oversight

FHFA's Oversight of Risks Associated with the Enterprises Relying on Counterparties to Comply with Selling and Servicing Guidelines

Published by the Federal Housing Finance Agency, Office of Inspector General on 2014-09-26.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

          Federal Housing Finance Agency
              Office of Inspector General




   FHFA’s Oversight of Risks
 Associated with the Enterprises
  Relying on Counterparties to
Comply with Selling and Servicing
           Guidelines




Audit Report  AUD-2014-018  September 26, 2014
                                        September 26, 2014


TO:            Nina Nichols, Deputy Director for Enterprise Regulation


FROM:          Russell A. Rau, Deputy Inspector General for Audits


SUBJECT:       Audit of FHFA’s Oversight of Risks Associated with the Enterprises Relying on
               Counterparties to Comply with Selling and Servicing Guidelines


Summary

Two government-sponsored Enterprises, the Federal National Mortgage Association (Fannie
Mae) and the Federal Home Loan Mortgage Corporation (Freddie Mac), use a delegated business
model to buy and service mortgage loans. In this model, they contract with third-party mortgage
loan sellers and/or servicers (e.g., counterparties, such as banks) that are relied on to comply with
their requirements for: (1) originating loans that the Enterprises buy; (2) servicing the purchased
loans (e.g., collecting payments); and (3) reporting data about the loans. As a result of relying on
the counterparties for compliance and reporting, the Enterprises run the risk of their
counterparties failing to meet their respective selling and servicing guidelines. Assurance
regarding compliance with selling requirements is particularly important in light of new limits on
how long Fannie Mae and Freddie Mac have to perform quality control activities on loans being
acquired and to make decisions about whether sellers need to repurchase noncompliant loans. As
such, increased reliance is being placed on controls at the sellers.

As their conservator and regulator, the Federal Housing Finance Agency (FHFA or Agency) has
established prudential standards for identifying, measuring, monitoring, and controlling
Enterprise risk, and can act to mitigate risks, including those posed by counterparties. To better
assess the operational and financial risks posed by these counterparties, the Office of Inspector
General (OIG) reviewed FHFA’s oversight of how the Enterprises ensure their counterparties
comply with their requirements.

In the mid-1990s, one of the Enterprises required an independent, third-party assurance of
counterparties’ compliance with some elements of its guidelines, but this requirement was
replaced by reliance on counterparties’ self-representations of their compliance. Further, the
Enterprises have risk-based, internal oversight of their counterparties’ compliance with selling
and servicing guidelines but most receive no onsite review. In addition, only a portion of loans

 Federal Housing Finance Agency Office of Inspector General • AUD-2014-018 • September 26, 2014
                                                 1
purchased are subject to detailed quality reviews. While monitoring controls are important, the
lack of independent assurance across the population of Enterprise counterparties can increase the
risk of subpar originating and servicing going undetected.

OIG concluded that the Enterprises could require independent assurance that counterparties are
complying with their selling and servicing requirements as a complement to other monitoring
controls already in place. As examples of best practice, federal agencies involved in the
mortgage market, such as the Securities and Exchange Commission (SEC) and the Department
of Housing and Urban Development (HUD), and private investors in mortgage-backed securities
(MBS) commonly require independent assurance of counterparty compliance. Also, in December
2013, one Enterprise’s internal audit function proposed using independent, third-party
attestations of compliance with selling and servicing guidelines, but the merits of the proposal
were not assessed by either the Enterprise or FHFA.

Accordingly, OIG recommends that FHFA direct the Enterprises to assess a risk-based approach
to having their counterparties obtain independent, third-party attestations of their compliance
with origination and servicing requirements to increase assurance that the $4.8 trillion in
Enterprise-owned and -guaranteed mortgages are appropriately originated and serviced. Such
attestations could complement but not replace Fannie Mae’s and Freddie Mac’s onsite reviews
and other performance monitoring controls. The attestations can be implemented in a manner
that considers their cost/benefit based on a given counterparty’s size, complexity, performance,
and other risk factors.

FHFA did not agree with the OIG recommendation. OIG is requesting that FHFA reconsider its
disagreement with the recommendation.

Background

Fannie Mae and Freddie Mac provide liquidity for housing finance by purchasing mortgage
loans from primary mortgage sellers and keeping them for their own investment portfolios,
or securitizing them for sale to investors in the secondary mortgage market with guaranteed
monthly payments. By 2014, the Enterprises owned and guaranteed mortgage loans with
outstanding balances totaling $4.8 trillion that are serviced by their counterparties. Since the
Enterprises rely on contracts with these counterparties, oversight in the form of monitoring
controls is important to assuring compliance.

The Enterprises’ annual reports disclose that their loan underwriting and much of their financial
reporting depend on counterparty mortgage loan data required by Enterprise guidance. For
example, loan sellers send the Enterprises data about loan characteristics and underwriting
information. Loan servicers also send the Enterprises loan-level data each month, including
information about payments, delinquencies, and loss mitigation. The Enterprises use this data
for various purposes, such as calculating their loan loss reserves.




 Federal Housing Finance Agency Office of Inspector General • AUD-2014-018 • September 26, 2014
                                                  2
Seller and Servicer Repurchases

The Enterprises buy mortgage loans from sellers that originate them, which frees up money for
the sellers to make more loans. In 2013, the Enterprises purchased over $1 trillion in mortgages
that, in turn, were either securitized and sold or held in their portfolios.

When the Enterprises buy mortgage loans, they contract with companies (counterparties) for
day-to-day loan servicing, such as collecting payments and handling defaults. Servicers typically
receive a percentage of the monthly interest on the unpaid principal balances of the mortgages
they manage. As of March 31, 2014, Freddie Mac had a total of about 1,200 servicing
counterparties under contract with unpaid principal balances totaling $1.7 trillion while Fannie
Mae had about 1,400 servicing counterparties with balances totaling $3.1 trillion.

The Enterprises rely on representations and warranties under which sellers and servicers assert
that their origination and servicing work complies with the Enterprises’ seller and servicer
contract requirements and related guidance. If Fannie Mae and Freddie Mac later find that it
did not, the Enterprises can, among other remedies, require their counterparties to repurchase
the defective loans or otherwise cover losses.

On September 11, 2012, FHFA and the Enterprises announced the launch of a new
representation and warranty framework for loans sold or delivered on or after January 1, 2013.
With the implementation of the framework, sellers are relieved of certain repurchase obligations
for loan defects after three years. Before the new framework, the Enterprises could demand
repurchase over the life of most loans that defaulted and resulted in losses if underwriting defects
they caused were evident. With this level of protection from losses, the Enterprises’ quality
control efforts focused to a greater extent on nonperforming loans. With the new framework and
a 3-year limit on repurchase demands, the Enterprises’ quality control efforts are now focused
more upfront on performing loans. Since the Enterprises already rely on a delegated business
model, the reduction in their ability to seek repurchase of nonperforming loans points to
increasing focus on the underwriting processes of the sellers to provide assurance of the quality
of purchased loans.

Finding: FHFA Can Further Mitigate the Risks Associated with the Enterprises Relying on
         Counterparties to Comply with Selling and Servicing Guidelines

The Enterprises do not require independent, third-party assurance that their counterparties are
complying with their requirements. Such assurance is commonly used in similar lending and
servicing arrangements. Instead, the Enterprises rely on counterparties’ assertions of compliance
and a set of risk-based, monitoring controls that each Enterprise uses to assess compliance with
its guidance. The coverage of these monitoring controls is limited, which increases the risk
that noncompliance will go undetected. FHFA can potentially achieve greater assurance that
Enterprise-owned and -guaranteed mortgages are being properly originated and serviced.

FHFA and the Enterprises could further mitigate these risks by assessing the cost/benefit of a
risk-based approach to requiring: (1) counterparties’ management to provide representations as



 Federal Housing Finance Agency Office of Inspector General • AUD-2014-018 • September 26, 2014
                                                 3
to their companies’ compliance with Enterprise requirements, and (2) independent, third-party
attestations1 to provide reasonable assurance of counterparty compliance.

Other Federal Agencies and Private MBS Investors Require Third-Party Assurance

Unlike the Enterprises, federal agencies, such as the SEC and HUD, and private MBS investors
involved in the secondary mortgage market require annual, independent assurance of
counterparty compliance. Although the requirements vary among federal agencies, the overall
concept as well as many of the counterparties are the same.

SEC Requirements

The SEC’s Regulation AB (Reg AB), Asset-Backed Securities, sets the rules for registering,
disclosing, and reporting publicly registered, asset-backed securities, such as MBS. The
regulation’s requirements include servicers assessing and asserting their compliance with the
regulation’s provisions and obtaining reports from registered accounting firms that attest to their
self-reported compliance. Item 1122 of Reg AB defines the disclosure-based servicing criteria
to be used by the relevant party to the transaction to provide an assertion regarding servicing
compliance and also an attestation report by registered public accounting firms in assessing said
compliance. The minimum servicing criteria in this section are separated into four categories:
general servicing considerations, cash collection and administration, investor remittances and
reporting, and pool asset administration. The SEC has adopted a requirement that material
instances of noncompliance during the reporting period must be disclosed even if such
noncompliance is subsequently corrected during the reporting period.

HUD Requirements

Similar to the SEC’s Reg AB, HUD also requires its sellers and servicers to submit annual,
independent attestation reports. Specifically, HUD’s Consolidated Audit Guide for Audits of
HUD Programs2 (Audit Guide) requires sellers and servicers who do business with the Federal
Housing Administration (FHA) and the Government National Mortgage Association (Ginnie
Mae) to submit an annual audit of financial statements, internal controls, and compliance with
their respective program requirements.3 The compliance audit serves as an independent, third-
party attestation.



1
    These independent, third-party attestations are services typically provided by independent public accountants.
2
 HUD Office of Inspector General, Consolidated Audit Guide for Audits of HUD Programs, Handbook 2000.4
REV-2 CHG-17 (May 2013).
3
 FHA insures single- and multi-family mortgage loans made by FHA-approved lenders. FHA insures mortgages
on single-family and multifamily homes, which reduces lenders’ risk because FHA pays if homeowners default. To
qualify for insurance, loans must meet certain FHA requirements, such as income verification, remittances, escrow,
and loss mitigation. Ginnie Mae is a self-financed, wholly-owned, government corporation within HUD. Ginnie
Mae guarantees investors the timely payment of principal and interest on MBS backed by federally insured or
guaranteed loans—mainly loans insured by FHA or guaranteed by the Department of Veterans Affairs.


    Federal Housing Finance Agency Office of Inspector General • AUD-2014-018 • September 26, 2014
                                                            4
According to HUD officials, the objectives of a HUD program-specific audit are to help
the program managers in HUD determine whether the auditee has: (a) provided financial data
and reports that can be relied on; (b) internal control in place to provide reasonable assurance
that it is managing HUD programs in compliance with applicable laws and regulations; and
(c) complied with the terms and conditions of federal awards and guarantees, and thus expended
federal funds properly and with supporting documentation. HUD program audit reports are
primary tools used by program managers to meet their stewardship responsibilities in overseeing
these HUD programs and assuring the integrity of funds. Program managers must act on the
areas of noncompliance and internal control weaknesses noted in these reports.

The annual assertions and audits have helped FHA and Ginnie Mae identify problems with their
counterparties, including issues relating to serious noncompliance and poor performance. Since
many of these counterparties also do business with the Enterprises, similar deficiencies could be
identified and corrected if the Enterprises had similar requirements for independent, third-party
attestations.

Mortgage Bankers Association Guidelines

The Mortgage Bankers Association’s (MBA) Uniform Single Attestation Program (USAP)
gives private investors in residential mortgage loans guidelines for gaining assurance over
management’s assertion of a servicing entity’s compliance with USAP’s minimum servicing
standards. Each standard represents a specific minimum requirement with which a servicing
entity is expected to be in material compliance. The USAP engagement must be performed by
a certified public accountant (CPA) who complies with the applicable provisions of the public
accountancy law and the rules of the jurisdiction in which the CPA is licensed. USAP testing
provides assurance on servicing operations in the following areas: custodial bank accounts,
mortgage payments, disbursements, investor accounting and reporting, mortgagor loan
accounting, delinquencies, and insurance policies. Potential users of the USAP report include
all parties with an interest in management’s assertion about a servicing entity’s compliance
with the minimum servicing standards and, specifically, those to whom the mortgage servicer
is obligated, through contractual agreement, to furnish a copy of the report. For example, a
credit rating agency downgraded a large Enterprise seller/servicer late last year due to material
problems identified in part as a result of a USAP engagement.

The following figure presents key third-party assurance requirements of the three organizations
discussed above with respect to the secondary mortgage market.




 Federal Housing Finance Agency Office of Inspector General • AUD-2014-018 • September 26, 2014
                                                 5
              Figure 1: Other Federal Agencies and Mortgage Association Guidelines on
                                 Mortgage Origination and Servicing




     SEC's Regulation AB             HUD Audit Guidance             Uniform Single
     - Annual reports on             - Annual audit and             Attestation Program
     assessment of compliance        assertion requirements         - Minimum Servicing
     with servicing criteria for     for Ginnie Mae issuers         Standards.
     asset -backed securities.       and FHA-approved
                                                                    - Provide loan investor
     - A Servicer Assessment         lenders.
                                                                    with assurance on the
     Report is required from         - Submit audited financial     compliance with specific
     each party participating in     statements and other           minimum residential loan
     the servicing function of       internal controls and          servicing standards.
     ABS.                            compliance audit reports
                                     in accordance with HUD's       - Must be performed
     - Report must be issued                                        by a registered public
     by a registered public          audit procedures and
                                     guidelines on loan             accounting firm.
     accounting firm.
                                     origination and servicing.
                                     - Audit must be
                                     performed by an
                                     independent, registered
                                     public accounting firm.




Source: MBA’s USAP, SEC’s Regulation AB, and HUD’s Audit Guidance

Enterprises’ Delegated Business Model

Much of the Enterprises’ business and financial success rests with their counterparties. The
Enterprises’ single-family mortgage business is operated largely under a delegated business
model that relies on counterparties to: (1) originate and deliver qualifying loans for purchase or
guarantee; and (2) service the associated mortgages, including reporting timely, accurate data to
the Enterprises about borrowers, collateral, credit characteristics, capacity to repay, and loan
status. Unless monitoring controls detect and correct the noncompliance, this model results in the
Enterprises bearing the risk that their counterparties may fail to meet the requirements of their
respective seller and servicing guides.

As presented in their respective SEC annual reports, the Enterprises rely on representations and
warranties provided by their counterparties concerning the characteristics of the single-family

 Federal Housing Finance Agency Office of Inspector General • AUD-2014-018 • September 26, 2014
                                                 6
mortgage loans they buy. Additionally, both Enterprises have deployed an array of monitoring
controls. However, neither Enterprise requires counterparties to have routine, independent
verification of counterparty compliance with their guidance as a complement to these
monitoring controls. This exposes the Enterprises to the risk that the parties involved could
be in noncompliance with Enterprise guidance or even that they could engage in fraud by
misrepresenting facts about properties, borrowers, or loans. In fact, one Enterprise’s annual
report stated that while it reviews a sample of loans after it buys them to determine if such loans
comply with its contractual requirements, there can be no assurance that this will detect or deter
mortgage fraud, or otherwise reduce exposure to the risk of fraud. In addition, the Enterprise’s
annual report4 indicated it is also exposed to fraud by mortgage servicers.

The Enterprises, through the new representation and warranty framework, have substantially
limited their opportunity to perform quality control reviews of purchased loans, which could
shift considerable risk from sellers to themselves. However, neither Enterprise has established
requirements for those sellers to have their loan production processes independently tested by
a third-party as part of either annual financial statement audits or separate engagements. Such
testing could focus on compliance with Enterprise selling guidance and provide additional
assurance that purchased loans comply with that guidance. The testing can serve as an important
component of a governance structure to manage the risk assumed by the Enterprises through
implementation of the new framework and can serve as an important complement to other
monitoring controls.

With respect to mortgage loan servicing, the Enterprises’ respective 2013 annual reports state
that the Enterprises do not service loans. Instead, they rely on counterparties to service their
loans according to their guidelines. As these reports point out, if servicers lack appropriate
controls, or experience a failure in their controls or an operating disruption, the Enterprises’
business and financial results could be adversely affected. Therefore, consideration of
complementary controls to mitigate such risk is an important part of sound risk management.

In summary, obtaining independent, third-party assurance of compliance with selling and
servicing guidance could help the Enterprises manage the risks associated with their delegated
underwriting business model.

Independent Assurance of Counterparty Data Was Previously Required

In the mid-1990s, one Enterprise required counterparties to engage independent auditors to test
their compliance with some elements of origination and servicing requirements and to issue
related reports. This gave the Enterprise reasonable assurance about whether counterparties
were complying with elements of its selling and servicing requirements, but the requirement was
discontinued. When asked about the rationale for dropping the requirement, officials from the


4
  The annual report referred to here was the Enterprise’s SEC Form 10-K for 2013. Federal securities laws require
publicly traded companies to disclose information on an ongoing basis. The annual report on Form 10-K provides a
comprehensive overview of the company’s business and financial condition and includes audited financial
statements.


    Federal Housing Finance Agency Office of Inspector General • AUD-2014-018 • September 26, 2014
                                                        7
Enterprise were unable to explain or provide documents describing why the Enterprise had
done so.

In December 2013, one Enterprise’s internal audit function analyzed the significant risks posed
by its sellers and servicers. The analysis noted that the Enterprise placed considerable reliance
on sellers and servicers to originate and deliver qualifying loans for purchase or guarantee, to
service mortgages, and to report timely, accurate data about borrowers, collateral, credit,
repayment, and loan status. The Enterprise’s internal audit function recommended:

          Under FHFA’s guidance and direction, Freddie Mac and Fannie Mae should
          consider jointly adopting a risk management program that would require
          Seller/Servicers to provide annual independent third-party attestation reports
          of compliance with significant origination and servicing standards. Regulation
          AB and the Seller/Servicer Guide may serve as useful platforms on which
          to build this assurance program in a manner that is most cost-effective for
          Seller/Servicers. As part of such program, the GSEs [Government-Sponsored
          Enterprises] can focus their on-going efforts on monitoring the attestation
          reports and responding to identified compliance deficiencies.

The analysis was shared with senior management at the Enterprise that did not provide any
formal response. The analysis was also shared with FHFA but no formal actions have yet been
taken by the Agency to assess the merits of independent, third-party attestations.

Enterprises and Ginnie Mae

The Enterprises are currently the largest issuers of MBS. For example, in 2013, the Enterprises’
MBS market share was nearly $980 billion, or triple that of Ginnie Mae, which issued about
$313 billion of MBS as shown in Figure 2.

Despite their dominance of the MBS                                 Figure 2: MBS Market Shares 2013
market, the lack of independent, third-
party attestation requirements by the
Enterprises contrasts with Ginnie Mae,
which has such requirements.5 As noted
earlier, Ginnie Mae requires its mortgage
loan issuers to engage independent
auditors to test their compliance with
origination and servicing requirements.
Although the compliance requirements
vary between Ginnie Mae and the
Enterprises, many of their counterparties
are the same. Importantly, Ginnie Mae’s                  Source: Ginnie Mae Annual Report to Congress
efforts have identified matters requiring
5
 OIG did not assess the overall governance structure used by Ginnie Mae in comparison to that of the Enterprises.
Such an assessment could be a part of FHFA’s consideration of this approach to ensuring the Agency and
Enterprises have reasonable assurance regarding counterparty compliance with selling and servicing guidance.


    Federal Housing Finance Agency Office of Inspector General • AUD-2014-018 • September 26, 2014
                                                        8
attention by those counterparties, which indicates the value to be derived from such an approach.
Independent, third-party assurance of compliance with origination and servicing requirements
could similarly aid the Enterprises in mitigating underwriting and servicing risks related to
compliance with their guidance. However, the cost/benefit of obtaining this added assurance has
not been assessed by FHFA or the Enterprises, including risk-based alternatives for ensuring the
value of this monitoring control. Such alternatives could include establishing third-party assurance
requirements based on counterparties’ business volume, performance data, size, and complexity.

Enterprises’ Oversight of Counterparties

In lieu of requiring independent, third-party assurance on all counterparties, the Enterprises have
monitoring controls for sellers and servicers, including loan quality control (QC) reviews,
servicer performance reviews, and operational reviews.6 These controls are risk-based, covering
in depth a small percentage of loans and counterparties.

For example, OIG found that the percentage of loans selected for quality control review in
comparison to total loan purchases as of March 31, 2014, is less than 15% at each Enterprise as
shown in the following figure.

               Figure 3: Enterprises’ Mortgage Loans Selected for Quality Control Reviews

           $400,000
           $350,000
           $300,000
           $250,000
           $200,000
           $150,000
           $100,000                                                                       15%
            $50,000                              11%
                  $0
                                    Freddie Mac                                Fannie Mae
                                      1Q 2014                                   1Q 2014

                                     Total Loan Purchases             Total Loans QC
Source: Enterprises’ Reports

Despite the small sample of loans selected for risk-based, quality control review, the results
of the sampling indicated a number of underwriting defects, which subsequently resulted in
repurchase requests being made to the sellers. Most of the repurchases issued and collected due

6
  Both Enterprises noted that they perform risk-based seller reviews that result in many of the largest volume sellers
being reviewed. Although these efforts contribute to overall assessments of seller compliance, they focus on controls
and thus differ from quality control reviews of compliance for individual loans. Further, the risk-based approach
results in a large number of sellers not being reviewed on a regular basis.


    Federal Housing Finance Agency Office of Inspector General • AUD-2014-018 • September 26, 2014
                                                          9
to underwriting defects were identified through the quality control review of nonperforming
loan files. With the shift in emphasis to upfront quality control on performing loans, additional
attention to counterparty underwriting practices could be critical in protecting the Enterprises’
interests through the use of its repurchase ability, which is now limited to three years.

Each Enterprise currently has over 1,200 sellers and servicers. The Enterprises’ counterparty
operational risk evaluation (CORE) function and servicer quality review (SQR) function
have performed risk-based reviews on a small number (less than 10%) of seller and servicers
annually. For example, in 2013, Freddie Mac and Fannie Mae reviewed approximately 120 and
50 counterparties, respectively, or approximately 10% and 4% of the respective Enterprise’s
population as shown in the following figure.

  Figure 4: Enterprises 2013 Counterparty Operational Risk Evaluation and Servicer Quality Reviews

                            1,600
                            1,400
    No. of Counterparties




                            1,200
                            1,000
                             800
                             600
                             400
                             200               10%
                                                                                4%
                               0
                                       Freddie Mac                    Fannie Mae
                                      2013 Reviews                   2013 Reviews

                                    Approximate Number of Seller/Servicers
                                    CORE or SQR/CMR/Reverse Reviews Performed

Source: Enterprises’ Reports

Although limited to a small sample, the Enterprises’ CORE and SQR reviews, which are risk-
based, have identified numerous operational and compliance issues at the counterparties,
including those related to loss mitigation, delinquency, escrow, and foreclosure. Default
management, fraud, quality control, and governance were the most recurring issues identified in
their risk evaluations for 2013 and 2014. Since these reviews are risk-based, those counterparties
that present greater risk may receive more focus, but the remainder of the counterparties could
also receive compliance testing under an independent, third-party attestation model.

Issues Identified with Enterprise Oversight

Although the Enterprises have implemented various internal functions to oversee counterparty
compliance with their respective origination and servicing standards, FHFA’s Division of
Enterprise Regulation’s examination teams as well as each Enterprise’s internal audit function
have identified weaknesses.

 Federal Housing Finance Agency Office of Inspector General • AUD-2014-018 • September 26, 2014
                                                          10
For example, a recent FHFA review of one Enterprise’s operational review function noted
an inadequate process in place to identify and report significant high-risk issues to senior
management. One seller/servicer was identified in the report as having multiple years of
report findings that were not raised to senior management for resolution. The examination
also indicated that the Enterprise’s operational review process did not monitor counterparty
compliance with consumer protection laws and regulations.

Another FHFA review in 2014 of one Enterprise’s counterparty risk management function noted
concerns with the risk management of counterparties and the governance of credit risk. Further,
FHFA expressed concern with the effectiveness of counterparty risk management’s capabilities
at the Enterprise to challenge the business units that deal with counterparties.

In a 2013 Enterprise internal audit report, issues were noted in the performing loan quality
control function and administration. Specifically, there were issues with the quality control
infrastructure and processes to resolve discrepancies. The quality control function is critical
to the Enterprise with the implementation of the new representation and warranty framework.
In another 2013 Enterprise internal audit report, controls weaknesses were identified in the
seller/servicer eligibility function. Specifically, the Enterprise’s internal audit noted issues with
seller/servicer eligibility and compliance monitoring processes.

OIG has also noted a number of issues with counterparty compliance and associated FHFA and
Enterprise oversight in the past two years. For example, in a recent OIG report, a seller/servicer
lacked adequate infrastructure to handle its increased loan volume, which led to consumer
complaints and delayed payments to the Enterprises.7 Moreover, this breakdown in the
seller/servicer infrastructure was not disclosed in its annual report. As such, borrowers with
Enterprise-backed mortgages may not have their loans properly serviced.

In another report, OIG also identified shortcomings with FHFA’s monitoring of the Enterprises’
oversight of their counterparties’ compliance with consumer protection laws.8 OIG determined
that the Enterprises do not ensure counterparties’ business practices follow all federal and
state laws and regulations designed to protect consumers from unlawful activities such as
discrimination. In addition, OIG identified that the Enterprises do not have a formal monitoring
program in place to review their counterparties’ compliance with the federal and state laws that
govern originating and servicing mortgage loans. Instead, both Enterprises rely primarily on
counterparty self-certifications of contractual compliance along with federal regulators’
supervisory and enforcement activities.

These previous examples of issues identified regarding the Enterprises’ counterparty oversight
structure further highlight the need for independent, third-party assurance of counterparty
compliance with Enterprise requirements set forth in their guidance.

7
 FHFA Actions to Manage Enterprise Risks from Nonbank Servicers Specializing in Troubled Mortgages (AUD-
2014-014, July 1, 2014). Accessed August 24, 2014, at http://www.fhfaoig.gov/Content/Files/AUD-2014-014.pdf.
8
 FHFA Should Develop and Implement a Risk-Based Plan to Monitor the Enterprises’ Oversight of Their
Counterparties’ Compliance with Contractual Requirements Including Consumer Protection Laws (AUD-2013-008,
March 26, 2013). Accessed August 24, 2014, at http://www.fhfaoig.gov/Content/Files/AUD-2013-008_0.pdf.


    Federal Housing Finance Agency Office of Inspector General • AUD-2014-018 • September 26, 2014
                                                     11
Recent Issues with Servicers

Experience since the financial crisis has shown that independent oversight of compliance with
seller and servicer guidelines is essential at some organizations. In 2012, for example, the
Department of Justice, HUD, and state attorneys general announced a settlement with the five
leading bank mortgage servicers to address mortgage loan servicing and foreclosure abuses,
resulting in $25 billion in monetary sanctions and relief. The settlement requires testing of
compliance with mortgage servicing requirements and oversight by an independent monitor
that will report to the attorneys general and the court. The independent monitor has filed a
number of compliance reports with the court, most recently covering testing for the third and
fourth quarters of 2013. To validate servicer compliance efforts, the independent monitor has
engaged professional firms to review servicer work papers and test a sub-sample of servicer
compliance work.

Conclusion

FHFA can further mitigate the risks posed by the Enterprises’ reliance on their counterparties’
information on origination and servicing compliance by directing them to assess the cost/benefit
of whether counterparties should obtain independent, third-party attestations on a risk-focused
basis that considers such things as counterparty size, product line, and other characteristics.
Through such robust attestations and independent oversight, FHFA can increase its assurance
that Enterprise-owned and -guaranteed loans are originated and serviced in compliance with
requirements. Such a control can complement existing risk-based controls and provide broad
compliance coverage to those counterparties that would otherwise not receive oversight. In this
regard, one Enterprise prepared and FHFA received a proposal to consider independent, third-
party attestations of counterparty compliance but has not acted on the proposal.

Compliance with selling requirements is particularly important in light of FHFA’s new
representation and warranties framework that now limits to three years the length of time the
Enterprises have to perform quality control activities on loans being acquired. As such, increased
reliance is being placed on controls at the sellers. Obtaining independent, third-party assurance
could not only help provide the Enterprises with more reliable evidence about the accuracy and
timeliness of data that counterparties report, but also help manage the risks associated with their
delegated underwriting business model.

Finally, other federal agencies require annual assertions and independent, third-party attestations
that allow them to identify problems with counterparty compliance. Since many of these
counterparties also do business with the Enterprises, similar deficiencies could have been
identified if the Enterprises had similar requirements for independent compliance attestations.




 Federal Housing Finance Agency Office of Inspector General • AUD-2014-018 • September 26, 2014
                                                12
Recommendation

OIG recommends that FHFA:

   1. Direct Fannie Mae and Freddie Mac to assess the cost/benefit of a risk-based approach to
      requiring their sellers and servicers to provide independent, third-party attestation reports
      on compliance with Enterprise origination and servicing guidance.

FHFA provided comments (see Attachment A) disagreeing with OIG’s recommendation.
Attachments B and C contain OIG’s evaluation of FHFA’s comments.

Objective, Scope, and Methodology

The overall objective of this performance audit was to assess FHFA’s oversight of Enterprise
information reporting used to oversee compliance with origination and servicing standards.
To accomplish this objective, in part, OIG reviewed FHFA’s oversight and the Enterprises’
controls and processes to monitor seller/servicers’ compliance with key standards, including
risk management practices used to ensure compliance with the Enterprises’ mortgage origination
and servicing guidance.

OIG conducted its fieldwork at FHFA’s headquarters, Fannie Mae’s corporate offices in
Washington, DC, and Freddie Mac’s corporate offices in McLean, VA.

In order to accomplish its objective, OIG:

      Analyzed FHFA examination results related to Fannie Mae’s and Freddie Mac’s
       counterparty reviews, specifically, the Enterprise functions responsible for
       counterparty compliance;

      Reviewed internal audit reports from the Enterprises related to counterparty oversight
       and/or compliance;

      Reviewed other federal agencies’ regulations and industry best practices related to
       independent audit/attestation on mortgage origination and servicing requirements,
       i.e., HUD, FHA, Ginnie Mae, and the SEC;

      Reviewed counterparty compliance issues and problems identified by other federal
       agencies;

      Discussed with FHFA officials the Agency’s oversight and guidance on independent,
       third-party attestation of counterparty compliance with mortgage origination and
       servicing requirements; and

      Discussed with Enterprise officials the processes to validate counterparty compliance
       with the Enterprises’ respective origination and servicing requirements.

OIG conducted fieldwork for this performance audit from April 2014 through August 2014
in accordance with generally accepted government auditing standards. Those standards require

 Federal Housing Finance Agency Office of Inspector General • AUD-2014-018 • September 26, 2014
                                                13
that OIG plan and perform audits to obtain sufficient, appropriate evidence to provide a
reasonable basis for the findings and conclusions based on the audit objective. OIG believes
that the evidence obtained provides a reasonable basis for the finding and conclusions included
herein based on the audit objective. OIG considers its finding to be significant in the context of
the audit objective.

OIG appreciates the cooperation of everyone who contributed to this audit, including officials at
FHFA, Fannie Mae, and Freddie Mac. This audit was led by Kevin Carson, Audit Director, who
was assisted by Damon Jackson, Audit Manager, and Crystal Tsang, Auditor-in-Charge.



cc:    Melvin L. Watt, Director
       Eric Stein, Chief of Staff
       Larry Stauffer, Acting Chief Operating Officer
       Sandra Thompson, Deputy Director for Housing Mission and Goals
       Robert Ryan, Special Advisor
       Mark Kinsey, Chief Financial Officer
       John Major, Internal Controls and Audit Follow-up Manager


Appendices:    Appendix A: FHFA’s Comments on OIG’s Finding and Recommendation
               Appendix B: OIG’s Response to FHFA’s Comments
               Appendix C: Summary of FHFA’s Comments on the Recommendation




 Federal Housing Finance Agency Office of Inspector General • AUD-2014-018 • September 26, 2014
                                                 14
Appendix A

FHFA’s Comments on OIG’s Finding and Recommendation




 Federal Housing Finance Agency Office of Inspector General • AUD-2014-018 • September 26, 2014
                                              15
Federal Housing Finance Agency Office of Inspector General • AUD-2014-018 • September 26, 2014
                                             16
Appendix B

OIG’s Response to FHFA’s Comments

On September 16, 2014, FHFA provided comments to a draft of this report. FHFA disagreed
with the recommendation. OIG has attached FHFA’s full response as Appendix A and
considered it where appropriate in finalizing this report. Appendix C provides a summary of the
Agency’s response to OIG’s recommendations and the status of agreed-upon corrective actions.
As discussed below, OIG considers the recommendation to be unresolved and requests that
within 30 days of the issuance of this report, FHFA reconsider its position and provide OIG
with a further response.

FHFA agreed that effective counterparty risk management is critical to the safety and soundness
of Enterprise operations and indicated it would continue to treat counterparty risk management
as a high priority. Additionally, the Agency stated that it would include a review of internal
controls relating to counterparty risk management for sellers and servicers in its 2015
examination plan for each Enterprise. FHFA further stated its review of internal controls related
to counterparty risk management would focus on changes to controls made in connection with
the Enterprises’ adoption of the revised representation and warranty framework. OIG considers
these to be positive steps.

FHFA broadly commented that as regulator and supervisor of the Enterprises it is responsible for
reviewing and evaluating the effectiveness of internal controls. However, the Agency stated that
it did not find that the information and arguments in the draft report warrant direction to the
Enterprises to dedicate management and other resources to conduct a cost-benefit analysis of
risk-based attestations of compliance by sellers and servicers to complement and enhance other
counterparty risk management controls. OIG provides the following discussion related to these
two points.

Reviewing and Evaluating Internal Controls for Managing Counterparty Risk

OIG identified that, in some instances, the Enterprises already make use of independent, third-
party attestations. Thus, the Agency’s planned examination to review internal controls relating
to counterparty risk management for sellers and servicers at each Enterprise could lead to
examination of independent, third-party attestations as an internal control. However, FHFA
neither acknowledged the use of independent third-party attestations by the Enterprises in
its response nor stated that the Agency would specifically review this control in its planned
examination work.

There are at least several cases of limited Enterprise use of independent, third-party compliance
attestations. For example, on December 10, 2013, Freddie Mac issued Bulletin Number M2013-7
to multifamily sellers and servicers that provides an option for servicers to have Freddie Mac
consider the results from a Seller/Servicer’s Regulation AB audit when the Enterprise conducts
its own audit of servicer compliance. Specifically, the Bulletin allows servicers of multifamily
loans preparing for a compliance audit to provide Freddie Mac with the servicer’s annual
Regulation AB assertion and related attestation report prepared by an independent public
accountant on its assessment of compliance with the Regulation AB servicing criteria. While

 Federal Housing Finance Agency Office of Inspector General • AUD-2014-018 • September 26, 2014
                                               17
the Bulletin applies only to servicing of multifamily loans, it clearly indicates that Freddie Mac
recognizes that independent, third-party attestations can reduce the burden on servicers in some
cases, especially if the attestation is already being performed in response to other requirements.

Further reliance on the use of independent, third-party attestations by Freddie Mac included
the Enterprise identifying in certain offering circulars for the sale of interests in multifamily
mortgage-backed securities that servicers of the underlying mortgages must provide independent,
third-party attestations of compliance with the minimum servicing standards identified in the
Uniform Single Attestation Program (USAP) for Mortgage Bankers. Such requirements are
intended to, among other things, increase investor confidence in the performance of servicing
functions in order to protect investor interests. Freddie Mac also disclosed in its 2013 annual
report the audit fees billed by PricewaterhouseCoopers LLP for the performance of a compliance
evaluation of the minimum servicing standards as set forth in USAP and the provision of an
attestation report. These USAP fees were approved by FHFA as conservator of Freddie Mac.

OIG also noted that some prospectuses issued by Fannie Mae for single family mortgage-backed
securities had servicer attestation requirements. For example, one prospectus stated that servicers
must annually provide a report on the assessment of compliance with servicing criteria for asset-
backed securities, together with a copy of an attestation report from a registered public
accounting firm regarding such party’s assessment of compliance.

Despite what appears to be use of independent, third-party attestation as an internal control in
some cases, neither Enterprise pointed out in the course of the audit that third party attestations
had in fact been used under certain circumstances or the justification for doing so. Such
information would be directly relevant to OIG’s recommended assessment of a risk-based
approach to managing counterparty and other risks through a process of management assertions
regarding compliance with origination and servicing requirements and independent testing and
attestation to those assertions.

In summary, the Enterprises are making selected use of independent, third-party attestations that
should be considered in planning examination coverage related to counterparty risk management.
FHFA indicates in its response that it is placing a high priority on this area particularly in
connection with the adoption of the revised representation and warranty framework. Yet, without
performing an underlying assessment, FHFA reached a conclusion that independent, third-party
attestations have limitations as a risk management tool. OIG considers it important that FHFA
assess the full range of controls in place and not exclude the use of independent, third-party
attestation from further consideration if further risk mitigation is deemed necessary.

Additional Support for Assessing Independent Third-Party Attestations as an Internal Control

In its efforts to assess counterparty risk management, FHFA should consider the potential risks
impacting the pricing of Enterprise mortgage-backed securities (MBS) that may be mitigated by
strengthened controls such as independent third-party attestations.9 The Enterprises provide a

9
 Independence is relative to both the sellers and servicers being reviewed and, in this context, can also apply to the
Enterprises.


    Federal Housing Finance Agency Office of Inspector General • AUD-2014-018 • September 26, 2014
                                                          18
guarantee to investors related to principal and interest payments on MBS, the cost of which can
be impacted by seller and servicer compliance with Enterprise guidance. These risks can affect
the pricing of MBS and thus the return to the Enterprises. For example, Fannie Mae points out in
its Prospectus for Guaranteed Mortgage Pass-Through Certificates for Single-Family Residential
Mortgage Loans that if loans become delinquent, the Enterprise may purchase the loan from the
pool, resulting in an early return of principal and potentially reduced earnings to the investor.
Factors identified as affecting the likelihood of a borrower default on a mortgage loan include
borrower creditworthiness, uninsured natural disasters, and borrower bankruptcy or other
insolvency, all of which can relate to selling and servicing activities required of counterparties.
The prospectus also points out that, as a result of the new representation and warranty
framework, the Enterprise may determine much earlier in the life of a loan that there has been a
breach of a representation and warranty related to the loan, which may lead to purchases of loans
from pools earlier in their terms. Such action poses similar repurchase risk to investors that can
impact pricing decisions for Enterprise MBS.

Regarding servicing, Fannie Mae points out that if a servicer experiences financial difficulties
or becomes insolvent, that servicer’s ability to effectively service mortgage loans may become
impaired as its focus is more directed toward rebuilding financial strength through measures such
as staff reductions. In some cases it may become necessary to transfer servicing to another more
effective servicer. Less robust servicing practices before, during, or after the transition to a new
servicer can exacerbate loan delinquencies and borrower defaults. Although the Enterprises’
guaranty of timely payment of principal and interest covers borrower delinquencies and defaults,
an increase in borrower delinquencies and defaults could result in acceleration of prepayments
on investor certificates if delinquent loans are repurchased from a pool. As previously stated, this
can result in reduced earnings to investors that could in turn demand higher returns on future
MBS, thus adversely impacting the net income of the Enterprises.

Given the prepayment risks associated with selling and servicing, FHFA should consider
providing additional depth in the internal control structure regarding seller and servicer
compliance with Enterprise requirements, including independent third-party review of
compliance.

Moreover, it is essential to monitor continuously the performance of counterparties and evaluate
the risks associated with continuing business relations with them. As OIG’s work shows, the
Enterprises are only able to conduct detailed reviews of a limited number of counterparties. In
a recent OIG report on lessons learned from the fraud scheme perpetrated by the officers and
employees of Taylor, Bean & Whitaker Mortgage Corporation (TBW), 10 OIG noted
counterparty monitoring as an area for improvement, particularly so-called non-regulated
counterparties that do not have a primary Federal regulator as was the case with TBW.
Moreover, the report concluded that FHFA and the Enterprises could improve the quality of their


10
   Systemic Implication Report: Taylor Bean and Whitaker (TBW)-Colonial Investigation Lessons Learned (SIR-
2014-0013, August 21, 2014) accessed September 17, 2014, at
http://www.fhfaoig.gov/Content/Files/SIR_TBW_Colonial%20Investigation%20Lessons%20Learned%20August%
202014.pdf.


 Federal Housing Finance Agency Office of Inspector General • AUD-2014-018 • September 26, 2014
                                                    19
monitoring with compliance testing by independent firms. Freddie Mac suffered significant
losses when TBW failed and no longer had the capacity to fulfill its repurchase obligations.

As part of our audit, we also noted that FHFA had similar concerns with counterparty risk
management. In a 2014 review at one Enterprise, FHFA noted concerns with the lack of
compliance with FHFA Advisory Bulletin, AB 2013-01, Contingency Planning for High-Risks
or High-Volume Counterparties, implemented in 2013. This bulletin was issued in response
to control weaknesses in counterparty risk management noted in a 2012 OIG audit.11 FHFA
also noted that implementation of the guidance is important with the rise of non-regulated
counterparties, because they are large, critically important servicers for which replacement
counterparties may be more difficult to identify. The Agency expressed particular concern
with the effectiveness of Enterprise’s capabilities to deal with counterparties.

FHFA could increase its assurance that counterparty risks are being effectively mitigated by
completing the agreed-to examination coverage and assessing whether additional Enterprise
counterparties need to obtain independent, third-party attestations of their compliance with the
Enterprises origination and servicing guidelines. Such attestations, if warranted based on the
results of the OIG-recommended assessment, could complement but not replace FHFA and the
Enterprises reviews and other monitoring controls. As such, and also as a result of the findings
in this report, we are requesting that FHFA reconsider its position on the recommendation.




11
  FHFA’s Oversight of the Enterprises’ Management of High-Risk Seller/Servicers (AUD-2012-007, September 18,
2012) accessed September 17, 2014, at http://www.fhfaoig.gov/Content/Files/AUD-2012-007.pdf.


 Federal Housing Finance Agency Office of Inspector General • AUD-2014-018 • September 26, 2014
                                                    20
Appendix C

Summary of FHFA’s Comments on the Recommendation

This table presents management’s response to the recommendation in OIG’s report and the status
of the recommendation as of when the report was issued.


                                                    Expected         Monetary
 Rec.          Corrective Action: Taken or         Completion         Benefits      Resolved:       Open or
 No.                     Planned                      Date          ($ Millions)    Yes or No a     Closed b
1.        FHFA disagrees with this                      N/A             $0              No           Open
          recommendation and does not find
          that the information and arguments
          in the report warrant supervisory
          direction to the Enterprises to
          dedicate management and other
          resources to conduct a cost-benefit
          analysis of risk-based attestations
          of compliance by sellers and
          servicers.

a
 Resolved means: (1) Management concurs with the recommendation, and the planned, ongoing, and completed
corrective action is consistent with the recommendation; (2) Management does not concur with the recommendation,
but alternative action meets the intent of the recommendation; or (3) Management agrees to the OIG monetary
benefits, a different amount, or no amount ($0). Monetary benefits are considered resolved as long as management
provides an amount.
b
  Once OIG determines that the agreed-upon corrective actions have been completed and are responsive, the
recommendation can be closed.




    Federal Housing Finance Agency Office of Inspector General • AUD-2014-018 • September 26, 2014
                                                       21
Additional Information and Copies

For additional copies of this report:

      Call: 202-730-0880

      Fax: 202-318-0239

      Visit: www.fhfaoig.gov



To report potential fraud, waste, abuse, mismanagement, or any other kind of criminal or
noncriminal misconduct relative to FHFA’s programs or operations:

      Call: 1-800-793-7724

      Fax: 202-318-0358

      Visit: www.fhfaoig.gov/ReportFraud

      Write:
                FHFA Office of Inspector General
                Attn: Office of Investigation – Hotline
                400 Seventh Street, S.W.
                Washington, DC 20024




 Federal Housing Finance Agency Office of Inspector General • AUD-2014-018 • September 26, 2014
                                                22