Written Testimony of Laura S. Wertheimer
Inspector General, Federal Housing Finance Agency
before the U.S. House Committee on Financial Services
Subcommittee on Oversight and Investigations
concerning Oversight of the Federal Housing Finance Agency
April 12, 2018

Chairman Wagner, Ranking Member Green, and Members of the Subcommittee, thank you for inviting me to testify regarding the work of the Office of Inspector General (OIG) for the Federal Housing Finance Agency (FHFA).

FHFA was established by the Housing and Economic Recovery Act of 2008 (HERA), which authorizes FHFA to conduct examinations, develop regulations, and issue enforcement orders for Fannie Mae and Freddie Mac (the Enterprises) and the Federal Home Loan Banks (FHLBanks) (collectively, the regulated entities), and the FHLBanks’ fiscal agent, the Office of Finance. HERA also authorized the FHFA Director to appoint FHFA as conservator or receiver of the regulated entities. In September 2008, FHFA used its statutory authorities to place the Enterprises into conservatorship, after it determined that a substantial deterioration in the housing markets severely damaged their financial condition and left them unable to continue without government intervention. Now in their 10th year, FHFA’s conservatorships of the Enterprises are of unprecedented scope, scale, and complexity.

Since September 2008, FHFA has served in a unique dual role for the Enterprises. As conservator, it is charged by HERA to take actions “necessary to put [Fannie Mae and Freddie Mac] in a sound and solvent condition”; “appropriate to carry on the business of [Fannie Mae and Freddie Mac]”; and to “preserve and conserve” their assets. As supervisor, it is tasked by HERA to ensure that the Enterprises operate safely and soundly so that they can serve as a reliable source of liquidity and funding for housing finance and community investment.

HERA also authorized the establishment of an OIG to oversee the work of FHFA.
FHFA-OIG began operations in October 2010 when its first Inspector General was sworn in. As a result of FHFA’s dual responsibilities as regulator of the Enterprises and the FHLBanks and as conservator of the Enterprises since September 2008, FHFA-OIG’s responsibilities are broader than those of an OIG for other prudential federal financial regulators because they include oversight of FHFA’s actions as conservator.

Our mission is to promote economy, efficiency, and effectiveness in the programs and operations of FHFA and protect it and the entities it regulates against fraud, waste, and abuse. We accomplish this mission by providing independent, relevant, timely, and transparent oversight of the Agency and advising the Director of the Agency, Congress, and the public on our findings and recommendations. In doing so, we further the Agency’s statutory obligation to ensure that the regulated entities operate in a safe and sound manner and that their operations foster liquid, efficient, competitive, and resilient national housing finance markets. We also engage in robust law enforcement efforts to protect the interests of the regulated entities and American taxpayers.

The Value of Independent Oversight in Improving Government Operations

Effective oversight makes government better and fosters positive change. Healthy skepticism through independent reviews of programs and operations, both by inspectors general and by Congress, acts as the “disinfectant of sunlight” to ensure a more efficient and effective government and to identify problems, abuses, and deficiencies. Based on my professional experience, I have found that, absent such oversight, few organizations voluntarily make fundamental changes to their programs and operations. I have observed that change often is driven by three things: a significant failure in a program or operation; intense scrutiny of that program or operation; and a leadership commitment to change.
Independent oversight by inspectors general and Congress is a critical and necessary ingredient to positive, constructive change. We seek to be a catalyst for effective management, accountability, and positive change in FHFA and to hold accountable those, whether inside or outside of the federal government, who waste, steal, or abuse funds in connection with FHFA and its regulated entities.

Focusing on the Right Things

FHFA has unique responsibilities in its dual roles as regulator of the FHLBanks and as conservator and regulator of the Enterprises. Despite their high leverage, diminished capital buffer, conservatorship status, and uncertain future, the Enterprises have grown during conservatorship and, according to FHFA, their combined market share of newly issued mortgage-backed securities is more than 60%. As of year-end 2017, the Enterprises collectively reported approximately $5.4 trillion in assets. As conservator of the Enterprises, FHFA exercises control over trillions of dollars in assets and billions of dollars in revenue and makes business and policy decisions that influence and affect the entire mortgage finance industry. As of year-end 2017, the FHLBanks collectively reported roughly $1.1 trillion in assets.

Given the size and complexity of the regulated entities and the dual responsibilities of FHFA, making the right choices about what we at FHFA-OIG audit, evaluate, and investigate in our oversight efforts is critical. To assist in making those choices, we created, in 2015, the Office of Risk Analysis to enhance our ability to focus our resources on the areas of greatest risk to FHFA. The Office of Risk Analysis is tasked with identifying, analyzing, monitoring, and prioritizing emerging and ongoing risks and with educating stakeholders on those issues. Through its work, it has contributed data and information to our annual risk-based planning process for audits, evaluations, and compliance reviews.
It has also made significant contributions to our online knowledge library accessible to FHFA-OIG employees.

Equipped with a greater understanding of current and emerging risks, we have established a rigorous process to develop oversight projects based on risk. Once we begin an oversight project, we follow the facts, wherever they lead, without fear or favor; report findings that are supported by sufficient evidence in accordance with professional standards; and recommend actions tied to our findings. Our goal is to complete each oversight project within its established timetable and to provide impactful recommendations to FHFA to address deficiencies identified through our fact-finding.

My experience leading internal investigations as a lawyer in private practice taught me that recommendations to address deficiencies identified during an investigation require meaningful follow-up and oversight. To provide that follow-up and oversight, we created, in 2014, the Office of Compliance and Special Projects (Office of Compliance). That office has several responsibilities:

• Closing Recommendations. When FHFA believes that its implementation efforts are well underway or that implementation is complete, FHFA provides that information to us, along with corroborating documents. We review the materials and representations submitted by the Agency to determine whether to close recommendations – and may close some recommendations based on the Agency’s representations as to corrective actions it has taken. The Office of Compliance consults with each FHFA-OIG division prior to the closure of a recommendation to facilitate application of a single standard across FHFA-OIG for closing recommendations.

• Tracking Recommendations. The Office of Compliance maintains a database in which it tracks the status of all recommendations issued by FHFA-OIG in its reports.

• Validation Testing.
We are not always able to assess, at the time of closure, whether the implementation actions by FHFA meet the letter and spirit of the agreed-upon recommendation, nor can we always determine, at closure, whether the underlying shortcoming has been addressed. The Office of Compliance conducts validation testing on a sample of closed recommendations to hold FHFA accountable for the corrective actions it has agreed to undertake. We publish the results of that validation testing to enable our stakeholders to assess the efficacy of FHFA’s implementation of actions to correct the underlying shortcoming. Compliance reviews enhance our ability to stimulate positive change in critical areas and promote economy, efficiency, and effectiveness at FHFA.[1]

To date, we have issued 10 compliance reviews reporting on the validation testing of 12 closed recommendations. Our validation testing found that FHFA had fully implemented 6 of those 12 recommendations and had not fully implemented the remaining 6.

Each month, we publish on our website a compendium that sets forth all open recommendations from our audits, evaluations, and other reports. Because we recognize the importance of transparency, we also report in this compendium recommendations that have been closed in light of FHFA’s stated refusal to accept and implement them.

During my tenure as Inspector General, FHFA-OIG has issued 85 reports[2] to alert FHFA leadership and our stakeholders to significant issues (many of which require corrective action), which included 117 recommendations to address identified shortcomings.[3] Of those 117 recommendations, FHFA fully agreed to 95, or roughly 81%. During this same period, we questioned costs of more than $104 million. Additionally, our civil investigations during this period resulted in more than $22 billion in settlements and other monetary results, and our criminal investigations resulted in more than $784 million in forfeitures, restitution, and other monetary results.

Priorities and Challenges

Our risk-based work plan focuses on four significant management and performance challenges facing FHFA that we have identified and reported.[4] They are:

• Conservatorship of the Enterprises
• Supervision of the Regulated Entities
• Cybersecurity
• Counterparties and Third Parties

At the request of this Subcommittee, my written testimony focuses on one of these four challenges: Supervision of the Regulated Entities.

[1] The Office of Compliance also conducts reviews and administrative investigations of hotline complaints alleging non-criminal misconduct and undertakes special projects.

[2] This total includes performance audits of FHFA’s information security and privacy programs and its implementation of specific security and privacy controls as directed by the Cybersecurity Act of 2015, but does not include performance audits of FHFA-OIG’s information security program. Those audits were performed by an independent public accounting firm at the direction and oversight of FHFA-OIG’s Office of Audits.

[3] Oversight by FHFA-OIG is not limited to independent oversight through audits, inspections, and investigations. We also conduct independent oversight through evaluations, compliance reviews, management alerts, status and special reports, and white papers.

[4] OIG, Fiscal Year 2018 Management and Performance Challenges (October 15, 2017) (online at https://www.fhfaoig.gov/Content/Files/FHFA%20management%20challenges%20FY2018.pdf).

FHFA’s Supervision of the Enterprises

As FHFA Director Watt has observed in testimony, Fannie Mae and Freddie Mac would be Systemically Important Financial Institutions (SIFIs), but for the conservatorships, and are subject to the heightened supervision requirements for SIFIs, except that they are supervised by FHFA, not the Federal Reserve.
Because the asset size of the FHLBanks and Office of Finance, together, is a fraction of the asset size of the Enterprises and because the Enterprises are in conservatorship, we determined that the magnitude of risk is significantly greater for the Enterprises and, accordingly, the majority of our work on supervision issues has focused on FHFA’s supervision of the Enterprises.

During my tenure, FHFA-OIG has issued 29 reports involving FHFA’s supervision program for the Enterprises. In these reports, we found this supervision program to be burdened by both design and execution shortcomings.

Over an 18-month period from June 2015 to December 2016, we assessed the supervision program for the Enterprises in 12 reports. We found a number of shortcomings and made recommendations designed to address these shortcomings and upgrade FHFA’s supervision program. Based on our assessments, we identified four recurring themes reflected in these shortcomings. We issued a roll-up report, in December 2016, in which we discussed each of these four themes.[5] They are:

• Many FHFA supervisory standards and much of its guidance lack the rigor of those issued by other federal financial regulators;

• The flexible and less prescriptive nature of many FHFA standards and much of its guidance has resulted in inconsistent supervisory practices;

• Where clear standards and guidance for specific elements of FHFA’s supervisory program exist, examiners have not consistently followed them; and

• FHFA lacks adequate assurance that its supervisory resources are devoted to examining the highest risks of the Enterprises.

[5] Safe and Sound Operation of the Enterprises Cannot Be Assumed Because of Significant Shortcomings in FHFA’s Supervision Program for the Enterprises (December 15, 2016) (OIG-2017-003) (online at www.fhfaoig.gov/Content/Files/OIG-2017-003.pdf).

Since December 2016, we have issued an additional 17 reports addressing other aspects of FHFA’s supervision program for the Enterprises, and the findings of those reports demonstrate that the concerns reflected in these four themes have continued. A list of the 29 reports follows this written testimony. Provided below are several examples of each theme from our issued reports.

• Many FHFA supervisory standards and much of its guidance lack the rigor of those issued by other federal financial regulators. Unlike the Office of the Comptroller of the Currency (OCC) and the Federal Reserve, which have supervised large financial institutions for decades, FHFA was created in 2008 and has less than 10 years of supervisory experience. While it could have used the supervisory standards and guidance issued by the OCC and the Federal Reserve as a template, we found that, for a number of elements of its supervisory program for the Enterprises, FHFA created its own less rigorous standards and guidance or, in some areas, issued no standards or guidance. We recommended in several reports that FHFA compare specific supervisory standards and guidance to those issued by the OCC and the Federal Reserve and enhance its standards and guidance, as warranted. FHFA accepted some of our recommendations and rejected others.

• Flexible and less prescriptive nature of many FHFA standards and much of its guidance has resulted in inconsistent supervisory practices. Because FHFA has determined, in many areas, to issue sparse guidance and standards and/or has elected not to issue templates or instructions, we found that FHFA examiners had significant discretion in a number of critical supervisory areas. As our reports make clear, the exercise of this discretion has led to inconsistent supervisory practices and has limited the utility of some examiner work products.
We recommended that FHFA develop standards and guidance, or enhance existing standards and guidance, to establish benchmarks against which to assess examiners’ work products and to assure itself that there is an adequate, supportable basis for its supervisory conclusions. FHFA agreed with many, but not all, of these recommendations.

• Where clear standards and guidance for specific elements of FHFA’s supervisory program exist, examiners have not consistently followed them. Our work has identified a number of areas in which FHFA examiners, in contravention of requirements issued by FHFA, failed to follow those requirements. By way of example, those include: issuance of revised supervisory plans without risk-related reasons; failure to create and maintain complete supervisory documentation in the official system of records; failure to ensure issuance of the annual reports of examination to Enterprise directors and obtain written affirmations that supervisory concerns will be addressed; failure to consistently conduct and document independent assessments of the Enterprises’ remediation activities during the period of ongoing remediation; and failure to establish a comprehensive quality control review process for examinations over a four-year period. In our view, these patterns and practices, taken together, demonstrate a lack of commitment to follow established requirements.

• FHFA lacks adequate assurance that its supervisory resources are devoted to examining the highest risks of the Enterprises.

Like other federal financial regulators, FHFA maintains that it uses a risk-based approach to carry out its supervisory activities. It uses the analyses in its risk assessments to prepare an annual supervisory plan that schedules specific supervisory activities. Those supervisory activities include targeted examinations and ongoing monitoring.
According to FHFA, targeted examinations enable examiners to conduct a deep or comprehensive assessment of selected areas of high importance or risk, while the purpose of ongoing monitoring is to analyze real-time information and to use those analyses to identify Enterprise practices and changes in an Enterprise’s risk profile that may warrant supervisory attention.

Beginning in 2011, FHFA-OIG questioned whether FHFA had a sufficient number of examiners, including commissioned examiners, to supervise the Enterprises, and we followed up on that report in 2013. Building on that work, we conducted an audit in 2016 to determine whether, for Fannie Mae and Freddie Mac, FHFA (1) supported its 2014 and 2015 high-priority planned targeted examinations identified in its annual supervisory plans with risk assessments and completed those planned high-priority examinations; and (2) performed its planned targeted examinations for each Enterprise from 2012 through 2015 and, if it did not, whether FHFA documented the deviations from its plan in accordance with policies and procedures.

For Freddie Mac, our audit found that FHFA planned 90 targeted examinations from 2012 through 2015. Of those 90, our audit found that 50 were completed; 17 were cancelled; 4 were deferred; 7 were converted to ongoing monitoring; 4 were commenced but were not completed; and 8 lacked documentation as to their disposition. Overall, we found that both the number and percentage of completed targeted examinations identified in the annual supervisory plans decreased significantly during this four-year period.

For Fannie Mae, our audit found that 102 targeted examinations were planned from 2012 through 2015. Of these 102, we found that 43 were completed; 19 were cancelled; 9 were deferred; 14 were converted to ongoing monitoring; 7 were commenced but were not completed; and 10 lacked documentation as to their disposition.
Again, we found that both the number and percentage of completed targeted examinations that were identified in the annual supervisory plans decreased significantly during this four-year period. We observed:

For a federal financial regulator, responsible for supervising two Enterprises that together own or guarantee more than $5 trillion in mortgage assets and operate in conservatorship, to fail to complete a substantial number of planned targeted examinations, including completing none of its 2015 planned targeted examinations for Fannie Mae within the 2015 supervisory cycle, is an unsound supervisory practice and strategy.

In 2017, we audited whether planned supervisory activities relating to cybersecurity risk management at each Enterprise for the 2016 examination cycle were completed during that cycle, in light of FHFA’s representations in its 2015 Performance and Accountability Report that “a key objective of FHFA’s supervisory work will continue to be the effective oversight of how each Enterprise manages cyber risks and addresses vulnerabilities.”

For Freddie Mac, our audit found FHFA planned two targeted examinations and three ongoing monitoring activities relating to cybersecurity risks at Freddie Mac for the 2016 supervisory cycle. (It also planned an ongoing monitoring activity to oversee Freddie Mac’s effort to remediate a Matter Requiring Attention (MRA) issued previously.[6]) We found that FHFA did not complete one of its planned targeted examinations until after the 2016 Report of Examination issued to Freddie Mac in March 2017, and deferred the other. We also found that FHFA completed the three planned ongoing monitoring activities relating to cybersecurity risks at Freddie Mac (as well as the planned MRA remediation ongoing monitoring activity).
For Fannie Mae, our audit found that FHFA planned, based on its 2016 revised supervisory plan, to conduct one targeted examination and three ongoing monitoring activities relating to cybersecurity risks at Fannie Mae. (It also planned three ongoing monitoring activities to oversee Fannie Mae’s efforts to remediate MRAs issued in prior years.) We found that FHFA completed none of its supervisory activities relating to Fannie Mae’s cybersecurity risks planned for the 2016 examination cycle during that cycle. (However, we did find that FHFA completed its three ongoing monitoring activities of Fannie Mae’s remediation of MRAs issued in prior years and closed them during the 2016 cycle.) We found that FHFA’s failure to complete any of its planned supervisory activities relating to Fannie Mae’s cybersecurity risks during 2016, a stated key objective of FHFA’s supervision during 2016, provides additional cause for concern about the soundness of FHFA’s supervisory practices and strategy.

[6] According to FHFA, an MRA is the most serious examination finding, issued for non-compliance with laws or regulations, repeat deficiencies, unsafe or unsound practices, significant control weaknesses, and inappropriate risk-taking.

We also assessed, in a compliance review and status reports, FHFA’s efforts to establish and implement a commissioned examiner program, which it agreed to do in response to a recommendation in our 2011 evaluation on examiner capacity. As we have reported, FHFA established a commissioned examiner program in 2013, but we identified a number of shortcomings in that program, including that it was not on track to produce commissioned examiners within the four-year completion period. As of March 2017, we found that FHFA employed a total of 45 commissioned examiners, all of whom received FHFA commissions based on prior commissions awarded by other financial regulators, which was five more than the 40 commissioned examiners employed by FHFA in 2011.
At that time, FHFA had not graduated any examiners from its commissioned examiner program.

These 29 reports on FHFA’s supervision of the Enterprises contained 56 recommendations to address the shortcomings that we found. FHFA agreed in full to 38 of them, or 68%.[7]

[7] For the remaining 18, FHFA rejected 9 and “partially agreed” with 9.

Based on our fact-finding and analysis, we cautioned stakeholders in December 2016 that the safe and sound operation of Fannie Mae and Freddie Mac cannot be assumed because of significant shortcomings in FHFA’s supervision program. While the Deputy Inspectors General of our Audits and Evaluations offices have recently observed some signs indicating improvements in the supervision program, it is too early to assess whether these improvements are sustainable. As our recommendations make plain, clearer standards and guidance, training, responsibility, and accountability are necessary to remediate the shortcomings we have identified. At this juncture, we have not observed sufficient, sustained improvements to warrant removal of our caution.

FHFA-OIG’s caution, however, should not be understood as our having concluded that the Enterprises are not being operated in a safe and sound manner. Pursuant to HERA, the obligation to reach a safety and soundness conclusion rests with the FHFA Director.[8] According to FHFA, each annual report that it issues to Congress “meets the requirement of the Federal Housing Enterprises Financial Safety and Soundness Act of 1992, as amended by the Housing and Economic Recovery Act of 2008 (HERA), that FHFA submit a report to Congress describing the actions undertaken by FHFA to carry out its statutory responsibilities, including a description of the financial safety and soundness of the entities the Agency regulates.”[9] In contrast, FHFA-OIG does not have the statutory charter to reach safety and soundness decisions. Our mandate, under the Inspector General Act, as amended, is to oversee the programs and operations of FHFA, which we do. The work we do does not provide us with a sufficient basis on which to make such a safety and soundness assessment for either Enterprise.

[8] According to FHFA, its examination framework consists of seven components: Capital; Asset quality; Management; Earnings; Liquidity; Sensitivity to market risk; and Operational risk (together, called CAMELSO). See FHFA’s 2016 Report to Congress, at 1. On an annual basis, FHFA rates each component on a scale of 1 to 5 and then assigns a composite rating, which it reports in its annual report of examination to each of its regulated entities. Id. at Executive Summary.

[9] See, e.g., Cover Letter from FHFA Director Watt to FHFA’s 2016 Report to Congress.

FHFA’s Supervision of the Federal Home Loan Banks

As explained earlier, we determined that the magnitude of the supervision risk is greater for the Enterprises, both because the asset size of the FHLBanks and Office of Finance, together, is a fraction of the asset size of the Enterprises and the Enterprises are in conservatorship. Accordingly, the majority of our work on supervision issues has focused on FHFA’s supervision of the Enterprises.

By statute, FHFA must conduct an annual examination of each FHLBank, and our reports have found that such examinations have been conducted as mandated. During my tenure, we have issued 10 reports on different elements of FHFA’s supervision program for the FHLBanks. For a number of these elements, we found that FHFA has issued prescriptive standards and guidance for its bank examiners and those examiners have largely followed those standards and guidance. We also looked at a number of the same discrete elements of FHFA’s supervision programs for the Enterprises and the FHLBanks where FHFA had issued the same standards and guidance and found that FHFA’s bank examiners largely complied with those standards and guidance. Where our reports identified shortcomings, we made two recommendations to address those shortcomings. FHFA agreed with both of those recommendations.

Conclusion

Currently, FHFA serves in a unique role: it is both conservator of and regulator for the Enterprises and regulator for the FHLBanks. Its duties as conservator of the Enterprises, which together own or guarantee more than $5 trillion in mortgages, are fundamentally different from its responsibilities as their supervisor. FHFA’s stakeholders, including the Congress, American taxpayers, and others, expect FHFA, as conservator, to ensure that both Enterprises are effectively governed and employ sound risk management practices; they also expect FHFA, as regulator, to exercise vigilant supervision of its regulated entities to ensure that they operate in a safe and sound manner.

FHFA-OIG has focused its efforts on four serious management and performance challenges it has identified to FHFA. To fulfill its responsibilities, FHFA must continue its efforts to address these challenges.

I thank this Subcommittee for the opportunity to testify today. I am happy to answer any questions that you may have.

FHFA-OIG’S REPORTS ON FHFA’S SUPERVISION PROGRAM FOR THE ENTERPRISES FROM JUNE 2015 TO MARCH 2018

FHFA Failed to Ensure Freddie Mac’s Remedial Plans for a Cybersecurity MRA Addressed All Deficiencies; as Allowed by its Standard, FHFA Closed the MRA after Independently Determining the Enterprise Completed its Planned Remedial Actions (March 28, 2018) (AUD-2018-008) (online at www.fhfaoig.gov/Content/Files/AUD-2018-008%20FRE%20Cyber%20MRA%20Closure%20%28public%29%20Redacted.pdf)

As Allowed by its Standard, FHFA Closed Three Fannie Mae Cybersecurity MRAs after Independently Determining the Enterprise Completed its Planned Remedial Actions (March 28, 2018) (AUD-2018-007) (online at www.fhfaoig.gov/Content/Files/AUD-2018-007%20FNM%20Cyber%20MRAs%20%28public%29%20Redacted.pdf)

FHFA’s Adoption of Clear Guidance on the Review of the Enterprises’ Internal Audit Work When Assessing the Sufficiency of Remediation of Serious Deficiencies Would Assist FHFA Examiners (March 28, 2018) (EVL-2018-003) (online at www.fhfaoig.gov/Content/Files/EVL-2018-003.pdf)

FHFA Requires the Enterprises’ Internal Audit Functions to Validate Remediation of Serious Deficiencies but Provides No Guidance and Imposes No Preconditions on Examiners’ Use of that Validation Work (March 28, 2018) (EVL-2018-002) (online at www.fhfaoig.gov/Content/Files/EVL-2018-002_Redacted.pdf)

FHFA Should Address the Potential Disparity Between the Statutory Requirement for Fraud Reporting and its Implementing Regulation and Advisory Bulletin (March 23, 2018) (COM-2018-002) (online at www.fhfaoig.gov/Content/Files/2018 03 23%20Enterprise%20Fraud%20Reporting.FINAL .pdf)

FHFA Completed its Planned Procedures for a 2016 Representation and Warranty Framework Targeted Examination at Freddie Mac, but the Supporting Workpapers Did Not Sufficiently Document the Examination Work (March 13, 2018) (AUD-2018-006) (online at www.fhfaoig.gov/Content/Files/AUD-2018-006%20FRE%20RWF%202016%20Targeted%20Examination%20%28public%29_Redacted.pdf)

FHFA Completed its Planned Procedures for a 2015 Representation and Warranty Framework Targeted Examination at Fannie Mae, but Did Not Document a Change to Planned Testing (March 13, 2018) (AUD-2018-005) (online at www.fhfaoig.gov/Content/Files/AUD-2018-005%20FNM%20RWF%202015%20Targeted%20Examination%20%28public%29_Redacted.pdf)

FHFA Did Not Complete All Planned Supervisory Activities Related to Cybersecurity Risks at Freddie Mac for the 2016 Examination Cycle (September 27, 2017) (AUD-2017-011) (online at www.fhfaoig.gov/Content/Files/AUD-2017-011%20FRE%20Cyber%20Examinations%20%28redacted%29.pdf)

FHFA Failed to Complete Non-MRA Supervisory Activities Related to Cybersecurity Risks at Fannie Mae Planned for the 2016 Examination Cycle (September 27, 2017) (AUD-2017-010) (online at www.fhfaoig.gov/Content/Files/AUD-2017-010%20FNM%20Cyber%20Examinations%20Redacted Redacted.pdf)

FHFA’s 2015 and 2016 Supervisory Activities, as Planned, Addressed Identified Risks with Freddie Mac’s New Representation and Warranty Framework (September 22, 2017) (AUD-2017-009) (online at www.fhfaoig.gov/Content/Files/AUD-2017-009%20FRE%20RWF%20Examinations%20%28redacted%29.pdf)

FHFA’s 2015 Report of Examination to Fannie Mae Failed to Follow FHFA’s Standards Because it Reported on an Incomplete Targeted Examination of the Enterprise’s New Representation and Warranty Framework (September 22, 2017) (AUD-2017-008) (online at www.fhfaoig.gov/Content/Files/AUD-2017-008%20FNM%20RWF%20Examinations%20%28redacted%29.pdf)

The Gap in FHFA’s Quality Control Review Program Increases the Risk of Inaccurate Conclusions in its Reports of Examination of Fannie Mae and Freddie Mac (August 17, 2017) (EVL-2017-006) (online at www.fhfaoig.gov/Content/Files/EVL-2017-006.pdf)

FHFA’s Compliance with its Documentary Standards for Issuing Housing Finance Examiner Commissions (July 25, 2017) (COM-2017-004) (online at www.fhfaoig.gov/Content/Files/HFEreport%2007-10-17.pdf)

Closure of OIG Review of FHFA’s Supervision of an Enterprise’s Remediation of Matters Requiring Attention (June 12, 2017) (ESR-2017-005) (online at www.fhfaoig.gov/Content/Files/ESR-2017-005.pdf)

FHFA’s Practice for Rotation of its Examiners Is Inconsistent between its Two Supervisory Divisions (March 28, 2017) (EVL-2017-004) (online at www.fhfaoig.gov/Content/Files/EVL-2017-004.pdf)

Update on FHFA’s Implementation of its Housing Finance Examiner Commission Program (March 22, 2017) (COM-2017-003) (online at www.fhfaoig.gov/Content/Files/Update%20on%20HFE%20Program-final.pdf)

FHFA’s Examinations Have Not Confirmed Compliance by One Enterprise with its Advisory Bulletins Regarding Risk Management of Nonbank Sellers and Servicers (December 21, 2016) (EVL-2017-002) (online at www.fhfaoig.gov/Content/Files/EVL-2017-002.pdf)

FHFA’s Targeted Examinations of Freddie Mac: Just Over Half of the Targeted Examinations Planned for 2012 through 2015 Were Completed (September 30, 2016) (AUD-2016-007) (online at www.fhfaoig.gov/Content/Files/AUD-2016-007.pdf)

FHFA’s Targeted Examinations of Fannie Mae: Less than Half of the Targeted Examinations Planned for 2012 through 2015 Were Completed and No Examinations Planned for 2015 Were Completed Before the Report of Examination Issued (September 30, 2016) (AUD-2016-006) (online at www.fhfaoig.gov/Content/Files/AUD-2016-006.pdf)

FHFA’s Supervisory Planning Process for the Enterprises: Roughly Half of FHFA’s 2014 and 2015 High-Priority Planned Targeted Examinations Did Not Trace to Risk Assessments and Most High-Priority Planned Examinations Were Not Completed (September 30, 2016) (AUD-2016-005) (online at www.fhfaoig.gov/Content/Files/AUD-2016-005.pdf)

FHFA Failed to Consistently Deliver Timely Reports of Examination to the Enterprise Boards and Obtain Written Responses from the Boards Regarding Remediation of Supervisory Concerns Identified in those Reports (July 14, 2016) (EVL-2016-009) (online at www.fhfaoig.gov/Content/Files/EVL-2016-009.pdf)

FHFA’s Failure to Consistently Identify Specific Deficiencies and Their Root Causes in Its Reports of Examination Constrains the Ability of the Enterprise Boards to Exercise Effective Oversight of Management’s Remediation of Supervisory Concerns (July 14, 2016) (EVL-2016-008) (online at www.fhfaoig.gov/Content/Files/EVL-2016-008.pdf)

FHFA’s Inconsistent Practices in Assessing Enterprise Remediation of Serious Deficiencies and Weaknesses in its Tracking Systems Limit the Effectiveness of FHFA’s Supervision of the Enterprises (July 14, 2016) (EVL-2016-007) (online at www.fhfaoig.gov/Content/Files/EVL-2016-007.pdf)

FHFA’s Supervisory Standards for Communication of Serious Deficiencies to Enterprise Boards and for Board Oversight of Management’s Remediation Efforts are Inadequate (March 31, 2016) (EVL-2016-005) (online at www.fhfaoig.gov/Content/Files/EVL-2016-005.pdf)

FHFA’s Examiners Did Not Meet Requirements and Guidance for Oversight of an Enterprise’s Remediation of Serious Deficiencies (March 29, 2016) (EVL-2016-004) (online at www.fhfaoig.gov/Content/Files/EVL-2016-004.pdf)

FHFA Should Map Its Supervisory Standards for Cyber Risk Management to Appropriate Elements of the NIST Framework (March 28, 2016) (EVL-2016-003) (online at www.fhfaoig.gov/Content/Files/EVL-2016-003.pdf)

Utility of FHFA’s Semi-Annual Risk Assessments Would Be Enhanced Through Adoption of Clear Standards and Defined Measures of Risk Levels (January 4, 2016) (EVL-2016-001) (online at www.fhfaoig.gov/Content/Files/EVL-2016-001 0.pdf)

Intermittent Efforts Over Almost Four Years to Develop a Quality Control Review Process Deprived FHFA of Assurance of the Adequacy and Quality of Enterprise Examinations (September 30, 2015) (EVL-2015-007) (online at www.fhfaoig.gov/Content/Files/EVL-2015-007.pdf)

OIG’s Compliance Review of FHFA’s Implementation of Its Housing Finance Examiner Commission Program (July 29, 2015) (COM-2015-001) (online at www.fhfaoig.gov/Content/Files/COM-2015-001 1 0.pdf)
Written Testimony of Inspector General Wertheimer before the House Oversight and Investigations Subcommittee
Published by the Federal Housing Finance Agency, Office of Inspector General on 2018-04-12.