Written Testimony of Inspector General Wertheimer before the House Oversight and Investigations Subcommittee

Published by the Federal Housing Finance Agency, Office of Inspector General on 2018-04-12.


Written Testimony of Laura S. Wertheimer
Inspector General, Federal Housing Finance Agency
before the
U.S. House Committee on Financial Services
Subcommittee on Oversight and Investigations
Oversight of the Federal Housing Finance Agency

April 12, 2018

Chairman Wagner, Ranking Member Green, and Members of the Subcommittee, thank you for
inviting me to testify regarding the work of the Office of Inspector General (OIG) for the Federal
Housing Finance Agency (FHFA).

FHFA was established by the Housing and Economic Recovery Act of 2008 (HERA), which
authorizes FHFA to conduct examinations, develop regulations, and issue enforcement orders for
Fannie Mae and Freddie Mac (the Enterprises) and the Federal Home Loan Banks (FHLBanks)
(collectively, the regulated entities), and the FHLBanks’ fiscal agent, the Office of Finance.

HERA also authorized the FHFA Director to appoint FHFA as conservator or receiver of
the regulated entities. In September 2008, FHFA used its statutory authorities to place the
Enterprises into conservatorship, after it determined that a substantial deterioration in the
housing markets severely damaged their financial condition and left them unable to continue
without government intervention. Now in their 10th year, FHFA’s conservatorships of the
Enterprises are of unprecedented scope, scale, and complexity. Since September 2008, FHFA
has served in a unique dual role for the Enterprises. As conservator, it is charged by HERA to
take actions “necessary to put [Fannie Mae and Freddie Mac] in a sound and solvent condition”;
“appropriate to carry on the business of [Fannie Mae and Freddie Mac]”; and to “preserve and
conserve” their assets. As supervisor, it is tasked by HERA to ensure that the Enterprises operate
safely and soundly so that they can serve as a reliable source of liquidity and funding for housing
finance and community investment.

HERA also authorized the establishment of an OIG to oversee the work of FHFA. FHFA-OIG
began operations in October 2010 when its first Inspector General was sworn in. As a result of
FHFA’s dual responsibilities as regulator of the Enterprises and the FHLBanks and as
conservator of the Enterprises since September 2008, FHFA-OIG’s responsibilities are broader
than those of an OIG for other prudential federal financial regulators because they include
oversight of FHFA’s actions as conservator.

Our mission is to promote economy, efficiency, and effectiveness in the programs and operations
of FHFA and protect it and the entities it regulates against fraud, waste, and abuse. We
accomplish this mission by providing independent, relevant, timely, and transparent oversight of
the Agency and advising the Director of the Agency, Congress, and the public on our findings
and recommendations. In doing so, we further the Agency’s statutory obligation to ensure that
the regulated entities operate in a safe and sound manner and that their operations foster liquid,
efficient, competitive, and resilient national housing finance markets. We also engage in robust
law enforcement efforts to protect the interests of the regulated entities and American taxpayers.

The Value of Independent Oversight in Improving Government Operations

Effective oversight makes government better and fosters positive change. Healthy skepticism
through independent reviews of programs and operations, both by inspectors general and by
Congress, acts as the “disinfectant of sunlight” to ensure a more efficient and effective
government and to identify problems, abuses, and deficiencies.

Based on my professional experience, I have found that, absent such oversight, few organizations
voluntarily make fundamental changes to their programs and operations. I have observed that
change often is driven by three things: a significant failure in a program or operation; intense
scrutiny of that program or operation; and a leadership commitment to change. Independent
oversight by inspectors general and Congress is a critical and necessary ingredient to positive,
constructive change. We seek to be a catalyst for effective management, accountability, and
positive change in FHFA and to hold accountable those, whether inside or outside of the federal
government, who waste, steal, or abuse funds in connection with FHFA and its regulated entities.

Focusing on the Right Things

FHFA has unique responsibilities in its dual roles as regulator of the FHLBanks and as
conservator and regulator of the Enterprises. Despite their high leverage, diminished capital
buffer, conservatorship status, and uncertain future, the Enterprises have grown during
conservatorship and, according to FHFA, their combined market share of newly issued
mortgage-backed securities is more than 60%. As of year-end 2017, the Enterprises collectively
reported approximately $5.4 trillion in assets. As conservator of the Enterprises, FHFA exercises
control over trillions of dollars in assets and billions of dollars in revenue and makes business
and policy decisions that influence and affect the entire mortgage finance industry. As of
year-end 2017, the FHLBanks collectively reported roughly $1.1 trillion in assets. Given the size and
complexity of the regulated entities and the dual responsibilities of FHFA, making the right
choices about what we at FHFA-OIG audit, evaluate, and investigate in our oversight efforts is

To assist in making those choices, we created, in 2015, the Office of Risk Analysis to enhance
our ability to focus our resources on the areas of greatest risk to FHFA. The Office of Risk
Analysis is tasked with identifying, analyzing, monitoring, and prioritizing emerging and
ongoing risks and with educating stakeholders on those issues. Through its work, it has
contributed data and information to our annual risk-based planning process for audits,
evaluations, and compliance reviews. It has also made significant contributions to our online
knowledge library accessible to FHFA-OIG employees.

Equipped with a greater understanding of current and emerging risks, we have established a
rigorous process to develop oversight projects based on risk. Once we begin an oversight
project, we follow the facts, wherever they lead, without fear or favor; report findings that are
supported by sufficient evidence in accordance with professional standards; and recommend
actions tied to our findings. Our goal is to complete each oversight project within its established
timetable and to provide impactful recommendations to FHFA to address deficiencies identified
through our fact-finding.

My experience leading internal investigations as a lawyer in private practice taught me that
recommendations to address deficiencies identified during an investigation require meaningful
follow-up and oversight. To provide that follow-up and oversight, we created, in 2014, the
Office of Compliance and Special Projects (Office of Compliance). That office has several

   •   Closing Recommendations. When FHFA believes that its implementation efforts are well
       underway or that implementation is complete, FHFA provides that information to us,
       along with corroborating documents. We review the materials and representations
       submitted by the Agency to determine whether to close recommendations – and may
       close some recommendations based on the Agency’s representations as to corrective
       actions it has taken. The Office of Compliance consults with each FHFA-OIG division
       prior to the closure of a recommendation to facilitate application of a single standard
       across FHFA-OIG for closing recommendations.

   •   Tracking Recommendations. The Office of Compliance maintains a database in which it
       tracks the status of all recommendations issued by FHFA-OIG in its reports.

   •   Validation Testing. We are not always able to assess, at the time of closure, whether
       the implementation actions by FHFA meet the letter and spirit of the agreed-upon
       recommendation, nor can we always determine, at closure, whether the underlying
       shortcoming has been addressed. The Office of Compliance conducts validation testing
       on a sample of closed recommendations to hold FHFA accountable for the corrective
       actions it has agreed to undertake. We publish the results of that validation testing to
       enable our stakeholders to assess the efficacy of FHFA’s implementation of actions to
       correct the underlying shortcoming. Compliance reviews enhance our ability to stimulate
       positive change in critical areas and promote economy, efficiency, and effectiveness at
       FHFA.[1]

To date, we have issued 10 compliance reviews reporting on the validation testing of 12 closed
recommendations. Our validation testing found that FHFA had fully implemented 6 of those 12
recommendations and had not fully implemented the remaining 6.

Each month, we publish on our website a compendium that sets forth all open recommendations
from our audits, evaluations, and other reports. Because we recognize the importance of
transparency, we also report in this compendium recommendations that have been closed in light
of FHFA’s stated refusal to accept and implement them.

During my tenure as Inspector General, FHFA-OIG has issued 85 reports[2] to alert FHFA
leadership and our stakeholders to significant issues (many of which require corrective action),
which included 117 recommendations to address identified shortcomings.[3] Of those 117
recommendations, FHFA fully agreed to 95, or roughly 81%.

During this same period, we questioned costs of more than $104 million. Additionally, our civil
investigations during this period resulted in more than $22 billion in settlements and other
monetary results, and our criminal investigations resulted in more than $784 million in
forfeitures, restitution, and other monetary results.

Priorities and Challenges

Our risk-based work plan focuses on four significant management and performance challenges
facing FHFA that we have identified and reported.[4] They are:

    •   Conservatorship of the Enterprises
    •   Supervision of the Regulated Entities
    •   Cybersecurity
    •   Counterparties and Third Parties

[1] The Office of Compliance also conducts reviews and administrative investigations of hotline complaints alleging
non-criminal misconduct and undertakes special projects.

[2] This total includes performance audits of FHFA’s information security and privacy programs and its
implementation of specific security and privacy controls as directed by the Cybersecurity Act of 2015, but does
not include performance audits of FHFA-OIG’s information security program. Those audits were performed by an
independent public accounting firm at the direction and oversight of FHFA-OIG’s Office of Audits.

[3] Oversight by FHFA-OIG is not limited to independent oversight through audits, inspections, and investigations.
We also conduct independent oversight through evaluations, compliance reviews, management alerts, status and
special reports, and white papers.

[4] OIG, Fiscal Year 2018 Management and Performance Challenges (October 15, 2017) (online at

At the request of this Subcommittee, my written testimony focuses on one of these four
challenges: Supervision of the Regulated Entities.

FHFA’s Supervision of the Enterprises

As FHFA Director Watt has observed in testimony, Fannie Mae and Freddie Mac would be
Systemically Important Financial Institutions (SIFIs), but for the conservatorships, and are
subject to the heightened supervision requirements for SIFIs, except that they are supervised by
FHFA, not the Federal Reserve. Because the asset size of the FHLBanks and Office of Finance,
together, is a fraction of the asset size of the Enterprises and because the Enterprises are in
conservatorship, we determined that the magnitude of risk is significantly greater for the
Enterprises and, accordingly, the majority of our work on supervision issues has focused on
FHFA’s supervision of the Enterprises.

During my tenure, FHFA-OIG has issued 29 reports involving FHFA’s supervision program for
the Enterprises. In these reports, we found this supervision program to be burdened by both
design and execution shortcomings.

Over an 18-month period from June 2015 to December 2016, we assessed the supervision
program for the Enterprises in 12 reports. We found a number of shortcomings and made
recommendations designed to address these shortcomings and upgrade FHFA’s supervision
program. Based on our assessments, we identified four recurring themes reflected in these
shortcomings. We issued a roll-up report, in December 2016, in which we discussed each of
these four themes.[5] They are:

    •   Many FHFA supervisory standards and much of its guidance lack the rigor of those
        issued by other federal financial regulators;
    •   The flexible and less prescriptive nature of many FHFA standards and much of its
        guidance has resulted in inconsistent supervisory practices;
    •   Where clear standards and guidance for specific elements of FHFA’s supervisory
        program exist, examiners have not consistently followed them; and
    •   FHFA lacks adequate assurance that its supervisory resources are devoted to examining
        the highest risks of the Enterprises.

[5] Safe and Sound Operation of the Enterprises Cannot Be Assumed Because of Significant Shortcomings in FHFA’s
Supervision Program for the Enterprises (December 15, 2016) (OIG-2017-003) (online at

Since December 2016, we have issued an additional 17 reports addressing other aspects of
FHFA’s supervision program for the Enterprises, and the findings of those reports demonstrate
that the concerns reflected in these four themes have continued. A list of the 29 reports follows
this written testimony.

Provided below are several examples of each theme from our issued reports.

   •   Many FHFA supervisory standards and much of its guidance lack the rigor of those
       issued by other federal financial regulators. Unlike the Office of the Comptroller of
       the Currency (OCC) and the Federal Reserve, which have supervised large financial
       institutions for decades, FHFA was created in 2008 and has less than 10 years of
       supervisory experience. While it could have used the supervisory standards and guidance
       issued by the OCC and the Federal Reserve as a template, we found that, for a number of
       elements of its supervisory program for the Enterprises, FHFA created its own less
       rigorous standards and guidance or, in some areas, issued no standards or guidance. We
       recommended in several reports that FHFA compare specific supervisory standards and
       guidance to those issued by the OCC and the Federal Reserve and enhance its standards
       and guidance, as warranted. FHFA accepted some of our recommendations and rejected

   •   Flexible and less prescriptive nature of many FHFA standards and much of its guidance
       has resulted in inconsistent supervisory practices. Because FHFA has determined, in
       many areas, to issue sparse guidance and standards and/or has elected not to issue
       templates or instructions, we found that FHFA examiners had significant discretion in
       a number of critical supervisory areas. As our reports make clear, the exercise of this
       discretion has led to inconsistent supervisory practices and has limited the utility of some
       examiner work products. We recommended that FHFA develop standards and guidance,
       or enhance existing standards and guidance, to establish benchmarks against which to
       assess examiners’ work products and to assure itself that there is an adequate, supportable
       basis for its supervisory conclusions. FHFA agreed with many, but not all, of these

   •   Where clear standards and guidance for specific elements of FHFA’s supervisory
       program exist, examiners have not consistently followed them. Our work has identified a
       number of areas in which FHFA examiners, in contravention of requirements issued by
       FHFA, failed to follow those requirements. By way of example, those include: issuance
       of revised supervisory plans without risk-related reasons; failure to create and maintain
       complete supervisory documentation in the official system of records; failure to ensure
       issuance of the annual reports of examination to Enterprise directors and obtain written
       affirmations that supervisory concerns will be addressed; failure to consistently conduct
       and document independent assessments of the Enterprises’ remediation activities during
       the period of ongoing remediation; and failure to establish a comprehensive quality
       control review process for examinations over a four-year period. In our view, these
       patterns and practices, taken together, demonstrate a lack of commitment to follow
       established requirements.

   •   FHFA lacks adequate assurance that its supervisory resources are devoted to examining
       the highest risks of the Enterprises. Like other federal financial regulators, FHFA
       maintains that it uses a risk-based approach to carry out its supervisory activities. It uses
       the analyses in its risk assessments to prepare an annual supervisory plan that schedules
       specific supervisory activities. Those supervisory activities include targeted
       examinations and ongoing monitoring. According to FHFA, targeted examinations
       enable examiners to conduct a deep or comprehensive assessment of selected areas of
       high importance or risk, while the purpose of ongoing monitoring is to analyze real-time
       information and to use those analyses to identify Enterprise practices and changes in an
       Enterprise’s risk profile that may warrant supervisory attention.

Beginning in 2011, FHFA-OIG questioned whether FHFA had a sufficient number of examiners,
including commissioned examiners, to supervise the Enterprises, and we followed up on that
report in 2013. Building on that work, we conducted an audit in 2016 to determine whether, for
Fannie Mae and Freddie Mac, FHFA (1) supported its 2014 and 2015 high-priority planned
targeted examinations identified in its annual supervisory plans with risk assessments and
completed those planned high-priority examinations; and (2) performed its planned targeted
examinations for each Enterprise from 2012 through 2015 and, if it did not, whether FHFA
documented the deviations from its plan in accordance with policies and procedures.

For Freddie Mac, our audit found that FHFA planned 90 targeted examinations from 2012
through 2015. Of those 90, our audit found that 50 were completed; 17 were cancelled; 4 were
deferred; 7 were converted to ongoing monitoring; 4 were commenced but were not completed;
and 8 lacked documentation as to their disposition. Overall, we found that both the number and
percentage of completed targeted examinations identified in the annual supervisory plans
decreased significantly during this four-year period.

For Fannie Mae, our audit found that 102 targeted examinations were planned from 2012
through 2015. Of these 102, we found that 43 were completed; 19 were cancelled; 9 were
deferred; 14 were converted to ongoing monitoring; 7 were commenced but were not completed;
and 10 lacked documentation as to their disposition. Again, we found that both the number and
percentage of completed targeted examinations that were identified in the annual supervisory
plans decreased significantly during this four-year period. We observed:

         For a federal financial regulator, responsible for supervising two Enterprises that
         together own or guarantee more than $5 trillion in mortgage assets and operate in
         conservatorship, to fail to complete a substantial number of planned targeted
         examinations, including completing none of its 2015 planned targeted
         examinations for Fannie Mae within the 2015 supervisory cycle, is an unsound
         supervisory practice and strategy.

In 2017, we audited whether planned supervisory activities relating to cybersecurity risk
management at each Enterprise for the 2016 examination cycle were completed during that
cycle, in light of FHFA’s representations in its 2015 Performance and Accountability Report that
“a key objective of FHFA’s supervisory work will continue to be the effective oversight of how
each Enterprise manages cyber risks and addresses vulnerabilities.”

For Freddie Mac, our audit found FHFA planned two targeted examinations and three ongoing
monitoring activities relating to cybersecurity risks at Freddie Mac for the 2016 supervisory
cycle. (It also planned an ongoing monitoring activity to oversee Freddie Mac’s effort to
remediate a Matter Requiring Attention (MRA) issued previously.[6]) We found that FHFA did
not complete one of its planned targeted examinations until after the 2016 Report of Examination
issued to Freddie Mac in March 2017, and deferred the other. We also found that FHFA
completed the three planned ongoing monitoring activities relating to cybersecurity risks at
Freddie Mac (as well as the planned MRA remediation ongoing monitoring activity).

For Fannie Mae, our audit found that FHFA planned, based on its 2016 revised supervisory
plan, to conduct one targeted examination and three ongoing monitoring activities relating to
cybersecurity risks at Fannie Mae. (It also planned three ongoing monitoring activities to
oversee Fannie Mae’s efforts to remediate MRAs issued in prior years.) We found that FHFA
completed none of its supervisory activities relating to Fannie Mae’s cybersecurity risks planned
for the 2016 examination cycle during that cycle. (However, we did find that FHFA completed
its three ongoing monitoring activities of Fannie Mae’s remediation of MRAs issued in prior
years and closed them during the 2016 cycle.) We found that FHFA’s failure to complete any of
its planned supervisory activities relating to Fannie Mae’s cybersecurity risks during 2016, a
stated key objective of FHFA’s supervision during 2016, provides additional cause for concern
about the soundness of FHFA’s supervisory practices and strategy.

[6] According to FHFA, an MRA is the most serious examination finding, issued for non-compliance with laws or
regulations, repeat deficiencies, unsafe or unsound practices, significant control weaknesses, and inappropriate risk-

We also assessed, in a compliance review and status reports, FHFA’s efforts to establish
and implement a commissioned examiner program, which it agreed to do in response to a
recommendation in our 2011 evaluation on examiner capacity. As we have reported, FHFA
established a commissioned examiner program in 2013, but we identified a number of
shortcomings in that program, including that it was not on track to produce commissioned
examiners within the four-year completion period. As of March 2017, we found that FHFA
employed a total of 45 commissioned examiners, all of whom received FHFA commissions
based on prior commissions awarded by other financial regulators, which was five more than the
40 commissioned examiners employed by FHFA in 2011. At that time, FHFA had not graduated
any examiners from its commissioned examiner program.

These 29 reports on FHFA’s supervision of the Enterprises contained 56 recommendations to
address the shortcomings that we found. FHFA agreed in full to 38 of them, or 68%.[7]

Based on our fact-finding and analysis, we cautioned stakeholders in December 2016 that the
safe and sound operation of Fannie Mae and Freddie Mac cannot be assumed because of
significant shortcomings in FHFA’s supervision program. While the Deputy Inspectors
General of our Audits and Evaluations offices have recently observed some signs indicating
improvements in the supervision program, it is too early to assess whether these improvements
are sustainable. As our recommendations make plain, clearer standards and guidance, training,
responsibility, and accountability are necessary to remediate the shortcomings we have
identified. At this juncture, we have not observed sufficient, sustained improvements to warrant
removal of our caution.

FHFA-OIG’s caution, however, should not be understood as our having concluded that the
Enterprises are not being operated in a safe and sound manner. Pursuant to HERA, the
obligation to reach a safety and soundness conclusion rests with the FHFA Director.[8] According
to FHFA, each annual report that it issues to Congress “meets the requirement of the Federal
Housing Enterprises Financial Safety and Soundness Act of 1992, as amended by the Housing
and Economic Recovery Act of 2008 (HERA), that FHFA submit a report to Congress
describing the actions undertaken by FHFA to carry out its statutory responsibilities, including
a description of the financial safety and soundness of the entities the Agency regulates.”[9] In
contrast, FHFA-OIG does not have the statutory charter to reach safety and soundness decisions.
Our mandate, under the Inspector General Act, as amended, is to oversee the programs and
operations of FHFA, which we do. The work we do does not provide us with a sufficient basis
on which to make such a safety and soundness assessment for either Enterprise.

[7] For the remaining 18, FHFA rejected 9 and “partially agreed” with 9.

[8] According to FHFA, its examination framework consists of seven components: Capital; Asset quality;
Management; Earnings; Liquidity; Sensitivity to market risk; and Operational risk (together, called CAMELSO).
See FHFA’s 2016 Report to Congress, at 1. On an annual basis, FHFA rates each component on a scale of 1 to 5

FHFA’s Supervision of the Federal Home Loan Banks

As explained earlier, we determined that the magnitude of the supervision risk is greater for
the Enterprises, both because the asset size of the FHLBanks and Office of Finance, together,
is a fraction of the asset size of the Enterprises and the Enterprises are in conservatorship.
Accordingly, the majority of our work on supervision issues has focused on FHFA’s supervision
of the Enterprises. By statute, FHFA must conduct an annual examination of each FHLBank,
and our reports have found that such examinations have been conducted as mandated.

During my tenure, we have issued 10 reports on different elements of FHFA’s supervision
program for the FHLBanks. For a number of these elements, we found that FHFA has issued
prescriptive standards and guidance for its bank examiners and those examiners have largely
followed those standards and guidance. We also looked at a number of the same discrete
elements of FHFA’s supervision programs for the Enterprises and the FHLBanks where FHFA
had issued the same standards and guidance and found that FHFA’s bank examiners largely
complied with those standards and guidance. Where our reports identified shortcomings, we
made two recommendations to address those shortcomings. FHFA agreed with both of those


Currently, FHFA serves in a unique role: it is both conservator of and regulator for the
Enterprises and regulator for the FHLBanks. Its duties as conservator of the Enterprises, which
together own or guarantee more than $5 trillion in mortgages, are fundamentally different from
its responsibilities as their supervisor. FHFA’s stakeholders, including the Congress, American
taxpayers, and others, expect FHFA, as conservator, to ensure that both Enterprises are
effectively governed and employ sound risk management practices; they also expect FHFA, as
regulator, to exercise vigilant supervision of its regulated entities to ensure that they operate in a
safe and sound manner.

[8] (continued) and then assigns a composite rating, which it reports in its annual report of examination to each of its regulated
entities. Id. at Executive Summary.

[9] See, e.g., Cover Letter from FHFA Director Watt to FHFA’s 2016 Report to Congress.

FHFA-OIG has focused its efforts on four serious management and performance challenges it
has identified to FHFA. To fulfill its responsibilities, FHFA must continue its efforts to address
these challenges.

I thank this Subcommittee for the opportunity to testify today. I am happy to answer any
questions that you may have.


FHFA Failed to Ensure Freddie Mac’s Remedial Plans for a Cybersecurity MRA Addressed
All Deficiencies; as Allowed by its Standard, FHFA Closed the MRA after Independently
Determining the Enterprise Completed its Planned Remedial Actions (March 28, 2018) (AUD-
2018-008) (online at www.fhfaoig.gov/Content/Files/AUD-2018-

As Allowed by its Standard, FHFA Closed Three Fannie Mae Cybersecurity MRAs after
Independently Determining the Enterprise Completed its Planned Remedial Actions (March 28,
2018) (AUD-2018-007) (online at www.fhfaoig.gov/Content/Files/AUD-2018-

FHFA’s Adoption of Clear Guidance on the Review of the Enterprises’ Internal Audit Work
When Assessing the Sufficiency of Remediation of Serious Deficiencies Would Assist FHFA
Examiners (March 28, 2018) (EVL-2018-003) (online at www.fhfaoig.gov/Content/Files/EVL-

FHFA Requires the Enterprises’ Internal Audit Functions to Validate Remediation of Serious
Deficiencies but Provides No Guidance and Imposes No Preconditions on Examiners’ Use of
that Validation Work (March 28, 2018) (EVL-2018-002) (online at

FHFA Should Address the Potential Disparity Between the Statutory Requirement for Fraud
Reporting and its Implementing Regulation and Advisory Bulletin (March 23, 2018) (COM-
2018-002) (online at
www.fhfaoig.gov/Content/Files/2018 03 23%20Enterprise%20Fraud%20Reporting.FINAL .pdf)

FHFA Completed its Planned Procedures for a 2016 Representation and Warranty Framework
Targeted Examination at Freddie Mac, but the Supporting Workpapers Did Not Sufficiently
Document the Examination Work (March 13, 2018) (AUD-2018-006) (online at

FHFA Completed its Planned Procedures for a 2015 Representation and Warranty Framework
Targeted Examination at Fannie Mae, but Did Not Document a Change to Planned Testing
(March 13, 2018) (AUD-2018-005) (online at www.fhfaoig.gov/Content/Files/AUD-2018-

FHFA Did Not Complete All Planned Supervisory Activities Related to Cybersecurity Risks at
Freddie Mac for the 2016 Examination Cycle (September 27, 2017) (AUD-2017-011) (online at

FHFA Failed to Complete Non-MRA Supervisory Activities Related to Cybersecurity Risks at
Fannie Mae Planned for the 2016 Examination Cycle (September 27, 2017) (AUD-2017-010)
(online at www.fhfaoig.gov/Content/Files/AUD-2017-
010%20FNM%20Cyber%20Examinations%20Redacted Redacted.pdf)

FHFA’s 2015 and 2016 Supervisory Activities, as Planned, Addressed Identified Risks with
Freddie Mac’s New Representation and Warranty Framework (September 22, 2017) (AUD-
2017-009) (online at www.fhfaoig.gov/Content/Files/AUD-2017-

FHFA’s 2015 Report of Examination to Fannie Mae Failed to Follow FHFA’s Standards
Because it Reported on an Incomplete Targeted Examination of the Enterprise’s New
Representation and Warranty Framework (September 22, 2017) (AUD-2017-008) (online at

The Gap in FHFA’s Quality Control Review Program Increases the Risk of Inaccurate
Conclusions in its Reports of Examination of Fannie Mae and Freddie Mac (August 17, 2017)
(EVL-2017-006) (online at www.fhfaoig.gov/Content/Files/EVL-2017-006.pdf)

FHFA’s Compliance with its Documentary Standards for Issuing Housing Finance Examiner
Commissions (July 25, 2017) (COM-2017-004) (online at

Closure of OIG Review of FHFA’s Supervision of an Enterprise’s Remediation of Matters
Requiring Attention (June 12, 2017) (ESR-2017-005) (online at

FHFA’s Practice for Rotation of its Examiners Is Inconsistent between its Two Supervisory
Divisions (March 28, 2017) (EVL-2017-004) (online at www.fhfaoig.gov/Content/Files/EVL-2017-

Update on FHFA’s Implementation of its Housing Finance Examiner Commission Program
(March 22, 2017) (COM-2017-003) (online at

FHFA’s Examinations Have Not Confirmed Compliance by One Enterprise with its Advisory
Bulletins Regarding Risk Management of Nonbank Sellers and Servicers (December 21, 2016)
(EVL-2017-002) (online at www.fhfaoig.gov/Content/Files/EVL-2017-002.pdf)

FHFA’s Targeted Examinations of Freddie Mac: Just Over Half of the Targeted Examinations
Planned for 2012 through 2015 Were Completed (September 30, 2016) (AUD-2016-007) (online
at www.fhfaoig.gov/Content/Files/AUD-2016-007.pdf)

FHFA’s Targeted Examinations of Fannie Mae: Less than Half of the Targeted Examinations
Planned for 2012 through 2015 Were Completed and No Examinations Planned for 2015 Were
Completed Before the Report of Examination Issued (September 30, 2016) (AUD-2016-006)
(online at www.fhfaoig.gov/Content/Files/AUD-2016-006.pdf)

FHFA’s Supervisory Planning Process for the Enterprises: Roughly Half of FHFA’s 2014 and
2015 High-Priority Planned Targeted Examinations Did Not Trace to Risk Assessments and
Most High-Priority Planned Examinations Were Not Completed (September 30, 2016) (AUD-
2016-005) (online at www.fhfaoig.gov/Content/Files/AUD-2016-005.pdf)

FHFA Failed to Consistently Deliver Timely Reports of Examination to the Enterprise Boards
and Obtain Written Responses from the Boards Regarding Remediation of Supervisory
Concerns Identified in those Reports (July 14, 2016) (EVL-2016-009) (online at

FHFA’s Failure to Consistently Identify Specific Deficiencies and Their Root Causes in Its
Reports of Examination Constrains the Ability of the Enterprise Boards to Exercise Effective
Oversight of Management’s Remediation of Supervisory Concerns (July 14, 2016) (EVL-2016-
008) (online at www.fhfaoig.gov/Content/Files/EVL-2016-008.pdf)

FHFA’s Inconsistent Practices in Assessing Enterprise Remediation of Serious Deficiencies and
Weaknesses in its Tracking Systems Limit the Effectiveness of FHFA’s Supervision of the
Enterprises (July 14, 2016) (EVL-2016-007) (online at www.fhfaoig.gov/Content/Files/EVL-2016-

FHFA’s Supervisory Standards for Communication of Serious Deficiencies to Enterprise
Boards and for Board Oversight of Management’s Remediation Efforts are Inadequate (March
31, 2016) (EVL-2016-005) (online at www.fhfaoig.gov/Content/Files/EVL-2016-005.pdf)

FHFA’s Examiners Did Not Meet Requirements and Guidance for Oversight of an
Enterprise’s Remediation of Serious Deficiencies (March 29, 2016) (EVL-2016-004) (online at

FHFA Should Map Its Supervisory Standards for Cyber Risk Management to Appropriate
Elements of the NIST Framework (March 28, 2016) (EVL-2016-003) (online at

Utility of FHFA’s Semi-Annual Risk Assessments Would Be Enhanced Through Adoption of
Clear Standards and Defined Measures of Risk Levels (January 4, 2016) (EVL-2016-001) (online
at www.fhfaoig.gov/Content/Files/EVL-2016-001 0.pdf)

Intermittent Efforts Over Almost Four Years to Develop a Quality Control Review Process
Deprived FHFA of Assurance of the Adequacy and Quality of Enterprise Examinations
(September 30, 2015) (EVL-2015-007) (online at www.fhfaoig.gov/Content/Files/EVL-2015-

OIG’s Compliance Review of FHFA’s Implementation of Its Housing Finance Examiner
Commission Program (July 29, 2015) (COM-2015-001) (online at
www.fhfaoig.gov/Content/Files/COM-2015-001 1 0.pdf)