecurity incident, as well as hinder our ability to obtain and provide rapid, complete and reliable
information about a cybersecurity incident. We may be required to expend significant additional resources to modify or
add to our protective measures and to investigate and remediate vulnerabilities or other exposures arising from
cybersecurity risks.
Although we maintain insurance coverage relating to cybersecurity risks, our insurance may not be sufficient to provide
adequate loss coverage (including if the insurer denies future claims) and may not continue to be available to us on
economically reasonable terms, or at all. Further, we cannot ensure that any indemnification or limitation of liability
provisions in our agreements with lenders, servicers, service providers, vendors, counterparties and other third parties
with which we do business would be enforceable or adequate or would otherwise protect us from liabilities or damages
with respect to a particular claim in connection with a cybersecurity incident.
Third parties with which we do business and our regulators are also sources of cybersecurity risk. Because we are
interconnected with and dependent on third-party vendors, lenders, servicers, exchanges, clearing houses, fiscal and
paying agents, and other financial intermediaries, including U.S. FinTech, we could be materially adversely impacted if
any of them is subject to a successful cyber attack or other cybersecurity incident. Some of the third parties with which
we do business have experienced, and we expect will continue to experience, cybersecurity incidents. While third-party
cybersecurity incidents have not had a material impact on our business to date, the inability of a third party with which
we do business to meet its obligations to us as a result of a cybersecurity incident, our response to such an incident, or
other consequences of the incident could materially adversely affect our business.
We routinely transmit and receive personal, confidential and proprietary information by electronic means. We also share
this type of information with regulatory agencies and their vendors. We outsource certain functions and these
relationships allow for the external storage and processing of our information, as well as lender, servicer, counterparty
and borrower information, including on cloud-based systems. In addition, our lenders and servicers maintain personal,
confidential and proprietary information, including borrower personal information. While we engage in actions to mitigate
our exposure resulting from our information-sharing activities with lenders, servicers, regulatory agencies, vendors,
service providers, counterparties and other third parties to protect against cybersecurity incidents, we cannot ensure
that these third parties have appropriate controls in place to protect the confidentiality of the information. An interception,
misuse or mishandling of personal, confidential or proprietary information being sent to, received from, or maintained by
a lender, servicer, regulatory agency, vendor, service provider, counterparty or other third party could result in legal
liability, fines, regulatory action and reputational harm that have a material adverse impact on our business, financial
results or financial condition.
Fannie Mae 2025 Form 10-K | 38 |
Risk Factors | Operational and Model Risk | ||
Material weaknesses in our internal control over financial reporting could result in errors in our reported
results or disclosures that are not complete or accurate.
Management has determined that, as of the date of this filing, we have ineffective disclosure controls and procedures
that result in a material weakness in our internal control over financial reporting. In addition, our independent registered
public accounting firm, Deloitte & Touche LLP, has expressed an adverse opinion on our internal control over financial
reporting because of the material weakness. Our ineffective disclosure controls and procedures and material weakness
could result in errors in our reported results or disclosures that are not complete or accurate, which could have a
material adverse effect on our business and operations.
Our material weakness relates specifically to the impact of the conservatorship on our disclosure controls and
procedures. Because we are under the control of FHFA, some of the information that we may need to meet our
disclosure obligations may be solely within the knowledge of FHFA. As our conservator, FHFA has the power to take
actions without our knowledge that could be material to our stockholders and other stakeholders, and could significantly
affect our financial performance or our continued existence as an ongoing business. Because FHFA currently functions
as both our regulator and our conservator, there are inherent structural limitations on our ability to design, implement,
operate and test effective disclosure controls and procedures relating to information known to FHFA. As a result, we
have not been able to update our disclosure controls and procedures in a manner that adequately ensures the
accumulation and communication to management of information known to FHFA that is needed to meet our disclosure
obligations under the federal securities laws, including disclosures affecting our financial statements. Given the
structural nature of this material weakness, we do not expect to remediate this material weakness while we are under
conservatorship. See “Controls and Procedures” for further discussion of management’s conclusions on our disclosure
controls and procedures and internal control over financial reporting.
Failure of our models to produce reliable outputs may materially adversely affect our ability to manage risk and
make effective business decisions, as well as create regulatory and reputational risk.
We make significant use of quantitative models to measure and monitor our risk exposures and to manage our
business. For example, we use models to measure and monitor our exposures to interest rate, credit and market risks,
and to forecast credit losses. We use this information in making business decisions relating to strategies, initiatives,
transactions, pricing and products.
Models are inherently imperfect predictors of actual results because they are based on historical data and assumptions
regarding factors such as future loan demand, borrower behavior, creditworthiness and home price trends. Other
potential sources of inaccurate or inappropriate model results include errors in computer code, inaccurate or incomplete
data, misuse of data, or use of a model for a purpose outside the scope of the model’s design. Modeling often assumes
that historical data or experience can be relied upon as a basis for forecasting future events, an assumption that may be
especially tenuous in the face of unprecedented events, such as the COVID-19 pandemic. The introduction of new
products or activities also presents modeling challenges and risks, as there may be limited or no historical performance
data available upon which to train our models.
Given the challenges of predicting future behavior, management judgment is used throughout the modeling process,
from model design decisions regarding core underlying assumptions, to interpreting and applying final model output.
When market conditions change quickly and in unforeseen ways, there is an increased risk that the model assumptions
and data inputs for our models are not representative of the most recent market conditions, which requires management
to apply its judgment to make adjustments or overrides to our models. In a rapidly changing environment, it may not be
possible to update existing models quickly enough to properly account for the most recently available data and events.
In addition, in periods of low transaction volume for certain types of assets, the limited data available may reduce the
reliability of model outputs.
We also use third-party models that expose us to additional risks beyond those for internally-developed models. We
often have limited visibility into the third-party’s model methodology and change management process. In addition, in
some instances we rely on third-party data providers to develop and provide estimates and other data for our models.
This reliance on third-party data providers exposes us to risk should the data provider cease to provide the data going
forward, change its methodology or fail to meet our data quality standards, which could require that we find a suitable
replacement for the data and could result in the need to re-estimate our models with the new data, or we may be
required to operate our models without the data.
We currently use artificial intelligence and machine learning techniques in our models, and expect to increase our use of
these modeling techniques. The use of new artificial intelligence and machine learning technology in our models
presents risks, such as the risk of undetected bias in the model and the limited ability to understand and challenge the
model due to a limited ability to observe the internal workings of many machine learning models. Further, we use
artificial intelligence models developed by third parties, and, to that extent, are dependent in part on the manner in
which those third parties develop and train their models, including risks arising from the inclusion of any unauthorized
Fannie Mae 2025 Form 10-K | 39 |
Risk Factors | Operational and Model Risk | ||
material in the training data for their models, and the effectiveness of the steps these third parties have taken to limit the
risks associated with the output of their models, matters over which we may have limited visibility.
To the extent our internal models or the third-party models that we use fail to produce reliable outputs on an ongoing
basis, we may not make appropriate business and risk management decisions, including decisions affecting loan
purchases, guaranty fee pricing, management of credit losses, and asset and liability management. While we employ
strategies to manage and govern the risks associated with our use of models, they have not always been fully effective.
Errors were previously discovered in some of the models we use, and we continue to have deficiencies in our current
processes for managing model risk. And we have experienced instances where model failures have adversely affected
our business and risk management decisions, and resulted in errors in our external disclosures. As noted in “MD&A—
Risk Management—Model Risk Management,” we have completed remediation of our model governance and
standards, and are in the process of implementing the updated governance and standards across our modeling
inventory. Until these remediation activities are completed, we face a higher risk that we may make inappropriate
business or risk management decisions based on unreliable model outputs that could materially negatively affect our
financial results and condition, and result in material errors in our external disclosures that create regulatory and
reputational risk.
Also see the risk factor below in “General Risk” for a discussion of the risks associated with the use of models in our
accounting methods.
Liquidity Risk
Limitations on our ability to access the debt capital markets could have a material adverse effect on our ability
to fund our operations, and our liquidity contingency plans may be difficult or impossible to execute during a
sustained liquidity crisis.
Our ability to fund our business depends in part on our ongoing access to the debt capital markets. Market concerns
about matters such as the extent of government support for our business and debt securities, the future of our business
(including future profitability, future structure, regulatory actions and our status as a government-sponsored enterprise)
and the creditworthiness of the U.S. government could cause a severe negative effect on our access to the unsecured
debt markets, particularly for long-term debt. We believe that our ability in recent years to issue debt of varying
maturities at attractive pricing resulted from federal government support of our business. As a result, we believe that our
status as a government-sponsored enterprise and continued federal government support are essential to maintaining
our access to debt funding. Changes or perceived changes in federal government support of our business, our debt
securities or our status as a government-sponsored enterprise could materially and adversely affect our ability to fund
our business. There can be no assurance that the government will continue to support our business or our debt
securities, or that our current level of access to debt funding will continue. If our senior preferred stock purchase
agreement with Treasury is amended to reduce its support for our debt securities issued after such amendment, it could
materially increase our borrowing costs or materially adversely affect our access to the debt capital markets.
U.S. banking regulators currently recognize our debt as a high quality liquid asset for U.S.-regulated financial
institutions. Any regulatory or other changes causing our debt to no longer be considered a high quality liquid asset
could significantly increase our debt funding costs or reduce our ability to issue debt.
The Federal Reserve Banks provide us with fiscal agency and depository services, and we make extensive use of the
Federal Reserve Banks’ payment systems in our daily business activities. We are required to fully fund our payment
accounts at the Federal Reserve Bank of New York to the extent necessary to cover principal and interest payments on
our debt and mortgage-related securities each day. The Federal Reserve Bank of New York, acting as our fiscal agent,
will initiate payments to depository institutions, which will credit the accounts of the holders of our securities. Although
we maintain access to various sources of intraday liquidity, such access is not guaranteed. If we have insufficient
resources to fully fund our Federal Reserve payment accounts on a given day, there could be delays in the payments on
our securities. Unlike depository financial institutions, we do not currently have access to the Federal Reserve’s
discount window, nor are we allowed to overdraw our Federal Reserve accounts during the business day.
Future changes or disruptions in the financial markets could significantly change the amount, mix and cost of funds we
obtain, as well as our liquidity position. If we are unable to issue a sufficient amount of short- and long-term debt
securities at attractive rates, it could interfere with the operation of our business and have a material adverse effect on
our liquidity, results of operations, financial condition and net worth.
Our liquidity contingency plans may be difficult or impossible to execute during a sustained market liquidity crisis. If the
financial markets experience substantial volatility in the future, it could significantly adversely affect the amount, mix and
cost of funds we obtain, as well as our liquidity position. If we cannot access the unsecured debt markets, our ability to
repay maturing indebtedness and fund our operations could be significantly impaired. In this event, our alternative
source of liquidity, our corporate liquidity portfolio, may not be sufficient to meet our liquidity needs. As noted in “MD&A
Fannie Mae 2025 Form 10-K | 40 |
Risk Factors | Liquidity Risk | ||
—Retained Mortgage Portfolio,” we expect to continue to increase our holdings of agency MBS and intend to fund these
purchases primarily through cash from business operations, the sale of assets in our corporate liquidity portfolio and the
issuance of additional debt securities. As a result, the size of our corporate liquidity portfolio may decline from its current
level.
A decrease in the credit ratings on our senior unsecured debt could increase our borrowing costs and have an
adverse effect on our ability to issue debt on reasonable terms, particularly if such a decrease were not based
on a similar action on the credit ratings of the U.S. government. A decrease in our credit ratings could also
require that we post additional collateral for our derivatives contracts.
A reduction in our credit ratings could materially adversely affect our liquidity, our ability to conduct our normal business
operations, our financial condition and our results of operations. Credit ratings on our senior unsecured debt, as well as
the credit ratings of the U.S. government, are primary factors that could affect our borrowing costs and our access to the
debt capital markets. Credit ratings on our debt are subject to revision or withdrawal at any time by the rating agencies.
Actions by governmental entities impacting the support our business or our debt securities receive from Treasury could
adversely affect the credit ratings on our senior unsecured debt. If our senior preferred stock purchase agreement with
Treasury is amended to reduce its support for our debt securities issued after such amendment, it could result in a
downgrade in the credit ratings on our senior unsecured debt.
Because we rely on the U.S. government for capital support, in recent years, when a rating agency has taken an action
relating to the U.S. government’s credit rating, they have taken a similar action relating to our ratings at approximately
the same time. S&P Global Ratings (“S&P”), Moody’s Ratings (“Moody’s”) and Fitch Ratings (“Fitch”) have all indicated
that they would likely lower their ratings on the debt of Fannie Mae and certain other government-related entities if they
were to lower their ratings on the U.S. government. As a result, if a failure to raise the debt limit, a government
shutdown or other event results in downgrades of the government’s credit rating, our credit ratings are likely to be
similarly downgraded.
A reduction in our credit ratings could also cause certain derivatives counterparties to demand that we post additional
collateral for our derivative contracts or to terminate our contracts. Additionally, a reduction in our credit ratings could
reduce investor demand for our MBS. Our credit ratings, ratings outlook and additional collateral requirements are
described in “MD&A—Liquidity and Capital Management—Liquidity Management—Credit Ratings” and “Note 9,
Derivative Instruments.”
Market and Industry Risk
Changes in interest rates or limitations on our ability to manage interest-rate risk successfully could materially
adversely affect our financial results and condition, and increase our interest-rate risk.
We are subject to interest-rate risk, which is the risk that movements in interest rates will adversely affect the value of
our assets or liabilities or our future earnings or capital. Our exposure to interest-rate risk primarily arises from two
sources: (1) our “net portfolio,” which we define as: our retained mortgage portfolio assets, our corporate liquidity
portfolio, outstanding debt of Fannie Mae, mortgage commitments and risk management derivatives; and (2) our
consolidated MBS trusts. We describe these risks and how we manage these risks in “MD&A—Risk Management—
Market Risk Management, including Interest-Rate Risk Management.” Changes in interest rates affect both the value of
our mortgage and other assets and prepayment rates on our mortgage loans, which could have a material adverse
effect on our financial results and condition, as well as our liquidity. Changes in interest rates also affect the earnings on
our investments in our corporate liquidity portfolio and retained mortgage portfolio. The impact on our business and
financial results from changes in interest rates can depend on many factors, including but not limited to the size and
composition of our retained mortgage portfolio, corporate liquidity portfolio and guaranty book of business, as well as
market and economic conditions.
Our ability to manage interest-rate risk depends on our ability to issue debt instruments with a range of maturities and
other features, including call provisions, at attractive rates and to engage in derivatives transactions. We must exercise
judgment in selecting the amount, type and mix of debt and derivative instruments that will most effectively manage our
interest-rate risk. The amount, type and mix of financial instruments that are available to us may not offset possible
future changes in the spread between our borrowing costs and the interest we earn on our mortgage assets. We mark
to market changes in the estimated fair value of our derivatives through our earnings on a quarterly basis, but we do not
similarly mark to market changes in some of the financial instruments that generate our interest-rate risk exposures. As
a result, changes in interest rates, particularly significant changes, can have an adverse effect on our earnings and net
worth, depending on the nature of the changes and the derivatives and short-term investments we hold at that time.
Although we have a hedge accounting program that is designed to reduce the volatility of our financial results
associated with changes in benchmark interest rates, our hedge accounting program does not eliminate all potential
earnings volatility associated with changes in interest rates. Decreasing interest rates would likely reduce the amounts
Fannie Mae 2025 Form 10-K | 41 |
Risk Factors | Market and Industry Risk | ||
that we earn on our corporate liquidity portfolio, as we tend to earn lower yields on this portfolio in a declining interest
rate environment.
We have experienced significant fair value losses in some periods due to changes in interest rates. Our hedge
accounting program is specifically designed to address the volatility of our financial results associated with changes in
fair value related to changes in the benchmark interest rates. As such, earnings variability driven by other factors, such
as spreads or the timing of when we recognize deferred guaranty fee income, remains. We describe how the timing of
when we recognize deferred guaranty fee income is sensitive to mortgage interest rates in “MD&A—Key Market
Economic Indicators” and “MD&A—Consolidated Results of Operations—Net Interest Income.” In addition, our ability to
effectively reduce earnings volatility is dependent on having the right mix and volume of interest-rate swaps available.
As our portfolio of interest-rate swaps varies over time, our ability to reduce earnings volatility through hedge accounting
may vary as well.
Changes in interest rates also can affect our loss reserves and provision for credit losses. When interest rates increase,
our credit losses from loans with adjustable payment terms may increase as borrower payments increase at their reset
dates, which increases the borrower’s risk of default. Rising interest rates may also reduce the opportunity for these
borrowers to refinance into a fixed-rate loan. Similarly, many borrowers may have additional debt obligations, such as
home equity lines of credit and second liens, that also have adjustable payment terms. If a borrower’s payment on his or
her other debt obligations increases due to rising interest rates or a change in amortization, it increases the risk that the
borrower may default on a loan we own or guarantee. Rising interest rates also typically reduce expected future loan
prepayments, which tends to lengthen the expected life of our loans and therefore generally increases the probability of
default on the loans and therefore our loss reserves. When interest rates decrease, it can result in an increase in our
acquisition of refinance loans; the enterprise regulatory capital framework requires higher capital on refinance loans
than on purchase loans.
Increases in interest rates may also reduce the ability of multifamily borrowers to refinance their loans, which often have
balloon balances at maturity. In addition, in a rising interest rate environment, multifamily borrowers with adjustable-rate
mortgages may have difficulty paying higher monthly payments if property operating income is not increasing at a
similar pace. While we generally require multifamily borrowers with adjustable-rate mortgages to purchase an interest
rate cap to protect against large movements in interest rates, purchasing or replacing these required interest rate caps,
especially those with longer terms and/or lower strike rates, becomes more expensive as interest rates rise.
Changes in interest rates also typically affect our business volume. A higher interest rate environment generally results
in lower business volumes, as fewer loans may benefit from refinancing and the higher cost of borrowing reduces
affordability, driving lower mortgage volumes. A reduction in our business volume can reduce our net interest income
and adversely affect our financial results. Interest rate increases also can negatively affect the demand for and liquidity
of our MBS or result in slowdowns in home price growth, home price declines or declines in multifamily property values,
which also could adversely affect our results of operations, net worth and financial condition.
Changes in spreads could materially impact the fair value of our net assets, and therefore our results of
operations and net worth.
Spread risk is the risk from changes in an instrument’s value that relate to factors other than changes in interest rates.
We can experience losses from changes in the spreads between our financial assets, including mortgage purchase and
sale commitments, and our financial liabilities, including the derivatives we use to hedge our position. Changes in
market conditions, including changes in interest rates, liquidity, prepayment and default expectations, and the level of
uncertainty in the market for a particular asset class may cause fluctuations in spreads. Changes in mortgage spreads
have contributed to significant volatility in our financial results in certain periods, due to fluctuations in the estimated fair
value of the financial instruments that we mark to market through our earnings, and this could occur again in a future
period. Changes in mortgage spreads could cause significant fair value losses, and could adversely affect our near-term
financial results and net worth. If our agency MBS holdings increase as we expect, as described in “MD&A—Retained
Mortgage Portfolio,” it will increase our exposure to spread risk. Spread risk is intrinsic to our business model. While we
monitor our spread risk exposure and manage the risk where feasible and appropriate, we do not seek to fully mitigate
this risk and accept some level of spread risk. See “MD&A—Risk Management—Market Risk Management, including
Interest-Rate Risk Management—Other Market Risk” for additional discussion of spread risk.
Our business and financial results are affected by general economic conditions, including home prices and
employment trends, and changes in economic conditions or financial markets may materially adversely affect
our business and financial condition. Volatility or uncertainty in global, regional or domestic political
conditions also can significantly affect economic conditions and financial markets.
In general, a prolonged period of slow growth in the U.S. economy or a deterioration or volatility in general economic
conditions or financial markets could materially adversely affect our results of operations, net worth and financial
condition. Our business is significantly affected by the status of the U.S. economy, including home prices and
Fannie Mae 2025 Form 10-K | 42 |
Risk Factors | Market and Industry Risk | ||
employment trends, as well as economic growth rates, interest rates and inflation rates. For example, see a risk factor
above in “Credit Risk” for a discussion of how worsening economic conditions could negatively affect the credit
performance of loans in our guaranty book of business and result in materially higher provisions for credit losses and
write-offs. Deterioration in economic conditions also typically results in reduced housing market activity, which reduces
our business volume. As noted in a risk factor above, a reduction in our business volume can reduce our net interest
income and adversely affect our financial results.
Global economic conditions can also adversely affect our business and financial results. Changes or volatility in market
conditions resulting from deterioration in or uncertainty regarding global economic conditions can adversely affect the
value of our assets, which could materially adversely affect our results of operations, net worth and financial condition.
To the extent global economic conditions negatively affect the U.S. economy, they also could negatively affect the credit
performance of the loans in our book of business.
Volatility or uncertainty in global, regional or domestic political conditions also can significantly affect economic
conditions and financial markets, including volatility or uncertainty in connection with additional changes the
Administration may implement relating to trade, fiscal or immigration policies. Global, regional or domestic political
unrest also could affect growth and financial markets.
We describe above the risks to our business posed by changes in interest rates and changes in spreads. In addition,
future changes, disruptions or volatility in financial markets as a result of global, regional or domestic economic or
political conditions could significantly change the amount, mix and cost of funds we obtain, as well as our liquidity
position.
Legal and Regulatory Risk
Regulatory changes in the financial services industry and shifts in monetary policy may negatively impact our
business.
Changes in the regulation of the financial services industry are affecting and are expected to continue to affect many
aspects of our business. Such changes could affect our business directly or indirectly if they affect our lenders and other
counterparties. The Administration or Congress may implement changes in the regulation of the financial services
industry or in fiscal or monetary policy that substantially affect our business and financial results, including investor
demand for our debt securities, MBS and credit risk transfer transactions, the amount and credit quality of the loans we
acquire, and the servicing of our loans. For example, changes in regulations applicable to U.S. banks could affect the
volume and characteristics of mortgage loans available in the market for us to purchase, and could also affect demand
for our MBS and debt securities, as U.S. banks purchase a large amount of our MBS and debt securities. New or
revised liquidity or capital requirements applicable to U.S. banks could materially affect banks’ willingness to deliver
loans to us and to service our loans, as well as demand by those banks for our MBS and debt securities. In addition,
developments in connection with the single-counterparty credit limit regulations, including those taken in anticipation of
our potential future exit from conservatorship, could also cause our lenders and investors to change their business
practices.
Our business is significantly affected by shifts in fiscal and monetary policies, particularly actions taken by the Federal
Reserve. The actions of the Federal Reserve, Treasury, the OCC, the FDIC, the SEC, the CFTC, the CFPB, and
international central banking authorities directly or indirectly impact financial institutions’ cost of funds for lending,
capital-raising and investment activities, which could increase our borrowing costs or make borrowing more difficult for
us. Changes in monetary policy are beyond our control and can be difficult to anticipate. The Federal Reserve currently
holds a significant amount of mortgage-backed securities issued by us, Freddie Mac and Ginnie Mae. At the time of this
filing, the Federal Reserve has not announced any plans to begin selling the mortgage-backed securities in its portfolio.
If the Federal Reserve announces such a plan or changes its announced strategy to reduce its mortgage-backed
securities holdings, it could reduce the current level of demand for our MBS, which could adversely affect our results of
operations, net worth and financial condition.
Legislative and regulatory changes could affect us in substantial and unforeseeable ways and could have a material
adverse effect on our business, results of operations, financial condition, liquidity and net worth.
Legislative, regulatory or judicial actions, and changes in interpretations of laws, regulations or accounting
standards, could negatively impact our business, results of operations, financial condition, liquidity or net
worth.
Legislative, regulatory or judicial actions at the federal, state or local level could negatively impact our business, results
of operations, financial condition, liquidity or net worth. Legislative, regulatory or judicial actions could affect us in a
number of ways, including by imposing significant additional costs on us, diverting management attention or other
resources from other matters, or increasing our operational risk. We could also be affected by:
Fannie Mae 2025 Form 10-K | 43 |
Risk Factors | Legal and Regulatory Risk | ||
•Further actions taken by the U.S. Congress, Treasury, the Federal Reserve, FHFA or other national, state or
local government agencies or legislatures in response to emergencies, such as expanding or extending our
obligations to help borrowers, renters or counterparties.
•Designation as a systemically important financial institution by the Financial Stability Oversight Council
(“FSOC”). We have not been designated as a systemically important financial institution; however, FSOC
announced in 2020 that it will continue to monitor the secondary mortgage market activities of the government-
sponsored enterprises to ensure potential risks to financial stability are adequately addressed. Designation as a
systemically important financial institution would result in our becoming subject to additional regulation and
oversight by the Federal Reserve Board.
•Other agencies of the U.S. government or Congress asking us to take actions to support the housing and
mortgage markets or in support of other goals. For example, in December 2011, Congress enacted the TCCA
under which we increased our guaranty fee on all single-family mortgages delivered to us by 10 basis points.
The revenue generated by this fee increase is paid to Treasury. In November 2021, the Infrastructure
Investment and Jobs Act was enacted, which extended to October 1, 2032 our obligation under the TCCA to
collect 10 basis points in guaranty fees on single-family mortgages delivered to us and pay the associated
revenue to Treasury.
The laws, regulations and accounting standards that apply to our business are often complex and, in many cases, we
must make interpretive decisions regarding the application of those laws, regulations and accounting standards to our
business activities. Changes in interpretations, whether in response to regulatory guidance, industry conventions, our
own reassessments or otherwise, could adversely affect our business, results of operations or ability to satisfy
applicable regulatory requirements.
We face risk of non-compliance with our legal and regulatory obligations, which could have a material adverse
impact on our business, financial results and financial condition.
We operate in a highly regulated industry and are subject to heightened supervision from FHFA, as both our regulator
and our conservator. Our compliance systems and programs may not be adequate to confirm that we are in compliance
with all legal, regulatory, and other requirements as the requirements continue to evolve. We also rely upon third parties
and their respective compliance risk management programs. The failure or limits of any such third-party compliance
programs may expose us to legal and compliance risk. Our reliance on and interdependence with third parties is further
illustrated by the number and complexity of our contracts. These contracts expose us to the risk that we could fail to
perform our obligations in a satisfactory manner and that a contractual counterparty could commence legal proceedings
against us for deficiencies related to our performance. If we fail to comply with our legal and regulatory obligations, it
could result in enforcement actions, investigations, fines, monetary and other penalties, additional restrictions on our
business activities imposed by FHFA, and harm to our reputation that may adversely affect our results of operations and
financial condition.
Privacy and cybersecurity are currently areas of considerable legislative and regulatory attention, with new or modified
laws, regulations, rules and standards being frequently adopted and potentially subject to divergent interpretation or
application in different jurisdictions in a manner that may create inconsistent or conflicting requirements for businesses.
The uncertainty created by these legislative and regulatory developments is compounded by the rapid pace of
technology development, including in artificial intelligence and quantum computing, that affect the use or security of
data, including personal information. Our business manages and holds a large volume of data, including a large volume
of personal information. Privacy and cybersecurity laws and regulations often impose strict requirements on the
collection, storage, handling, use, disclosure, transfer, security, and other processing of personal information. These
laws and regulations, combined with our evolving data footprint, may increase our compliance costs and require
additional changes to our business and operations. An actual or perceived failure to comply with these laws and
regulations or contractual obligations by us, or by our lenders, servicers, vendors, service providers, counterparties and
our other third parties, could result in legal liabilities, fines, regulatory action and reputational harm that have a material
adverse impact on our business, financial results and financial condition. In addition, compliance with new or changing
laws, regulations or industry standards relating to artificial intelligence may impose significant additional operational
risks and costs.
Our business and financial results could be materially adversely affected by legal or regulatory proceedings.
We are a party to various claims and other legal proceedings. We are periodically involved in government
investigations. We may be required to establish accruals and to make substantial payments in the event of adverse
judgments or settlements of any such claims, investigations or proceedings, which could have a material adverse effect
on our business, results of operations, financial condition, liquidity and net worth. For example, due to a judgment
against us in two cases consolidated for trial in the U.S. District Court for the District of Columbia, which are described
in “Note 17, Commitments and Contingencies” and “Legal Proceedings,” we accrued a total of $545 million from 2023
Fannie Mae 2025 Form 10-K | 44 |
Risk Factors | Legal and Regulatory Risk | ||
through 2025 relating to the jury verdict and related awards of prejudgment and post-judgment interest. Any legal
proceeding or governmental investigation, even if resolved in our favor, could result in negative publicity, reputational
harm or cause us to incur significant legal and other expenses. In addition, responding to these matters could divert
significant internal resources away from managing our business.
General Risk
In many cases, our accounting policies and methods, which are fundamental to how we report our financial
condition and results of operations, require management to make judgments and estimates about matters that
are inherently uncertain. Management also relies on models in making these estimates.
Our management must exercise judgment in applying many of our accounting policies and methods so that they comply
with GAAP and reflect management’s judgment of the most appropriate manner to report our financial condition and
results of operations. In some cases, management must select the appropriate accounting policy or method from two or
more acceptable alternatives, any of which might be reasonable under the circumstances but might affect the amounts
of assets, liabilities, revenues and expenses that we report. See “Note 1, Summary of Significant Accounting Policies”
for a description of our significant accounting policies.
We have identified one of our accounting estimates, allowance for loan losses, as critical to the presentation of our
financial condition and results of operations, as described in “MD&A—Critical Accounting Estimates.” We believe this
estimate is critical because it involves significant judgments and assumptions about highly complex and inherently
uncertain matters, and the use of reasonably different judgments and assumptions could have a material impact on our
reported results of operations or financial condition.
Because our financial statements involve estimates for amounts that are very large, even a small change in the estimate
can have a significant impact for the reporting period. For example, because of the large size of our allowance for loan
losses, even a change that has a small impact relative to the size of this allowance can have a meaningful impact on
our results for the quarter in which we make the change.
Many of our accounting methods involve substantial use of models, which are inherently imperfect predictors of actual
results because they are based on historical data and assumptions to project future events. For example, we use
models to determine expected lifetime losses on loans and certain other financial instruments. Our actual results could
differ significantly from those generated by our models. As a result, the estimates that we use to prepare our financial
statements, as well as our estimates of our future results of operations, may be inaccurate, perhaps significantly. For
more discussion of the risks associated with our use of models, see a risk factor in “Operational and Model Risk” above.
Item 1B. Unresolved Staff Comments
None.
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
Cybersecurity risk is a key operational risk that we face; therefore, managing cybersecurity risk is an inherent part of our
business activities. We describe the material cybersecurity risks we face in “Risk Factors—Operational and Model Risk.”
Cybersecurity Risk Management Program
We have developed and continue to enhance our cybersecurity risk management program as we seek to protect the
security of our information systems, software, networks and other technology assets against unauthorized attempts to
access confidential information and data or to disrupt or degrade business operations. Our cybersecurity risk
management program has evolved, and continues to evolve, based on the changing needs of our business, the
evolving threat environment, and evolving legal and regulatory requirements.
We design and assess our cybersecurity risk management program based on the National Institute of Standards and
Technology Framework for Improving Critical Infrastructure Cybersecurity (the “NIST Cybersecurity Framework”). While
we generally consult the NIST Cybersecurity Framework when designing and assessing our cybersecurity risk
management program, we have not implemented and do not plan to implement all categories and subcategories
included in the framework. We use the framework as a guide to help us identify, assess and manage cybersecurity risks
relevant to our business based on our current understanding of the cybersecurity threat environment.
Fannie Mae 2025 Form 10-K | 45 |
Cybersecurity | Cybersecurity Risk Management and Strategy | ||
Integration into Enterprise Risk Management Framework
reporting structure and escalation process for managing all enterprise incidents, including cybersecurity-related
incidents. The framework defines the relationship and notification steps among the various crisis management
stakeholders, including the Board of Directors, the Management Committee, the CEO, other members of the executive
leadership team, the crisis manager and crisis management coordinators. See “Cybersecurity Governance—
Management Role” for a description of the oversight role of the Corporate Risk & Compliance division, Internal Audit
and the management-level Technology & Third Party Risk Committee and Enterprise Risk Committee relating to
Cybersecurity Risk Management Strategy
Overview and Goal. Fannie Mae has a multilayered cybersecurity defense strategy. We take a risk-based defense-in-
depth approach that prioritizes the highest impact events and employs overlapping layers of protection. Our
cybersecurity threat operations operate with the goal of identifying, preventing, and mitigating cybersecurity threats and
responding to cybersecurity incidents in accordance with incident response and recovery plans.
Tools and Safeguards. Tools and Safeguards. As part of our cybersecurity defense strategy, we employ tools and systems safeguards intended
to help secure our networks, applications, data and infrastructure, and to manage cybersecurity vulnerabilities. These
safeguards include network and perimeter defense, infrastructure security, cloud security, endpoint protection, data
protection, identity management and network segmentation. We work to evaluate and improve on these tools and
safeguards through periodic cybersecurity assessments and the integration of cybersecurity threat intelligence.
Backup Data Storage. We have both internal and external third-party backup data storage to help protect our data from
cybersecurity incidents. We test our internal backup restoration process on a regular basis. We test our backup restoration process on a regular basis.
Response Plans and Procedures. We maintain cybersecurity incident response procedures that identify the activities
and escalation processes to be implemented upon detection of a cybersecurity incident, and we routinely practice these
activities and processes. We also have business and technology continuity plans and a crisis management plan, which
we test on a regular basis.
Training. We provide mandatory cybersecurity training to employees and contractors on an annual basis. We test our
employees’ response to simulated phishing scenarios on a regular basis. We also conduct enhanced training for certain
groups of employees that may pose higher risk.
Assessments. We examine the effectiveness of our cyber defenses through various means, including internal audits,
targeted testing, vulnerability testing, maturity assessments, incident response exercises and industry benchmarking.
Insurance Coverage. We maintain insurance coverage relating to cybersecurity risks. As described in “Risk Factors—
Operational and Model Risk,” our insurance may not be sufficient to provide adequate loss coverage.
We regularly use external consultants and vendors to assist in our assessment and management of cybersecurity risks,
including employing third parties to evaluate the security of our networks and our approach to cybersecurity risk
management, such as external vendors that conduct penetration testing against our network on at least an annual
basis, an external vendor that reviews and tests our cybersecurity incident response plan on at least an annual basis,
and external vendors that support our network event alerting and detection capabilities. We also have external vendors
on retainer to assist with cybersecurity incident response activities if requested.
We are also focused on building and maintaining relationships with the appropriate government and law enforcement
agencies and with other businesses, industry groups and cybersecurity services to better understand the cybersecurity
risks in our environment, enhance our defenses and improve our resiliency against cybersecurity threats.
Our cybersecurity risk management program extends to oversight of third parties that pose a cybersecurity risk to us,
including lenders that use our systems and third-party service providers. In alignment with the NIST Cybersecurity
Framework and FHFA regulatory guidance, we have established a risk-based framework for managing third-party risk
that defines specified triggers for assessing and reporting cyber-related third-party risks and events. Pursuant to this
framework, we have implemented both preventive and detective controls to mitigate cybersecurity risks posed by third
parties.
Fannie Mae 2025 Form 10-K | 46 |
Cybersecurity | Cybersecurity Risk Management and Strategy | ||
We have identified certain third parties that we believe pose a higher cybersecurity risk to us because they have
significant access to our systems or data. For these higher-risk third parties, we have implemented additional
requirements, including:
•We assess these higher-risk third parties’ cybersecurity controls through a cybersecurity questionnaire and a
review of their cybersecurity controls, either through independent audits or by direct review of their
cybersecurity policies and practices.
•We use third-party cybersecurity monitoring and alert services to monitor these higher-risk third parties.
•We conduct periodic monitoring reviews of these higher-risk third parties’ cybersecurity policies and practices.
Cybersecurity Governance
Overview
We address the risk from cybersecurity threats using a cross-functional approach, involving management personnel
from our technology, operations, legal, corporate risk & compliance, internal audit and other key business functions in
an ongoing dialogue regarding cybersecurity threats and incidents. As described in “Board Oversight” below,
management also regularly reports to the Risk Policy and Capital Committee of the Board on cybersecurity risk matters.
We have implemented controls and procedures for the escalation of cybersecurity incidents so that decisions regarding
the disclosure and reporting of such incidents can be made in a timely manner.
risk matters, to the Enterprise Risk Committee, as described under “Management Role” below.
The Risk Policy and Capital Committee of the Board discusses cybersecurity risk matters with management throughout
the year. Senior management team members, such as the Chief Security Officer or Deputy Chief Risk Officer of Non-
Financial Risk & Compliance, report to the Risk Policy and Capital Committee and/or the Board on matters such as
updates on our cybersecurity risk management program, resiliency, and external cybersecurity developments, threats
and risks. The company has procedures to escalate information regarding certain cybersecurity incidents to the Board
Chair. At least once every two years, the Risk Policy and Capital Committee reviews and approves the company’s
Cybersecurity Risk Policy and Operational Risk Policy.
Management Role
and managing our cybersecurity risks. Our Chief Security Officer has principal management responsibility for
Control Officer and Head of Enterprise Operations.
The Information Security organization works collaboratively across the company to help protect the company’s
information systems from cybersecurity threats and to respond to cybersecurity threats and incidents. The Information
Security organization monitors information systems to detect anomalies, including attempted cyber attacks, as well as
user activity for access controls and risks of insider threat. The Information Security organization also monitors and
investigates cybersecurity incidents through detection tools, reports from end users, and other cybersecurity threat and
vulnerability intelligence. The Information Security organization also shares and obtains information on cybersecurity
threats through participation in the Financial Services Information Sharing and Analysis Center, referred to as FS-ISAC,
a member-driven organization that advances cybersecurity and resilience in the global financial system.
As appropriate, multidisciplinary teams are deployed to address cybersecurity threats and to respond to cybersecurity
Corporate Risk & Compliance division are informed about and monitor the prevention, detection and mitigation of
cybersecurity incidents through risk and control assessments, targeted reviews, scenario analysis, and monitoring of
risk metrics. The company’s performance in managing cybersecurity risk is reported to the Technology & Third Party
Enterprise Risk Committee, members of which include senior leaders throughout the company. The Enterprise Risk
Committee has delegated primary responsibility for management-level oversight of cybersecurity risk management to
cybersecurity risk matters on a regular basis from the company’s Chief Security Officer. The Technology & Third Party
Risk Committee reviews and approves the company’s management-level cybersecurity risk policies and standards. The
Fannie Mae 2025 Form 10-K | 47 |
Cybersecurity | Cybersecurity Governance | ||
Technology & Third Party Risk Committee also reviews and monitors metrics relating to cybersecurity risk. The
Technology & Third Party Risk Committee escalates matters to the Operational Risk Committee or the Enterprise Risk
Committee as appropriate.
The company’s Corporate Risk & Compliance division provides risk-based independent oversight of cybersecurity risk
management performed by the Information Security organization. Members of the Corporate Risk & Compliance
division chair the Technology & Third Party Risk Committee and the Enterprise Risk Committee.
The company’s Internal Audit organization audits the Corporate Risk & Compliance division’s oversight of cybersecurity
risk management and also independently tests the effectiveness of the company’s cybersecurity risk management and
governance. Members of the Internal Audit organization participate as non-voting members of both the Technology &
Third Party Risk Committee and the Enterprise Risk Committee.
Management Expertise
Our Chief Security Officer has over 21 years of professional experience in information security, including over 1 year in
his current position, over 8 years as Fannie Mae’s Chief Information Security Officer (2016-2024) and over 1 year as
Fannie Mae’s Deputy Chief Information Security Officer. Our Chief Security Officer holds a graduate degree in
information technology management.
Technology & Third Party Risk Committee
Members of the Technology & Third Party Risk Committee include officers with expertise in cybersecurity risk oversight,
such as the Chief Security Officer described above and the head of our Technology and Third Party Risk Oversight
department. As of December 2025, several members of the Technology & Third Party Risk Committee had prior work
experience in cybersecurity and several had a relevant degree or certification, or other knowledge, skills or background
in cybersecurity.
Impact of Risks from Cybersecurity Threats
We and the third parties with which we do business have been, and we expect will continue to be, the target of cyber
attacks and other cybersecurity threats. To date, risks from cybersecurity threats, including as a result of previous
that the risk of damaging cyber attacks is increasing. Notwithstanding our efforts to manage cybersecurity risks as
described above, we may not be successful in preventing or mitigating a cybersecurity incident that could have a
material adverse effect on our business, including our business strategy, results of operations and financial condition.
See “Risk Factors—Operational and Model Risk” for additional discussion of cybersecurity risks to our business.
Recently Filed
Click on a ticker to see risk factors
| Ticker * | File Date |
|---|---|
| NNN | 22 minutes ago |
| NVCT | 55 minutes ago |
| AVTR | an hour ago |
| LEU | an hour ago |
| FNMA | an hour ago |
| U | an hour ago |
| SHOP | an hour ago |
| UE | an hour ago |
| BXMT | 2 hours ago |
| NI | 2 hours ago |
| PSN | 2 hours ago |
| ZG | 2 hours ago |
| REXR | 10 hours ago |
| KRC | 13 hours ago |
| F | 13 hours ago |
| ENTG | 14 hours ago |
| NSP | 14 hours ago |
| LYFT | 15 hours ago |
| DAL | 15 hours ago |
| ARW | 15 hours ago |
| SPGI | 15 hours ago |
| DIOD | 15 hours ago |
| LEGT | 15 hours ago |
| NTST | 16 hours ago |
| AOS | 16 hours ago |
| EXEL | 16 hours ago |
| HCA | 16 hours ago |
| PEGA | 16 hours ago |
| MOH | 16 hours ago |
| GPRE | 16 hours ago |
| PTEN | 16 hours ago |
| PECO | 16 hours ago |
| ARI | 16 hours ago |
| HIW | 16 hours ago |
| SLAB | 16 hours ago |
| KVYO | 16 hours ago |
| UPST | 16 hours ago |
| TCBI | 16 hours ago |
| ADC | 16 hours ago |
| MEDP | 16 hours ago |
| INCY | 16 hours ago |
| CMI | 17 hours ago |
| CNX | 18 hours ago |
| MAR | 19 hours ago |
| GT | 21 hours ago |
| CMS | 21 hours ago |
| L | 1 day ago |
| CNA | 1 day ago |
| MAS | 1 day, 1 hour ago |
| CURB | 1 day, 2 hours ago |
