Safe and Sound Operation of the Enterprises Cannot Be Assumed Because of Significant Shortcomings in FHFA's Supervision Program for the Enterprises

Published by the Federal Housing Finance Agency, Office of Inspector General on 2016-12-15.

Federal Housing Finance Agency
Office of Inspector General

OIG Report • OIG-2017-003 • December 15, 2016

               Executive Summary
               The Federal Housing Finance Agency (FHFA or Agency) plays a unique
               role as both conservator and regulator for Fannie Mae and Freddie Mac
               (collectively, the Enterprises) and as regulator for the Federal Home Loan
               Banks (FHLBanks). As FHFA recognizes, effective supervision of the entities
               it regulates is fundamental to ensuring their safety and soundness. Within
               FHFA, the Division of Federal Home Loan Bank Regulation (DBR) is
               responsible for supervision of the FHLBanks and the Division of Enterprise
               Regulation (DER) is responsible for supervision of the Enterprises.

               In the FHFA Office of Inspector General (OIG) 2015 and 2016 Audit and
               Evaluation Plans, we explained our intent to focus our resources on programs
               and operations that pose the greatest financial, governance, and reputational
               risk to FHFA, the Enterprises, and the FHLBanks. One of the areas of
               significant risk we identified was FHFA’s rigor in its supervision of the
               Enterprises and the FHLBanks.

               OIG published 12 evaluation, audit, and compliance review reports over the
               past 18 months in which we assessed different critical elements of DER’s
               supervision program for the Enterprises. These elements included:

                    • DER’s assessment of risks at the Enterprises and documentation of
                      those risks in semiannual risk assessments;

                    • DER’s plan for each annual supervisory cycle, based on the results of
                      its risk assessments, and risk-related changes and updates to that plan;

                    • DER’s planned examination procedures for its supervisory activities,
                      which are designed to identify the objectives of the activity and
                      describe the examination steps to be performed, including sampling and
                      testing;

                    • DER’s communication of its findings from its supervisory activities,
                      including its supervisory concerns, to each Enterprise’s board of
                      directors;

                    • DER follow-up on efforts by each Enterprise to correct identified
                      deficiencies throughout the remediation period to ensure that
                      remediation is timely and adequate; and

                    • DER’s communication of its examination conclusions, findings, and
                      composite/component examination ratings after the end of each annual
                      supervisory cycle to each Enterprise board of directors in a written
                      Report of Examination (ROE).

               For each element that we assessed, we found shortcomings and recommended
               actions to address these shortcomings and upgrade DER’s supervisory
               activities. We published reports setting forth the facts, findings, conclusions,
               and recommendations on each of these critical elements. (A listing of these
               reports follows the Table of Contents.) A discussion of our findings, by
               element in DER’s supervision program, can be found in the Management and
               Performance Challenges Memorandum we sent to FHFA on October 6, 2016.
               (See OIG, Fiscal Year 2017 Management and Performance Challenges, at 8-19
               (Oct. 6, 2016) (online at
               www.fhfaoig.gov/Content/Files/FHFA%20management%20challenges%20FY2017.pdf).)

               FHFA steadfastly maintains that its supervision of the Enterprises is effective
               and ensures their safe and sound operation. In our view, our evaluations,
               audits, and compliance review reports, when read together, call into question
               the effectiveness of FHFA’s supervision program for the Enterprises. Among
               our findings was that FHFA had difficulty completing its planned targeted
               examinations over four supervisory cycles from 2012 through 2015 and that
               the number of targeted examinations planned and completed during each
               supervisory cycle has fallen since 2012 for Freddie Mac and has diminished
               significantly for Fannie Mae. We found that no targeted examinations of
               Fannie Mae planned for the 2015 supervisory cycle were completed before the
               annual ROE was issued.

               Based on our assessments of different elements of DER’s supervision program,
               we identified four recurring themes. In this roll-up of these 12 reports, we
               discuss each of the following themes:

                    • FHFA lacks adequate assurance that DER’s supervisory resources are
                      devoted to examining the highest risks of the Enterprises;

                    • Many supervisory standards and guidance issued by FHFA and DER
                      lack the rigor of those issued by other federal financial regulators;

                    • The flexible and less prescriptive nature of many requirements and
                      guidance promulgated by FHFA and DER has resulted in inconsistent
                      supervisory practices; and

                    • Where clear requirements and guidance for specific elements of DER’s
                      supervisory program exist, DER Examiners-in-Charge (EICs) and
                      examiners have not consistently followed them.

               Although FHFA asserted in its management responses that it was generally
               receptive toward our recommendations, it rejected a number of them and did
               not propose alternative corrective actions for most of the recommendations it
               rejected. Given FHFA’s disagreement with a number of our recommendations
               to correct shortcomings identified in our reports as well as its unwillingness to
               propose alternative corrective actions, it is our view that these elements of
               DER’s supervisory program remain deficient. It remains to be seen whether
               the corrective actions that FHFA has agreed to take to address other
               shortcomings identified by us will, in fact, be implemented effectively.

               Together, the Enterprises own or guarantee nearly $5 trillion in mortgages and
               are among the largest financial institutions in this country. Should either or
               both Enterprises sustain losses in the future that exceed their decreasing capital
               reserves, the U.S. Treasury—and the American taxpayers—will be on the hook
               for those losses. Pursuant to HERA, FHFA is charged with ensuring the safety
               and soundness of the Enterprises. Without prompt and robust Agency
               attention to address the shortcomings we have identified, we caution
               stakeholders that the safe and sound operation of the Enterprises cannot be
               assumed from FHFA’s current supervisory program.

               Other regulators have sought the assistance of independent third parties in
               assessing the effectiveness of their supervision programs. In 1997 and again in
               2009, the Federal Reserve Bank of New York retained an outside independent
               expert to assess the effectiveness of its supervisory procedures and its internal
               processes to understand and foresee systemic problems and undertook internal
               initiatives to improve its practices and procedures. In 2013, the Office of the
               Comptroller of the Currency (OCC) asked a team of international regulators to
               provide an independent perspective on the OCC’s approach to the supervision
               of large and midsize banks and thrifts and, based on that team’s
               recommendations, the OCC reorganized its supervision programs and
               instituted practices designed to foster better communication and assessment
               of risks, among other things. FHFA has acknowledged that it considers the
               guidance and examination practices of its peer financial regulators when
               developing its own guidance and requirements. In view of FHFA’s
               unwillingness to accept a number of OIG recommendations to address
               shortcomings in critical elements of DER’s supervision program, we believe it
               would be prudent for FHFA to follow the lead of the Federal Reserve of New
               York and the OCC and engage independent external experts to review different
               critical elements of DER’s supervision program.

               This report was prepared by Kyle D. Roberts, Deputy Inspector General for
               Evaluations; Angela Choy, Assistant Inspector General for Evaluations;
               Marla A. Freedman, Deputy Inspector General for Audits; Robert Taylor,
               Assistant Inspector General for Audits; Richard Parker, Deputy Inspector
               General for Compliance and Special Projects; and David Frost, Assistant
               Inspector General for Compliance and Special Projects, with assistance from
               Jon Anders, Program Analyst. We appreciate the cooperation of FHFA staff,
               as well as the assistance of all those who contributed to the preparation of this
               report.

               The audits summarized in this report were conducted in accordance with
               generally accepted government auditing standards. The evaluations and
               compliance review summarized in this report were conducted in accordance
               with the Council of the Inspectors General on Integrity and Efficiency’s
               Quality Standards for Inspection and Evaluations (January 2012).

               This report has been distributed to Congress, the Office of Management and
               Budget, and others and will be posted on our website, www.fhfaoig.gov.

TABLE OF CONTENTS

EXECUTIVE SUMMARY

OIG’S RECENT REPORTS ON FHFA’S SUPERVISION PROGRAM FOR THE ENTERPRISES

ABBREVIATIONS

OVERVIEW
      1. FHFA Lacks Adequate Assurance that Sufficient Supervisory Resources Are
      Devoted to Examining the Highest Risks of the Enterprises
             Employing Risk Assessments in Supervisory Planning
             Completion of Targeted Examinations Planned in Annual Approved
             Supervisory Plans
             Housing Finance Examiner Commission Program
      2. Many Supervisory Standards and Guidance Issued by FHFA and DER Lack the
      Rigor of Those Issued by Other Federal Financial Regulators
             Standards for Preparation of Risk Assessments
             Standards for Communicating Supervisory Findings to an Enterprise Board of
             Directors and Prompt Remediation of Matters Requiring Attention
             Standards for the Content of Its Annual Reports of Examination
             Standards for Examiner Supervision of Enterprise Remediation of Serious
             Supervisory Matters
             Standards for Cyber Risk Management by Regulated Entities
      3. The More Flexible and Less Prescriptive Nature of Many Requirements and
      Guidance Promulgated by FHFA and DER Has Resulted in Inconsistent Supervisory
      Practices
             ROE Structure and Content
             Communication of Annual Reports of Examination
             Risk Assessments
             Examiner Review and Approval of Enterprise Remediation Plans to Address
             MRAs and Review of Completed Remediation Efforts by an Enterprise
      4. Where Clear Requirements and Guidance for Specific Elements of DER’s
      Supervisory Program Exist, DER Examiners-in-Charge and Examiners Have Not
      Consistently Followed Them
             Changes to Approved Supervisory Plans for Non Risk-Related Reasons in
             Contravention of DER Requirements
             Lack of Complete Supervisory Documentation in DER’s Official System of
             Records in Contravention of FHFA Requirements
             Failure to Ensure Issuance of the Annual ROEs to Enterprise Directors and
             Obtain Written Affirmations from Enterprise Directors that Supervisory
             Concerns Will Be Remediated in Contravention of FHFA Requirements
             Failure to Oversee Enterprise Remediation of Serious Supervisory Matters in
             Disregard of FHFA Requirements
             Intermittent Efforts Over Almost Four Years to Develop a Quality Control
             Review Process Deprived FHFA of the Assurance of the Adequacy and Quality
             of DER’s Supervisory Activities

CONCLUDING OBSERVATIONS

FHFA COMMENTS AND OIG RESPONSE

APPENDIX: FHFA COMMENTS TO OIG REPORT

ADDITIONAL INFORMATION AND COPIES

OIG’S RECENT REPORTS ON FHFA’S SUPERVISION PROGRAM FOR THE ENTERPRISES

FHFA’s Targeted Examinations of Freddie Mac: Just Over Half of the Targeted
Examinations Planned for 2012 through 2015 Were Completed (Sept. 30, 2016)
(AUD-2016-007) (online at www.fhfaoig.gov/Content/Files/AUD-2016-007.pdf)

FHFA’s Targeted Examinations of Fannie Mae: Less than Half of the Targeted
Examinations Planned for 2012 through 2015 Were Completed and No Examinations
Planned for 2015 Were Completed Before the Report of Examination Issued (Sept. 30,
2016) (AUD-2016-006) (online at www.fhfaoig.gov/Content/Files/AUD-2016-006.pdf)

FHFA’s Supervisory Planning Process for the Enterprises: Roughly Half of FHFA’s
2014 and 2015 High-Priority Planned Targeted Examinations Did Not Trace to Risk
Assessments and Most High-Priority Planned Examinations Were Not Completed (Sept.
30, 2016) (AUD-2016-005) (online at www.fhfaoig.gov/Content/Files/AUD-2016-005.pdf)

FHFA Failed to Consistently Deliver Timely Reports of Examination to the Enterprise
Boards and Obtain Written Responses from the Boards Regarding Remediation of
Supervisory Concerns Identified in those Reports (July 14, 2016) (EVL-2016-009) (online
at www.fhfaoig.gov/Content/Files/EVL-2016-009.pdf)

FHFA’s Failure to Consistently Identify Specific Deficiencies and Their Root Causes in
Its Reports of Examination Constrains the Ability of the Enterprise Boards to Exercise
Effective Oversight of Management’s Remediation of Supervisory Concerns (July 14,
2016) (EVL-2016-008) (online at www.fhfaoig.gov/Content/Files/EVL-2016-008.pdf)

FHFA’s Inconsistent Practices in Assessing Enterprise Remediation of Serious
Deficiencies and Weaknesses in its Tracking Systems Limit the Effectiveness of FHFA’s
Supervision of the Enterprises (July 14, 2016) (EVL-2016-007) (online at
www.fhfaoig.gov/Content/Files/EVL-2016-007.pdf)

FHFA’s Supervisory Standards for Communication of Serious Deficiencies to
Enterprise Boards and for Board Oversight of Management’s Remediation Efforts are
Inadequate (Mar. 31, 2016) (EVL-2016-005) (online at
www.fhfaoig.gov/Content/Files/EVL-2016-005.pdf)

FHFA’s Examiners Did Not Meet Requirements and Guidance for Oversight of an
Enterprise’s Remediation of Serious Deficiencies (Mar. 29, 2016) (EVL-2016-004) (online
at www.fhfaoig.gov/Content/Files/EVL-2016-004.pdf)



FHFA Should Map Its Supervisory Standards for Cyber Risk Management to
Appropriate Elements of the NIST Framework (Mar. 28, 2016) (EVL-2016-003) (online at
www.fhfaoig.gov/Content/Files/EVL-2016-003.pdf)

Utility of FHFA’s Semi-Annual Risk Assessments Would Be Enhanced Through
Adoption of Clear Standards and Defined Measures of Risk Levels (Jan. 4, 2016)
(EVL-2016-001) (online at www.fhfaoig.gov/Content/Files/EVL-2016-001.pdf)

Intermittent Efforts Over Almost Four Years to Develop a Quality Control Review
Process Deprived FHFA of Assurance of the Adequacy and Quality of Enterprise
Examinations (Sept. 30, 2015) (EVL-2015-007) (online at
www.fhfaoig.gov/Content/Files/EVL-2015-007.pdf)

OIG’s Compliance Review of FHFA’s Implementation of Its Housing Finance Examiner
Commission Program (July 29, 2015) (COM-2015-001) (online at
www.fhfaoig.gov/Content/Files/COM-2015-001_1_0.pdf)




ABBREVIATIONS

AB                 Advisory Bulletin

DBR                Division of Federal Home Loan Bank Regulation

DER                Division of Enterprise Regulation

Enterprises        Fannie Mae and Freddie Mac, collectively

FDIC               Federal Deposit Insurance Corporation

Federal Reserve    Board of Governors of the Federal Reserve System

FFIEC              Federal Financial Institutions Examination Council

FHFA               Federal Housing Finance Agency

FHLBank            Federal Home Loan Bank

HFE                Housing Finance Examiner

IMS                Information Management System

MRA                Matter Requiring Attention

NCUA               National Credit Union Administration

OCC                Office of the Comptroller of the Currency

OIG                FHFA Office of Inspector General

OPB                Operating Procedures Bulletin

OQA                Office of Quality Assurance

ROE                Report of Examination

SD                 Supervision Directive




OVERVIEW

FHFA’s appointment as conservator of the Enterprises did not suspend its statutory
responsibilities to ensure that each Enterprise operates in a safe and sound manner so that
they serve as a reliable source of liquidity and funding for housing finance and community
investment.1 Within FHFA, DER is charged with responsibility for supervision of the
Enterprises.

The Enterprises’ financial condition in September 2008 threatened their ability to perform
their mission and prompted FHFA to place them into conservatorship. To date, the
Enterprises have received $187.5 billion in financial support from U.S. taxpayers to enable
them to fulfill their public mission and integral role in the secondary mortgage market.2 The
Enterprises are unable to accumulate a financial cushion to absorb future losses. Pursuant to
the terms of their agreements with Treasury, the Enterprises are required to pay Treasury each
quarter a dividend equal to the excess of their net worth over an applicable capital reserve
amount, which will decrease to zero by January 1, 2018. If they sustain losses that lead them
to report a negative net worth after that time, the Enterprises would be obligated to draw more
taxpayer funds.3 Therefore, their safe and sound operation is critical. Without timely and
robust supervision by FHFA, stakeholders lack full assurance of the safe and sound operation
of the Enterprises.

Over the past 18 months, we published a dozen evaluation, audit, and compliance review
reports in which we assessed different elements of DER’s supervisory program and found
significant shortcomings. Based on our findings, we identified four recurrent themes, which
we now discuss.4




1
  12 U.S.C. § 4513(a)(1)(A), (B)(i)-(ii). See also Melvin L. Watt, FHFA Director, Prepared Remarks at the
Bipartisan Policy Center (Feb. 18, 2016) (discussing FHFA’s fulfillment of its dual roles as conservator and
regulator of the Enterprises) (online at
www.fhfa.gov/Media/PublicAffairs/Pages/Prepared-Remarks-Melvin-Watt-at-BPC.aspx).
2
  Following payment of their expected fourth quarter dividends, the Enterprises will have paid a total of $255.8
billion in dividends to the U.S. Treasury.
3
 OIG, The Continued Profitability of Fannie Mae and Freddie Mac Is Not Assured, at 2, 3 (Mar. 18, 2015)
(WPR-2015-001) (online at www.fhfaoig.gov/Content/Files/WPR-2015-001.pdf).
4
  In the Management and Performance Challenges memorandum we sent to FHFA on October 6, we discuss
our findings by element. See OIG, Fiscal Year 2017 Management and Performance Challenges, at 8-19 (Oct.
6, 2016) (online at www.fhfaoig.gov/Content/Files/FHFA%20management%20challenges%20FY2017.pdf).



1. FHFA Lacks Adequate Assurance that Sufficient Supervisory Resources Are Devoted
   to Examining the Highest Risks of the Enterprises

Like other federal financial regulators, FHFA maintains that it uses a risk-based approach
to carry out its supervisory activities. Supervision by risk requires a comprehensive, risk-
focused view of each regulated entity so that supervisory activities can be tailored to the risks
with the highest supervisory concerns. Based on the analysis in its risk assessments, DER is
to prepare an annual supervisory strategy followed by a supervisory plan that schedules the
specific supervisory activities it intends to conduct during the year. Those supervisory
activities include targeted examinations and ongoing monitoring.

In a number of our reports, we found that DER has not carried out key elements of its
supervisory responsibilities, which, in our view, calls into question whether DER has devoted
sufficient supervisory resources to examining the Enterprises’ highest risks.

    Employing Risk Assessments in Supervisory Planning

According to FHFA’s Examination Manual, risk assessments provide the critical foundation
for developing annual supervisory plans for the entities it regulates. FHFA requires all risk
assessments to be updated semiannually and “as significant changes to the risk profile occur.”
FHFA examiners are then able to leverage their resources by focusing their supervisory
activities around the risks identified as posing the highest supervisory concerns in the risk
assessments.

We found in an audit report entitled FHFA’s Supervisory Planning Process for the
Enterprises: Roughly Half of FHFA’s 2014 and 2015 High-Priority Planned Targeted
Examinations Did Not Trace to Risk Assessments and Most High-Priority Planned
Examinations Were Not Completed that DER had not used the risk assessments completed by
its examiners for their stated purpose.5 Of the 61 high-priority targeted examinations planned
for both Enterprises for the 2014 and 2015 supervisory cycles, we were able to trace only 32
to DER risk assessments and were unable to trace the remaining 29—almost half of the total.
The EIC of supervision for each Enterprise acknowledged to us that these planned high-
priority examinations were developed from information obtained by the EICs outside of the
risk assessments.6 Additionally, examiners did not revise the risk assessments, as required by
FHFA to document the newly acquired information. For the 2014 and 2015 supervisory
cycles, we found that DER risk assessments did not provide the critical foundation for almost
half of the planned high-priority targeted examinations.

We also found that none of DER’s risk assessments rated the severity of the identified risks.
DER examiners lack guidance on prioritizing planned targeted examinations and are not
required to document the basis for the prioritizations they assign to the planned targeted
examinations. As a consequence, the risk assessments did not support, or link to, the priority
level assigned to each planned targeted examination.7

5
 OIG, FHFA’s Supervisory Planning Process for the Enterprises: Roughly Half of FHFA’s 2014 and 2015
High-Priority Planned Targeted Examinations Did Not Trace to Risk Assessments and Most High-Priority
Planned Examinations Were Not Completed, at 19 (Sept. 30, 2016) (AUD-2016-005) (online at
www.fhfaoig.gov/Content/Files/AUD-2016-005.pdf).
6
 FHFA’s examination teams for Fannie Mae and Freddie Mac are each led by an Examiner-in-Charge (EIC).
According to the Examination Manual, the EIC is “responsible for the planning, execution, and documentation
of each annual examination” and “must ensure that the activities that comprise the examination are consistent
with FHFA examination standards and support examination conclusions, findings (where applicable), and
examination ratings.” See FHFA, FHFA Examination Manual, Examination Program Overview, at 17 (Dec.
19, 2013).
7
 OIG, FHFA’s Supervisory Planning Process for the Enterprises: Roughly Half of FHFA’s 2014 and 2015
High-Priority Planned Targeted Examinations Did Not Trace to Risk Assessments and Most High-Priority
Planned Examinations Were Not Completed, at 18-19, supra note 5. See also OIG, Utility of FHFA’s Semi-
Annual Risk Assessments Would Be Enhanced Through Adoption of Clear Standards and Defined Measures of
Risk Levels, at 13 (Jan. 4, 2016) (EVL-2016-001) (online at
www.fhfaoig.gov/Content/Files/EVL-2016-001.pdf).

    Completion of Targeted Examinations Planned in Annual Approved Supervisory Plans

Based on the analysis in its risk assessments, DER is to prepare an annual supervisory
strategy, and then a supervisory plan that schedules the specific supervisory activities that it
intends to conduct during the year. The supervisory activities include ongoing monitoring
and targeted examinations. According to FHFA, targeted examinations enable examiners to
conduct a deep or comprehensive assessment of selected areas of high importance or risk,
while the purpose of ongoing monitoring is to analyze real-time information and to use those
analyses to identify Enterprise practices and changes in an Enterprise’s risk profile that may
warrant supervisory attention. Because each of these supervisory activities has a separate
purpose, they are not interchangeable.

Each supervisory activity must be carefully planned to ensure effective supervision and
efficient use of FHFA resources. Because targeted examinations constitute a critical
component of DER’s supervisory activities, we examined whether DER examiners conducted
and completed the targeted examinations identified in each supervisory plan for Fannie Mae
and for Freddie Mac from 2012 through 2015. Based on the results of this review, we found
that DER examiners completed less than half of the targeted examinations planned for Fannie
Mae over a four-year period and a bit more than half of the targeted examinations planned for
Freddie Mac over the same period.8 We also found that no targeted examinations of Fannie
Mae planned for the 2015 supervisory cycle were completed before the issuance of the 2015
ROE. As such, the 2015 Fannie Mae ROE could not and did not include the results and
conclusions, findings, and supervisory concerns on these areas deemed by DER to be of the
highest importance or risk for that supervisory cycle.9

For both Enterprises, we found that the number of targeted examinations planned and
completed during an annual supervisory cycle decreased significantly during this four-year
period. The reason repeatedly provided to us by DER officials for this decrease was resource
constraints, notwithstanding the consistent position of DER leadership that DER has an
adequate complement of examiners.10

8
  OIG, FHFA’s Targeted Examinations of Fannie Mae: Less than Half of the Targeted Examinations Planned
for 2012 through 2015 Were Completed and No Examinations Planned for 2015 Were Completed Before the
Report of Examination Issued, at 14 (AUD-2016-006) (Sept. 30, 2016) (online at
www.fhfaoig.gov/Content/Files/AUD-2016-006.pdf), and OIG, FHFA’s Targeted Examinations of Freddie
Mac: Just Over Half of the Targeted Examinations Planned for 2012 through 2015 Were Completed, at 14,
(AUD-2016-007) (Sept. 30, 2016) (online at www.fhfaoig.gov/Content/Files/AUD-2016-007.pdf).
9
  OIG, FHFA’s Targeted Examinations of Fannie Mae: Less than Half of the Targeted Examinations Planned
for 2012 through 2015 Were Completed and No Examinations Planned for 2015 Were Completed Before the
Report of Examination Issued, at 22-23, supra note 8.
10
  Id. at 23, 25 and OIG, FHFA’s Targeted Examinations of Freddie Mac: Just Over Half of the Targeted
Examinations Planned for 2012 through 2015 Were Completed, at 21-22, 24, supra note 8.

     Housing Finance Examiner Commission Program

As noted earlier, FHFA maintains that it uses a risk-based approach to carry out its
supervisory activities like other federal financial regulators. Each of these regulators has
concluded that a risk-focused approach to supervisory examinations demands enhanced
knowledge and skills of examiners. To that end, each of these regulators offers a
commissioning program for its examiners to provide training in the skills needed to employ
successfully a risk-focused approach to examinations.

In a 2011 report, we found that two-thirds of FHFA’s examiners were not commissioned—the
examiners had not completed a structured process of classroom and on the job training that
would provide them with technical competencies and practical examination experience
necessary to lead major risk sections of examinations of the entities regulated by FHFA. We
found, and FHFA agreed, that the efficiency and effectiveness of FHFA’s oversight of its
regulated entities would be strengthened by a sufficient corps of commissioned examiners.

In 2013, the Agency inaugurated its Housing Finance Examiner (HFE) commission program.
Our compliance review, entitled OIG’s Compliance Review of FHFA’s Implementation of Its
Housing Finance Examiner Commission Program, assessed Agency implementation of the
HFE program during a 19-month period from August 2013 to March 2015 and found that the
HFE program was not on track to meet its central objective. Only 1 of 66 enrolled examiners
had submitted records reflecting completion of any of the 16 on the job training requirements.
Given that many of the enrolled examiners failed to progress in meeting the HFE program
requirements during its first 19 months of operation, we determined that their ability to earn
HFE commissions within the projected timeframe of four years or less was at risk.11

                                                 ***

In reports published in 2011 and 2013, we found that FHFA lacked a sufficient number of
examiners to ensure the efficiency and effectiveness of its supervisory program and FHFA
committed to add examiners, which it has done.12 In several recent reports, we found that
DER has not carried out key elements of its supervisory program:

       • Almost half of its planned high-priority targeted examinations for 2014 and 2015
         could not be traced to underlying risk assessments, and none of the risk assessments
         supported the priority assigned to planned targeted examinations, which calls into
         question the utility of the risk assessments and the basis on which priorities are
         assigned to planned targeted examinations;

       • It did not conduct more than half of the targeted examinations it planned for Fannie
         Mae between 2012 and 2015 and did not conduct slightly less than half of the targeted
         examinations it planned for Freddie Mac for that same period; and

       • It failed to implement its commissioning program to develop a corps of commissioned
         examiners with the necessary technical competencies and practical examination
         experience to lead risk-based examinations.

In our view, these significant shortcomings in DER’s execution of its supervisory
responsibilities for the Enterprises lead us to conclude that FHFA lacks adequate assurance
that sufficient supervisory resources are devoted to examining the highest risks of the
Enterprises.



11
  OIG, OIG’s Compliance Review of FHFA’s Implementation of Its Housing Finance Examiner Commission
Program, at 3-4 (COM-2015-001) (July 29, 2015) (online at www.fhfaoig.gov/Content/Files/COM-2015-001_1_0.pdf).
12
   OIG, Evaluation of Whether FHFA Has Sufficient Capacity to Examine the GSEs (Sept. 23, 2011) (EVL-2011-005)
(online at www.fhfaoig.gov/Content/Files/EVL-2011-005.pdf); OIG, Update on FHFA’s Efforts to
Strengthen its Capacity to Examine the Enterprises (Dec. 19, 2013) (EVL-2014-002) (online at
www.fhfaoig.gov/Content/Files/EVL-2014-002.pdf). See also FHFA, Fiscal Year 2015 Federal Housing
Finance Agency Performance and Accountability Report, at 106 (Nov. 16, 2015) (Memorandum to Director
Watt from Inspector General Wertheimer re: Fiscal Year 2016 Management and Performance Challenges)
(online at www.fhfa.gov/AboutUs/Reports/ReportDocuments/FHFA-2015-PAR.pdf).




2. Many Supervisory Standards and Guidance Issued by FHFA and DER Lack the Rigor
   of Those Issued by Other Federal Financial Regulators

FHFA is part of a network of federal financial regulators that are responsible for ensuring the
safety and soundness of the regulated entities under their authority.13 Other federal financial
regulators include, but are not limited to, the OCC, the Board of Governors of the Federal
Reserve System (Federal Reserve), the Federal Deposit Insurance Corporation (FDIC), and
the National Credit Union Administration (NCUA). Each of these agencies conducts
examinations and issues guidance and requirements that govern examinations conducted
under their authority and updates those materials from time to time to reflect adjustments in
supervisory practices.14

FHFA consistently maintains, based on the language of its authorizing statute, that its
supervisory authority over its regulated entities “is virtually identical to—and clearly modeled
on—Federal bank regulators’ supervision of banks.” FHFA’s statutory obligations for
supervision are similar to the obligations imposed on the OCC, Federal Reserve, and FDIC
and FHFA has argued in court that it is entitled to certain privileges afforded to federal
banking regulators.15 FHFA acknowledges that it considers the examination guidance and
policies of other federal financial regulators when developing its own guidance and
requirements.

We compared the requirements and guidance issued by FHFA and DER for four critical
elements of DER’s supervision program to the requirements and guidance adopted by other
federal financial regulators for the same elements. We found that current requirements and
guidance of FHFA and DER are more limited and far less prescriptive than those adopted by
other federal financial regulators for these elements. We now summarize those findings.

     Standards for Preparation of Risk Assessments

The purpose of a risk assessment is to present a comprehensive view of each Enterprise,
identify areas of supervisory concern, serve as a platform for developing a supervisory
strategy, and identify areas for targeted examinations and ongoing monitoring. According to
FHFA’s Examination Manual, risk assessments provide the critical foundation for developing
annual supervisory plans for the entities it regulates. FHFA examiners are then able to
leverage their resources by focusing their supervisory activities around the risks identified as
posing the highest supervisory concerns in the risk assessments.

13
   The FHFA Director and the heads of the banking regulators serve as voting members of the Financial
Stability Oversight Council, which is charged with identifying risks to the financial stability of the U.S.,
promoting market discipline, and responding to emerging risks to the financial system.
14
   The OCC, Federal Reserve, FDIC, and NCUA are members of the Federal Financial Institutions
Examination Council (FFIEC), a formal interagency body created by Congress in 1979 to establish uniform
principles, standards, and report forms for the federal examination of financial institutions and to make
recommendations to promote uniformity in the supervision of financial institutions.
15
  FHFA has successfully asserted the bank examination privilege, which historically is invoked by the OCC
and Federal Reserve to shield from discovery materials relating to its supervision of the Enterprises. See
JPMorgan Chase & Co., 978 F. Supp.2d at 280.

In an evaluation report entitled Utility of FHFA’s Semi-Annual Risk Assessments Would Be
Enhanced Through Adoption of Clear Standards and Defined Measures of Risk Levels, we
compared the standards for risk assessments promulgated by FHFA and DER to those issued
by the OCC, the Federal Reserve, and NCUA and found that FHFA’s flexible guidance fell
far short of the requirements and clear guidance provided by the other regulators.16 We
showed that FHFA’s “loosely defined parameters lack standardized measures of risks,” “do
not define the risk measures that examiners must use,” and “do not require examiners to use
a common format and common, defined measures of risk,” which resulted in a lack of
consistency in defining significant risks and identifying supervisory concerns in risk
assessments for an Enterprise over a period of years.17

In a subsequent audit, we demonstrated that the deficiencies in DER’s risk assessments for
the 2014 and 2015 supervisory cycles created weaknesses in DER’s annual supervisory plans.
We were unable to trace almost half of the targeted examinations planned for those two cycles
to specific risks described in the underlying risk assessments. The then-current EIC for each
Enterprise reported that these exams were planned based on information received outside of
the risk assessments, but neither EIC updated the risk assessments with this information, as
required by FHFA.18

     Standards for Communicating Supervisory Findings to an Enterprise Board of
     Directors and Prompt Remediation of Matters Requiring Attention

Through supervisory activities, FHFA examiners may identify supervisory concerns or
deficiencies at a regulated entity. FHFA categorizes these examination findings into
one of three categories: (1) Matters Requiring Attention (MRAs), (2) Violations, or
(3) Recommendations. According to FHFA, the examiners categorize only “the most serious
supervisory matters” as MRAs. FHFA, along with the OCC and Federal Reserve, charge the
board of directors of a regulated entity with responsibility for ensuring that management
corrects supervisory deficiencies.

16
   OIG, Utility of FHFA’s Semi-Annual Risk Assessments Would Be Enhanced Through Adoption of Clear
Standards and Defined Measures of Risk Levels, at 13, supra note 7.
17
  In response to two of our recommendations, DER revised its internal guidance governing risk assessments in
May 2016. OIG is reviewing DER’s updated guidance to determine if it satisfies our recommendations, and
FHFA has stated its intent to assess the effectiveness of its new process in the first quarter of 2017.
18
  OIG, FHFA’s Supervisory Planning Process for the Enterprises: Roughly Half of FHFA’s 2014 and 2015
High-Priority Planned Targeted Examinations Did Not Trace to Risk Assessments and Most High-Priority
Planned Examinations Were Not Completed, at 17, supra note 5.

For that reason, we compared FHFA’s requirements and guidance for communicating an
MRA to an Enterprise board of directors against the requirements and specific guidance of the
OCC and Federal Reserve. We found that FHFA’s standards fall far short in the evaluation
report FHFA’s Supervisory Standards for Communication of Serious Deficiencies to
Enterprise Boards and for Board Oversight of Management’s Remediation Efforts are
Inadequate. While the OCC and Federal Reserve direct that supervisory findings must be
communicated to the board of a regulated entity, we found that FHFA had no standards
requiring examiners to communicate supervisory findings to Enterprise directors. As a matter
of practice, we determined that DER examiners provided supervisory findings solely to
Enterprise management and relied on Enterprise management to communicate information
about those findings to the Enterprise board.19

In that same evaluation, we compared requirements imposed by the OCC and Federal Reserve
on the boards of directors of regulated entities to review or approve a written plan to correct
MRA deficiencies and to oversee management’s remediation of those deficiencies to FHFA’s
requirements. We learned that the OCC and the Federal Reserve require directors of
regulated entities to review or approve management’s remediation plan, while FHFA places
sole responsibility on Enterprise management to develop and submit a remedial plan to FHFA
without review by Enterprise directors. We found that the OCC and Federal Reserve task
boards of directors of regulated entities with responsibilities to oversee management’s efforts
to implement the proposed remedial measures on an ongoing basis and ensure that
management’s remediation is adequate and timely; FHFA does not.20 In our view, FHFA’s
determination to engage with Enterprise management—typically those who are responsible
for the actions or inactions which led to the MRA—on MRAs and MRA remediation, and
not provide clear supervisory expectations to the boards, creates a significant risk that an
Enterprise board could become no more than a bystander to management’s efforts to
remediate MRAs. As a result, FHFA risks prolonged or inadequate resolution of the most
serious threats to the Enterprises’ safety and soundness.21


19
   OIG, FHFA’s Supervisory Standards for Communication of Serious Deficiencies to Enterprise Boards and
for Board Oversight of Management’s Remediation Efforts are Inadequate, at 12 (Mar. 31, 2016) (EVL-2016-005)
(online at www.fhfaoig.gov/Content/Files/EVL-2016-005.pdf).
20
     Id. at 13-14.
21
  In response to our recommendations, DER revised its internal guidance to direct its examiners-in-charge to
provide to the chairs of the Enterprises’ board audit committees copies of FHFA’s conclusion letters that
communicate results from targeted exams, supervisory letters that convey MRAs resulting from ongoing
monitoring activities, responses to Enterprise remediation plans, and remediation letters that close MRAs.
However, the Agency disagreed with our recommendation that DER share the Enterprises’ MRA remediation
plans and associated timetables with the audit committee chairs.

     Standards for the Content of Its Annual Reports of Examination

Federal financial regulators, including FHFA, use the annual ROE to communicate
supervisory findings and examination ratings to the board of directors of each entity they
regulate because the board of directors is ultimately responsible for ensuring the safety and
soundness of the entity and management’s correction of deficiencies. In 1993, the OCC,
Federal Reserve, and FDIC created the uniform common core ROE, a format developed
collaboratively to provide a common template and to set a minimum standard for the
information provided in an ROE, such as mandatory pages for overall conclusions and
examiner comments, matters requiring the board’s attention, standardized financial condition
assessments, and discussion of each examination rating area.22 The uniformity of ROEs
across regulatory agencies is intended to reduce regulatory burdens and promote consistency.
In a July 2016 evaluation entitled FHFA’s Failure to Consistently Identify Specific
Deficiencies and Their Root Causes in Its Reports of Examination Constrains the Ability of
the Enterprise Boards to Exercise Effective Oversight of Management’s Remediation of
Supervisory Concerns,23 we found that neither FHFA nor DER has issued internal guidance
that mirrors the requirements of these other federal financial regulators.24

22
   The common core ROE has been augmented with agency-specific templates and detailed instructions for
bank examiners, including the requirement to clearly communicate and prioritize supervisory concerns and
deficiencies to the boards of regulated financial institutions. Examiners are also expected to include corrective
actions and record the board’s and management’s commitments to remediation in the ROE.
23
  OIG, FHFA’s Failure to Consistently Identify Specific Deficiencies and Their Root Causes in Its Reports of
Examination Constrains the Ability of the Enterprise Boards to Exercise Effective Oversight of Management’s
Remediation of Supervisory Concerns, at 13, 19 (July 14, 2016) (EVL-2016-008) (online at
www.fhfaoig.gov/Content/Files/EVL-2016-008.pdf).
24
   We also found that FHFA’s current limited guidance on the preparation of an ROE is a significant departure
from—and relaxation of—prior DER guidance. From 2008 through 2013, DER provided instruction on
specific elements included in each ROE in its Supervision Handbook 2.1. This guidance directed that ROEs
include an overall condition statement, a core report section, separate sections addressing each of the six
components covered by the examination rating system in place at that time, and the identification of all MRAs.
DER’s Supervision Handbook 2.1 was superseded by FHFA’s Examination Manual, issued in December 2013,
but the Examination Manual did not incorporate these instructions. FHFA’s resulting wholesale lack of
requirements for ROE content and structure was at odds with the requirements of other federal financial
regulators.
In a response to one of our recommendations, FHFA issued internal guidance to require that all open MRAs be
included in ROEs.




     Standards for Examiner Supervision of Enterprise Remediation of Serious Supervisory
     Matters

Once an MRA issues and a written remediation plan to correct the underlying deficiency is
put into place, federal financial regulators, including FHFA, expect that the regulated entity
will take the specific steps set forth in the plan to address the deficiency. We compared
requirements issued by the OCC and Federal Reserve for examiner follow-up on an entity’s
progress in implementing the corrective actions to FHFA’s requirements and found FHFA’s
requirements provide greater discretion to the EICs. For example, the OCC requires its
examiners on a quarterly basis to: monitor board and management progress in implementing
corrective actions; verify and validate the effectiveness of corrective actions; and perform
timely verification after receipt of documentation. FHFA, however, has no such requirement
for quarterly oversight. While FHFA directs its examiners to engage in ongoing monitoring
“to determine the status of the Enterprise’s compliance with [ ] MRAs,” we found that the
intervals at which examiners must “check and document progress” are “determined by the
[examiner-in-charge] and guided by the remediation plan,” rather than by FHFA requirements
and guidance.25 See FHFA’s Examiners Did Not Meet Requirements and Guidance for
Oversight of an Enterprise’s Remediation of Serious Deficiencies.

     Standards for Cyber Risk Management by Regulated Entities

In addition to the four elements of supervision described above, we compared the supervisory
guidance issued by FHFA in May 2013 on cyber risk management to the cyber security
guidance issued by the Federal Financial Institutions Examination Council (FFIEC) and its
federal regulatory members. We found that FHFA’s guidance was far less prescriptive and
far more flexible than the guidance adopted by FFIEC and its federal regulatory members,
particularly in the areas of security controls implementation and risk assessments. See FHFA
Should Map Its Supervisory Standards for Cyber Risk Management to Appropriate Elements
of the NIST Framework.26


25
   We also found that DER eliminated two requirements directed to examiner oversight of Enterprise
remediation of MRAs. Prior to December 2013, DER required its examiners to submit written reports, on
a quarterly basis, detailing their assessment of an Enterprise’s remediation efforts of MRAs, and limited
approval of requests for extensions of MRA remediation deadlines to the Deputy Director of DER, upon a
showing by the Enterprise of a “convincing case for extending the due date.” FHFA’s Examination Manual,
issued in December 2013, did not include these requirements and DER did not promulgate subsequent internal
guidance to reinstate them. See OIG, FHFA’s Examiners Did Not Meet Requirements and Guidance for
Oversight of an Enterprise’s Remediation of Serious Deficiencies, at 16-17 (Mar. 29, 2016) (EVL-2016-004)
(online at www.fhfaoig.gov/Content/Files/EVL-2016-004.pdf).
26
   OIG, FHFA Should Map Its Supervisory Standards for Cyber Risk Management to Appropriate Elements of
the NIST Framework, at 13-14 (Mar. 28, 2016) (EVL-2016-003) (online at
www.fhfaoig.gov/Content/Files/EVL-2016-003.pdf).



                                            ***

FHFA is one of the links in the chain formed by federal financial regulators to oversee
the nation’s financial system. FHFA’s statutory supervisory obligations are similar to the
obligations imposed on the OCC, Federal Reserve, and FDIC, and FHFA has been afforded
the same privileges as federal banking regulators. We found, however, that FHFA’s
requirements and guidance are less prescriptive and more flexible than the other federal
financial regulators for a number of elements of DER’s supervision program and FHFA has
offered no reason its requirements and guidance should be less robust than those of its peer
regulators. FHFA has consistently rejected our recommendations to revise its requirements
and guidance to align them with those adopted by other federal financial regulators.

3. The More Flexible and Less Prescriptive Nature of Many Requirements and
   Guidance Promulgated by FHFA and DER Has Resulted in Inconsistent Supervisory
   Practices

In our assessments of four elements of DER’s supervisory program, we found that the more
flexible and less prescriptive nature of requirements and guidance issued by FHFA and DER
vests significant discretion in each EIC and examination team, and the exercise of this
discretion has led to a lack of consistent supervisory practices across DER.

   ROE Structure and Content

For the five supervisory cycles we reviewed, we found that FHFA’s requirements and
guidance regarding the structure and content of the ROE consisted of four sentences in its
Examination Manual:

       The report of examination identifies supervisory concerns and contains
       examination ratings that reflect FHFA’s view of the regulated entity’s
       financial safety and soundness and risk management practices. . . . The FHFA
       issues an ROE, signed by the EIC [Examiner-in-Charge]. . . . The ROE
       communicates substantive examination conclusions, findings (when
       applicable), and the composite and component ratings. The ROE must also
       contain analysis that supports the conclusions, findings, and ratings.

FHFA’s Examination Manual contains no standardized ROE template or set of instructions
to guide the examiners’ preparation of an ROE. Beyond Advisory Bulletin (AB) 2012-03,
which announced FHFA’s adoption of the CAMELSO system, FHFA had issued no
additional guidance to examiners to explain the basis on which each component rating should
be determined or the basis on which a composite rating should be assigned. DER issued an
internal procedures bulletin for the preparation of an ROE that simply restates the brief
guidance, quoted above, from the Examination Manual.

As a consequence, we found that each EIC exercised substantial discretion over the content
and structure of the ROE. We determined that the content of the 10 ROEs issued by DER
to the Enterprises during the five supervisory cycles in our review varied by Enterprise and
across the five cycles. These ROEs did not consistently identify or describe specific
supervisory concerns about management practices or the root causes of those concerns. We
also found inconsistent practices in identifying open MRAs in ROEs. The five ROEs issued
to Freddie Mac during the review period contained a list of open MRAs, but three of the five
ROEs issued to Fannie Mae during this period did not.27 None of the seven ROEs that
identified open MRAs tied each open MRA to deficient practices that gave rise to it, which
constrained the directors’ ability to exercise effective oversight.28

     Communication of Annual Reports of Examination

When FHFA adopted its Examination Manual in December 2013, it rescinded then-existing
requirements for communicating directly with a board of directors of a regulated entity about
the ROE results, conclusions, and supervisory concerns. The sole requirement in the
Examination Manual for ROEs is that DER “issue” an annual ROE, signed by the EIC, to the
board of directors of each Enterprise, a requirement that FHFA has imposed since 2013. Even
this lone requirement was not followed: for the three supervisory cycles conducted under the
Examination Manual, we determined that DER’s practice, in general, was to send by email
the final ROE to Enterprise management and leave to each Enterprise’s management the
decision of whether and when to provide the final ROEs to the Enterprise board. The
elimination of other guidance on communications with a board of directors of a regulated
entity about the ROE results, conclusions, and supervisory concerns has acted to vest the EIC
and the individual examination teams to determine:

       • Whether to present orally the ROE results, conclusions, and supervisory concerns to
         an Enterprise board;

       • Whether this presentation occurs before or after the final ROE is issued to an
         Enterprise board of directors; and

       • Who will participate in any presentation.

27
   Since the issuance of the 2016 ROEs for 2015 examination activities, DER has promulgated internal
guidance instructing the two examination teams to list in the ROEs all MRAs that were open as of the end of
the examination year or that were closed during the examination year. DER revised its guidance in response to
an OIG recommendation, supra note 24.
28
  OIG, FHFA’s Failure to Consistently Identify Specific Deficiencies and Their Root Causes in Its Reports of
Examination Constrains the Ability of the Enterprise Boards to Exercise Effective Oversight of Management’s
Remediation of Supervisory Concerns, at 15-16, supra note 23.

Our review of DER’s practices for ROE issuance in 2014, 2015, and 2016 found divergent
practices between the Fannie Mae and Freddie Mac examination teams, and within the same
examination team, which affected the ability of an Enterprise board to prepare for any
discussion at the presentation. For example, DER examiners did not finalize the Fannie Mae
ROEs, or provide the board with presentation materials, in advance of their presentation to the
Fannie Mae board in two of the three years. See FHFA Failed to Consistently Deliver Timely
Reports of Examination to the Enterprise Boards and Obtain Written Responses from the
Boards Regarding Remediation of Supervisory Concerns Identified in those Reports.29

     Risk Assessments

During our review period, the source of instructions and guidance to DER examiners on risk
assessments was FHFA’s Examination Manual, as supplemented by FHFA’s Supervision
Directive (SD) SD 2013-02, Periodic Risk Assessments, and DER’s Operating Procedures
Bulletin (OPB) 2013-DER-OPB-03.1, Supervisory Planning Process. While FHFA
acknowledges the critical importance of risk assessments in planning its supervisory
activities, its guidance, set forth in its Examination Manual, is approximately three-quarters of
one page. FHFA’s Examination Manual provides no definition of each risk level or the
elements inherent in each risk level. DER’s efforts to supplement FHFA’s guidance, 2013-
DER-OPB-03, a three-page list of “risk category components and evaluative factors” and
detailed guidance on risk category components and evaluative factors, was revised five weeks
later to one-half page, in 2013-DER-OPB-03.1, which simply restates the guidance in the
Examination Manual.

FHFA and DER provided no additional requirements or other guidance as to the content of
risk assessments. Neither defined the risk types or minimum risk measures and vested
discretion with each EIC to consider a number of factors. Because FHFA did not require that
risk assessments be prepared using a common format or template with a specific set of risk
measures to analyze risk, each EIC determined which measures to use in assessing risks and
which format to use to present their conclusions. As a result, there have been significant
variations in the content and format of DER’s risk assessments and those variations limited
the utility of these risk assessments in the development of risk-based supervisory plans and as
a tool to compare and contrast risk exposures between the Enterprises.30 Even though both
Enterprises have virtually identical federal charters, substantially comparable business
models, and similar risk profiles, and FHFA prepares side-by-side comparison analyses of
the Enterprises in its published financial performance reports, our efforts to compare the
Enterprises’ respective risk exposures and quality of risk management and to evaluate the
level of consistency between the risk assessments were unsuccessful.

29
  OIG, FHFA Failed to Consistently Deliver Timely Reports of Examination to the Enterprise Boards and
Obtain Written Responses from the Boards Regarding Remediation of Supervisory Concerns Identified in those
Reports, at 15-16 (July 14, 2016) (EVL-2016-009) (online at www.fhfaoig.gov/Content/Files/EVL-2016-009.pdf).

     Examiner Review and Approval of Enterprise Remediation Plans to Address MRAs and
     Review of Completed Remediation Efforts by an Enterprise

FHFA’s AB 2012-01, Categories for Examination Findings, sets forth limited requirements
for examiner oversight of Enterprise remediation of supervisory concerns. According to AB
2012-01, MRAs are the “most serious supervisory matters” and it directs that the remediation
process must begin with “written remediation plans, prepared by the regulated entity” that set
forth corrective action(s) that are acceptable to FHFA. DER, in its internal operating
procedures bulletin 2013-DER-OPB-1, requires its examiners to review each proposed
remediation plan and determine “whether the plan is sufficiently detailed and appropriate to
resolve the MRA.” Neither AB 2012-01 nor 2013-DER-OPB-1 sets forth the steps, if any,
examiners must take to determine whether the proposed remediation plan is “sufficiently
detailed and appropriate to resolve the MRA.” In a July 2016 evaluation report entitled
FHFA’s Inconsistent Practices in Assessing Enterprise Remediation of Serious Deficiencies
and Weaknesses in its Tracking Systems Limit the Effectiveness of FHFA’s Supervision of the
Enterprises, we found significant inconsistency within DER with respect to examiner review
of written Enterprise remediation plans: of the 18 MRAs in our sample, DER examiners
conducted and documented an independent assessment of the sufficiency of 12 proposed
written remediation plans before approving them but did not do so for the remaining 6.31

FHFA has issued no guidance on the specific steps that examiners should take before closing
an MRA. According to DER, the Enterprises’ internal audit departments are responsible for
validating the effectiveness and sustainability of the remedial actions taken by the Enterprises
and DER examiners are responsible to confirm validation. We evaluated the basis for DER’s
closure of eight MRAs in our sample and found that DER examiners independently assessed
the sufficiency of internal audit’s validation of Enterprise remediation of the deficiency
underlying the MRA for five of the eight and accepted the results of the internal audit
validation work for the remaining three.

30
   OIG, Utility of FHFA’s Semi-Annual Risk Assessments Would Be Enhanced Through Adoption of Clear
Standards and Defined Measures of Risk Levels, at 3, 13, supra note 7. As noted above, DER issued new
guidance on the preparation of risk assessments in response to our recommendations, supra note 17.
31
   OIG, FHFA’s Inconsistent Practices in Assessing Enterprise Remediation of Serious Deficiencies and
Weaknesses in its Tracking Systems Limit the Effectiveness of FHFA’s Supervision of the Enterprises, at 21
(July 14, 2016) (EVL-2016-007) (online at www.fhfaoig.gov/Content/Files/EVL-2016-007.pdf).

                                                ***

The determination by FHFA and DER to refrain from adoption of defined requirements
and comprehensive standards for these elements of DER’s supervisory program leaves the
execution of these elements to the discretion of the EICs and examiners. We found that
exercise of discretion has resulted in a lack of consistency in supervisory practices for each
of these elements of DER’s supervisory program.

4. Where Clear Requirements and Guidance for Specific Elements of DER’s
   Supervisory Program Exist, DER Examiners-in-Charge and Examiners Have Not
   Consistently Followed Them

While FHFA and DER largely have issued guidance that is more flexible and less prescriptive
than other federal financial regulators for the same elements of the supervisory program, we
identified five areas where FHFA and/or DER have mandated specific requirements. We
found, however, that DER EICs and examiners have not consistently followed those
directives.

        Changes to Approved Supervisory Plans for Non Risk-Related Reasons in
        Contravention of DER Requirements

Because supervisory planning is a continuous process, supervisory plans may need to be
adjusted during each year to address newly emerging risks that require attention during the
current supervisory cycle. Beginning with the 2014 supervisory cycle, DER requires that
approved supervisory plans shall only be adjusted for risk-related reasons, must be approved
by the EIC, and be fully documented in the examination work papers. For Fannie Mae, we
found that 64 targeted examinations were planned by DER for the 2014 and 2015 cycles and
only 24 were either completed or commenced but not completed as of June 17, 2016. The
remaining 40 (63%) were either not conducted or their dispositions were not documented.
The documentation produced by DER explained the change in status for 33 of the 40, but
reflected risk-related reasons for the change in status for only 11.³² For Freddie Mac, we
found that 54 targeted examinations were planned for the 2014 and 2015 cycles and only 26
were either completed or commenced but not completed as of the end of our field work. The
remaining 28 (52%) were either not conducted or their dispositions were not documented.
The documentation produced by DER explained the change in status for 21 of the 28, but
reflected risk-related reasons for the change in status for only 4.³³

32
  OIG, FHFA’s Targeted Examinations of Fannie Mae: Less than Half of the Targeted Examinations
Planned for 2012 through 2015 Were Completed and No Examinations Planned for 2015 Were Completed
Before the Report of Examination Issued, at 19-20, supra note 8.

        Lack of Complete Supervisory Documentation in DER’s Official System of Records
        in Contravention of FHFA Requirements

According to its operating procedures, DER must ensure that its supervisory planning and
execution is documented and incorporated into official agency records. The Information
Management System (IMS) is DER’s official system of record. Our efforts to track through
IMS whether each planned targeted examination was commenced and completed were not
successful because IMS did not contain sufficient information to permit us to complete the
tracking exercise. Despite repeated requests, DER was unable to provide any documentation
for the disposition of a significant number of planned targeted examinations during four
supervisory cycles.

We concluded that IMS was not complete and that DER lacked documentation to account for
all of its supervisory activities. We also found that DER had no operating controls in place to
ensure that supervisory documentation in IMS was complete and to accurately track the status
of planned targeted examinations through disposition.³⁴

We consider the lack of DER’s documentation supporting its supervisory activities to create a
significant risk exposure.

        Failure to Ensure Issuance of the Annual ROEs to Enterprise Directors and Obtain
        Written Affirmations from Enterprise Directors that Supervisory Concerns Will Be
        Remediated in Contravention of FHFA Requirements

Since December 2013, guidance issued by FHFA has required DER examiners to “issue” the
ROE to the board of directors of each Enterprise. For the 2014 and 2015 supervisory cycles,
we found that DER sent the final ROE to Enterprise management by email and left to
Enterprise management the decision of whether and when to provide the final ROEs to the
Enterprise boards.³⁵

33
  OIG, FHFA’s Targeted Examinations of Freddie Mac: Just Over Half of the Targeted Examinations
Planned for 2012 through 2015 Were Completed, at 19, supra note 8.
34
   OIG, FHFA’s Targeted Examinations of Fannie Mae: Less than Half of the Targeted Examinations
Planned for 2012 through 2015 Were Completed and No Examinations Planned for 2015 Were Completed
Before the Report of Examination Issued, at 23-24, supra note 8, and OIG, FHFA’s Targeted Examinations of
Freddie Mac: Just Over Half of the Targeted Examinations Planned for 2012 through 2015 Were Completed,
at 22, supra note 8.

Since 2013, FHFA has required each Enterprise board to respond in writing to the ROE,
acknowledge review of the ROE, and affirm that corrective action is being taken, or will be
taken, to resolve supervisory concerns. DER has issued internal guidance to underscore this
requirement. Our review of the ROEs for the 2013 and 2014 supervisory cycles found that
the Enterprises’ boards of directors had not complied with this requirement and DER
examiners failed to enforce compliance with it.³⁶ We learned that one Enterprise board was
not even aware of the requirement, leading us to conclude that DER examiners had not
effectively communicated it to Enterprise directors.

     Failure to Oversee Enterprise Remediation of Serious Supervisory Matters in Disregard
     of FHFA Requirements

As noted above, FHFA’s AB 2012-01 prescribes the process that must be followed by FHFA
examiners to oversee a regulated entity’s efforts to correct the deficiencies underlying an
MRA. We reviewed a sample of open and closed MRAs issued to each Enterprise and found
that examiners did not, on a consistent basis, follow the requirements set forth in AB 2012-01
or the internal guidance issued by DER to supplement these requirements.³⁷ Our reviews
found that DER examiners infrequently conducted and documented independent assessments
of the Enterprises’ remediation activities during the remediation period.³⁸

DER officials reported to us that they do not expect examiners to assess or document the
Enterprises’ remedial efforts until management reports that the remediation is completed and
the Enterprise’s internal audit has validated the sufficiency of the corrective actions,
notwithstanding the clear instructions in AB 2012-01. DER’s unwritten practices, in
contravention of FHFA requirements, create the significant risk that inadequate or untimely
remediation will not be quickly identified, significant deficiencies will not be promptly
corrected, and Enterprise management will not be held accountable for such shortcomings.³⁹

35
  OIG, FHFA Failed to Consistently Deliver Timely Reports of Examination to the Enterprise Boards and
Obtain Written Responses from the Boards Regarding Remediation of Supervisory Concerns Identified in those
Reports, at 15-16, supra note 29.
36
   After we requested board response documentation from FHFA, DER sought a response from the audit
committee of the Fannie Mae board of directors to the 2015 ROE, and the chair of the board provided a written
response. With respect to Freddie Mac, DER did not request a response to the 2015 ROE. When we inquired
with Freddie Mac about board responses to DER’s ROEs, a lawyer in its Office of General Counsel responded,
“FHFA does not require a response, acknowledgement, or receipt from the Board that it has received and
reviewed the ROE.” See Id. at 18.
37
   OIG, FHFA’s Examiners Did Not Meet Requirements and Guidance for Oversight of an Enterprise’s
Remediation of Serious Deficiencies, at 23-24, supra note 25; OIG, FHFA’s Inconsistent Practices in
Assessing Enterprise Remediation of Serious Deficiencies and Weaknesses in its Tracking Systems Limit the
Effectiveness of FHFA’s Supervision of the Enterprises, at 21, supra note 31.
38
  We also determined that the systems DER uses to track open MRAs have substantial weaknesses that limit
DER’s ability to monitor the Enterprises’ remediation efforts.

     Intermittent Efforts Over Almost Four Years to Develop a Quality Control Review
     Process Deprived FHFA of the Assurance of the Adequacy and Quality of DER’s
     Supervisory Activities

DER is responsible for ensuring that the targeted examinations it conducts comply with FHFA
standards and policies, including supervision directives. FHFA established an Office of
Quality Assurance (OQA) and charged it with reviewing the examination work of DER and
DBR. OQA issued its first quality assurance report of DER on October 7, 2011, and
recommended, among other things, that DER establish a comprehensive quality control
review process to “help ensure the adequacy of the examination reports.” In September 2012,
DER committed, in writing, that it would develop an internal quality control program by
December 31, 2012.

On March 25, 2013, FHFA issued SD 2013-01, Quality Control Program for Examinations
Conducted by the Division of Bank Regulation and Division of Enterprise Regulation, for all
examinations. In the directive, FHFA announced that, as a matter of FHFA policy, it is
“particularly important that final examination findings and conclusions are subject to a quality
control review before a report of examination or supervisory correspondence is communicated
to the regulated entity….” Pursuant to this newly adopted policy, SD 2013-01 required DER
and DBR to establish a quality control review program to “assess examination findings,
conclusions, ratings, supporting workpapers, and related documents” and required that the
quality control reviews meet specific identified standards. While DER made intermittent
efforts to develop a quality control review process to implement this FHFA directive, it had
not developed and implemented such a process as of July 1, 2015.

After our work was completed on an evaluation to assess the existence and efficacy of DER’s
quality control process, DER officials reported to us that DER adopted quality control
procedures on July 28, 2015. DER’s implementation began nearly four years after OQA
recommended that it establish such a process and more than two years after FHFA issued a
supervision directive requiring one—despite the Agency representing in its public disclosures
that it had done so already. See our evaluation report, Intermittent Efforts Over Almost Four
Years to Develop a Quality Control Review Process Deprived FHFA of Assurance of the
Adequacy and Quality of Enterprise Examinations.⁴⁰

39
   In a special project report issued on Sept. 30, 2016, we found that DBR acknowledges that AB 2012-1
applies to its oversight of FHLBank remediation of MRA deficiencies, but its unwritten procedures and
practices, as reported to us by DBR officials and as found in our sampling of examiner documentation for
remediation of 9 MRAs, are inconsistent with AB 2012-01. For example, DBR, not the affected FHLBank,
prepared remediation plans for MRAs and those plans did not include specific interim milestones for
remediation activities. See OIG, DBR’s Unwritten Procedures and Practices for Oversight of Efforts by
Federal Home Loan Banks to Correct Deficiencies Underlying the Most Serious Supervisory Matters Are
Inconsistent with the Written Oversight Requirements Promulgated by FHFA, at 10-11, 13-14, 16 (Sept. 30,
2016) (COM-2016-006) (online at www.fhfaoig.gov/Content/Files/COM-2016-006.pdf).

                                                  ***

Our assessments found that DER EICs and examiners, in contravention of requirements
issued by FHFA and DER: revised supervisory plans without risk-related reasons; failed to
create and maintain complete supervisory documentation in the official system of records;
failed to ensure issuance of the annual ROEs to Enterprise directors and obtain written
affirmations that supervisory concerns will be addressed; and did not consistently conduct
and document independent assessments of the Enterprises’ remediation activities during the
period of ongoing remediation. Further, DER did not establish a comprehensive quality
control review process for examinations over a four-year period, including two years in which
the Division was required to do so by Agency directive. Taken together, these practices
demonstrate a lack of commitment to follow established requirements.


CONCLUDING OBSERVATIONS

In our 2015 and 2016 Audit and Evaluation Plans, we identified FHFA’s supervision of
the Enterprises and the FHLBanks as an area that posed significant risk. Over the past 18
months, we have published 12 evaluation, audit, and compliance review reports in which we
assessed different critical elements of DER’s supervision program for the Enterprises. We
identified shortcomings in each of these elements and recommended specific actions to FHFA
to address those shortcomings and upgrade DER’s supervisory program. Although FHFA
asserted, in its management responses, that it was generally receptive toward our
recommendations, it rejected a number of them and did not propose alternative corrective
actions.

Given FHFA’s disagreement with a number of our recommendations to address the
shortcomings we identified, as well as its unwillingness to propose alternative corrective
actions for most of them, it is our view that these elements of DER’s supervisory program
remain deficient. It remains to be seen whether the corrective actions that FHFA has agreed
to take to address other shortcomings identified by us will, in fact, be implemented
effectively.

40
  OIG, Intermittent Efforts Over Almost Four Years to Develop a Quality Control Review Process Deprived
FHFA of Assurance of the Adequacy and Quality of Enterprise Examinations, at 13 (EVL-2015-007) (Sept. 30,
2015) (online at www.fhfaoig.gov/Content/Files/EVL-2015-007.pdf).

Together, the Enterprises own or guarantee nearly $5 trillion in mortgages and are among the
largest financial institutions in this country. Should either or both Enterprises sustain losses
in the future, the U.S. Treasury—and the American taxpayers—will be on the hook for those
losses. Pursuant to HERA, FHFA is charged with ensuring the safety and soundness of the
Enterprises. Without prompt and robust Agency attention to address the shortcomings we
have identified, we caution stakeholders that the safe and sound operation of the Enterprises
cannot be assumed from FHFA’s current supervisory program.

Other regulators have sought the assistance of independent third parties in assessing the
effectiveness of their supervision programs. In 1997 and again in 2009, the Federal Reserve
Bank of New York retained an outside independent expert to assess the effectiveness of its
supervisory procedures and its internal processes to understand and foresee systemic problems
and undertook internal initiatives to improve its practices and procedures. In 2013, the OCC
asked a team of international regulators to provide an independent perspective on the OCC’s
approach to the supervision of large and midsize banks and thrifts and, based on that team’s
recommendations, the OCC reorganized its supervision programs and instituted practices
designed to foster better communication and assessment of risks, among other things. FHFA
has acknowledged that it considers the guidance and examination practices of its peer
financial regulators when developing its own guidance and requirements. In view of FHFA’s
unwillingness to accept a number of OIG recommendations to address shortcomings in
critical elements of DER’s supervision program, it would be prudent for FHFA to follow the
lead of the Federal Reserve of New York and the OCC and engage independent external
experts to review different critical elements of DER’s supervision program.




FHFA COMMENTS AND OIG RESPONSE

OIG provided FHFA an opportunity to respond to a draft of this report. On December 12, 2016,
FHFA provided its management comments, which are reprinted in their entirety in the Appendix.
FHFA stated that no further response to this report was warranted because the report relied on
statements, conclusions, and recommendations from previously published reports, to which it had
previously responded. We note, by way of clarification, that FHFA, in its response, overstated the
rate of its acceptance of recommendations in these reports. According to FHFA, it previously
agreed to accept and implement 83 percent of the recommended corrective actions in the 12
referenced reports. Our review of FHFA’s prior responses found that FHFA accepted only
64 percent of OIG’s recommended remedial measures, partially agreed with 17 percent, and
rejected outright 19 percent.




APPENDIX: FHFA COMMENTS TO OIG REPORT




ADDITIONAL INFORMATION AND COPIES


For additional copies of this report:

      Call: 202-730-0880

      Fax: 202-318-0239

      Visit: www.fhfaoig.gov



To report potential fraud, waste, abuse, mismanagement, or any other kind of criminal or
noncriminal misconduct relative to FHFA’s programs or operations:

      Call: 1-800-793-7724

      Fax: 202-318-0358

      Visit: www.fhfaoig.gov/ReportFraud

      Write:

                FHFA Office of Inspector General
                Attn: Office of Investigations – Hotline
                400 Seventh Street SW
                Washington, DC 20219



