
Update on the Status of the Development of the Common Securitization Platform

Published by the Federal Housing Finance Agency, Office of Inspector General on 2016-12-09.


                  REDACTED



          Federal Housing Finance Agency
              Office of Inspector General




     Update on the Status of the
    Development of the Common
      Securitization Platform




Special Report • COM-2017-001 • December 9, 2016
               Executive Summary
               In 2012, the Federal Housing Finance Agency (FHFA/Agency), the
               conservator of Fannie Mae and Freddie Mac (the Enterprises), directed them
               to build a Common Securitization Platform (CSP or Platform). As originally
               envisioned by FHFA, the CSP was intended to provide a Platform for multiple
               market participants to issue mortgage-backed securities (MBS) in a future
               housing finance reform system that had yet to be defined. FHFA believed
               the Enterprises’ back-office systems were “outmoded” and assumed that the
               cost to build the CSP and integrate the Enterprises’ legacy financial and
               information technology (IT) systems into the Platform would be less than the
               combined costs for the Enterprises to upgrade their back-office systems. In
               2013, FHFA directed the Enterprises to establish and fund a joint venture,
               Common Securitization Solutions, LLC (CSS), to develop and ultimately
               operate the CSP.

               In May 2014, after extensive discussion within FHFA and with the Enterprises,
               FHFA concluded that the many variables in the CSP project created extreme
               risks and determined to de-risk the project by breaking it down into smaller
               pieces. In its May 2014 Strategic Plan for the Conservatorships, FHFA
               clarified that the CSP’s primary focus would be on supporting the Enterprises’
               current securitization activities, although the Platform would use standard
               industry technology and interfaces so that future market participants could
               connect to it. FHFA also announced three key goals of the conservatorships,
               one of which was to build a new infrastructure for the Enterprises’
               securitization functions and enable them to replace their separate MBS with
               a single, common security which would be issued and serviced via the CSP.
               According to FHFA, Enterprise issuance of a single common security through
               the CSP would improve liquidity in the housing finance system.

               FHFA Has Implemented Recommendations from FHFA Office of Inspector
               General’s 2014 Evaluation Report that Were Intended to Improve its Oversight
               of the CSP’s Development

               In a May 2014 evaluation report, we assessed the status of the CSP’s
               development since 2012. We found that, as of December 31, 2013, the
               Enterprises had spent a total of $65 million on the CSP program. FHFA
               and the team building the CSP had constructed a Platform prototype, and
               associated software testing was underway. We reported that officials from
               FHFA and the Enterprises recognized that the Enterprises’ legacy financial
               and information systems were outmoded and upgrading them so they could be
               integrated into the Platform would be complex and risky. Unless the risks
               attendant to these challenges were managed properly, we cautioned that the
               CSP project could fail.
               We also found that FHFA had not adopted essential project management
               tools to enable it to effectively oversee the CSP project. Two years into the
               development of the CSP, we learned that FHFA had not established schedules
               and timelines for the completion of the project, and lacked an estimate of the
               cost to complete the CSP project. We recommended that FHFA take steps to
               address these limitations in its oversight, and it agreed to do so.

               In June 2016, we closed our recommendations based on the corrective actions
               taken by FHFA. FHFA established timelines under which it anticipated that
               Freddie Mac would begin to use the CSP to issue its fixed rate securities in the
               fourth quarter of 2016 (referred to as Release 1) and both Enterprises would
               use the CSP to issue the new single security at some point during calendar year
               2018 (referred to as Release 2). FHFA required CSS and the Enterprises to
               track the monies spent to date and to estimate the total costs to develop the
               Platform and integrate the Enterprises’ legacy systems on to it. We also
               observe that FHFA put into place a system to monitor the Enterprises’ efforts
               to finish construction of the Platform and upgrade and integrate their legacy
               systems into it.

               FHFA Has Not Fully Met its Commitment to be Transparent about CSP’s
               Development

               When it announced its revised goals for the CSP in May 2014, FHFA
               committed to be transparent in its development—a commitment it reaffirmed
               on several occasions. From May 2014 through early July 2016, FHFA issued
               a number of public reports in which it discussed the status of the CSP’s
               development. In view of FHFA’s repeated commitment to transparency about
               the development of the CSP, we reviewed these reports to assess the extent to
               which they disclosed information about the project’s status.

               We were guided in our analysis by the transparency standards for major
               IT acquisition projects contained in the Federal Information Technology
               Acquisition Reform Act (FITARA). Federal agencies covered by FITARA
               are required to provide the Office of Management and Budget (OMB) with
               detailed information about the annual costs of their major IT projects,
               as well as the risks to their successful completion. OMB publishes this
               information on a public website called the IT Dashboard. The CSP is a major
               IT acquisition project. Although FHFA is not an agency covered by FITARA,
               the Act’s transparency principles provide a useful standard against which to
               evaluate FHFA’s reports on the costs and risks of the CSP project.

               We found that FHFA had collected a significant amount of information on the
               actual and projected costs of the CSP from the Enterprises, and had conducted
               regular assessments of the risks to successful completion of the CSP. In our
               view, FHFA has not disclosed this information, even at a high level, in its
               public reports.

                     • Actual and Projected Costs of the CSP: All of the costs associated
                      with the development of the CSP have been, and will be borne by the
                      Enterprises. Since 2014, FHFA has collected data from the Enterprises
                      on the costs to develop the CSP and the costs they have incurred to
                      modify their legacy financial and information systems to integrate them
                      into the CSP.

                      FHFA only disclosed specific CSP cost data once in a September 2015
                      status report in which it announced that, from 2012 through mid-2015,
                      the Enterprises spent $146 million to develop the actual CSP Platform
                      (the Enterprises’ 2015 10-Ks reveal that this amount increased to
                      $218 million by year end 2015). However, FHFA has never publicly
                      reported that from 2012 through 2015 the Enterprises spent an
                      additional $              to integrate their legacy systems into the
                      Platform, even though it had collected this data from the Enterprises.
                      These unreported costs are % higher than the $218 million the
                      Enterprises spent over the same period to develop the actual CSP
                      Platform.

                      According to our review of internal FHFA documents and Enterprise
                      data, the Agency projects—but has not publicly disclosed—that the
                      Enterprises’ total CSP costs from 2012 through 2018 (including
                      Platform development and integration expenses) will be more than
                      $           .

                      FHFA has asserted that the Enterprises’ legacy financial and
                      information systems were outmoded and in need of modernization;
                      therefore, the Enterprises would have incurred “many” of the actual
                      and projected Platform and integration costs without the CSP project.
                      However, FHFA has acknowledged that the Enterprises do not have
                      estimates of the portion of the $           in costs for the CSP program
                      which would have been incurred anyway if they had pursued separate
                      upgrades to their securitization platforms.

                     • CSP Software Development Risks: FHFA reported publicly that the
                      Enterprises and CSS were “making progress” in developing and testing
                      the CSP’s software. FHFA has not disclosed that since 2014 it has
                      internally rated the risks to CSP’s successful development on a monthly
                      basis. These internal reports identify elevated risks facing CSP’s
                      development, particularly related to integrating the Enterprises’ legacy
                      systems into the Platform.
                      In its technical comments on a draft of this report, the Agency asserted
                      that the risks identified in its monthly reports were being addressed
                      and would not affect the publicly-reported completion dates for CSP.
                      However, the transparency principles underlying FITARA are intended
                      to ensure that policy-makers and the public are kept informed of the
                      risks facing major IT acquisitions and Agency efforts to remediate them.
                      FHFA’s assurance that it would address the risks it did not disclose in
                      the first instance does not amount to transparency.

               FHFA has acted as conservator of the Enterprises since September 2008 and is
               the steward of the $187.5 billion investment from American taxpayers in the
               Enterprises. As conservator, FHFA has met its commitment to implement the
               recommendations in our 2014 evaluation to strengthen its oversight of the CSP
               project. In our view, FHFA has not fully met its commitment to transparency
               about the development of the CSP because it has not publicly disclosed the
               actual and projected costs of the project or the risks to its successful
               development and timely delivery.

               This report was prepared by David P. Bloch, Senior Investigative Counsel
               with assistance from David M. Frost, Assistant Inspector General for
               Compliance & Special Projects, Bruce G. McWilliams, Senior Investigative
               Evaluator, Wesley M. Phillips, Senior Policy Advisor, Alisa Davis, Senior
               Policy Advisor, Karen Berry, Senior Investigative Counsel, and Patrice
               Wilson, Senior Investigative Evaluator. We appreciate the assistance of
               officials from FHFA in completing this special project.




               Richard Parker
               Deputy Inspector General, Compliance & Special Projects
TABLE OF CONTENTS

EXECUTIVE SUMMARY

ABBREVIATIONS

BACKGROUND
      FHFA’s Initial Goal in May 2012: Development of a New Securitization Platform
      for the Secondary Mortgage Market
      FHFA’s Revised Goal in May 2014: Clarification of the Scope and Purpose of the
      CSP
      OIG’s May 2014 Evaluation Identified Challenges to the Successful Development of
      the CSP
              FHFA Met its Commitment to Implement the Recommendations in our 2014
                 Report which were Intended to Improve the Project’s Management
      FHFA Timelines for the CSP and the Single Security
      FHFA’s Public Commitment to Transparency On Development of the CSP and the
      Single Security

FACTS
      FITARA Established Transparency Standards for Acquisition and Management of
      Major Federal IT Projects

ANALYSIS
              FHFA’s Reports Disclose Only the Costs Incurred by the Enterprises to Build
                 the CSP Platform and Develop CSS Through Mid-2015
              FHFA Collects, but Has Not Reported Upon, the Enterprises’ Actual Integration
                 Costs, as Well as Projected Integration and Platform Development Costs
      FHFA Has Not Disclosed Its Assessments of the Elevated Risks to the CSP’s
      Successful Development Posed by Software and Technological Challenges
              FHFA’s Reports Contained only General Information About Software
                 Development and Technological Challenges
              FHFA’s Internal CSP Monthly Risk Rating System

CONCLUSION

OBJECTIVES, SCOPE, AND METHODOLOGY

APPENDIX A
      FHFA’s Formal Comments

ADDITIONAL INFORMATION AND COPIES

ABBREVIATIONS

Agency or FHFA        Federal Housing Finance Agency

CSP or Platform       Common Securitization Platform

CSS                   Common Securitization Solutions, LLC

Enterprises           Fannie Mae and Freddie Mac

FITARA                Federal Information Technology Acquisition Reform Act

MBS                   Mortgage-Backed Securities

OMB                   Office of Management and Budget

PAR                   Performance and Accountability Report

Progress Report       2015 Scorecard Progress Report

2012 Strategic Plan   A Strategic Plan for Enterprise Conservatorships: The Next Chapter in
                      a Story that Needs an Ending

2014 Strategic Plan   The 2014 Strategic Plan for the Conservatorships of Fannie Mae and
                      Freddie Mac

2015 Update           An Update on the Common Securitization Platform

2016 Update           Update on the Implementation of the Single Security and Common
                      Securitization Platform




BACKGROUND

Each Enterprise purchases mortgage loans from banks, mortgage companies, and other loan
originators. Generally speaking, individual mortgage loans are illiquid assets. However,
when individual mortgages of similar characteristics are combined into a pool, securities can
be issued that represent claims on the principal and interest payments made by borrowers on
the loans in the pool. The process by which mortgages are pooled is called “securitization.”
Securitization turns the assets underlying illiquid mortgage loans into marketable securities
that can be bought, sold, and traded on the secondary markets. Mortgage securitization allows
the Enterprises to continue to purchase mortgage loans without retaining the loan assets on
their books.1

FHFA’s Initial Goal in May 2012: Development of a New Securitization Platform for
the Secondary Mortgage Market

In February 2012, FHFA issued “A Strategic Plan for Enterprise Conservatorships: The Next
Chapter in a Story that Needs an Ending” (2012 Strategic Plan). In it, FHFA announced the
goal of building a new securitization platform “designed to issue securities supported with or
without a government guarantee.” FHFA’s proposed design objectives for the platform
included “an open architecture that [would] permit multiple future issuers of mortgage-backed
securities to access the platform” and sufficient flexibility “to permit a wide array of securities
and mortgage structures.” FHFA also observed in the 2012 Strategic Plan that “[i]n the
intermediate term, a single platform would allow for a single mortgage-backed security.”

In that same 2012 Strategic Plan, FHFA recognized that the back-office systems by which the
Enterprises issued and serviced their MBS were ill-equipped to fulfill its vision of a new,
common securitization platform:

        Neither Enterprise has a securitization infrastructure capable of becoming a
        market utility today. Taking on that role would require substantial investment
        of both human capital and information technology resources. Both
        Enterprises would have to draw from the American taxpayer to make such a
        long-term infrastructure investment, so it makes more sense to do this only
        once. (emphasis added)



1 For a more comprehensive discussion of the MBS process, see OIG, Status of the Development of the
Common Securitization Platform (May 21, 2014) (EVL-2014-008) (online at
www.fhfaoig.gov/Content/Files/EVL-2014-008.pdf).

FHFA worked with the Enterprises during 2012 to develop a plan for the design of a common
securitization platform that would “serve both companies and also potentially be used in a
post conservatorship market.” In its 2012 Report to Congress, issued in June 2013,2 FHFA
explained that its “basic premise is that the Enterprises’ outmoded proprietary infrastructures
need to be updated and maintained and any updates should enhance value to the mortgage
market with a common and more efficient model.”

In October 2013, the Enterprises established CSS as an independent, jointly-owned business
entity to develop the CSP, including building the Platform software and operational
capabilities, and to support the Enterprises’ use of the CSP.

FHFA’s Revised Goal in May 2014: Clarification of the Scope and Purpose of the CSP

After discussions both within FHFA and with the Enterprises, FHFA concluded that the many
variables in the original CSP project created extreme risks and decided to “de-risk” the CSP
project by breaking it down into smaller pieces. In its May 2014 revised Strategic Plan for the
Conservatorships of Fannie Mae and Freddie Mac (2014 Strategic Plan), FHFA announced
three key goals of the conservatorships, one of which was to build a new infrastructure for
the Enterprises’ securitization functions which would enable them to issue a single common
security. According to FHFA, the Enterprises’ issuance of a single, common security through
the CSP would improve liquidity in the housing finance system.

Recognizing that other market participants might seek to use the CSP, FHFA instructed
the Enterprises to develop the CSP with industry-standard software, systems, and data
requirements. FHFA envisioned that, at a later point in time, the CSP could be configured for
use by private-label securities issuers.

OIG’s May 2014 Evaluation Identified Challenges to the Successful Development of the CSP

In our May 2014 evaluation, we assessed the progress made since 2012 to develop the
CSP.3 Although we found that progress had been made, we cautioned that the CSP faced
considerable challenges because it was a large and complex technology project. We observed
that FHFA lacked experience and expertise in overseeing such projects, and that the
Enterprises did not have a good record of completing such projects on time.




2 FHFA, 2012 Report to Congress, at 13 (June 13, 2013) (online at
www.fhfa.gov/AboutUs/Reports/Pages/FHFA-2012-Annual-Report-to-Congress.aspx).
3 OIG, Status of the Development of the Common Securitization Platform (May 21, 2014) (EVL-2014-008)
(online at www.fhfaoig.gov/Content/Files/EVL-2014-008.pdf).

In our view, the most significant challenge to the success of the CSP was the integration of the
Enterprises’ separate IT and financial systems into the new Platform. Each Enterprise used a
significant number of different systems, and upgrading, modifying or replacing those systems so
they could be integrated into the CSP was likely to be complex and risky. We warned that the
process, if not managed well, could result in CSP’s failure to function as planned.

        Integration is the process enabling the Enterprises to communicate with the CSP. In some
        cases, the Enterprises must modify their legacy financial and information systems to
        integrate with the CSP.

      FHFA Met its Commitment to Implement the Recommendations in our 2014 Report
      which were Intended to Improve the Project’s Management

Our 2014 evaluation report also found that FHFA had not adopted project management tools
for its oversight of the CSP project; that is, it lacked schedules and timelines for the project’s
completion, cost estimates for its various stages, and an overall cost estimate. We
recommended that FHFA address these limitations in its oversight of the CSP project, and it
agreed to do so. As discussed below, we closed this recommendation in June 2016 because
FHFA has developed timelines, budgets, and cost estimates through 2018 that it tracks
internally and put into place a system to monitor the Enterprises’ efforts to finish construction
of the Platform and upgrade and integrate their legacy systems into it.

FHFA Timelines for the CSP and the Single Security

In a March 2016 report, FHFA announced that the CSP and the single security would be
completed in two phases—Release 1 and Release 2.4 As explained by FHFA, Release 1,
during the fourth quarter of 2016, would be Freddie Mac’s use of the CSP to issue its fixed-
rate MBS. Release 2, during calendar year 2018, would be both Enterprises’ use of the CSP
to issue the new single, common security. In its July 2016 public update on the CSP, the
Agency provided a list of planned software tests from 2016 through 2018, and stated that it
would announce in the fourth quarter of 2016 a timeline for issuing the single security via the
CSP in 2018.5 FHFA also stated that it would provide stakeholders with a year’s notice of the
single security’s completion date in 2018.




4 FHFA, 2015 Scorecard Progress Report (Mar. 2016) (online at
www.fhfa.gov/AboutUs/Reports/ReportDocuments/Progress-Report-2015-Scorecard.pdf).
5 FHFA, Implementation of the Single Security and Common Securitization Platform (July 7, 2016).

FHFA’s Public Commitment to Transparency On Development of the CSP and the
Single Security

Contemporaneous with FHFA’s release of its 2014 Strategic Plan, FHFA Director Watt
discussed the manner in which each goal in that Plan built upon and, in some instances,
reformulated past conservatorship goals.6 Director Watt provided a “clear sense of direction”
for the conservatorships, and recognized that implementing the goals in the 2014 Strategic
Plan would entail “ongoing analysis, evaluation and input.” He committed that FHFA would
“proceed with these steps in a transparent way that incorporates the feedback of the public and
stakeholder groups whenever possible.”7 Several months later, Director Watt reaffirmed
FHFA’s commitment to transparency in the development of the CSP. That commitment was
reiterated by FHFA in its July 2016 update on the status of the CSP.


FACTS

FHFA committed to oversee the development of the CSP in a transparent manner and
reaffirmed that commitment most recently in July 2016. It issued a number of public
reports from May 2014 through early July 2016, in which it described the progress of the
development of the CSP. By any measure, CSP is a significant IT project.8 We reviewed all
of these reports against the transparency standards for major federal IT acquisitions enacted
by Congress in FITARA. For presentation purposes, we focus our discussion below on the
following three reports:9




          • An Update on the Common Securitization Platform (2015 Update), issued on
            September 15, 2015.

          • 2015 Scorecard Progress Report (Progress Report), issued March 2016.

          • An Update on the Implementation of the Single Security and the Common
            Securitization Platform (2016 Update) issued July 2016, and the cover letter by which
            it was transmitted to the Chairmen and Ranking Members of the Senate Committee on
            Banking, Housing and Urban Affairs and the House Committee on Financial Services.

6 See Melvin L. Watt, FHFA Director, Prepared Remarks at the Brookings Institution Forum on the Future of
Fannie Mae and Freddie Mac (May 13, 2014) (online at
www.fhfa.gov/Media/PublicAffairs/Pages/Watt-Brookings-Keynote-5132014.aspx).
7 Id. at Conclusion.
8 For example, OMB Memorandum M-15-14 defines a “major IT investment” as an acquisition requiring
special management attention because it has importance to the mission or function of the government,
significant program or policy implications, high executive visibility, high development, operating, or
maintenance costs, an unusual funding mechanism; or is defined as major by the agency’s capital planning and
control process.
9 We reviewed the thirteen FHFA public reports issued from May 2014 through early July 2016 in which it
discussed the CSP project, including the seven reports issued after OMB’s memorandum of June 10, 2015, in
which it encouraged federal agencies to apply the principles of FITARA in the management of their major IT
acquisitions. None of these thirteen reports discussed the Enterprises’ CSP integration costs or the total
projected costs for the platform; nor did any of them discuss FHFA’s internal assessments of the risks facing
the CSP project.

We found that FHFA’s reports provide considerable information about the CSP project, such
as descriptions of its systems and the manner in which the Enterprises are aligning their
policies and procedures to issue the single security from the Platform. However, we found
that FHFA has not fully met its commitment to transparency because it has not disclosed the
integration costs to date and the projected Platform development and integration costs from
2016 through 2018; and has not disclosed, even at a high level, the status of the risks facing
successful completion of the CSP.

FITARA Established Transparency Standards for Acquisition and Management of Major
Federal IT Projects

In numerous reports issued from fiscal years 2010 through 2015, the Government
Accountability Office (GAO) identified significant weaknesses and failures across the federal
government with respect to the acquisition and management of IT projects.10 Recognizing the
severity of issues related to government-wide acquisition and management of IT, Congress, in
December 2014, enacted FITARA to improve the efficiency and effectiveness of federal IT
acquisitions.11 12 To bring about these improvements, Congress established specific
requirements in seven areas, one of which was enhanced transparency and improved risk
management. Federal agencies covered by FITARA13 are required to make publicly available
“data on cost, schedule, and performance” of major IT investments to the Office of
Management and Budget (OMB).14 OMB publishes this information on its IT Dashboard.15

10 See GAO, Information Technology: Implementation of Reform Legislation Needed to Improve Acquisitions
and Operations (Nov. 4, 2015) (GAO-16-204T) (online at www.gao.gov/assets/680/673508.pdf); GAO,
Information Technology: OMB and Agencies Need to Focus Continued Attention on Implementing Reform
Law (May 18, 2016) (GAO-16-672T) (online at www.gao.gov/assets/680/677290.pdf).
11 Federal Information Technology Acquisition Reform provisions of the Carl Levin and Howard P. ‘Buck’
McKeon National Defense Authorization Act for Fiscal Year 2015, Pub. L. 113-291, div. A, title VIII, subtitle
D, 128 Stat. 3292, 3438-3450 (Dec. 19, 2014). See also GAO, Information Technology: OMB and Agencies
Need to Focus Continued Attention on Implementing Reform Law (May 18, 2016) (GAO-16-672T) (online at
www.gao.gov/assets/680/677290.pdf).
12 FITARA does not apply to the Enterprises or CSS because they are not Federal agencies.
13 See 31 U.S.C. § 901(b)(1) and (2).

The IT Dashboard “provide[s] Federal agencies and the public with the ability to view details
of Federal information technology (IT) investments online and to track their progress over
time.” It displays detailed cost, schedule, and performance data for over 700 major IT
investments. Specifically, the website shows the total expenditures for each IT project; breaks
out the cost data into varying categories including development and operations and
maintenance; and provides information as to the extent to which each project’s actual costs
vary from its planned costs. The website also provides ratings showing the severity of the
risks facing major IT investments using a traditional stoplight scale (Green, Yellow, Red); the
risk ratings are displayed in graphic form on the website.

FHFA, like a number of other federal agencies, has determined that it is not covered by
FITARA. In a memorandum issued on June 10, 2015, OMB issued guidance to implement
the FITARA requirements, including its transparency standards.16 OMB “encouraged” “all
other Executive Branch agencies … to apply the principles described in this guidance to their
management of IT, consistent with their legal authorities.” The transparency principles
announced in FITARA provide a useful standard against which to evaluate the transparency
of FHFA’s public reporting on the project’s costs and risks.


ANALYSIS

We found that FHFA has not been fully transparent about the CSP project. First, it has
not publicly disclosed the actual and projected costs for the CSP project, which exceed
$            . While FHFA claims, in its technical comments on a draft of this report, that
some portion of these costs would have been incurred had the Enterprises simply upgraded
their internal systems, it has acknowledged that the Enterprises do not have estimates of the
costs that they would have incurred if they had not been directed to build the CSP. Second,
FHFA has not disclosed, even at a high level, the status of the risks facing successful
completion of the CSP. FHFA acknowledges in its monthly internal reports that there are
elevated risks facing the CSP project; however, it claims in its technical comments that these
risks are being remediated and will not affect the project’s publicly reported completion
dates.

14 See Pub. L. No. 113-291, § 832 (codified at 40 U.S.C. § 11302(c)).
15 OMB established the IT Dashboard in 2009. FITARA codified some of its requirements.
16 OMB Memorandum M-15-14: Management and Oversight of Federal Information Technology (June 10,
2015).

   FHFA’s Reports Disclose Only the Costs Incurred by the Enterprises to Build the CSP
   Platform and Develop CSS Through Mid-2015

In its 2015 Update, issued in September 2015, FHFA reported that, from 2012 through mid-
2015, the Enterprises spent $146 million, primarily to develop and test the CSP itself. FHFA
explained that the $146 million was exclusive of “spending by the Enterprises to adapt their
existing IT platforms and operations to integrate with the CSP.” FHFA advised that each
Enterprise reported its Platform development expenses in its 10-Ks and 10-Qs. The
Enterprises’ 2015 10-Ks report that both Enterprises spent $218 million by year-end 2015 to
develop the CSP Platform itself, an increase of $72 million from the $146 million spent from
2012 through mid-2015.

In the 2015 Scorecard Progress Report, issued in March 2016, the Agency provided no
further information on the costs to the Enterprises to develop and test the CSP. It explained
that it was “working with CSS and the Enterprises to develop an updated, multiyear CSS plan
and budget” and planned to “publicly release the projected cost” of completing the CSP
project, once a final plan and budget had been approved.

FHFA’s 2016 Update, issued in July 2016, did not report any data on the Enterprises’ costs
for the CSP project. In the non-public cover letter transmitting this 2016 Update to Congress,
the Agency reported that, from 2012 through the first quarter of 2016, the Enterprises spent
$               on the construction of the CSP. FHFA estimated that, from 2012 through 2018,
the actual and projected costs to construct the CSP would total $               . FHFA again
explained that these costs were exclusive of the Enterprises’ integration costs, which it
characterized as “large.” FHFA did not report the integration costs but stated that it would
provide them on request. FHFA claimed in its letter that each Enterprise separately reported
its costs in its public securities filings under “administrative expenses.” Based on our review
of the Enterprises’ public securities filings, we were not able to isolate the CSP integration
costs from other administrative expenses. FHFA has subsequently acknowledged that it is not
possible to determine each Enterprise’s integration costs from its reported administrative
expenses.

   FHFA Collects, but Has Not Reported Upon, the Enterprises’ Actual Integration Costs,
   as Well as Projected Integration and Platform Development Costs

According to the senior FHFA executive responsible for CSP’s oversight, FHFA has collected
integration cost data from the Enterprises since 2014. This information was not published in
the Agency’s public reports on the CSP. From the data provided to us by FHFA we
calculated that from 2012 through 2015 the Enterprises spent nearly $           to integrate
their legacy systems into the CSP, — % more than the $218 million they incurred over the
same period to build the CSP Platform. Based on the data provided by the Enterprises and
FHFA, the Enterprises have spent nearly $              from 2012 through 2015 to develop the
CSP Platform and integrate their legacy systems into the Platform.

The Enterprises also have provided data to FHFA on their projected integration and Platform
development costs. FHFA did not publish this information in its public reports on the CSP,
although it reported on the costs of the CSP itself. According to data provided by FHFA, the
Enterprises project that from 2016 to 2018 they will spend an additional $               to
develop the Platform and an additional $              to integrate their legacy systems into it.
Thus, the projected Platform development and integration costs for the period 2016 through
2018 are $                   . When the $             the Enterprises spent on the Platform and
integration from 2012 through 2015 is added to the $             that is projected to be spent
on those items from 2016 through 2018, the total projected cost to the Enterprises for the CSP
project as of July 2016 amounts to nearly $           . Figure 1 provides a table of this information.

FIGURE 1. CSP PLATFORM DEVELOPMENT AND INTEGRATION COSTS, IN $ MILLIONS

Time Period                   Actual        Projected     Actual + Projected
                              2012-2015     2016-2018     2012-2018
Platform Development Costs    $218          $             $
Integration Costs             $             $             $
Total                         $             $             $

Source: Enterprise reporting and FHFA.

On Wednesday, October 26, 2016, we provided the Agency with a draft of this report in
which we criticized it for its lack of transparency in disclosing the actual and projected costs
of integrating the Enterprises’ legacy systems into the CSP. We noted that it was not possible
to determine the monies spent to date by each Enterprise on its integration efforts from a
review of the public securities filings because those costs were reported as part of each
Enterprise’s administrative expenses; they were not broken out separately.

Within days after receiving a draft of this report, the Agency received a request from a
Member of Congress for the actual and projected costs of integrating the Enterprises’ legacy
systems into the CSP. On November 10, 2016, FHFA replied to the Member and provided
the integration costs after acknowledging what our draft reported: that each Enterprise’s
integration costs could not be ascertained from review of the Enterprise’s 10-Ks and 10-Qs
because those costs “are not broken-out from other administrative expenses in these
filings ….”



Based on our review of FHFA’s November 10, 2016 response, we found that the Enterprises’
integration costs increased since we completed our fieldwork and collected the data for Figure
1. According to FHFA, the projected integration costs were $              ; in other words,
they had increased by $            , or %, since year-end 2015. If unchanged, this would
cause the projected cost of the CSP from 2012 through 2018 to total $              . In that
same response, FHFA reported that the projected costs for development of the Platform were
being refined and would likely increase above the current projection of $             . In that
event, the overall projected cost of the CSP would exceed $            .

In its technical comments on a draft of this report, FHFA maintained that the Enterprises
would have incurred “many” of the Platform development and integration costs, even if they
had not been directed by FHFA to develop the CSP. FHFA stated these costs would have
been incurred because the Enterprises needed to upgrade their separate securitization
platforms anyway. However, FHFA acknowledged that the Enterprises do not have estimates
of the costs that would have been incurred if they had not been directed to build the CSP.

Finally, the Agency told Congress that it would publish “another update on the Single
Security and CSP during the first quarter of 2017 in which we plan to include information
about costs incurred through the end of 2016 and projected costs through 2018.” We expect
that FHFA’s pledge to provide actual and projected cost data in its updates will help provide
transparency around development of the CSP.

FHFA Has Not Disclosed Its Assessments of the Elevated Risks to the CSP’s Successful
Development Posed by Software and Technological Challenges

   FHFA’s Reports Contained only General Information About Software Development
   and Technological Challenges

FHFA’s 2015 Update provided a lengthy discussion of the software development and testing
methodology used by CSS to build the CSP. In its 2015 Scorecard Progress Report, FHFA
reported that CSS had sent additional versions of the CSP software to the Enterprises for
testing and that “(t)esting of this software continues to progress.” The Progress Report noted
that one component of Release 1 testing had been completed, and that additional testing for
both Releases 1 and 2 was ongoing or planned. Regarding integration, the Progress Report
stated that “Fannie Mae and Freddie Mac are progressively completing the technology and
operational changes that each Enterprise needs to make to enable it to use the CSP.”

In its 2016 Update, FHFA reported that a series of software tests were planned through 2018
to ensure that Releases 1 and 2 would occur and operate as planned. This 2016 Update
explained that CSS and Freddie Mac would engage in parallel testing in 2016 to ensure that
Release 1 would be able to “go-live” as scheduled in the fourth quarter of 2016.17 Testing in
support of Release 2, according to the 2016 Update, would be undertaken to ensure that the
CSP Platform performs as expected, and that the Enterprises have successfully integrated their
financial and information systems into the CSP.

     FHFA’s Internal CSP Monthly Risk Rating System

Since 2014, FHFA has rated the risks to CSP’s successful development on a monthly basis
using a stoplight system similar to the IT risk rating system used for agencies covered by
FITARA. According to the senior FHFA executive responsible for CSP’s oversight, the
Agency receives weekly reports from CSS and the Enterprises on the status of key project
management topics, such as software testing results and the status of integration programs.
He advised us that he communicates regularly with CSS and the Enterprises on the status of
the CSP project. Based on this information, FHFA prepares a monthly report assessing the
status of the CSP project, which rates the risks facing the CSP project, and these monthly
reports are distributed to senior FHFA, Enterprise, and CSS officials, as well as employees
in FHFA’s Division of Conservatorship. According to the same senior FHFA executive,
FHFA’s monthly risk reports reflect a consensus view of FHFA, CSS and the Enterprises.18

We reviewed the monthly risk reports issued by FHFA from June 2014 through July 2016 and
found that the overall risk to the CSP project was rated as Yellow, or medium risk.19 As we
forecasted in our 2014 evaluation, integration of the Enterprises’ legacy systems has proved to
be a complex challenge that has been a key driver of CSP’s elevated risk ratings. Based on
our review of these monthly reports, we found that integration-related tests have often been
deferred or delayed and that the version of Release 2 under development is larger and more
complex than originally planned because integration-related problems that could not be fixed
in earlier versions have been rolled into the current version for resolution.

Our review of FHFA’s public reports on the development of the CSP issued through July
2016 found no disclosure of these risks, even in summary form. According to FHFA, the
challenges identified in its internal monthly risk reports have been, and continue to be,
addressed on an on-going basis and will not affect the publicly-reported dates for Release 1
and 2. However, the transparency principles underlying FITARA are intended to ensure that
policy-makers and the public are kept informed of the risks facing major IT acquisitions and
Agency efforts to remediate them. FHFA’s assurance that it will address the risks it did not
disclose in the first instance does not amount to transparency.

17 In parallel testing, CSS and Freddie Mac will run the CSP and Freddie Mac’s existing production systems in
parallel to ensure that each system produces the expected results for Freddie Mac’s current fixed-rate MBS.
18 According to the FHFA executive in charge of the CSP project, the risk ratings are formulated initially by
CSS, Fannie Mae, and Freddie Mac. The senior FHFA executive then reviews the ratings and provides his
feedback. According to this executive, the monthly reports he issues contain consensus risk ratings.
19 On November 15, 2016, FHFA released its Fiscal Year 2016 Performance and Accountability Report (the
PAR) which provides additional information about the CSP’s development and testing for FY 2016. The PAR
does not discuss any of the internal risk assessments conducted subsequent to the July 2016 Update.


CONCLUSION

FHFA has acted as conservator for the Enterprises since September 2008 and is the steward of
the $187.5 billion investment from American taxpayers in the Enterprises. This status report
demonstrates that FHFA fulfilled its commitment to implement our 2014 evaluation report
recommendations to improve its oversight of the project. However, FHFA has not fully met
its commitment to transparency around the development of the CSP because it has not
publicly disclosed the actual and projected costs of the CSP and the risks to its successful
development and timely delivery.


OBJECTIVES, SCOPE, AND METHODOLOGY

Our objective for this special project was to assess the transparency of FHFA’s public
disclosures about the CSP project from May 2014 through July 2016. The scope of our
project did not include assessing FHFA’s oversight of the CSP project’s development during
that period.

To meet our objective, we reviewed FHFA’s public disclosures on the project from May 2014
through July 2016 in light of FITARA’s transparency standards. We determined what the
disclosures stated about the CSP project’s costs, CSP and software and integration testing
results. We also requested and reviewed internal Agency documentation on the CSP project,
including cost data, risk rating designations, and weekly and monthly reports on CSP testing.

We also held several interviews with the Agency executive responsible for FHFA’s oversight
of the project. We also met with a representative from FHFA’s Division of Enterprise
Regulation.

We conducted this special project during the period April 2016 to September 2016 under the
authority of the Inspector General Act of 1978, as amended, and in accordance with the
Quality Standards for Inspection and Evaluation (January 2012), which were promulgated by
the Council of the Inspectors General on Integrity and Efficiency.

FHFA provided technical comments on a draft of this report which were incorporated as
appropriate. FHFA’s formal comments are appended hereto.


APPENDIX A

FHFA’s Formal Comments




ADDITIONAL INFORMATION AND COPIES


For additional copies of this report:

      Call: 202-730-0880

      Fax: 202-318-0239

      Visit: www.fhfaoig.gov



To report potential fraud, waste, abuse, mismanagement, or any other kind of criminal or
noncriminal misconduct relative to FHFA’s programs or operations:

      Call: 1-800-793-7724

      Fax: 202-318-0358

      Visit: www.fhfaoig.gov/ReportFraud

      Write:

                FHFA Office of Inspector General
                Attn: Office of Investigations – Hotline
                400 Seventh Street SW
                Washington, DC 20219



