Fannie Mae's Compliance with FHFA Email Retention Requirements

Published by the Federal Housing Finance Agency, Office of Inspector General on 2013-08-16.


                                               August 16, 2013

To:              Steve A. Linick, Inspector General

From:            Richard Parker, Director, Office of Policy, Oversight, and Review (OPOR)

Subject:         Fannie Mae’s Compliance with FHFA Email Retention Requirements
                 (Evaluation Report No. EVL-2013-011)



In November 2011, while conducting an investigation, OIG special agents learned that although
Fannie Mae permanently retained the email of most employees in sensitive positions, it
automatically deleted the unsaved email of other employees after 60 days.[a] Consequently, email
records that the special agents expected to be maintained were determined to be unavailable. An
OIG representative advised Fannie Mae’s counsel and senior managers that the Enterprise’s
email deletion practices could have a negative impact upon OIG’s ability to perform its mission,
especially its ability to conduct thorough investigations. Fannie Mae, however, did not alter its
automatic deletion practices.

In August 2012, the Principal Deputy Inspector General brought OIG’s concerns in this regard to
the attention of FHFA’s Acting Director. Thereafter, on October 22, 2012, the Deputy Director
for Enterprise Regulation directed Fannie Mae to:

  - Immediately begin saving all employee email records;
  - Establish a corporate 5-year email retention policy;
  - Develop a project plan to ensure that Fannie Mae’s systems and technology support the
    revised email retention policy; and
  - Develop an internal audit plan under which to review this area during the 2013 audit

In response to FHFA’s directive, Fannie Mae began retaining all of its employee and contractor
email, including deleted messages, for a period of five years.[b] Further, it took steps to ensure
that its information technology systems could support the new email retention requirement.
Fannie Mae Internal Audit staff performed compliance testing of Fannie Mae’s implementation
of the FHFA directive during a scheduled information technology audit.[c] The internal auditors
concluded that Fannie Mae was in full compliance with FHFA’s directive.

In order to independently verify Fannie Mae’s compliance with the directive, members of the
OPOR staff reviewed the internal auditors’ work papers and the records of the compliance
testing they performed. OPOR staff members also interviewed Fannie Mae IT personnel and
obtained additional evidence regarding back-up tape retention. At the close of its review, the
OPOR team concurred with the Fannie Mae internal auditors’ conclusion that the Enterprise now
captures and stores all email activity, including deleted emails, as required by FHFA’s directive.[d]

OIG’s involvement in this situation, coupled with FHFA’s directive, has caused Fannie Mae to
put into place a basic email retention system, thereby enabling OIG and others to conduct more
comprehensive investigations into matters that involve email sent and received by Fannie Mae
employees. This development represents a marked improvement over the situation that existed
during the time that Fannie Mae destroyed most employee emails after 60 days. OIG will
continue to monitor FHFA’s oversight of Fannie Mae’s and Freddie Mac’s email retention
practices and records management policies to ensure that they fulfill their intended purposes.

[a] Fannie Mae IT staff estimated that the “other employees” portion of Fannie Mae’s staff consists of 13,000 users
who have mailboxes on the Enterprise’s email system. Approximately 6,000 of the users are Fannie Mae
employees. The rest of the mailboxes are assigned to contractors or specific business areas.

[b] Fannie Mae has retained back-up tapes of employee email from August 6, 2012, forward; however, the tapes do
not capture deleted messages. The expanded technology solution implemented in January 2013, as a result of
FHFA’s directive, captures all email, including deleted messages.

[c] Fannie Mae’s internal auditors reviewed and tested the technical capabilities of Windows Exchange servers that
support the five-year email retention requirement. They also recommended that Fannie Mae management enhance
the Backup and Recovery Service Level Requirements and Procedures. Finally, the auditors said that during the
2013 Data Center Operations Audit they would continue to review back-up and recovery procedures for the overall
technology infrastructure, including retention of email.

[d] OIG determined that Fannie Mae has expanded its existing retention processes to include all user accounts and set
the retention period to five years.