Federal Housing Finance Agency Office of Inspector General FHFA’s Inconsistent Practices in Assessing Enterprise Remediation of Serious Deficiencies and Weaknesses in its Tracking Systems Limit the Effectiveness of FHFA’s Supervision of the Enterprises Evaluation Report EVL-2016-007 July 14, 2016 Executive Summary As the regulator of Fannie Mae and Freddie Mac (collectively, the Enterprises) and of the Federal Home Loan Banks (FHLBanks), the Federal Housing Finance Agency (FHFA) is tasked by statute to ensure that these entities operate safely and soundly so that they serve as a reliable source of liquidity and funding for housing finance and community investment. Examinations of EVL-2016-007 its regulated entities are fundamental to FHFA’s supervisory mission. July 14, 2016 FHFA has directed its Division of Enterprise Regulation (DER) to conduct supervisory activities of the Enterprises and its Division of Federal Home Loan Bank Regulation (DBR) to conduct these activities for the FHLBanks. When DER or DBR identifies a deficiency, it will classify the deficiency as a Matter Requiring Attention (MRA), a violation, or a recommendation. According to FHFA, MRAs are “the most serious supervisory matters.” FHFA requires the regulated entities to promptly remediate MRAs. Examiners are required to “check and document” the progress of MRA remediation. In FHFA Office of Inspector General’s (OIG) 2016 Audit and Evaluation Plan, we explained our intent to focus our resources on programs and operations that pose the greatest financial, governance, and reputational risk to FHFA, the Enterprises, and the FHLBanks. One of the four areas we identified was FHFA’s rigor in its supervision of the Enterprises and the FHLBanks. According to FHFA, a key component of effective supervision is close oversight of efforts by an entity it regulates to correct identified supervisory concerns. This evaluation is one in a series of OIG reports that assess the robustness of FHFA’s policies, procedures, and practices governing its oversight of remediation of supervisory concerns by a regulated entity. In this evaluation, we compared the MRA tracking systems used by two federal financial regulators and DBR to those used by the DER Fannie Mae and Freddie Mac examination teams. We found substantial weaknesses in DER’s tracking systems that limit significantly the utility of those systems as a tool to monitor the Enterprises’ efforts to remediate deficiencies giving rise to MRAs. We also reviewed a sample of open and closed MRAs issued to each Enterprise by DER to assess whether DER examiners performed independent assessments of the timeliness and adequacy of each Enterprise’s efforts to remediate the MRA. Our review found a lack of consistent independent analysis by DER examiners of the timeliness and adequacy of each Enterprise’s remedial efforts. We make six recommendations to address these shortcomings. FHFA agreed with two recommendations, partially agreed with two, and disagreed with the remaining two. This report was prepared by Minh-Tu Greenberg, Investigative Counsel, and Desiree Yang, Financial Analyst. We appreciate the cooperation of FHFA staff, as well as the assistance of all those who contributed to the preparation of this report. This report has been distributed to Congress, the Office of Management and Budget, and others and will be posted on our website, www.fhfaoig.gov. EVL-2016-007 July 14, 2016 Angela Choy Assistant Inspector General for Evaluations TABLE OF CONTENTS ................................................................ EXECUTIVE SUMMARY .............................................................................................................2 ABBREVIATIONS .........................................................................................................................6 BACKGROUND .............................................................................................................................7 FACTS .............................................................................................................................................8 FHFA Guidance on MRA Follow-Up and Documentation ......................................................8 Tracking Systems to Aid Supervisory Oversight .............................................................9 MRA Tracking Systems Used by the OCC and Federal Reserve...................................10 MRA Tracking System Used by DBR ............................................................................11 DER Lacks a Unified MRA Tracking System................................................................12 Freddie Mac Examination Team’s MRA Tracking System ...........................................12 Fannie Mae Examination Team’s MRA Tracking System .............................................14 Review of DER Oversight of 18 MRAs Issued to the Enterprises Found Inconsistent Compliance with FHFA Requirements and Guidance ...........................................................15 Freddie Mac MRAs ........................................................................................................16 Fannie Mae MRAs ..........................................................................................................18 FINDINGS .....................................................................................................................................20 1. DER’s MRA tracking systems lack important prospective dates and the tracking system for Fannie Mae MRAs does not provide ready access to underlying remediation documents, thus rendering those systems of limited utility in tracking the progress of MRA remediation. .........................................................................................20 2. DER examiners did not consistently conduct and document independent assessments of the timeliness and adequacy of the Enterprises’ remediation efforts. ............21 CONCLUSIONS............................................................................................................................22 RECOMMENDATIONS ...............................................................................................................23 FHFA COMMENTS AND OIG RESPONSE ...............................................................................24 OBJECTIVE, SCOPE, AND METHODOLOGY .........................................................................26 OIG EVL-2016-007 July 14, 2016 4 APPENDIX A ................................................................................................................................28 FHFA’s Comments on OIG’s Findings and Recommendations ............................................28 ADDITIONAL INFORMATION AND COPIES .........................................................................32 OIG EVL-2016-007 July 14, 2016 5 ABBREVIATIONS ....................................................................... AB 2012-01 FHFA’s Advisory Bulletin 2012-01, Categories for Examination Findings DBR Division of Federal Home Loan Bank Regulation DER Division of Enterprise Regulation EIC Examiner-in-Charge Enterprises Fannie Mae and Freddie Mac, collectively Federal Reserve Board of Governors of the Federal Reserve System FHFA or Agency Federal Housing Finance Agency FHLBanks Federal Home Loan Banks FMS Findings Management System MRA Matter Requiring Attention OCC Office of the Comptroller of the Currency OQA Office of Quality Assurance OIG EVL-2016-007 July 14, 2016 6 BACKGROUND .......................................................................... Since 2008, FHFA has operated as both regulator and conservator of the Enterprises and regulator of the FHLBanks. Like other federal financial regulators, FHFA uses a risk-based approach to supervision. DER, which supervises the Enterprises, conducts continuous ongoing monitoring and targeted examinations into strategically selected areas of high importance or risk at each Enterprise pursuant to an annual supervisory plan.1 DBR, which supervises the FHLBanks, conducts annual examinations, periodic visits, special reviews, and off-site monitoring. Both DER and DBR issue an annual report of examination to each Enterprise and FHLBank, respectively, after the end of each annual supervisory cycle.2 When conducting their supervisory activities, FHFA examiners may identify supervisory concerns or deficiencies occurring at a regulated entity. FHFA categorizes such examination findings into one of three categories: (1) recommendations, (2) violations, or (3) Matters Requiring Attention (MRAs). According to FHFA, only “the most serious supervisory matters” are categorized as MRAs. FHFA will issue an MRA for such matters as “non- compliance with laws or regulations that result or may result in significant risk of financial loss or damage,” “repeat deficiencies that have escalated due to insufficient action or attention,” “unsafe or unsound practices,” “matters that have resulted, or are likely to result, in a regulated entity being in an unsafe or unsound condition,” and “breakdowns in risk management, significant control weaknesses, or inappropriate risk-taking.”3 FHFA requires the regulated entities to promptly remediate MRAs. FHFA’s Advisory Bulletin 2012-01, Categories for Examination Findings (AB 2012-01) directs that an Enterprise’s remediation plan to correct MRA deficiencies contain specific milestones reflecting the seriousness of the MRA, taking into consideration the complexity of the issue and the urgency of correction. 1 Through ongoing monitoring, DER examiners evaluate the Enterprises’ operations and risk management by meeting with Enterprise management and reviewing management and board reports. Examiners may also conduct ongoing monitoring to determine the status of the Enterprises’ compliance with supervisory guidance and conservatorship directives and remediation of Matters Requiring Attention (MRAs). Targeted examinations enable examiners to conduct a deep or comprehensive assessment of selected areas of high importance or risk. DER examiners conduct targeted examinations on an as needed basis, determined by risk. DER has issued most MRAs out of targeted examinations. 2 For more information on annual reports of examination, see OIG, FHFA’s Failure to Consistently Identify Specific Deficiencies and Their Root Causes in Its Reports of Examination Constrains the Ability of the Enterprise Boards to Exercise Effective Oversight of Management’s Remediation of Supervisory Concerns (July 14, 2016) (EVL-2016-008) and OIG, FHFA Failed to Consistently Deliver Timely Reports of Examination to the Enterprise Boards and Obtain Written Responses from the Boards Regarding Remediation of Supervisory Concerns Identified in those Reports (July 14, 2016) (EVL-2016-009). 3 FHFA, Advisory Bulletin 2012-01, Categories for Examination Findings, at 2 (Apr. 2, 2012) (online at www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/AB-2012-01-CATEGORIES-FOR- EXAMINATION-FINDINGS.aspx (accessed July 1, 2016). OIG EVL-2016-007 July 14, 2016 7 Examiners are required to “check and document” the progress of MRA remediation “at an interval determined by the [Examiner-in-Charge] and guided by the remediation plan.” FHFA consistently maintains, based on the language of its authorizing statute,4 that its supervisory authority over its regulated entities “is virtually identical to – and clearly modeled on – Federal bank regulators’ supervision of banks.” In a recent evaluation, we compared FHFA’s requirements and supplemental guidance regarding oversight of MRA remediation by a regulated entity with those of other federal financial regulators and found the requirements and guidance to be similar.5 Specifically, we found that FHFA, and other federal financial regulators, require examiners to monitor the progress of MRA remediation by a regulated entity and to regularly assess the timeliness and adequacy of the entity’s remedial efforts. Then, we reviewed DER’s oversight of one Enterprise’s remediation efforts against the requirements and guidance issued by FHFA and DER, and found that such oversight fell far short of the mark. In that instance, we found no evidence that DER assessed the adequacy or timeliness of the Enterprise’s efforts to remediate the MRA over a 30-month period, as required by Agency requirements and guidance. In light of that finding, we performed this evaluation to determine the effectiveness of the MRA tracking systems used by the two DER examination teams and the extent to which, over a larger sample of MRAs, examiners conducted independent analyses of the Enterprises’ remediation efforts, as required by FHFA.6 FACTS ....................................................................................... FHFA Guidance on MRA Follow-Up and Documentation FHFA requirements define an examiner’s follow-up responsibilities for MRA remediation. Those responsibilities include an assessment of materials provided by the regulated entity, discussions with the responsible parties at the regulated entity, and testing (if appropriate) 4 Federal Housing Enterprises Financial Safety and Soundness Act of 1992, 12 U.S.C. § 4501 et seq. and § 4513, as amended by Sections 1101 and 1102 of the Housing and Economic Recovery Act of 2008, and § 4517(e). 5 See OIG, FHFA’s Examiners Did Not Meet Requirements and Guidance for Oversight of an Enterprise’s Remediation of Serious Deficiencies (Mar. 29, 2016) (EVL-2016-004) (online at www.fhfaoig.gov/Content/Files/EVL-2016-004.pdf). 6 Id. at 20 (“MRA follow-up, as defined by FHFA and DER, is not limited to listening to an Enterprise explain what actions the Enterprise has planned or is undertaking to correct MRA deficiencies. Fundamental to the requirement for DER examiner follow-up . . . is a regular assessment of the timeliness and adequacy of the Enterprise’s remedial efforts.”). OIG EVL-2016-007 July 14, 2016 8 to determine the entity’s progress against an acceptable remedial plan.7 FHFA requires examiners to document all of their follow-up activities, including details on the status of the MRA. Should examiners determine that an entity has not made progress in remediating deficiencies and/or has missed established milestones, AB 2012-01 instructs that other supervisory actions should be considered. Currently, the intervals at which FHFA examiners must “check and document progress” are “determined by the [Examiner-in-Charge] and guided by the remediation plan,” rather than by FHFA requirements or guidance. In January 2014, DER issued internal guidance governing the creation and storage of examination documents, including documents relating to MRAs.8 Pursuant to this guidance, examiners must prepare a procedures document for each MRA, prior to the commencement of fieldwork, which describes the steps examiners intend to take in monitoring and assessing an Enterprise’s remedial activities.9 Under 2014-DER-OPB-01, the procedures document is not intended to be a static document; examiners are required to update it “as necessary.” Unlike DER’s prior guidance in effect through 2013, which required examiners to update the procedures document at least quarterly with a current status of the MRA,10 its current guidance, 2014-DER-OPB-01, does not require DER examiners to update the procedures document on a regular, specified basis but directs them to “document the steps taken to achieve the objective(s)” (emphasis added) in procedures documents and to adjust the procedures document as necessary. This same guidance directs examiners to document the results of their monitoring and assessment activities in designated work papers such as correspondence, meeting notes, and analysis memoranda. Analysis memoranda “[m]ust appropriately link to the procedures document to show how the execution of the procedures resulted in the conclusions.” Procedures documents may contain links to, or may be imbedded with, important underlying work papers. Tracking Systems to Aid Supervisory Oversight To enhance effective supervisory oversight of efforts by a regulated entity to correct deficiencies identified during supervisory activities, federal financial regulators, including the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Federal Reserve), and FHFA use tracking systems. Although these tracking 7 See FHFA, AB 2012-01, Categories for Examination Findings, supra note 3. 8 See FHFA, DER Operating Procedures Bulletin 2014-DER-OPB-01, Guidelines for Preparing Supervisory Products and Examination Workpapers (Jan. 27, 2014) (2014-OPB-01). 9 Id. 10 FHFA, DER Supervisory Guide 2.0, at 31 (Sept. 8, 2009). OIG EVL-2016-007 July 14, 2016 9 systems vary in sophistication and capabilities, the purported purpose of each system is to enable examiners and their supervisors to quickly access deadlines in the remediation process and information about the status of remediation efforts. MRA Tracking Systems Used by the OCC and Federal Reserve The OCC has developed and implemented a tracking system that contains information for all MRAs issued to the banks it supervises. OCC requires its examiners to enter each “supervisory concern” into the tracking system, along with a description of the underlying basis for the MRA. OCC examiners also enter the critical dates and events in the remediation process, including the date the OCC issued the MRA, the date the bank is expected to complete remedial action, the date OCC examiners intend to follow up on remedial progress, the date OCC examiners expect to validate remediation,11 and the actual date that remediation is validated. The system also has a field in which examiners can enter comments or observations. Each quarter, until the MRA is closed, OCC examiners must “assess and document the board and management’s efforts to address concern(s)” directly into the OCC tracking system. Each supervisory concern in OCC’s tracking system contains a live link to the supporting documents so that examiners and OCC management can easily access important underlying work papers. OCC officials advised us that its examiners use the tracking system to generate a wide range of reports to enhance OCC’s supervision of individual banks (including banks that have failed to timely remediate MRAs or banks with a significant number of open MRAs) and to generate reports that identify trends in supervisory concerns across entities. According to these officials, reports from the tracking system help examiners follow up on MRA remediation and are reviewed regularly by supervisory managers and OCC officials. The Federal Reserve also uses a tracking system to monitor the progress of MRA remediation. Its unified tracking system contains information on all of the entities the Federal Reserve regulates. Like the OCC, Federal Reserve examiners enter a detailed description of each MRA into the system along with critical dates in the remediation process, including the date of MRA issuance, the expected response date for the remedial plan, examiner follow-up dates, and the projected date for completion of the entity’s remedial efforts. The Federal Reserve’s tracking system also contains a field in which examiners can record their comments and observations. For each entry in the Federal Reserve’s tracking system, examiners can insert a hyperlink to the source documents pertaining to the MRAs. When a tracked date approaches, the tracking system generates and sends an email reminder to designated examiners and 11 Validation is the process by which the OCC confirms the effectiveness and sustainability of corrective action(s) that the bank implemented. OIG EVL-2016-007 July 14, 2016 10 supervisors to facilitate timely follow-up.12 Similar to the OCC, the Federal Reserve uses its tracking system to generate preset and customized reports on the status of MRA remediation. Federal Reserve officials informed us that the system’s reporting function is one of its most important tools because it provides transparency to supervisory activities. MRA Tracking System Used by DBR In response to our 2012 evaluation, FHFA’s Oversight of Troubled Federal Home Loan Banks,13 DBR developed and implemented a SharePoint-based tracking system that provides DBR examiners and managers, and FHFA officials, with ready access to the status of examination findings.14 This Findings Management System (FMS) tracks all examination findings (MRAs, violations, and recommendations) issued to the FHLBanks and the Office of Finance each year. The FMS data fields include the date of the supervisory finding and the date remediation is due. DBR requires examiners to upload certain key documents into FMS and to save the remainder of the remediation work papers in FHFA’s electronic record- keeping system. To ensure the integrity of FMS data, DBR directs that a quality control review be performed, prior to the completion of each annual report of examination, to ensure consistency between the uploaded FMS data and the supporting documentation. In a recent compliance review, we tested documentation for a randomly selected sample of supervisory concerns entered into FMS and determined that DBR examiners complied with DBR procedures for ensuring the accuracy and timeliness of FMS data.15 DBR officials reported to us that FMS represents a definite improvement over DBR’s former manual processes. According to these officials, FMS allows DBR to track examination findings for one FHLBank during one DBR annual examination and to track findings for the same bank 12 Email notifications are sent to individuals on an opt-in basis. 13 In EVL-2012-001, OIG found that DBR lacked an automated management information system that provided ready access to information about the deficiencies identified in its examinations and the status of efforts to address them. At the time, DBR examiners documented their findings and tracked corrective action on individual computer spreadsheets. Different examiners used different spreadsheets, and the data entered into the spreadsheets were not readily accessible to Agency management or part of a unified reporting system. We found that those deficiencies limited DBR’s capacity to identify trends in examination findings and the FHLBanks’ progress in correcting deficiencies. Based on these findings, OIG recommended that DBR develop and implement an automated management reporting system for FHLBank examination findings. DBR agreed with the recommendation and stated that it would develop an “automated information system” to track, among other things, examination findings and planned corrective actions. See OIG, FHFA’s Oversight of Troubled Federal Home Loan Banks (Jan. 11, 2012) (EVL-2012-001) (online at www.fhfaoig.gov/Content/Files/Troubled%20Banks%20EVL-2012-001.pdf). 14 See FHFA, Operating Procedure Bulletin 2012-DBR-OPB-04, Findings Management System (Dec. 31, 2012). 15 See OIG, FHFA’s Implementation of Its Automated System to Track Deficiencies Identified in Federal Home Loan Bank Examinations (May 26, 2016) (COM-2016-003). OIG EVL-2016-007 July 14, 2016 11 over multiple annual examinations. Additionally, these officials advised us that FMS enables DBR supervisors to obtain consistent information about supervisory findings, to quickly analyze trends in findings, and to identify issues across the universe of FHLBank examinations. DER Lacks a Unified MRA Tracking System Unlike DBR, the OCC, and the Federal Reserve, DER lacks a unified system to track MRAs it issues to the Enterprises. As a result, the examination teams for Fannie Mae and Freddie Mac use different MRA tracking systems. In July 2013, FHFA’s Office of Quality Assurance (OQA), which is charged with reviewing FHFA’s supervision of the Enterprises,16 issued a report finding that DER lacked an adequate system to store, retrieve, and track examination information, including information regarding the progress of MRA remediation. In response to that report, DER committed to work with other FHFA offices to “redesign the examination record-keeping system, including MRA tracking.” DER, however, did not design a unified MRA tracking system. According to a DER official, its then-deputy director “did not have the appetite” to do so. Consequently, DER allowed the Fannie Mae and Freddie Mac examination teams to continue using separate MRA tracking systems. Freddie Mac Examination Team’s MRA Tracking System In June 2012, DER’s Freddie Mac examination team rolled out guidelines for tracking, documenting, and reporting on the status of MRA remediation. The team updates this guidance periodically, most recently in 2015. Pursuant to these guidelines, Freddie Mac examiners track and document MRA remediation in an electronic Excel spreadsheet known as Freddie MRA Tracking and Reporting (FRE MRA Tracking System). The FRE MRA Tracking System contains a number of data fields for each MRA issued to Freddie Mac, including the date the MRA issued, a description of the MRA, the date the examiners expect to receive a closure package from Freddie Mac management reporting on the completed remedial actions,17 and the date Freddie Mac’s internal audit department completes its 16 OQA is responsible for evaluating the quality of work performed by DER, DBR, and the Division of Housing Mission and Goals. 17 Freddie Mac management submits a “closure package” to its own internal audit department, with a copy to DER, when it believes it has completed the approved remedial action plan. At that point, the Enterprise’s internal audit department performs validation work. DER considers an MRA to be “validated” when the Enterprise’s internal audit function concludes that the remedial action is implemented, effective, and sustainable. After this validation is provided, DER examiners are expected to review and “confirm” internal OIG EVL-2016-007 July 14, 2016 12 validation of management’s remedial actions. It also contains comment fields for each MRA where DER examiners can – but are not required to – record their independent assessments of the adequacy of Freddie Mac’s remediation for that MRA. Guidance from the Freddie Mac examination team requires every Freddie Mac examiner to review and update the status of each MRA in the comment field of the FRE MRA Tracking System “by the end of each month.” This guidance, however, does not define the expected content of these monthly updates. The content could consist of: information reported exclusively by the Enterprise; information learned primarily from the Enterprise; or independent examiner assessments of the timeliness and adequacy of an Enterprise’s remedial progress. Unlike the tracking systems used by the OCC or Federal Reserve, the FRE MRA Tracking System lacks a dedicated field for examiners to enter the date(s) they plan to follow up on remedial progress or a dedicated field to enter the expected validation date by Freddie Mac’s internal audit department. Moreover, the FRE MRA Tracking System does not track the anticipated date that DER examiners will review and “confirm” the validation work by Freddie Mac’s internal audit. Current DER guidance does not require examiners to identify and track these dates. FHFA, through AB 2012-01, directs that examiner oversight of remedial efforts by a regulated entity “should include an assessment of materials provided by the regulated entity, discussions with the responsible parties at the regulated entity, and testing, if appropriate, to determine progress against a remediation plan.” Notwithstanding that instruction, a senior DER official advised us in a prior evaluation that DER examiners were not required to check remedial progress made by an Enterprise against the milestones in its proposed remediation plan and that any changes of such milestones would be documented by Enterprise management, not DER. Consistent with DER’s position and practice, the FRE MRA Tracking Report does not contain fields that track the due dates for interim deliverables or milestones nor does it contain fields in which examiners are required to provide written assessments of the adequacy or timeliness of Freddie Mac’s remedial efforts. For each MRA, the FRE MRA Tracking System contains a link to the folder in FHFA’s electronic record-keeping system in which all the documents relating to the MRA are required to be filed.18 In addition, there is a direct link to the procedures document (also maintained in the electronic record-keeping system), which describes the steps DER examiners intend to take in overseeing and assessing Freddie Mac’s remedial efforts and documents the steps audit’s work. Internal audit’s role in validating management’s remediation of MRAs is more fully discussed on pages 17-18 of this report. 18 Internal guidance from the Freddie Mac examination team requires all Freddie Mac examiners to store all documents related to both ongoing and completed MRA remediation in FHFA’s electronic record-keeping system, noting that a “centralized location facilitates streamlined MRA management.” OIG EVL-2016-007 July 14, 2016 13 taken when they are completed. Thus, the relevant documents relating to an MRA – including the procedures document, analysis memos, and meeting notes – are readily accessible through links from the FRE MRA Tracking System. DER’s Freddie Mac examination team generates a monthly examination status (status report) for the DER Deputy Director. The status report provides information on MRAs with information extracted from the Freddie MRA Tracking Report, including the issuance date for each MRA, a brief status update on the progress of remediation or status of each open MRA, and a list of MRAs closed during the current calendar year. It also contains, for each MRA, a link to FHFA’s electronic record-keeping system in which the remediation documents are stored. Fannie Mae Examination Team’s MRA Tracking System Beginning in 2013, the Fannie Mae examination team uses a SharePoint intranet site called FNM SharePoint Tracking System to track the progress of MRAs. The FNM SharePoint Tracking System includes data fields for the projected date by which Fannie Mae is expected to complete remediation, the actual date Fannie Mae internal audit notifies DER that its verification work is complete, and the actual date in which DER closes or rescinds the MRA. The FNM SharePoint Tracking System contains comment fields into which examiners may – but are not required to – enter their independent assessments of the adequacy of Fannie Mae’s ongoing remediation. However, the FNM SharePoint Tracking System does not contain a number of fields used in the other tracking systems described in this evaluation. It lacks fields to track the due dates of interim milestones (and deliverables) in Fannie Mae’s remediation plan,19 examiner follow- up dates, the expected validation date by Fannie Mae internal audit, and the date by which DER examiners are expected to review and confirm Fannie Mae’s internal audit validation work. While DER recognizes that the FNM SharePoint Tracking System does not contain separate fields to track these categories of information, it maintains that all of this information can be found in the examination documentation. Because the FNM SharePoint Tracking System provides no live links to the examination documentation, including the procedures documents, the documentation cannot be accessed directly from the FNM SharePoint Tracking System. The FNM SharePoint Tracking System does not provide a link to the underlying repository of MRA remediation documents. Furthermore, examiners for Fannie Mae are not required to store MRA remediation documents in FHFA’s electronic record-keeping system until after an 19 An examiner can enter interim milestones in the comments field. OIG EVL-2016-007 July 14, 2016 14 MRA is closed. Until that time, they store remediation documents on separate SharePoint sites maintained by the various examination risk groups responsible for monitoring MRAs.20 While Fannie Mae examiners can upload supporting documents into the FNM SharePoint Tracking System, two Fannie Mae examiners explained to us that the team uploads only selected documents, such as conclusion letters or non-objection letters.21 The Fannie Mae examination team does not provide monthly or regular status reports on MRA remediation to the DER Deputy Director. DER informed us that the deputy director can personally generate and run reports from the tracking system and can request reports from examiners. Review of DER Oversight of 18 MRAs Issued to the Enterprises Found Inconsistent Compliance with FHFA Requirements and Guidance In a recent evaluation, we found significant shortcomings in DER’s oversight of an Enterprise’s remediation of one MRA.22 To determine whether these shortcomings were limited to this one MRA or were more widespread, we reviewed DER materials for a random sample of eight Freddie Mac MRAs and ten Fannie Mae MRAs issued to the Enterprises between January 1, 2013, and November 6, 2015 (the review period).23 We reviewed three phases of DER’s remediation oversight: DER’s analysis of the Enterprises’ proposed remediation plans; DER’s assessment of ongoing Enterprise remediation activities; and, for those MRAs for which the Enterprise claimed complete remediation, DER’s analysis of the Enterprises’ corrective actions. For each of these three phases, we reviewed the documentation made available to us by FHFA to determine whether DER examiners performed independent analyses or assessments, or merely recorded information that the Enterprises provided. Where we found no documentation, or where the documentation recited information from an Enterprise without any analysis, or where documentation reflected that DER agreed with an Enterprise’s assertions without any supporting analysis, we concluded that no independent analysis or assessment had been performed by DER examiners. Conversely, we credited DER with performing the independent assessment 20 The Fannie Mae examination team has four different risk groups. 21 DER uses conclusion letters to communicate examination findings, including MRAs, to the Enterprises. Non-objection letters convey DER’s assent to an Enterprise’s remediation plan. 22 See OIG, FHFA’s Examiners Did Not Meet Requirements and Guidance for Oversight of an Enterprise’s Remediation of Serious Deficiencies, supra note 5. 23 We selected a random sample from the list of MRAs that DER issued during the review period. The population of open and closed MRAs was too small to select a representative sample. Thus, the results of our review cannot be statistically projected to the rest of the population. However, the randomness of the sampling allows for the collection of unbiased, evidential material. OIG EVL-2016-007 July 14, 2016 15 required by FHFA where the documentation reflected some independent analysis or assessment by the DER examiner, however limited. Freddie Mac MRAs We reviewed the work papers for a sample of eight MRAs issued by the Freddie Mac examination team during the review period. DER closed four of the eight during the review period, and four remained open as of November 6, 2015. Pursuant to 2013-DER-OPB-1, each Enterprise must respond to an MRA with a proposed remediation plan and DER examiners are required to review each proposed remediation plan and determine “whether the plan is sufficiently detailed and appropriate to resolve the MRA.” When that determination is made, DER issues a non-objection letter. Freddie Mac submitted a proposed remediation plan for each of the eight MRAs, and DER issued a non-objection letter in response to each of them.24 To evaluate whether the Freddie Mac examiners assessed the sufficiency of Freddie Mac’s proposed remediation plans for each of these eight MRAs, we reviewed the following documents, as available, for each MRA: Freddie Mac’s proposed remediation plan, DER’s Analysis Memo supporting its non-objection to each remediation plan, the procedures document, examiner meeting notes, and comments posted in the FRE MRA Tracking Report. For four of the eight, we found no evidence that DER examiners conducted independent analysis of the sufficiency of Freddie Mac’s proposed remediation plan, notwithstanding the requirements of 2013-DER-OPB-1. Once a non-objection letter is issued to the Enterprise for its proposed remediation plan, FHFA’s Examination Manual requires examiners to regularly analyze the adequacy of an Enterprise’s corrective actions, and AB 2012-01 requires those examiners to “check and document progress at an interval determined by the [Examiner-in-Charge] and guided by the remediation plan.” Notwithstanding those requirements, a DER manager informed us that DER considers MRA remediation to be an Enterprise business function and that examiners are not obligated to proactively assess whether the Enterprises’ ongoing corrective actions are adequate or timely, even though FHFA issues MRAs for only “the most serious supervisory matters.” Of the eight Freddie Mac MRAs in our sample, two involved remediation plans that DER accepted in February 2016. Due to the limited remediation period to date, we did not include those MRAs in this portion of our analysis.25 For each of the remaining six sampled MRAs, we sought to evaluate whether Freddie Mac examiners followed FHFA’s requirements for independent assessments of the adequacy and timeliness of Freddie Mac’s ongoing 24 Most of the remediation plans contained the anticipated internal audit validation date. 25 Remediation of these MRAs is projected to continue until August and November 2017. OIG EVL-2016-007 July 14, 2016 16 remediation, or instead followed the practice articulated by the DER manager. To conduct this evaluation, we reviewed the following work papers, when available, for each of the six MRAs: notes of meetings with Freddie Mac staff, summary memos, memos to file, and examiner comments from the FRE MRA Tracking System.26 Based on our review of these materials, we found no evidence of independent assessments of the timeliness or adequacy of Freddie Mac’s remediation efforts for five of the six of the sampled MRAs. The one MRA in which we found independent analysis during the remediation phase involved updating an Enterprise policy. For that MRA, we found a meeting note memorializing an examiner’s statement to the Enterprise that its draft revised policy lacked sufficient clarity and should be revised. Last, we evaluated the basis for DER’s closure of four Freddie Mac MRAs in our sample. In April 2013, DER issued OPB 2013-01, Matters Requiring Attention Process. This guidance sets forth the role of an Enterprise’s internal audit in validating the timeliness and efficacy of that Enterprise’s efforts to remediate an MRA: Upon completion of the action plan and management’s determination that the respective Enterprise has remediated the MRAs, internal audit or an [sic] another independent third party will review and “validate” that the action plan was implemented as intended and that the remediation is complete… The completed validation work does not mean that FHFA has “closed” the MRA… FHFA will assess remediation through on-going monitoring or related targeted examination work. If additional reviews are needed, examiners will conduct the necessary reviews to validate the remediation. DER further addressed the role of Enterprise internal audit in MRA remediation in a July 2013 response to an OQA report: DER has been working with the Internal Audit divisions at both Enterprises to appropriately shift from FHFA to Internal Audit the responsibility to assess that underlying issues associated with the MRA have been addressed. However, DER retains full and sole responsibility for ultimately assessing whether an Enterprise has successfully addressed all issues associated with an 26 The Freddie Mac examination team’s documentation of comments in the tracking report changed over the course of our sample period. During 2013, examiners entered comments quarterly. During 2014, Freddie Mac examiners entered comments on a monthly basis, but saved over the previous month’s comments. Thus, for 2014, the only comments available for our review were for the month of December. This process continued until June 2015, when examiners began retaining monthly comments. To supplement this data limitation, we reviewed the Freddie Mac examiners’ quarterly summary memos from 2013-2015, which discussed, among other things, the progress of MRA remediation. OIG EVL-2016-007 July 14, 2016 17 MRA, as determined through ongoing monitoring and related targeted examination work. FHFA’s Examination Manual, issued in December 2013, contains no guidance on the circumstances under which FHFA examiners may close an MRA in reliance on a regulated entity’s internal audit validation of the timeliness and efficacy of remediation. DER reported to us that the Enterprises’ internal audit departments are responsible for validating the effectiveness and sustainability of the remedial actions taken by the Enterprises and that DER examiners confirm validation.27 For three of the four Freddie Mac MRAs in our sample closed by DER during the review period, we determined that Freddie Mac examiners did independently assess the sufficiency of internal audit’s work or management’s remediation of the deficiency underlying the MRA. Our determination was based on our review of the procedures documents, Freddie Mac’s closure packages, Freddie Mac internal audit work papers, examiner memos to file, and analysis memos by Freddie Mac examiners in support of the closure. For the fourth MRA, we found no evidence of independent analysis by DER examiners of the sufficiency of the validation work performed by Freddie Mac’s internal audit or of management’s underlying remediation activities. Fannie Mae MRAs We reviewed a sample of ten MRAs issued by the Fannie Mae examination team during the review period. Of those ten, DER reported to us that procedures documents were not prepared for two, in disregard of FHFA and DER requirements. Fannie Mae submitted a proposed remediation plan for each of the ten MRAs, and DER issued a non-objection letter in response to each. To evaluate whether Fannie Mae examiners performed independent analyses of the sufficiency of Fannie Mae’s remediation plans, we reviewed, when available, DER’s conclusion letter that issued each MRA, Fannie Mae’s proposed remediation plans, memoranda analyzing remediation plans or supporting non- objection letters, procedures documents, examiner meeting notes, and comments saved to the FNM SharePoint Tracking System. For eight of the ten MRAs, we found evidence of independent analysis of the sufficiency of Fannie Mae’s proposed remediation plan. We found no such evidence for the other two. 27 We plan to assess, in a separate evaluation, DER’s policies, guidance, and practices regarding reliance on the Enterprises’ internal audit function to verify and validate remediation of MRAs, and whether its policies, guidance, and practices are consistent with those of DBR and other federal financial regulators. OIG EVL-2016-007 July 14, 2016 18 Next, we assessed whether Fannie Mae examiners performed independent assessments of the Enterprise’s ongoing remediation efforts. To conduct this assessment, we reviewed the following documents, as available: notes from meetings with Fannie Mae, procedures documents, summary memos, memos to file, and examiner comments saved to the FNM SharePoint Tracking System.28 Of the ten MRAs in our sample, six had a relatively short remediation period of less than three months from issuance of the non-objection letter.29 We therefore did not include those six in our review of interim examiner assessments. However, although management timely submitted closure packages for these six MRAs, we observed that Fannie Mae internal audit did not validate three of the six MRAs until almost a year later.30 For the remaining four MRAs in our sample, which involved Fannie Mae corrective actions over longer periods of time, we found no evidence that DER examiners conducted independent assessments of Fannie Mae’s remediation efforts, despite the requirements and guidance in FHFA’s Examination Manual and AB 2012-01. Finally, of the ten MRAs in our sample, DER closed four during the review period, and we examined the basis for DER’s closure.31 For each of the four, we reviewed the analysis memo justifying DER’s closure of the MRA. Of those, two contained evidence that DER examiners independently analyzed the adequacy and effectiveness of Fannie Mae’s remedial measures. For the other two, DER examiners accepted the results of Fannie Mae’s internal audit validation work without independent analysis. 28 Our review of the comment field for each of the ten MRAs in our sample in the FNM SharePoint Tracking System found few examiner entries. The entries we identified reported information provided by Fannie Mae on the status of its remediation. 29 Indeed, remediation for one of the six MRAs was completed before DER issued its non-objection letter. 30 Fannie Mae’s remediation plans do not include estimated timeframes for internal audit’s completion of its validation work and there is no required field in the FNM SharePoint Tracking System to input this information. 31 Those closures were relatively anomalous: Fannie Mae examiners advised us that, for the past few years, the examiner-in-charge (EIC) decided not to utilize examiner resources to assess the adequacy of Fannie Mae internal audit’s MRA validation work, and thus left many MRAs open. We were also informed that the EIC for Fannie Mae during the review period regularly kept MRAs open after Fannie Mae internal audit had completed its validation work in order to have the flexibility to re-visit the MRAs and continue ongoing monitoring. Of all open Fannie Mae MRAs as of November 6, 2015, 64 percent were awaiting review by DER’s Fannie Mae examination team and had not been closed. Members of the Fannie Mae examination team reported to us that they had sufficient confidence in Fannie Mae’s internal audit validation work to redeploy their resources elsewhere, without closing the MRAs. The current Fannie Mae examination team informed us that the former EIC’s practice has been discontinued and that examiners are working to address the backlog of those open MRAs. OIG EVL-2016-007 July 14, 2016 19 FINDINGS ................................................................................. 1. DER’s MRA tracking systems lack important prospective dates and the tracking system for Fannie Mae MRAs does not provide ready access to underlying remediation documents, thus rendering those systems of limited utility in tracking the progress of MRA remediation. Both the OCC and Federal Reserve track important prospective dates to promote transparency and accountability in the MRA remediation process, such as the date on which the regulated entity is expected to complete remediation, the date of examiner follow-up, and the date OCC examiners expect to validate remediation. The OCC and Federal Reserve systems also contain live links to supporting documents, giving their officials ready access to this important information. Unlike the OCC and Federal Reserve, after DER accepts an Enterprise’s remediation plan, its two systems track only one date prospectively: the date that Enterprise management is expected to submit a closing package to Enterprise internal audit for validation. FHFA guidance does not require the Enterprises to provide FHFA with the date on which Enterprise internal audit expects to validate management’s remediation of MRAs, and DER examiners are not required to provide an estimated date by which they expect to confirm the adequacy of internal audit’s validation work. DER’s tracking systems therefore lack dedicated fields in which examiners can enter those dates. As a result, DER and FHFA officials cannot access these important deadlines from the tracking system. DER’s failure to establish and track these two deadlines impedes the Agency’s ability to hold the Enterprises and DER examiners accountable for unjustified or unexplained delays in validating and confirming MRA remediation. The risk of delay in MRA remediation is far more than theoretical. Our sampling identified several instances of substantial delays in Fannie Mae internal audit’s validation of MRA remediation, and substantial delays in DER’s confirmation of the validation work that did occur. These delays were not identified or explained in the tracking system. Despite AB 2012-01, which requires examiners to “check and document” remedial progress as “guided by the remediation plan,” neither system tracks the interim remediation milestones set forth in remediation plans. This creates a risk that unjustified delays in remediation will not timely be brought to the attention of senior DER and FHFA officials. Finally, unlike the MRA tracking systems developed by the OCC and the Freddie Mac examination team, the system used by the Fannie Mae examination team does not provide ready access to the procedures document or a link to the underlying repository of remediation OIG EVL-2016-007 July 14, 2016 20 documents. In addition, the Fannie Mae examination team generally does not store work papers in FHFA’s electronic record-keeping system until after MRAs are closed. Instead, examiners store remediation documents on separate SharePoint sites maintained by the four examination risk groups. As a result, DER and FHFA officials lack ready access to important documents directly from the tracking system. 2. DER examiners did not consistently conduct and document independent assessments of the timeliness and adequacy of the Enterprises’ remediation efforts. FHFA requires examiners to periodically assess the status of MRA remediation and document their findings. Our review of a sample of 18 MRAs found a significant inconsistency between the examination teams with respect to DER’s assessment of Enterprise remediation plans: the Fannie Mae examination team conducted and documented an independent assessment of the Enterprise’s remediation plans in eight of ten MRAs, whereas the Freddie Mac examination team did so in only four of eight MRAs. FHFA and DER guidance require examiners to regularly assess and document the timeliness and adequacy of the Enterprises’ remediation of MRAs. Nonetheless, DER informed us that it does not expect examiners to proactively assess or document the Enterprises’ remedial efforts between the time DER accepts the remediation plan and the time Enterprise internal audit submits its validation work to DER. Our review of a sample of MRAs revealed that both examination teams infrequently conducted and documented independent assessments of the Enterprises’ remediation activities during this period of ongoing remediation. Regarding the closure of MRAs, our review revealed that neither examination team consistently conducted and documented an independent assessment of whether the MRAs had been fully remediated and validated. Although examiners prepared documentation to close MRAs, that documentation did not always independently analyze the Enterprises’ claims that they had fully remediated and validated the MRAs. Instead, in some cases, examiners simply stated that they reviewed and agreed with the materials provided by Enterprise internal audit, without evidence of independent analysis. OIG EVL-2016-007 July 14, 2016 21 CONCLUSIONS .......................................................................... FHFA issues MRAs for the most serious deficiencies, such as violations of law, unsafe or unsound practices, or inappropriate risk-taking. Since MRAs are the most serious supervisory finding, FHFA appropriately expects the Enterprises to remediate them without delay. DER examiners play a central and critical role in the MRA remediation process: it is their job to evaluate the Enterprises’ remediation plans, monitor and assess the progress of remediation, and assess the Enterprises’ claims that MRAs have been completely remediated. In addition, FHFA requires examiners to document their follow up activities; this documentation is expected to include details on the status of MRA remediation. In our review of a sample of 18 MRAs issued to Fannie Mae and Freddie Mac, we found a lack of consistent independent analysis by DER examiners as to the timeliness and adequacy of each Enterprise’s remedial efforts. To enhance their oversight of MRA remediation, financial supervisors, including the OCC, Federal Reserve, DBR, and the Freddie Mac and Fannie Mae examination teams, use MRA tracking systems. These systems provide a centralized repository of information for financial supervisors on outstanding (and sometimes closed) MRAs. Two important components of MRA tracking systems are their ability to track upcoming deadlines and their ability to provide ready access to underlying work papers. Neither DER system for tracking Fannie Mae and Freddie Mac MRAs tracks interim milestones, the date on which Enterprise internal audit expects to validate management’s remediation of MRAs, or the date on which DER examiners expect to confirm the adequacy of internal audit’s validation work. DER has not required due dates for Enterprise internal audit validation of MRA remediation or deadlines for examiner confirmation of MRA remediation. Consequently, validation and confirmation of MRA remediation can occur more than a year after an Enterprise submits its closing package for validation. This lax approach to oversight of MRA remediation is contrary to FHFA’s expectation that MRAs require prompt remediation. Establishing due dates for internal audit validation and DER confirmation, and tracking those dates along with interim milestones, would allow DER and FHFA officials to access those important deadlines easily, and to enhance transparency, efficiency, and accountability in the MRA remediation process. OIG EVL-2016-007 July 14, 2016 22 RECOMMENDATIONS ............................................................... We recommend that FHFA: 1. Require the Enterprises to provide, in their remediation plans, the target date in which their internal audit departments expect to validate management’s remediation of MRAs, and require examiners to enter that date into a dedicated field in the MRA tracking system. 2. Require DER, upon acceptance of an Enterprise’s remediation plan, to estimate the date by which it expects to confirm internal audit’s validation, and to enter that date into a dedicated field in the MRA tracking system. 3. Ensure that the underlying remediation documents, including the Procedures Document, are readily available by direct link or other means, through DER’s MRA tracking system(s). 4. Require DER to conduct and document, in an Analysis Memorandum or other work paper, an independent assessment of the adequacy of each Enterprise MRA remediation plan and the basis upon which such plan is either accepted or rejected, and to maintain that document in DER’s supervisory record-keeping system. 5. Require DER to track interim milestones and to independently assess and document the timeliness and adequacy of Enterprise remediation of MRAs on a regular basis. 6. Require DER, when evaluating whether to close an MRA, to conduct and document (in an Analysis Memorandum or other work paper) an independent analysis of the adequacy and sustainability of the Enterprise’s remediation activity, or where appropriate, the adequacy of the Enterprise’s internal audit validation work, and maintain that document in DER’s supervisory record-keeping system. OIG EVL-2016-007 July 14, 2016 23 FHFA COMMENTS AND OIG RESPONSE ..................................... OIG provided FHFA an opportunity to respond to a draft report of this evaluation. FHFA provided technical comments that we incorporated into the report, as appropriate. On July 7, 2016, FHFA provided its formal response to our recommendations, which is attached in its entirety in Appendix A. In its response, FHFA agreed with recommendations 4 and 6, partially agreed with recommendations 1 and 2, and disagreed with recommendations 3 and 5. As discussed below, OIG urges FHFA to reconsider its positions and to fully implement our recommendations. While FHFA partially agreed with recommendations 1 and 2, its proposed corrective actions do not address the underlying shortcomings in the Agency’s oversight of the Enterprises’ remediation of MRAs that we identified in this report. With respect to recommendation 1, FHFA chose not to require the Enterprises to provide an estimated date by which their internal audit departments will validate management’s remediation of open MRAs. FHFA does not suggest that requiring both Enterprises to consistently provide this information would cause any significant burden or inefficiencies. In fact, our sampling of MRAs revealed that Freddie Mac frequently included the expected internal audit validation date in its remediation plans, although it was not required to do so by FHFA. Tracking expected validation dates would allow FHFA to identify and perhaps prevent inordinate delays in the validation of management’s efforts to remediate MRAs. FHFA’s current approach creates a risk of lapses in FHFA oversight and of further delays in MRA remediation by the Enterprises. In our second recommendation, we proposed that FHFA direct DER to estimate the date by which it expects to confirm internal audit’s validation and to enter that date into a dedicated field in the MRA tracking systems. Our recommendation addressed one of the shortcomings identified in this report: while FHFA instructs that MRAs should be promptly remediated, we found that DER’s validation and confirmation of MRA remediation can occur more than a year after an Enterprise submits its closing package for validation. FHFA’s commitment that DER will “amend its internal guidance to provide timeframes for when an examination team must begin review” of Enterprise validation work fails to address this shortcoming. DER’s refusal to require examiners to propose a date by which they expect to confirm the Enterprises’ validation work signals a lack of concern with the volume of Enterprise closing packages that have been languishing in DER, awaiting examiner review. FHFA refused to adopt recommendation 3, in which we asked it to “[e]nsure that the underlying remediation documents, including the Procedures Document, are readily available by direct link or other means, through DER’s MRA tracking system(s).” OIG made this recommendation to enhance the efficiency of DER’s tracking of MRA remediation. As discussed in this report, the tracking systems used by the OCC, by the Federal Reserve, and OIG EVL-2016-007 July 14, 2016 24 by DER’s Freddie Mac examination team contain (or examiners may insert) live links to the supervisory documents relating to each MRA. The tracking system used by the Fannie Mae examination team, however, does not. Moreover, Fannie Mae examiners store remediation documents for open MRAs on four separate SharePoint sites, rather than in FHFA’s centralized examination record-keeping system. These remediation documents are migrated to FHFA’s electronic record-keeping system only after the Fannie Mae examination team closes an MRA. Due to DER’s large backlog in closing Fannie Mae MRAs, there is a significant number of MRAs with work papers stove-piped in separate SharePoint sites. In its management response, FHFA does not claim that it is preferable to stove-pipe Fannie Mae examination documents into separate SharePoint sites, nor does it claim that implementing our recommendation – to bring the Fannie Mae examination team in line with the Freddie Mac examination team – would somehow impose an undue burden or expense. For similar reasons, FHFA declined to adopt recommendation 5, in which we proposed that DER “track interim milestones and to independently assess and document the timeliness and adequacy of Enterprise remediation of MRAs on a regular basis.” As we explained in a recent evaluation, FHFA’s Examiners Did Not Meet Requirements and Guidance for Oversight of an Enterprise’s Remediation of Serious Deficiencies, prior to December 2013, applicable guidance required Fannie Mae and Freddie Mac examiners to prepare quarterly status reports for each open MRA. DER subsequently abandoned this requirement, in favor of vesting each EIC with discretion to determine the frequency in which examiners assess the adequacy and timeliness of MRA remediation. FHFA has a statutory obligation to supervise the Enterprises and, pursuant to its own Examination Manual, issues MRAs for only the most serious deficiencies identified during a supervisory activity. While FHFA asserted that its current process is sufficient to enable DER to effectively oversee the Enterprises’ MRA remediation, DER officials acknowledged to us that DER considers MRA remediation to be an Enterprise business function and that there is no expectation for DER to assess the adequacy or timeliness of the Enterprises’ corrective actions during the remediation process. Our review of a sample of MRAs found virtually no evidence of independent examiner assessments of the sufficiency of the Enterprises’ actions during their remediation. That record, combined with FHFA’s refusal to require DER examiners to regularly assess and document the timeliness and adequacy of remediation, raises a concern that, as a practical matter, FHFA may have shifted a substantial portion of its supervisory responsibilities for MRA remediation to the entities that it regulates. OIG EVL-2016-007 July 14, 2016 25 OBJECTIVE, SCOPE, AND METHODOLOGY ................................. We conducted this evaluation to assess the effectiveness of DER’s MRA tracking systems, and to determine whether DER examiners independently assess the timeliness and adequacy of the Enterprises’ efforts to remediate MRAs. First, we compared the MRA tracking systems used by the Fannie Mae and Freddie Mac examination teams to those used by two federal financial regulators and DBR. We met with representatives of two financial regulatory agencies, reviewed those agencies’ MRA remediation policies, and obtained information on their MRA tracking systems. We similarly met with DER personnel, and reviewed FHFA, DER, and DBR policies pertaining to tracking and overseeing remediation of MRAs. We reviewed publicly available documents, internal DER and DBR documents, and non-public information provided by DER, including the MRA tracking systems used by the examination teams for Fannie Mae and Freddie Mac. We also considered additional information provided by FHFA in connection with other OIG evaluations and audits. We compiled this information to compare the features and capabilities of the various MRA tracking systems. Second, we reviewed a random sample of eight Freddie Mac MRAs and ten Fannie Mae MRAs issued between January 1, 2013, and November 6, 2015, to assess whether DER examiners independently assessed the timeliness and/or adequacy of each Enterprise’s efforts to remediate MRAs. We reviewed three phases of DER’s remediation oversight: DER’s analysis of the Enterprises’ proposed remediation plans; DER’s assessment of ongoing Enterprise remediation activities; and, for those MRAs for which the Enterprise claimed complete remediation, DER’s analysis of the Enterprise’ corrective actions. For each of these three phases, we reviewed the documentation made available to us by FHFA to determine whether DER examiners performed independent analyses or assessments, or merely recorded information that the Enterprises provided. Where we found no documentation, or where the documentation recited information from an Enterprise without any analysis, or where documentation reflected that DER agreed with an Enterprise’s assertions without any supporting analysis, we concluded that no independent analysis or assessment had been performed by DER examiners. Conversely, we credited DER with performing an independent assessment where the documentation reflected some independent analysis or assessment by the DER examiner, however limited. This evaluation was conducted under the authority of the Inspector General Act and in accordance with the Council of the Inspectors General on Integrity and Efficiency’s Quality Standards for Inspection and Evaluation (January 2012). These standards require us to plan and perform an evaluation based upon evidence sufficient to provide a reasonable basis to OIG EVL-2016-007 July 14, 2016 26 support its findings and recommendations. We believe that the findings and recommendations discussed in this report meet those standards. The fieldwork for this report was completed between November 2015 and May 2016. The review period for this evaluation was between January 1, 2013, and March 31, 2016. OIG EVL-2016-007 July 14, 2016 27 APPENDIX A ............................................................................. FHFA’s Comments on OIG’s Findings and Recommendations OIG EVL-2016-007 July 14, 2016 28 OIG EVL-2016-007 July 14, 2016 29 OIG EVL-2016-007 July 14, 2016 30 OIG EVL-2016-007 July 14, 2016 31 ADDITIONAL INFORMATION AND COPIES ................................. For additional copies of this report: Call: 202-730-0880 Fax: 202-318-0239 Visit: www.fhfaoig.gov To report potential fraud, waste, abuse, mismanagement, or any other kind of criminal or noncriminal misconduct relative to FHFA’s programs or operations: Call: 1-800-793-7724 Fax: 202-318-0358 Visit: www.fhfaoig.gov/ReportFraud Write: FHFA Office of Inspector General Attn: Office of Investigations – Hotline 400 Seventh Street SW Washington, DC 20219 OIG EVL-2016-007 July 14, 2016 32
FHFA's Inconsistent Practices in Assessing Enterprise Remediation of Serious Deficiencies and Weaknesses in its Tracking Systems Limit the Effectiveness of FHFA's Supervision of the Enterprises
Published by the Federal Housing Finance Agency, Office of Inspector General on 2016-07-14.
Below is a raw (and likely hideous) rendition of the original report. (PDF)