oversight

FHFA's Examiners Did Not Meet Requirements and Guidance for Oversight of an Enterprise's Remediation of Serious Deficiencies

Published by the Federal Housing Finance Agency, Office of Inspector General on 2016-03-29.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                  REDACTED



           Federal Housing Finance Agency
               Office of Inspector General




 FHFA’s Examiners Did Not Meet
 Requirements and Guidance for
   Oversight of an Enterprise’s
Remediation of Serious Deficiencies




Evaluation Report  EVL-2016-004  March 29, 2016
                 Executive Summary
                 As the regulator of Fannie Mae and Freddie Mac (collectively, the Enterprises)
                 and of the Federal Home Loan Banks (FHLBanks), the Federal Housing
                 Finance Agency (FHFA) is tasked by statute to ensure that these entities
                 operate safely and soundly so that they serve as a reliable source of liquidity
EVL-2016-004     and funding for housing finance and community investment. On-site
                 examinations of the regulated entities are fundamental to FHFA’s supervisory
March 29, 2016   mission.

                 FHFA has directed its Division of Enterprise Regulation (DER) to conduct
                 supervisory activities of the Enterprises and its Division of Federal Home Loan
                 Bank Regulation (DBR) to conduct these activities for the FHLBanks. When
                 DER or DBR identifies a deficiency, it will classify the deficiency as a Matter
                 Requiring Attention (MRA), a violation, or a recommendation. According to
                 FHFA, MRAs are reserved for “the most serious supervisory matters” and will
                 be issued for matters “that result or may result in significant risk of financial
                 loss or damage,” “repeat deficiencies that have escalated due to insufficient
                 action or attention,” “unsafe or unsound practices,” “matters that have resulted,
                 or are likely to result, in a regulated entity being in an unsafe or unsound
                 condition,” and “breakdowns in risk management, significant control
                 weaknesses, or inappropriate risk-taking.” Because an MRA identifies a
                 “serious deficiency,” FHFA requires “prompt remediation” by the institution
                 to which the MRA was issued.

                 In our 2015 Annual Audit and Evaluation Plan, FHFA Office of Inspector
                 General (OIG) explained that we intended to focus our resources on programs
                 and operations that pose the greatest financial, governance, and reputational
                 risk to FHFA, the Enterprises, and the FHLBanks. One of the four areas we
                 identified was FHFA’s rigor in its examinations of the Enterprises. According
                 to FHFA, a key component of effective supervision is close oversight of an
                 institution’s efforts to correct identified supervisory concerns. This evaluation
                 is the first of a number of OIG reports that will assess the robustness of
                 FHFA’s policies, procedures, and practices governing its oversight of MRA
                 remediation by the entities it supervises.

                 FHFA consistently maintains, based on the language of its authorizing statute,
                 that its supervisory authority over its regulated entities “is virtually identical
                 to—and clearly modeled on—Federal bank regulators’ supervision of banks.”
                 According to FHFA, “Congress virtually duplicated the examination regime
                 applicable to banks when it designed the examination regime” for the
                 Enterprises and the FHLBanks. Because FHFA asserts that it has exactly the
                 same powers as bank regulators, we first compared FHFA’s requirements and
                 supplemental guidance for issuance of an MRA and supervision of an entity’s
                 remediation to address the deficiencies identified in the MRA against the
                 requirements and specific guidance of two mature federal financial regulators.
                 We found that, in certain instances, FHFA’s standards fell short. We then
                 reviewed whether DER examiners followed existing FHFA requirements and
                 guidance in their oversight of an MRA related to                  issued to an
                 Enterprise in July 2013, and found that they did not. The MRA remains open
EVL-2016-004     and unresolved more than 30 months later. The shortcomings that we
                 identified include: DER accepted the Enterprise’s proposed remediation plan,
March 29, 2016
                 even though the plan failed to address all of the deficiencies identified in the
                 MRA; DER did not press the Enterprise to revise its plan to address the
                 excluded items; and DER never prepared an internal procedures plan, as
                 required by FHFA, to identify the steps it planned to take to monitor MRA
                 remediation, and to document, at specific intervals, its assessment of the
                 effectiveness of the completed remediation steps. We also found no evidence
                 that DER assessed the adequacy and timeliness of the Enterprise’s efforts to
                 remediate the MRA, beyond attending meetings with Enterprise personnel and
                 receiving written presentations; and, as of this writing, we found no evidence
                 that DER performed any assessment to determine whether the deficiencies,
                 which relate to an area that FHFA deems a “significant risk,” had been
                 corrected.

                 We make six recommendations to FHFA to remedy the shortcomings we
                 found. FHFA disagreed with two of our recommendations and agreed with the
                 remaining four recommendations.

                 This report contains redactions to protect from disclosure information that
                 could be abused to circumvent the Enterprise’s internal controls.

                 This report was prepared by Jacob Kennedy, Senior Investigative Evaluator.
                 We appreciate the cooperation of FHFA staff, as well as the assistance of all
                 those who contributed to the preparation of this report.

                 This report has been distributed to Congress, the Office of Management and
                 Budget, and others and will be posted on our website, www.fhfaoig.gov.




                 Angela Choy
                 Assistant Inspector General for Evaluations
TABLE OF CONTENTS ................................................................

EXECUTIVE SUMMARY .............................................................................................................2

TABLE OF CONTENTS .................................................................................................................4

ABBREVIATIONS .........................................................................................................................6

BACKGROUND .............................................................................................................................7
      MRAs: Their Role and Purpose ...............................................................................................7

FACTS .............................................................................................................................................8
      MRAs: Comparison of Oversight Requirements and Guidance..............................................9
      A 2013 Internal FHFA Review Identified Weaknesses in DER’s Efforts to Monitor
      MRA Remediation by the Enterprises ....................................................................................14
      DER’s Response to the Findings of the 2013 Internal FHFA Review ...................................15
      Notwithstanding DER’s Concurrence with the “Spirit and Intent” of OQA’s
      Recommendations, Review of its MRA Monitoring Efforts Found No Improvement
      and a Continued Lack of Compliance with Existing FHFA Requirements and
      Guidance .................................................................................................................................17
              DER Approved a Remediation Plan Which Did Not Identify the Specific
                 Deficiencies to Be Corrected and Which Lacked Any Plan or Milestones to
                 Remediate All of the Shortcomings ........................................................................17
              DER Examiners Failed to Prepare a Required Procedures Document at the
                 Outset of Monitoring ...............................................................................................18
              FHFA-Mandated Examiner Follow-up on an Enterprise’s Remediation Efforts
                 Requires More than Participation in Meetings with Enterprise Employees
                 and Attendance at Briefings by Enterprise Employees ...........................................19
              DER Documentation of its Ongoing Monitoring Contains No Assessment by
                 DER Examiners of the Adequacy or Timeliness of the Enterprise’s Efforts
                 to Remediate the MRA ............................................................................................21
              The Enterprise’s Failure to Meet its Internal Deadlines for Validation Testing
                  Prompted No Response or Inquiry from DER ........................................................22
              FHFA’s Representations to the Public Respecting the Timeliness of MRA
                 Remediation Is Questionable...................................................................................22


                                             OIG  EVL-2016-004  March 29, 2016                                                                 4
FINDINGS .....................................................................................................................................23
      1. FHFA guidance with respect to the content of MRAs falls short of the guidance
      of other federal financial regulators. .......................................................................................23
      2. Although FHFA’s requirements and guidance for monitoring MRA remediation
      are similar to that of other financial regulators, DER examiners have not adhered to
      the requirements and guidance in their oversight of remediation of a
             MRA. ..........................................................................................................................23

CONCLUSION ..............................................................................................................................24

RECOMMENDATIONS ...............................................................................................................25

FHFA COMMENTS AND OIG RESPONSE ...............................................................................26

OBJECTIVE, SCOPE, AND METHODOLOGY .........................................................................28

APPENDIX A ................................................................................................................................29
      FHFA’s Comments on OIG’s Recommendations ..................................................................29

ADDITIONAL INFORMATION AND COPIES .........................................................................32




                                            OIG  EVL-2016-004  March 29, 2016                                                              5
ABBREVIATIONS .......................................................................

DBR                   Division of Federal Home Loan Bank Regulation

DER                   Division of Enterprise Regulation

Enterprises           Fannie Mae and Freddie Mac

Fannie Mae            Federal National Mortgage Association

FDIC                  Federal Deposit Insurance Corporation

Federal Reserve       Board of Governors of the Federal Reserve System

FHFA or Agency        Federal Housing Finance Agency

FHLBanks              Federal Home Loan Banks

Freddie Mac           Federal Home Loan Mortgage Corporation

MRA                   Matter Requiring Attention

MRIA                  Matter Requiring Immediate Attention

OCC                   Office of the Comptroller of the Currency

OIG                   Federal Housing Finance Agency Office of Inspector General

OPB                   Operating Procedures Bulletin

OQA                   Office of Quality Assurance




                          OIG  EVL-2016-004  March 29, 2016                       6
BACKGROUND ..........................................................................

Since 2008, FHFA has operated as both regulator and conservator of the Enterprises and
regulator of the FHLBanks to ensure that they operate safely and soundly so that they serve
as a reliable source of liquidity and funding for housing finance and community investment.
FHFA, like other federal financial regulators, has adopted a risk-based approach for
supervision. Supervision activities for the Enterprises are conducted by DER while
supervision of the FHLBanks is the responsibility of DBR. DER continually conducts
ongoing monitoring and targeted examinations into strategically selected areas of high
importance or risk at each Enterprise pursuant to a supervisory plan that is prepared annually
and revised at mid-year. With respect to the FHLBanks, DBR’s supervisory activities include
annual examinations, periodic visits, special reviews, and off-site monitoring. DER and DBR
also have regular communications with senior management and communications on a limited
basis with directors of each regulated entity throughout the supervisory cycle. Both DER and
DBR issue an annual Report of Examination to each Enterprise and FHLBank, respectively.

MRAs: Their Role and Purpose

Throughout its supervisory activities, FHFA examiners
may identify supervisory concerns or deficiencies                  FHFA issues MRAs only for the
occurring at a regulated entity. FHFA categorizes                  most significant deficiencies that
such examination findings into one of three categories:            require prompt remediation by
(1) recommendations, (2) violations, or (3) Matters                the regulated entity and timely
Requiring Attention (MRAs). According to FHFA,                     follow-up by FHFA to check
only “the most serious supervisory matters” are                    resolution consistent with a
                                                                   remediation plan.
categorized as MRAs. FHFA will issue an MRA
for such matters as “non-compliance with laws or
regulations that result or may result in significant risk of financial loss or damage,” “repeat
deficiencies that have escalated due to insufficient action or attention,” “unsafe or unsound
practices,” “matters that have resulted, or are likely to result, in a regulated entity being in
an unsafe or unsound condition,” and “breakdowns in risk management, significant control
weaknesses, or inappropriate risk-taking.”1

FHFA’s Examination Manual, issued in December 2013, and its Advisory Bulletin 2012-01,2
issued in April 2012, provide FHFA’s current requirements and guidance on MRA

1
 See FHFA, Advisory Bulletin 2012-01, Categories for Examination Findings (Apr. 2, 2012) (online at
www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/AB-2012-01-CATEGORIES-FOR-
EXAMINATION-FINDINGS.aspx (accessed Feb. 8, 2016).
2
    An FHFA Advisory Bulletin is directed to FHFA employees and the entities regulated by FHFA. Id. at 4.



                                    OIG  EVL-2016-004  March 29, 2016                                     7
remediation and supervisory follow-up. These materials are supplemented by guidance issued
by DER and DBR. Prior to December 2013, DER and DBR established MRA guidance for
their examiners. DER set forth its guidance to examiners in its Supervisory Guide 2.0 and
Operating Procedures Bulletin (OPB) 2013-DER-OPB-01, Matters Requiring Attention
(MRA) Process (OPB 2013-01).


FACTS .......................................................................................

FHFA consistently maintains, based on the language of its authorizing statute,3 that its
supervisory authority over its regulated entities “is virtually identical to – and clearly modeled
on – Federal bank regulators’ supervision of banks.” According to FHFA, “Congress
virtually duplicated the examination regime applicable to banks when it designed the
examination regime” for the Enterprises and FHLBanks. FHFA must conduct annual
examinations of the financial condition of the Enterprises and FHLBanks; the FHFA Director
has substantially the same authority as the bank regulators; and examiners have the same
authority as examiners employed by the Federal Reserve Banks.4 Like the Office of the
Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System
(Federal Reserve), and the Federal Deposit Insurance Corporation (FDIC), FHFA conducts
safety and soundness examinations of its regulated entities, reports on examination findings in
annual reports of examination, and, when necessary, issues findings identifying deficiencies.5
FHFA’s governing statute grants the Director authority to use examiners from the OCC, the
Federal Reserve, or the FDIC to conduct examinations, and requires the Director to set
compensation levels for FHFA staff that are comparable with other federal financial
regulators.6 A federal court has acknowledged that Congress granted FHFA the same powers

3
  Federal Housing Enterprises Financial Safety and Soundness Act of 1992, 12 U.S.C. § 4501 et seq. and
§ 4513, as amended by Sections 1101 and 1102 of the Housing and Economic Recovery Act of 2008, and
§ 4517(e).
4
    See 12 U.S.C. § 4517(a), (c), (e).
5
  The Federal Reserve Board of Governors establishes examination standards, and the Reserve Banks are
responsible for supervising bank holding companies, Federal Reserve System member banks, foreign branches
of member banks, and other related entities to ensure safe and sound banking practices and compliance with
applicable laws and regulations. For purposes of this report, any reference to the “Federal Reserve” includes
the Reserve Banks. See, e.g., Federal Reserve Bank of New York, Supervision (online at
www.newyorkfed.org/aboutthefed/org_banksup.html). The OCC is responsible for ensuring that national
banks and federal savings associations operate in a safe and sound manner, provide fair access to financial
services, treat customers fairly, and comply with applicable laws and regulations. See 12 U.S.C. § 1 et seq.,
12 U.S.C. § 1461 et seq. See also OCC, What We Do (online at www.occ.gov/about/what-we-
do/mission/index-about.html).
6
    See 12 U.S.C. §§ 4515(b), 4517(c).




                                         OIG  EVL-2016-004  March 29, 2016                                    8
as bank regulators and observed that Congress intended FHFA’s regulatory framework to
mirror the banking regulatory framework.7

For these reasons, we compared FHFA’s definition of an MRA and its requirements and
guidance for supervisory oversight of MRA remediation to the standards and guidance of
the OCC and Federal Reserve.8 Like FHFA, the OCC defines MRAs to be practices that

          [d]eviate from sound governance, internal control, and risk management
          principles, and have the potential to adversely affect the bank’s condition,
          including its financial performance or risk profile, if not addressed; or [r]esult
          in substantive noncompliance with laws and regulations, enforcement actions,
          supervisory guidance, or conditions imposed in writing in connection with the
          approval of any application or other request by the bank.9

The Federal Reserve classifies deficiencies identified in supervisory findings into two
categories, Matters Requiring Immediate Attention (MRIAs) and MRAs. Supervisory
matters of significant importance and urgency are labeled MRIAs. The Federal Reserve
issues MRIAs for “matters that have the potential to pose significant risk to the safety and
soundness of the banking organization,” “matters that represent significant noncompliance
with applicable laws or regulations,” and “repeat criticisms that have escalated in importance
due to insufficient attention or inaction by the banking organization” and it requires
immediate remediation of MRIAs.10 The Federal Reserve issues MRAs for bank practices
that deviate from sound risk management principles, but remediation is not required
immediately. Matters that give rise to an MRIA by the Federal Reserve are substantially
similar to the matters that lead to issuance of an MRA by the OCC and FHFA.

MRAs: Comparison of Oversight Requirements and Guidance

Format and Content of Communication. Both the OCC and the Federal Reserve require
their examiners to communicate, in writing, the supervisory findings that result in issuing an
7
    See Fed. Hous. Fin. Agency v. JPMorgan Chase & Co., 978 F. Supp. 2d 267 (S.D.N.Y. 2013).
8
 As recently as January 2016, FHFA selectively incorporated the regulatory standards issued by the OCC,
Federal Reserve, and the FDIC into its own regulatory guidance for the FHLBanks. See FHFA, Advisory
Bulletin 2016-01, Classification of Investment Securities at FHLBanks (Jan. 21, 2016) (online at
www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Classification-of-Investment-Securities-at-
FHLBanks.aspx.
9
 See OCC, Comptroller’s Handbook—Bank Supervision Process (Sept. 2007, updated Dec. 2015) (online at
www.occ.gov/publications/publications-by-type/comptrollers-handbook/pub-ch-ep-bsp.pdf) (accessed Feb. 8,
2016).
10
  See Federal Reserve System, Commercial Bank Examination Manual (Mar. 1994, updated Oct. 2015)
(online at www.federalreserve.gov/boarddocs/supmanual/cbem/cbem.pdf) (accessed Feb. 8, 2016).




                                   OIG  EVL-2016-004  March 29, 2016                                     9
MRA or an MRIA. The OCC, in its Comptroller’s Handbook, directs its examiners to
communicate, in writing, MRA deficiencies to the board “when discovered.” The OCC also
directs that examiners “shall describe the practices that resulted in the concerns, as well as
the board’s or management’s commitment to corrective action” in writing. Moreover, the
OCC prescribes the specific elements that examiners must use in documenting an MRA.
Examiners are required to use what the OCC calls the “Five Cs” format for an MRA.11

        Concern: the MRA must describe the supervisory concern(s) and how the bank’s
         deficient practice deviates from sound governance, internal control, or risk
         management principles, or results in substantive noncompliance with laws and
         regulations, enforcement actions, supervisory guidance, or conditions imposed in
         writing.

        Cause: the MRA must identify the root cause(s) of the concern, where evident.

        Consequence: the MRA must explain how continuation of the practice could affect
         the bank’s condition, including its financial performance or risk profile.

        Corrective Action: the MRA must include what the board and management must do
         to address the concern and eliminate the cause. Timely remediation of MRAs is not
         optional but required.

        Commitment: the MRA must document management’s commitment(s) to corrective
         action and include the time frame(s) and the person(s) responsible for corrective
         action.

Management’s commitment must include processes for the board to monitor and verify the
effective implementation of the corrective action. If management is unable to provide a
corrective action plan during the examination, the bank must submit to the OCC a board-
approved remedial plan within 30 days of receipt of the formal written MRA.

Similarly, the Federal Reserve, in its Commercial Bank Examination Manual, states that an
MRA or MRIA resulting from supervisory activity “must [be] formally communicate[d]” in a
written report to the affected bank. For an MRA, the Federal Reserve directs that examiners
use standardized language in the written reports. Each written report must inform an entity’s
“board of directors (or executive-level committee of the board)” that the bank “is required to”
remediate the identified MRA within a timeframe specified in that report. The Federal
Reserve recognizes that the initial timeframe “may require estimation because the banking
organization may first need to complete preliminary planning to establish the timeframe for

11
 See OCC, Bulletin 2014-52 – Matters Requiring Attention, Updated Guidance (Oct. 30, 2014) (online at
www.occ.treas.gov/news-issuances/bulletins/2014/bulletin-2014-52.html) (accessed Feb. 10, 2016).



                                  OIG  EVL-2016-004  March 29, 2016                                   10
initiating and completing the corrective action.” Following review of the Federal Reserve
report, “the banking organization’s board of directors is required to provide a written response
to the [Federal Reserve] regarding its plan, progress, and resolution of the MRA.”

For an MRIA, Federal Reserve examiners are instructed to communicate to the board of
directors (or an executive-level committee of the board) that remediation is required
“immediately” and to define the timeframe to address the MRIA. Following review of the
written report of the MRIA, “the banking organization’s board of directors is required to
respond to the [Federal Reserve] in writing regarding corrective action taken or planned,
along with a commitment to corresponding timeframes.”

In contrast, FHFA does not require that an MRA be communicated to the board of directors of
a regulated entity and leaves it to the examiner-in-charge whether to provide the MRA to the
board or to management. FHFA imposes limited requirements on the content of an MRA,
requiring only that the communication of an MRA be in the form of a “conclusion letter” or
“supervisory letter.” The letter must describe the “examination findings with sufficient detail
to enable management or the board of directors to prepare a remediation plan and correct the
problem.”12 Unlike the OCC, FHFA does not require the examination team to describe the
actions that a regulated entity must take to remediate the deficiency that gave rise to the
MRA, beyond stating that it must be addressed. Whether the Enterprises are provided with
any details about the practices that resulted in the MRA, or the potential consequences if the
MRA is not remediated, is left to the discretion of the DER examination team.

According to FHFA, MRAs “require prompt remediation.” Unlike the OCC and Federal
Reserve, FHFA does not require that a board of directors review and approve a remediation
plan before it is submitted. FHFA instructs in Advisory Bulletin 2012-01 that “specific
milestones within remediation plans should reflect the seriousness of the MRA, taking into
consideration the complexity of the issue, and the urgency regarding correction.” DER’s
supplemental guidance provides that the proposed remediation plan must “outline[] specific
and detailed steps that will be taken to address the MRA and ensure that a sustainable solution
will be put in place.”13 Unlike the OCC and Federal Reserve, however, FHFA does not
require a timeframe to be established within which all remedial actions to correct MRA
deficiencies must occur.

Follow-up. In its Comptroller’s Handbook, the OCC requires examiners to “include plans to
follow up on MRAs.” The OCC also requires its examiners to engage in a number of follow-
12
  See FHFA, Examination Manual (Dec. 19, 2013) (online at
www.fhfa.gov/SupervisionRegulation/Documents/ExaminationProgramOverview.pdf) (accessed Feb 10,
2016).
13
  See FHFA, DER Operating Procedures Bulletin 2013-01 – Matters Requiring Attention (MRA) Process
(Apr. 23, 2013).



                                OIG  EVL-2016-004  March 29, 2016                                 11
up activities at least once each quarter until the MRA is closed. These activities include, but
are not limited to, the following:

         Monitoring board and management progress in implementing corrective actions;

         Verifying and validating the effectiveness of corrective actions; and

         Performing timely verification after receipt of documentation or communication from
          the bank that the documentation is ready for review.

Similarly, the Federal Reserve requires examiners to follow up on MRAs and MRIAs

          [t]o assess progress and verify satisfactory completion … [corresponding]
          with the timeframe specified for the action being required, and should be
          appropriate for the severity of the matter requiring the corrective action. The
          means of follow-up may vary depending upon the nature and severity of the
          matter requiring the action. Follow-up may take the form of a subsequent
          examination, a targeted review, or any other supervisory activity deemed
          suitable for evaluating the issue at hand.14

In Advisory Bulletin 2012-01, FHFA instructs that MRAs “require prompt remediation,” and
that “timely” action by FHFA examiners is needed “to check for resolution consistent with a
remediation plan.” FHFA’s Examination Manual directs that DER examiners must engage in
ongoing monitoring “to determine the status of the Enterprise’s compliance with [ ] MRAs.”
This requirement is echoed in OPB 2013-01, which instructs that examiners will assess the
remediation of an MRA through ongoing monitoring or related targeted examination work.
Finally, FHFA states in Advisory Bulletin 2012-01 that the ongoing monitoring, or
remediation follow-up, “should include an assessment of materials provided by the regulated
entity, discussions with the responsible parties at the regulated entity, and testing, if
appropriate, to determine progress against a remediation plan.”

For all ongoing monitoring (defined in the Examination Manual to include MRA follow-up)
and targeted examinations, DER’s Operating Procedures Bulletin 2014-DER-OPB-01 (OPB
2014-01), which supplements FHFA’s requirements and guidance, requires DER examiners to
prepare a Procedures Document, or plan of the steps they intend to take in their examination
work.15 A Procedures Document for ongoing monitoring of an Enterprise’s efforts to

14
     Federal Reserve System, Commercial Bank Examination Manual, § 6000.1, at 3 (Oct. 2013).
15
  Supervisory Guide 2.0, which governed DER examinations prior to the December 2013 Examination
Manual, required examiners to draft a Procedures Document “at the beginning of the [supervisory] activity and
when the activity is complete updates them to ensure they provide an auditable trail of supervisory work.” See
FHFA, DER Supervisory Guide 2.0 (Sept. 8, 2009).



                                    OIG  EVL-2016-004  March 29, 2016                                          12
remediate an MRA must include examination steps to monitor its progress in implementation
of corrective actions; to assess materials provided by the Enterprises; to discuss the progress
of remedial activities with the responsible parties at the Enterprise; and to test, if appropriate,
to determine progress against a remediation plan. However, the intervals at which FHFA
examiners must “check and document progress” are “determined by the [examiner-in-charge]
and guided by the remediation plan,” rather than by FHFA requirements and guidance.

Documentation. Because the OCC places great value on oversight of MRA remediation, the
OCC instructs examiners that they must document, on a quarterly basis, the efforts of the
bank’s board and management to correct the MRA, validate that the corrective actions are
sustainable, and document the OCC’s supervisory activities to ensure remediation of the
MRA, until the MRA is closed. The Federal Reserve directs examiners engaged in
supervisory follow-up of MRIA and MRA remediation to clearly and fully document the
rationale for their decision to close any issue, and to communicate in writing the results of
their work and their findings to the regulated entity.

Similarly, FHFA directs in the Examination Manual that DER

        [e]xaminers performing ongoing monitoring must document their activities,
        findings, and conclusions using the appropriate form of documentation (for
        example, procedures documents, meeting notes, reports notes and summary
        analysis memoranda). The guiding principle is that the results of these
        activities must be reflected in a workproduct—or workproducts—in a manner
        that provides the [examiner-in-charge] with the basis to take action of some
        kind.

Beyond this high-level guidance, neither FHFA’s Examination Manual nor DER’s OPBs
provide additional detail on the content of the documentation.

Supervisory Action. The OCC’s Enforcement Action Policy permits the use of MRAs or
a combination of MRAs and other informal actions to address deficient practices in certain
banks, subject to some conditions.16 The OCC policy also states a presumption in favor of a
formal enforcement action, rather than an MRA, when management’s corrective actions are
less than satisfactory and when there is uncertainty as to whether management and the bank
have the ability or willingness to take appropriate corrective measures to address deficient
practices. The Federal Reserve recognizes that initiation of additional formal or informal
investigation or enforcement action may be necessary when supervisory follow-up indicates
the organization’s corrective action has not been satisfactory.


16
 See OCC, Policies & Procedures Manual—Enforcement Action Policy (Sept. 9, 2011) (online at
www.occ.gov/static/publications/ppm-5310-3.pdf) (accessed Feb. 8, 2016).



                                 OIG  EVL-2016-004  March 29, 2016                                  13
FHFA directs that other supervisory actions, including an enforcement action, should be
considered if progress toward remediation is not being made or if milestones are missed. We
are not aware of any enforcement actions brought by DER against either Enterprise for lack of
remedial progress or missed remediation milestones, and a 2013 FHFA Advisory Bulletin
suggests that FHFA intentionally has not brought any such actions.17

A 2013 Internal FHFA Review Identified Weaknesses in DER’s Efforts to Monitor MRA
Remediation by the Enterprises

As a federal agency, FHFA is required to implement internal controls to meet its mission,
goals, and objectives and to minimize risks associated with its programs and operations.
One such control is the FHFA Office of Quality Assurance (OQA). OQA is charged with
reviewing the work of FHFA divisions responsible for supervision.18 In July 2013, OQA
issued a quality assurance report that reviewed DER’s oversight of Enterprise remediation of
MRAs. Although OQA concluded that DER’s oversight of Enterprise remediation of MRA
was “generally adequate,” it identified a number of shortcomings, including:19

          Lack of preparation of required documentation. OQA found that, contrary to the
           requirements in Supervisory Guide 2.0 that DER examiners prepare written quarterly
           updates to reflect current MRA status, DER prepared no quarterly updates for any of
           the 32 MRAs in the OQA sample.

          Lack of adequate storage, retrieval, and tracking of MRA information. Of the 32
           MRAs in the OQA sample, DER was unable to provide supporting documentation for


17
     FHFA Advisory Bulletin 2013-03, FHFA Enforcement Policy, provides:
           Conservatorship does not preclude other enforcement actions; however, the conservator’s
           broad statutory powers may provide FHFA with more efficient means to address problems
           than traditional enforcement tools. When a regulated entity is placed into conservatorship or
           receivership, FHFA succeeds to the rights of the stockholders, officers, and directors, as well
           as title to the regulated entity’s books, records, and assets. FHFA as conservator may take
           immediate action, consistent with applicable law, to direct or restrict the activities at the
           regulated entity, including the activities of the board of directors and executive management.
           In addition, the conservator or receiver is not subject to most mandatory PCA [Prompt
           Corrective Action directive] requirements that would apply to an undercapitalized,
           significantly undercapitalized, or critically undercapitalized regulated entity that was not
           placed into conservatorship or receivership, because those requirements are superseded by
           the conservator’s or receiver’s powers and responsibilities, including, in the case of a
           conservator, to put the regulated entity in a sound and solvent condition, and to carry on its
           business and preserve and conserve its assets, and in the case of a receiver, to liquidate the
           regulated entity, which may include transferring assets to a limited life regulated entity.
18
  Pursuant to its charter, OQA is primarily responsible for evaluating the quality of work performed by DER,
DBR, and the Division of Housing Mission and Goals.
19
     See FHFA, Office of Quality Assurance Review Report (July 23, 2013).



                                      OIG  EVL-2016-004  March 29, 2016                                      14
         eight MRAs, and these eight MRAs remained open between 15 months and five years.
         As a result, OQA was unable to reach any conclusions about the adequacy of DER’s
         follow-up processes for 25% of its sample. For the remaining 24 MRAs in the sample,
         monitoring documents for at least 16 were not stored pursuant to FHFA’s record
         keeping system. While DER subsequently provided “much” of the exam
         documentation, that documentation was retrieved from numerous sources outside of
         DER’s centralized records storage for examination documentation.

        Shortcomings in required Procedures Documents. Supervisory Guide 2.0 required
         the lead examiner assigned to monitor MRA remediation to prepare a Procedures
         Document outlining the exam steps to be taken to determine if an Enterprise was
         addressing the deficiencies in the MRA. Based on the OQA report, it appears that
         OQA found only 18 Procedures Documents for the 32 MRAs sampled (or 56%), and
         these 18 were all for closed MRAs. None was updated on a regular basis, as required
         by Supervisory Guide 2.0. In addition, six Procedures Documents failed to meet
         existing DER requirements: three did not identify the steps for determining if the
         MRA has been corrected, and were not updated to reflect the work performed or facts
         discovered; and three were dated after DER determined that Enterprise remediation
         was complete.

        Unauthorized extensions of time. Of the 32 MRAs in the sample, extensions of
         remediation deadlines were granted in three instances without written authorization
         from the DER Deputy Director and without a finding that the Enterprise “made a
         convincing case for extending the due date,” as required by Supervisory Guide 2.0.

        Inadequate DER policies and procedures for MRA monitoring. DER policies and
         procedures lacked a clear assignment of responsibility for MRA tracking and lacked a
         means to ensure consistency in examiners’ documentation.

        Lack of a comprehensive quality control process.20 Work papers and reports prepared
         by examiners were not subject to a comprehensive quality control review process.
         OQA noted that a quality control process helps ensure the accuracy and consistency of
         the examination reports and supporting work papers and may help DER management
         self-identify and resolve these issues.

DER’s Response to the Findings of the 2013 Internal FHFA Review

In its written response to the OQA report, DER concurred with “the spirit and intent of the
report’s recommendations.” DER asserted that it had updated its policies and procedures for

20
  OQA noted that it had identified DER’s lack of formal quality control process in a 2011 report that looked at
DER’s 2010 Reports of Examination.



                                   OIG  EVL-2016-004  March 29, 2016                                            15
monitoring Enterprise remediation of MRAs and acknowledged the importance of effective
record keeping. DER also acknowledged that its examiners were required to document their
efforts to monitor Enterprises remediation of MRAs.

DER also committed to establish and adopt a formal internal quality control process, and
represented that implementation of the process would have a significant positive effect on
ensuring appropriate documentation of actions related to all aspects of examination activities.
As we explained in a recent evaluation, we found that DER repeatedly committed to
implement a formal quality control review process from 2012 until year end 2014, but failed
to do so until July 28, 2015, after our evaluation was completed.21

DER also advised OQA that it was working with the Enterprises’ Internal Audit divisions to
“appropriately shift from FHFA to Internal Audit the responsibility to assess that underlying
issues associated with the MRA have been addressed.” DER stated, however, that it would
retain “full and sole responsibility for ultimately assessing whether an Enterprise has
successfully addressed all issues associated with an MRA, as determined through ongoing
monitoring and related targeted examination work.” In December 2014, OQA closed its
outstanding recommendations directed toward improvement of DER’s efforts to monitor
MRA remediation.

Subsequent to issuance of the OQA report, FHFA and DER took action to eliminate a number
of the requirements at issue in the OQA report. As discussed, Supervisory Guide 2.0 required
an examiner to prepare quarterly reports assessing an Enterprise’s remediation efforts and
OQA found that no quarterly monitoring reports on remediation activity were prepared for
any of the 32 MRAs in the sample. When FHFA issued the Examination Manual in
December 2013, it did not include the quarterly assessment requirement and DER did not
include the requirement in any supplemental guidance. As a consequence, the only remaining
guidance to DER examiners on the obligation to assess an Enterprise’s MRA remediation
efforts is contained in FHFA’s Advisory Bulletin 2012-01, which allows the examiner-in-
charge to set the intervals at which examiners should check on and document progress by an
entity in remediating an MRA. Further, DER officials maintained to us, in disregard of the
plain requirements in Supervisory Guide 2.0, which was in effect at the time this MRA issued,
that they interpreted the Guide to permit DER examiners to review remediation efforts as part
of ongoing monitoring covering the risk area addressed by the MRA without a separate
Procedures Document. Finally, DER subsequently eliminated from its guidance the
requirement in Supervisory Guide 2.0 that extensions of an MRA remediation deadline could



21
  See OIG, Intermittent Efforts Over Almost Four Years to Develop a Quality Control Review Process
Deprived FHFA of Assurance of the Adequacy and Quality of Enterprise Examinations (Sept. 30, 2015) (EVL-
2015-007) (online at www.fhfaoig.gov/Content/Files/EVL-2015-007.pdf).



                                 OIG  EVL-2016-004  March 29, 2016                                       16
only be made by the DER Deputy Director and only upon a showing by an Enterprise of a
“convincing case for extending the due date.”

Notwithstanding DER’s Concurrence with the “Spirit and Intent” of OQA’s
Recommendations, Review of its MRA Monitoring Efforts Found No Improvement and
a Continued Lack of Compliance with Existing FHFA Requirements and Guidance

In July 2013, DER conducted a targeted examination of one Enterprise’s
         controls                        and found significant deficiencies relating to its
continued use of                            .22 DER issued an MRA requiring the Enterprise
to mitigate        shortcomings in its                . The MRA directed the Enterprise,
among other things, to provide dates by which it planned to remediate its                  , in
priority order.

     DER Approved a Remediation Plan Which Did Not Identify the Specific Deficiencies
     to Be Corrected and Which Lacked Any Plan or Milestones to Remediate All of the
     Shortcomings

DER requires that remediation plans outline “specific and detailed steps” to address the MRA
and “ensure that a sustainable solution will be put in place.” In its remediation plan, the
Enterprise reported that it had identified a specific number of shortcomings for which
remediation was required by the MRA, but did not provide any information about any of
these shortcomings. The Enterprise proposed to develop and implement a sustainable plan to

22




                              OIG  EVL-2016-004  March 29, 2016                                 17
address all of the specific number of unidentified shortcomings by December 15, 2013, and
proposed to complete implementation of its plan for 59% of the unidentified shortcomings
within year one. Nowhere in the Enterprise’s remediation plan did it identify the
shortcomings or propose a timeline to remediate the remaining 41% of the unidentified
shortcomings.

FHFA’s Advisory Bulletin 2012-01 directs that a remediation plan to correct MRA
deficiencies contain specific milestones reflecting the seriousness of the MRA, taking into
consideration the complexity of the issue and the urgency of correction. The 2013 MRA
involved shortcomings in                                 controls                        , an
area that FHFA reported to Congress, in its recent Performance and Accountability Report for
FY 2015,                        23
                                    As discussed above, the Enterprise’s remediation plan
contained no milestones to remediate 41% of the unidentified shortcomings, and no end date
by which these unidentified shortcomings would be corrected.

Notwithstanding these flaws in the Enterprise’s remediation plan, DER approved the plan. At
no time subsequently did DER require the Enterprise to amend its plan to identify the specific
shortcomings that were going to be remediated or to provide a timeline for remediation of the
outstanding 41% of the shortcomings.

     DER Examiners Failed to Prepare a Required Procedures Document at the Outset of
     Monitoring

DER officials informed us that examiner oversight of an Enterprise’s efforts to correct MRA
deficiencies is critical to the Agency’s mission of ensuring the safety and soundness of the
Enterprises. At the time DER issued the MRA in July 2013, Supervisory Guide 2.0 was in
effect. As we discussed previously, Supervisory Guide 2.0 directed DER examiners to
prepare a Procedures Document identifying the intended examination steps to monitor
an Enterprise’s remediation of an MRA; to provide quarterly updates reporting on the
supervisory activity during that period; and to finalize the Procedures Document when
remediation was complete to “provide an auditable trail of supervisory work.” We showed
that OQA’s July 2013 report was critical of DER’s failure in many instances to prepare
Procedures Documents, and of the lack of documentation to show efforts made by DER
examiners to monitor and assess MRA remediation. DER’s ongoing monitoring of the
Enterprise’s remediation of the July 2013 MRA began after its receipt of the OQA report.
We found no Procedures Document prepared in 2013, which DER officials confirmed.




23
 See FHFA, Fiscal Year 2015 Performance and Accountability Report (Nov. 16, 2015) (online at
www.fhfa.gov/AboutUs/Reports/ReportDocuments/FHFA-2015-PAR.pdf) (accessed Feb. 10, 2016).



                                OIG  EVL-2016-004  March 29, 2016                              18
DER’s examiner-in-charge for the Enterprise when the July 2013 MRA was issued reported
to us that he was “not sure” that a Procedures Document was required for monitoring
remediation of the MRA and that he was not concerned by the lack of a Procedures
Document. While he acknowledged to us that DER monitors MRA remediation through
ongoing monitoring, he was dismissive of the need to document that monitoring.

FHFA’s Examination Manual, issued in December 2013, directs that examiners are to follow
an Enterprise’s MRA remediation efforts through ongoing monitoring, and OPB 2014-01
requires examiners to prepare a Procedures Document to record the steps that they intend to
take for ongoing monitoring activities, which include monitoring an Enterprise’s remediation
of an MRA. DER officials asserted to us that they did not read the requirements in examiner
guidance to require a separate Procedures Document specific to each MRA and that an
examiner’s review of remediation could be included in ongoing monitoring covering the risk
area that encompasses the MRA. DER officials also acknowledged to us that no Procedures
Document was prepared from December 2013 through December 2014, but reported that
“in 2015, examination activity related to tracking [the Enterprise’s] remediation” of the
MRA was included in a Procedures Document. In short, DER did not follow its established
requirements for a Procedures Document for the MRA in 2013 and 2014, even though it had
previously agreed with the “spirit and intent” of the 2013 OQA report.

The examiner-in-charge when the MRA was issued asserted to us that his team of examiners
prepared analysis memoranda to document their assessments of the Enterprise’s remedial
efforts, which he maintained was permitted by FHFA’s Examination Manual. The
Examination Manual, issued five months after this MRA, permits examiners to document
their ongoing monitoring activities with analysis memoranda. In response to our requests,
DER provided no analysis memoranda detailing DER’s efforts to monitor the Enterprise’s
remediation of the MRA at any point in time.

   FHFA-Mandated Examiner Follow-up on an Enterprise’s Remediation Efforts Requires
   More than Participation in Meetings with Enterprise Employees and Attendance at
   Briefings by Enterprise Employees

DER officials reported to us that DER examiners engaged in ongoing monitoring of the
Enterprise’s remediation efforts through participation in frequent meetings with Enterprise
staff in which updates were provided by the Enterprise on the progress of its remedial efforts,
receipt and review of materials from the Enterprise on its remediation, and detailed tracking
of the progress of remediation of the MRA. Many of these meetings and entries in the
tracking system, these officials explained, related to the Enterprise’s efforts to
                                                            that included the scope of this MRA.




                              OIG  EVL-2016-004  March 29, 2016                                  19
We do not question DER’s representations that its examiners attended frequent meetings with
Enterprise staff and were present during numerous presentations by Enterprise staff relating to
actions planned and taken with respect to its                               . We reviewed all
of the Enterprise materials provided to us by DER and its entries in its tracking system and
found copious information from the Enterprise relating to its presentations. We credit DER’s
statements that examiners learned a great deal of information from the Enterprise during their
meetings and review of the Enterprise materials. But MRA follow-up, as defined by FHFA
and DER, is not limited to listening to an Enterprise explain what actions the Enterprise has
planned or is undertaking to correct MRA deficiencies.

Fundamental to the requirement for DER examiner follow-up of an Enterprise’s efforts to
correct MRA deficiencies contained in DER’s Supervisory Guide 2.0, FHFA’s Advisory
Bulletin 2012-01 and Examination Manual, and DER’s OPB 2013-01, is a regular assessment
of the timeliness and adequacy of the Enterprise’s remedial efforts. While each of these
guidance documents uses different words, all express the same concept – MRA follow-up
requires examiners to measure and assess an Enterprise’s progress in remediating the
deficiencies identified in the MRA:24

        DER’s Supervisory Guide 2.0, issued in 2009: examiners will conduct quarterly
         assessments of the Enterprise’s progress;

        FHFA’s Advisory Bulletin 2012-01, issued in 2012: “timely” action by FHFA
         examiners is needed “to check for resolution consistent with a remediation plan” at
         “an interval determined by the [examiner-in-charge] and guided by the remediation
         plan,” which includes “an assessment of materials provided by the regulated entity,
         discussions with the responsible parties at the regulated entity, and testing, if
         appropriate, to determine progress against a remediation plan”;

        FHFA’s Examination Manual, issued in 2013: DER examiners must engage in
         ongoing monitoring “to determine the status of the Enterprise’s compliance with [ ]
         MRAs”; the “purpose of ongoing monitoring is to analyze real-time information and
         to use those analyses to identify Enterprise practices and changes in an Enterprise’s
         risk profile that may warrant supervisory attention”;

        DER’s OPB 2013-01: examiners will assess the remediation of the MRA through
         ongoing monitoring or related targeted examination work.



24
   Advisory Bulletin 2012-01 states that the timeframe for the Enterprise’s response to FHFA’s MRA “should
reflect the seriousness of the MRA, taking into consideration the complexity of the issue, and the urgency
regarding correction.”



                                  OIG  EVL-2016-004  March 29, 2016                                        20
It is axiomatic that an assessment of the adequacy and timeliness of remedial efforts requires
knowledge of deficiencies or shortcomings to be corrected and the timeline for those remedial
efforts. The Enterprise’s 2013 remediation plan neither disclosed the specific shortcomings
it planned to correct nor proposed a timeline for remediating 41% of these non-disclosed
shortcomings, and we found no supplemental plan provided by the Enterprise that addressed
remediation of the remaining 41%. Whatever actions were taken by DER examiners from
December 2013 through October 2015 in connection with this MRA, these actions cannot
constitute ongoing monitoring because the remediation plan did not specifically identify
the shortcomings that were being remediated or the timetable to remediate 41% of them.
Consequently, they could not, and did not, assess the adequacy of the corrective actions taken
by the Enterprise or the timeliness of remediation for 41% of the unidentified shortcomings.

   DER Documentation of its Ongoing Monitoring Contains No Assessment by DER
   Examiners of the Adequacy or Timeliness of the Enterprise’s Efforts to Remediate
   the MRA

As discussed, the 2013 OQA review found that DER examiners had not documented their
quarterly assessments of Enterprise remediation for any of the 32 MRAs in the OQA sample,
as required by DER’s Supervisory Guide 2.0. While DER subsequently eliminated the
quarterly assessment requirement, both DER and FHFA still require examiners to document
their follow-up of an Enterprise’s efforts to remediate an MRA. We reviewed all materials
represented by DER to constitute its documentation of ongoing monitoring of the Enterprise’s
efforts to correct the shortcomings in response to the July 2013 MRA. These materials were
voluminous and consisted of numerous chart decks and PowerPoint presentations from the
Enterprise on its initiative to                                 controls, entries in DER’s MRA
tracking system for this MRA, and several sets of meeting notes from examiners taken during
meetings with Enterprise employees. By way of example, the only notes that include any
reference to MRA remediation are two sets reporting that the Enterprise provided short
reports on its corrective actions, without any description of those efforts. None of the
materials provided by DER to us contained observations, assessments, or conclusions by
DER examiners on the adequacy or timeliness of the Enterprise’s remediation efforts.

Based on our review, we observed that DER’s ongoing monitoring was confined to receiving
reports and information from the Enterprise. Several DER examiners we interviewed
validated that observation: in their experience, DER relied on representations about the
progress of ongoing remediation activities made by the Enterprise management and on
materials supplied by the Enterprise for its monitoring effort. DER’s reliance on the
Enterprise is contrary to FHFA requirements and DER guidance directing examiners to
analyze, in real-time, information received from the entity engaged in MRA remediation,
and testing, as appropriate, to validate the sufficiency of the remediation.



                              OIG  EVL-2016-004  March 29, 2016                                21
   The Enterprise’s Failure to Meet its Internal Deadlines for Validation Testing
   Prompted No Response or Inquiry from DER

In its December 2013 update on the status of its remedial efforts, the Enterprise reported
that it had corrected almost 60% of the unidentified shortcomings in response to the MRA.
Separately, and at a later date, the Enterprise represented that its Internal Audit division would
complete validation testing of that remediation by December 15, 2014, a step described in
OPB 2013-01. DER officials acknowledged in October 2015 that testing was not completed
in 2014, and had not been completed as of the conclusion of the fieldwork for this report.
They represented to us that DER agreed to postpone this milestone because remediation of the
MRA was a subset of a broader issue for review by Internal Audit, and that DER determined
there was a reasonable basis for the postponement. We found no contemporaneous
documentation that DER examiners made any inquiries to understand the reasons that Internal
Audit delayed validation testing, and DER examiners confirmed to us that DER made no such
inquiries.

   FHFA’s Representations to the Public Respecting the Timeliness of MRA Remediation
   Is Questionable

As we have shown, DER set no specific milestones for completion of specific remedial
activities for this MRA. Its approval of the Enterprise’s remediation plan amounted to its
agreement to a December 2014 milestone for remediation of 59% of the shortcomings, a
milestone that, according to the Enterprise, it met. However, the Enterprise never proposed
a completion date for remediation of the remaining 41% of the shortcomings to address the
MRA, and FHFA never imposed one. The MRA remains open more than 30 months after it
issued, notwithstanding FHFA’s mandate that all MRAs be promptly remediated.

In its 2014 Report to Congress, FHFA stated that it assessed the remediation of MRAs
previously issued to both the Enterprises and the FHLBanks through examination activities.
In its most recent Performance and Accountability Report, FHFA identified 24 measures
to help evaluate and assess its progress toward meeting the three goals announced in its
Strategic Plan for Fiscal Years 2015-2019. Under Strategic Goal 1, “Ensure Safe and Sound
Regulated Entities,” FHFA established Performance Goal 1.3: “Require timely remediation of
risk management weaknesses.” Included in this Performance Goal is Strategic Goal 1.3.1:
“Regulated entities complete remedial action for Matters Requiring Attention within agreed
upon timeframes.” FHFA reported in the Performance and Accountability Report that this
Performance Goal was “MET” and that the Enterprise “reported a 100% compliance rate”
with the goal. We cannot determine the basis for these representations, given that no
timeframe for remediation of 41% of the shortcomings to address the July 2013 MRA was
established or agreed to by DER.



                               OIG  EVL-2016-004  March 29, 2016                                   22
FINDINGS .................................................................................

1. FHFA guidance with respect to the content of MRAs falls short of the guidance of
   other federal financial regulators.

As part of their safety and soundness missions, federal financial regulators such as FHFA, the
OCC, and the Federal Reserve are responsible for examining the financial institutions they
regulate and reporting any deficiencies they find to the institutions’ boards of directors and
management. According to FHFA, its statutory supervision authority over Fannie Mae,
Freddie Mac, and the FHLBanks “is virtually identical to – and clearly modeled on – Federal
bank regulators’ supervision of banks.” Like the OCC and Federal Reserve, FHFA issues
MRAs to communicate serious deficiencies requiring prompt remediation by the regulated
institution.

We compared FHFA’s guidance for MRA content and remediation to the guidance of the
OCC and Federal Reserve. We found that FHFA’s standards for MRA content are less
rigorous than those of the other regulators. Both the OCC and the Federal Reserve require
their examiners to communicate, in writing, detailed supervisory findings that resulted in
the MRA. The OCC goes as far as prescribing the specific elements that the examiners must
apply in documenting an MRA, using its “Five C’s” format. In contrast, there is no FHFA
requirement that the examination team provide details about the practices that resulted in the
MRA, or the potential consequences if the MRA is not remediated. FHFA’s guidance for the
content of an MRA does not require the examination team to describe the actions that the
Enterprises must take to remediate the identified deficiency, or that examiners provide a time
frame in which the corrective actions must be completed. Similarly, FHFA does not require
that the regulated institution provide, as part of its remediation plan, a completion date for
remediation of deficiencies identified in the MRA.

2. Although FHFA’s requirements and guidance for monitoring MRA remediation are
   similar to that of other financial regulators, DER examiners have not adhered to
   the requirements and guidance in their oversight of remediation of a
                     MRA.

FHFA’s guidance with respect to follow-up and oversight of MRA remediation is similar to
that of the OCC and Federal Reserve. All three regulators require specific and timely follow-
up activities, documentation of corrective actions taken by the regulated institution, and
documented assessments of these corrective actions. FHFA guidance instructs that examiners
will track and assess MRA remediation through ongoing monitoring or related targeted
examination work, and that examiners are to use specific documents to assess corrective
actions by the Enterprises.


                              OIG  EVL-2016-004  March 29, 2016                                23
In July 2013, DER issued an MRA to an Enterprise finding certain deficiencies and risks
related to its                                               . We evaluated DER’s
oversight of the Enterprise’s remediation of the MRA against FHFA and DER requirements.
We found that DER’s oversight did not meet the Agency’s own standards for oversight of
MRA remediation.

DER accepted a proposed remediation plan from the Enterprise that was incomplete. The
proposed plan failed to identify the specific deficiencies covered by the MRA for which
remediation was required and failed to provide any milestones, or ultimate completion date,
for remediating 41% of the non-disclosed shortcomings. DER examiners did not prepare
a Procedures Document, as required by governing DER guidance for ongoing monitoring of
MRA remediation. Although DER examiners dutifully summarized the Enterprise’s remedial
actions to correct the MRA deficiencies, we found no evidence of any active, regular
assessments by DER of the effectiveness or timeliness of these corrective actions. We found
no evidence that DER inquired about the reasons that the Enterprise’s Internal Audit division
delayed validation testing of remediation efforts.

As of the completion of our field work, the MRA remains open and unresolved more than 30
months after it was issued. We found no evidence that DER has performed any assessment of
the adequacy and timeliness of the Enterprise’s efforts to remediate the deficiencies that gave
rise to the MRA.


CONCLUSION ............................................................................

Similar to other federal financial regulators, FHFA issues MRAs only for the most significant
supervisory concerns. However, certain FHFA requirements and supplemental guidance on
MRA content and the Enterprises’ proposed remediation plans fall short of the requirements
and specific guidance of other financial regulators.

FHFA requirements and guidance related to follow-up of MRA remediation are similar to
that of other financial regulators; however, DER examiners have not always adhered to these
requirements and guidance. In July 2013, DER issued an MRA to an Enterprise finding
deficiencies and risks related to its             . Our evaluation of DER’s supervision
of the Enterprise’s efforts to remediate the MRA found that DER did not meet FHFA
requirements and guidance. Apart from the examiner-in-charge’s representations to us that
DER examiners engaged in ongoing monitoring of the Enterprise’s remediation efforts, we
found no documentation that DER assessed the adequacy and timeliness of those efforts.
As of the completion of our field work, FHFA had yet to assess and verify whether the
deficiencies, which relate to an area that FHFA deems a “significant risk,” had been corrected.



                              OIG  EVL-2016-004  March 29, 2016                                 24
RECOMMENDATIONS ...............................................................

Consonant with FHFA’s assertion that its supervisory authority over its regulated entities is
virtually identical to other Federal bank regulators’ supervision of banks, we recommend that
FHFA:

   1. Review FHFA’s existing requirements, guidance, and processes regarding MRAs
      against the requirements, guidance, and processes adopted by the OCC, Federal
      Reserve, and other federal financial regulators including, but not limited to, content of
      an MRA; standards for proposed remediation plans; approval authority for proposed
      remediation plans; real time assessments at regular intervals of the effectiveness and
      timeliness of an Enterprise’s MRA remediation efforts; final assessment of the
      effectiveness and timeliness of an Enterprise’s MRA remediation efforts; and required
      documentation for examiner oversight of MRA remediation.

   2. Based on the results of the review in recommendation 1, assess whether any of the
      existing requirements, guidance, and processes adopted by FHFA should be enhanced,
      and make such enhancements.

   3. Because DER and DBR examiners are bound to follow FHFA’s requirements and
      guidance, compare the processes followed by DBR for the form, content, and issuance
      of an MRA, standards for a proposed remediation plan, approval authority for a
      proposed remediation plan, and real time assessments at regular intervals of the
      effectiveness and timeliness of MRA remediation efforts to the processes followed
      by DER.

   4. Based on the results of the review in recommendation 3, assess whether guidance
      issued and processes followed by either DER or DBR should be enhanced, and make
      such enhancements.

   5. Provide mandatory training for all FHFA examiners on FHFA requirements, guidance,
      and processes and DER and DBR guidance for MRA issuance, review and approval of
      proposed remediation plans, and oversight of MRA remediation.

   6. Evaluate the results of quality control reviews conducted by DER and DBR to identify
      and address gaps and weaknesses involving MRA issuance, review and approval of
      proposed remediation plans, and oversight of MRA remediation.




                             OIG  EVL-2016-004  March 29, 2016                                  25
FHFA COMMENTS AND OIG RESPONSE .....................................

OIG provided FHFA an opportunity to respond to a draft report of this evaluation. FHFA
provided several technical comments that we incorporated into the report, as appropriate. On
March 18, 2016, FHFA provided its formal response to our recommendations. In its
response, FHFA disagreed with recommendations 1 and 2 and agreed with recommendations
3, 4, 5, and 6. FHFA’s complete response is attached as Appendix A to this report.

With respect to its disagreement with recommendations 1 and 2, FHFA stated that its existing
requirements and guidance “appropriately enable FHFA to meet [its] statutory obligations.”
FHFA also asserted that it “will continue . . . to be informed as appropriate” by the guidance,
requirements, and processes of other regulatory agencies. FHFA claimed, however, that a
review of the requirements, guidance, and processes adopted by the OCC, Federal Reserve,
and other financial regulators would be “unduly burdensome” and that the costs of such a
review would “far outweigh” the benefits.

FHFA’s position that its existing requirements and guidance are sufficient to meet its statutory
obligations misses the central point of this evaluation that FHFA’s regulatory guidance related
to MRA content and remediation falls short of the guidance of its peer federal financial
regulators. FHFA’s statutory obligation with respect to the institutions it regulates is clear
and straightforward: to ensure the financial safety and soundness of Fannie Mae, Freddie
Mac, and the FHLBanks through, among other things, regular examinations of these
institutions. Other federal financial regulators, such as the OCC and Federal Reserve, have a
similar statutory obligation to examine the institutions they regulate. The statutory
obligations are parallel; the issue is that FHFA’s regulatory guidance in support of its
statutory obligation is less disciplined than that of other regulators charged with the same
statutory obligation.

Further, FHFA, in line with the other financial regulators, elects to use MRAs to describe
serious deficiencies discovered during examinations of the regulated entities. Like other
regulators, FHFA states that an MRA must be promptly remediated in accordance with
an approved remediation plan. As we explained in the report, FHFA’s guidance deviates
from the detailed guidance of other regulators with respect to the content of an MRA,
communication of an MRA to the board of directors of the regulated entity, and the board’s
role in overseeing the remediation of an MRA. FHFA’s response to our recommendation
does not dispute these observations. For these reasons, FHFA’s focus on its statutory
obligation to examine the institutions it regulates, as opposed to its regulatory implementation
governing how it satisfies that obligation, is misplaced.




                              OIG  EVL-2016-004  March 29, 2016                                  26
Moreover, FHFA’s statements that reviewing other agencies’ guidance would be “unduly
burdensome” and that the costs of conducting such a review “would far outweigh the
benefits” are not supported by any facts and are inconsistent with other representations in
FHFA’s response. FHFA includes the accompanying statement that it “will continue, as [it
has] in the past, to be informed, as appropriate by requirements, guidance, and processes” of
other regulators. If FHFA already keeps itself informed as to the requirements, guidance, and
processes of other regulators, it is unclear to OIG what “undue burden” would befall FHFA
by implementing our recommendation to review the guidance of other regulators and identify
opportunities to enhance existing practice.

Regarding FHFA’s claim that the costs of implementing OIG’s recommendations “would far
outweigh the benefits,” FHFA provides no facts to support its position. During our field work
for this evaluation, we identified and reviewed the relevant regulatory guidance materials
from the OCC and Federal Reserve. These materials comprise fewer than ten documents and,
with respect to MRA content and remediation, a small and manageable number of pages.
FHFA did not provide its reasoning behind its statement that the cost of performing a similar
review “would far outweigh” the benefits to the Agency of enhancing its MRA-related
guidance to achieve parity with regulatory best practice.

FHFA is a financial regulator with supervisory and examination responsibilities and
authorities comparable to those of the other financial regulators, and has formally
acknowledged that it modeled its examination program after the examination programs
of these other regulators. Shortly after its creation, FHFA adopted the examination term
“Matters Requiring Attention,” a term that was in common usage among the financial
regulators to describe serious deficiencies at a financial institution. An MRA is the most
serious examination finding FHFA issues. FHFA has also drawn favorable comparisons
between its examination program and those of other financial regulators. Most recently, the
FHFA Director remarked in a public forum that “[l]ike other federal financial regulators,
FHFA conducts safety and soundness supervision with a deliberate distance between FHFA
and the Enterprises. Members of our supervision staff . . . conduct examinations that focus
on areas of highest risk to the Enterprises. They produce reports of examination and make
findings as to whether the Enterprises need to make corrective actions in particular areas.”

OIG believes that recommendations 1 and 2, if implemented, position FHFA to enhance its
practices to keep pace with best practices among federal financial regulators. Given the
potential benefit to FHFA and the lack of an articulated burden, it is unfortunate that FHFA
has declined to adopt these recommendations.




                              OIG  EVL-2016-004  March 29, 2016                               27
OBJECTIVE, SCOPE, AND METHODOLOGY .................................

The objective of this evaluation was to assess FHFA’s oversight of an Enterprise’s
remediation of deficiencies in its                          .

To achieve this objective, we interviewed officials from FHFA’s examination division, DER.
We also reviewed information provided by the Enterprise and FHFA. The information used
in this report covered 2013 through October 2015.

Our work was conducted under the authority of the Inspector General Act and in accordance
with the Council of the Inspectors General on Integrity and Efficiency’s Quality Standards for
Inspection and Evaluation (January 2012). These standards require us to plan and perform an
evaluation based upon evidence sufficient to provide reasonable bases to support its findings
and recommendations. We believe that the findings and recommendations discussed in this
report meet these standards.

Field work for this evaluation was performed from February to October 2015.




                             OIG  EVL-2016-004  March 29, 2016                                 28
APPENDIX A .............................................................................

FHFA’s Comments on OIG’s Recommendations




                           OIG  EVL-2016-004  March 29, 2016                       29
OIG  EVL-2016-004  March 29, 2016   30
OIG  EVL-2016-004  March 29, 2016   31
ADDITIONAL INFORMATION AND COPIES .................................


For additional copies of this report:

      Call: 202-730-0880

      Fax: 202-318-0239

      Visit: www.fhfaoig.gov



To report potential fraud, waste, abuse, mismanagement, or any other kind of criminal or
noncriminal misconduct relative to FHFA’s programs or operations:

      Call: 1-800-793-7724

      Fax: 202-318-0358

      Visit: www.fhfaoig.gov/ReportFraud

      Write:

                FHFA Office of Inspector General
                Attn: Office of Investigations – Hotline
                400 Seventh Street SW
                Washington, DC 20219




                               OIG  EVL-2016-004  March 29, 2016                         32