oversight

FHFA Conducted BSA/AML Program Examinations of 10 of 11 Federal Home Loan Banks During 2016-2018 in Accordance with its Guidelines, But Failed to Support a Conclusion in the Report of Examination for the Other Bank

Published by the Federal Housing Finance Agency, Office of Inspector General on 2019-07-10.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                             REDACTED

                   Federal Housing Finance Agency
                       Office of Inspector General




    FHFA Conducted BSA/AML
      Program Examinations of
 10 of 11 Federal Home Loan Banks
  During 2016-2018 in Accordance
  with its Guidelines, But Failed to
 Support a Conclusion in the Report
 of Examination for the Other Bank




This report contains redactions of information that is privileged or confidential.


      Audit Report • AUD-2019-008 • July 10, 2019
                Executive Summary
                Created by Congress in 2008, the Federal Housing Finance Agency (FHFA) is
                charged by the Housing and Economic Recovery Act of 2008 with oversight
                of Fannie Mae, Freddie Mac, the 11 Federal Home Loan Banks (FHLBanks)
                (collectively, the regulated entities), and the FHLBanks’ fiscal agent, the
                Office of Finance. Since 2008, FHFA has also served as conservator of Fannie
AUD-2019-008    Mae and Freddie Mac.

July 10, 2019   The Bank Secrecy Act (BSA) was enacted to safeguard the U.S. financial
                system: from illicit use such as for terrorist financing; to combat money
                laundering and other illegal activity; and to require suspicious activity
                reporting, including fraud reporting. In February 2014, the Financial Crimes
                Enforcement Network (FinCEN), a bureau of the Department of the Treasury,
                published a Final Rule amending its regulations to define the regulated entities
                as financial institutions subject to BSA requirements and to delegate authority
                to FHFA to examine the regulated entities’ compliance with those
                requirements.

                FHFA has delegated to its Division of Federal Home Loan Bank Regulation
                (DBR) the duty to supervise the FHLBanks and the Office of Finance. As
                such, DBR conducts annual safety and soundness examinations of each
                FHLBank and the Office of Finance. As part of these examinations, DBR
                periodically, in accordance with its minimum frequency guidelines, examines
                the FHLBanks’ BSA/Anti-Money Laundering (AML) programs.

                In this audit, we sought to determine whether DBR followed FHFA’s
                guidance for examinations of BSA/AML programs performed at each of the
                11 FHLBanks. We reviewed the most recent BSA/AML program examination
                performed at each FHLBank during the 2016, 2017, or 2018 examination
                cycles (review period).

                We found that, during our review period, examinations of BSA/AML
                programs were performed at all 11 FHLBanks in accordance with DBR’s
                established minimum frequency guidelines. DBR planned, performed,
                documented, and reported on each examination in accordance with FHFA
                guidance for 10 of the FHLBanks. For the remaining FHLBank, DBR’s
                examination workpapers did not support a BSA/AML-related conclusion
                included in the Report of Examination (ROE) that DBR prepared and
                transmitted to the FHLBank’s board of directors. We found that DBR
                included in its ROE the conclusion that

                        even though there was not support in the workpapers for that
                conclusion.
                The unsupported conclusion in the ROE for this FHLBank caused us to
                examine whether the BSA/AML program examination workpapers underwent
                a quality control review. DBR’s quality control process is intended to confirm
                that examination findings and conclusions in the ROE are adequately
                supported before DBR transmits the ROE to the board of the regulated entity.
                The unsupported conclusion in the ROE in this instance was not detected by
                DBR’s quality control process because that process did not require the review
AUD-2019-008    of examination work performed by the Examiner-in-Charge (EIC). This gap in
                DBR’s quality control process increases the risk that an ROE will assure an
July 10, 2019
                FHLBank’s board of directors that management is meeting FHFA’s
                supervisory expectations when it is not.

                We make two recommendations in this report. In a written management
                response, FHFA agreed with the recommendations.

                This report was prepared by James Lisle, Audit Director; Marco Uribe,
                Auditor-in-Charge; and Michael Rivera, Auditor; with assistance from Bob
                Taylor, Senior Advisor. We appreciate the cooperation of FHFA staff, as well
                as the assistance of all those who contributed to the preparation of this report.

                The report has been distributed to Congress, the Office of Management and
                Budget, and others, and will be posted to our website www.fhfaoig.gov.

                Marla A. Freedman, Deputy Inspector General for Audits /s/
TABLE OF CONTENTS ................................................................
EXECUTIVE SUMMARY .............................................................................................................2

ABBREVIATIONS .........................................................................................................................5

BACKGROUND .............................................................................................................................6
      Federal Home Loan Bank System ............................................................................................6
      The Bank Secrecy Act/Anti-Money Laundering Program .......................................................6
      FHFA’s Division of Federal Home Loan Bank Regulation .....................................................7
      DBR Examination Guidance ....................................................................................................8
      FHFA’s BSA/AML Examination Module................................................................................9

FACTS AND ANALYSIS.............................................................................................................10
      DBR Planned and Conducted Most FHLBank BSA/AML Program Examinations in
      Accordance with FHFA and DBR Examination Guidance ....................................................10
      The BSA/AML Examination Module Has Not Been Finalized Even Though it Has
      Been in Field Test for Four Years ..........................................................................................12

FINDING .......................................................................................................................................13
      A BSA/AML Program Examination Conclusion in the ROE for One FHLBank
      Lacked Workpaper Support ....................................................................................................13

CONCLUSIONS............................................................................................................................13

RECOMMENDATIONS ...............................................................................................................14

FHFA COMMENTS AND OIG RESPONSE ...............................................................................15

OBJECTIVE, SCOPE, AND METHODOLOGY .........................................................................15

APPENDIX: FHFA MANAGEMENT RESPONSE ....................................................................18

ADDITIONAL INFORMATION AND COPIES .........................................................................20




                                             OIG • AUD-2019-008 • July 10, 2019                                                               4
ABBREVIATIONS .......................................................................

AML                Anti-Money Laundering

BSA                Bank Secrecy Act

DBR                Federal Housing Finance Agency Division of Bank Regulation

EIC                Examiner-in-Charge

FHFA               Federal Housing Finance Agency

FHLBank            Federal Home Loan Bank

FinCEN             Financial Crimes Enforcement Network

MRA                Matter Requiring Attention

OIG                Federal Housing Finance Agency Office of Inspector General

OPB                Operating Procedures Bulletin

ROE                Report of Examination

SAR                Suspicious Activity Report

SD                 Supervision Directive




                           OIG • AUD-2019-008 • July 10, 2019                       5
BACKGROUND ..........................................................................

Federal Home Loan Bank System

The FHLBank System consists of the 11 FHLBanks and the Office of Finance. As of March
31, 2019, the FHLBank System had combined total assets of approximately $1.08 trillion with
total consolidated obligations of approximately $1.01 trillion.

The FHLBanks are organized under the authority of the Federal Home Loan Bank Act of
1932, as amended. Their mission is to provide reliable liquidity to member institutions
(generally, federally insured depository institutions, insurance companies, and eligible
community development financial institutions) to support housing finance and community
investment.

To accomplish their mission, FHLBanks provide financial products and services to their
members, which include advances. These advances assist and enhance a member’s financing
of: (1) housing, including single-family and multi-family housing serving consumers at all
income levels; and (2) community lending.

The Bank Secrecy Act/Anti-Money Laundering Program

The Bank Secrecy Act is comprised of a number of separate legislative acts stemming from
1970 to the present, including the USA PATRIOT Act, passed in 2001. 1 BSA was enacted: to
safeguard the U.S. financial system from illicit use such as for terrorist financing; to combat
money laundering and other illegal activity; and to require suspicious activity reporting,
including fraud reporting. BSA was designed to help identify the source, volume, and
movement of currency and other monetary instruments transported or transmitted into or out
of the United States or deposited in U.S. financial institutions.

On February 25, 2014, FinCEN published a Final Rule amending its regulations to define the
regulated entities as financial institutions subject to BSA, to require the regulated entities to




1
  BSA was enacted in 1970. Since then, a number of other laws have enhanced and amended BSA. Those laws
include: Money Laundering Control Act (1986), Anti-Drug Abuse Act of 1988, Annunzio-Wylie Anti-Money
Laundering Act (1992), Money Laundering Suppression Act (1994), Money Laundering and Financial Crimes
Strategy Act (1998), Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept
and Obstruct Terrorism Act of 2001 (USA PATRIOT Act), and Intelligence Reform & Terrorism Prevention
Act of 2004. BSA is codified at 12 U.S.C. § 1829b, 12 U.S.C. §§1951-1959, 18 U.S.C. §§ 1956, 1957, 1960,
and 31 U.S.C. §§ 5311-5314 and 5316-5332 and notes thereto, with implementing regulations at 31 C.F.R.
Chapter X. See 31 C.F.R. 1010.100(e).



                                   OIG • AUD-2019-008 • July 10, 2019                                         6
establish AML programs and file suspicious activity reports (SAR), and to delegate authority
to FHFA to examine the regulated entities’ compliance with BSA. 2

FinCEN’s Final Rule outlines the requirements for the AML program. Each regulated entity
is required to develop and implement an AML program that is reasonably designed to prevent
it from being used to facilitate money laundering or the financing of terrorist activities, and
other financial crimes, including mortgage fraud. At a minimum, the AML program must
include the following requirements, generally referred to as the four pillars:

    •   Internal policies, procedures, and controls based upon the regulated entity’s
        assessment of the money laundering and terrorist financing risks associated with its
        products and services;

    •   A designated compliance officer responsible for administering the program;

    •   Ongoing training of appropriate persons with responsibilities under the program; and

    •   Independent testing to monitor and maintain an adequate program.

In addition, FinCEN’s Final Rule requires the regulated entities to file with FinCEN a report
of any suspicious transaction relevant to a possible violation of law or regulation by
completing a SAR.

FHFA’s Division of Federal Home Loan Bank Regulation

The FHFA Director has delegated to the Deputy Director, DBR, the duty to supervise the
FHLBanks and the Office of Finance. DBR has adopted a supervision program that it
maintains is risk-based and consists of both on-site annual examinations and off-site
monitoring of the FHLBanks and the Office of Finance.

Reporting to the Deputy Director, DBR’s Examinations Group conducts annual safety and
soundness examinations of each FHLBank and the Office of Finance as well as community
investment examinations of each FHLBank. DBR issues an annual ROE for each FHLBank




2
 FinCEN, Anti-Money Laundering Program and Suspicious Activity Report Filing Requirements for Housing
Government Sponsored Enterprises, 79 Fed. Reg. 10365 (Feb. 25, 2014) (Final Rule codified at 31 C.F.R.
Parts 1010 and 1030).



                                  OIG • AUD-2019-008 • July 10, 2019                                     7
and the Office of Finance. The ROEs communicate examination conclusions, findings (if
any), and composite and component CAMELSO ratings for the entity. 3

DBR Examination Guidance

The FHFA Examination Manual provides guidance to DBR teams performing examinations
within the FHLBank System. Specifically, Part I of the FHFA Examination Manual provides
a description of the examination program and sets forth the processes examiners are to follow
when conducting examination activities at a regulated entity. It also describes the work
products examiners are to produce during those examinations. Part II of the FHFA
Examination Manual includes a general description of the examination modules and
Supplemental Examination Guidance. The modules provide examination instructions and
work programs organized by risk category and line of business. DBR also issues Operating
Procedures Bulletins (OPBs) that set forth expectations of examiners who conduct
examinations within the FHLBank System.

The FHFA Examination Manual and the Federal Home Loan Bank Examination Workpaper
Standards (2016-DBR-OPB-01) establish guidance for examiners to document the
performance of an examination. The guidance notes that examination documentation serves
as the written record of examination activity; must support examination results, conclusions,
findings, 4 and ratings presented in the ROE; and is DBR’s primary examination work
product. 5 Examination documentation facilitates the planning, performance, and supervision
of examination activities. In addition, examiners must cross-reference documents provided
by a regulated entity or other documents created by FHFA staff in their workpapers when
necessary to support examination work and explain observations and logic used to reach
conclusions. Put simply, the OPB requires that statements in the ROE be supported by
workpapers.




3
  CAMELSO is a risk-focused rating system under which each FHLBank and the Office of Finance is assigned
a composite rating based on an evaluation of various aspects of its operations. For the FHLBanks, the
components evaluated are Capital, Asset Quality, Management, Earnings, Liquidity, Sensitivity to Market
Risk, and Operational Risk. Due to the nature of its activities, the Office of Finance is only rated on the
Management and Operational Risk components.
4
  FHFA uses three categories of adverse examination findings: (1) Matters Requiring Attention (MRAs),
(2) Violations, and (3) Recommendations. MRAs are the most serious supervisory matters.
5
  Key examination documentation consists of the following: (1) pre-examination analysis, (2) pre-examination
scope memoranda, (3) work program, (4) activity memoranda, (5) findings memoranda (if findings were
identified), (6) conclusion memoranda, and (7) ROE.



                                    OIG • AUD-2019-008 • July 10, 2019                                         8
FHFA’s supervisory directive SD 2013-01, Quality Control Program for Examinations
Conducted by the Division of Bank Regulation and the Division of Enterprise Regulation, 6
states that, “final examination findings and conclusions are subject to a quality control review
before a report of examination or supervisory correspondence is communicated to the
regulated entity or Office of Finance.” It further states that quality control reviews will
evaluate whether workpapers support examination findings, conclusions, and ratings and
directs that “participants in a quality control review must not have participated in the
examination activity under review.”

DBR has implemented a two-prong quality control process intended to ensure high quality
work products that adhere to FHFA and DBR examination guidance. 7 The first prong of the
quality control process assigns primary responsibility for quality control to the DBR staff,
supervisors, and executives directly involved in preparing and reviewing work products.
Specifically, the examiner is responsible for ensuring that he or she completes work
satisfactorily and with adequate documentation. The EIC is responsible for ensuring that
documentation adequately evidences the work performed and agrees with conclusions reached
and expressed in the ROE. To meet this responsibility, EICs must review a sufficient number
of workpapers to have confidence in their adequacy or otherwise ensure that a combination of
their reviews and reviews by others provide that confidence. The second prong of the quality
control process entails reviews by a DBR examination specialist who is independent of the
examination of selected DBR work products. 8

FHFA’s BSA/AML Examination Module

After FinCEN issued its Final Rule, FHFA issued for field testing an examination module,
Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Program (BSA/AML examination
module), intended to assist FHFA examiners in evaluating the effectiveness of the regulated

6
  During our review period, SD 2013-01, Quality Control Program for Examination Conducted by the Division
of Bank Regulation and the Division of Enterprise Regulation (Mar. 25, 2013) set forth the general
requirements for DBR to assess examination findings, conclusions, ratings, supporting workpapers, and related
documents for quality control purposes. SD 2013-01 has since been superseded and replaced by SD 2017-01,
Quality Control Program (Apr. 28, 2017); however, the new guidance does not alter our analysis.
7
  During our review period, 2014-DBR-OPB-003, Safety and Soundness Examination Quality Control
Program (Dec. 24, 2014) and 2014-DBR-OPB-004, Community Investment Examination Quality Control
Program (Dec. 24, 2014), defined the DBR quality control process. These two OPBs have since been
superseded and replaced by 2018-DBR-OPB-03, Quality Control Program (Dec. 26, 2018); however, the
new guidance does not alter our analysis.
8
  The independent examination specialists complete their QC review in two ways: a “general workpaper
review” and a “specific workpaper review.” The general workpaper review assesses the planning, summary
results, and reporting of the overall examination by reviewing documents such as the supervisory strategy,
examination scope memorandum, scope matrix, findings memorandums, etc. The specific workpaper review
assesses supporting documentation for a judgmental sample of specific examination activities, i.e., those
typically associated with an individual examination work program.



                                    OIG • AUD-2019-008 • July 10, 2019                                          9
entities’ BSA compliance program and AML policies, procedures, and controls. 9 The
BSA/AML examination module lays out work steps to evaluate the minimum requirements
(i.e., “the four pillars”) of a BSA/AML compliance program: (1) the development of internal
policies, procedures, and controls, (2) the designation of a compliance officer, (3) an ongoing
employee training program, and (4) an independent audit function to test programs. It also
includes work steps for the examiner review of the regulated entities’ compliance with SAR
filing requirements.

In Work Program Minimum Frequency Guidelines (updated October 2016) (2012-DBR-OPB-
03), DBR established minimum frequency guidelines (annual, biennial, and triennial) for each
examination module. The minimum frequency guideline for the BSA/AML examination
module is         . That is, each FHLBank’s BSA/AML program should be examined, at a
minimum,                          .

                                                  *****

Our objective for this audit was to determine whether DBR followed FHFA’s guidance for
examinations of BSA/AML programs at each of the 11 FHLBanks. The scope of this audit
was the most recent BSA/AML program examination performed at each of those 11
FHLBanks. The examinations were performed during the 2016, 2017, or 2018 examination
cycles.


FACTS AND ANALYSIS ...............................................................

DBR Planned and Conducted Most FHLBank BSA/AML Program Examinations in
Accordance with FHFA and DBR Examination Guidance

We found that the examinations of BSA/AML programs at all 11 FHLBanks were conducted
in accordance with DBR’s established minimum           frequency guideline set forth
in 2012-DBR-OPB-03. Our review of examination workpapers also found that DBR’s
BSA/AML program examinations at 10 of the 11 FHLBanks were planned, performed,
documented, and reported in accordance with guidance set forth in the FHFA Examination


9
  FHFA, Bank Secrecy Act / Anti-Money Laundering (BSA/AML) Program - Supplemental Guidance: Field
Test (June 2015). The “Field Test” designation means that the module is in draft and has been since June 2015.
While a module is in Field Test, examiners are solicited for their comments and suggestions to improve
application of the module. Modules in Field Test are considered by FHFA to be non-public information and
are not posted on FHFA’s public website at
www.fhfa.gov/SupervisionRegulation/ExaminerResources/Pages/Manual-and-Supplemental-Guidance.aspx.
Since its initial issuance, the BSA/AML examination module has been used at least once at each of the
FHLBanks.



                                    OIG • AUD-2019-008 • July 10, 2019                                           10
Manual, BSA/AML examination module, and 2016-DBR-OPB-01. Specifically, for each of
the BSA/AML program examinations at 10 FHLBanks:

     •   DBR prepared a BSA/AML pre-examination analysis memorandum that identified
         areas of review and defined the examination objectives. DBR included the BSA/AML
         examination module on the schedule of work in the examination’s scope
         memorandum.

     •   DBR’s BSA/AML work program included work steps that addressed the examiner-
         defined objectives from the pre-examination analysis memorandum. These work steps
         provided for an evaluation of aspects of the program required by regulation, as well as
         a review of the regulated entities’ SAR filings.

     •   Documentation of examiner analysis and information obtained from the FHLBank
         supported conclusion statements made in the BSA/AML work program, activity
         memorandum, and, when applicable, findings memorandum. 10

     •   Summary conclusions regarding the BSA/AML program made in the component
         rating conclusion memorandum and the ROE were consistent with and supported by
         the conclusion statements made in the work program, activity memorandum, and,
         when applicable, findings memorandum.

For the remaining BSA/AML program examination at an FHLBank, we found that DBR
planned and executed work steps to evaluate the Bank’s implementation of a BSA/AML
program (i.e., that the program met the “four pillars” requirements) and the examination
workpapers supported the conclusion presented in the ROE that
                                                                               However,
this examination also resulted in a specific conclusion in the ROE that

          We found that this statement was not supported by examination workpapers. While
the BSA/AML examination workpapers documented examiner analysis of certain controls
surrounding the Bank’s SAR filing process (e.g., board reporting of SARs, internal audit
coverage of the SAR filing process, etc.), the work program did not include a related work
step to review the Bank’s SAR filings. The examination workpapers also did not contain
evidence that such a review was performed. 11



10
   DBR examiners identified BSA/AML-related adverse examination findings at        FHLBanks during the
review period.
11
  A review of SARs is not a mandatory work step in the BSA/AML examination module; however, a
conclusion in the ROE regarding SAR filings would infer that work was done to support that conclusion.



                                    OIG • AUD-2019-008 • July 10, 2019                                   11
The EIC for the 2016 FHLBank examination in question acknowledged that the examination
workpapers did not support the conclusion that
                                                                          The EIC stated that he
performed the work steps in the BSA/AML work program for the FHLBank himself. He said
that there was a possibility that he reviewed the Bank’s SAR filings and simply failed to
document the work but could not recall whether that happened with any certainty. He also
admitted that there was a possibility that a review of SAR filings was not performed – the
2016 examination of the FHLBank’s BSA/AML program was limited in scope because it was
a first-time review of a      risk area, examiner resources were limited, and, as the EIC, he
had other bank-wide examination priorities on which to focus.

As stated previously, the FHFA quality control guidance in effect at the time the 2016
FHLBank examination was performed stated that it is “important that final examination
findings and conclusions are subject to a quality control review before a report of
examination…is communicated to the regulated entity…” and that “participants in a quality
control review must not have participated in the examination activity under review.” 12
Typically examination work is performed by an examiner and, under DBR quality control
procedures, the EIC is responsible for reviewing examiner workpapers to ensure that they
support the conclusions reached and expressed in the ROE. However, because the EIC also
served as the examiner who performed FHLBank’s BSA/AML program examination and the
examination workpapers were not selected for a quality control review, his BSA/AML
program examination workpapers were not reviewed by anyone.

The BSA/AML Examination Module Has Not Been Finalized Even Though it Has Been
in Field Test for Four Years

The BSA/AML examination module provides background information and delineates
examination procedures to examine the basic requirements of an FHLBank’s BSA/AML
program. However, this module has remained in a non-public “Field Test” status for four
years, and since its initial issuance it has been used at least once at each of the FHLBanks.
The Deputy Director told us that the BSA/AML examination module is undergoing a last
review and is expected to be issued in final soon. Once final and made public, the BSA/AML
examination module informs the regulated entities of the scope of the examination program.




12
   SD 2013-01, Quality Control Program for Examinations Conducted by the Division of Bank Regulation and
the Division of Enterprise Regulation, and 2014-DBR-OPB-003, Safety and Soundness Examination Quality
Control Program, were the quality control guidance in effect when the 2016 FHLB Cincinnati examination
was conducted. This guidance has since been superseded by SD 2017-01, Quality Control Program, and
2018-DBR-OPB-03, Quality Control Program, respectively, which continue to emphasize that workpaper
reviews should be completed by someone who did not perform the work.



                                  OIG • AUD-2019-008 • July 10, 2019                                       12
FINDING ...................................................................................

A BSA/AML Program Examination Conclusion in the ROE for One FHLBank Lacked
Workpaper Support

There is an increased risk that conclusions communicated to regulated entities in an ROE
could be inaccurate if they are not supported by examination workpapers and do not undergo
quality control review. Guidance set forth in the FHFA Examination Manual and 2016-DBR-
OPB-01 notes that examination documentation serves as the written record of examination
activity and must support examination results, conclusions, findings, and ratings presented in
the ROE. Further, FHFA quality control guidance in effect at the time the examination was
performed stated that it is “important that final examination findings and conclusions are
subject to a quality control review before a report of examination…is communicated to the
regulated entity…” and that “participants in a quality control review must not have
participated in the examination activity under review.”

For 1 of the 11 FHLBank BSA/AML program examinations we reviewed, the examination
workpapers did not support the conclusion, included in the ROE, that

         According to 2014-DBR-OPB-003, the EIC is primarily responsible for reviewing
sufficient workpapers to ensure that “documentation adequately evidences the work
performed and agrees with conclusions reached and expressed in the [ROE].” However, since
the EIC performed the FHLBank’s BSA/AML program examination, his work supporting the
conclusion in the ROE related to the FHLBank’s SARs was not subject to an EIC review
under the OPB. Also, as allowed by DBR’s quality control process, the BSA/AML work
program for this examination was not selected for a quality control review by a DBR
examination specialist who was independent of the examination, so the supporting
workpapers prepared by the EIC were not reviewed by anyone.


CONCLUSIONS ..........................................................................

During our review period, examinations of BSA/AML programs at all 11 FHLBanks were
conducted in accordance with DBR’s established minimum frequency guidelines. DBR
planned, performed, documented, and reported examinations in accordance with FHFA
guidance for 10 of the FHLBanks.

During the course of our review, we learned that DBR’s quality control process – which is
intended to confirm that examination findings and conclusions are adequately supported



                               OIG • AUD-2019-008 • July 10, 2019                                13
before DBR communicates them to the regulated entity – does not require a review of
examination findings and conclusions if that examination work was performed by an EIC. As
a result, for the remaining FHLBank, a conclusion in the ROE based on examination work by
an EIC that
                                 was not supported by examination workpapers and did not
undergo a quality control review. Had the conclusion undergone a quality control review, it is
likely that DBR would have detected the workpapers did not support the conclusion. As we
have previously noted, gaps that allow conclusions to be communicated without quality
control present a risk that an ROE will assure a regulated entity’s board of directors that
management is meeting supervisory expectations when it is not. 13 By requiring quality control
review when the work is performed by an EIC, DBR would better assure itself that
conclusions are accurate and adequately supported.

We also noted that FHFA’s BSA/AML examination module has remained in Field Test status
for four years (since its issuance). All the while, the module has not been made publicly
available. The Deputy Director told us that the BSA/AML examination module is undergoing
a last review and that final issuance is expected soon. We encourage FHFA to continue its
work to issue a BSA/AML examination module in final.


RECOMMENDATIONS ...............................................................

We recommend that FHFA:

     1. Revise DBR’s quality control procedures to specifically require that all examination
        workpapers supporting examination findings, conclusions, and ratings directly
        prepared by the EIC be reviewed by an individual who did not participate in the
        examination.

     2. Take action to either determine whether the unsupported conclusion in 2016 ROE for
        the FHLBank in question
                                                                        ) is accurate or
        inform the board of the FHLBank not to rely on the unsupported conclusion.




13
  See OIG, The Gap in FHFA’s Quality Control Review Program Increases the Risk of Inaccurate
Conclusions in its Reports of Examination of Fannie Mae and Freddie Mac (Aug. 17, 2017) (EVL-2017-006)
(online at www.fhfaoig.gov/Content/Files/EVL-2017-006.pdf).



                                  OIG • AUD-2019-008 • July 10, 2019                                     14
FHFA COMMENTS AND OIG RESPONSE .....................................

OIG provided FHFA an opportunity to respond to a draft report of this audit. FHFA provided
a management response, which is provided as an Appendix to this report. In its response,
FHFA agreed with both recommendations and stated that it would take the following
corrective actions.

   1. DBR will revise its written procedures by September 30, 2019, to require examination
      workpapers prepared by the EIC to be reviewed by the EIC's Associate Director, or
      have that review delegated by the Associate Director to the team's Supervisory
      Examiner or to another EIC who did not participate on the examination. While both
      the Associate Director and Supervisory Examiner may participate in examinations,
      they do not report to the EIC and can conduct independent reviews.

   2. DBR will provide an unredacted version of the OIG report to the FHLBank in
      question by September 30, 2019. When doing so, DBR will refer the recommendation
      regarding the 2016 ROE. In follow-up discussions regarding this response, a DBR
      official told us that they will also provide an unredacted version of this OIG report to
      the chairman of the FHLBank’s board of directors.

We consider FHFA’s planned corrective actions responsive to our recommendations.


OBJECTIVE, SCOPE, AND METHODOLOGY .................................

We conducted this audit to determine whether DBR has followed FHFA’s guidance for
examinations of BSA/AML programs at each of the 11 FHLBanks. The scope of this audit
was the most recent BSA/AML examination performed at each of those 11 FHLBanks. These
examinations were performed during the 2016, 2017, or 2018 examination cycles.

To accomplish our objective, we:

   •   Reviewed FinCEN’s implementing regulation requiring FHFA-regulated entities to
       establish anti-money laundering programs and report suspicious activities pursuant to
       the BSA.

   •   Reviewed the following FHFA documentation:

          o FHFA Examination Manual (December 2013)




                              OIG • AUD-2019-008 • July 10, 2019                                 15
       o Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Program Supplemental
         Guidance: Field Test (June 2015)

       o SD 2013-01, Quality Control Program for Examinations Conducted by the
         Division of Bank Regulation and the Division of Enterprise Regulation (March
         25, 2013)

       o SD 2017-01, Quality Control Program (April 28, 2017)

       o 2012-DBR-OPB-03, Work Program Minimum Frequency Guidelines
         (December 19, 2012; updated October 7, 2016)

       o 2014-DBR-OPB-003, Safety and Soundness Examination Quality Control
         Program (December 24, 2014)

       o 2014-DBR-OPB-004, Community Investment Examination Quality Control
         Program (December 24, 2014)

       o 2016-DBR-OPB-01, Federal Home Loan Bank Examination Workpaper
         Standards (July 29, 2016)

       o 2018-DBR-OPB-03, Quality Control Program (December 26, 2018)

•   Interviewed FHFA personnel to gain an understanding of the BSA/AML examination
    module, the examination approach to the program, the FHLBank SAR reporting
    process, and FHFA policy and guidance review process. Additionally, we interviewed
    DBR personnel to identify causes for documentation shortcomings.

•   Reviewed examination documentation for the most recent BSA/AML examination
    performed during the review period at each of the 11 FHLBanks to determine whether:

       o DBR’s BSA/AML examination coverage complied with DBR requirements
         during the review period.

       o Examination procedures were planned in accordance with the FHFA
         Examination Manual, the BSA/AML examination module, and DBR guidance
         on workpaper preparation.

       o The examiners executed the planned examination procedures, documented the
         results, and reached and documented supportable conclusions in accordance
         with the FHFA Examination Manual, the BSA/AML examination module, and
         DBR guidance on workpaper preparation.



                          OIG • AUD-2019-008 • July 10, 2019                              16
           o The conclusions documented in the work program support those documented
             in the activity memorandum, the finding memorandum, conclusion
             memorandum, and the ROE.

           o Adverse examination findings identified in the examination workpapers were
             reported in the ROE.

We conducted this performance audit from November 2018 through June 2019 in accordance
with generally accepted government auditing standards. Those standards require that we plan
and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis
for the findings and conclusions based on our audit objectives. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions based on our audit
objectives.




                               OIG • AUD-2019-008 • July 10, 2019                                17
APPENDIX: FHFA MANAGEMENT RESPONSE .............................




                    OIG • AUD-2019-008 • July 10, 2019        18
OIG • AUD-2019-008 • July 10, 2019   19
ADDITIONAL INFORMATION AND COPIES .................................


For additional copies of this report:

   •   Call: 202-730-0880

   •   Fax: 202-318-0239

   •   Visit: www.fhfaoig.gov



To report potential fraud, waste, abuse, mismanagement, or any other kind of criminal or
noncriminal misconduct relative to FHFA’s programs or operations:

   •   Call: 1-800-793-7724

   •   Fax: 202-318-0358

   •   Visit: www.fhfaoig.gov/ReportFraud

   •   Write:

                FHFA Office of Inspector General
                Attn: Office of Investigations – Hotline
                400 Seventh Street SW
                Washington, DC 20219




                                OIG • AUD-2019-008 • July 10, 2019                         20