Utility of FHFA's Semi-Annual Risk Assessments Would Be Enhanced Through Adoption of Clear Standards and Defined Measures of Risk Levels

Published by the Federal Housing Finance Agency, Office of Inspector General on 2016-01-04.

Federal Housing Finance Agency
Office of Inspector General

Evaluation Report • EVL-2016-001 • January 4, 2016

Executive Summary
                  The Federal Housing Finance Agency’s (FHFA) mission as a federal financial
                  regulator is to ensure that Fannie Mae and Freddie Mac (the Enterprises) and
                  the Federal Home Loan Banks operate safely and soundly so that they serve as
                  a reliable source of liquidity and funding for housing finance and community
                  investment. FHFA and other federal financial regulators for sophisticated
                  financial institutions use a risk-based approach for their examination activities.
                  Critical to the success of a risk-based approach are risk assessments for each
                  regulated entity. A risk assessment presents a comprehensive, risk-focused
                  view of the regulated entity so that examiners can focus their supervisory
                  activities around the risks with the highest supervisory concerns: it identifies
                  and evaluates the primary risks to the regulated entity; identifies cause(s) of
                  unfavorable trends; and highlights the entity’s strengths, vulnerabilities, and
                  risks. A risk assessment is not a static document; revised regularly, pursuant to
                  a schedule set by each financial regulator, the evolving risk assessment informs
                  the development of the examination plan.

                  Pursuant to the Housing and Economic Recovery Act of 2008 (HERA),
                  FHFA conducts annual on-site examinations, plans and executes targeted
                  examinations of high risk areas, and engages in ongoing monitoring of the
                  entities it regulates to determine their safety and soundness. FHFA has vested
                  its Division of Enterprise Regulation (DER) with responsibility for performing
                  these supervisory activities for the Enterprises. FHFA requires the examiner-
                  in-charge for each Enterprise to prepare a risk assessment for that Enterprise
                  and update it semi-annually.

                  As we announced in our Audit and Evaluation Plan, OIG uses a risk-based
                  focus for its audit and examination activities and one area of that focus is
                  FHFA’s supervisory activities. Pursuant to our Plan, we conducted this
                  evaluation to assess whether FHFA’s requirements for its risk assessments of
                  the Enterprises are sufficiently robust to produce risk assessments that achieve
                  the purpose for which they are intended. We compared FHFA’s broad
                  guidance in its Examination Manual and in supplemental guidance issued by
                  DER, for the preparation of risk assessments against the stringent requirements
                  and specific guidance of other federal financial regulators. We found FHFA’s
                  loosely defined parameters lack standardized measures of risks (such as credit
                  risk, sensitivity to market risk, liquidity risk, and operational risk), do not
                  define the risk measures that examiners must use, or do not require examiners
                  to use a common format and common, defined measures of risk. Over the past
                  four years, DER has experienced high turnover in examination staff. FHFA’s
                  flexible guidance on preparation of risk assessments, combined with
                  significant changes in examiner staffing, has produced risk assessments that
                  are not readily susceptible to comparison year over year for one Enterprise.
                  The lack of comparability limits the utility of risk assessments in planning risk-
                  based supervision activity for that Enterprise.

                  The Enterprises have virtually identical federal charters, substantially
                  comparable business models, and similar risk profiles, and FHFA uses side-
                  by-side comparison analyses of the Enterprises in its published financial
                  performance reports. However, the significant variations in risk assessments
                  for each Enterprise limit the utility of these risk assessments as a tool to
                  compare risk exposures between the Enterprises, even though the Enterprises
                  share the same types of risk and those risks lend themselves to standardized
                  measures.

                  Based on the deficiencies identified by OIG in this evaluation, we make three
                  recommendations to FHFA to enhance its risk assessment framework for the
                  Enterprises. FHFA agreed with our recommendations.

                  This report was prepared by Jacob Kennedy, Senior Investigative Evaluator,
                  and Desiree Yang, Financial Analyst. We appreciate the cooperation of FHFA
                  staff, as well as the assistance of all those who contributed to the preparation of
                  this report.

                  This report has been distributed to Congress, the Office of Management and
                  Budget, and others and will be posted on our website www.fhfaoig.gov.




                  Angela Choy
                  Assistant Inspector General for Evaluations
TABLE OF CONTENTS

EXECUTIVE SUMMARY

ABBREVIATIONS

BACKGROUND
      FHFA’s Role as Regulator of the Enterprises
      Risk Assessments: Their Role and Purpose

FACTS AND ANALYSIS
      Risk Assessments: Requirements and Guidance of Other Federal Financial Regulators
             Examples of Specific Risk Assessment Requirements and Guidance
      Risk Assessments: FHFA Requirements and Guidance
             FHFA Flexible Standards
             FHFA Does Not Require that Risk Assessments Follow a Common Format

FINDINGS
      1. The flexible guidance adopted by FHFA and DER for preparation of risk
      assessments falls far short of the requirements and clear guidance provided by other
      federal financial regulators that we reviewed.
      2. Lack of minimum required standards limits the utility of DER’s risk
      assessments.

CONCLUSION

RECOMMENDATIONS

OBJECTIVE, SCOPE, AND METHODOLOGY

APPENDIX A
      FHFA’s Comments on OIG’s Findings and Recommendations

ADDITIONAL INFORMATION AND COPIES

ABBREVIATIONS

DER                   Division of Enterprise Regulation

Enterprises           Fannie Mae and Freddie Mac

Federal Reserve       Federal Reserve Board of Governors

Fannie Mae            Federal National Mortgage Association

FHFA or Agency        Federal Housing Finance Agency

Freddie Mac           Federal Home Loan Mortgage Corporation

HERA                  Housing and Economic Recovery Act of 2008

NCUA                  National Credit Union Administration

OCC                   Office of the Comptroller of the Currency

OIG                   Federal Housing Finance Agency Office of Inspector General

OPB                   Operating Procedures Bulletin




BACKGROUND

FHFA’s Role as Regulator of the Enterprises

FHFA, which was created by Congress in 2008, is charged by the Housing and Economic
Recovery Act of 2008 (HERA) with supervision of the Enterprises.1 Its mission as a federal
financial regulator is to ensure that the Enterprises operate safely and soundly so that they
serve as a reliable source of liquidity and funding for housing finance and community
investment.2 It conducts annual on-site examinations, executes targeted examinations, and
engages in ongoing monitoring of the Enterprises to determine the Enterprises’ safety and
soundness.3 FHFA has vested DER with responsibility for these supervisory activities. DER
has established a team of examiners to conduct such activities for each Enterprise, led by an
examiner-in-charge.4 The FHFA Examination Manual provides comprehensive guidance on
the examination process, establishes standards, and communicates expectations to examiners.5

Risk Assessments: Their Role and Purpose

FHFA, like other federal financial regulators, has adopted a risk-based approach for its
supervisory activities. According to FHFA, risk assessments provide the critical foundation
for planning its annual supervisory strategies, targeted examinations, and ongoing monitoring.
They identify and evaluate the primary risks; identify cause(s) of unfavorable trends;
highlight the strengths, vulnerabilities, and risks of the regulated entity; and assess the
adequacy of management systems used to measure, monitor, and control such risks. FHFA
examiners are then able to leverage their resources by focusing their supervisory activities
around the risks identified as posing the highest supervisory concerns in the risk assessments.
Because of the critical importance of risk assessments, DER requires each examiner-in-charge
to update the Enterprise’s risk assessment semi-annually to reflect changes in the Enterprise’s
risk profile and FHFA’s supervisory concerns.

We conducted this evaluation to assess whether FHFA’s requirements for its risk assessments
of the Enterprises are sufficiently robust to produce risk assessments that achieve the purpose
for which they are intended: namely, to identify and evaluate the critical risks to each
Enterprise, using clearly defined terms, so that supervisory activities can focus on those risks.

1 Pursuant to HERA, FHFA is also charged with supervisory authority for the Federal Home Loan Banks.
2 See FHFA, About FHFA – Who We Are & What We Do (online at www.fhfa.gov/AboutUs).
3 See 12 U.S.C. § 4517(a).
4 DER’s subject matter experts provide examination support and conduct other supervisory activities in the different risk areas.
5 FHFA, FHFA Examination Manual, Version 1.0 (Dec. 2013) (online at www.fhfa.gov/SupervisionRegulation/Documents/ExaminationProgramOverview.pdf).

FACTS AND ANALYSIS

FHFA maintains that its regulatory authority over the Enterprises mirrors the authority of
federal bank examiners and has successfully asserted the bank examination privilege to shield
from discovery materials relating to its regulation of the Enterprises.6 Because FHFA is a
relatively new federal financial regulator, it is useful to look to the risk assessment
requirements and guidance from three mature federal financial regulators and compare them
to FHFA’s requirements and guidance for risk assessments of the Enterprises.

Risk Assessments: Requirements and Guidance of Other Federal Financial Regulators

Similar to FHFA, the Office of the Comptroller of the Currency (OCC), Federal Reserve
Board of Governors (Federal Reserve), and National Credit Union Administration (NCUA)
use risk assessments to ensure that appropriate examination resources will be focused on areas
of elevated residual risk and not on those areas where inherent risk is well controlled and
remaining risk is limited or low.

The OCC and Federal Reserve require their examiners to use standardized tools and apply
common definitions for the risk assessments and to document and communicate judgments
regarding their assessments of existing and emerging risks and the strengths and weaknesses
of risk management on a risk template. Required use of these tools provides a repeatable,
measurable, and consistent process to identify and measure the level of known and emerging
risk associated with a regulated entity’s products, services, and activities and the adequacy of
management systems used to measure, monitor, and control such risks.

As a result, these regulators have reasonable assurance that their risk assessments enable them
to measure and assess existing and emerging risks and the quality of controls in place to
manage those risks, in the entities they regulate. Through a defined risk assessment process
with clearly defined terms and required assessment tools, each regulator can assess the risks
and the strengths and weaknesses of risk management across the entities that it regulates.

      Examples of Specific Risk Assessment Requirements and Guidance

The OCC requires its examiners to assess specific factors used to measure risks and reach
judgments about them. For example, examiners evaluating the quantity of credit risk must
consider a number of factors, including underwriting, strategic, external, and credit quality
factors. The level of credit risk is assessed using measures of specific delinquencies,
nonperforming and problem assets, underwriting standards, and counterparty financial
performance. Moreover, OCC identifies and defines exposure levels or ranges – high,
moderate, or low – for each measure that must be used in each risk assessment. The OCC
requires its examiners to use a standardized set of measures to assess the credit quality of its
banks and a minimum set of factors that must be considered in reaching conclusions.7 These
standards do not preclude OCC examiners from using their professional discretion to assess
credit or any other type of risks. The OCC’s required elements of a risk assessment, using
defined measures of risk, facilitate the consistent analysis of risk across the entities it
regulates because OCC examiners use both a common language and defined standards to
assess risk.

6 See Fed. Hous. Fin. Agency v. JPMorgan Chase & Co., 978 F. Supp. 2d 267 (S.D.N.Y. 2013).

While the Federal Reserve does not require its examiners to consider specific factors as the
OCC does, it defines, in writing, high, moderate, and low composite risk, to “facilitate
consistency” among its examiners in the assessment of risk. So, too, the Federal Reserve
defines, in writing, the elements that constitute strong, acceptable, and weak risk
management, which aids in reliable assessment of risk management across the entities
it regulates.8

The NCUA has also developed standardized risk evaluation tools that its examiners use in
their risk assessments. For example, one tool compares current financial and statistical data to
prior years’ data. This tool helps examiners quickly identify significant changes and draws
their attention to adverse or unusual trends. As with the OCC and Federal Reserve,
NCUA examiners can add other risks to assess.

Both the OCC and the Federal Reserve require their examiners to complete a template for
their risk assessments. Use of these templates provides examination teams with a standard
format in which to document and communicate risk assessment conclusions.9 By providing
common definitions of risk, and requiring risk and quality of risk management to be measured
using a well-defined method of evaluation, the basis for supervisory activities is consistent
and clearly documented and communicated, regardless of the composition of the examination
team, and facilitates comparison of quantity of risk and quality of risk management among
regulated entities.

7 See Office of the Comptroller of the Currency, “Large Bank Supervision,” Comptroller’s Handbook (January 2010, updated December 2015) (online at www.occ.gov/publications/publications-by-type/comptrollers-handbook/pub-ch-ep-lbs.pdf) (accessed Dec. 22, 2015).
8 See Federal Reserve System, Framework for Risk-Focused Supervision of Large Complex Institutions (August 8, 1997) (online at www.federalreserve.gov/boarddocs/srletters/1997/sr9724a1.pdf) (accessed Dec. 22, 2015).
9 While the NCUA does not require the use of a standard template, it directs that the risk assessment must be documented to demonstrate the extent of procedures and testing performed; reasons and factors considered in determining the areas and extent of review; analysis and assessment of risk areas; conclusions reached and recommendations made; and adequate support for conclusions and recommendations.

Risk Assessments: FHFA Requirements and Guidance

   FHFA Flexible Standards

The source of instructions and guidance to DER examiners on risk assessments is FHFA’s
Examination Manual, as supplemented by FHFA’s Supervision Directive 2013-02 and DER’s
Operating Procedures Bulletin 03.1. While FHFA acknowledges the critical importance of
risk assessments in planning its supervisory activities, its guidance, set forth in its
Examination Manual, is approximately ¾ of one page. The Examination Manual first affirms
the central role that risk assessments play in focusing supervisory attention on high-risk
matters and in developing an annual supervisory strategy to address FHFA’s supervisory
concerns. Then, it explains that the goal of a risk assessment is to “present a comprehensive
view of the Enterprise” and directs that a risk assessment must be in writing. Last, it counsels
that a risk assessment should include the following elements:

   • An executive summary;

   • Description of the types of risk (credit, market, liquidity, reputational, operational,
     model, legal) and direction (increasing, stable, decreasing);

   • Assignment of a specific risk level of “high,” “moderate,” or “low” to each type of
     risk;

   • Identification of all major functions, business lines, activities, and products from
     which significant risks emanate, as well as the key issues that could affect the risk
     profile; and

   • Description of the Enterprise’s risk management systems.

While we observed that these elements are included in the risk assessments, the factors
or measures relied on varied and lacked common definition, resulting in inconsistent and
incomparable assessments. FHFA’s Examination Manual provides no definition of each of
these risk levels or the elements inherent in each risk level. For example, with regard to credit
risk, the Examination Manual provides no detail on whether the level of credit risk should
be assessed using measures of serious delinquency, foreclosures, charge-offs, underwriting
standards, early payment defaults, or changes in the loan loss allowance. Likewise, it
does not identify exposure levels or ranges in these or other measures that would be high,
moderate, or low. FHFA, with its Supervision Directive 2013-02, prescribes the timing of
risk assessments.


On September 24, 2013, DER supplemented FHFA’s guidance with Operating Procedures
Bulletin (OPB) 03, which provided a three-page list of “risk category components and
evaluative factors.” Approximately one month later on October 29, 2013, DER revised OPB
03 with OPB 03.1. While DER affirmed, in OPB 03.1, that a risk assessment “helps the
[examiners-in-charge] focus supervisory activities on areas of greatest risk to the Enterprises,”
DER eliminated the detailed guidance in OPB 03 on risk category components and evaluative
factors. The risk assessment guidance in OPB 03.1 was reduced to ½ page and restates the
guidance in the Examination Manual.

FHFA and DER provide no additional requirements or other guidance as to the content of risk
assessments. None of these sources define the risk types or minimum risk measures, like
those used by the OCC, that examiners-in-charge must include in the risk assessments.
Instead, they only set forth a number of factors for examiners-in-charge to “consider,”
including, for example: the overall risk environment; reliability of risk management and
controls; and the adequacy of information technology systems.

Unlike other federal financial regulators, FHFA, through its Examination Manual, as
supplemented by FHFA’s Supervision Directive and DER’s OPB, does not articulate the
specific risks or measures of risk exposures that must be included in risk assessments, and
provides no guidance to determine whether a given risk should be characterized as high,
moderate, or low. Instead, each examiner-in-charge and examination team is free to develop
its own factors to assess risk and quality of risk management. Because FHFA does not define
the levels of risk, or require risk and quality of risk management to be measured with a well-
defined method of evaluation, DER examination teams use different definitions to prepare
their risk assessments. For example, we noted disparities between the two examination teams
in the area of underwriting. The exam team for Fannie Mae assesses underwriting as a risk
area but does not define what constitutes low, moderate, or high risk. Freddie Mac, on the
other hand, considers underwriting in greater detail in the context of asset quality with
specific quantifiable metrics.

   FHFA Does Not Require that Risk Assessments Follow a Common Format

In light of the similarities in the Enterprises’ federal charters, permissible activities, business
limitations, business models, risk exposures, and current status in conservatorship, FHFA uses
side-by-side and year-over-year analyses to compare the Enterprises’ financial condition and
performance in its public reports. Its quarterly performance reports compare key measures of
the Enterprises’ single-family credit guarantee business, such as income, credit losses, and
loss reserves, and compare credit losses by state, product type, and vintage.

Because FHFA and DER provide no defined set of standard risk measures, no clear guidance,
and no templates to document and communicate the risk assessments, each examiner-in-charge
and his or her examination manager is vested with discretion to develop its own
approach and determine which measures to use in assessing risks and which format to use to
present its conclusions. Since 2011, DER has experienced high turnover at all levels of staff:
it has had three different deputy directors, three Fannie Mae examiners-in-charge, and
complete turnover of Fannie Mae exam managers. As of August 2015, the DER examination
managers for Fannie Mae had an average of slightly less than one year in their current
positions and approximately two and a half years examining the Enterprise.

Because FHFA does not require that risk assessments be prepared using a common format or
template using a specific set of risk measures to analyze risk, OIG’s efforts to compare the
Enterprises’ respective risk exposures and quality of risk management and to evaluate the
level of consistency between the two teams’ determinations of whether risks were high,
moderate, or low were unsuccessful. A senior DER official acknowledged to us that a
consistent, standardized risk assessment approach, one that promotes efficiency and useful
risk assessments, would be valuable but is not currently possible in light of the significant
variances in the content and format of each risk assessment.




FINDINGS

1. The flexible guidance adopted by FHFA and DER for preparation of risk
   assessments falls far short of the requirements and clear guidance provided
   by other federal financial regulators that we reviewed.

Other federal financial regulators are clear in their guidance and definitions for risk
assessments. As discussed above, the OCC requires its examiners to assess specific factors
used to measure risks and reach judgments about them. Similarly, the Federal Reserve
facilitates consistency with definitions of high, moderate, and low composite risk and what
constitutes strong, acceptable, and weak risk management. Both the OCC and the Federal
Reserve require their examiners to complete a template for their risk assessments. DER’s
standards lack defined requirements for risk assessments and fall short of the standards used
by these other federal financial regulators.

2. Lack of minimum required standards limits the utility of DER’s risk assessments.

The absence of minimum required standards for risk assessments combined with the broad
discretion granted to examiners-in-charge and exam managers to select and define risk
measures has resulted in a lack of consistency in defining significant risks and identifying
supervisory concerns in risk assessments for an Enterprise over a period of years. The
significant variability in risk assessments for an Enterprise limits their utility in development
of a risk-based supervisory plan.

Because of the similarities in the Enterprises’ federal charters, permissible activities, business
limitations, business models, risk exposures, and current status in conservatorship, FHFA uses
side-by-side and year-over-year analyses to compare the Enterprises’ financial condition and
performance in its public reports. A senior DER official acknowledged to OIG that a
consistent, standardized risk assessment approach, one that promotes efficiency and useful
risk assessments, would be valuable, but such comparisons are not currently possible because
of the lack of clear guidance, defined terms, and standard risk matrix.




CONCLUSION

FHFA would benefit from upgrading its examination guidance and practices to more closely
align with the more mature examination programs of the federal banking regulators. Detailed
risk assessment standards, common risk measures and evaluative factors, standardized
templates, and clear expectations for supporting documentation promote consistency over
time while still allowing for reasonable examiner discretion and judgment. Standard
templates and common measures of risk would facilitate comparisons between Enterprises
and thereby increase the utility of risk assessments in planning examination activities and
updating examination ratings.

Enhanced risk assessment requirements will also help mitigate the effects of high staff
turnover within DER. Standard templates and clear instructions, accompanied by structured
training, would promote common practice among examination staff new to FHFA and reduce
the variability among DER’s risk assessments. Common, stable practices over successive
examination cycles also would promote continuity in institutional knowledge among DER
examiners and would strengthen FHFA’s examination program.




RECOMMENDATIONS

We recommend that FHFA implement detailed risk assessment guidance that provides:

        1. Minimum requirements for risk assessments that facilitate comparable analyses
           for each Enterprise’s risk positions, including common criteria for determining
           whether risk levels are high, medium, or low, year over year;

        2. Standard requirements for format and the documentation necessary to support
           conclusions in order to facilitate comparisons between Enterprises and reduce
           variability among DER’s risk assessments for each Enterprise and between the
           Enterprises.

And that FHFA:

        3. Direct DER to train its examiners-in-charge and exam managers in the
           preparation of semi-annual risk assessments, using enhanced risk assessment
           guidance consistent with Recommendations 1 and 2.

OIG provided FHFA an opportunity to respond to a draft report of this evaluation. In its
comments, which are reprinted in their entirety in Appendix A, FHFA agreed with the
recommendations. FHFA also provided technical comments on the draft report, which were
incorporated as appropriate.




OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of this report was to evaluate DER’s 2013 and 2014 processes for identifying
high risk areas.

To achieve this objective, we interviewed FHFA personnel with examination responsibilities.
We also reviewed publicly available documents, internal DER documents, and non-public
information provided by FHFA.

Our work was conducted under the authority of the Inspector General Act and in accordance
with the Council of the Inspectors General on Integrity and Efficiency’s Quality Standards for
Inspection and Evaluation (January 2012). These standards require us to plan and perform an
evaluation based upon evidence sufficient to provide reasonable bases to support its findings and
recommendations. We believe that the finding and recommendations discussed in this report
meet these standards.

The performance period for this evaluation was between February and July 2015.




APPENDIX A

FHFA’s Comments on OIG’s Findings and Recommendations




ADDITIONAL INFORMATION AND COPIES


For additional copies of this report:

      Call: 202-730-0880

      Fax: 202-318-0239

      Visit: www.fhfaoig.gov



To report potential fraud, waste, abuse, mismanagement, or any other kind of criminal or
noncriminal misconduct relative to FHFA’s programs or operations:

      Call: 1-800-793-7724

      Fax: 202-318-0358

      Visit: www.fhfaoig.gov/ReportFraud

      Write:

                FHFA Office of Inspector General
                Attn: Office of Investigations – Hotline
                400 Seventh Street SW
                Washington, DC 20219



