MPF Announcement 2025-34

MPF Program – Business Continuity and Security Incident Updates

Effective Date: Immediately (unless otherwise noted)

The MPF Program Guide has been updated to:

• Clarify that PFIs and Servicers must ensure their information security program includes appropriate technical and organizational measures that at minimum meets or exceeds industry standards.
• Revise the timing requirements when reporting a security incident or breach, when a PFI or Servicer determines a security incident has occurred they must immediately, and no later than 36 hours after identification that a security incident has occurred or the reasonable conclusion a security incident has occurred.
• Expand the list of details that must be included when reporting a security incident to the MPF Provider and MPF Bank.
• Clarify that PFIs and Servicers must ensure their business continuity and disaster recovery program meets or exceeds industry standards and in addition to MPF Program requirements must comply with any applicable Government Agency and/or Investor requirements.

For MPF Xtra, this includes Fannie Mae requirements for such programs, including those provided for in A2-1-01, General Servicer Duties and Responsibilities of the Fannie Mae Servicing Guide and the Fannie Mae Information Security and Business Resiliency Supplement.

For additional information see MPF Program Guide Section 4.2.4 Business Continuity / Disaster Recovery Program, 6.1.1 Loss of Confidential Information/Security Incident, and MPF Xtra Servicing Guide Section 1.7.20 Business Continuity and Information Security Programs.

For questions or assistance, please contact the MPF Service Center by using one of the following options:

• MPF Customer Service Portal

• Email: MPF-Help@fhlbc.com

• Phone: (877) 345-2673