oversight

FHFA's Inconsistent Practices in Assessing Enterprise Remediation of Serious Deficiencies and Weaknesses in its Tracking Systems Limit the Effectiveness of FHFA's Supervision of the Enterprises

Published by the Federal Housing Finance Agency, Office of Inspector General on 2016-07-14.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

           Federal Housing Finance Agency
               Office of Inspector General




  FHFA’s Inconsistent Practices in
Assessing Enterprise Remediation of
Serious Deficiencies and Weaknesses
 in its Tracking Systems Limit the
Effectiveness of FHFA’s Supervision
          of the Enterprises




 Evaluation Report  EVL-2016-007  July 14, 2016
                Executive Summary
                As the regulator of Fannie Mae and Freddie Mac (collectively, the Enterprises)
                and of the Federal Home Loan Banks (FHLBanks), the Federal Housing
                Finance Agency (FHFA) is tasked by statute to ensure that these entities
                operate safely and soundly so that they serve as a reliable source of liquidity
                and funding for housing finance and community investment. Examinations of
EVL-2016-007    its regulated entities are fundamental to FHFA’s supervisory mission.

July 14, 2016   FHFA has directed its Division of Enterprise Regulation (DER) to conduct
                supervisory activities of the Enterprises and its Division of Federal Home Loan
                Bank Regulation (DBR) to conduct these activities for the FHLBanks. When
                DER or DBR identifies a deficiency, it will classify the deficiency as a Matter
                Requiring Attention (MRA), a violation, or a recommendation. According to
                FHFA, MRAs are “the most serious supervisory matters.” FHFA requires the
                regulated entities to promptly remediate MRAs. Examiners are required to
                “check and document” the progress of MRA remediation.

                In FHFA Office of Inspector General’s (OIG) 2016 Audit and Evaluation Plan,
                we explained our intent to focus our resources on programs and operations that
                pose the greatest financial, governance, and reputational risk to FHFA, the
                Enterprises, and the FHLBanks. One of the four areas we identified was
                FHFA’s rigor in its supervision of the Enterprises and the FHLBanks.
                According to FHFA, a key component of effective supervision is close
                oversight of efforts by an entity it regulates to correct identified supervisory
                concerns. This evaluation is one in a series of OIG reports that assess the
                robustness of FHFA’s policies, procedures, and practices governing its
                oversight of remediation of supervisory concerns by a regulated entity.

                In this evaluation, we compared the MRA tracking systems used by two
                federal financial regulators and DBR to those used by the DER Fannie Mae
                and Freddie Mac examination teams. We found substantial weaknesses in
                DER’s tracking systems that limit significantly the utility of those systems as
                a tool to monitor the Enterprises’ efforts to remediate deficiencies giving rise
                to MRAs. We also reviewed a sample of open and closed MRAs issued to
                each Enterprise by DER to assess whether DER examiners performed
                independent assessments of the timeliness and adequacy of each Enterprise’s
                efforts to remediate the MRA. Our review found a lack of consistent
                independent analysis by DER examiners of the timeliness and adequacy of
                each Enterprise’s remedial efforts. We make six recommendations to address
                these shortcomings. FHFA agreed with two recommendations, partially agreed
                with two, and disagreed with the remaining two.
                This report was prepared by Minh-Tu Greenberg, Investigative Counsel, and
                Desiree Yang, Financial Analyst. We appreciate the cooperation of FHFA
                staff, as well as the assistance of all those who contributed to the preparation
                of this report.

                This report has been distributed to Congress, the Office of Management and
                Budget, and others and will be posted on our website, www.fhfaoig.gov.
EVL-2016-007

July 14, 2016

                Angela Choy
                Assistant Inspector General for Evaluations
TABLE OF CONTENTS ................................................................
EXECUTIVE SUMMARY .............................................................................................................2

ABBREVIATIONS .........................................................................................................................6

BACKGROUND .............................................................................................................................7

FACTS .............................................................................................................................................8
      FHFA Guidance on MRA Follow-Up and Documentation ......................................................8
              Tracking Systems to Aid Supervisory Oversight .............................................................9
              MRA Tracking Systems Used by the OCC and Federal Reserve...................................10
              MRA Tracking System Used by DBR ............................................................................11
              DER Lacks a Unified MRA Tracking System................................................................12
              Freddie Mac Examination Team’s MRA Tracking System ...........................................12
              Fannie Mae Examination Team’s MRA Tracking System .............................................14
      Review of DER Oversight of 18 MRAs Issued to the Enterprises Found Inconsistent
      Compliance with FHFA Requirements and Guidance ...........................................................15
              Freddie Mac MRAs ........................................................................................................16
              Fannie Mae MRAs ..........................................................................................................18

FINDINGS .....................................................................................................................................20
      1. DER’s MRA tracking systems lack important prospective dates and the tracking
      system for Fannie Mae MRAs does not provide ready access to underlying
      remediation documents, thus rendering those systems of limited utility in tracking
      the progress of MRA remediation. .........................................................................................20
      2. DER examiners did not consistently conduct and document independent
      assessments of the timeliness and adequacy of the Enterprises’ remediation efforts. ............21

CONCLUSIONS............................................................................................................................22

RECOMMENDATIONS ...............................................................................................................23

FHFA COMMENTS AND OIG RESPONSE ...............................................................................24

OBJECTIVE, SCOPE, AND METHODOLOGY .........................................................................26




                                               OIG  EVL-2016-007  July 14, 2016                                                                4
APPENDIX A ................................................................................................................................28
      FHFA’s Comments on OIG’s Findings and Recommendations ............................................28

ADDITIONAL INFORMATION AND COPIES .........................................................................32




                                             OIG  EVL-2016-007  July 14, 2016                                                            5
ABBREVIATIONS .......................................................................

AB 2012-01         FHFA’s Advisory Bulletin 2012-01, Categories for Examination Findings

DBR                Division of Federal Home Loan Bank Regulation

DER                Division of Enterprise Regulation

EIC                Examiner-in-Charge

Enterprises        Fannie Mae and Freddie Mac, collectively

Federal Reserve    Board of Governors of the Federal Reserve System

FHFA or Agency     Federal Housing Finance Agency

FHLBanks           Federal Home Loan Banks

FMS                Findings Management System

MRA                Matter Requiring Attention

OCC                Office of the Comptroller of the Currency

OQA                Office of Quality Assurance




                           OIG  EVL-2016-007  July 14, 2016                          6
BACKGROUND ..........................................................................

Since 2008, FHFA has operated as both regulator and conservator of the Enterprises and
regulator of the FHLBanks. Like other federal financial regulators, FHFA uses a risk-based
approach to supervision. DER, which supervises the Enterprises, conducts continuous
ongoing monitoring and targeted examinations into strategically selected areas of high
importance or risk at each Enterprise pursuant to an annual supervisory plan.1 DBR, which
supervises the FHLBanks, conducts annual examinations, periodic visits, special reviews,
and off-site monitoring. Both DER and DBR issue an annual report of examination to each
Enterprise and FHLBank, respectively, after the end of each annual supervisory cycle.2

When conducting their supervisory activities, FHFA examiners may identify supervisory
concerns or deficiencies occurring at a regulated entity. FHFA categorizes such examination
findings into one of three categories: (1) recommendations, (2) violations, or (3) Matters
Requiring Attention (MRAs). According to FHFA, only “the most serious supervisory
matters” are categorized as MRAs. FHFA will issue an MRA for such matters as “non-
compliance with laws or regulations that result or may result in significant risk of financial
loss or damage,” “repeat deficiencies that have escalated due to insufficient action or
attention,” “unsafe or unsound practices,” “matters that have resulted, or are likely to result,
in a regulated entity being in an unsafe or unsound condition,” and “breakdowns in risk
management, significant control weaknesses, or inappropriate risk-taking.”3 FHFA requires
the regulated entities to promptly remediate MRAs. FHFA’s Advisory Bulletin 2012-01,
Categories for Examination Findings (AB 2012-01) directs that an Enterprise’s remediation
plan to correct MRA deficiencies contain specific milestones reflecting the seriousness of the
MRA, taking into consideration the complexity of the issue and the urgency of correction.

1
 Through ongoing monitoring, DER examiners evaluate the Enterprises’ operations and risk management by
meeting with Enterprise management and reviewing management and board reports. Examiners may also
conduct ongoing monitoring to determine the status of the Enterprises’ compliance with supervisory guidance
and conservatorship directives and remediation of Matters Requiring Attention (MRAs). Targeted
examinations enable examiners to conduct a deep or comprehensive assessment of selected areas of high
importance or risk. DER examiners conduct targeted examinations on an as needed basis, determined by risk.
DER has issued most MRAs out of targeted examinations.
2
  For more information on annual reports of examination, see OIG, FHFA’s Failure to Consistently Identify
Specific Deficiencies and Their Root Causes in Its Reports of Examination Constrains the Ability of the
Enterprise Boards to Exercise Effective Oversight of Management’s Remediation of Supervisory Concerns
(July 14, 2016) (EVL-2016-008) and OIG, FHFA Failed to Consistently Deliver Timely Reports of
Examination to the Enterprise Boards and Obtain Written Responses from the Boards Regarding Remediation
of Supervisory Concerns Identified in those Reports (July 14, 2016) (EVL-2016-009).
3
 FHFA, Advisory Bulletin 2012-01, Categories for Examination Findings, at 2 (Apr. 2, 2012) (online at
www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/AB-2012-01-CATEGORIES-FOR-
EXAMINATION-FINDINGS.aspx (accessed July 1, 2016).




                                    OIG  EVL-2016-007  July 14, 2016                                        7
Examiners are required to “check and document” the progress of MRA remediation “at an
interval determined by the [Examiner-in-Charge] and guided by the remediation plan.”

FHFA consistently maintains, based on the language of its authorizing statute,4 that its
supervisory authority over its regulated entities “is virtually identical to – and clearly modeled
on – Federal bank regulators’ supervision of banks.” In a recent evaluation, we compared
FHFA’s requirements and supplemental guidance regarding oversight of MRA remediation
by a regulated entity with those of other federal financial regulators and found the
requirements and guidance to be similar.5 Specifically, we found that FHFA, and other
federal financial regulators, require examiners to monitor the progress of MRA remediation
by a regulated entity and to regularly assess the timeliness and adequacy of the entity’s
remedial efforts. Then, we reviewed DER’s oversight of one Enterprise’s remediation efforts
against the requirements and guidance issued by FHFA and DER, and found that such
oversight fell far short of the mark. In that instance, we found no evidence that DER assessed
the adequacy or timeliness of the Enterprise’s efforts to remediate the MRA over a 30-month
period, as required by Agency requirements and guidance. In light of that finding, we
performed this evaluation to determine the effectiveness of the MRA tracking systems used
by the two DER examination teams and the extent to which, over a larger sample of MRAs,
examiners conducted independent analyses of the Enterprises’ remediation efforts, as required
by FHFA.6


FACTS .......................................................................................

FHFA Guidance on MRA Follow-Up and Documentation

FHFA requirements define an examiner’s follow-up responsibilities for MRA remediation.
Those responsibilities include an assessment of materials provided by the regulated entity,
discussions with the responsible parties at the regulated entity, and testing (if appropriate)


4
  Federal Housing Enterprises Financial Safety and Soundness Act of 1992, 12 U.S.C. § 4501 et seq. and
§ 4513, as amended by Sections 1101 and 1102 of the Housing and Economic Recovery Act of 2008, and
§ 4517(e).
5
 See OIG, FHFA’s Examiners Did Not Meet Requirements and Guidance for Oversight of an Enterprise’s
Remediation of Serious Deficiencies (Mar. 29, 2016) (EVL-2016-004) (online at
www.fhfaoig.gov/Content/Files/EVL-2016-004.pdf).
6
  Id. at 20 (“MRA follow-up, as defined by FHFA and DER, is not limited to listening to an Enterprise explain
what actions the Enterprise has planned or is undertaking to correct MRA deficiencies. Fundamental to the
requirement for DER examiner follow-up . . . is a regular assessment of the timeliness and adequacy of the
Enterprise’s remedial efforts.”).




                                    OIG  EVL-2016-007  July 14, 2016                                          8
to determine the entity’s progress against an acceptable remedial plan.7 FHFA requires
examiners to document all of their follow-up activities, including details on the status of the
MRA. Should examiners determine that an entity has not made progress in remediating
deficiencies and/or has missed established milestones, AB 2012-01 instructs that other
supervisory actions should be considered. Currently, the intervals at which FHFA examiners
must “check and document progress” are “determined by the [Examiner-in-Charge] and
guided by the remediation plan,” rather than by FHFA requirements or guidance.

In January 2014, DER issued internal guidance governing the creation and storage of
examination documents, including documents relating to MRAs.8 Pursuant to this guidance,
examiners must prepare a procedures document for each MRA, prior to the commencement of
fieldwork, which describes the steps examiners intend to take in monitoring and assessing an
Enterprise’s remedial activities.9 Under 2014-DER-OPB-01, the procedures document is not
intended to be a static document; examiners are required to update it “as necessary.” Unlike
DER’s prior guidance in effect through 2013, which required examiners to update the
procedures document at least quarterly with a current status of the MRA,10 its current
guidance, 2014-DER-OPB-01, does not require DER examiners to update the procedures
document on a regular, specified basis but directs them to “document the steps taken to
achieve the objective(s)” (emphasis added) in procedures documents and to adjust the
procedures document as necessary.

This same guidance directs examiners to document the results of their monitoring and
assessment activities in designated work papers such as correspondence, meeting notes, and
analysis memoranda. Analysis memoranda “[m]ust appropriately link to the procedures
document to show how the execution of the procedures resulted in the conclusions.”
Procedures documents may contain links to, or may be imbedded with, important underlying
work papers.

          Tracking Systems to Aid Supervisory Oversight

To enhance effective supervisory oversight of efforts by a regulated entity to correct
deficiencies identified during supervisory activities, federal financial regulators, including the
Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal
Reserve System (Federal Reserve), and FHFA use tracking systems. Although these tracking


7
    See FHFA, AB 2012-01, Categories for Examination Findings, supra note 3.
8
 See FHFA, DER Operating Procedures Bulletin 2014-DER-OPB-01, Guidelines for Preparing Supervisory
Products and Examination Workpapers (Jan. 27, 2014) (2014-OPB-01).
9
    Id.
10
     FHFA, DER Supervisory Guide 2.0, at 31 (Sept. 8, 2009).



                                      OIG  EVL-2016-007  July 14, 2016                             9
systems vary in sophistication and capabilities, the purported purpose of each system is to
enable examiners and their supervisors to quickly access deadlines in the remediation process
and information about the status of remediation efforts.

     MRA Tracking Systems Used by the OCC and Federal Reserve

The OCC has developed and implemented a tracking system that contains information for
all MRAs issued to the banks it supervises. OCC requires its examiners to enter each
“supervisory concern” into the tracking system, along with a description of the underlying
basis for the MRA. OCC examiners also enter the critical dates and events in the remediation
process, including the date the OCC issued the MRA, the date the bank is expected to
complete remedial action, the date OCC examiners intend to follow up on remedial progress,
the date OCC examiners expect to validate remediation,11 and the actual date that remediation
is validated. The system also has a field in which examiners can enter comments or
observations. Each quarter, until the MRA is closed, OCC examiners must “assess and
document the board and management’s efforts to address concern(s)” directly into the OCC
tracking system.

Each supervisory concern in OCC’s tracking system contains a live link to the supporting
documents so that examiners and OCC management can easily access important underlying
work papers. OCC officials advised us that its examiners use the tracking system to generate
a wide range of reports to enhance OCC’s supervision of individual banks (including banks
that have failed to timely remediate MRAs or banks with a significant number of open MRAs)
and to generate reports that identify trends in supervisory concerns across entities. According
to these officials, reports from the tracking system help examiners follow up on MRA
remediation and are reviewed regularly by supervisory managers and OCC officials.

The Federal Reserve also uses a tracking system to monitor the progress of MRA remediation.
Its unified tracking system contains information on all of the entities the Federal Reserve
regulates. Like the OCC, Federal Reserve examiners enter a detailed description of each
MRA into the system along with critical dates in the remediation process, including the date
of MRA issuance, the expected response date for the remedial plan, examiner follow-up dates,
and the projected date for completion of the entity’s remedial efforts. The Federal Reserve’s
tracking system also contains a field in which examiners can record their comments and
observations. For each entry in the Federal Reserve’s tracking system, examiners can insert a
hyperlink to the source documents pertaining to the MRAs. When a tracked date approaches,
the tracking system generates and sends an email reminder to designated examiners and

11
   Validation is the process by which the OCC confirms the effectiveness and sustainability of corrective
action(s) that the bank implemented.




                                     OIG  EVL-2016-007  July 14, 2016                                     10
supervisors to facilitate timely follow-up.12 Similar to the OCC, the Federal Reserve
uses its tracking system to generate preset and customized reports on the status of MRA
remediation. Federal Reserve officials informed us that the system’s reporting function is one
of its most important tools because it provides transparency to supervisory activities.

      MRA Tracking System Used by DBR

In response to our 2012 evaluation, FHFA’s Oversight of Troubled Federal Home Loan
Banks,13 DBR developed and implemented a SharePoint-based tracking system that provides
DBR examiners and managers, and FHFA officials, with ready access to the status of
examination findings.14 This Findings Management System (FMS) tracks all examination
findings (MRAs, violations, and recommendations) issued to the FHLBanks and the Office of
Finance each year. The FMS data fields include the date of the supervisory finding and the
date remediation is due. DBR requires examiners to upload certain key documents into FMS
and to save the remainder of the remediation work papers in FHFA’s electronic record-
keeping system. To ensure the integrity of FMS data, DBR directs that a quality control
review be performed, prior to the completion of each annual report of examination, to ensure
consistency between the uploaded FMS data and the supporting documentation.

In a recent compliance review, we tested documentation for a randomly selected sample of
supervisory concerns entered into FMS and determined that DBR examiners complied with
DBR procedures for ensuring the accuracy and timeliness of FMS data.15 DBR officials
reported to us that FMS represents a definite improvement over DBR’s former manual
processes. According to these officials, FMS allows DBR to track examination findings for
one FHLBank during one DBR annual examination and to track findings for the same bank

12
     Email notifications are sent to individuals on an opt-in basis.
13
   In EVL-2012-001, OIG found that DBR lacked an automated management information system that provided
ready access to information about the deficiencies identified in its examinations and the status of efforts to
address them. At the time, DBR examiners documented their findings and tracked corrective action on
individual computer spreadsheets. Different examiners used different spreadsheets, and the data entered into the
spreadsheets were not readily accessible to Agency management or part of a unified reporting system. We found
that those deficiencies limited DBR’s capacity to identify trends in examination findings and the FHLBanks’
progress in correcting deficiencies. Based on these findings, OIG recommended that DBR develop and
implement an automated management reporting system for FHLBank examination findings. DBR agreed with
the recommendation and stated that it would develop an “automated information system” to track, among other
things, examination findings and planned corrective actions. See OIG, FHFA’s Oversight of Troubled Federal
Home Loan Banks (Jan. 11, 2012) (EVL-2012-001) (online at
www.fhfaoig.gov/Content/Files/Troubled%20Banks%20EVL-2012-001.pdf).
14
  See FHFA, Operating Procedure Bulletin 2012-DBR-OPB-04, Findings Management System (Dec. 31,
2012).
15
  See OIG, FHFA’s Implementation of Its Automated System to Track Deficiencies Identified in Federal Home
Loan Bank Examinations (May 26, 2016) (COM-2016-003).




                                         OIG  EVL-2016-007  July 14, 2016                                        11
over multiple annual examinations. Additionally, these officials advised us that FMS enables
DBR supervisors to obtain consistent information about supervisory findings, to quickly
analyze trends in findings, and to identify issues across the universe of FHLBank
examinations.

     DER Lacks a Unified MRA Tracking System

Unlike DBR, the OCC, and the Federal Reserve, DER lacks a unified system to track MRAs it
issues to the Enterprises. As a result, the examination teams for Fannie Mae and Freddie Mac
use different MRA tracking systems.

In July 2013, FHFA’s Office of Quality Assurance (OQA), which is charged with reviewing
FHFA’s supervision of the Enterprises,16 issued a report finding that DER lacked an adequate
system to store, retrieve, and track examination information, including information regarding
the progress of MRA remediation. In response to that report, DER committed to work with
other FHFA offices to “redesign the examination record-keeping system, including MRA
tracking.”

DER, however, did not design a unified MRA tracking system. According to a DER official,
its then-deputy director “did not have the appetite” to do so. Consequently, DER allowed the
Fannie Mae and Freddie Mac examination teams to continue using separate MRA tracking
systems.

     Freddie Mac Examination Team’s MRA Tracking System

In June 2012, DER’s Freddie Mac examination team rolled out guidelines for tracking,
documenting, and reporting on the status of MRA remediation. The team updates this
guidance periodically, most recently in 2015. Pursuant to these guidelines, Freddie Mac
examiners track and document MRA remediation in an electronic Excel spreadsheet known
as Freddie MRA Tracking and Reporting (FRE MRA Tracking System). The FRE MRA
Tracking System contains a number of data fields for each MRA issued to Freddie Mac,
including the date the MRA issued, a description of the MRA, the date the examiners expect
to receive a closure package from Freddie Mac management reporting on the completed
remedial actions,17 and the date Freddie Mac’s internal audit department completes its

16
  OQA is responsible for evaluating the quality of work performed by DER, DBR, and the Division of
Housing Mission and Goals.
17
   Freddie Mac management submits a “closure package” to its own internal audit department, with a copy
to DER, when it believes it has completed the approved remedial action plan. At that point, the Enterprise’s
internal audit department performs validation work. DER considers an MRA to be “validated” when the
Enterprise’s internal audit function concludes that the remedial action is implemented, effective, and
sustainable. After this validation is provided, DER examiners are expected to review and “confirm” internal



                                     OIG  EVL-2016-007  July 14, 2016                                        12
validation of management’s remedial actions. It also contains comment fields for each MRA
where DER examiners can – but are not required to – record their independent assessments of
the adequacy of Freddie Mac’s remediation for that MRA.

Guidance from the Freddie Mac examination team requires every Freddie Mac examiner to
review and update the status of each MRA in the comment field of the FRE MRA Tracking
System “by the end of each month.” This guidance, however, does not define the expected
content of these monthly updates. The content could consist of: information reported
exclusively by the Enterprise; information learned primarily from the Enterprise; or
independent examiner assessments of the timeliness and adequacy of an Enterprise’s remedial
progress. Unlike the tracking systems used by the OCC or Federal Reserve, the FRE MRA
Tracking System lacks a dedicated field for examiners to enter the date(s) they plan to follow
up on remedial progress or a dedicated field to enter the expected validation date by Freddie
Mac’s internal audit department. Moreover, the FRE MRA Tracking System does not track
the anticipated date that DER examiners will review and “confirm” the validation work by
Freddie Mac’s internal audit. Current DER guidance does not require examiners to identify
and track these dates.

FHFA, through AB 2012-01, directs that examiner oversight of remedial efforts by a
regulated entity “should include an assessment of materials provided by the regulated entity,
discussions with the responsible parties at the regulated entity, and testing, if appropriate, to
determine progress against a remediation plan.” Notwithstanding that instruction, a senior
DER official advised us in a prior evaluation that DER examiners were not required to check
remedial progress made by an Enterprise against the milestones in its proposed remediation
plan and that any changes of such milestones would be documented by Enterprise
management, not DER. Consistent with DER’s position and practice, the FRE MRA
Tracking Report does not contain fields that track the due dates for interim deliverables or
milestones nor does it contain fields in which examiners are required to provide written
assessments of the adequacy or timeliness of Freddie Mac’s remedial efforts.

For each MRA, the FRE MRA Tracking System contains a link to the folder in FHFA’s
electronic record-keeping system in which all the documents relating to the MRA are required
to be filed.18 In addition, there is a direct link to the procedures document (also maintained in
the electronic record-keeping system), which describes the steps DER examiners intend to
take in overseeing and assessing Freddie Mac’s remedial efforts and documents the steps


audit’s work. Internal audit’s role in validating management’s remediation of MRAs is more fully discussed
on pages 17-18 of this report.
18
  Internal guidance from the Freddie Mac examination team requires all Freddie Mac examiners to store all
documents related to both ongoing and completed MRA remediation in FHFA’s electronic record-keeping
system, noting that a “centralized location facilitates streamlined MRA management.”



                                    OIG  EVL-2016-007  July 14, 2016                                       13
taken when they are completed. Thus, the relevant documents relating to an MRA – including
the procedures document, analysis memos, and meeting notes – are readily accessible through
links from the FRE MRA Tracking System.

DER’s Freddie Mac examination team generates a monthly examination status (status report)
for the DER Deputy Director. The status report provides information on MRAs with
information extracted from the Freddie MRA Tracking Report, including the issuance date for
each MRA, a brief status update on the progress of remediation or status of each open MRA,
and a list of MRAs closed during the current calendar year. It also contains, for each MRA, a
link to FHFA’s electronic record-keeping system in which the remediation documents are
stored.

      Fannie Mae Examination Team’s MRA Tracking System

Beginning in 2013, the Fannie Mae examination team uses a SharePoint intranet site called
FNM SharePoint Tracking System to track the progress of MRAs. The FNM SharePoint
Tracking System includes data fields for the projected date by which Fannie Mae is expected
to complete remediation, the actual date Fannie Mae internal audit notifies DER that its
verification work is complete, and the actual date in which DER closes or rescinds the MRA.
The FNM SharePoint Tracking System contains comment fields into which examiners may –
but are not required to – enter their independent assessments of the adequacy of Fannie Mae’s
ongoing remediation.

However, the FNM SharePoint Tracking System does not contain a number of fields used
in the other tracking systems described in this evaluation. It lacks fields to track the due dates
of interim milestones (and deliverables) in Fannie Mae’s remediation plan,19 examiner follow-
up dates, the expected validation date by Fannie Mae internal audit, and the date by which
DER examiners are expected to review and confirm Fannie Mae’s internal audit validation
work. While DER recognizes that the FNM SharePoint Tracking System does not contain
separate fields to track these categories of information, it maintains that all of this information
can be found in the examination documentation. Because the FNM SharePoint Tracking
System provides no live links to the examination documentation, including the procedures
documents, the documentation cannot be accessed directly from the FNM SharePoint
Tracking System.

The FNM SharePoint Tracking System does not provide a link to the underlying repository of
MRA remediation documents. Furthermore, examiners for Fannie Mae are not required to
store MRA remediation documents in FHFA’s electronic record-keeping system until after an

19
     An examiner can enter interim milestones in the comments field.




                                      OIG  EVL-2016-007  July 14, 2016                              14
MRA is closed. Until that time, they store remediation documents on separate SharePoint
sites maintained by the various examination risk groups responsible for monitoring MRAs.20
While Fannie Mae examiners can upload supporting documents into the FNM SharePoint
Tracking System, two Fannie Mae examiners explained to us that the team uploads only
selected documents, such as conclusion letters or non-objection letters.21

The Fannie Mae examination team does not provide monthly or regular status reports on
MRA remediation to the DER Deputy Director. DER informed us that the deputy director
can personally generate and run reports from the tracking system and can request reports from
examiners.

Review of DER Oversight of 18 MRAs Issued to the Enterprises Found Inconsistent
Compliance with FHFA Requirements and Guidance

In a recent evaluation, we found significant shortcomings in DER’s oversight of an
Enterprise’s remediation of one MRA.22 To determine whether these shortcomings were
limited to this one MRA or were more widespread, we reviewed DER materials for a random
sample of eight Freddie Mac MRAs and ten Fannie Mae MRAs issued to the Enterprises
between January 1, 2013, and November 6, 2015 (the review period).23 We reviewed
three phases of DER’s remediation oversight: DER’s analysis of the Enterprises’ proposed
remediation plans; DER’s assessment of ongoing Enterprise remediation activities; and,
for those MRAs for which the Enterprise claimed complete remediation, DER’s analysis
of the Enterprises’ corrective actions. For each of these three phases, we reviewed the
documentation made available to us by FHFA to determine whether DER examiners
performed independent analyses or assessments, or merely recorded information that the
Enterprises provided. Where we found no documentation, or where the documentation
recited information from an Enterprise without any analysis, or where documentation
reflected that DER agreed with an Enterprise’s assertions without any supporting analysis,
we concluded that no independent analysis or assessment had been performed by DER
examiners. Conversely, we credited DER with performing the independent assessment



20
     The Fannie Mae examination team has four different risk groups.
21
  DER uses conclusion letters to communicate examination findings, including MRAs, to the Enterprises.
Non-objection letters convey DER’s assent to an Enterprise’s remediation plan.
22
  See OIG, FHFA’s Examiners Did Not Meet Requirements and Guidance for Oversight of an Enterprise’s
Remediation of Serious Deficiencies, supra note 5.
23
   We selected a random sample from the list of MRAs that DER issued during the review period. The
population of open and closed MRAs was too small to select a representative sample. Thus, the results of our
review cannot be statistically projected to the rest of the population. However, the randomness of the sampling
allows for the collection of unbiased, evidential material.



                                      OIG  EVL-2016-007  July 14, 2016                                          15
required by FHFA where the documentation reflected some independent analysis or
assessment by the DER examiner, however limited.

      Freddie Mac MRAs

We reviewed the work papers for a sample of eight MRAs issued by the Freddie Mac
examination team during the review period. DER closed four of the eight during the review
period, and four remained open as of November 6, 2015.

Pursuant to 2013-DER-OPB-1, each Enterprise must respond to an MRA with a proposed
remediation plan and DER examiners are required to review each proposed remediation plan
and determine “whether the plan is sufficiently detailed and appropriate to resolve the MRA.”
When that determination is made, DER issues a non-objection letter. Freddie Mac submitted
a proposed remediation plan for each of the eight MRAs, and DER issued a non-objection
letter in response to each of them.24 To evaluate whether the Freddie Mac examiners assessed
the sufficiency of Freddie Mac’s proposed remediation plans for each of these eight MRAs,
we reviewed the following documents, as available, for each MRA: Freddie Mac’s proposed
remediation plan, DER’s Analysis Memo supporting its non-objection to each remediation
plan, the procedures document, examiner meeting notes, and comments posted in the FRE
MRA Tracking Report. For four of the eight, we found no evidence that DER examiners
conducted independent analysis of the sufficiency of Freddie Mac’s proposed remediation
plan, notwithstanding the requirements of 2013-DER-OPB-1.

Once a non-objection letter is issued to the Enterprise for its proposed remediation plan,
FHFA’s Examination Manual requires examiners to regularly analyze the adequacy of an
Enterprise’s corrective actions, and AB 2012-01 requires those examiners to “check and
document progress at an interval determined by the [Examiner-in-Charge] and guided by the
remediation plan.” Notwithstanding those requirements, a DER manager informed us that
DER considers MRA remediation to be an Enterprise business function and that examiners
are not obligated to proactively assess whether the Enterprises’ ongoing corrective actions are
adequate or timely, even though FHFA issues MRAs for only “the most serious supervisory
matters.”

Of the eight Freddie Mac MRAs in our sample, two involved remediation plans that DER
accepted in February 2016. Due to the limited remediation period to date, we did not include
those MRAs in this portion of our analysis.25 For each of the remaining six sampled MRAs,
we sought to evaluate whether Freddie Mac examiners followed FHFA’s requirements for
independent assessments of the adequacy and timeliness of Freddie Mac’s ongoing

24
     Most of the remediation plans contained the anticipated internal audit validation date.
25
     Remediation of these MRAs is projected to continue until August and November 2017.



                                        OIG  EVL-2016-007  July 14, 2016                        16
remediation, or instead followed the practice articulated by the DER manager. To conduct
this evaluation, we reviewed the following work papers, when available, for each of the six
MRAs: notes of meetings with Freddie Mac staff, summary memos, memos to file, and
examiner comments from the FRE MRA Tracking System.26 Based on our review of these
materials, we found no evidence of independent assessments of the timeliness or adequacy of
Freddie Mac’s remediation efforts for five of the six of the sampled MRAs.

The one MRA in which we found independent analysis during the remediation phase involved
updating an Enterprise policy. For that MRA, we found a meeting note memorializing an
examiner’s statement to the Enterprise that its draft revised policy lacked sufficient clarity
and should be revised.

Last, we evaluated the basis for DER’s closure of four Freddie Mac MRAs in our sample. In
April 2013, DER issued OPB 2013-01, Matters Requiring Attention Process. This guidance
sets forth the role of an Enterprise’s internal audit in validating the timeliness and efficacy of
that Enterprise’s efforts to remediate an MRA:

        Upon completion of the action plan and management’s determination that the
        respective Enterprise has remediated the MRAs, internal audit or an [sic]
        another independent third party will review and “validate” that the action plan
        was implemented as intended and that the remediation is complete… The
        completed validation work does not mean that FHFA has “closed” the
        MRA… FHFA will assess remediation through on-going monitoring or
        related targeted examination work. If additional reviews are needed,
        examiners will conduct the necessary reviews to validate the remediation.

DER further addressed the role of Enterprise internal audit in MRA remediation in a July
2013 response to an OQA report:

        DER has been working with the Internal Audit divisions at both Enterprises to
        appropriately shift from FHFA to Internal Audit the responsibility to assess
        that underlying issues associated with the MRA have been addressed.
        However, DER retains full and sole responsibility for ultimately assessing
        whether an Enterprise has successfully addressed all issues associated with an


26
   The Freddie Mac examination team’s documentation of comments in the tracking report changed over the
course of our sample period. During 2013, examiners entered comments quarterly. During 2014, Freddie Mac
examiners entered comments on a monthly basis, but saved over the previous month’s comments. Thus, for
2014, the only comments available for our review were for the month of December. This process continued
until June 2015, when examiners began retaining monthly comments. To supplement this data limitation, we
reviewed the Freddie Mac examiners’ quarterly summary memos from 2013-2015, which discussed, among
other things, the progress of MRA remediation.



                                   OIG  EVL-2016-007  July 14, 2016                                      17
         MRA, as determined through ongoing monitoring and related targeted
         examination work.

FHFA’s Examination Manual, issued in December 2013, contains no guidance on the
circumstances under which FHFA examiners may close an MRA in reliance on a regulated
entity’s internal audit validation of the timeliness and efficacy of remediation. DER reported
to us that the Enterprises’ internal audit departments are responsible for validating the
effectiveness and sustainability of the remedial actions taken by the Enterprises and that DER
examiners confirm validation.27

For three of the four Freddie Mac MRAs in our sample closed by DER during the review
period, we determined that Freddie Mac examiners did independently assess the sufficiency
of internal audit’s work or management’s remediation of the deficiency underlying the MRA.
Our determination was based on our review of the procedures documents, Freddie Mac’s
closure packages, Freddie Mac internal audit work papers, examiner memos to file, and
analysis memos by Freddie Mac examiners in support of the closure. For the fourth MRA,
we found no evidence of independent analysis by DER examiners of the sufficiency of the
validation work performed by Freddie Mac’s internal audit or of management’s underlying
remediation activities.

     Fannie Mae MRAs

We reviewed a sample of ten MRAs issued by the Fannie Mae examination team during
the review period. Of those ten, DER reported to us that procedures documents were not
prepared for two, in disregard of FHFA and DER requirements.

Fannie Mae submitted a proposed remediation plan for each of the ten MRAs, and DER
issued a non-objection letter in response to each. To evaluate whether Fannie Mae examiners
performed independent analyses of the sufficiency of Fannie Mae’s remediation plans, we
reviewed, when available, DER’s conclusion letter that issued each MRA, Fannie Mae’s
proposed remediation plans, memoranda analyzing remediation plans or supporting non-
objection letters, procedures documents, examiner meeting notes, and comments saved to
the FNM SharePoint Tracking System. For eight of the ten MRAs, we found evidence of
independent analysis of the sufficiency of Fannie Mae’s proposed remediation plan. We
found no such evidence for the other two.




27
   We plan to assess, in a separate evaluation, DER’s policies, guidance, and practices regarding reliance on
the Enterprises’ internal audit function to verify and validate remediation of MRAs, and whether its policies,
guidance, and practices are consistent with those of DBR and other federal financial regulators.




                                      OIG  EVL-2016-007  July 14, 2016                                         18
Next, we assessed whether Fannie Mae examiners performed independent assessments of
the Enterprise’s ongoing remediation efforts. To conduct this assessment, we reviewed the
following documents, as available: notes from meetings with Fannie Mae, procedures
documents, summary memos, memos to file, and examiner comments saved to the FNM
SharePoint Tracking System.28

Of the ten MRAs in our sample, six had a relatively short remediation period of less than
three months from issuance of the non-objection letter.29 We therefore did not include those
six in our review of interim examiner assessments. However, although management timely
submitted closure packages for these six MRAs, we observed that Fannie Mae internal audit
did not validate three of the six MRAs until almost a year later.30 For the remaining four
MRAs in our sample, which involved Fannie Mae corrective actions over longer periods
of time, we found no evidence that DER examiners conducted independent assessments
of Fannie Mae’s remediation efforts, despite the requirements and guidance in FHFA’s
Examination Manual and AB 2012-01.

Finally, of the ten MRAs in our sample, DER closed four during the review period, and we
examined the basis for DER’s closure.31 For each of the four, we reviewed the analysis memo
justifying DER’s closure of the MRA. Of those, two contained evidence that DER examiners
independently analyzed the adequacy and effectiveness of Fannie Mae’s remedial measures.
For the other two, DER examiners accepted the results of Fannie Mae’s internal audit
validation work without independent analysis.




28
  Our review of the comment field for each of the ten MRAs in our sample in the FNM SharePoint Tracking
System found few examiner entries. The entries we identified reported information provided by Fannie Mae
on the status of its remediation.
29
     Indeed, remediation for one of the six MRAs was completed before DER issued its non-objection letter.
30
    Fannie Mae’s remediation plans do not include estimated timeframes for internal audit’s completion of
its validation work and there is no required field in the FNM SharePoint Tracking System to input this
information.
31
   Those closures were relatively anomalous: Fannie Mae examiners advised us that, for the past few years,
the examiner-in-charge (EIC) decided not to utilize examiner resources to assess the adequacy of Fannie Mae
internal audit’s MRA validation work, and thus left many MRAs open. We were also informed that the EIC
for Fannie Mae during the review period regularly kept MRAs open after Fannie Mae internal audit had
completed its validation work in order to have the flexibility to re-visit the MRAs and continue ongoing
monitoring. Of all open Fannie Mae MRAs as of November 6, 2015, 64 percent were awaiting review by
DER’s Fannie Mae examination team and had not been closed. Members of the Fannie Mae examination team
reported to us that they had sufficient confidence in Fannie Mae’s internal audit validation work to redeploy
their resources elsewhere, without closing the MRAs. The current Fannie Mae examination team informed us
that the former EIC’s practice has been discontinued and that examiners are working to address the backlog of
those open MRAs.



                                      OIG  EVL-2016-007  July 14, 2016                                        19
FINDINGS .................................................................................

1. DER’s MRA tracking systems lack important prospective dates and the tracking
   system for Fannie Mae MRAs does not provide ready access to underlying
   remediation documents, thus rendering those systems of limited utility in tracking
   the progress of MRA remediation.

Both the OCC and Federal Reserve track important prospective dates to promote transparency
and accountability in the MRA remediation process, such as the date on which the regulated
entity is expected to complete remediation, the date of examiner follow-up, and the date OCC
examiners expect to validate remediation. The OCC and Federal Reserve systems also
contain live links to supporting documents, giving their officials ready access to this
important information.

Unlike the OCC and Federal Reserve, after DER accepts an Enterprise’s remediation plan,
its two systems track only one date prospectively: the date that Enterprise management is
expected to submit a closing package to Enterprise internal audit for validation. FHFA
guidance does not require the Enterprises to provide FHFA with the date on which Enterprise
internal audit expects to validate management’s remediation of MRAs, and DER examiners
are not required to provide an estimated date by which they expect to confirm the adequacy of
internal audit’s validation work. DER’s tracking systems therefore lack dedicated fields in
which examiners can enter those dates. As a result, DER and FHFA officials cannot access
these important deadlines from the tracking system. DER’s failure to establish and track
these two deadlines impedes the Agency’s ability to hold the Enterprises and DER examiners
accountable for unjustified or unexplained delays in validating and confirming MRA
remediation.

The risk of delay in MRA remediation is far more than theoretical. Our sampling identified
several instances of substantial delays in Fannie Mae internal audit’s validation of MRA
remediation, and substantial delays in DER’s confirmation of the validation work that did
occur. These delays were not identified or explained in the tracking system.

Despite AB 2012-01, which requires examiners to “check and document” remedial progress
as “guided by the remediation plan,” neither system tracks the interim remediation milestones
set forth in remediation plans. This creates a risk that unjustified delays in remediation will
not timely be brought to the attention of senior DER and FHFA officials.

Finally, unlike the MRA tracking systems developed by the OCC and the Freddie Mac
examination team, the system used by the Fannie Mae examination team does not provide
ready access to the procedures document or a link to the underlying repository of remediation


                               OIG  EVL-2016-007  July 14, 2016                                 20
documents. In addition, the Fannie Mae examination team generally does not store work
papers in FHFA’s electronic record-keeping system until after MRAs are closed. Instead,
examiners store remediation documents on separate SharePoint sites maintained by the four
examination risk groups. As a result, DER and FHFA officials lack ready access to important
documents directly from the tracking system.

2. DER examiners did not consistently conduct and document independent
   assessments of the timeliness and adequacy of the Enterprises’ remediation
   efforts.

FHFA requires examiners to periodically assess the status of MRA remediation and document
their findings. Our review of a sample of 18 MRAs found a significant inconsistency between
the examination teams with respect to DER’s assessment of Enterprise remediation plans: the
Fannie Mae examination team conducted and documented an independent assessment of the
Enterprise’s remediation plans in eight of ten MRAs, whereas the Freddie Mac examination
team did so in only four of eight MRAs.

FHFA and DER guidance require examiners to regularly assess and document the timeliness
and adequacy of the Enterprises’ remediation of MRAs. Nonetheless, DER informed us that
it does not expect examiners to proactively assess or document the Enterprises’ remedial
efforts between the time DER accepts the remediation plan and the time Enterprise internal
audit submits its validation work to DER. Our review of a sample of MRAs revealed that
both examination teams infrequently conducted and documented independent assessments
of the Enterprises’ remediation activities during this period of ongoing remediation.

Regarding the closure of MRAs, our review revealed that neither examination team
consistently conducted and documented an independent assessment of whether the MRAs had
been fully remediated and validated. Although examiners prepared documentation to close
MRAs, that documentation did not always independently analyze the Enterprises’ claims that
they had fully remediated and validated the MRAs. Instead, in some cases, examiners simply
stated that they reviewed and agreed with the materials provided by Enterprise internal audit,
without evidence of independent analysis.




                               OIG  EVL-2016-007  July 14, 2016                                21
CONCLUSIONS ..........................................................................

FHFA issues MRAs for the most serious deficiencies, such as violations of law, unsafe or
unsound practices, or inappropriate risk-taking. Since MRAs are the most serious supervisory
finding, FHFA appropriately expects the Enterprises to remediate them without delay. DER
examiners play a central and critical role in the MRA remediation process: it is their job to
evaluate the Enterprises’ remediation plans, monitor and assess the progress of remediation,
and assess the Enterprises’ claims that MRAs have been completely remediated. In addition,
FHFA requires examiners to document their follow up activities; this documentation is
expected to include details on the status of MRA remediation. In our review of a sample of
18 MRAs issued to Fannie Mae and Freddie Mac, we found a lack of consistent independent
analysis by DER examiners as to the timeliness and adequacy of each Enterprise’s remedial
efforts.

To enhance their oversight of MRA remediation, financial supervisors, including the OCC,
Federal Reserve, DBR, and the Freddie Mac and Fannie Mae examination teams, use MRA
tracking systems. These systems provide a centralized repository of information for financial
supervisors on outstanding (and sometimes closed) MRAs. Two important components of
MRA tracking systems are their ability to track upcoming deadlines and their ability to
provide ready access to underlying work papers.

Neither DER system for tracking Fannie Mae and Freddie Mac MRAs tracks interim
milestones, the date on which Enterprise internal audit expects to validate management’s
remediation of MRAs, or the date on which DER examiners expect to confirm the adequacy
of internal audit’s validation work. DER has not required due dates for Enterprise internal
audit validation of MRA remediation or deadlines for examiner confirmation of MRA
remediation. Consequently, validation and confirmation of MRA remediation can occur more
than a year after an Enterprise submits its closing package for validation. This lax approach
to oversight of MRA remediation is contrary to FHFA’s expectation that MRAs require
prompt remediation. Establishing due dates for internal audit validation and DER
confirmation, and tracking those dates along with interim milestones, would allow DER
and FHFA officials to access those important deadlines easily, and to enhance transparency,
efficiency, and accountability in the MRA remediation process.




                               OIG  EVL-2016-007  July 14, 2016                               22
RECOMMENDATIONS ...............................................................

We recommend that FHFA:

   1. Require the Enterprises to provide, in their remediation plans, the target date in which
      their internal audit departments expect to validate management’s remediation of
      MRAs, and require examiners to enter that date into a dedicated field in the MRA
      tracking system.

   2. Require DER, upon acceptance of an Enterprise’s remediation plan, to estimate the
      date by which it expects to confirm internal audit’s validation, and to enter that date
      into a dedicated field in the MRA tracking system.

   3. Ensure that the underlying remediation documents, including the Procedures
      Document, are readily available by direct link or other means, through DER’s MRA
      tracking system(s).

   4. Require DER to conduct and document, in an Analysis Memorandum or other
      work paper, an independent assessment of the adequacy of each Enterprise MRA
      remediation plan and the basis upon which such plan is either accepted or rejected, and
      to maintain that document in DER’s supervisory record-keeping system.

   5. Require DER to track interim milestones and to independently assess and document
      the timeliness and adequacy of Enterprise remediation of MRAs on a regular basis.

   6. Require DER, when evaluating whether to close an MRA, to conduct and document
      (in an Analysis Memorandum or other work paper) an independent analysis of
      the adequacy and sustainability of the Enterprise’s remediation activity, or where
      appropriate, the adequacy of the Enterprise’s internal audit validation work, and
      maintain that document in DER’s supervisory record-keeping system.




                               OIG  EVL-2016-007  July 14, 2016                                23
FHFA COMMENTS AND OIG RESPONSE .....................................

OIG provided FHFA an opportunity to respond to a draft report of this evaluation. FHFA
provided technical comments that we incorporated into the report, as appropriate. On July 7,
2016, FHFA provided its formal response to our recommendations, which is attached in its
entirety in Appendix A. In its response, FHFA agreed with recommendations 4 and 6,
partially agreed with recommendations 1 and 2, and disagreed with recommendations 3 and 5.
As discussed below, OIG urges FHFA to reconsider its positions and to fully implement our
recommendations.

While FHFA partially agreed with recommendations 1 and 2, its proposed corrective actions
do not address the underlying shortcomings in the Agency’s oversight of the Enterprises’
remediation of MRAs that we identified in this report. With respect to recommendation 1,
FHFA chose not to require the Enterprises to provide an estimated date by which their internal
audit departments will validate management’s remediation of open MRAs. FHFA does not
suggest that requiring both Enterprises to consistently provide this information would cause
any significant burden or inefficiencies. In fact, our sampling of MRAs revealed that Freddie
Mac frequently included the expected internal audit validation date in its remediation plans,
although it was not required to do so by FHFA. Tracking expected validation dates would
allow FHFA to identify and perhaps prevent inordinate delays in the validation of
management’s efforts to remediate MRAs. FHFA’s current approach creates a risk of lapses
in FHFA oversight and of further delays in MRA remediation by the Enterprises.

In our second recommendation, we proposed that FHFA direct DER to estimate the date by
which it expects to confirm internal audit’s validation and to enter that date into a dedicated
field in the MRA tracking systems. Our recommendation addressed one of the shortcomings
identified in this report: while FHFA instructs that MRAs should be promptly remediated, we
found that DER’s validation and confirmation of MRA remediation can occur more than a
year after an Enterprise submits its closing package for validation. FHFA’s commitment that
DER will “amend its internal guidance to provide timeframes for when an examination team
must begin review” of Enterprise validation work fails to address this shortcoming. DER’s
refusal to require examiners to propose a date by which they expect to confirm the
Enterprises’ validation work signals a lack of concern with the volume of Enterprise closing
packages that have been languishing in DER, awaiting examiner review.

FHFA refused to adopt recommendation 3, in which we asked it to “[e]nsure that the
underlying remediation documents, including the Procedures Document, are readily available
by direct link or other means, through DER’s MRA tracking system(s).” OIG made this
recommendation to enhance the efficiency of DER’s tracking of MRA remediation. As
discussed in this report, the tracking systems used by the OCC, by the Federal Reserve, and


                               OIG  EVL-2016-007  July 14, 2016                                 24
by DER’s Freddie Mac examination team contain (or examiners may insert) live links to the
supervisory documents relating to each MRA. The tracking system used by the Fannie Mae
examination team, however, does not. Moreover, Fannie Mae examiners store remediation
documents for open MRAs on four separate SharePoint sites, rather than in FHFA’s
centralized examination record-keeping system. These remediation documents are migrated
to FHFA’s electronic record-keeping system only after the Fannie Mae examination team
closes an MRA. Due to DER’s large backlog in closing Fannie Mae MRAs, there is a
significant number of MRAs with work papers stove-piped in separate SharePoint sites. In its
management response, FHFA does not claim that it is preferable to stove-pipe Fannie Mae
examination documents into separate SharePoint sites, nor does it claim that implementing
our recommendation – to bring the Fannie Mae examination team in line with the Freddie
Mac examination team – would somehow impose an undue burden or expense.

For similar reasons, FHFA declined to adopt recommendation 5, in which we proposed that
DER “track interim milestones and to independently assess and document the timeliness and
adequacy of Enterprise remediation of MRAs on a regular basis.” As we explained in a recent
evaluation, FHFA’s Examiners Did Not Meet Requirements and Guidance for Oversight of an
Enterprise’s Remediation of Serious Deficiencies, prior to December 2013, applicable
guidance required Fannie Mae and Freddie Mac examiners to prepare quarterly status reports
for each open MRA. DER subsequently abandoned this requirement, in favor of vesting each
EIC with discretion to determine the frequency in which examiners assess the adequacy and
timeliness of MRA remediation.

FHFA has a statutory obligation to supervise the Enterprises and, pursuant to its own
Examination Manual, issues MRAs for only the most serious deficiencies identified during a
supervisory activity. While FHFA asserted that its current process is sufficient to enable DER
to effectively oversee the Enterprises’ MRA remediation, DER officials acknowledged to us
that DER considers MRA remediation to be an Enterprise business function and that there is
no expectation for DER to assess the adequacy or timeliness of the Enterprises’ corrective
actions during the remediation process. Our review of a sample of MRAs found virtually no
evidence of independent examiner assessments of the sufficiency of the Enterprises’ actions
during their remediation. That record, combined with FHFA’s refusal to require DER
examiners to regularly assess and document the timeliness and adequacy of remediation,
raises a concern that, as a practical matter, FHFA may have shifted a substantial portion of its
supervisory responsibilities for MRA remediation to the entities that it regulates.




                               OIG  EVL-2016-007  July 14, 2016                                  25
OBJECTIVE, SCOPE, AND METHODOLOGY .................................

We conducted this evaluation to assess the effectiveness of DER’s MRA tracking systems,
and to determine whether DER examiners independently assess the timeliness and adequacy
of the Enterprises’ efforts to remediate MRAs.

First, we compared the MRA tracking systems used by the Fannie Mae and Freddie Mac
examination teams to those used by two federal financial regulators and DBR. We met
with representatives of two financial regulatory agencies, reviewed those agencies’ MRA
remediation policies, and obtained information on their MRA tracking systems. We similarly
met with DER personnel, and reviewed FHFA, DER, and DBR policies pertaining to tracking
and overseeing remediation of MRAs. We reviewed publicly available documents, internal
DER and DBR documents, and non-public information provided by DER, including the
MRA tracking systems used by the examination teams for Fannie Mae and Freddie Mac.
We also considered additional information provided by FHFA in connection with other OIG
evaluations and audits. We compiled this information to compare the features and capabilities
of the various MRA tracking systems.

Second, we reviewed a random sample of eight Freddie Mac MRAs and ten Fannie Mae
MRAs issued between January 1, 2013, and November 6, 2015, to assess whether DER
examiners independently assessed the timeliness and/or adequacy of each Enterprise’s efforts
to remediate MRAs. We reviewed three phases of DER’s remediation oversight: DER’s
analysis of the Enterprises’ proposed remediation plans; DER’s assessment of ongoing
Enterprise remediation activities; and, for those MRAs for which the Enterprise claimed
complete remediation, DER’s analysis of the Enterprise’ corrective actions. For each of these
three phases, we reviewed the documentation made available to us by FHFA to determine
whether DER examiners performed independent analyses or assessments, or merely recorded
information that the Enterprises provided. Where we found no documentation, or where the
documentation recited information from an Enterprise without any analysis, or where
documentation reflected that DER agreed with an Enterprise’s assertions without any
supporting analysis, we concluded that no independent analysis or assessment had been
performed by DER examiners. Conversely, we credited DER with performing an
independent assessment where the documentation reflected some independent analysis or
assessment by the DER examiner, however limited.

This evaluation was conducted under the authority of the Inspector General Act and in
accordance with the Council of the Inspectors General on Integrity and Efficiency’s Quality
Standards for Inspection and Evaluation (January 2012). These standards require us to plan
and perform an evaluation based upon evidence sufficient to provide a reasonable basis to



                               OIG  EVL-2016-007  July 14, 2016                               26
support its findings and recommendations. We believe that the findings and
recommendations discussed in this report meet those standards.

The fieldwork for this report was completed between November 2015 and May 2016. The
review period for this evaluation was between January 1, 2013, and March 31, 2016.




                              OIG  EVL-2016-007  July 14, 2016                      27
APPENDIX A .............................................................................

FHFA’s Comments on OIG’s Findings and Recommendations




                            OIG  EVL-2016-007  July 14, 2016                       28
OIG  EVL-2016-007  July 14, 2016   29
OIG  EVL-2016-007  July 14, 2016   30
OIG  EVL-2016-007  July 14, 2016   31
ADDITIONAL INFORMATION AND COPIES .................................


For additional copies of this report:

      Call: 202-730-0880

      Fax: 202-318-0239

      Visit: www.fhfaoig.gov



To report potential fraud, waste, abuse, mismanagement, or any other kind of criminal or
noncriminal misconduct relative to FHFA’s programs or operations:

      Call: 1-800-793-7724

      Fax: 202-318-0358

      Visit: www.fhfaoig.gov/ReportFraud

      Write:

                FHFA Office of Inspector General
                Attn: Office of Investigations – Hotline
                400 Seventh Street SW
                Washington, DC 20219




                                OIG  EVL-2016-007  July 14, 2016                         32