oversight

FHFA's 2015 Report of Examination to Fannie Mae Failed to Follow FHFA's Standards Because it Reported on an Incomplete Targeted Examination of the Enterprise's New Representation and Warranty Framework

Published by the Federal Housing Finance Agency, Office of Inspector General on 2017-09-22.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                         REDACTED

                     Federal Housing Finance Agency
                         Office of Inspector General




 FHFA’s 2015 Report of Examination to
  Fannie Mae Failed to Follow FHFA’s
  Standards Because it Reported on an
Incomplete Targeted Examination of the
  Enterprise’s New Representation and
         Warranty Framework




  This report contains redactions of information that is privileged or confidential.



    Audit Report • AUD-2017-008 • September 22, 2017
                Executive Summary
                The Federal National Mortgage Association (Fannie Mae) and the Federal
                Home Loan Mortgage Corporation (Freddie Mac) (together, the Enterprises)
                provide liquidity to the U.S. housing finance system by supporting the
                secondary mortgage market. The Enterprises purchase residential mortgages
                from lenders and bundle the purchased mortgages into securities for which
AUD-2017-008    they guarantee principal and interest. In guaranteeing the securities, the
                Enterprises assume the credit risk from possible default of the underlying
September 22,   mortgages. To mitigate this risk, the Enterprises require lenders that sell the
    2017        residential mortgages to make specific contractual representations and
                warranties in which they represent that the mortgages meet specific
                underwriting standards.

                Historically, the Enterprises relied on the lenders’ representations and
                warranties and conducted limited due diligence at the time the mortgages were
                purchased. When mortgages defaulted or the borrower missed payments, the
                Enterprises would review the loan files for evidence of breach of the
                representations and warranties and exercise their contractual rights to require
                lenders to repurchase, or buy back, non-compliant loans. The Enterprises’
                contractual rights to put back non-compliant loans at any point during the term
                of the loans enabled the Enterprises to reduce losses caused by underwriting
                defects.

                In September 2012, the Federal Housing Finance Agency (FHFA) announced
                that the Enterprises would launch a new representation and warranty
                framework (new framework). The objective of the new framework was to
                enhance transparency and certainty for lenders by clarifying when a mortgage
                loan may be subject to repurchase. The new framework, designed by the
                Enterprises to meet FHFA’s stated objective, shifted some risk of non-
                compliance with representations and warranties from the lenders to the
                Enterprises (and therefore to taxpayers). The new framework required
                operational changes at the Enterprises to mitigate the additional risk. FHFA
                recognized the need to test the adequacy of those operational changes, through
                its supervisory activities, to ensure that the risks had been mitigated.

                FHFA is charged by the Housing and Economic Recovery Act with, among
                other things, ensuring that the Enterprises and the Federal Home Loan Banks
                operate in a safe and sound manner. Within FHFA, the Division of Enterprise
                Regulation (DER) is responsible for the supervision of the Enterprises.
                According to the FHFA Examination Manual, each year DER assesses the
                risks of Enterprise operations and plans its supervisory activities to assess the
                mitigation of those risks. DER summarizes and communicates the results of its
                supervisory activities in an annual report of examination (ROE) issued to each
                Enterprise.

                We performed this audit to assess (1) whether DER’s planned supervisory
                activities relating to Fannie Mae’s implementation of the new framework for
                the 2015 and 2016 examination cycles could be tracked to its risk assessments
                and supervisory strategies and (2) whether DER executed these planned
AUD-2017-008    supervisory activities during the 2015 and 2016 examination cycles. As part of
                our work, we also assessed whether the objectives of the planned supervisory
September 22,   activities during the 2015 and 2016 examination cycles would provide for the
    2017        testing of controls to mitigate the risks identified with the new framework.

                For the 2015 examination cycle, the risks identified by DER with respect to
                Fannie Mae’s implementation of the new framework focused on Fannie Mae’s
                                        . We found that DER planned a targeted examination of
                Fannie Mae’s quality control function during the 2015 examination cycle and
                that the objectives of that planned targeted examination, if completed as stated,
                would provide for the testing of controls to mitigate the risks identified with
                the new framework.

                At the conclusion of each annual examination cycle, FHFA prepares and
                transmits an ROE to the board of directors (Board) for each Enterprise. The
                annual ROE constitutes DER’s “primary work product that communicates . . .
                the cumulative results of [DER’s] supervisory activities conducted during the
                annual examination cycle.” The ROE rolls up the substantive examination
                results from DER’s targeted examinations and ongoing monitoring activities.
                In March 2013, FHFA issued Supervision Directive (SD) 2013-01 which
                directed DER and the Division of Federal Home Loan Bank Regulation (DBR)
                (which is responsible for supervision of the Federal Home Loan Banks) to
                perform independent quality control reviews of “examination findings,
                conclusions, ratings, supporting workpapers, and related documents” and of
                the ROEs, prior to finalizing and distributing the ROEs to the regulated
                entities. The then-Deputy Directors of DBR and DER provided input into the
                content of SD 2013-01 and formally approved it.

                In a prior evaluation, we found the then-Deputy Director of DER had
                committed in writing to develop and implement a quality control review
                program by December 2012 and we catalogued the difficulties and delays over
                several years in establishing such a program within DER. In the summer of
                2015 (and more than two years after SD 2013-01 issued), DER announced it
                was implementing a program for quality control reviews. We recommended
                that FHFA “[e]nsure that DER’s recently adopted procedures for quality
                control reviews meet the requirements of [SD] 2013-01 and require DER to
                document in detail the results and findings of each quality control review in
                examination workpapers, including any shortcomings found during the quality
                control review.” In its written response, FHFA “agree[d] with this
                recommendation,” and acknowledged that “a process for independent quality
                control of examination documentation is important to the supervision of Fannie
                Mae and Freddie Mac.”

                In March 2016, DER issued an ROE to Fannie Mae for the 2015 examination
AUD-2017-008    cycle. Notwithstanding the requirements in SD 2013-01, that ROE was not
                subjected to an independent quality control review. A DER official reported to
September 22,   us that DER determined that quality control reviews of the ROEs were not
    2017        needed because quality control reviews were conducted of all examination
                findings and conclusions before they were incorporated in the annual ROEs.
                This ROE for the 2015 supervisory cycle reported on DER’s targeted
                examination of Fannie Mae’s quality control function. Our audit of DER
                workpapers for this targeted examination found that no independent quality
                control review of this examination was conducted before the ROE issued,
                contrary to SD 2013-01 and the representations made to us by a DER official.
                Reporting examination findings in an ROE before they are vetted through a
                quality control process creates a risk that DER could provide misinformation to
                the Enterprise and its Board.

                DER did not identify risks associated with the new framework as a specific
                supervisory focus for the Fannie Mae 2016 examination cycle and did not
                perform any new framework-related supervisory activities during 2016.

                We make one recommendation to FHFA to address the shortcomings identified
                in this audit. In a written management response, FHFA stated that it disagreed
                with various statements in the report and the finding but agreed with our
                recommendation.

                We are also issuing today the results of our audit of DER’s execution and
                completion of planned supervisory activities for the 2015 and 2016
                examination cycles to test the adequacy of Freddie Mac’s implementation of
                the new framework. See FHFA’s 2015 and 2016 Supervisory Activities, as
                Planned, Addressed Identified Risks with Freddie Mac’s New Representation
                and Warranty Framework, AUD-2017-009, available online at
                www.fhfaoig.gov/reports/auditsandevaluations.

                This report was prepared by James Lisle, Audit Director; Marco Uribe,
                Auditor-in-Charge; and Brian Maloney, Auditor; with the assistance of Bob
                Taylor, Assistant Inspector General for Audits. We appreciate the cooperation
                of FHFA staff, as well as the assistance of all those who contributed to the
                preparation of the report.
                This report has been distributed to Congress, the Office of Management and
                Budget, and others and will be posted to our website, www.fhfaoig.gov.



                Marla A. Freedman, Deputy Inspector General for Audits /s/


AUD-2017-008
September 22,
    2017
TABLE OF CONTENTS ................................................................
EXECUTIVE SUMMARY .............................................................................................................2

ABBREVIATIONS .........................................................................................................................7

BACKGROUND .............................................................................................................................8
      DER Supervisory Process .........................................................................................................8
      The New Framework Sought to Provide Greater Certainty to the Seller, Shifting
      Some Risk to the Enterprises ..................................................................................................10
      Implementation of the New Framework Required Operational Changes at Fannie
      Mae 12

FACTS AND ANALYSIS.............................................................................................................13
      DER Planned and Executed Supervisory Activities for Fannie Mae to Address the
      Risks it Identified with the New Framework in the 2015 Examination Cycle .......................13
              2015 Examination Cycle .................................................................................................13
              2016 Examination Cycle .................................................................................................15

FINDING .......................................................................................................................................17
      DER Did Not Complete a 2015 Targeted Examination of Fannie Mae’s
      Implementation of the New Framework before Reporting the Results in the 2015
      ROE ........................................................................................................................................17

CONCLUSION ..............................................................................................................................17

RECOMMENDATION .................................................................................................................18

OBJECTIVE, SCOPE, AND METHODOLOGY .........................................................................19

APPENDIX: FHFA MANAGEMENT RESPONSE ....................................................................21

ADDITIONAL INFORMATION AND COPIES .........................................................................23




                                         OIG • AUD-2017-008 • September 22, 2017                                                                 6
ABBREVIATIONS .......................................................................

Board              Board of directors

DBR                Division of Federal Home Loan Bank Regulation

DER                Division of Enterprise Regulation

EIC                Examiner-in-Charge

Enterprises        Fannie Mae and Freddie Mac

Fannie Mae         Federal National Mortgage Association

FHFA               Federal Housing Finance Agency

Freddie Mac        Federal Home Loan Mortgage Corporation

LQC                Loan Quality Center

MRA                Matter Requiring Attention

New framework      Representation and Warranty Framework

OIG                Office of Inspector General

OPB                Operating Procedures Bulletin

PSPA               Preferred Stock Purchase Agreement

QC                 Quality Control

ROE                Report of Examination

SD                 Supervision Directive

Treasury           Department of the Treasury

UPB                Unpaid Principal Balance




                        OIG • AUD-2017-008 • September 22, 2017                     7
BACKGROUND ..........................................................................

DER Supervisory Process

Created by Congress in 2008, FHFA is charged by the Housing and Economic Recovery Act
of 2008 with, among other things, the supervision of the Enterprises. Its mission as a federal
financial regulator includes ensuring the safety and soundness of the Enterprises so that they
serve as a reliable source of liquidity and funding for housing finance and community
investment. FHFA exercises its supervision of the Enterprises through DER. Like other
federal financial regulators, FHFA maintains that it uses a risk-based approach to carry out its
supervisory activities.

In a number of recently issued reports, we have explained in detail the different elements of
DER’s supervision program for the Enterprises. 1 According to FHFA, DER’s examinations of
the Enterprises are risk-based and rely on an understanding of the Enterprise, risk
assessments, the development of a supervisory strategy and supervisory plan, and examination
procedures tailored to the Enterprise’s risk profile. The specific elements of DER’s
supervisory program include:

    •   DER’s written assessment of risks at the Enterprises, which serves as a platform for
        developing an annual supervisory strategy and supervisory plan;

    •   DER’s annual supervisory strategy is intended to form a bridge between the risk
        assessment, which identifies significant risks and supervisory concerns, and the
        supervisory activities to be conducted. The supervisory strategy should include,
        among other things, the planned supervisory approach (extent of ongoing monitoring
        or targeted examination activity) and planned objectives that address the significant
        risks and the principal supervisory priorities for the year;

    •   DER’s supervisory plan for each annual examination cycle sets forth the planned
        supervisory activities, prioritized based on level of risk identified in DER’s risk
        assessments. Because supervisory planning is a continuous process, supervisory plans
        may need to be adjusted during each year to address newly emerging risks that require
        attention during the current examination cycle. Beginning with the 2014 examination
        cycle, DER requires that approved supervisory plans shall only be adjusted for risk-
        related reasons, must be approved by the examiner-in-charge (EIC), and be fully

1
  We have issued a number of reports addressing DER’s supervisory process that are summarized in Safe and
Sound Operation of the Enterprises Cannot Be Assumed Because of Significant Shortcomings in FHFA’s
Supervision Program for the Enterprises (OIG-2017-003) (Dec. 15, 2016) (online at
https://www.fhfaoig.gov/Content/Files/OIG-2017-003.pdf).



                               OIG • AUD-2017-008 • September 22, 2017                                      8
         documented in the examination workpapers. Planned supervisory activities in each
         plan can include ongoing monitoring and targeted examinations. According to FHFA,
         ongoing monitoring and targeted examinations serve complementary purposes. The
         purpose of ongoing monitoring is to analyze real-time information and to use those
         analyses to identify Enterprise practices and changes in an Enterprise’s risk profile
         that may warrant increased supervisory attention. According to the FHFA
         Examination Manual, ongoing monitoring is also “used to determine the status of the
         Enterprise’s compliance with supervisory guidance, MRAs [Matters Requiring
         Attention], and conservatorship directives[.]” 2 Targeted examinations complement
         ongoing monitoring; further, the FHFA Examination Manual notes that they enable
         examiners to conduct “a deep or comprehensive assessment” of the areas found to be
         of high importance or risk.

    •    DER’s planned examination procedures for its supervisory activities, which are
         designed to identify the objectives of the activity and describe the examination steps to
         be performed, including sampling and testing;

    •    DER’s quality control processes for its targeted examinations and for ongoing
         monitoring activities with findings that assess whether such activities comply with
         FHFA examination standards and procedural requirements in the FHFA Examination
         Manual, supplemental modules, supervision directives, and DER operating procedures
         bulletins (OPB), 3 which DER requires must be completed before DER communicates
         the results of such activities to an Enterprise;

    •    DER’s communication of its findings from its supervisory activities, including its
         supervisory concerns, to each Enterprise;

    •    DER follow-up on efforts by each Enterprise to correct identified deficiencies
         throughout the remediation period to ensure that remediation is timely and adequate;
         and



2
  As discussed in AB-2017-01 Classifications of Adverse Examination Findings, MRAs are adverse
examination findings that fall into one of the following categories: (1) critical supervisory matters (the highest
priority) that pose substantial risk to the safety and soundness of the Enterprise and (2) deficiencies that are
supervisory concerns, which FHFA believes could, if not corrected, escalate and potentially negatively affect
the condition, financial performance, risk profile, operations, or reputation of the Enterprise.
3
  On June 23, 2016, DER issued DER-OPB-02, Quality Control Reviews. This OPB set forth the procedures
for DER to follow in implementing SD 2013-01. Among other things, it required quality control reviews to be
completed prior to the review and approval of supervisory letters by the Deputy Director of DER. It also
provided that quality control reviews may only be waived by the Deputy Director of DER and that such
waivers must be documented in the quality control review files.




                                  OIG • AUD-2017-008 • September 22, 2017                                            9
    •    DER’s communication of its examination conclusions, findings, and composite/
         component examination ratings after the end of each annual examination cycle to each
         Enterprise Board in an annual ROE to assist Enterprise directors in executing their
         oversight responsibilities.

The New Framework Sought to Provide Greater Certainty to the Seller, Shifting Some
Risk to the Enterprises

The Enterprises provide liquidity to the U.S. housing finance system by purchasing residential
mortgages and bundling the purchased mortgages into securities for which they guarantee
principal and interest. In guaranteeing the securities, the Enterprises assume the credit risk 4
from possible default of the underlying mortgages. To mitigate this risk, the Enterprises
require lenders that sell the residential mortgages to make specific contractual representations
and warranties in which they represent that their mortgages meet the specific underwriting
standards set forth in Fannie Mae’s Selling Guide or Freddie Mac’s Single-Family
Seller/Servicer Guide.

Historically, the Enterprises performed limited due diligence on the loans at the time of
purchase. In the event of default, the affected Enterprise reviewed whether the defaulted loan
complied with the lender’s representations and warranties in the lender contract. If an
Enterprise found that a defaulted loan breached these representations and warranties in any
way, the Enterprise could exercise its contractual right to require the lender to repurchase the
non-compliant loan, even if the loan defaulted years after it was made. This right to demand
repurchase of defaulted loans that did not comply with the representations and warranties in
the lender contract mitigated the risk of loss to the Enterprises from defaulted loans.

In September 2012, FHFA announced that the Enterprises would launch the new framework
for conventional loans sold or delivered on or after January 1, 2013. 5 The objective of the new
framework was to enhance transparency and certainty for lenders by clarifying when a
mortgage loan may be subject to repurchase. The new framework provides relief for lenders
from the requirement to remedy (e.g., repurchase) a loan due to breaches of certain
underwriting and property valuation representations and warranties when a loan meets certain
4
 Credit risk is the potential that a borrower or counterparty will fail to meet its obligations in accordance with
agreed terms.
5
  On September 10, 2012, then-acting FHFA Director DeMarco explained that “there has been much
discussion that the uncertainty with representation and warranty exposure may be affecting the willingness of
lenders to extend credit” and that this uncertainty warranted a change in the representation and warranty
framework. Edward J. Demarco, FHFA Acting Director, Remarks as Delivered – American Mortgage
Conference, Raleigh, NC (Sept. 10, 2012) (online at
https://www.fhfa.gov/Media/PublicAffairs/Pages/Remarks-as-Delivered-Edward-J-DeMarco-Acting-Director-
FHFA-American-Mortgage-Conference.aspx).




                                  OIG • AUD-2017-008 • September 22, 2017                                            10
payment history requirements or the satisfactory conclusion of a quality control review by the
Enterprise. 6 The new framework does not change the underlying representations and
warranties the lender makes to the Enterprises when selling mortgages; it changes whether
and how the Enterprises will enforce breaches of those representations. 7 As Director Watt
testified to Congress in January 2015:

         FHFA’s supervision function evaluates the safety and soundness of the
         Enterprises’ operations. Safety and soundness is a top priority in meeting
         FHFA’s statutory obligations, in execution of Enterprise strategic initiatives
         and in all business and control functions…. In updating and clarifying the
         Framework, FHFA’s objectives are to continue to support safe and sound
         Enterprise operations, encourage lenders to reduce their credit overlays, and
         complement the agency’s efforts to strengthen the Enterprises’ quality control
         process. 8

As Fannie Mae recognized in its March 31, 2017, Form 10-Q, 9 “Providing lenders with relief
from repurchasing loans for breaches of certain representations and warranties on loans that
meet specified eligibility requirements shifts some of the risk of non-compliance with our
requirements back to us.” The increased exposure under this new framework could pass
through to the taxpayers, as the Enterprises continue to operate under FHFA’s
conservatorship. 10



6
  A quality control program defines the standards for loan quality, establishes processes designed to achieve
those standards, and mitigates risks associated with the origination processes. A quality control program
includes a documented quality control plan that outlines requirements for validating that loans are originated in
accordance with the Enterprise’s established policies and procedures.
7
 Lenders remain responsible for the life of the loan in the event of misstatements, misrepresentations and
omissions, and certain other situations.
8
 Statement of Melvin L. Watt, before the U.S. House of Representatives Committee on Financial Services,
“Sustainable Housing Finance: An Update from the Director of the Federal Housing Finance Agency (Jan. 27,
2015) (online at www.fhfa.gov/Media/PublicAffairs/Pages/Statement-of-Melvin-L-Watt-Director-FHFA-
Before-the-US-House-of-Representatives-Committee-on-Financial-Services-1272015.aspx).
9
  Securities laws require publicly traded companies to disclose information on an ongoing basis. Form 10-Q
includes unaudited financial statements and provides a continuing view of the company's financial position
during each of the first three fiscal quarters of a company’s fiscal year.
10
   Fannie Mae and Freddie Mac continue to operate under conservatorship, as they have since 2008. At the
time the Enterprises were placed into conservatorship the Department of the Treasury (Treasury) and FHFA, as
conservator of the Enterprises, executed senior preferred stock purchase agreements (PSPAs) to ensure that the
Enterprises could continue to operate. The PSPAs, among other things, obligated Treasury to provide funds
(subject to specified limits) to an Enterprise to restore it to positive net worth in any quarter in which the
Enterprise’s net worth becomes negative. Under these PSPAs, U.S. taxpayers, through Treasury, have invested
a total of $187.5 billion into the Enterprises since 2008.



                                 OIG • AUD-2017-008 • September 22, 2017                                            11
Fannie Mae reported that as of March 31, 2017, it has acquired more than 8 million loans,
with an unpaid principal balance (UPB) of approximately $1.67 trillion, that are subject to the
new framework. More than 3 million of those loans, with a UPB of approximately $543
billion, have demonstrated acceptable payment histories or passed Fannie Mae quality control
review. Pursuant to the new framework, Fannie Mae will not exercise its remedies, including
a demand to repurchase those loans except in limited situations. More than 5 million loans,
with a UPB of nearly $1.11 trillion, have either not completed Fannie Mae quality control
review or are still within the sunset period. Pursuant to the new framework, Fannie Mae can
exercise its remedies, including a demand to repurchase those loans. More than 100,000 loans,
with a UPB of nearly $19 billion, did not demonstrate acceptable payment histories within the
sunset period or did not pass Fannie Mae quality control review. For those loans, Fannie Mae
retains the right to exercise its remedies, including a demand to repurchase by the lender.

Implementation of the New Framework Required Operational Changes at Fannie Mae

Implementation of the new framework shifted some risk of non-compliance with
representations and warranties from the lenders to the Enterprises. As a result, the Enterprises’
quality control programs became increasingly important to mitigate origination quality and
credit risks since the Enterprises would no longer be able to seek repurchase from a lender for
the life of the loan. For loans acquired under the new framework, both Enterprises represented
that they would conduct most quality control reviews within 30 to 120 days after delivery of
the loan to assess whether the specific representations and warranties were satisfied.
According to the Enterprises, they would employ new technologies and data gathering tools to
identify loans that are not originated in accordance with applicable underwriting and
eligibility requirements.




                            OIG • AUD-2017-008 • September 22, 2017                                 12
FACTS AND ANALYSIS ...............................................................

DER Planned and Executed Supervisory Activities for Fannie Mae to Address the Risks
it Identified with the New Framework in the 2015 Examination Cycle

      2015 Examination Cycle

Risk Assessment – DER identified new framework-related risks in the risk assessment for the
2015 examination cycle. The Risk assessment noted that

                                                    . 11 Specifically, the Risk assessment identified
risk associated with actions taken




Supervisory Strategy – Consistent with the identification of new framework-related risks with
Fannie Mae’s quality control function, DER’s 2015 supervisory strategy included quality
control as one of the focus areas in FHFA’s supervision of Fannie Mae’s credit risk.

Supervisory Plan – DER’s 2015 supervisory plan included one supervisory activity related to
the new framework, a targeted examination entitled Quality Control (QC). The planned
objectives of this targeted examination were




                                                                                 12
                                                                           We determined that
the objectives of that planned targeted examination, if completed as stated, would provide for
the testing of controls to mitigate the risks identified with the new framework.




11
     The National Underwriting Center is the former name of what is now Fannie Mae’s Loan Quality Center.
12
  This second objective was intended to address a recommendation in OIG, FHFA’s Representation and
Warranty Framework, AUD-2014-016 (Sept. 17, 2014), available online at
www.fhfaoig.gov/Content/Files/AUD-2014-016.pdf. In this report, we concluded that neither Enterprise had
implemented the processes, procedures, nor systems needed to operate within the new framework before it
went into effect in 2013.




                                 OIG • AUD-2017-008 • September 22, 2017                                    13
Execution of Supervisory Activities – Our review of DER’s workpapers for the QC targeted
examination found that DER examiners began that examination in September 2015 13 and
completed the analysis memorandum on March 10, 2016. Those workpapers also showed that
the independent quality control review for this targeted examination was completed on April 15,
2016, and that the conclusion letter was issued to Fannie Mae on April 27, 2016.

DER noted in its analysis memorandum that
                                                                                                      . In
the conclusion letter, DER reported that it:




                                                                                                             .

DER’s Quality Control Program – In a 2015 evaluation, we reported that FHFA’s Office of
Quality Assurance recommended in 2011 that DER establish and implement formal quality
control reviews for examinations and that the then-Deputy Director of DER committed in writing
to develop and implement a quality control review program by December 2012. We explained
that FHFA, in March 2013, issued SD 2013-01 in which it directed DER and DBR to perform
quality control reviews of “examination findings, conclusions, ratings, supporting workpapers,
and related documents” and of the ROEs, prior to finalizing them. 14

Our evaluation catalogued the difficulties and delays in establishing a quality control program
within DER. Shortly before we issued that evaluation, and more than two years after SD 2013-01
issued, DER announced it was implementing a program for quality control reviews. We
recommended that FHFA “[e]nsure that DER’s recently adopted procedures for quality control
reviews meet the requirements of Supervision Directive 2013-01 and require DER to document
in detail the results and findings of each quality control review in examination workpapers,
including any shortcomings found during the quality control review.” In its written response,
FHFA “agree[d] with this recommendation,” and acknowledged that “a process for independent
quality control of examination documentation is important to the supervision of Fannie Mae and
Freddie Mac.” The formal written guidance issued by DER in June 2016, Operating Procedures



13
  In the request letter and subsequent examination documentation and correspondence, the Quality Control
(QC) targeted examination was referred to as Single-Family Loan Quality Center.
14
  DER documents show that the then-Deputy Directors of DBR and DER provided input into the content of
SD 2013-01 and formally approved it.




                               OIG • AUD-2017-008 • September 22, 2017                                           14
Bulletin DER-OPB-02, Quality Control Review, fell short of the requirements of SD 2013-01
because it did not require quality control reviews of the ROEs.

In a recently issued evaluation, 15 we assessed, among other things, whether DER performed
independent quality control reviews of the ROEs for the 2015 examination cycle before it issued
the ROEs to the Enterprises. Notwithstanding the requirements in SD 2013-01 that an
independent quality control review be conducted for every ROE before it issued, a senior DER
official reported to us that DER determined that such reviews were not needed because DER
conducted quality control reviews of all examination findings and conclusions before they were
incorporated in the annual ROEs.

Report of Examination for 2015 Supervisory Cycle – We found that the ROE for the 2015
examination cycle, dated March 23, 2016, included a narrative consistent with the conclusions
stated in DER’s analysis memorandum for its QC targeted examination dated March 10, 2016.
At that point in time, the findings and conclusions of that QC targeted examination had not been
subjected to an internal independent quality control review. That review was completed on April
15, 2016, and a conclusion letter subsequently issued to Fannie Mae on April 27, 2016.

In its technical comments, FHFA sought to dismiss our finding that the conclusions from this
targeted examination were included in the ROE before they were subjected to an independent
quality control review on the grounds that a “substantive review” of the examination results by
the EIC was an acceptable substitute. As mentioned previously, in March 2013, FHFA issued SD
2013-01, which required DER to conduct independent quality control reviews of its
examinations and its ROEs. No provision of SD 2013-01 vested DER with authority to waive
this requirement and determine that “substantive review” by the EIC was sufficient. DER failed
to meet the requirements of SD 2013-01 when it included in the 2015 ROE conclusions from a
targeted examination for which no independent quality control review had been conducted.

     2016 Examination Cycle

There were no specific risks identified or discussion included related to the new framework in
DER’s risk assessment for the 2016 examination cycle. The only mention of new framework-
related risk in the risk assessment was a notation in the earnings (governance) risk area that
the new framework

Consistent with a lack of any risks identified in the risk assessment, the 2016 supervisory
strategy did not identify the new framework as a focus of supervisory activities. We asked
DER’s EIC why the new framework was only mentioned in passing in the risk assessment for

15
  For the full report, see The Gap in FHFA’s Quality Control Review Program Increases the Risk of
Inaccurate Conclusions in its Reports of Examination of Fannie Mae and Freddie Mac (Aug. 17, 2017) (EVL-
2017-006) (online at https://www.fhfaoig.gov/Content/Files/EVL-2017-006.pdf).



                              OIG • AUD-2017-008 • September 22, 2017                                      15
the 2016 examination cycle and was not mentioned at all in the 2016 supervisory strategy.
The EIC could not specifically recall but explained that the new framework received
heightened attention in its earlier stages. The EIC commented that DER did not need to
dedicate resources to a risk each year if they were comfortable with the examination results of
the prior year related to that risk.

In line with the lack of any new framework-related risks identified in the 2016 risk assessment
and supervisory strategy for Fannie Mae, no specific targeted examinations and ongoing
monitoring activities regarding the new framework were planned and executed during the
2016 examination cycle. However, we found that workpapers supporting a DER 2016
ongoing monitoring activity, single-family credit risk, reflected that DER examiners looked at
certain new framework- and LQC-related topics. For example, DER examiners

                                                               DER’s summary
memorandum for 2016 single-family credit risk ongoing monitoring did not summarize the
results of new framework- or LQC-related monitoring. A DER official told us that this
conclusion was reached because DER’s 2016 ongoing monitoring on this issue did not change
the conclusion that DER had reached in its 2015 QC targeted examination. DER did not
include any discussion of the new framework in the ROE issued to Fannie Mae on March 3,
2017, for the 2016 examination cycle.




                           OIG • AUD-2017-008 • September 22, 2017                                16
FINDING ...................................................................................

DER Did Not Complete a 2015 Targeted Examination of Fannie Mae’s Implementation
of the New Framework before Reporting the Results in the 2015 ROE

DER reported to us that quality control reviews of ROEs are unnecessary because all
examination findings and conclusions undergo a quality control review before they are
incorporated in the annual ROEs. 16 Here, DER included the results of its QC targeted
examination in the ROE issued on March 23, 2016, before that examination had been
subjected to an internal quality control review. DER did not complete its quality control
review for this targeted examination until April 15, 2016, or issue its conclusion letter to the
Enterprise until April 27, 2016. 17 Reporting examination findings in an ROE before they are
vetted through a quality control process creates a risk that DER could provide misinformation
to the Enterprise and its Board.


CONCLUSION ............................................................................

We found that DER’s planned supervisory activities relating to Fannie Mae’s implementation
of the new framework for the 2015 examination cycle could be tracked to its risk assessments
and supervisory strategies. We also found that DER executed the planned supervisory
activities for the 2015 examination cycle. DER did not identify risks associated with the new
framework as a specific supervisory focus for the Fannie Mae 2016 examination cycle and did
not perform any new framework-related supervisory activities during 2016.

DER reported on a new framework-related targeted examination in the 2015 ROE. However,
the targeted examination had not been subjected to an independent quality control review or
communicated to Fannie Mae before the ROE issued, contrary to the requirements of
SD 2013-01. The failure to perform timely quality control reviews on targeted examinations
supporting conclusions communicated in the ROE creates the risk that DER could misinform
the Enterprise and its Board on the condition of the Enterprise.




16
    OIG, The Gap in FHFA’s Quality Control Review Program Increases the Risk of Inaccurate Conclusions in
its Reports of Examination of Fannie Mae and Freddie Mac (Aug. 17, 2017) (EVL-2017-006) (online at
https://www.fhfaoig.gov/Content/Files/EVL-2017-006.pdf).
17
  With the issuance of DER-OPB-02, in June 2016, quality control reviews can be waived, but only by the
Deputy Director, DER. Such waivers must be documented in the quality control review files.



                               OIG • AUD-2017-008 • September 22, 2017                                      17
RECOMMENDATION .................................................................

We recommend that FHFA reinforce the requirements of DER-OPB-02 and hold DER
leadership accountable to ensure that targeted examination conclusions presented in the ROE
are based on work that has either (1) undergone quality control review and been
communicated in writing to the Enterprise, or (2) the required quality control review has been
waived by the Deputy Director of DER and documented in writing.

We provided FHFA an opportunity to respond to a draft of this audit report. FHFA provided
technical comments on the draft report, which we incorporated as appropriate. In its
management response, which is included in the Appendix to this report, FHFA stated that
while it disagreed with various statements in the report and the finding, it agreed with our
recommendation.




                           OIG • AUD-2017-008 • September 22, 2017                               18
OBJECTIVE, SCOPE, AND METHODOLOGY .................................

We conducted this audit to assess (1) whether DER’s planned supervisory activities relating to
Fannie Mae’s implementation of the new framework for the 2015 and 2016 examination
cycles could be tracked back to its risk assessments and supervisory strategies and (2) whether
DER executed and completed these planned supervisory activities during the 2015 and 2016
examination cycles.

To accomplish our objective, we reviewed the FHFA Examination Manual (December 2013)
and the related Credit Risk Management examination module (July 2013); guidance issued by
FHFA and DER related to supervisory planning, execution, and quality control; and
supervisory planning and examination documentation supporting the supervisory activities
conducted of Fannie Mae as related to the new framework.

Specifically, for Fannie Mae, we:

   •   Reviewed DER’s risk assessments for the 2015 and 2016 examination cycles to
       identify risks related to the new framework.

   •   Reviewed DER’s supervisory strategy documents for the 2015 and 2016 examination
       cycles to identify risks related to the new framework.

   •   Reviewed DER supervisory plan documents for the 2015 and 2016 examination cycles
       to identify whether planned supervisory activities addressed the risks related to the
       new framework DER identified in the risk assessments and supervisory strategies.

   •   Interviewed DER personnel to gain an understanding of the supervision process and
       examination approach used to supervise Fannie Mae’s implementation of the new
       framework.

   •   Reviewed DER’s workpapers for the targeted examinations and ongoing monitoring
       related to the new framework performed during the 2015 and 2016 examination cycles
       to determine whether:

           o Required documents for each type of examination performed were completed
             and included in examination documentation in accordance with FHFA
             guidelines, and

           o The scope and conclusions of each of the supervisory activities’ conclusion
             documents addressed the associated supervisory activity objectives.




                           OIG • AUD-2017-008 • September 22, 2017                                19
   •   Reviewed the 2015 and 2016 ROEs to determine whether the results and conclusions
       of the new framework-related supervisory activity were discussed.

We conducted this performance audit from March 2017 through September 2017 in
accordance with generally accepted government auditing standards. Those standards require
that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for the findings and conclusions based on our audit objectives. We believe
that the evidence obtained provides a reasonable basis for our findings and conclusions based
on our audit objectives.




                           OIG • AUD-2017-008 • September 22, 2017                              20
APPENDIX: FHFA MANAGEMENT RESPONSE .............................




                  OIG • AUD-2017-008 • September 22, 2017     21
OIG • AUD-2017-008 • September 22, 2017   22
ADDITIONAL INFORMATION AND COPIES .................................


For additional copies of this report:

   •   Call: 202-730-0880

   •   Fax: 202-318-0239

   •   Visit: www.fhfaoig.gov



To report potential fraud, waste, abuse, mismanagement, or any other kind of criminal or
noncriminal misconduct relative to FHFA’s programs or operations:

   •   Call: 1-800-793-7724

   •   Fax: 202-318-0358

   •   Visit: www.fhfaoig.gov/ReportFraud

   •   Write:

                FHFA Office of Inspector General
                Attn: Office of Investigations – Hotline
                400 Seventh Street SW
                Washington, DC 20219




                            OIG • AUD-2017-008 • September 22, 2017                        23