oversight

FHFA's Supervisory Standards for Communication of Serious Deficiencies to Enterprise Boards and for Board Oversight of Management's Remediation Efforts are Inadequate

Published by the Federal Housing Finance Agency, Office of Inspector General on 2016-03-31.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

           Federal Housing Finance Agency
               Office of Inspector General




FHFA’s Supervisory Standards for
    Communication of Serious
 Deficiencies to Enterprise Boards
   and for Board Oversight of
Management’s Remediation Efforts
          are Inadequate




Evaluation Report  EVL-2016-005  March 31, 2016
                 Executive Summary
                 As the federal regulator of Fannie Mae and Freddie Mac (collectively, the
                 Enterprises) and of the Federal Home Loan Banks (FHLBanks), the Federal
                 Housing Finance Agency (FHFA or Agency) is tasked by statute with ensuring
                 that these entities operate safely and soundly so that they serve as a reliable
                 source of liquidity and funding for housing finance and community investment.
EVL-2016-005     Critical to FHFA’s supervision of the Enterprises and FHLBanks are on-site
                 examinations, including ongoing monitoring and targeted examinations into
March 31, 2016   strategically selected areas of high importance.

                 FHFA consistently maintains, based on the language of its authorizing statute,
                 that its supervisory authority over the entities it regulates “is virtually identical
                 to—and clearly modeled on—Federal bank regulators’ supervision of banks.”
                 Like the Office of the Comptroller of the Currency (OCC) and the Board of
                 Governors of the Federal Reserve System (Federal Reserve), FHFA conducts
                 safety and soundness examinations, reports on examination findings, and,
                 when necessary, issues findings identifying deficiencies. Supervisory
                 guidance issued by FHFA, the OCC, and the Federal Reserve holds directors
                 responsible for oversight of the affairs of a regulated entity and for its safety
                 and soundness. These regulators require boards of directors of a regulated
                 entity to ensure that the conditions and practices that gave rise to supervisory
                 concerns and deficiencies are corrected by management in a timely manner.

                 In our recent evaluation, FHFA’s Examiners Did Not Meet Requirements and
                 Guidance for Oversight of an Enterprise’s Remediation of Serious Deficiencies,
                 we explained that FHFA, like the OCC and Federal Reserve, issues Matters
                 Requiring Attention (MRA) for serious supervisory concerns or deficiencies
                 that require prompt correction. Because each of these regulators charges
                 directors of a regulated entity with responsiblility to ensure that the conditions
                 and practices that gave rise to supervisory concerns and deficiencies are corrected
                 by management, we compared the stringent requirements imposed on directors
                 for oversight of MRA remediation by the OCC and the Federal Reserve to those
                 imposed by FHFA’s Division of Enterprise Regulation (DER) on Enterprise
                 directors, and determined that requirements and guidance of FHFA and DER fall
                 far short of peer federal financial regulators. Specifically, we found:

                        The OCC and Federal Reserve require a board of directors to be
                         notified, in writing, by the exam team when an MRA issues and
                         the reasons for its issuance; FHFA examiners notify Enterprise
                         management, not Enterprise directors, that an MRA has issued.

                        The OCC and Federal Reserve require a board of directors to engage
                         early in the MRA remediation process by reviewing or approving a
                        written remedial plan to correct the MRA deficiencies; FHFA places
                        sole responsibility on Enterprise management to develop and submit a
                        remedial plan to FHFA, without review by Enterprise directors.

                       The OCC and Federal Reserve require a board of directors to oversee
                        management’s efforts to implement the proposed remedial measures
                        on an ongoing basis and ensure that management’s remediation is
EVL-2016-005            adequate and timely; FHFA does not.

March 31, 2016         The OCC and Federal Reserve expect a board of directors to keep the
                        regulator informed of the progress of the remediation; FHFA does not.

                 Under FHFA’s supervisory guidance, an Enterprise board is responsible for
                 ensuring timely and effective correction of significant supervisory deficiencies,
                 but FHFA’s supervisory practices significantly limit the ability of an Enterprise
                 board to execute its responsibilities. DER does not communicate MRAs directly
                 to an Enterprise board; rather, a board receives information concerning the most
                 serious deficiencies through a management filter. An Enterprise board has no
                 role in review or approval of a plan to remediate MRAs, which constrains the
                 board’s ability to effectively oversee management’s remedial efforts.

                 FHFA acknowledged to us that it has no supervisory expectations for an
                 Enterprise board to oversee management’s efforts to remediate an MRA on an
                 ongoing basis. According to FHFA, the responsibilities of an Enterprise board
                 are limited to monitoring MRA remediation, not oversight: an Enterprise board
                 is expected only to receive reports from management on the progress of its
                 remedial actions. Under FHFA’s current supervisory practices, there is a risk
                 that an Enterprise board could become no more than a bystander to management’s
                 efforts to remediate MRAs, and FHFA risks prolonged or inadequate resolution
                 of the most serious threats to the Enterprises’ safety and soundness.

                 We make four recommendations to FHFA to remedy the shortcomings we
                 found. FHFA agrees with three recommendations and partially agrees with one.

                 The report was prepared by Brian Stief and Brian Harris, Investigative Counsels.
                 The report has been distributed to Congress, the Office of Management and
                 Budget, and others and will be posted on our website, www.fhfaoig.gov. We
                 appreciate the assistance of the officials from FHFA in completing this evaluation.




                 Angela Choy
                 Assistant Inspector General for Evaluations
TABLE OF CONTENTS ................................................................
EXECUTIVE SUMMARY .............................................................................................................2

ABBREVIATIONS .........................................................................................................................6

BACKGROUND .............................................................................................................................7
      MRAs: Their Role and Purpose for the Enterprises ................................................................7

FACTS AND ANALYSIS...............................................................................................................9
      Supervisory Engagement with the Board of Directors of a Regulated Entity on MRA
      Issuance and Remediation ......................................................................................................10
             Format and Communication ...........................................................................................10
             Follow-Up .......................................................................................................................13

FINDINGS .....................................................................................................................................15
      1. FHFA’s acknowledgement that DER informs only Enterprise management of an
      MRA, and then relies on management to communicate that information to an
      Enterprise board, creates a significant risk that management will put its own spin on
      the deficiencies giving rise to the MRA or will filter the information it provides to
      the Board. ................................................................................................................................15
      2. FHFA’s determination that Enterprise management is solely responsible for
      development and submission of a proposed MRA remediation plan, without
      requiring any board review or approval, creates a significant likelihood that
      Enterprise directors lack a reasonable basis on which to affirm to FHFA that
      adequate and timely corrective actions have been taken or will be taken to resolve
      the MRA, as required by the Examination Manual. ...............................................................15
      3. Because FHFA acknowledged to us that it has no supervisory expectations for
      an Enterprise board to oversee management’s efforts to remediate an MRA on an
      ongoing basis and maintained that the responsibilities of an Enterprise board are
      limited to monitoring MRA remediation based on reports from management, there is
      a risk that an Enterprise board could become no more than a bystander to
      management’s efforts to remediate an MRA, and FHFA risks prolonged or
      inadequate resolution of the most serious threats to the Enterprises’ safety and
      soundness. ...............................................................................................................................15

CONCLUSION ..............................................................................................................................15

RECOMMENDATIONS ...............................................................................................................17


                                            OIG  EVL-2016-005  March 31, 2016                                                                 4
FHFA’S COMMENTS AND OUR RESPONSE ..........................................................................17

OBJECTIVE, SCOPE, AND METHODOLOGY .........................................................................18

APPENDIX A ................................................................................................................................19
      FHFA’s Comments on OIG’s Findings and Recommendations ............................................19

ADDITIONAL INFORMATION AND COPIES .........................................................................22




                                           OIG  EVL-2016-005  March 31, 2016                                                             5
ABBREVIATIONS .......................................................................

Board                      Board of Directors

Comptroller’s Handbook     Comptroller’s Handbook for the Bank Supervision Process

DBR                        Division of Federal Home Loan Bank Regulation

DER                        Division of Enterprise Regulation

Fannie Mae                 Federal National Mortgage Association

Federal Reserve            Board of Governors of the Federal Reserve System

Federal Reserve Manual     Commercial Bank Examination Manual

FHFA or Agency             Federal Housing Finance Agency

FHLBank                    Federal Home Loan Bank

Freddie Mac                Federal Home Loan Mortgage Corporation

HERA                       Housing and Economic Recovery Act of 2008

MRA                        Matter Requiring Attention

MRIA                       Matter Requiring Immediate Attention

OCC                        Office of the Comptroller of the Currency

OIG                        Federal Housing Finance Agency Office of Inspector General

ROE                        Report of Examination




                          OIG  EVL-2016-005  March 31, 2016                           6
BACKGROUND ..........................................................................

Since July 2008, FHFA has operated as the regulator of the Enterprises to ensure that they
operate safely and soundly so that they serve as a reliable source of liquidity and funding for
housing finance and community investment.1 FHFA, like other federal financial regulators,
has adopted a risk-based approach for its supervisory activities. FHFA’s Division of
Enterprise Regulation (DER) conducts supervision activities for the Enterprises, including
regular assessments to identify the risks posing the highest supervisory concerns, annual
examinations of each Enterprise consisting of ongoing monitoring and targeted examinations
into those strategically selected areas of high importance or risk, and regular communications
with senior management of each Enterprise throughout the supervisory cycle.

MRAs: Their Role and Purpose for the Enterprises

During any supervisory activity, FHFA examiners may
identify supervisory concerns or deficiencies. FHFA             FHFA issues MRAs only for the
categorizes such supervisory concerns or deficiencies           most significant deficiencies that
into one of three categories: (1) Recommendations, (2)          require prompt remediation by
Violations, or (3) Matters Requiring Attention (MRAs).          the regulated entity and timely
                                                                follow-up by FHFA to check
According to FHFA, only “the most serious supervisory
                                                                resolution consistent with a
matters” are categorized as MRAs.2 FHFA will issue              remediation plan.
MRAs for such matters as “non-compliance with laws
or regulations that result or may result in significant
risk of financial loss or damage,” “repeat deficiencies that have escalated due to insufficient
action or attention,” “unsafe or unsound practices,” “matters that have resulted, or are likely to
result, in a regulated entity being in an unsafe or unsound condition,” and “breakdowns in risk
management, significant control weaknesses, or inappropriate risk-taking.”3 As of November




1
 See Housing and Economic Recovery Act of 2008 (HERA), Pub. L. No. 110-289, § 1102, 122 Stat. 2654,
2663-64 (2008). HERA extensively amended the Federal Housing Enterprises Financial Safety and Soundness
Act of 1992, 12 U.S.C. § 4501 et seq. FHFA has also acted as the conservator of the Enterprises since 2008;
however, this evaluation assesses only the Agency’s role as regulator.
2
 FHFA, Advisory Bulletin 2012-01, Categories for Examination Findings, at 2 (Apr. 2, 2012) (online at
www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/2012_AB_2012-
01_Categories_for_Examination_Findings_508.pdf). An FHFA Advisory Bulletin may be directed to FHFA
employees, to the entities FHFA regulates, or to both. Advisory Bulletin 2012-01 is addressed to both.
3
    Id.




                                  OIG  EVL-2016-005  March 31, 2016                                         7
2015, the Enterprises, combined, had a total of 72 open MRAs, two-thirds of which were
issued in 2013 or earlier.4

FHFA’s Advisory Bulletin 2012-01, issued in April 2012,5 and Examination Manual,
issued in December 2013,6 set forth FHFA’s current requirements and guidance on MRA
remediation and supervisory follow-up. These materials are supplemented by guidance issued
by DER.7

While the Enterprises are not federally chartered banks, FHFA maintains, based on the
language of its authorizing statute,8 that its supervisory authority over the entities it regulates
“is virtually identical to—and clearly modeled on—Federal bank regulators’ supervision
of banks.”9 Like the OCC and Federal Reserve, FHFA conducts safety and soundness
examinations, prepares written reports of its examination findings, and issues findings
identifying deficiencies. FHFA’s governing statute also grants the FHFA Director authority
to use the OCC and the Federal Reserve to conduct FHFA’s supervisory activities and
instructs the Director to set compensation levels for FHFA staff that are comparable to
other federal financial regulators.10 FHFA has successfully asserted the bank examination
privilege, historically invoked by the OCC and Federal Reserve to shield from discovery
materials relating to its supervision of the Enterprises.11




4
    Since then, FHFA has informed us that it closed at least 12 of the 72 open MRAs.
5
    FHFA, Advisory Bulletin 2012-01, Categories for Examination Findings, supra note 2.
6
 FHFA, FHFA Examination Manual (Dec. 19, 2013) (online at
www.fhfa.gov/SupervisionRegulation/Documents/ExaminationProgramOverview.pdf).
7
 Prior to December 2013, DER established MRA requirements and guidance for their examiners in its
Supervisory Guide 2.0.
8
    See 12 U.S.C. §§ 4513(a)(3), 4517(e).
9
 Defendant’s Response in Opposition to Plaintiffs’ Motion to Compel Production of Certain Documents
Withheld for Privilege, at 17, Fairholme Funds, Inc. v. United States, No. 13-465C (Fed. Cl. Feb. 19, 2016).
10
     See 12 U.S.C. §§ 4515(b), 4517(c).
11
     See JPMorgan Chase & Co., 978 F. Supp. 2d at 280.



                                     OIG  EVL-2016-005  March 31, 2016                                       8
FACTS AND ANALYSIS ...............................................................

As a matter of law, the board of an organization—whether a publicly traded company, a bank
regulated by the OCC or Federal Reserve, or a financial institution regulated by FHFA—is
charged with the fiduciary responsibility to oversee the business and affairs of that
organization. To discharge that fiduciary duty, directors set policies and objectives and
oversee management’s implementation of them, establish expectations for senior management
and for the organization as a whole, and exercise appropriate oversight to ensure that those
expectations are met.12 For an entity subject to government regulation, the board is charged
with the responsibility to ensure that management corrects deficiencies found by its regulator
to bring the entity back into regulatory compliance.13

After FHFA placed the Enterprises into conservatorships in September 2008, it delegated
to the board of each Enterprise responsibility for overseeing general corporate matters.14 In
its corporate governance regulation, FHFA has directed that the board of a regulated entity
is responsible for having policies in place to assure oversight of the Enterprise’s risk
management program and of “[t]he responsiveness of executive officers…addressing all of
FHFA’s supervisory concerns in a timely and appropriate manner.”15 FHFA’s Examination


12
  See Mary Jo White, Chair, Securities and Exchange Commission, Remarks at Stanford University Rock
Center for Corporate Governance (June 23, 2014) (online at
www.sec.gov/News/Speech/Detail/Speech/1370542148863. See also Thomas J. Curry, Comptroller, OCC,
Remarks at the Prudential Bank Regulation Conference in Washington, D.C. (June 9, 2015) (online at
www.occ.treas.gov/news-issuances/speeches/2015/pub-speech-2015-82.pdf); see also Daniel K. Tarullo,
Governor, Federal Reserve, Remarks Before the U.S. Senate Committee on Banking, Housing, and Urban
Affairs (Mar. 19, 2015) (online at www.federalreserve.gov/newsevents/testimony/tarullo20150319a.htm).
13
   See, e.g., FHFA, Prudential Mgmt. and Operations Standards, 12 C.F.R. pt. 1236, App. (Standard 1, Princ.
1, 16) [hereinafter FHFA PMOS]; OCC, Bank Supervision Process, Comptroller’s Handbook, at 105 (Dec.
2015) (online at www.occ.gov/publications/publications-by-type/comptrollers-handbook/pub-ch-ep-bsp.pdf)
(“When discussing MRAs, examiners must be clear with management and the board of directors regarding our
supervisory concerns and expectations. Examiners must impress upon the board its responsibility to ensure
that management implements corrective actions within a reasonable period of time and to confirm that those
actions are effective. Failure to do so could lead to enforcement actions.”); Federal Reserve, Commercial Bank
Examination Manual, Section 5000.1, at 5 (Oct. 2015) (online at
www.federalreserve.gov/boarddocs/supmanual/cbem/cbem.pdf) (“Bank directors must ensure that
management corrects deficiencies found in the bank. Instructions to do so may come from the Federal Reserve
as a formal or informal supervisory action, depending on the severity of the problem.”).
14
   Upon its appointment as conservator, FHFA succeeded to, among other things, all rights and powers of any
director of the Enterprises. In November 2008, the FHFA Director delegated authority over general corporate
matters back to the Enterprises’ boards. For more information on FHFA’s delegation of authority to the
boards, see OIG, FHFA’s Conservatorships of Fannie Mae and Freddie Mac: A Long and Complicated
Journey (Mar. 25, 2015) (WPR-2015-002) (online at www.fhfaoig.gov/Content/Files/WPR-2015-002_0.pdf).
15
     See 12 C.F.R. § 1239.4(c)(1), (3).




                                      OIG  EVL-2016-005  March 31, 2016                                        9
Manual instructs that the board is ultimately responsible for ensuring that “the conditions and
practices that gave rise to examination findings are corrected in a timely manner.”16

In a recent OIG evaluation, we compared FHFA’s definition of an MRA to the definitions
adopted by the OCC and Federal Reserve and found the definitions to be substantially
similar.17 Because the OCC, Federal Reserve, and FHFA charge directors of a regulated
entity with responsibility to ensure that management corrects supervisory deficiencies, we
compared in this evaluation the stringent requirements imposed by the OCC and the Federal
Reserve on directors for oversight of MRA remediation to those imposed by FHFA on
Enterprise directors.

Supervisory Engagement with the Board of Directors of a Regulated Entity on MRA
Issuance and Remediation

       Format and Communication

In 2014 revisions to its Comptroller’s Handbook for the Bank Supervision Process
(Comptroller’s Handbook), the OCC included new guidance on MRAs to focus a board’s
“attention on supervisory concerns that require their immediate acknowledgement and
oversight.”18 According to the Comptroller’s Handbook, examiners are required to meet
with a board after an examination to discuss the examination results. The OCC directs its
examiners to communicate, in writing, MRA deficiencies to the board “when discovered.”19
In that written communication, OCC examiners must:

          Describe the MRA;

          Identify contributing factors and the root cause(s) of the MRA;

          Describe potential consequences or effects on the bank from inaction;

          Describe expectations for corrective action; and




16
     FHFA, FHFA Examination Manual, supra note 6, at 23.
17
  See OIG, FHFA’s Examiners Did Not Meet Requirements and Guidance for Oversight of an Enterprise’s
Remediation of Serious Deficiencies (Mar. 29, 2016) (EVL-2016-004) (online at
www.fhfaoig.gov/Content/Files/EVL-2016-004.pdf). In this report, we found that the OCC and Federal
Reserve have more stringent requirements with respect to MRA content than FHFA.
18
     OCC, Bank Supervision Process, Comptroller’s Handbook, supra note 13, at 105.
19
     Id.




                                    OIG  EVL-2016-005  March 31, 2016                               10
           Document the bank’s commitment to corrective actions, including the time frame and
            the person(s) responsible for corrective action.

According to the Comptroller’s Handbook, “examiners must be clear with management and
the board of directors regarding [the OCC’s] supervisory concerns and expectations” for an
MRA.20 Specifically, the OCC directs examiners to “impress upon the board its responsibility
to ensure that management implements corrective actions within a reasonable period of time
and to confirm that those actions are effective.”21 Where management is unable to provide a
remedial plan to the OCC by the time the MRA issues, the OCC requires the board to review
and approve management’s remedial plan within 30 days of receipt of the MRA.

Similarly, the Federal Reserve imposes significant responsibilities on the board of a regulated
entity subject to an MRA.22 According to the Federal Reserve’s Commercial Bank Examination
Manual (Federal Reserve Manual), MRAs and Matters Requiring Immediate Attention
(MRIAs)23 resulting from supervisory activity “must [be] formally communicate[d]” in
written reports to the entity’s board of directors, or executive-level committee of the board.24
After a board reviews an MRA, the Federal Reserve requires it “to provide a written response
to the [Federal Reserve] regarding its plan, progress, and resolution of the MRA.”25 For an
MRIA, where the Federal Reserve expects immediate corrective action, “the banking
organization’s board of directors is required to respond to the [Federal Reserve] in writing
regarding corrective action taken or planned along with a commitment to corresponding time-
frames.”26


20
     Id.
21
     Id. (emphasis added).
22
  The Federal Reserve Board of Governors establishes examination standards and requirements, and the
Reserve Banks are responsible for supervising and regulating bank holding companies, Federal Reserve
System member banks, foreign branches of member banks, and other related entities to ensure safe and
sound banking practices and compliance with applicable laws and regulations. For purposes of this report,
any reference to the “Federal Reserve” includes the Reserve Banks.
23
  The primary difference between an MRA and an MRIA is the degree of urgency to remediate the identified
deficiency.
24
     Federal Reserve, Commercial Bank Examination Manual, supra note 13, Section 6000.1, at 2.
25
     Id. at 3.
26
   Id. For certain regulated entities, the Federal Reserve requires written reports to boards summarizing any
MRAs. The guidance requires such reports for all entities with overall ratings below a specified level or
entities that show signs of deterioration in condition or apparent violations of law. The summary reports must
focus on identifying problems and presenting issues succinctly and clearly, and must include specific types of
actions to be taken by the directors and management. According to Federal Reserve guidance, “summary
reports should emphasize the responsibilities of the directors to ensure that corrective actions are taken to
address all deficiencies” noted in the final report. The guidance also requires each director to read the



                                    OIG  EVL-2016-005  March 31, 2016                                          11
FHFA has inconsistent guidance with respect to notifying a board of directors of an MRA.
FHFA requires its Division of Federal Home Loan Bank Regulation (DBR), which has
supervisory authority over the FHLBanks, to identify an MRA issued to an FHLBank in its
annual written Report of Examination (ROE), including a brief description and the date by
which the MRA must be resolved if not resolved already. It is also DBR’s practice to provide
the ROE to the FHLBank’s board of directors. DBR’s internal guidance counsels DBR
examiners to discuss an MRA with the affected FHLBank board and document those
discussions in writing. However, FHFA does not require DER to notify an Enterprise board
when an MRA has issued or the reasons for the MRA, even though FHFA only issues an
MRA for “the most serious supervisory matters.” FHFA also does not require that the written
ROE include all outstanding MRAs.

FHFA’s governance regulations and Examination Manual make clear that an Enterprise
board is ultimately responsible for ensuring that the conditions and practices that gave
rise to any supervisory concerns are corrected, ensuring that executive officers have been
“responsive[]…in addressing all of FHFA’s supervisory concerns in a timely and appropriate
manner,” and holding management accountable for remediating those conditions and
practices.27 These regulations and requirements make clear that Enterprise boards are charged
with understanding the “serious deficiencies” in practices, policies, procedures, and controls
adopted by management that gave rise to an MRA and overseeing management’s efforts to
correct these deficiencies in a timely and effective manner.

Notwithstanding the obligations imposed by FHFA on an Enterprise board, FHFA reported to
us that DER’s practice is to explain only to Enterprise management the control weaknesses
that are the basis for an MRA. DER meets solely with Enterprise management at an exit
meeting to discuss the supervisory concerns and findings, and communicates an MRA in
a written conclusion letter sent only to the responsible business executive at the Enterprise,
with copies to the heads of Enterprise internal audit and compliance.28 According to FHFA,


summary report, sign a statement confirming his or her review, and return the signed document to management
to keep on file. See Federal Reserve, Commercial Bank Examination Manual, supra note 13, Section 5030.1,
at 3-4.
27
   See FHFA, FHFA Examination Manual, supra note 6, at 23; 12 C.F.R. § 1239.4(c)(1), (3); FHFA, FHFA
PMOS, supra note 13. For similar language from a peer regulator, see also, OCC, OCC Bulletin 2014-52,
Matters Requiring Attention (Oct. 30, 2014) (online at www.occ.treas.gov/news-
issuances/bulletins/2014/bulletin-2014-52.html) (bulletin directed to the chief executive officers of all national
banks and federal savings associations and all examining personnel states that the OCC expects a bank’s board
of directors to hold management accountable for the deficient practices and to ensure the timely and effective
correction of such practices).
28
   Although FHFA guidance vests the examiner-in-charge for each Enterprise with discretion whether to report
an MRA to the Enterprise board or to management (see FHFA, Advisory Bulletin 2012-01, Categories for
Examination Findings, supra note 2, at 2), FHFA informed us that the examiner-in-charge, in practice, reports
MRA issuance to management.



                                     OIG  EVL-2016-005  March 31, 2016                                             12
DER’s supervisory expectation is that Enterprise management will advise the Enterprise
board of DER’s supervisory concerns and findings (including MRAs) and that DER has
no reason to believe that an Enterprise board was not aware of an MRA or the status of
outstanding MRAs, based on its review of management presentations to the board.

While “serious deficiencies” in Enterprise management’s practices, policies, procedures, and
controls give rise to an MRA, DER defers to that same management team to report the MRA
to the Enterprise’s board. Although the OCC either requires that the remediation plan be
part of the MRA or requires the board to submit a remediation plan within 30 days, and the
Federal Reserve requires the board to submit the proposed remediation plan, FHFA leaves
development and submission of a proposed remediation plan to Enterprise management
without board review or approval. Nothing in FHFA’s requirements or guidance
contemplates board involvement in the development of a remediation plan or board approval
of the plan before its submission to FHFA. FHFA acknowledged to us that it “is a
management responsibility to develop and approve the design of MRA” remediation plans.

       Follow-Up

OCC guidance outlines a board’s responsibilities to monitor MRA remediation and to ensure
MRA resolution. In Bulletin 2014-52, the OCC advises boards of its regulated entities that
they are responsible for ensuring timely and effective correction of deficient practices
identified in an MRA.29 The bulletin sets forth specific board obligations, including:

          “[H]olding management accountable for the deficient practices”;

          “[D]irecting management to develop and implement corrective actions”;

          “[A]pproving the necessary changes to the bank’s policies, processes, procedures, and
           controls”; and

          “[E]stablishing processes to monitor progress and verify and validate the effectiveness
           of management’s corrective actions.”30

The Comptroller’s Handbook encourages frequent communication between the board and
examiners throughout management’s efforts to remediate an MRA.

The Federal Reserve also imposes oversight and reporting requirements on a board. The
Federal Reserve Manual requires a board to report on management’s plan to remediate the
deficiencies identified in an MRA, on the status of remediation progress, and on resolution of

29
     OCC, OCC Bulletin 2014-52, Matters Requiring Attention, supra note 27.
30
     Id.



                                    OIG  EVL-2016-005  March 31, 2016                              13
all deficiencies. Additionally, for an MRIA, the board must make a written commitment to a
remedial time frame.

Like the OCC and the Federal Reserve, FHFA maintains that an Enterprise board is ultimately
responsible for ensuring that “the conditions and practices that gave rise to examination
findings are corrected in a timely manner.” DER officials informed us that they did not
engage in ongoing communications directly with Enterprise boards about management’s
progress in remediating an MRA, and DER guidance does not contemplate regular
communications between an Enterprise board and DER examiners during the remedial
process.31 FHFA acknowledged to us that it has no supervisory expectations for an Enterprise
board to oversee management’s efforts to remediate an MRA on an ongoing basis. According
to FHFA, the responsibilities of an Enterprise board are limited to monitoring MRA
remediation, not oversight:32 an Enterprise board is expected only to receive reports from
management on the progress of its efforts to remediate its practices that gave rise to the MRA
issued by FHFA. As a consequence, Enterprise directors lack a reasonable basis on which to
vigorously scrutinize efforts by the executive officers to address all of FHFA’s supervisory
concerns in a timely and appropriate manner.

Internal guidance promulgated by DER tasks the Internal Audit function of an Enterprise to
determine, after management has completed its MRA remediation, the effectiveness of such
corrective actions. Because the Internal Audit function of each Enterprise reports to the Audit
Committee of an Enterprise board, FHFA suggested to us that the oversight duties of an
Enterprise board would be satisfied by receipt of the Internal Audit report on its testing
of the adequacy of MRA remediation. Such limited oversight by an Enterprise board of
management’s efforts to remediate an MRA creates the risk that an Enterprise board will be
unable to satisfy FHFA’s governance obligations.33



31
  While FHFA requires an Enterprise board to respond in writing to the annual ROE, it does not require the
ROE to identify existing MRAs.
32
   “[I]n order to be effective, a director must do more than simply monitor management’s performance.
Applicable standards require that a director must actively undertake vigorous scrutiny of the corporation’s
affairs, and must be unfailingly vigilant in requiring that management continuously provide an adequate and
frequent flow of information concerning the goals, objectives, operations, and financial condition of the
corporation.” Office of Federal Housing Enterprise Oversight, Report of the Special Examination of Fannie
Mae, at 280 (May 2006) (online at
www.fhfa.gov/Media/PublicAffairs/PublicAffairsDocuments/20060517_SpecialExaminationFannieMae_N508
.pdf).
33
   Those obligations include ensuring that the conditions and practices that gave rise to any supervisory
concerns are corrected (FHFA, FHFA Examination Manual, supra note 6, at 23); ensuring that executive
officers have been “responsive[]…in addressing all supervisory concerns of FHFA in a timely and appropriate
manner” (12 C.F.R. § 1239.4(c)(1), (3)); and holding management accountable for remediating those
conditions and practices (FHFA, FHFA PMOS, supra note 13).



                                   OIG  EVL-2016-005  March 31, 2016                                        14
FINDINGS .................................................................................

1. FHFA’s acknowledgement that DER informs only Enterprise management of an MRA, and
   then relies on management to communicate that information to an Enterprise board, creates a
   significant risk that management will put its own spin on the deficiencies giving rise to the
   MRA or will filter the information it provides to the Board.

2. FHFA’s determination that Enterprise management is solely responsible for development and
   submission of a proposed MRA remediation plan, without requiring any board review or
   approval, creates a significant likelihood that Enterprise directors lack a reasonable basis on
   which to affirm to FHFA that adequate and timely corrective actions have been taken or will
   be taken to resolve the MRA, as required by the Examination Manual.

3. Because FHFA acknowledged to us that it has no supervisory expectations for an Enterprise
   board to oversee management’s efforts to remediate an MRA on an ongoing basis and
   maintained that the responsibilities of an Enterprise board are limited to monitoring MRA
   remediation based on reports from management, there is a risk that an Enterprise board could
   become no more than a bystander to management’s efforts to remediate an MRA, and FHFA
   risks prolonged or inadequate resolution of the most serious threats to the Enterprises’ safety
   and soundness.


CONCLUSION ............................................................................

FHFA consistently maintains, based on the language of its authorizing statute, that its
supervisory authority over the institutions it regulates “is virtually identical to—and clearly
modeled on—Federal bank regulators’ supervision of banks.” MRAs have long been used by
federal banking regulators to identify and communicate significant deficiencies to regulated
financial institutions, and, since 2008, FHFA has issued MRAs for the most serious
supervisory matters requiring prompt correction. Like the OCC and the Federal Reserve,
FHFA charges Enterprise directors with responsibility for ensuring that management corrects
the conditions and practices that gave rise to an MRA in a timely manner.

For directors to be held responsible for ensuring that the conditions and practices giving rise
to an MRA are effectively and timely corrected by management, they must be aware that an
MRA has issued and the specific deficiencies identified in it, review or approve the plan to
correct the deficiencies, oversee management’s remedial efforts on an ongoing basis, confirm
that the remedial actions are effective, and hold management accountable for the deficiencies.
Requirements established by the OCC and Federal Reserve clarify the oversight
responsibilities of a board of a regulated entity to ensure timely and effective correction

                              OIG  EVL-2016-005  March 31, 2016                                 15
of MRA deficiencies before they adversely affect the entity’s safety and soundness. FHFA,
however, has elected to communicate its supervisory findings solely to Enterprise
management, to charge Enterprise management with responsibility to develop and submit
a remediation plan without board review, and to be satisfied by a board’s receipt of MRA
remediation updates solely through the lens of management. Absent clear supervisory
expectations from FHFA, there is a significant risk that an Enterprise board could become
no more than a bystander to management’s efforts to remediate MRAs, and FHFA risks
prolonged or inadequate resolution of the most serious threats to the Enterprises’ safety and
soundness.




                              OIG  EVL-2016-005  March 31, 2016                               16
RECOMMENDATIONS ...............................................................
OIG recommends that FHFA:
       1. Revise its supervision guidance to require DER to provide the Chair of the Audit
          Committee of an Enterprise Board with each conclusion letter setting forth an MRA;
       2. Revise its supervision guidance to require DER to provide the Chair of the Audit
          Committee of an Enterprise Board with each plan submitted by Enterprise
          management to remediate an MRA with associated timetables and the response
          by DER;
       3. Revise its supervision guidance to require DER to identify all open MRAs in
          the annual, written ROE and the expected timetable to complete outstanding
          remediation activities;
       4. Include in this year’s ROE, to be issued to each Enterprise for 2015 supervisory
          activities, all open MRAs and the expected timetable to complete outstanding
          remediation activities for each open MRA.


FHFA’S COMMENTS AND OUR RESPONSE .................................
We provided FHFA an opportunity to respond to a draft report of this evaluation. FHFA
provided technical comments on the draft report, which were incorporated as appropriate. In
its management response, which is reprinted in its entirety in Appendix A, FHFA agreed with
recommendations 1, 3, and 4. FHFA “partially agree[d]” with recommendation 2: it agreed to
“send the chair of the board audit committee a copy of DER’s written response to each MRA
remediation plan” but refused to agree to provide the MRA remediation plan, which provides
the basis for DER’s written response, directly to the chair of the board audit committee. Instead,
FHFA committed to communicate “to Enterprise management the supervisory expectation
for clear, timely, detailed reporting to the boards of directors on open remediation plans and
associated timetables” and its “expectations about circumstances in which remediation plans
should be provided by management to the chair of the board audit committee.”

As we demonstrate in this report, it is the responsibility of an Enterprise board to oversee
management’s efforts to correct all supervisory deficiencies identified by FHFA in a timely and
appropriate manner and to hold management accountable. No board can exercise its oversight
responsibilities if it lacks the approved remediation plans, which include the agreed upon
deliverables and timetables for completion of remediation. Lacking the approved remediation
plan with agreed upon deliverables and timetables, an Enterprise board is limited to monitoring
management’s remedial efforts, which falls far short of its oversight responsibilities under
FHFA’s governance principles and guidance.


                               OIG  EVL-2016-005  March 31, 2016                                   17
OBJECTIVE, SCOPE, AND METHODOLOGY .................................

The objective of this report was to evaluate what responsibilities FHFA imposes on an
Enterprise’s board of directors when an MRA issues, and to compare those responsibilities to
those imposed by other federal financial regulators.

To achieve this objective, we reviewed publicly available documents, internal DER and DBR
documents, and FHFA regulations. We also reviewed publicly available guidance published
by the OCC and the Federal Reserve.

Our work was conducted under the authority of the Inspector General Act and in accordance
with the Council of the Inspectors General on Integrity and Efficiency’s Quality Standards for
Inspection and Evaluations (January 2012). These standards require us to plan and perform
an evaluation based upon evidence sufficient to provide reasonable bases to support its
findings and recommendations. We believe that the findings and recommendations discussed
in this report meet these standards.

The performance period for this evaluation was from October 2015 to February 2016.




                             OIG  EVL-2016-005  March 31, 2016                                 18
APPENDIX A .............................................................................

FHFA’s Comments on OIG’s Findings and Recommendations




                           OIG  EVL-2016-005  March 31, 2016                       19
OIG  EVL-2016-005  March 31, 2016   20
OIG  EVL-2016-005  March 31, 2016   21
ADDITIONAL INFORMATION AND COPIES .................................


For additional copies of this report:

      Call: 202-730-0880

      Fax: 202-318-0239

      Visit: www.fhfaoig.gov



To report potential fraud, waste, abuse, mismanagement, or any other kind of criminal or
noncriminal misconduct relative to FHFA’s programs or operations:

      Call: 1-800-793-7724

      Fax: 202-318-0358

      Visit: www.fhfaoig.gov/ReportFraud

      Write:

                FHFA Office of Inspector General
                Attn: Office of Investigations – Hotline
                400 Seventh Street SW
                Washington, DC 20219




                               OIG  EVL-2016-005  March 31, 2016                         22