oversight

Compendium of Open Recommendations

Published by the Federal Housing Finance Agency, Office of Inspector General on 2016-04-01.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

  Federal Housing Finance Agency
      Office of Inspector General




   Compendium of
Open Recommendations




          April 1, 2016
TABLE OF CONTENTS ................................................................

ABBREVIATIONS ........................................................................................................................ 3
INTRODUCTION .......................................................................................................................... 4
     The Process by which OIG Formulates Recommendations ..................................................... 4
     Tracking of OIG Recommendations ......................................................................................... 5
     Validation Testing ..................................................................................................................... 5
OPEN RECOMMENDATIONS .................................................................................................... 7
     Supervision ............................................................................................................................... 7
     Exercise of Conservator Authorities ....................................................................................... 10
     Conservator Initiatives ............................................................................................................ 12
     Counterparties ......................................................................................................................... 14
     Information Technology ......................................................................................................... 15
     FHFA Internal Operations ...................................................................................................... 18
     Federal Home Loan Banks...................................................................................................... 18
CLOSED UNIMPLEMENTED RECOMMENDATIONS .......................................................... 19




                                                          OIG  April 1, 2016                                                                   2
ABBREVIATIONS .......................................................................

CSP                Common Securitization Platform

DBR                Division of Federal Home Loan Bank Regulation

DER                Division of Enterprise Regulation

FHFA               Federal Housing Finance Agency

MRA                Matter Requiring Attention

OIG                Federal Housing Finance Agency Office of Inspector General

SAI                Servicing Alignment Initiative




                                   OIG  April 1, 2016                              3
INTRODUCTION ........................................................................

Since the Federal Housing Finance Agency Office of Inspector General (OIG) began
operations in October 2010, we have made more than 300 recommendations1 to improve
efficiency and effectiveness and reduce fraud, waste, and abuse at the Federal Housing
Finance Agency (FHFA or Agency) and at the government-sponsored enterprises for which
the Agency acts as conservator and regulator, Fannie Mae and Freddie Mac (the Enterprises),
and at the Federal Home Loan Banks for which the Agency acts as regulator. As required
under the Inspector General Act of 1978, as amended, we provide information on open and
closed recommendations in each semiannual report to the Congress.2

To maintain the focus on opportunities for improvement that our recommendations identify,
OIG will publish a quarterly report setting forth all open recommendations from our audits,
evaluations and other studies.3 For additional information on any recommendation, please
click on the hyperlinked report number to access its underlying report. This compendium is
comprehensive as of April 1, 2016.

Because FHFA serves a unique role as both conservator and regulator of the Enterprises,
OIG’s responsibilities necessarily include oversight of FHFA’s actions in both of these roles,
in order to determine whether the Agency is fulfilling its statutory duties and responsibilities
and safeguarding the taxpayers’ resources. Our oversight role also reaches the Enterprises--
recipients of $187.5 billion in taxpayer monies-- to ensure that they are satisfying their
obligations under the authority delegated to them in the conservatorships, and third parties
(such as lenders and servicers). Through oversight, transparent reporting of results, and
robust enforcement, OIG seeks to be a voice for, and protect the interest of, those who have
funded Treasury’s investment in the Enterprises—the American taxpayers.


The Process by which OIG Formulates Recommendations
Our recommendations, like those of other inspectors general, are primarily made in written
reports issued by our Offices of Audits, Evaluations, and Compliance. We report the facts,
as found, and recommend actions to address any shortcomings we identify in FHFA’s
exercise of its statutory duties and responsibilities or by one or both Enterprises, in connection
with their execution of responsibilities delegated to them by FHFA, as conservator. Each


1
    Includes public and non-public recommendations.
2
    OIG’s semiannual reports are available at www.fhfaoig.gov/Reports/Semiannual.
3
    This report does not include recommendations under consideration for work that is in progress.



                                                 OIG  April 1, 2016                                 4
recommendation proposes a course of action to correct the shortcoming that our work has
identified.

FHFA is provided an opportunity to review each report and recommendation prior to
publication and provide a written response, which is included in OIG’s final published report.
FHFA’s written response states whether it agrees with OIG’s recommendation and, if so, the
Agency’s proposed action(s) to implement the recommendation.


Tracking of OIG Recommendations
FHFA’s determinations whether to agree with OIG’s recommendations are included in our
published reports. Once FHFA has accepted an OIG recommendation, it reports to us on its
efforts to implement the “corrective action” that is intended to respond to the
recommendation. When FHFA believes that its implementation efforts are well underway or
that implementation is complete, FHFA provides that information to us, along with
corroborating documents, and we rely on those materials in determining whether to close
recommendations. If the Agency rejects a recommendation or conclusively refuses to
implement an acceptable corrective action, then we will close the recommendation and report
it separately in this compendium.


Validation Testing
OIG typically relies on materials and representations from the Agency to close its
recommendations and may close some recommendations based on the Agency’s
representations as to the corrective actions it has taken. Accordingly, we are not able to
assess, at the time of closure, whether the implementation actions by FHFA meet the letter
and spirit of the agreed-upon recommendation, nor can we determine, at closure, the longer-
term impact of the recommendation. To better assess both the implementation and impact of
OIG recommendations, we concluded that validation testing is needed. Such testing, and
disclosure of results of that testing, provides greater accountability and adds value to FHFA
and the American taxpayers it serves.

Because our Offices of Audits and Evaluations historically had not conducted extensive
corrective action verification testing, we created the Office of Compliance and Special
Projects. The primary operational role of that office is to examine closed recommendations to
assess independently FHFA’s implementation of the corrective actions it represented to OIG
that it intended to take, as well as the impact of those actions, and to publish reports of its
validation testing in “compliance reviews.” These compliance reviews enable our
stakeholders to assess the impact of OIG’s recommendations, as well as the efficacy of the
Agency’s implementation of those recommendations. Compliance reviews enhance OIG’s


                                       OIG  April 1, 2016                                        5
ability to stimulate positive change in critical areas and promote economy, efficiency, and
effectiveness at FHFA.

Any open recommendations contained in published compliance reviews are included in this
compendium.




                                       OIG  April 1, 2016                                    6
OPEN RECOMMENDATIONS .....................................................

Supervision
 Topic Area                Recommendation                      Expected Impact           Report
Capacity       Review implementation of the 2013             Improved           Update on FHFA’s
                 Enterprise examination plans and             supervision        Efforts to Strengthen
                 document the extent to which resource                           its Capacity to
                 limitations, among other things, may                            Examine the
                 have impeded their timely and thorough                          Enterprises.
                 execution.                                                      EVL-2014-002.
                                                                                 December 19, 2013.
               Develop a process that links annual
                 Enterprise examination plans with core
                 team resource requirements.

               Establish a strategy to ensure that the
                necessary resources are in place to
                ensure timely and effective Enterprise
                examination oversight.
Commission     FHFA should determine the causes of the       Improved quality   OIG’s Compliance
Program         shortfalls in the Housing Finance Examiner                       Review of FHFA’s
                program that we have identified, and                             Implementation of
                implement a strategy to ensure the                               Its Housing Finance
                program fulfills its central objective of                        Examiner
                producing commissioned examiners who                             Commission
                are qualified to lead major risk sections                        Program.
                of government-sponsored enterprise                               COM-2015-001.
                examinations.                                                    July 29, 2015.

Quality        Ensure that the Division of Enterprise        Improved quality   Intermittent Efforts
Control          Regulation’s (DER’s) recently adopted                           Over Almost Four
                 procedures for quality control reviews                          Years to Develop a
                 meet the requirements of Supervision                            Quality Control
                 Directive 2013-01 and require DER to                            Review Process
                 document in detail the results and                              Deprived FHFA of
                 findings of each quality control review in                      Assurance of the
                 examination workpapers, including any                           Adequacy and
                 shortcomings found during the quality                           Quality of
                 control review.                                                 Enterprise
                                                                                 Examinations.
                                                                                 EVL-2015-007.
                                                                                 September 30,
                                                                                 2015.




                                       OIG  April 1, 2016                                      7
 Topic Area                Recommendation                       Expected Impact         Report
                Evaluate the effectiveness of the
                 new quality control procedures, as
                 implemented, one year after adoption.

Risk            Implement detailed risk assessment            Improved           Utility of FHFA’s
Assessments       guidance that provides minimum               understanding of   Semi-Annual Risk
                  requirements for risk assessments that       risk               Assessments Would
                  facilitate comparable analyses for each                         Be Enhanced
                  Enterprise’s risk positions, including                          Through Adoption
                  common criteria for determining whether                         of Clear Standards
                  risk levels are high, medium, or low, year                      and Defined
                  over year.                                                      Measures of Risk
                                                                                  Levels. EVL-2016-
                                                                                  001. January 4,
                                                                                  2016.
                Implement detailed risk assessment
                 guidance that provides standard
                 requirements for format and the
                 documentation necessary to support
                 conclusions in order to facilitate
                 comparisons between Enterprises and
                 reduce variability among DER’s risk
                 assessments for each Enterprise and
                 between the Enterprises.
                Direct DER to train its examiners-in-charge
                 and exam managers in the preparation of
                 semi-annual risk assessments, using
                 enhanced risk assessment guidance
                 consistent with Recommendations 1 and
                 2.
Remediation     Review FHFA’s existing requirements,          Improved           FHFA’s Examiners
of               guidance, and processes regarding             remediation of     Did Not Meet
Deficiencies     matters requiring attention (MRAs)            deficiencies       Requirements and
                 against the requirements, guidance, and                          Guidance for
                 processes adopted by the Office of the                           Oversight of an
                 Comptroller of the Currency, Federal                             Enterprise’s
                 Reserve, and other federal financial                             Remediation of
                 regulators, including, but not limited to:                       Serious Deficiencies.
                 content of an MRA, standards for                                 EVL-2016-004.
                 proposed remediation plans, approval                             March 29, 2016.
                 authority for proposed remediation plans,
                 real time assessments at regular intervals
                 of the effectiveness and timeliness of an
                 Enterprise’s MRA remediation efforts,
                 final assessment of the effectiveness and
                 timeliness of an Enterprise’s MRA



                                       OIG  April 1, 2016                                       8
Topic Area                  Recommendation                   Expected Impact         Report
                 remediation efforts, and required
                 documentation for examiner oversight of
                 MRA remediation.
                Based on the results of the review in
                 recommendation 1, assess whether any of
                 the existing requirements, guidance, and
                 processes adopted by FHFA should be
                 enhanced, and make such enhancements.
                Because DER and the Division of Federal
                 Home Loan Bank Regulation (DBR)
                 examiners are bound to follow FHFA’s
                 requirements and guidance, compare the
                 processes followed by DBR for the form,
                 content, and issuance of an MRA,
                 standards for a proposed remediation
                 plan, approval authority for a proposed
                 remediation plan, and real time
                 assessments at regular intervals of the
                 effectiveness and timeliness of MRA
                 remediation efforts to the processes
                 followed by DER.
                Based on the results of the review in
                 recommendation 3, assess whether
                 guidance issued and processes followed
                 by either DER or DBR should be enhanced,
                 and make such enhancements.
                Provide mandatory training for all FHFA
                 examiners on FHFA requirements,
                 guidance, and processes and DER and DBR
                 guidance for MRA issuance, review and
                 approval of proposed remediation plans,
                 and oversight of MRA remediation.
                Evaluate the results of quality control
                 reviews conducted by DER and DBR to
                 identify and address gaps and weaknesses
                 involving MRA issuance, review and
                 approval of proposed remediation plans,
                 and oversight of MRA remediation.
                Revise supervision guidance to require     Improved Board     FHFA’s Supervisory
                 DER to provide the Chair of the Audit      oversight          Standards for
                 Committee of an Enterprise Board with                         Communication of
                 each conclusion letter setting forth an                       Serious Deficiencies
                 MRA.                                                          to Enterprise
                                                                               Boards and for
                                                                               Board Oversight of
                                                                               Management’s



                                     OIG  April 1, 2016                                      9
 Topic Area                Recommendation                      Expected Impact            Report
                                                                                   Remediation Efforts
                                                                                   are Inadequate.
                                                                                   EVL-2016-005.
                                                                                   March 31, 2016.
               Revise supervision guidance to require
                DER to provide the Chair of the Audit
                Committee of an Enterprise Board with
                each plan submitted by Enterprise
                management to remediate an MRA with
                associated timetables and the response by
                DER.
               Revise supervision guidance to require
                DER to identify all open MRAs in the
                annual, written report of examination
                and the expected timetable to complete
                outstanding remediation activities.
               Include in this year’s report of
                examination, to be issued to each
                Enterprise for 2015 supervisory activities,
                all open MRAs and the expected timetable
                to complete outstanding remediation
                activities for each open MRA.



Exercise of Conservator Authorities
 Topic Area              Recommendation                      Expected Impact             Report
Annual         Direct each Enterprise to submit its        Improved oversight   FHFA’s Exercise of
Budgets         proposed operating budget and                                    Its Conservatorship
                supporting materials for the next fiscal                         Powers to Review
                year so that FHFA has sufficient time                            and Approve the
                before the fiscal year begins to                                 Enterprises’ Annual
                adequately analyze the proposals.                                Operating Budgets
                                                                                 Has Not Achieved
                                                                                 FHFA’s Stated
                                                                                 Purpose.
                                                                                 EVL-2015-006.
                                                                                 September 30, 2015.
               Revise the existing budget review
                 process and staff the process with
                 employees who have the qualifications
                 and experience needed for critical
                 financial assessments of the proposed
                 Enterprise budgets to permit FHFA to
                 determine whether each Enterprise’s


                                      OIG  April 1, 2016                                      10
 Topic Area               Recommendation                      Expected Impact          Report
                budget aligns with FHFA’s strategic
                direction and its safety and soundness
                priorities.
               Set a date certain during the first
                quarter of 2016 by which FHFA will take
                final action on each proposed annual
                operating budget for 2016 and approve
                the budget by that date.

               Set a date certain, prior to January 31
                 of each subsequent fiscal year, by
                 which FHFA will take final action on
                 each proposed annual operating
                 budget and approve the budget by
                 that date.

Appointment    Conduct a comprehensive evaluation           Improved           FHFA’s Oversight of
of Chief         of the Audit Committee’s effectiveness,     effectiveness of   Governance Risks
Audit            which should include: whether all           Enterprise board   Associated with
Executive        members of the Committee are                committees         Fannie Mae’s
                 independent from management;                                   Selection and
                 whether the Committee’s                                        Appointment of a
                 responsibilities are clearly articulated;                      New Chief Audit
                 whether each Committee member                                  Executive.
                 understands what is expected of                                EVL-2015-004.
                 him/her under the Committee’s Charter                          March 11, 2015.
                 and regulatory requirements; whether
                 the Committee’s interactions with
                 Fannie Mae’s financial executives,
                 Internal Audit, and the external audit
                 firm are robust and occur regularly;
                 whether the Committee raises critical
                 questions with management and the
                 Chief Audit Executive, including
                 questions that indicate the
                 Committee’s understanding of key
                 accounting policies and judgments
                 and that challenge management’s
                 judgments and conclusions; whether
                 the Committee has been responsive to
                 issues raised by the external auditor;
                 and whether the Committee
                 periodically assesses the list of top
                 risks and determines responsibility
                 for management of each risk.




                                      OIG  April 1, 2016                                       11
 Topic Area                   Recommendation                    Expected Impact              Report
Underwriting      The Division of Housing Mission and         Improved oversight    FHFA’s Oversight of
Standards          Goals should formally establish a policy                          Fannie Mae’s Single-
                   for its review process of underwriting                            Family Underwriting
                   standards and variances, including                                Standards.
                   escalation of unresolved issues                                   AUD-2012-003.
                   reflecting potential lack of agreement.                           March 22, 2012.
                                                                                     See also Compliance
                                                                                     Review of FHFA’s
                                                                                     Implementation of
                                                                                     Its Procedures for
                                                                                     Overseeing the
                                                                                     Enterprises’ Single-
                                                                                     Family Mortgage
                                                                                     Underwriting
                                                                                     Standards and
                                                                                     Variances.
                                                                                     COM-2016-001.
                                                                                     December 17, 2015.



Conservator Initiatives
   Topic Area                 Recommendation                    Expected Impact           Report
Servicing           Establish an ongoing process to           Improved servicing FHFA’s Oversight
Alignment            evaluate servicers’ Servicing             compliance and     of the Servicing
Initiative           Alignment Initiative compliance and       minimized losses   Alignment Initiative.
                     the effectiveness of the Enterprises’                        EVL-2014-003.
                     remediation efforts.                                         February 12, 2014.

                    Direct the Enterprises to provide
                     routinely their internal reports and
                     reviews for the Division of Housing
                     Mission and Goals’ assessment.
                    Regularly review Servicing Alignment
                     Initiative-related guidelines for
                     enhancements or revisions, as
                     necessary, based on servicers’ actual
                     versus expected performance.

Representation      Assess the current state of the           Improved initiative   FHFA’s Representation
and Warranty          Enterprises’ critical risk assessment    management            and Warranty
Framework             tools, representations and warranties                          Framework.
                      tracking systems, and any other                                AUD-2014-016.
                      systems, processes, or infrastructure                          September 17, 2014.
                      to determine whether the Enterprises


                                         OIG  April 1, 2016                                        12
  Topic Area                 Recommendation                    Expected Impact             Report
                    are in a position to minimize financial
                    risk that may result from the new
                    framework. The results of this
                    assessment should document any
                    areas of identified risk, planned
                    actions, and corresponding timelines
                    to mitigate each area of identified
                    risk. Further, this assessment should
                    provide an estimate of when each
                    Enterprise will be reasonably
                    equipped to work safely and soundly
                    within the new framework.

                  Establish standards requiring that         Improved initiative   Review of FHFA’s
                    modifications or suspensions of           management            Tracking and Rating of
                    Scorecard targets must be                                       the 2013 Scorecard
                    documented in writing.                                          Objective for the New
                                                                                    Representation and
                                                                                    Warranty Framework
                                                                                    Reveals Opportunities
                                                                                    to Strengthen the
                                                                                    Process. AUD-2016-
                                                                                    002. March 28, 2016.
                  Require that FHFA comments and
                   ratings on quarterly rating sheets be
                   dated.
                  Establish standards to address missed
                   or partially missed quarterly targets,
                   including requiring that every
                   quarterly rating sheet record when
                   any target was missed and the reset
                   target date.
Common            Because information in the report          Improved fraud        Reducing Risk and
Securitization     could be used to exploit vulnerabilities   prevention            Preventing Fraud in
Platform           and circumvent countermeasures, the                              the New Securitization
                   recommendations have not been                                    Infrastructure.
                   released publicly.                                               EVL-2013-010.
                                                                                    August 22, 2013.

                  Establish schedules and timeframes         Improved initiative   Status of the
                    for completing key components of          management            Development of
                    the project, as well as an overall                              the Common
                    completion date as appropriate.                                 Securitization
                                                                                    Platform.
                                                                                    EVL-2014-008.
                                                                                    May 21, 2014.



                                        OIG  April 1, 2016                                         13
  Topic Area              Recommendation                    Expected Impact            Report
                Establish cost estimates for varying
                 stages of the initiative, as well as an
                 overall cost estimate.



Counterparties
  Topic Area              Recommendation                     Expected Impact           Report
Appraisers      Ensure the portal warning messages         Improved           FHFA’s Oversight of
                 distinguish between inactive               compliance         the Enterprises’ Use
                 appraisers and unverified appraisers,                         of Appraisal Data
                 as of the date the appraisal is                               Before They Buy
                 performed.                                                    Single-Family
                                                                               Mortgages.
                                                                               AUD-2014-008.
                                                                               February 6, 2014.
                Ensure that the portal tests whether
                 appraisers are licensed and active at
                 the time the appraisal is performed.
                Change the message type, for
                 messages relating to appraiser license
                 status, from automatic override to
                 manual override or fatal, which will
                 require lenders to take action to
                 address the message prior to
                 delivering the loan. This action can
                 be taken once the system logic is
                 fixed and the historical records are
                 available to determine the status of
                 an appraiser’s license at the time the
                 appraisal work is performed, and the
                 states are updating in real-time.
Servicers       Analyze Fannie Mae’s actions and           Improved           FHFA Oversight
                 remediation plans in response to           oversight          of Fannie Mae’s
                 recommendations 1 and 2 to                                    Collection of Funds
                 determine whether Fannie Mae has                              from Servicers that
                 taken necessary steps to ensure that                          Closed Short Sales
                 servicers are held accountable for                            Below the Authorized
                 servicing violations and credit losses                        Prices.
                 are minimized. FHFA should also                               AUD-2014-015.
                 require modification by Fannie                                August 7, 2014.
                 Mae of its remediation plans, as
                 appropriate.




                                      OIG  April 1, 2016                                       14
  Topic Area            Recommendation                        Expected Impact            Report
                Quantify and aggregate its                  Improved financial   Evaluation of Fannie
                 overpayments to servicers regularly.        management           Mae’s Servicer
                                                                                  Reimbursement
                                                                                  Operations for
                                                                                  Delinquency
                                                                                  Expenses.
                                                                                  EVL-2013-012.
                                                                                  September 18, 2013.
                Implement a plan to reduce these
                  overpayments by (i) identifying their
                  root causes, (ii) creating reduction
                  targets, and (iii) holding managers
                  accountable.

                Report its findings and progress to
                  FHFA periodically.




Information Technology
  Topic Area               Recommendation                       Expected Impact             Report
OIG             Because information in the report could       Improved            Kearney & Company,
                  be abused to circumvent OIG’s internal       information         P.C.’s Independent
                  controls, the recommendations have           security            Evaluation of the
                  not been released publicly.                                      Federal Housing
                                                                                   Finance Agency Office
                                                                                   of Inspector General’s
                                                                                   Information Security
                                                                                   Program–2015. AUD-
                                                                                   2015-003. September
                                                                                   9, 2015.

FHFA            Because information in the report             Improved            Kearney & Company,
                  could be abused to circumvent FHFA’s         information         P.C.’s Independent
                  internal controls, the recommendations       security            Evaluation of the
                  have not been released publicly.                                 Federal Housing
                                                                                   Finance Agency’s
                                                                                   Information Security
                                                                                   Program–2015. AUD-
                                                                                   2015-002. September
                                                                                   9, 2015.




                                       OIG  April 1, 2016                                       15
  Topic Area                  Recommendation                    Expected Impact            Report
OIG                Because information in the report could    Improved           Kearney & Company,
                    be abused to circumvent OIG’s internal     information        P.C.’s Independent
                    controls, the recommendations have         security           Evaluation of the
                    not been released publicly.                                   Federal Housing
                                                                                  Finance Agency Office
                                                                                  of Inspector General’s
                                                                                  Information Security
                                                                                  Program–2014. AUD-
                                                                                  2014-021. September
                                                                                  30, 2014.

FHFA               Because information in the report          Improved           Kearney & Company,
                    could be abused to circumvent FHFA’s       information        P.C.’s Independent
                    internal controls, the recommendations     security           Evaluation of the
                    have not been released publicly.                              Federal Housing
                                                                                  Finance Agency’s
                                                                                  Information Security
                                                                                  Program–2014. AUD-
                                                                                  2014-019. September
                                                                                  26, 2014.
IT Examinations    Update the Information Technology          Improved risk      FHFA Should Improve
                    Risk Management Program Module to          management         its Examinations of
                    direct examiners to assess the design of                      the Effectiveness of
                    the Federal Home Loan Banks’                                  the Federal Home
                    vulnerability scans and penetration                           Loan Banks’ Cyber
                    tests when assessing the operational                          Risk Management
                    effectiveness of such controls.                               Programs by Including
                                                                                  an Assessment of the
                                                                                  Design of Critical
                                                                                  Internal Controls.
                                                                                  AUD-2016-001.
                                                                                  February 29, 2016.
                   Require examiners to document their
                    assessment of the design of the Federal
                    Home Loan Banks’ vulnerability scans
                    and penetration tests as part of their
                    assessment of the operational
                    effectiveness of such controls.
                   Take formal and timely action to           Improved risk      FHFA Should Map Its
                    compare existing regulatory guidance       management         Supervisory Standards
                    to appropriate elements of the NIST                           for Cyber Risk
                    framework and identify gaps between                           Management to
                    existing regulatory guidance and                              Appropriate Elements
                    appropriate elements of the NIST                              of the NIST
                    framework.                                                    Framework. EVL-
                                                                                  2016-003. March 28,
                                                                                  2016.


                                      OIG  April 1, 2016                                       16
  Topic Area                    Recommendation                   Expected Impact          Report
                    Determine the priority in which to
                     address the gaps.
                    Address the gaps, as prioritized, to
                     reflect and incorporate appropriate
                     elements of the NIST framework.
                    Revise existing regulatory guidance to
                     reflect and incorporate appropriate
                     elements of the NIST framework in a
                     manner that achieves consistency with
                     other federal financial regulators.
Risk Oversight      Direct the Fannie Mae Board to              Improved risk     Corporate
                     enhance Fannie Mae’s existing cyber         management        Governance: Cyber
                     risk management policies to:                                  Risk Oversight by the
                         o Require a baseline Enterprise-                          Fannie Mae Board of
                             wide cyber risk assessment with                       Directors Highlights
                             subsequent periodic updates;                          the Need for FHFA’s
                         o Describe information to be                              Closer Attention to
                             reported to the Board and                             Governance Issues.
                             committees;                                           EVL-2016-006. March
                         o Include a cyber risk framework                          31, 2016.
                             and cyber risk appetite.
                    Instruct the Fannie Mae Board to
                     establish and communicate a desired
                     target state of cyber risk management
                     for Fannie Mae that identifies and
                     prioritizes which risks to avoid, accept,
                     mitigate, or transfer through insurance.
                    Direct the Fannie Mae Board to oversee
                     management’s efforts to leverage
                     industry standards to:
                         o Protect against and detect
                             existing threats;
                         o Remain informed on emerging
                             risks;
                         o Enable timely response and
                             recovery in the event of a
                             breach; and
                         o Achieve the desired target state
                             of cyber risk management
                             identified in Recommendation 2
                             within a time period agreed
                             upon by the Board.




                                       OIG  April 1, 2016                                      17
FHFA Internal Operations
 Topic Area               Recommendation                     Expected Impact           Report
Workforce      Test the new human resource system          Improved            Women and
                 to ensure that it will provide data        opportunities and   Minorities in FHFA’s
                 sufficient to enable the Agency to         oversight           Workforce.
                 perform comprehensive analyses of                              EVL-2015-003.
                 workforce issues.                                              January 13, 2015.

               Regularly analyze Agency workforce
                 data and assess trends in hiring,
                 awards, and promotions.

               Research opportunities to partner
                 with inner-city and other high schools,
                 where feasible, to ensure compliance
                 with the Housing and Economic
                 Recovery Act.




Federal Home Loan Banks
 Topic Area               Recommendation                     Expected Impact           Report
Unsecured      To strengthen the regulatory                Improved            FHFA’s Oversight of
Credit          framework around the extension of           compliance          the Federal Home
                unsecured credit by the Federal Home                            Loan Banks’
                Loan Banks, FHFA-OIG recommends, as                             Unsecured Credit
                a component of future rulemakings,                              Risk Management
                that FHFA consider the utility of:                              Practices.
                  o Establishing maximum overall                                EVL-2012-005.
                     exposure limits;                                           June 28, 2012.
                  o Lowering the existing individual
                     counterparty limits; and
                  o Ensuring that the unsecured
                     exposure limits are consistent with
                     the Federal Home Loan Bank
                     System’s housing mission.




                                      OIG  April 1, 2016                                       18
CLOSED UNIMPLEMENTED RECOMMENDATIONS .....................

The Inspector General Act of 1978 does not authorize any federal inspector general to compel
its respective agency to adopt new policies or processes or take personnel actions to correct
shortcomings found in their audits, evaluations, and investigations. Rather, the Act empowers
inspectors general to recommend remedial actions to correct such shortcomings, and the
affected agency determines whether or not to accept the recommendations.

From time to time, FHFA will reject a recommendation made by OIG or, having agreed to the
recommendation, may fail to follow through on corrective action. In such circumstances we
engage with the Agency and attempt to reach resolution on acceptable corrective action.
When this process has been exhausted and the Agency indicates its intention to permanently
reject a recommendation, the recommendation is closed.

We believe it is important to be transparent and distinguish between recommendations
that have been closed in light of appropriate movement toward implementation and
recommendations that have been closed in light of FHFA’s refusal to take any action.
For those recommendations closed due to rejection by FHFA, we continue to stand by our
findings and believe that the Agency should have undertaken the recommended actions.

The recommendations listed below represent those that have been closed following FHFA’s
rejection and were not implemented.



    Topic Area                 Recommendation                     Expected Impact         Report
 Property            Establish uniform pre-foreclosure          Improved quality   FHFA Oversight of
 Inspectors           inspection quality standards and quality                      Enterprise Controls
                      control processes for inspectors.                             Over Pre-
                                                                                    Foreclosure
                                                                                    Property
                                                                                    Inspections. AUD-
                                                                                    2014-012. March
                                                                                    25, 2014.

 Seller/Servicers    Promptly quantify the potential benefit    Improved           FHFA Oversight of
                      of implementing a repurchase late fee      oversight          Enterprise
                      program at Fannie Mae, and then                               Handling of Aged
                      determine whether the potential cost                          Repurchase
                      of from $500,000 to $5.4 million still                        Demands.
                      outweighs the potential benefit.                              AUD-2014-009.
                                                                                    February 12, 2014.




                                         OIG  April 1, 2016                                     19
  Topic Area              Recommendation                        Expected Impact         Report
                Perform a comprehensive analysis to          Improved            FHFA’s
                 assess whether financial risks associated    framework           Representation
                 with the new representation and              management          and Warranty
                 warranty framework, including with                               Framework. AUD-
                 regard to sunset periods, are                                    2014-016.
                 appropriately balanced between the                               September 17,
                 Enterprises and sellers. This analysis                           2014.
                 should be based on consistent
                 transactional data across both
                 Enterprises, identify potential costs
                 and benefits to the Enterprises, and
                 document consideration of the Agency’s
                 objectives.

                OIG recommends that FHFA direct              Improved            FHFA’s Oversight
                  Fannie Mae and Freddie Mac to assess        compliance          of Risks Associated
                  the cost/benefit of a risk-based                                with the
                  approach to requiring their sellers and                         Enterprises Relying
                  servicers to provide independent, third-                        on Counterparties
                  party attestation reports on compliance                         to Comply with
                  with Enterprise origination and servicing                       Selling and
                  guidance.                                                       Servicing
                                                                                  Guidelines. AUD-
                                                                                  2014-018.
                                                                                  September 26,
                                                                                  2014.
                Publish Fannie Mae’s reduction targets       Improved            Evaluation of
                  and overpayment findings.                   transparency        Fannie Mae’s
                                                                                  Servicer
                                                                                  Reimbursement
                                                                                  Operations for
                                                                                  Delinquency
                                                                                  Expenses. EVL-
                                                                                  2013-012.
                                                                                  September 18,
                                                                                  2013.
Examination     Adopt a comprehensive examination            Improved            Evaluation of the
Records           workpaper index and standardize             efficiency          Division of
                  electronic workpaper folder structures                          Enterprise
                  and naming conventions between the                              Regulation’s 2013
                  two Core Teams. In addition, FHFA and                           Examination
                  DER should upgrade recordkeeping                                Records: Successes
                  practices as necessary to enhance the                           and Opportunities.
                  identification and retrieval of critical                        EVL-2015-001.
                  workpapers.                                                     October 6, 2014.




                                    OIG  April 1, 2016                                        20
  Topic Area               Recommendation                   Expected Impact         Report
Executive       Develop a strategy to enhance the         Improved           Compliance
Compensation     Executive Compensation Branch’s           oversight          Review of FHFA’s
                 capacity to review the reasonableness                        Oversight of
                 and justification of the Enterprises’                        Enterprise
                 annual proposals to compensate                               Executive
                 their executives based on Corporate                          Compensation
                 Scorecard performance. To this end,                          Based on
                 FHFA should ensure that: the                                 Corporate
                 Enterprises submit proposals containing                      Scorecard
                 information sufficient to facilitate a                       Performance.
                 comprehensive review by the Executive                        COM-2016-002.
                 Compensation Branch; the Executive                           March 17, 2016.
                 Compensation Branch tests and verifies
                 the information in the Enterprises’
                 proposals, perhaps on a randomized
                 basis; and the Executive Compensation
                 Branch follows up with the Enterprises
                 to resolve any proposals that do not
                 appear to be reasonable and justified.
                Develop a policy under which FHFA is
                 required to notify OIG within 10 days
                 of its decision not to fully implement,
                 substantially alter, or abandon a
                 corrective action that served as the
                 basis for OIG’s decision to close a
                 recommendation.




                                   OIG  April 1, 2016                                    21
ADDITIONAL INFORMATION AND COPIES .................................


For additional copies of this report:

      Call: 202-730-0880

      Fax: 202-318-0239

      Visit: www.fhfaoig.gov



To report potential fraud, waste, abuse, mismanagement, or any other kind of criminal or
noncriminal misconduct relative to FHFA’s programs or operations:

      Call: 1-800-793-7724

      Fax: 202-318-0358

      Visit: www.fhfaoig.gov/ReportFraud

      Write:

                FHFA Office of Inspector General
                Attn: Office of Investigations – Hotline
                400 Seventh Street SW
                Washington, DC 20219




                                        OIG  April 1, 2016                                22