REDACTED Federal Housing Finance Agency Office of Inspector General FHFA’s Examiners Did Not Meet Requirements and Guidance for Oversight of an Enterprise’s Remediation of Serious Deficiencies Evaluation Report EVL-2016-004 March 29, 2016 Executive Summary As the regulator of Fannie Mae and Freddie Mac (collectively, the Enterprises) and of the Federal Home Loan Banks (FHLBanks), the Federal Housing Finance Agency (FHFA) is tasked by statute to ensure that these entities operate safely and soundly so that they serve as a reliable source of liquidity EVL-2016-004 and funding for housing finance and community investment. On-site examinations of the regulated entities are fundamental to FHFA’s supervisory March 29, 2016 mission. FHFA has directed its Division of Enterprise Regulation (DER) to conduct supervisory activities of the Enterprises and its Division of Federal Home Loan Bank Regulation (DBR) to conduct these activities for the FHLBanks. When DER or DBR identifies a deficiency, it will classify the deficiency as a Matter Requiring Attention (MRA), a violation, or a recommendation. According to FHFA, MRAs are reserved for “the most serious supervisory matters” and will be issued for matters “that result or may result in significant risk of financial loss or damage,” “repeat deficiencies that have escalated due to insufficient action or attention,” “unsafe or unsound practices,” “matters that have resulted, or are likely to result, in a regulated entity being in an unsafe or unsound condition,” and “breakdowns in risk management, significant control weaknesses, or inappropriate risk-taking.” Because an MRA identifies a “serious deficiency,” FHFA requires “prompt remediation” by the institution to which the MRA was issued. In our 2015 Annual Audit and Evaluation Plan, FHFA Office of Inspector General (OIG) explained that we intended to focus our resources on programs and operations that pose the greatest financial, governance, and reputational risk to FHFA, the Enterprises, and the FHLBanks. One of the four areas we identified was FHFA’s rigor in its examinations of the Enterprises. According to FHFA, a key component of effective supervision is close oversight of an institution’s efforts to correct identified supervisory concerns. This evaluation is the first of a number of OIG reports that will assess the robustness of FHFA’s policies, procedures, and practices governing its oversight of MRA remediation by the entities it supervises. FHFA consistently maintains, based on the language of its authorizing statute, that its supervisory authority over its regulated entities “is virtually identical to—and clearly modeled on—Federal bank regulators’ supervision of banks.” According to FHFA, “Congress virtually duplicated the examination regime applicable to banks when it designed the examination regime” for the Enterprises and the FHLBanks. Because FHFA asserts that it has exactly the same powers as bank regulators, we first compared FHFA’s requirements and supplemental guidance for issuance of an MRA and supervision of an entity’s remediation to address the deficiencies identified in the MRA against the requirements and specific guidance of two mature federal financial regulators. We found that, in certain instances, FHFA’s standards fell short. We then reviewed whether DER examiners followed existing FHFA requirements and guidance in their oversight of an MRA related to issued to an Enterprise in July 2013, and found that they did not. The MRA remains open EVL-2016-004 and unresolved more than 30 months later. The shortcomings that we identified include: DER accepted the Enterprise’s proposed remediation plan, March 29, 2016 even though the plan failed to address all of the deficiencies identified in the MRA; DER did not press the Enterprise to revise its plan to address the excluded items; and DER never prepared an internal procedures plan, as required by FHFA, to identify the steps it planned to take to monitor MRA remediation, and to document, at specific intervals, its assessment of the effectiveness of the completed remediation steps. We also found no evidence that DER assessed the adequacy and timeliness of the Enterprise’s efforts to remediate the MRA, beyond attending meetings with Enterprise personnel and receiving written presentations; and, as of this writing, we found no evidence that DER performed any assessment to determine whether the deficiencies, which relate to an area that FHFA deems a “significant risk,” had been corrected. We make six recommendations to FHFA to remedy the shortcomings we found. FHFA disagreed with two of our recommendations and agreed with the remaining four recommendations. This report contains redactions to protect from disclosure information that could be abused to circumvent the Enterprise’s internal controls. This report was prepared by Jacob Kennedy, Senior Investigative Evaluator. We appreciate the cooperation of FHFA staff, as well as the assistance of all those who contributed to the preparation of this report. This report has been distributed to Congress, the Office of Management and Budget, and others and will be posted on our website, www.fhfaoig.gov. Angela Choy Assistant Inspector General for Evaluations TABLE OF CONTENTS ................................................................ EXECUTIVE SUMMARY .............................................................................................................2 TABLE OF CONTENTS .................................................................................................................4 ABBREVIATIONS .........................................................................................................................6 BACKGROUND .............................................................................................................................7 MRAs: Their Role and Purpose ...............................................................................................7 FACTS .............................................................................................................................................8 MRAs: Comparison of Oversight Requirements and Guidance..............................................9 A 2013 Internal FHFA Review Identified Weaknesses in DER’s Efforts to Monitor MRA Remediation by the Enterprises ....................................................................................14 DER’s Response to the Findings of the 2013 Internal FHFA Review ...................................15 Notwithstanding DER’s Concurrence with the “Spirit and Intent” of OQA’s Recommendations, Review of its MRA Monitoring Efforts Found No Improvement and a Continued Lack of Compliance with Existing FHFA Requirements and Guidance .................................................................................................................................17 DER Approved a Remediation Plan Which Did Not Identify the Specific Deficiencies to Be Corrected and Which Lacked Any Plan or Milestones to Remediate All of the Shortcomings ........................................................................17 DER Examiners Failed to Prepare a Required Procedures Document at the Outset of Monitoring ...............................................................................................18 FHFA-Mandated Examiner Follow-up on an Enterprise’s Remediation Efforts Requires More than Participation in Meetings with Enterprise Employees and Attendance at Briefings by Enterprise Employees ...........................................19 DER Documentation of its Ongoing Monitoring Contains No Assessment by DER Examiners of the Adequacy or Timeliness of the Enterprise’s Efforts to Remediate the MRA ............................................................................................21 The Enterprise’s Failure to Meet its Internal Deadlines for Validation Testing Prompted No Response or Inquiry from DER ........................................................22 FHFA’s Representations to the Public Respecting the Timeliness of MRA Remediation Is Questionable...................................................................................22 OIG EVL-2016-004 March 29, 2016 4 FINDINGS .....................................................................................................................................23 1. FHFA guidance with respect to the content of MRAs falls short of the guidance of other federal financial regulators. .......................................................................................23 2. Although FHFA’s requirements and guidance for monitoring MRA remediation are similar to that of other financial regulators, DER examiners have not adhered to the requirements and guidance in their oversight of remediation of a MRA. ..........................................................................................................................23 CONCLUSION ..............................................................................................................................24 RECOMMENDATIONS ...............................................................................................................25 FHFA COMMENTS AND OIG RESPONSE ...............................................................................26 OBJECTIVE, SCOPE, AND METHODOLOGY .........................................................................28 APPENDIX A ................................................................................................................................29 FHFA’s Comments on OIG’s Recommendations ..................................................................29 ADDITIONAL INFORMATION AND COPIES .........................................................................32 OIG EVL-2016-004 March 29, 2016 5 ABBREVIATIONS ....................................................................... DBR Division of Federal Home Loan Bank Regulation DER Division of Enterprise Regulation Enterprises Fannie Mae and Freddie Mac Fannie Mae Federal National Mortgage Association FDIC Federal Deposit Insurance Corporation Federal Reserve Board of Governors of the Federal Reserve System FHFA or Agency Federal Housing Finance Agency FHLBanks Federal Home Loan Banks Freddie Mac Federal Home Loan Mortgage Corporation MRA Matter Requiring Attention MRIA Matter Requiring Immediate Attention OCC Office of the Comptroller of the Currency OIG Federal Housing Finance Agency Office of Inspector General OPB Operating Procedures Bulletin OQA Office of Quality Assurance OIG EVL-2016-004 March 29, 2016 6 BACKGROUND .......................................................................... Since 2008, FHFA has operated as both regulator and conservator of the Enterprises and regulator of the FHLBanks to ensure that they operate safely and soundly so that they serve as a reliable source of liquidity and funding for housing finance and community investment. FHFA, like other federal financial regulators, has adopted a risk-based approach for supervision. Supervision activities for the Enterprises are conducted by DER while supervision of the FHLBanks is the responsibility of DBR. DER continually conducts ongoing monitoring and targeted examinations into strategically selected areas of high importance or risk at each Enterprise pursuant to a supervisory plan that is prepared annually and revised at mid-year. With respect to the FHLBanks, DBR’s supervisory activities include annual examinations, periodic visits, special reviews, and off-site monitoring. DER and DBR also have regular communications with senior management and communications on a limited basis with directors of each regulated entity throughout the supervisory cycle. Both DER and DBR issue an annual Report of Examination to each Enterprise and FHLBank, respectively. MRAs: Their Role and Purpose Throughout its supervisory activities, FHFA examiners may identify supervisory concerns or deficiencies FHFA issues MRAs only for the occurring at a regulated entity. FHFA categorizes most significant deficiencies that such examination findings into one of three categories: require prompt remediation by (1) recommendations, (2) violations, or (3) Matters the regulated entity and timely Requiring Attention (MRAs). According to FHFA, follow-up by FHFA to check only “the most serious supervisory matters” are resolution consistent with a remediation plan. categorized as MRAs. FHFA will issue an MRA for such matters as “non-compliance with laws or regulations that result or may result in significant risk of financial loss or damage,” “repeat deficiencies that have escalated due to insufficient action or attention,” “unsafe or unsound practices,” “matters that have resulted, or are likely to result, in a regulated entity being in an unsafe or unsound condition,” and “breakdowns in risk management, significant control weaknesses, or inappropriate risk-taking.”1 FHFA’s Examination Manual, issued in December 2013, and its Advisory Bulletin 2012-01,2 issued in April 2012, provide FHFA’s current requirements and guidance on MRA 1 See FHFA, Advisory Bulletin 2012-01, Categories for Examination Findings (Apr. 2, 2012) (online at www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/AB-2012-01-CATEGORIES-FOR- EXAMINATION-FINDINGS.aspx (accessed Feb. 8, 2016). 2 An FHFA Advisory Bulletin is directed to FHFA employees and the entities regulated by FHFA. Id. at 4. OIG EVL-2016-004 March 29, 2016 7 remediation and supervisory follow-up. These materials are supplemented by guidance issued by DER and DBR. Prior to December 2013, DER and DBR established MRA guidance for their examiners. DER set forth its guidance to examiners in its Supervisory Guide 2.0 and Operating Procedures Bulletin (OPB) 2013-DER-OPB-01, Matters Requiring Attention (MRA) Process (OPB 2013-01). FACTS ....................................................................................... FHFA consistently maintains, based on the language of its authorizing statute,3 that its supervisory authority over its regulated entities “is virtually identical to – and clearly modeled on – Federal bank regulators’ supervision of banks.” According to FHFA, “Congress virtually duplicated the examination regime applicable to banks when it designed the examination regime” for the Enterprises and FHLBanks. FHFA must conduct annual examinations of the financial condition of the Enterprises and FHLBanks; the FHFA Director has substantially the same authority as the bank regulators; and examiners have the same authority as examiners employed by the Federal Reserve Banks.4 Like the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Federal Reserve), and the Federal Deposit Insurance Corporation (FDIC), FHFA conducts safety and soundness examinations of its regulated entities, reports on examination findings in annual reports of examination, and, when necessary, issues findings identifying deficiencies.5 FHFA’s governing statute grants the Director authority to use examiners from the OCC, the Federal Reserve, or the FDIC to conduct examinations, and requires the Director to set compensation levels for FHFA staff that are comparable with other federal financial regulators.6 A federal court has acknowledged that Congress granted FHFA the same powers 3 Federal Housing Enterprises Financial Safety and Soundness Act of 1992, 12 U.S.C. § 4501 et seq. and § 4513, as amended by Sections 1101 and 1102 of the Housing and Economic Recovery Act of 2008, and § 4517(e). 4 See 12 U.S.C. § 4517(a), (c), (e). 5 The Federal Reserve Board of Governors establishes examination standards, and the Reserve Banks are responsible for supervising bank holding companies, Federal Reserve System member banks, foreign branches of member banks, and other related entities to ensure safe and sound banking practices and compliance with applicable laws and regulations. For purposes of this report, any reference to the “Federal Reserve” includes the Reserve Banks. See, e.g., Federal Reserve Bank of New York, Supervision (online at www.newyorkfed.org/aboutthefed/org_banksup.html). The OCC is responsible for ensuring that national banks and federal savings associations operate in a safe and sound manner, provide fair access to financial services, treat customers fairly, and comply with applicable laws and regulations. See 12 U.S.C. § 1 et seq., 12 U.S.C. § 1461 et seq. See also OCC, What We Do (online at www.occ.gov/about/what-we- do/mission/index-about.html). 6 See 12 U.S.C. §§ 4515(b), 4517(c). OIG EVL-2016-004 March 29, 2016 8 as bank regulators and observed that Congress intended FHFA’s regulatory framework to mirror the banking regulatory framework.7 For these reasons, we compared FHFA’s definition of an MRA and its requirements and guidance for supervisory oversight of MRA remediation to the standards and guidance of the OCC and Federal Reserve.8 Like FHFA, the OCC defines MRAs to be practices that [d]eviate from sound governance, internal control, and risk management principles, and have the potential to adversely affect the bank’s condition, including its financial performance or risk profile, if not addressed; or [r]esult in substantive noncompliance with laws and regulations, enforcement actions, supervisory guidance, or conditions imposed in writing in connection with the approval of any application or other request by the bank.9 The Federal Reserve classifies deficiencies identified in supervisory findings into two categories, Matters Requiring Immediate Attention (MRIAs) and MRAs. Supervisory matters of significant importance and urgency are labeled MRIAs. The Federal Reserve issues MRIAs for “matters that have the potential to pose significant risk to the safety and soundness of the banking organization,” “matters that represent significant noncompliance with applicable laws or regulations,” and “repeat criticisms that have escalated in importance due to insufficient attention or inaction by the banking organization” and it requires immediate remediation of MRIAs.10 The Federal Reserve issues MRAs for bank practices that deviate from sound risk management principles, but remediation is not required immediately. Matters that give rise to an MRIA by the Federal Reserve are substantially similar to the matters that lead to issuance of an MRA by the OCC and FHFA. MRAs: Comparison of Oversight Requirements and Guidance Format and Content of Communication. Both the OCC and the Federal Reserve require their examiners to communicate, in writing, the supervisory findings that result in issuing an 7 See Fed. Hous. Fin. Agency v. JPMorgan Chase & Co., 978 F. Supp. 2d 267 (S.D.N.Y. 2013). 8 As recently as January 2016, FHFA selectively incorporated the regulatory standards issued by the OCC, Federal Reserve, and the FDIC into its own regulatory guidance for the FHLBanks. See FHFA, Advisory Bulletin 2016-01, Classification of Investment Securities at FHLBanks (Jan. 21, 2016) (online at www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Classification-of-Investment-Securities-at- FHLBanks.aspx. 9 See OCC, Comptroller’s Handbook—Bank Supervision Process (Sept. 2007, updated Dec. 2015) (online at www.occ.gov/publications/publications-by-type/comptrollers-handbook/pub-ch-ep-bsp.pdf) (accessed Feb. 8, 2016). 10 See Federal Reserve System, Commercial Bank Examination Manual (Mar. 1994, updated Oct. 2015) (online at www.federalreserve.gov/boarddocs/supmanual/cbem/cbem.pdf) (accessed Feb. 8, 2016). OIG EVL-2016-004 March 29, 2016 9 MRA or an MRIA. The OCC, in its Comptroller’s Handbook, directs its examiners to communicate, in writing, MRA deficiencies to the board “when discovered.” The OCC also directs that examiners “shall describe the practices that resulted in the concerns, as well as the board’s or management’s commitment to corrective action” in writing. Moreover, the OCC prescribes the specific elements that examiners must use in documenting an MRA. Examiners are required to use what the OCC calls the “Five Cs” format for an MRA.11 Concern: the MRA must describe the supervisory concern(s) and how the bank’s deficient practice deviates from sound governance, internal control, or risk management principles, or results in substantive noncompliance with laws and regulations, enforcement actions, supervisory guidance, or conditions imposed in writing. Cause: the MRA must identify the root cause(s) of the concern, where evident. Consequence: the MRA must explain how continuation of the practice could affect the bank’s condition, including its financial performance or risk profile. Corrective Action: the MRA must include what the board and management must do to address the concern and eliminate the cause. Timely remediation of MRAs is not optional but required. Commitment: the MRA must document management’s commitment(s) to corrective action and include the time frame(s) and the person(s) responsible for corrective action. Management’s commitment must include processes for the board to monitor and verify the effective implementation of the corrective action. If management is unable to provide a corrective action plan during the examination, the bank must submit to the OCC a board- approved remedial plan within 30 days of receipt of the formal written MRA. Similarly, the Federal Reserve, in its Commercial Bank Examination Manual, states that an MRA or MRIA resulting from supervisory activity “must [be] formally communicate[d]” in a written report to the affected bank. For an MRA, the Federal Reserve directs that examiners use standardized language in the written reports. Each written report must inform an entity’s “board of directors (or executive-level committee of the board)” that the bank “is required to” remediate the identified MRA within a timeframe specified in that report. The Federal Reserve recognizes that the initial timeframe “may require estimation because the banking organization may first need to complete preliminary planning to establish the timeframe for 11 See OCC, Bulletin 2014-52 – Matters Requiring Attention, Updated Guidance (Oct. 30, 2014) (online at www.occ.treas.gov/news-issuances/bulletins/2014/bulletin-2014-52.html) (accessed Feb. 10, 2016). OIG EVL-2016-004 March 29, 2016 10 initiating and completing the corrective action.” Following review of the Federal Reserve report, “the banking organization’s board of directors is required to provide a written response to the [Federal Reserve] regarding its plan, progress, and resolution of the MRA.” For an MRIA, Federal Reserve examiners are instructed to communicate to the board of directors (or an executive-level committee of the board) that remediation is required “immediately” and to define the timeframe to address the MRIA. Following review of the written report of the MRIA, “the banking organization’s board of directors is required to respond to the [Federal Reserve] in writing regarding corrective action taken or planned, along with a commitment to corresponding timeframes.” In contrast, FHFA does not require that an MRA be communicated to the board of directors of a regulated entity and leaves it to the examiner-in-charge whether to provide the MRA to the board or to management. FHFA imposes limited requirements on the content of an MRA, requiring only that the communication of an MRA be in the form of a “conclusion letter” or “supervisory letter.” The letter must describe the “examination findings with sufficient detail to enable management or the board of directors to prepare a remediation plan and correct the problem.”12 Unlike the OCC, FHFA does not require the examination team to describe the actions that a regulated entity must take to remediate the deficiency that gave rise to the MRA, beyond stating that it must be addressed. Whether the Enterprises are provided with any details about the practices that resulted in the MRA, or the potential consequences if the MRA is not remediated, is left to the discretion of the DER examination team. According to FHFA, MRAs “require prompt remediation.” Unlike the OCC and Federal Reserve, FHFA does not require that a board of directors review and approve a remediation plan before it is submitted. FHFA instructs in Advisory Bulletin 2012-01 that “specific milestones within remediation plans should reflect the seriousness of the MRA, taking into consideration the complexity of the issue, and the urgency regarding correction.” DER’s supplemental guidance provides that the proposed remediation plan must “outline specific and detailed steps that will be taken to address the MRA and ensure that a sustainable solution will be put in place.”13 Unlike the OCC and Federal Reserve, however, FHFA does not require a timeframe to be established within which all remedial actions to correct MRA deficiencies must occur. Follow-up. In its Comptroller’s Handbook, the OCC requires examiners to “include plans to follow up on MRAs.” The OCC also requires its examiners to engage in a number of follow- 12 See FHFA, Examination Manual (Dec. 19, 2013) (online at www.fhfa.gov/SupervisionRegulation/Documents/ExaminationProgramOverview.pdf) (accessed Feb 10, 2016). 13 See FHFA, DER Operating Procedures Bulletin 2013-01 – Matters Requiring Attention (MRA) Process (Apr. 23, 2013). OIG EVL-2016-004 March 29, 2016 11 up activities at least once each quarter until the MRA is closed. These activities include, but are not limited to, the following: Monitoring board and management progress in implementing corrective actions; Verifying and validating the effectiveness of corrective actions; and Performing timely verification after receipt of documentation or communication from the bank that the documentation is ready for review. Similarly, the Federal Reserve requires examiners to follow up on MRAs and MRIAs [t]o assess progress and verify satisfactory completion … [corresponding] with the timeframe specified for the action being required, and should be appropriate for the severity of the matter requiring the corrective action. The means of follow-up may vary depending upon the nature and severity of the matter requiring the action. Follow-up may take the form of a subsequent examination, a targeted review, or any other supervisory activity deemed suitable for evaluating the issue at hand.14 In Advisory Bulletin 2012-01, FHFA instructs that MRAs “require prompt remediation,” and that “timely” action by FHFA examiners is needed “to check for resolution consistent with a remediation plan.” FHFA’s Examination Manual directs that DER examiners must engage in ongoing monitoring “to determine the status of the Enterprise’s compliance with [ ] MRAs.” This requirement is echoed in OPB 2013-01, which instructs that examiners will assess the remediation of an MRA through ongoing monitoring or related targeted examination work. Finally, FHFA states in Advisory Bulletin 2012-01 that the ongoing monitoring, or remediation follow-up, “should include an assessment of materials provided by the regulated entity, discussions with the responsible parties at the regulated entity, and testing, if appropriate, to determine progress against a remediation plan.” For all ongoing monitoring (defined in the Examination Manual to include MRA follow-up) and targeted examinations, DER’s Operating Procedures Bulletin 2014-DER-OPB-01 (OPB 2014-01), which supplements FHFA’s requirements and guidance, requires DER examiners to prepare a Procedures Document, or plan of the steps they intend to take in their examination work.15 A Procedures Document for ongoing monitoring of an Enterprise’s efforts to 14 Federal Reserve System, Commercial Bank Examination Manual, § 6000.1, at 3 (Oct. 2013). 15 Supervisory Guide 2.0, which governed DER examinations prior to the December 2013 Examination Manual, required examiners to draft a Procedures Document “at the beginning of the [supervisory] activity and when the activity is complete updates them to ensure they provide an auditable trail of supervisory work.” See FHFA, DER Supervisory Guide 2.0 (Sept. 8, 2009). OIG EVL-2016-004 March 29, 2016 12 remediate an MRA must include examination steps to monitor its progress in implementation of corrective actions; to assess materials provided by the Enterprises; to discuss the progress of remedial activities with the responsible parties at the Enterprise; and to test, if appropriate, to determine progress against a remediation plan. However, the intervals at which FHFA examiners must “check and document progress” are “determined by the [examiner-in-charge] and guided by the remediation plan,” rather than by FHFA requirements and guidance. Documentation. Because the OCC places great value on oversight of MRA remediation, the OCC instructs examiners that they must document, on a quarterly basis, the efforts of the bank’s board and management to correct the MRA, validate that the corrective actions are sustainable, and document the OCC’s supervisory activities to ensure remediation of the MRA, until the MRA is closed. The Federal Reserve directs examiners engaged in supervisory follow-up of MRIA and MRA remediation to clearly and fully document the rationale for their decision to close any issue, and to communicate in writing the results of their work and their findings to the regulated entity. Similarly, FHFA directs in the Examination Manual that DER [e]xaminers performing ongoing monitoring must document their activities, findings, and conclusions using the appropriate form of documentation (for example, procedures documents, meeting notes, reports notes and summary analysis memoranda). The guiding principle is that the results of these activities must be reflected in a workproduct—or workproducts—in a manner that provides the [examiner-in-charge] with the basis to take action of some kind. Beyond this high-level guidance, neither FHFA’s Examination Manual nor DER’s OPBs provide additional detail on the content of the documentation. Supervisory Action. The OCC’s Enforcement Action Policy permits the use of MRAs or a combination of MRAs and other informal actions to address deficient practices in certain banks, subject to some conditions.16 The OCC policy also states a presumption in favor of a formal enforcement action, rather than an MRA, when management’s corrective actions are less than satisfactory and when there is uncertainty as to whether management and the bank have the ability or willingness to take appropriate corrective measures to address deficient practices. The Federal Reserve recognizes that initiation of additional formal or informal investigation or enforcement action may be necessary when supervisory follow-up indicates the organization’s corrective action has not been satisfactory. 16 See OCC, Policies & Procedures Manual—Enforcement Action Policy (Sept. 9, 2011) (online at www.occ.gov/static/publications/ppm-5310-3.pdf) (accessed Feb. 8, 2016). OIG EVL-2016-004 March 29, 2016 13 FHFA directs that other supervisory actions, including an enforcement action, should be considered if progress toward remediation is not being made or if milestones are missed. We are not aware of any enforcement actions brought by DER against either Enterprise for lack of remedial progress or missed remediation milestones, and a 2013 FHFA Advisory Bulletin suggests that FHFA intentionally has not brought any such actions.17 A 2013 Internal FHFA Review Identified Weaknesses in DER’s Efforts to Monitor MRA Remediation by the Enterprises As a federal agency, FHFA is required to implement internal controls to meet its mission, goals, and objectives and to minimize risks associated with its programs and operations. One such control is the FHFA Office of Quality Assurance (OQA). OQA is charged with reviewing the work of FHFA divisions responsible for supervision.18 In July 2013, OQA issued a quality assurance report that reviewed DER’s oversight of Enterprise remediation of MRAs. Although OQA concluded that DER’s oversight of Enterprise remediation of MRA was “generally adequate,” it identified a number of shortcomings, including:19 Lack of preparation of required documentation. OQA found that, contrary to the requirements in Supervisory Guide 2.0 that DER examiners prepare written quarterly updates to reflect current MRA status, DER prepared no quarterly updates for any of the 32 MRAs in the OQA sample. Lack of adequate storage, retrieval, and tracking of MRA information. Of the 32 MRAs in the OQA sample, DER was unable to provide supporting documentation for 17 FHFA Advisory Bulletin 2013-03, FHFA Enforcement Policy, provides: Conservatorship does not preclude other enforcement actions; however, the conservator’s broad statutory powers may provide FHFA with more efficient means to address problems than traditional enforcement tools. When a regulated entity is placed into conservatorship or receivership, FHFA succeeds to the rights of the stockholders, officers, and directors, as well as title to the regulated entity’s books, records, and assets. FHFA as conservator may take immediate action, consistent with applicable law, to direct or restrict the activities at the regulated entity, including the activities of the board of directors and executive management. In addition, the conservator or receiver is not subject to most mandatory PCA [Prompt Corrective Action directive] requirements that would apply to an undercapitalized, significantly undercapitalized, or critically undercapitalized regulated entity that was not placed into conservatorship or receivership, because those requirements are superseded by the conservator’s or receiver’s powers and responsibilities, including, in the case of a conservator, to put the regulated entity in a sound and solvent condition, and to carry on its business and preserve and conserve its assets, and in the case of a receiver, to liquidate the regulated entity, which may include transferring assets to a limited life regulated entity. 18 Pursuant to its charter, OQA is primarily responsible for evaluating the quality of work performed by DER, DBR, and the Division of Housing Mission and Goals. 19 See FHFA, Office of Quality Assurance Review Report (July 23, 2013). OIG EVL-2016-004 March 29, 2016 14 eight MRAs, and these eight MRAs remained open between 15 months and five years. As a result, OQA was unable to reach any conclusions about the adequacy of DER’s follow-up processes for 25% of its sample. For the remaining 24 MRAs in the sample, monitoring documents for at least 16 were not stored pursuant to FHFA’s record keeping system. While DER subsequently provided “much” of the exam documentation, that documentation was retrieved from numerous sources outside of DER’s centralized records storage for examination documentation. Shortcomings in required Procedures Documents. Supervisory Guide 2.0 required the lead examiner assigned to monitor MRA remediation to prepare a Procedures Document outlining the exam steps to be taken to determine if an Enterprise was addressing the deficiencies in the MRA. Based on the OQA report, it appears that OQA found only 18 Procedures Documents for the 32 MRAs sampled (or 56%), and these 18 were all for closed MRAs. None was updated on a regular basis, as required by Supervisory Guide 2.0. In addition, six Procedures Documents failed to meet existing DER requirements: three did not identify the steps for determining if the MRA has been corrected, and were not updated to reflect the work performed or facts discovered; and three were dated after DER determined that Enterprise remediation was complete. Unauthorized extensions of time. Of the 32 MRAs in the sample, extensions of remediation deadlines were granted in three instances without written authorization from the DER Deputy Director and without a finding that the Enterprise “made a convincing case for extending the due date,” as required by Supervisory Guide 2.0. Inadequate DER policies and procedures for MRA monitoring. DER policies and procedures lacked a clear assignment of responsibility for MRA tracking and lacked a means to ensure consistency in examiners’ documentation. Lack of a comprehensive quality control process.20 Work papers and reports prepared by examiners were not subject to a comprehensive quality control review process. OQA noted that a quality control process helps ensure the accuracy and consistency of the examination reports and supporting work papers and may help DER management self-identify and resolve these issues. DER’s Response to the Findings of the 2013 Internal FHFA Review In its written response to the OQA report, DER concurred with “the spirit and intent of the report’s recommendations.” DER asserted that it had updated its policies and procedures for 20 OQA noted that it had identified DER’s lack of formal quality control process in a 2011 report that looked at DER’s 2010 Reports of Examination. OIG EVL-2016-004 March 29, 2016 15 monitoring Enterprise remediation of MRAs and acknowledged the importance of effective record keeping. DER also acknowledged that its examiners were required to document their efforts to monitor Enterprises remediation of MRAs. DER also committed to establish and adopt a formal internal quality control process, and represented that implementation of the process would have a significant positive effect on ensuring appropriate documentation of actions related to all aspects of examination activities. As we explained in a recent evaluation, we found that DER repeatedly committed to implement a formal quality control review process from 2012 until year end 2014, but failed to do so until July 28, 2015, after our evaluation was completed.21 DER also advised OQA that it was working with the Enterprises’ Internal Audit divisions to “appropriately shift from FHFA to Internal Audit the responsibility to assess that underlying issues associated with the MRA have been addressed.” DER stated, however, that it would retain “full and sole responsibility for ultimately assessing whether an Enterprise has successfully addressed all issues associated with an MRA, as determined through ongoing monitoring and related targeted examination work.” In December 2014, OQA closed its outstanding recommendations directed toward improvement of DER’s efforts to monitor MRA remediation. Subsequent to issuance of the OQA report, FHFA and DER took action to eliminate a number of the requirements at issue in the OQA report. As discussed, Supervisory Guide 2.0 required an examiner to prepare quarterly reports assessing an Enterprise’s remediation efforts and OQA found that no quarterly monitoring reports on remediation activity were prepared for any of the 32 MRAs in the sample. When FHFA issued the Examination Manual in December 2013, it did not include the quarterly assessment requirement and DER did not include the requirement in any supplemental guidance. As a consequence, the only remaining guidance to DER examiners on the obligation to assess an Enterprise’s MRA remediation efforts is contained in FHFA’s Advisory Bulletin 2012-01, which allows the examiner-in- charge to set the intervals at which examiners should check on and document progress by an entity in remediating an MRA. Further, DER officials maintained to us, in disregard of the plain requirements in Supervisory Guide 2.0, which was in effect at the time this MRA issued, that they interpreted the Guide to permit DER examiners to review remediation efforts as part of ongoing monitoring covering the risk area addressed by the MRA without a separate Procedures Document. Finally, DER subsequently eliminated from its guidance the requirement in Supervisory Guide 2.0 that extensions of an MRA remediation deadline could 21 See OIG, Intermittent Efforts Over Almost Four Years to Develop a Quality Control Review Process Deprived FHFA of Assurance of the Adequacy and Quality of Enterprise Examinations (Sept. 30, 2015) (EVL- 2015-007) (online at www.fhfaoig.gov/Content/Files/EVL-2015-007.pdf). OIG EVL-2016-004 March 29, 2016 16 only be made by the DER Deputy Director and only upon a showing by an Enterprise of a “convincing case for extending the due date.” Notwithstanding DER’s Concurrence with the “Spirit and Intent” of OQA’s Recommendations, Review of its MRA Monitoring Efforts Found No Improvement and a Continued Lack of Compliance with Existing FHFA Requirements and Guidance In July 2013, DER conducted a targeted examination of one Enterprise’s controls and found significant deficiencies relating to its continued use of .22 DER issued an MRA requiring the Enterprise to mitigate shortcomings in its . The MRA directed the Enterprise, among other things, to provide dates by which it planned to remediate its , in priority order. DER Approved a Remediation Plan Which Did Not Identify the Specific Deficiencies to Be Corrected and Which Lacked Any Plan or Milestones to Remediate All of the Shortcomings DER requires that remediation plans outline “specific and detailed steps” to address the MRA and “ensure that a sustainable solution will be put in place.” In its remediation plan, the Enterprise reported that it had identified a specific number of shortcomings for which remediation was required by the MRA, but did not provide any information about any of these shortcomings. The Enterprise proposed to develop and implement a sustainable plan to 22 OIG EVL-2016-004 March 29, 2016 17 address all of the specific number of unidentified shortcomings by December 15, 2013, and proposed to complete implementation of its plan for 59% of the unidentified shortcomings within year one. Nowhere in the Enterprise’s remediation plan did it identify the shortcomings or propose a timeline to remediate the remaining 41% of the unidentified shortcomings. FHFA’s Advisory Bulletin 2012-01 directs that a remediation plan to correct MRA deficiencies contain specific milestones reflecting the seriousness of the MRA, taking into consideration the complexity of the issue and the urgency of correction. The 2013 MRA involved shortcomings in controls , an area that FHFA reported to Congress, in its recent Performance and Accountability Report for FY 2015, 23 As discussed above, the Enterprise’s remediation plan contained no milestones to remediate 41% of the unidentified shortcomings, and no end date by which these unidentified shortcomings would be corrected. Notwithstanding these flaws in the Enterprise’s remediation plan, DER approved the plan. At no time subsequently did DER require the Enterprise to amend its plan to identify the specific shortcomings that were going to be remediated or to provide a timeline for remediation of the outstanding 41% of the shortcomings. DER Examiners Failed to Prepare a Required Procedures Document at the Outset of Monitoring DER officials informed us that examiner oversight of an Enterprise’s efforts to correct MRA deficiencies is critical to the Agency’s mission of ensuring the safety and soundness of the Enterprises. At the time DER issued the MRA in July 2013, Supervisory Guide 2.0 was in effect. As we discussed previously, Supervisory Guide 2.0 directed DER examiners to prepare a Procedures Document identifying the intended examination steps to monitor an Enterprise’s remediation of an MRA; to provide quarterly updates reporting on the supervisory activity during that period; and to finalize the Procedures Document when remediation was complete to “provide an auditable trail of supervisory work.” We showed that OQA’s July 2013 report was critical of DER’s failure in many instances to prepare Procedures Documents, and of the lack of documentation to show efforts made by DER examiners to monitor and assess MRA remediation. DER’s ongoing monitoring of the Enterprise’s remediation of the July 2013 MRA began after its receipt of the OQA report. We found no Procedures Document prepared in 2013, which DER officials confirmed. 23 See FHFA, Fiscal Year 2015 Performance and Accountability Report (Nov. 16, 2015) (online at www.fhfa.gov/AboutUs/Reports/ReportDocuments/FHFA-2015-PAR.pdf) (accessed Feb. 10, 2016). OIG EVL-2016-004 March 29, 2016 18 DER’s examiner-in-charge for the Enterprise when the July 2013 MRA was issued reported to us that he was “not sure” that a Procedures Document was required for monitoring remediation of the MRA and that he was not concerned by the lack of a Procedures Document. While he acknowledged to us that DER monitors MRA remediation through ongoing monitoring, he was dismissive of the need to document that monitoring. FHFA’s Examination Manual, issued in December 2013, directs that examiners are to follow an Enterprise’s MRA remediation efforts through ongoing monitoring, and OPB 2014-01 requires examiners to prepare a Procedures Document to record the steps that they intend to take for ongoing monitoring activities, which include monitoring an Enterprise’s remediation of an MRA. DER officials asserted to us that they did not read the requirements in examiner guidance to require a separate Procedures Document specific to each MRA and that an examiner’s review of remediation could be included in ongoing monitoring covering the risk area that encompasses the MRA. DER officials also acknowledged to us that no Procedures Document was prepared from December 2013 through December 2014, but reported that “in 2015, examination activity related to tracking [the Enterprise’s] remediation” of the MRA was included in a Procedures Document. In short, DER did not follow its established requirements for a Procedures Document for the MRA in 2013 and 2014, even though it had previously agreed with the “spirit and intent” of the 2013 OQA report. The examiner-in-charge when the MRA was issued asserted to us that his team of examiners prepared analysis memoranda to document their assessments of the Enterprise’s remedial efforts, which he maintained was permitted by FHFA’s Examination Manual. The Examination Manual, issued five months after this MRA, permits examiners to document their ongoing monitoring activities with analysis memoranda. In response to our requests, DER provided no analysis memoranda detailing DER’s efforts to monitor the Enterprise’s remediation of the MRA at any point in time. FHFA-Mandated Examiner Follow-up on an Enterprise’s Remediation Efforts Requires More than Participation in Meetings with Enterprise Employees and Attendance at Briefings by Enterprise Employees DER officials reported to us that DER examiners engaged in ongoing monitoring of the Enterprise’s remediation efforts through participation in frequent meetings with Enterprise staff in which updates were provided by the Enterprise on the progress of its remedial efforts, receipt and review of materials from the Enterprise on its remediation, and detailed tracking of the progress of remediation of the MRA. Many of these meetings and entries in the tracking system, these officials explained, related to the Enterprise’s efforts to that included the scope of this MRA. OIG EVL-2016-004 March 29, 2016 19 We do not question DER’s representations that its examiners attended frequent meetings with Enterprise staff and were present during numerous presentations by Enterprise staff relating to actions planned and taken with respect to its . We reviewed all of the Enterprise materials provided to us by DER and its entries in its tracking system and found copious information from the Enterprise relating to its presentations. We credit DER’s statements that examiners learned a great deal of information from the Enterprise during their meetings and review of the Enterprise materials. But MRA follow-up, as defined by FHFA and DER, is not limited to listening to an Enterprise explain what actions the Enterprise has planned or is undertaking to correct MRA deficiencies. Fundamental to the requirement for DER examiner follow-up of an Enterprise’s efforts to correct MRA deficiencies contained in DER’s Supervisory Guide 2.0, FHFA’s Advisory Bulletin 2012-01 and Examination Manual, and DER’s OPB 2013-01, is a regular assessment of the timeliness and adequacy of the Enterprise’s remedial efforts. While each of these guidance documents uses different words, all express the same concept – MRA follow-up requires examiners to measure and assess an Enterprise’s progress in remediating the deficiencies identified in the MRA:24 DER’s Supervisory Guide 2.0, issued in 2009: examiners will conduct quarterly assessments of the Enterprise’s progress; FHFA’s Advisory Bulletin 2012-01, issued in 2012: “timely” action by FHFA examiners is needed “to check for resolution consistent with a remediation plan” at “an interval determined by the [examiner-in-charge] and guided by the remediation plan,” which includes “an assessment of materials provided by the regulated entity, discussions with the responsible parties at the regulated entity, and testing, if appropriate, to determine progress against a remediation plan”; FHFA’s Examination Manual, issued in 2013: DER examiners must engage in ongoing monitoring “to determine the status of the Enterprise’s compliance with [ ] MRAs”; the “purpose of ongoing monitoring is to analyze real-time information and to use those analyses to identify Enterprise practices and changes in an Enterprise’s risk profile that may warrant supervisory attention”; DER’s OPB 2013-01: examiners will assess the remediation of the MRA through ongoing monitoring or related targeted examination work. 24 Advisory Bulletin 2012-01 states that the timeframe for the Enterprise’s response to FHFA’s MRA “should reflect the seriousness of the MRA, taking into consideration the complexity of the issue, and the urgency regarding correction.” OIG EVL-2016-004 March 29, 2016 20 It is axiomatic that an assessment of the adequacy and timeliness of remedial efforts requires knowledge of deficiencies or shortcomings to be corrected and the timeline for those remedial efforts. The Enterprise’s 2013 remediation plan neither disclosed the specific shortcomings it planned to correct nor proposed a timeline for remediating 41% of these non-disclosed shortcomings, and we found no supplemental plan provided by the Enterprise that addressed remediation of the remaining 41%. Whatever actions were taken by DER examiners from December 2013 through October 2015 in connection with this MRA, these actions cannot constitute ongoing monitoring because the remediation plan did not specifically identify the shortcomings that were being remediated or the timetable to remediate 41% of them. Consequently, they could not, and did not, assess the adequacy of the corrective actions taken by the Enterprise or the timeliness of remediation for 41% of the unidentified shortcomings. DER Documentation of its Ongoing Monitoring Contains No Assessment by DER Examiners of the Adequacy or Timeliness of the Enterprise’s Efforts to Remediate the MRA As discussed, the 2013 OQA review found that DER examiners had not documented their quarterly assessments of Enterprise remediation for any of the 32 MRAs in the OQA sample, as required by DER’s Supervisory Guide 2.0. While DER subsequently eliminated the quarterly assessment requirement, both DER and FHFA still require examiners to document their follow-up of an Enterprise’s efforts to remediate an MRA. We reviewed all materials represented by DER to constitute its documentation of ongoing monitoring of the Enterprise’s efforts to correct the shortcomings in response to the July 2013 MRA. These materials were voluminous and consisted of numerous chart decks and PowerPoint presentations from the Enterprise on its initiative to controls, entries in DER’s MRA tracking system for this MRA, and several sets of meeting notes from examiners taken during meetings with Enterprise employees. By way of example, the only notes that include any reference to MRA remediation are two sets reporting that the Enterprise provided short reports on its corrective actions, without any description of those efforts. None of the materials provided by DER to us contained observations, assessments, or conclusions by DER examiners on the adequacy or timeliness of the Enterprise’s remediation efforts. Based on our review, we observed that DER’s ongoing monitoring was confined to receiving reports and information from the Enterprise. Several DER examiners we interviewed validated that observation: in their experience, DER relied on representations about the progress of ongoing remediation activities made by the Enterprise management and on materials supplied by the Enterprise for its monitoring effort. DER’s reliance on the Enterprise is contrary to FHFA requirements and DER guidance directing examiners to analyze, in real-time, information received from the entity engaged in MRA remediation, and testing, as appropriate, to validate the sufficiency of the remediation. OIG EVL-2016-004 March 29, 2016 21 The Enterprise’s Failure to Meet its Internal Deadlines for Validation Testing Prompted No Response or Inquiry from DER In its December 2013 update on the status of its remedial efforts, the Enterprise reported that it had corrected almost 60% of the unidentified shortcomings in response to the MRA. Separately, and at a later date, the Enterprise represented that its Internal Audit division would complete validation testing of that remediation by December 15, 2014, a step described in OPB 2013-01. DER officials acknowledged in October 2015 that testing was not completed in 2014, and had not been completed as of the conclusion of the fieldwork for this report. They represented to us that DER agreed to postpone this milestone because remediation of the MRA was a subset of a broader issue for review by Internal Audit, and that DER determined there was a reasonable basis for the postponement. We found no contemporaneous documentation that DER examiners made any inquiries to understand the reasons that Internal Audit delayed validation testing, and DER examiners confirmed to us that DER made no such inquiries. FHFA’s Representations to the Public Respecting the Timeliness of MRA Remediation Is Questionable As we have shown, DER set no specific milestones for completion of specific remedial activities for this MRA. Its approval of the Enterprise’s remediation plan amounted to its agreement to a December 2014 milestone for remediation of 59% of the shortcomings, a milestone that, according to the Enterprise, it met. However, the Enterprise never proposed a completion date for remediation of the remaining 41% of the shortcomings to address the MRA, and FHFA never imposed one. The MRA remains open more than 30 months after it issued, notwithstanding FHFA’s mandate that all MRAs be promptly remediated. In its 2014 Report to Congress, FHFA stated that it assessed the remediation of MRAs previously issued to both the Enterprises and the FHLBanks through examination activities. In its most recent Performance and Accountability Report, FHFA identified 24 measures to help evaluate and assess its progress toward meeting the three goals announced in its Strategic Plan for Fiscal Years 2015-2019. Under Strategic Goal 1, “Ensure Safe and Sound Regulated Entities,” FHFA established Performance Goal 1.3: “Require timely remediation of risk management weaknesses.” Included in this Performance Goal is Strategic Goal 1.3.1: “Regulated entities complete remedial action for Matters Requiring Attention within agreed upon timeframes.” FHFA reported in the Performance and Accountability Report that this Performance Goal was “MET” and that the Enterprise “reported a 100% compliance rate” with the goal. We cannot determine the basis for these representations, given that no timeframe for remediation of 41% of the shortcomings to address the July 2013 MRA was established or agreed to by DER. OIG EVL-2016-004 March 29, 2016 22 FINDINGS ................................................................................. 1. FHFA guidance with respect to the content of MRAs falls short of the guidance of other federal financial regulators. As part of their safety and soundness missions, federal financial regulators such as FHFA, the OCC, and the Federal Reserve are responsible for examining the financial institutions they regulate and reporting any deficiencies they find to the institutions’ boards of directors and management. According to FHFA, its statutory supervision authority over Fannie Mae, Freddie Mac, and the FHLBanks “is virtually identical to – and clearly modeled on – Federal bank regulators’ supervision of banks.” Like the OCC and Federal Reserve, FHFA issues MRAs to communicate serious deficiencies requiring prompt remediation by the regulated institution. We compared FHFA’s guidance for MRA content and remediation to the guidance of the OCC and Federal Reserve. We found that FHFA’s standards for MRA content are less rigorous than those of the other regulators. Both the OCC and the Federal Reserve require their examiners to communicate, in writing, detailed supervisory findings that resulted in the MRA. The OCC goes as far as prescribing the specific elements that the examiners must apply in documenting an MRA, using its “Five C’s” format. In contrast, there is no FHFA requirement that the examination team provide details about the practices that resulted in the MRA, or the potential consequences if the MRA is not remediated. FHFA’s guidance for the content of an MRA does not require the examination team to describe the actions that the Enterprises must take to remediate the identified deficiency, or that examiners provide a time frame in which the corrective actions must be completed. Similarly, FHFA does not require that the regulated institution provide, as part of its remediation plan, a completion date for remediation of deficiencies identified in the MRA. 2. Although FHFA’s requirements and guidance for monitoring MRA remediation are similar to that of other financial regulators, DER examiners have not adhered to the requirements and guidance in their oversight of remediation of a MRA. FHFA’s guidance with respect to follow-up and oversight of MRA remediation is similar to that of the OCC and Federal Reserve. All three regulators require specific and timely follow- up activities, documentation of corrective actions taken by the regulated institution, and documented assessments of these corrective actions. FHFA guidance instructs that examiners will track and assess MRA remediation through ongoing monitoring or related targeted examination work, and that examiners are to use specific documents to assess corrective actions by the Enterprises. OIG EVL-2016-004 March 29, 2016 23 In July 2013, DER issued an MRA to an Enterprise finding certain deficiencies and risks related to its . We evaluated DER’s oversight of the Enterprise’s remediation of the MRA against FHFA and DER requirements. We found that DER’s oversight did not meet the Agency’s own standards for oversight of MRA remediation. DER accepted a proposed remediation plan from the Enterprise that was incomplete. The proposed plan failed to identify the specific deficiencies covered by the MRA for which remediation was required and failed to provide any milestones, or ultimate completion date, for remediating 41% of the non-disclosed shortcomings. DER examiners did not prepare a Procedures Document, as required by governing DER guidance for ongoing monitoring of MRA remediation. Although DER examiners dutifully summarized the Enterprise’s remedial actions to correct the MRA deficiencies, we found no evidence of any active, regular assessments by DER of the effectiveness or timeliness of these corrective actions. We found no evidence that DER inquired about the reasons that the Enterprise’s Internal Audit division delayed validation testing of remediation efforts. As of the completion of our field work, the MRA remains open and unresolved more than 30 months after it was issued. We found no evidence that DER has performed any assessment of the adequacy and timeliness of the Enterprise’s efforts to remediate the deficiencies that gave rise to the MRA. CONCLUSION ............................................................................ Similar to other federal financial regulators, FHFA issues MRAs only for the most significant supervisory concerns. However, certain FHFA requirements and supplemental guidance on MRA content and the Enterprises’ proposed remediation plans fall short of the requirements and specific guidance of other financial regulators. FHFA requirements and guidance related to follow-up of MRA remediation are similar to that of other financial regulators; however, DER examiners have not always adhered to these requirements and guidance. In July 2013, DER issued an MRA to an Enterprise finding deficiencies and risks related to its . Our evaluation of DER’s supervision of the Enterprise’s efforts to remediate the MRA found that DER did not meet FHFA requirements and guidance. Apart from the examiner-in-charge’s representations to us that DER examiners engaged in ongoing monitoring of the Enterprise’s remediation efforts, we found no documentation that DER assessed the adequacy and timeliness of those efforts. As of the completion of our field work, FHFA had yet to assess and verify whether the deficiencies, which relate to an area that FHFA deems a “significant risk,” had been corrected. OIG EVL-2016-004 March 29, 2016 24 RECOMMENDATIONS ............................................................... Consonant with FHFA’s assertion that its supervisory authority over its regulated entities is virtually identical to other Federal bank regulators’ supervision of banks, we recommend that FHFA: 1. Review FHFA’s existing requirements, guidance, and processes regarding MRAs against the requirements, guidance, and processes adopted by the OCC, Federal Reserve, and other federal financial regulators including, but not limited to, content of an MRA; standards for proposed remediation plans; approval authority for proposed remediation plans; real time assessments at regular intervals of the effectiveness and timeliness of an Enterprise’s MRA remediation efforts; final assessment of the effectiveness and timeliness of an Enterprise’s MRA remediation efforts; and required documentation for examiner oversight of MRA remediation. 2. Based on the results of the review in recommendation 1, assess whether any of the existing requirements, guidance, and processes adopted by FHFA should be enhanced, and make such enhancements. 3. Because DER and DBR examiners are bound to follow FHFA’s requirements and guidance, compare the processes followed by DBR for the form, content, and issuance of an MRA, standards for a proposed remediation plan, approval authority for a proposed remediation plan, and real time assessments at regular intervals of the effectiveness and timeliness of MRA remediation efforts to the processes followed by DER. 4. Based on the results of the review in recommendation 3, assess whether guidance issued and processes followed by either DER or DBR should be enhanced, and make such enhancements. 5. Provide mandatory training for all FHFA examiners on FHFA requirements, guidance, and processes and DER and DBR guidance for MRA issuance, review and approval of proposed remediation plans, and oversight of MRA remediation. 6. Evaluate the results of quality control reviews conducted by DER and DBR to identify and address gaps and weaknesses involving MRA issuance, review and approval of proposed remediation plans, and oversight of MRA remediation. OIG EVL-2016-004 March 29, 2016 25 FHFA COMMENTS AND OIG RESPONSE ..................................... OIG provided FHFA an opportunity to respond to a draft report of this evaluation. FHFA provided several technical comments that we incorporated into the report, as appropriate. On March 18, 2016, FHFA provided its formal response to our recommendations. In its response, FHFA disagreed with recommendations 1 and 2 and agreed with recommendations 3, 4, 5, and 6. FHFA’s complete response is attached as Appendix A to this report. With respect to its disagreement with recommendations 1 and 2, FHFA stated that its existing requirements and guidance “appropriately enable FHFA to meet [its] statutory obligations.” FHFA also asserted that it “will continue . . . to be informed as appropriate” by the guidance, requirements, and processes of other regulatory agencies. FHFA claimed, however, that a review of the requirements, guidance, and processes adopted by the OCC, Federal Reserve, and other financial regulators would be “unduly burdensome” and that the costs of such a review would “far outweigh” the benefits. FHFA’s position that its existing requirements and guidance are sufficient to meet its statutory obligations misses the central point of this evaluation that FHFA’s regulatory guidance related to MRA content and remediation falls short of the guidance of its peer federal financial regulators. FHFA’s statutory obligation with respect to the institutions it regulates is clear and straightforward: to ensure the financial safety and soundness of Fannie Mae, Freddie Mac, and the FHLBanks through, among other things, regular examinations of these institutions. Other federal financial regulators, such as the OCC and Federal Reserve, have a similar statutory obligation to examine the institutions they regulate. The statutory obligations are parallel; the issue is that FHFA’s regulatory guidance in support of its statutory obligation is less disciplined than that of other regulators charged with the same statutory obligation. Further, FHFA, in line with the other financial regulators, elects to use MRAs to describe serious deficiencies discovered during examinations of the regulated entities. Like other regulators, FHFA states that an MRA must be promptly remediated in accordance with an approved remediation plan. As we explained in the report, FHFA’s guidance deviates from the detailed guidance of other regulators with respect to the content of an MRA, communication of an MRA to the board of directors of the regulated entity, and the board’s role in overseeing the remediation of an MRA. FHFA’s response to our recommendation does not dispute these observations. For these reasons, FHFA’s focus on its statutory obligation to examine the institutions it regulates, as opposed to its regulatory implementation governing how it satisfies that obligation, is misplaced. OIG EVL-2016-004 March 29, 2016 26 Moreover, FHFA’s statements that reviewing other agencies’ guidance would be “unduly burdensome” and that the costs of conducting such a review “would far outweigh the benefits” are not supported by any facts and are inconsistent with other representations in FHFA’s response. FHFA includes the accompanying statement that it “will continue, as [it has] in the past, to be informed, as appropriate by requirements, guidance, and processes” of other regulators. If FHFA already keeps itself informed as to the requirements, guidance, and processes of other regulators, it is unclear to OIG what “undue burden” would befall FHFA by implementing our recommendation to review the guidance of other regulators and identify opportunities to enhance existing practice. Regarding FHFA’s claim that the costs of implementing OIG’s recommendations “would far outweigh the benefits,” FHFA provides no facts to support its position. During our field work for this evaluation, we identified and reviewed the relevant regulatory guidance materials from the OCC and Federal Reserve. These materials comprise fewer than ten documents and, with respect to MRA content and remediation, a small and manageable number of pages. FHFA did not provide its reasoning behind its statement that the cost of performing a similar review “would far outweigh” the benefits to the Agency of enhancing its MRA-related guidance to achieve parity with regulatory best practice. FHFA is a financial regulator with supervisory and examination responsibilities and authorities comparable to those of the other financial regulators, and has formally acknowledged that it modeled its examination program after the examination programs of these other regulators. Shortly after its creation, FHFA adopted the examination term “Matters Requiring Attention,” a term that was in common usage among the financial regulators to describe serious deficiencies at a financial institution. An MRA is the most serious examination finding FHFA issues. FHFA has also drawn favorable comparisons between its examination program and those of other financial regulators. Most recently, the FHFA Director remarked in a public forum that “[l]ike other federal financial regulators, FHFA conducts safety and soundness supervision with a deliberate distance between FHFA and the Enterprises. Members of our supervision staff . . . conduct examinations that focus on areas of highest risk to the Enterprises. They produce reports of examination and make findings as to whether the Enterprises need to make corrective actions in particular areas.” OIG believes that recommendations 1 and 2, if implemented, position FHFA to enhance its practices to keep pace with best practices among federal financial regulators. Given the potential benefit to FHFA and the lack of an articulated burden, it is unfortunate that FHFA has declined to adopt these recommendations. OIG EVL-2016-004 March 29, 2016 27 OBJECTIVE, SCOPE, AND METHODOLOGY ................................. The objective of this evaluation was to assess FHFA’s oversight of an Enterprise’s remediation of deficiencies in its . To achieve this objective, we interviewed officials from FHFA’s examination division, DER. We also reviewed information provided by the Enterprise and FHFA. The information used in this report covered 2013 through October 2015. Our work was conducted under the authority of the Inspector General Act and in accordance with the Council of the Inspectors General on Integrity and Efficiency’s Quality Standards for Inspection and Evaluation (January 2012). These standards require us to plan and perform an evaluation based upon evidence sufficient to provide reasonable bases to support its findings and recommendations. We believe that the findings and recommendations discussed in this report meet these standards. Field work for this evaluation was performed from February to October 2015. OIG EVL-2016-004 March 29, 2016 28 APPENDIX A ............................................................................. FHFA’s Comments on OIG’s Recommendations OIG EVL-2016-004 March 29, 2016 29 OIG EVL-2016-004 March 29, 2016 30 OIG EVL-2016-004 March 29, 2016 31 ADDITIONAL INFORMATION AND COPIES ................................. For additional copies of this report: Call: 202-730-0880 Fax: 202-318-0239 Visit: www.fhfaoig.gov To report potential fraud, waste, abuse, mismanagement, or any other kind of criminal or noncriminal misconduct relative to FHFA’s programs or operations: Call: 1-800-793-7724 Fax: 202-318-0358 Visit: www.fhfaoig.gov/ReportFraud Write: FHFA Office of Inspector General Attn: Office of Investigations – Hotline 400 Seventh Street SW Washington, DC 20219 OIG EVL-2016-004 March 29, 2016 32
FHFA's Examiners Did Not Meet Requirements and Guidance for Oversight of an Enterprise's Remediation of Serious Deficiencies
Published by the Federal Housing Finance Agency, Office of Inspector General on 2016-03-29.
Below is a raw (and likely hideous) rendition of the original report. (PDF)