Federal Housing Finance Agency

 Advisory Bulletins



<p>AB 2015-07, Fraud Risk Management (Fannie Mae &amp; Freddie Mac), issued 9/29/2015</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>ADVISORY BULLETIN&#160;</strong><br></p><p> <strong>AB 2015-07</strong><br></p><p> <strong>FRAUD RISK MANAGEMENT&#160;&#160;</strong></p></td></tr></tbody></table><p> <span style="text-decoration&#58;underline;"><strong><em>Purpose</em></strong></span></p><p>This Advisory Bulletin communicates to Fannie Mae and Freddie Mac (the Enterprises) the Federal Housing Finance Agency's (FHFA) supervisory expectations for fraud risk management, including the establishment and maintenance of internal controls to prevent, deter, and detect fraud or possible fraud.&#160; </p><p> <span style="text-decoration&#58;underline;"> <strong> <em>Background</em></strong></span></p><p>Effective fraud risk management is essential to the safe and sound operations of the Enterprises.&#160; Exposure to the risk of fraud exists throughout Enterprise business operations.&#160; For example, single-family and multifamily mortgage operations have exposure to the risk of fraud associated with activities of borrowers, loan originators, mortgage brokers, loan sellers, attorneys, servicers, appraisers, property managers, and third parties engaged to perform functions relating to loans or the collateral securing the loans.&#160; Capital markets activities may expose an Enterprise to fraud committed by counterparties involved in securitizations.&#160; The Enterprises also have potential exposure to fraud risk resulting from insider malfeasance.<a id="ref1" href="#1"><font color="#0066cc">[1]</font></a></p><p>Fraud may subject an Enterprise to financial, operational, legal, or reputational harm.&#160; For example, mortgage fraud may result in financial losses for an Enterprise if a seller does not have the financial ability and willingness to honor its obligation to repurchase 
fraudulent loans.&#160; Other types of fraud may result in financial losses if the fraud is not fully covered by fidelity bond insurance.&#160; An Enterprise may be exposed to litigation or civil money penalties for failure to comply with fraud-related statutes and regulations.&#160; Further, fraud may cause reputational risk if an Enterprise's operations are used or perceived to be used to perpetrate fraud. &#160;While experience demonstrates that fraud may not be prevented completely, it may be deterred or reduced through appropriate anti-fraud procedures that are maintained and reviewed over time.</p><p> <span style="text-decoration&#58;underline;">Examples of Fraud</span> </p><p>The Enterprises may encounter various types of fraud.&#160; For example, mortgage fraud may occur in mortgage loans purchased for an Enterprise's own portfolios or for securitization.&#160; Fraud may be committed as part of the origination, underwriting, or closing process or in conjunction with the servicing of a loan on behalf of an Enterprise.&#160; </p><p>Mortgage-related fraud may be committed by various participants in the origination, selling, and servicing of mortgage loans.&#160; Borrowers may provide false identification, employment, or income information to obtain approval for a mortgage loan.&#160; Parties involved in loan originations, such as appraisers, attorneys, and title agencies, may engage in misrepresentation of collateral or performance of contracted responsibilities, or through diversion of funds.&#160; Sellers of mortgage loans may misrepresent underwriting standards or deliver a single mortgage loan multiple times.&#160; Servicers may divert custodial or other funds received to accounts used for their own purposes.&#160; </p><p>Mortgage-related fraud may be part of larger schemes that include originating mortgage loans through the use of straw borrowers, illegal property flipping, double-pledging of collateral, and builder bailouts.&#160; Post-origination 
mortgage fraud may target financially distressed borrowers to steal equity in or secure title to a property through fraudulent workout schemes or short sales.&#160; </p><p>Insider fraud (<em>i.e.</em>, fraud involving current or former employees and contractors) may include accounting fraud, payroll fraud, embezzlement, or collaboration with external parties in a fraud against an Enterprise or other financial institution.&#160; </p><p>The wide variation of possible fraudulent activities creates a broad range of fraud risk; therefore, an Enterprise should implement a risk-based approach to fraud risk management that takes into account the scope and potential harm to the Enterprise of possible fraud.</p><p> <span style="text-decoration&#58;underline;"> <strong> <em>Guidance</em></strong></span></p><p>This Advisory Bulletin describes FHFA's expectations for the oversight of fraud risk management, key elements of a risk-based approach to fraud risk management, and the training and independent testing functions that should accompany an Enterprise's fraud risk management approach. 
&#160;As described below, FHFA expects that the Enterprises will take steps to manage fraud risk in all business lines and operational functions.<a id="ref2" href="#2"><font color="#0066cc">[2]</font></a></p><p> <span style="text-decoration&#58;underline;">Oversight of Fraud Risk Management</span></p><p>Each Enterprise's board of directors has a responsibility to ensure that the Enterprise's management is committed to effective fraud risk management and that the Enterprise has appropriate policies for preventing and detecting fraud or possible fraud.&#160; The Enterprise should have documented processes in place to appropriately inform the board about fraud risk management activities and significant instances of fraud or possible fraud.&#160; Fraud risk should be included in the risk management policies that are approved by the board or a committee thereof, and reviewed on a periodic basis.&#160; </p><p>The policies should establish the Enterprise's standards and reporting processes relating to fraud and possible fraud.&#160; The policies should designate the management official(s) responsible for the oversight of fraud risk management and define specific roles and responsibilities for personnel with fraud risk management responsibilities.&#160; </p><p>Enterprise management should develop and oversee the implementation of business unit policies and procedures to implement and support anti-fraud and regulatory reporting programs and controls consistent with the Enterprise's policies.&#160; Business unit policies should detail the Enterprise's fraud risk management processes, including risk assessments, internal controls, training, independent testing, fraud response protocols, and board and senior management reporting.&#160; </p><p>The Enterprise should provide for appropriate coordination across business lines and functions of fraud risk management activities and resources.&#160; Areas of 
coordination may include risk assessments, oversight of the design and implementation of anti-fraud and regulatory reporting programs and controls, and reporting to senior management and the board or a committee thereof, as appropriate, the results of the Enterprise's fraud risk management efforts.&#160; </p><p> <span style="text-decoration&#58;underline;">Elements of Fraud Risk Management</span></p><p>Effective fraud risk management should include&#58;</p><ul style="list-style-type&#58;disc;"><li>Ongoing risk assessments to determine areas of heightened risk for possible fraud and adequacy of the control environment. </li><li>Risk-based internal controls that are designed to prevent and deter fraud from occurring.</li><li>Risk-based internal controls that are designed to detect fraud when it occurs.</li><li>Processes for responding to and reporting fraud or possible fraud.</li></ul><p> <em>Risk Assessments</em> </p><p>An Enterprise should have an ongoing process for performing risk assessments to identify and assess risk of fraud and to evaluate controls in place to mitigate risk.&#160; Risk assessments should consider factors such as products, services, customers, counterparties, and geographic locations, and should cover business units and operational and control functions.&#160; Fraud risk assessments should provide the basis for internal controls to prevent and deter fraud and to detect fraud or possible fraud.&#160; An Enterprise should have in place a process for periodically updating fraud risk assessments and making associated changes to internal controls.&#160; </p><p> <em>Fraud Prevention and Deterrence</em></p><p>Each Enterprise should maintain effective internal controls designed to prevent and deter fraud.&#160; The type and scale of internal controls will vary depending on the operational area, product type, and fraud risk.&#160; Types of controls include segregation of duties; a system of proper authorizations; physical safeguards to prohibit access 
to assets and records; a system of independent checks; and records to provide an audit trail.&#160; </p><p>Internal controls should be clearly documented and subject to ongoing review to determine whether they are followed, are effective, and reflect current industry sound practices.&#160; With regard to potential insider fraud, policies related to the consequences of committing or concealing fraud should be communicated clearly to all personnel.&#160; </p><p> <em>Fraud Detection </em></p><p>The complexity and extent of the internal controls for detection of different types of potential fraud in different business activities should be based on the fraud risk assessment, in light of the size, structure, risks, complexity, and vulnerability to fraud of the particular activity.&#160; Fraud detection controls and tools may include, but are not limited to, internal and external tip hotlines; whistleblower vehicles; audits; quality control reviews; and analysis of financial, operational, and transaction data.&#160; Detection methods may involve a review of transactions for possible fraud and, where possible, should include a review for red flags that indicate fraud or possible fraud.&#160; Examples of red flags may include patterns of inconsistency in borrower information, loan documentation, servicer records, and significant servicer performance issues, as well as adverse public information. &#160;Additionally, an Enterprise may identify individuals and firms known to have been involved in fraud. 
&#160;Fraud detection procedures should document when findings will warrant the expansion of the scope of review consistent with current risk assessments.</p><p>Each Enterprise should have adequate information systems to timely capture information needed to detect fraud or possible fraud and comply with regulatory reporting requirements.&#160; </p><p> <em>Fraud Response and Reporting</em></p><p>Each Enterprise should have documented processes for evaluating and responding to various types of possible fraud and for complying with regulatory reporting requirements.&#160; An Enterprise should take steps to make its employees and third parties aware of methods by which they may report possible fraud relating to Enterprise operations.&#160; Furthermore, an Enterprise should ensure that its procedures and resources are sufficient to timely investigate possible fraud.&#160; </p><p>An Enterprise's process should address investigation procedures, protocols for gathering evidence, decision-making authority, internal and regulatory reporting, escalation protocols, remedial action, and disclosure.&#160; Individuals assigned to investigations should have the necessary training, authority, and skills to evaluate possible fraud and determine the appropriate course of action.&#160; The process should include a tracking or case management system(s) where allegations of fraud are logged.&#160; As appropriate, an Enterprise's procedures should also include a review of incidents to determine if improvements need to be made to processes or internal control systems to prevent future incidents of possible fraud.&#160; </p><p>Each Enterprise should have effective, risk-based processes to timely investigate potential fraud to minimize and prevent loss.&#160; Procedures should be in place for reporting investigation findings regarding fraud or possible fraud in accordance with regulatory requirements and Enterprise policy.&#160; </p><p> <span 
style="text-decoration&#58;underline;">Training</span></p><p>Each Enterprise should promote fraud awareness by conveying the importance of fraud prevention and penalties for fraud to all employees. &#160;Each Enterprise should provide and document adequate fraud risk management training that is risk-based and commensurate with trainees' roles and specific responsibilities.&#160; Training should include instruction on regulatory requirements and the Enterprise's policies and procedures to comply with those requirements.&#160; Board and senior management training should reflect their oversight role.&#160; Training should be updated as needed to reflect regulatory changes and industry sound practices, as well as changes to the Enterprise's risk assessments and internal controls.&#160; </p><p> <span style="text-decoration&#58;underline;">Independent Testing</span></p><p>Each Enterprise should conduct regular independent testing in all business lines to determine the overall adequacy and effectiveness of the Enterprise's fraud risk management.&#160; Testing scope, procedures performed, and findings should be documented.</p><p> <span style="text-decoration&#58;underline;"> <strong> <em>Related FHFA Guidance</em></strong></span></p><p> <em>Enterprise Fraud Reporting</em>, Federal Housing Finance Agency Advisory Bulletin 2015-02, March 26, 2015, communicates to the Enterprises FHFA's fraud reporting requirements pursuant to 12 CFR Part 1233.</p><p> <em>Oversight of Single-Family Seller/Servicer Relationships</em>, Federal Housing Finance Agency Advisory Bulletin 2014-07, December 1, 2014, communicates to the Enterprises FHFA's supervisory expectations for managing counterparty risk associated with their relationships with single-family Seller/Servicers.</p><p> <em>Suspended Counterparty Program at 12 CFR Part 1227, </em>generally sets forth the requirements by which each regulated entity submits reports to FHFA when it becomes aware that an individual or institution with 
which it has been engaged in a covered transaction (as such term is defined in the regulation) within the previous three years has been convicted, debarred, suspended, or otherwise sanctioned, based on specified financial misconduct. &#160;FHFA may issue suspension orders in appropriate cases, requiring the regulated entities to cease doing business with such individuals or institutions.</p><p>________________________________ </p><p> <a id="1" href="#ref1">[1]</a> For purposes of this Advisory Bulletin, fraud occurs when a person(s), knowingly and willfully (1) falsifies, conceals, or covers up a material fact by any trick, scheme, or device; (2) makes any materially false, fictitious, or fraudulent statement or representation; or (3) makes or uses any false writing or document knowing the same to contain any materially false, fictitious, or fraudulent statement or entry. </p><p> <a id="2" href="#ref2">[2]</a> The risk management guidance in this Advisory Bulletin complements the requirements for reporting fraud and possible fraud found in&#58; (i) 12 C.F.R. Part 1233, Reporting of Fraudulent Financial Instruments; (ii) 31 C.F.R. Parts 1010 and 1030, Anti-Money Laundering Program and Suspicious Activity Report Filing Requirements for Housing Government Sponsored Enterprises; and (iii) Advisory Bulletin 2015-02, Enterprise Fraud Reporting (March 26, 2015).</p><div><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> Advisory Bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, Fannie Mae, and Freddie Mac. &#160;This advisory bulletin is effective immediately upon issuance. 
&#160;Contact&#160;Bobbi Montoya, Associate Director, Examination Standards Branch at&#160;<a href="mailto&#58;Bobbi.Montoya@fhfa.gov">Bobbi.Montoya@fhfa.gov</a>&#160;or&#160;(202)&#160;649-3406, Kathy Beach, Principal Advisor, Office of Supervision Policy at <a href="mailto&#58;Kathy.Beach@fhfa.gov">Kathy.Beach@fhfa.gov</a> or (202) 649-3521, or Ellen Joyce, Principal Risk Analyst, Risk Analysis Branch at <a href="mailto&#58;Ellen.Joyce@fhfa.gov">Ellen.Joyce@fhfa.gov</a> or (202) 649-3409 with comments or questions pertaining to this bulletin. &#160;&#160;</p></td></tr></tbody></table></div>
<p>AB 2015-06, Information Technology Investment Management (Fannie Mae &amp; Freddie Mac), issued 9/21/2015</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>ADVISORY BULLETIN&#160;</strong><br></p><p> <strong>AB 2015-06</strong><br></p><p> <strong>INFORMATION TECHNOLOGY INVESTMENT MANAGEMENT&#160;&#160;</strong></p></td></tr></tbody></table><p> <br> <strong style="text-decoration&#58;underline;"> <em>Purpose</em></strong> </p><p>This advisory bulletin provides Federal Housing Finance Agency (FHFA) guidance on information technology (IT) investment management by Fannie Mae and Freddie Mac (the Enterprises).&#160; FHFA expects that each Enterprise's IT investment management will include sound governance and effective monitoring and reporting that reflect relevant risk assessments of the Enterprise.&#160; &#160;&#160;</p><div><div style="text-decoration&#58;underline;"> <strong><em>Background</em></strong></div><div> <br> &#160;</div><div><p>The Enterprises' investments to maintain and improve their IT environments are critical to the success of business operations and strategic initiatives.&#160; Effective IT investment management contributes to safe and sound operations by enabling an Enterprise to confirm that IT investments are aligned with strategic priorities, support business operations, and deliver expected returns on investment. 
&#160;An effective process for funding IT projects should assist an Enterprise to assess costs and benefits of investments, manage interdependencies among related projects, identify risk exposures to third-party vendors, and plan the funding of multi-year projects over multiple budget cycles.&#160; </p><p>FHFA's standards for safe and sound operations are generally set forth in the Prudential Management and Operations Standards (PMOS) at 12 CFR Part 1236.&#160; In particular, PMOS Standard 1.4 (Internal Controls and Information Systems, Framework) articulates the requirement for an effective system of internal controls, which includes a board-approved organizational structure that clearly assigns responsibility, authority, and reporting relationships, as well as appropriate segregation of duties.&#160;&#160;</p></div><div> <em> <span style="text-decoration&#58;underline;"> <strong>Guidance</strong></span></em></div><div> <br> &#160;</div><div> <span style="line-height&#58;1.6;">FHFA expects that each Enterprise's IT investment management will include sound governance and effective monitoring and reporting that reflect relevant risk assessments of the Enterprise. 
&#160;</span><span style="line-height&#58;1.6;">An Enterprise may develop and refine its IT investment management based on sound industry practices, such as the Control Objectives for Information and Related Technology (COBIT) framework issued by the Information Systems Audit and Control Association (ISACA).</span><span style="line-height&#58;1.6;">&#160;</span> <p></p><p> <em>Governance</em></p><p>Each Enterprise should maintain sound governance over IT investments using a risk-based approach at both the portfolio level and at the project level to confirm that the Enterprise's IT investments are aligned with enterprise strategic priorities and line of business objectives.&#160; Governance should address funding of IT projects and prioritization of project funding based upon risk assessments for proposed investments, cost-benefit analyses, and requirements for diversity and inclusion practices in contracting,<a id="ref1" href="#1"><font color="#0066cc">[1]</font></a>&#160;among other factors.</p><p>The governance over IT investments should clearly define the roles and responsibilities of stakeholders, including the board of directors, business leads, and IT management.&#160; Delegations of authority should be established and subject to periodic review, and exceptions to delegated authority should be documented.&#160; The governance process should confirm that appropriate risk control functions have input into IT funding decisions at both project and portfolio levels. 
&#160;</p><p>Setting IT investment priorities is a key component of governance.&#160; Risk assessments should be performed for IT funding proposals to identify potential risks at the project and portfolio level.&#160; In addition, cost-benefit analyses should be conducted to inform the prioritization of IT investments and funding decisions.&#160; </p><p>Ensuring sustainability of IT investments is essential for mitigating risks such as operational disruptions, security lapses, or system degradation.&#160; Strong governance and oversight of IT investments should be designed to enable an Enterprise to ensure that its IT environment remains current and that IT investments are sustainable.&#160; Budgeting should include long-term IT investments over multiple budget cycles, not only for new projects, but also for ongoing maintenance such as routine service, periodic modification, equipment replacement, enhancement of security features, and patch management.&#160; Effective IT investment governance should also include a regular review function to monitor project management practices against established standards, practices, and internal controls.&#160; </p><p> <em>Monitoring and Reporting</em></p><p>Each Enterprise should maintain a process for tracking IT investments and the performance of funded projects.&#160; Monitoring and reporting are essential tools for management to ensure timely identification of changes to project schedules or budgets and the opportunity to ensure that issues are addressed through appropriate governance mechanisms. 
&#160;Effective monitoring and reporting &#160;for IT investments should assist management in ensuring ongoing alignment of the IT project portfolio with strategic objectives and business operating plans, and in maintaining current information on budgets, timelines, and project interdependencies.&#160; </p><p>IT investment management requires periodic performance reporting that provides senior management and the board of directors with appropriate dashboards or similar reports to capture results for performance objectives.&#160; Such reports should inform decision-makers about the sustainability and viability of both existing and future projects.</p><p style="text-decoration&#58;underline;"> <i> <strong>Related Guidance</strong></i></p><p> <em>Guidance on Cyber Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin AB‑2014-05, May 19, 2014.</p><p> <em>Guidance on the Retirement of the Microsoft Windows XP Operating System</em>, Federal Housing Finance Agency Advisory Bulletin AB-2014-04, March 20, 2014. </p><p> <em>Operational Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin AB‑2014‑02, February 18, 2014. 
</p><p> <em>Safety and Soundness Standards for Information</em>, Office of Federal Housing Enterprise Oversight Policy Guidance PG-01-002, December 19, 2001.&#160;</p><p>________________________________</p><p></p><p> <a id="1" href="#ref1"> [1]</a> 12 CFR § 1207.21 requires that the Enterprises develop, implement, and maintain policies and procedures to ensure, to the maximum extent possible in balance with financially safe and sound business practices, the inclusion and utilization of minorities, women, individuals with disabilities, and minority-, women-, and disabled-owned businesses in procurement and all types of contracts.</p></div></div><div> <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> Advisory Bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, the Office of Finance,&#160;Fannie Mae, and Freddie Mac. &#160;This advisory bulletin is effective immediately upon issuance. &#160;Contact&#160;Bobbi Montoya, Associate Director, Examination Standards Branch at&#160;<a href="mailto&#58;Bobbi.Montoya@fhfa.gov">Bobbi.Montoya@fhfa.gov</a>&#160;or&#160;(202)&#160;649-3406, John McNicholas, Senior Examiner (Policy), Examination Standards Branch&#160;at <a href="mailto&#58;John.McNicholas@fhfa.gov">John.McNicholas@fhfa.gov</a> or&#160;(202) 649-3525, or&#160;Anne Paulin, Principal Risk Analyst, Risk Analysis Branch at <a href="mailto&#58;Anne.Paulin@FHFA.gov">Anne.Paulin@fhfa.gov</a> or (202) 649-3421 with comments or questions pertaining to this bulletin. &#160;&#160;</p></td></tr></tbody></table> </div>
<p>AB 2015-03, Rescission of Division of Enterprise Regulation Guidance Documents (Fannie Mae &amp; Freddie Mac), issued 3/26/2015</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>ADVISORY BULLETIN&#160;</strong><br></p><p> <strong>AB 2015-03</strong><br></p><p> <strong>RESCISSION OF DIVISION OF ENTERPRISE REGULATION GUIDANCE DOCUMENTS&#160;</strong></p></td></tr></tbody></table><p> <br> <strong style="text-decoration&#58;underline;"> <em>Purpose</em></strong> </p><p>The Federal Housing Finance Agency (FHFA) is issuing this advisory bulletin to rescind five examination guidance documents issued by the Office of Federal Housing Enterprise Oversight (OFHEO).</p><div><div> <br> &#160;</div><div style="text-decoration&#58;underline;"> <strong><em>Background</em></strong></div><div> <br> &#160;</div><p>In an effort to keep guidance related to the examination process current, FHFA regularly reviews outstanding guidance, including guidance issued by its predecessor agencies. &#160;As a result of the most recent review, FHFA has determined that five guidance documents issued by OFHEO should be rescinded. &#160;These five guidance documents have been superseded by FHFA guidance, or restate regulations without providing additional guidance, or are no longer relevant or applicable in the current environment. 
&#160;</p><div> <br> &#160;</div><div style="text-decoration&#58;underline;"> <strong><em>Guidance</em></strong></div><div> <br> &#160;</div><div>This Advisory Bulletin rescinds&#58;</div><div>&#160;</div><div><ul><li>PG-00-001&#58; Minimum Safety and Soundness Requirements (12/19/2000)<br></li><li>PG-00-002&#58; Non-Mortgage Liquidity Investments (12/19/2000)<br></li><li>PG-06-001&#58; Examination for Corporate Governance (11/8/2006)<br></li><li>PG-06-003&#58; Examination for Accounting Practices (11/8/2006)<br></li><li>PG-08-002&#58; Standards for Enterprise Use of the Fair Value Option (4/21/2008)<br></li></ul></div></div><div><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> Advisory bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, Fannie Mae, and Freddie Mac. &#160;Contact Bobbi Montoya, Associate Director, Office of Supervision Policy at (202)&#160;649-3406 or <a href="mailto&#58;Bobbi.Montoya@fhfa.gov">Bobbi.Montoya@fhfa.gov</a> or Carol Connelly, Principal Examiner, Examination Standards Branch, at (202) 649-3232 or <a href="mailto&#58;Carol.Connelly@fhfa.gov">Carol.Connelly@fhfa.gov</a>, with comments or questions pertaining to this bulletin.&#160;&#160;</p></td></tr></tbody></table><br></div>
<p>AB 2015-02, Enterprise Fraud Reporting (Fannie Mae &amp; Freddie Mac), issued 3/26/2015</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>ADVISORY BULLETIN&#160;</strong><br></p><p> <strong>AB 2015-02</strong><br></p><p><strong>ENTERPRISE FRAUD REPORTING</strong></p></td></tr></tbody></table><p> <br> <strong style="text-decoration&#58;underline;"><em>Purpose</em></strong> </p><p>This advisory bulletin communicates to Fannie Mae and Freddie Mac (the Enterprises) the Federal Housing Finance Agency’s (FHFA) fraud reporting requirements pursuant to 12 CFR Part 1233 (FHFA Regulation).</p><p>This advisory bulletin rescinds and replaces FHFA’s Regulatory Policy Guidance RPG-2011-001, <em>Reporting of Fraudulent Financial Instruments</em>, dated March 2011.</p><div><p style="text-decoration&#58;underline;"><strong><em>Background</em></strong></p><p>The Housing and Economic Recovery Act of 2008 (HERA) subjects the Enterprises to fraud reporting (12 U.S.C. 
Section 4642) and requires an Enterprise to submit to FHFA a &quot;timely&quot; report upon discovery that it has purchased or sold a fraudulent loan or financial instrument, or when it suspects a possible fraud related to the purchase or sale of any loan or financial instrument.&#160; </p><p>The FHFA Regulation implements the timely reporting requirement of HERA (12 CFR Section 1233.3(a)(1)) and requires immediate notification to the Director of FHFA upon the discovery of any situation that would have a significant impact on an Enterprise (12 CFR Section 1233.3(a)(2)).&#160; The FHFA Regulation grants the Director authority to determine procedures by which the Enterprises will submit such reports (12 CFR Section 1233.3(b)).&#160;&#160;</p><p style="text-decoration&#58;underline;"><strong><em>Guidance</em></strong></p><p>The Enterprises should adhere to the guidelines in this advisory bulletin for reporting fraud or possible fraud to FHFA in compliance with the FHFA Regulation and for supervisory oversight purposes. &#160;&#160;</p><p><em>Immediate Notification</em></p><p>To comply with the immediate notification requirement in the FHFA Regulation, an Enterprise should notify the Director’s designee(s) electronically, through secure methods established by FHFA, within one calendar day from when an Enterprise becomes aware of fraud or possible fraud as defined in the FHFA Regulation that may have a significant impact on the Enterprise. &#160;Fraud or possible fraud is considered to have a significant impact if it may create substantial financial or operational risk for the Enterprise, whether from a single event/incident or because it is systemic. &#160;Fraud or possible fraud is also considered significant if it involves a member of the board of directors, officer, employee, or a contractor temporarily engaged to fill a position or perform a particular function at an Enterprise or other individual similarly engaged by an Enterprise. 
&#160;</p><p>The Enterprise should provide periodic updates to its board of directors, or a committee thereof, of all fraud or possible fraud requiring immediate notification.</p><p><em>Timely Reporting</em></p><p>To comply with the timely reporting requirement in the FHFA Regulation, an Enterprise should adhere to the following two reporting requirements.&#160;</p><p style="text-decoration&#58;underline;">Monthly Fraud Status Report</p><p>The Enterprises should submit a monthly fraud status report to FHFA. &#160;The monthly fraud status report shall contain requested information for each occurrence during the month in which the Enterprise has&#58;</p></div><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><div><ol><li><span style="line-height&#58;22px;">Filed a suspicious activity report (SAR) with the U.S. Department of the Treasury, Financial Crimes Enforcement Network (FinCEN) or</span><br></li><li><span style="line-height&#58;22px;">Discovered that it has purchased or sold a fraudulent loan or financial instrument, or when it suspects a possible fraud related to the purchase or sale of any loan or financial instrument, and the Enterprise has not filed a SAR.</span><br></li></ol></div></blockquote><span style="line-height&#58;22px;">FHFA will provide a template that describes the format of the monthly fraud status report and defines the information to be included.</span><div><font color="#404040"><span style="line-height&#58;22px;"><br></span></font><div><div><p>Each Enterprise should provide the Director’s designee(s) with the monthly fraud status report within ten (10) calendar days after the end of each month, regardless of whether the Enterprise has a reportable event during the period covered by the report. &#160;The report should be sent electronically through secure methods established by FHFA. 
&#160; </p><p style="text-decoration&#58;underline;">Quarterly Fraud Status Report</p><p>On a quarterly basis, the Enterprises should also report to FHFA the status of any entry required to be reported in the monthly fraud status report for which the Enterprise’s fraud unit has opened a case. &#160;The quarterly fraud status report shall include cases that (1) remain ongoing as of the quarterly report date or (2) were closed during the quarter covered by the report.&#160;</p><p>FHFA will provide a template that describes the format of the quarterly fraud status report and defines the information to be included.</p><p>Each Enterprise should provide the Director’s designee(s) with the quarterly fraud status report within ten (10) calendar days after the end of each calendar quarter. &#160;The report should be sent electronically through secure methods established by FHFA. &#160;</p><p style="text-decoration&#58;underline;"><strong><em>Effective Date</em></strong></p><p>This advisory bulletin becomes effective on June 1, 2015. &#160;The RPG-2011-001 guidance for Immediate Notifications (Section II.A.), Fraud Reports (Section II.C.), and Quarterly Status Submission (Section II.D.) shall continue through the May 31, 2015 reporting period. &#160;All other requirements of RPG-2011-001 are discontinued immediately, including the Annual Review and Conformance Report.&#160;</p></div></div> <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> Advisory bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, Fannie Mae, and Freddie Mac. 
Contact Kari Walter, Senior Associate Director, Office of Supervision Policy at <a href="mailto&#58;Kari.Walter@fhfa.gov">Kari.Walter@fhfa.gov</a>, or Kathy Beach, Principal Advisor, Office of Supervision Policy at <a href="mailto&#58;Kathy.Beach@fhfa.gov">Kathy.Beach@fhfa.gov</a>, with comments or questions pertaining to this bulletin.&#160;&#160;</p></td></tr></tbody></table></div>
Oversight of Single-Family Seller/Servicer Relationships | Fannie Mae & Freddie Mac | 12/1/2014 5:00:00 AM | AB 2014-07 <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>ADVISORY BULLETIN&#160;</strong><br></p><p> <strong>AB 2014-07&#160;</strong><br></p><p> <strong>Oversight of Single-Family Seller/Servicer Relationships</strong></p></td></tr></tbody></table><h2>Purpose</h2><p>This advisory bulletin communicates the Federal Housing Finance Agency’s (FHFA) supervisory expectation that Fannie Mae and Freddie Mac (collectively, the Enterprises) maintain the safety and soundness of their operations by effectively managing counterparty risks. FHFA expects each Enterprise to assess financial, operational, legal, compliance, and reputation risks associated with its single-family Seller/Servicer counterparties and to take appropriate action to mitigate those risks or reduce the Enterprise’s exposure. Toward this end, each Enterprise should implement a board-approved risk management framework that specifically includes risk-based oversight of single-family Seller/Servicers. Enterprise oversight should be performed pursuant to policies and procedures as described in this advisory bulletin.</p><h2>Background</h2><p>The business relationships between the Enterprises and Seller/Servicers are a fundamental component of the Enterprises’ delegated business models. Seller/Servicers engage in business transactions with and on behalf of the Enterprises, principally selling loans and performing servicing functions, under the terms of each Enterprise’s respective selling and servicing guide and other contractual provisions. 
The term “Seller/Servicer” as used in this advisory bulletin includes all entities that sell single-family mortgage loans to the Enterprises or perform single-family mortgage loan servicing for the Enterprises.</p><p>Seller/Servicers may engage in all aspects of a mortgage loan’s lifecycle or specialize in phases of the lifecycle (e.g., servicing delinquent mortgage loans). Individual Seller/Servicers may present unique risks due to their organizational structure and complexity; operational and technological capabilities and capacity; experience; access to financial resources, both funding and capital; and scope of regulatory oversight.</p><h2>Guidance</h2><p> <em>Risk Management Framework</em><br></p><p>The board of directors is responsible for overseeing the Enterprise’s overall risk management. The use of a third party does not relieve the Enterprise’s board of directors and senior management of their respective responsibilities to oversee and manage the risks that arise out of the Enterprise’s Seller/Servicer relationships.</p><p>FHFA expects each Enterprise to have a risk management framework for Seller/Servicers as part of its enterprise-wide risk management program. An effective risk management framework addresses the Seller/Servicer relationship for the duration of its lifecycle, including due diligence and selection, contract negotiation, ongoing monitoring (including performance review and issue resolution), and termination.</p><p>The framework should incorporate a policy for the oversight of Seller/Servicer relationships. The policy should establish standards for identifying, assessing, monitoring, and managing risks associated with Seller/Servicer relationships. The policy should assign clear roles and responsibilities and require that significant decisions with respect to Seller/Servicers be documented and include all appropriate Enterprise stakeholders, including Enterprise risk management. 
The policy should require that significant issues related to a Seller/Servicer or exceptions to the policy be reported to senior management. The policy should identify criteria for when significant issues will be reported to the board of directors (or a committee thereof). The policy should be implemented by business line-level policies and procedures that establish processes and controls.</p><p> <em>Selection of Seller/Servicers&#160;</em></p><p> <em></em> <span style="line-height&#58;22px;">Prior to entering into a contractual relationship with a Seller/Servicer, the Enterprise should perform due diligence and document the results. The due diligence should evaluate relevant risks related to a potential Seller/Servicer and should be informed by the factors below. The framework may provide for due diligence to be conducted using a risk-based approach, pursuant to defined criteria.&#160;</span><br></p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p> ​<span style="text-decoration&#58;underline;">Financial Risk Factors</span>&#160;</p></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p>​​Financial risk is the risk of loss due to the Seller/Servicer’s inability to meet its financial obligations. Financial risk may arise due to deterioration in the Seller/Servicer’s financial condition, significant growth, or an unexpected event that causes financial hardship. 
The Enterprises should consider the following in assessing each potential Seller/Servicer’s financial risk, as appropriate&#58;</p><ul><li> <span style="line-height&#58;22px;">Overall financial strength and financial ratio trends;&#160;</span><br></li><li> <span style="line-height&#58;22px;">B</span><span style="line-height&#58;22px;">usiness plan, expertise, and loan production sources;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Ability to meet selling and servicing guides and other contractual provisions, including representations and warranties, under stable and adverse economic scenarios;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Existing and anticipated sources of income, capital, and liquidity;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Quality of loans;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Projected levels of loans, mortgage servicing rights (MSRs), and other servicing assets (e.g., MSR strips, servicing advances);&#160;</span><br></li><li> <span style="line-height&#58;22px;">Adequacy of fidelity bond and errors and omissions insurance coverage; and&#160;</span><br></li><li> <span style="line-height&#58;22px;">Complexity of the Seller/Servicer’s financial structure, in</span><span style="line-height&#58;22px;">cluding the terms of any financial arrangements with other parties.&#160;</span><br></li></ul><p style="text-decoration&#58;underline;"> Operational Risk Factors</p><p>Operational risk is the exposure to loss from inadequate or failed internal processes, people, and systems, or from external events. Operational risk may arise when a Seller/Servicer cannot effectively perform the duties that it has contracted to perform due to deficiencies in its operations or controls. 
The Enterprises should consider the following in assessing each potential Seller/Servicer’s operational risk, as appropriate&#58;&#160;</p><ul><li> <span style="line-height&#58;22px;">Current and prospective resources and capacity regarding staffing, facilities, technology infrastructure, and any sub-servicing arrangements;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Organizational structure, complexity, and ownership, including affiliates;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Key personnel, principals, and controlling shareholders, including information from background checks, when appropriate;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Reliance on, exposure to, and performance of sub-servicers, location of subservicers, and the Seller/Servicer’s ongoing monitoring program and quality control testing of sub-servicers;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Seller/Servicer oversight of third-party service providers (e.g., mortgage brokers, appraisers) contractually obligated to the Seller/Servicer, not the Enterprise;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Risk management program, internal controls and results of audits or reviews, including independent post-closing loan review process;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Business continuity and contingency planning; and&#160;</span><br></li><li> <span style="line-height&#58;22px;">Information technology management program, including an information security framework.&#160;</span><br></li></ul><p> <span style="text-decoration&#58;underline;">Legal, Compliance, and Reputation Risk Factors</span>&#160;</p><p>Legal, compliance, and reputation risk exists when a Seller/Servicer’s operations are not consistent with laws, regulations, sound practices, or an Enterprise’s selling and servicing guides and other contracts. 
The Enterprises should consider the following in assessing the legal, compliance, and reputation risk associated with potential Seller/Servicers, as appropriate&#58;&#160;</p><ul><li> <span style="line-height&#58;22px;">Maintenance of the appropriate federal and state charters or licenses required for or relevant to operating their business;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Scope of federal and state regulatory oversight, both prudential and consumer protection;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Compliance programs for all applicable laws and regulations, including consumer protection laws;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Record of compliance with applicable laws </span><span style="line-height&#58;22px;">and regulations, based upon publicly available information;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Information known or reasonably available to an Enterprise about loan originators used by the Seller/Servicer and their compliance with consumer protection laws;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Publicly available information about supervisory and legal actions, including criminal and civil actions, taken against the Seller/Servicer, key personnel, principals or controlling shareholders, and affiliates;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Publicly available information about investigations and litigation initiated by federal and state authorities, and agreements reached in conjunction with those actions, including the assessment of fines;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Orders issued under the FHFA Suspended Counterparty Program; and&#160;</span><br></li><li> <span style="line-height&#58;22px;">Significant consumer complaints or a pattern of consumer complaints</span><span style="line-height&#58;22px;">.&#160;</span><br></li></ul></blockquote><blockquote style="margin&#58;0px 
0px 0px 40px;border&#58;none;padding&#58;0px;"> <span style="line-height&#58;22px;">Evaluation of these risk factors should be consistent with, and supportive of, the standards for approving Seller/Servicers articulated in the risk management policy.&#160;</span></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"> <span style="line-height&#58;22px;"><br></span></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p> <em>Ongoing Monitoring</em>&#160;</p><div> <span style="line-height&#58;22px;">​Monitoring of the Seller/Servicer for the duration of the relationship is essential to an Enterprise’s ability to manage Seller</span><span style="line-height&#58;22px;">/Servicer risks. As part of ongoing monitoring, each Enterprise should have risk-based procedures that require updating information obtained during the approval process and performing subsequent analysis to evaluate changes in a Seller/Servicer’s risk. FHFA expects that ongoing monitoring will be risk-based, so it will vary among individual Seller/Servicers and may change over time for a particular Seller/Servicer. 
Enterprise policy regarding the scope and frequency of ongoing monitoring activities should be commensurate with the risk associated with the particular Seller/Servicer.&#160;</span><br></div><div> <span style="line-height&#58;22px;"> <br></span></div><div> <span style="line-height&#58;22px;">The documented analysis should take into account factors assessed during the approval process, as well as the following factors, as appropriate&#58;&#160;</span></div><div><ul><li> <span style="line-height&#58;22px;">Volume of loans sold; MSRs retained, sold, transferred, or pledged; and servicing transfer activity, noting rapid or significant changes;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Outstanding obligations and past performance regarding recoveries of repurchases and compensatory fees;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Adherence to approved terms of business, including capital requirements, sales volume, and product limitations;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Delivery and servicing performance record;&#160;</span></li><li> <span style="line-height&#58;22px;">Contractual ability of the Enterprise to access Seller/Servicer records and conduct onsite visits;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Results of operational reviews performed by the Enterprise;&#160;</span></li><li> <span style="line-height&#58;22px;">Results of the Enterprise’s review of a Seller/Servicer for the Seller/Servicer’s compliance with consumer protection and other laws where the Enterprise may have legal liability as a result of the Seller/Servicer’s noncompliance;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Information about a Seller/Servicer’s compliance with consumer protection laws where the Enterprise may be exposed to significant risk as a result of the Seller/Servicer’s noncompliance;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Record of compliance with 
Seller/Servicer guides and other contractual terms, including compliance with laws and regulations, based on Enterprise compliance and quality control reviews;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Results of fraud and data integrity reviews;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Volume, type, and pattern of Seller/Servicer guide waivers considering documented justification for waivers, and results of ongoing performance reviews of loans with waivers relative to justification and expectations;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Sufficiency and timeliness of performance data to evaluate the quality and effectiveness of Seller/Servicer processes for actual and projected volumes;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Accuracy and completeness of loan recordkeeping, including loan data systems and loan documentation, throughout the life of the loan;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Changes in the Seller/Servicer’s business model, strategies, or practices; and&#160;</span><br></li><li> <span style="line-height&#58;22px;">Operational and system complexity, including after an acquisition or merger involving multiple locations, systems, and processes.&#160;</span></li></ul></div></blockquote><div> <span style="font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;line-height&#58;22px;"> <em>Management</em>&#160;</span></div><div> <span style="font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;line-height&#58;22px;"> <br></span></div><div> <span style="font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;line-height&#58;22px;">The risk management framework should include policies for the escalation to and subsequent tracking of issues by the Enterprise’s senior management or 
board of directors (or committee thereof), depending on the type of issue and the risk posed to the Enterprise. In addition, the policies should address the remediation of deficiencies or weaknesses identified in performance criteria or risk areas, as appropriate. The policies should also include standards for taking timely remedial action to exercise contractual rights for termination, suspension, or restriction of activities with a Seller/Servicer, including, for example, against a Seller/Servicer that fails to meet an Enterprise’s standards of performance or that poses reputation risk because of noncompliance with applicable laws and regulations or unso</span><span style="font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;line-height&#58;22px;">und business practices.&#160;</span><br></div><div><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><div> <span style="line-height&#58;22px;"> <br></span></div></blockquote><h2> Related Guidance and Regulations </h2><div> <em style="color&#58;#404040;font-family&#58;'source sans pro', sans-serif;font-size&#58;14px;line-height&#58;22px;">Mortgage Servicing Transfers</em><span style="line-height&#58;22px;">, Federal Housing Finance Agency Advisory Bulletin 2014-06, June 11, 2014, communicates FHFA’s supervisory expectations for risk management practices in conjunction with the sale and transfer of mortgage servicing rights or the transfer of the operational responsibilities for servicing mortgage loans owned or guaranteed by the Enterprises.&#160;</span><br></div><div> <span style="line-height&#58;22px;"> <br></span></div><div> <span style="line-height&#58;22px;"> <em>Contingency Planning for High-Risk or High-Volume Counterparties</em>, Federal Housing Finance Agency Advisory Bulletin 2013-01, April 1, 2013, establishes guidelines for contingency plans for high-risk or high-volume counterparties and describes the criteria the regulated entities should use to develop plans 
for managing counterparty credit risk exposures.&#160;</span></div><div> <span style="line-height&#58;22px;"> <br></span></div><div> <span style="line-height&#58;22px;">12 CFR Part 1227 <em>Suspended Counterparty Program</em> generally sets forth the requirements by which each regulated entity submits reports to FHFA when it becomes aware that an individual or institution with which it has been engaged in a covered transaction (as such term is defined in the regulation) within the previous three years has been convicted, debarred, suspended, or otherwise sanctioned, based on specified financial misconduct. FHFA may issue suspension orders in appropriate cases, requiring the regulated entities to cease doing business with such individuals or institutions.&#160;</span></div><div> <span style="line-height&#58;22px;"> <br></span></div><div> <span style="line-height&#58;22px;">12 CFR Part 1233 <em>Reporting of Fraudulent Financial Instruments </em>requires each regulated entity to make a report to FHFA upon discovery that it has purchased or sold a fraudulent loan or financial instrument or suspects a possible fraud relating to the purchase or sale of any loan or financial instrument.&#160;</span></div><div> <span style="line-height&#58;22px;"> <br></span></div><div> <span style="line-height&#58;22px;">12 CFR Part 1236 <em>Prudential Management and Operations Standards, Standard 9 – Management of Credit and Counterparty Risk </em>provides guidelines on the management of credit and counterparty risk.&#160;</span></div><div> <span style="line-height&#58;22px;"> <br></span></div><div> <span style="line-height&#58;22px;">Department of the Treasury Financial Crimes Enforcement Network 31 CFR Parts 1010 and 1030 <em>Anti-Money Laundering Program and Suspicious Activity Report Filing Requirements for Housing Government Sponsored Enterprises </em>requires each regulated entity to file suspicious activity reports and develop an anti-money laundering program.&#160;</span><br> 
<div></div></div></div><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <span style="font-style&#58;normal;font-variant&#58;normal;line-height&#58;22px;">Advisory Bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, Fannie Mae, and Freddie Mac. This bulletin is effective immediately upon issuance. Contact Kari Walter, Senior Associate Director, Office of Supervision Policy at 202-649-3405 or <a href="mailto&#58;Kari.Walter@fhfa.gov">Kari.Walter@fhfa.gov</a>, or Kathy Beach, Office of Supervision Policy, at 202-649-3521 or <a href="mailto&#58;Kathy.Beach@fhfa.gov">Kathy.Beach@fhfa.gov</a> with comments or questions pertaining to this bulletin.</span></p></td></tr></tbody></table>
Mortgage Servicing Transfers | Fannie Mae & Freddie Mac | 6/11/2014 4:00:00 AM | AB 2014-06<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p><strong>ADVISORY BULLETIN&#160;</strong><br></p><p><strong>AB 2014-06&#160;</strong><br></p><p><strong>Mortgage Servicing Transfers&#160;</strong></p></td></tr></tbody></table><h2>Purpose</h2><p>The Federal Housing Finance Agency (FHFA) is issuing this advisory bulletin to communicate supervisory expectations for risk management practices in conjunction with the sale and transfer of mortgage servicing rights (MSRs) or the transfer of the operational responsibilities of servicing mortgage loans owned or guaranteed by Fannie Mae and Freddie Mac (collectively, the Enterprises).</p><h2>Background</h2><p>The sale and transfer of MSRs or the transfer of mortgage servicing has recently increased for a number of reasons. Some servicing transfers are initiated by the Enterprises. An Enterprise may seek to facilitate or require the transfer of mortgage servicing to a different servicer in an effort to improve mortgage servicing performance. A transfer may also be necessitated by a mortgage servicer’s failure to meet contractual requirements. Servicing transfer requests may also be initiated by the owner of the MSRs or the servicer of the mortgage portfolio. For example, changes in capital regulations or servicing profitability may prompt commercial banks and financial services companies to seek to reduce MSR holdings. Some non-bank mortgage servicing companies have recently increased acquisitions of MSRs and the servicing of mortgage loans.</p><p>There are different variations for structuring transfers to the acquiring entities. Historically, both the ownership of the MSRs and the servicing of the mortgage loans were transferred to the same entity. 
However, the MSRs owner and the mortgage servicer may be separate entities, which would necessitate one or more sub-servicer arrangements. For example, the MSRs owner may be established as a limited liability company with the primary purpose of sub-contracting servicing to one or more servicers. In some situations, more than one entity is responsible for the representations and warranties related to the origination, selling, or servicing of a transferred mortgage servicing portfolio. Different types of entities involved in MSR holding structures can impact the financial, operational, and legal risks associated with any given transfer.</p><p>Any sale and transfer of MSRs or transfer of the operational aspect of servicing mortgage loans owned or guaranteed by Fannie Mae or Freddie Mac requires the approval of the applicable Enterprise in accordance with its seller/servicer guide.</p><div><h2>Guidance</h2><p>An Enterprise should only approve those transactions that are consistent with sound business practice, aligned with the Enterprise’s board-approved risk appetite, and in compliance with regulatory and Conservator requirements. Certain bulk servicing transfers also require the approval of FHFA as Conservator for the Enterprises.</p><p>Each Enterprise should have in place policies and procedures within its risk management program for evaluating risks of proposed sales or transfers of MSRs and transfers of the servicing of mortgage loans, considering the particular circumstances of the transfers (e.g., volume and profile of the loans transferred, structure and complexity of the transaction, counterparty exposure, servicing concentrations, and/or borrower experience). The Enterprise’s policies and procedures should identify, assess, and appropriately mitigate risk. 
The policies and procedures should provide for risk-based periodic reporting to the board of the transfers’ risk effect on the mortgage servicing portfolio. The Enterprise should maintain documentation of supporting analysis of transfer approval decisions that is sufficient to enable subsequent supervisory review.</p></div><div><p>This advisory bulletin sets forth guidance for how each Enterprise should develop policies and procedures for reviewing and approving the sale and transfer of MSRs or the transfer of the servicing of mortgage loans. The policies and procedures should enable the Enterprise to understand its potential counterparty risk exposure resulting from servicing transfers.</p><p><em class="ms-rteFontSize-2">Analysis of Mortgage Servicing Transfers</em></p><p>The Enterprise should analyze and document the terms and conditions of all proposed transactions. The Enterprise should evaluate the risks and potential benefits of proposed transfers, taking into account relevant factors regarding the transferee, the transferor, and the borrower, as well as the Enterprise’s overall risk management strategy for servicers. The analysis should incorporate and reflect the views of both risk management and business line management.</p><p>The analysis should reflect a risk-based approach and consideration of all relevant risks, including (but not limited to) the following factors&#58;</p><h4>Financial Risk Factors</h4><ul><li><span style="line-height&#58;1.6;">Financial strength of the transferee servicer or the MSRs owner based upon a current analysis;</span><br></li><li><span style="line-height&#58;1.6;">Existing and anticipated sources of capital and liquidity for the transferee servicer or the MSRs owner;</span><br></li><li><span style="line-height&#58;1.6;">Confirmation of the responsible party(ies) for origination and servicing representation and warranty obligations;</span><br></li><li><span style="line-height&#58;1.6;">Ability 
of all relevant participants to meet contractual obligations, including representations and warranties and other&#160;contractual obligations, including during adverse scenarios in which the counterparty may have trouble accessing liquidity and capital;</span><br></li><li><span style="line-height&#58;1.6;">Terms of any financial support arrangements (e.g., letters of credit, net worth or other guarantees, or other investment structures that securitize the servicing income or the advance receivables); and</span><br></li><li><span style="line-height&#58;1.6;">Complexity of the counterparty financial structure, including financial arrangements with other parties.</span><br></li></ul><h4>​Operational Risk Factors</h4><ul><li><span style="line-height&#58;1.6;">The Enterprise’s, the transferee’s, and the transferor’s business objective for the proposed transfer;</span><br></li><li><span style="line-height&#58;1.6;">Transferee servicer’s status as an “approved” servicer by the Enterprise;</span><br></li><li><span style="line-height&#58;1.6;">Transferee servicer’s and any sub-servicer’s delegations and authority to conduct business on behalf of the Enterprise in relation to the servicing portfolio being transferred;</span><br></li><li><span style="line-height&#58;1.6;">Organizational structure, location, management team, and operations of the transferee servicer and any sub-servicers;</span><br></li><li><span style="line-height&#58;1.6;">Transferee servicer’s and any sub-servicer’s expertise and performance record, including the results of recently conducted Enterprise on-site reviews;</span><br></li><li><span style="line-height&#58;1.6;">Servicing fee distribution between the MSRs owner and the transferee servicer to ensure proper alignment of incentives and coverage of costs;</span><br></li><li><span style="line-height&#58;1.6;">Servicer capacity, taking into account staffing, facilities, information technology systems, and any sub-servicing 
arrangements;</span><br></li><li><span style="line-height&#58;1.6;">Outstanding obligations and past performance regarding repurchase recoveries and compensatory fee recoveries;</span><br></li><li><span style="line-height&#58;1.6;">Operational complexity of the transaction;</span><br></li><li><span style="line-height&#58;1.6;">Third party service providers or vendors contractually obligated to the servicer, but not to the Enterprise;</span><br></li><li><span style="line-height&#58;1.6;">Adequacy of the transferee servicer’s business continuity plan, inclusive of any applicable sub-servicers or material vendors;</span><br></li><li><span style="line-height&#58;1.6;">Current and potential effects of the transfer on borrowers, including those associated with in-process workouts, bankruptcies, and litigation; and</span><br></li><li><span style="line-height&#58;1.6;">Overall effect of the transfer on the servicer relationship and any resulting counterparty concentrations for an Enterprise.</span><br></li></ul><h4>Legal and Compliance Risk Factors</h4><ul><li><span style="line-height&#58;1.6;">Potential compliance risk associated with the characteristics of the mortgage loans being serviced;</span><br></li><li><span style="line-height&#58;1.6;">Based upon publicly available information, the transferor servicer’s, transferee servicer’s, and any sub-servicer’s record of compliance with consumer protection laws, including provisions of the Consumer Financial Protection Bureau’s Regulation X, which implements the Real Estate Settlement Procedures Act;</span><br></li><li><span style="line-height&#58;1.6;">Extent to which the transferor servicer, transferee servicer, and any sub-servicer is subject to federal or state regulatory oversight; and</span><br></li><li><span style="line-height&#58;1.6;">Any public regulatory or other enforcement actions relating to safety and soundness, legal, or compliance issues (e.g., consumer compliance, fraud, financial reporting) of the 
servicers or sub-servicers.</span><br></li></ul><p>Policies and procedures should be consistent with prudent counterparty risk management practices and with FHFA&#160;guidance, including risk-based contingency planning in accordance with FHFA Advisory Bulletin AB-2013-01, Contingency Planning for High-Risk or High-Volume Counterparties, as appropriate.</p><div><p><em class="ms-rteFontSize-2">Transfer Execution Monitoring</em></p><p>The Enterprise’s policies and procedures should clearly outline its expectations to facilitate the transfer of data and records. Further, the Enterprise should have a risk-based process to monitor the execution of the transfers so that all servicing transfers occur in a timely manner and in accordance with approved terms, servicing guide requirements, and applicable mortgage servicing transfer-related laws and regulations. The Enterprise should also have a process to update and&#160;maintain its systems to accurately identify all parties involved in the servicing of a particular loan portfolio.</p><p>Monitoring should cover the transfer of loan records, information regarding loans with loss mitigation in process (including loan modifications), compliance with laws and regulations relating to mortgage servicing transfers, compliance with&#160;approved terms including loan product types and status of loans to be transferred, and quality control review results. For loans that are subject to existing loss mitigation agreements or have loan modification agreements in process, the&#160;transfer terms should require the transferee servicer to honor and abide by such agreements or propose options that are no less beneficial to the borrower, and provide for the transferee servicer to obtain all information needed to complete the modification. 
Transfer execution monitoring should encompass consideration of all relevant participants, including the MSRs owners, servicers, sub-servicers, and third party service providers and vendors, as appropriate.</p><p>Policies and procedures for Enterprise approval determinations should incorporate assessments of the effectiveness of any prior transfers. Transfer execution monitoring should continue for a sufficient period of time post-transfer to enable the Enterprise to evaluate the effectiveness of the transfer and incorporate that evaluation in future approval decisions.</p><h2>Related Guidance</h2><p>Contingency Planning for High-Risk or High-Volume Counterparties, Federal Housing Finance Agency Advisory Bulletin 2013-01, April 1, 2013, establishes guidelines for contingency plans for high-risk or high-volume counterparties and describes the criteria the regulated entities should use to develop plans for managing counterparty credit risk exposures.</p><div><br></div></div></div>9/18/2014 7:25:23 PM3578http://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Cyber Risk Management Guidance12028All5/19/2014 4:00:00 AMAB 2014-05 <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p><strong>ADVISORY BULLETIN&#160;</strong><br></p><p><strong>AB 2014-05&#160;</strong><br></p><p><strong>Cyber Risk Management Guidance&#160;</strong></p></td></tr></tbody></table><p> <br><strong style="text-decoration&#58;underline;"><em>Purpose</em></strong> </p><p>This advisory bulletin provides Federal Housing Finance Agency (FHFA) guidance on cyber risk&#160;management. This guidance is applicable to Fannie Mae and Freddie Mac (the Enterprises), the&#160;Federal Home Loan Banks (FHLBanks) (collectively, the Regulated Entities) and the Office of&#160;Finance. This advisory bulletin discusses considerations and expectations for cyber risk&#160;management and is intended to be applied using a risk-based approach. Cyber risk management&#160;practices should be proportional to the unique cyber risks faced by each Regulated Entity and the&#160;Office of Finance. As cyber risks may arise unevenly across an institution, methods should be&#160;tailored to address vulnerabilities at the institutional, business, and operational levels.</p><p>The guidance in this advisory bulletin is principles-based and technology-neutral (i.e., the guidance&#160;does not prescribe specific technology solutions). 
It focuses on seven main components&#58;​</p><div><ol><li><p>Proportionality – A cyber risk management program should be proportional to the unique&#160;cyber risks of a Regulated Entity or the Office of Finance.​<br></p></li><li><p>Cyber Risk Management – Cyber risk management should leverage existing risk&#160;management practices.​<br></p></li><li><p>Risk Assessments – Risk assessments should be conducted to identify, understand, and&#160;prioritize cyber risks.​<br></p></li><li><p>Monitoring and Response – Identified cyber risk concerns should be monitored and&#160;responded to through the cyber risk management program.<br></p></li><li><p>System, Patch, and Vulnerability Management – The Regulated Entity or the Office of&#160;Finance should have processes that facilitate the regular assessment and timely repair of&#160;vulnerabilities in its systems and applications.​<br></p></li><li><p>Third Party Management – As part of a risk management process, substantial risks arising&#160;from third parties that have access to material information, systems, or assets, or upon&#160;whom the institution has a material reliance, should be identified, monitored, and&#160;prioritized.<br></p></li><li><p>Privacy and Data Protection – The Regulated Entity or the Office of Finance should protect&#160;sensitive, confidential, or personally identifiable information in its possession to reasonably&#160;safeguard against concerns that may include legal and reputational risk.<br></p></li></ol><p style="text-decoration&#58;underline;"><strong><em>Background</em></strong></p><p>Cyber risk has become an increasing concern to the financial services industry, including housing&#160;finance. Types of cyber-related risks that may be encountered include distributed denial-of-service&#160;(DDoS) attacks, computer trespass, insider threats, corporate or national espionage, terrorism,&#160;hacktivism, or the compromise of industry utilities. 
These risks might cause the compromise of&#160;sensitive, confidential, or personally identifiable information. They may also affect the integrity&#160;and availability of data and information.</p><p>Operational or third party breakdowns or changes may also pose risks and highlight the importance&#160;of system, patch, and vulnerability management. For example, a third party’s termination of&#160;support for an operating system or application suite would result in a need to review the&#160;effectiveness of existing system and patch management programs, and to manage the risks&#160;associated with discontinuation of support. In addition to operational concerns, unpatched&#160;environments present opportunities for exploitation by malicious parties. Established attack&#160;vectors by such parties include running vulnerability or code scanning on a targeted organization to&#160;search for unpatched systems or taking advantage of known vulnerabilities that are several years&#160;old and have readily available patches that were not implemented.</p><p>The cyber threat landscape continues to change and can affect the Regulated Entities and the Office&#160;of Finance in varying ways. The sophistication of cyber threats has increased significantly. While&#160;the risk of discrete, one-off threats, such as the actions of a disgruntled employee, represents one&#160;part of this landscape, larger, more coordinated threats, commonly referred to as advanced&#160;persistent threats, have emerged and become more commonplace. The originators of these types of&#160;threats and others may be nation and non-nation states, criminals, or “hacktivists”. These groups&#160;may be loosely organized into collectives or highly coordinated and managed. 
They may seek to&#160;cause financial or reputational harm, compromise the privacy of individuals, disrupt capital&#160;markets, or incite terror.</p><p>The cyber risk management approaches of the Regulated Entities and the Office of Finance depend&#160;on, among other things, their cyber risk profile and posture, operational and technology models,&#160;third party relationships, governance structure, and the level of involvement of the board of&#160;directors (board) and senior management. FHFA Prudential Management and Operations&#160;Standards (PMOS) (12 CFR Part 1236) address ten areas relating to management and operations.&#160;Although multiple standards address aspects of cyber risk management, the primary PMOS are&#160;Standard 1 (Internal Controls and Information Systems), Standard 8 (Overall Risk Management&#160;Processes) and Standard 10 (Maintenance of Adequate Records). FHFA might evaluate an&#160;institution’s cyber risk&#160;management program as part of its examinations.</p></div><p style="text-decoration&#58;underline;"><strong><em>Guidance</em></strong></p><p>This advisory bulletin describes the characteristics of a cyber risk management program that the&#160;FHFA believes will enable&#160;the Regulated Entities and the Office of Finance to successfully&#160;perform their responsibilities and protect their&#160;environments.&#160;Although institutions cannot&#160;eliminate cyber risks, these risks can be effectively managed.</p><div><p><em>Proportionality</em></p><p>Cyber risk can manifest itself differently between and among institutions of similar business&#160;profiles, such as across the FHLBanks or between the Enterprises. Additionally, the types of cyber&#160;risks may differ significantly within areas of an individual institution, and multiple risks can exist&#160;and interact concurrently. 
For example, a DDoS attack on an organization’s public website by a&#160;malicious party may be designed to distract attention from the true intent of exfiltrating personally&#160;identifiable information from a server unrelated to the public website. FHFA expects the cyber risk&#160;management program implemented by a Regulated Entity or the Office of Finance to be&#160;commensurate with its own cyber risks at the institutional, business, and operational levels, and&#160;that the cyber risk management program meets prevailing technology, industry, and government&#160;standards.</p></div><p><em>Cyber Risk Management</em></p><p>The board (or a delegated committee of the board) establishes the overall cyber risk management&#160;policy and appropriate board-level reporting. The policy should define the institution’s governance&#160;and risk management structure; prioritize cyber risk management efforts in alignment with&#160;institution goals and objectives; establish risk tolerance levels and escalation procedures; define&#160;how the institution will assess and respond to cyber risks; and ensure the board or its designees&#160;receive appropriate reporting. The policy should be periodically evaluated and updated to reflect&#160;changes to the institution’s cyber risks.​</p><p>Senior management, and business and operational personnel at their respective program levels,&#160;should implement board-established policy. Within each descending management and operational&#160;tier, management should implement the cyber risk management program with specificity&#160;appropriate to each level and consistent with board-established priorities, risk tolerances, and&#160;response goals across the institution. Appropriate industry protocols and standards should be&#160;considered as source material when building out programs. 
Examples may include appropriate&#160;aspects of the International Organization for Standardization (ISO) 27000 family of standards for&#160;securing information assets, the National Institute of Standards and Technology (NIST) &#160;Framework for Improving Critical Infrastructure Cybersecurity, and the Information Systems&#160;Audit and Control Association (ISACA) Control Objectives for Information and Related&#160;Technology (COBIT) framework.</p><div><p>Cyber risk management practices should be established within the existing risk management&#160;framework to enable an institution to identify its exposures. For certain cyber risks, it may be&#160;possible to execute the program and operational practices in a common manner across the&#160;institution. For example, an institution may develop a corporate-level system patch deployed&#160;through its technology infrastructure that adequately addresses a specific institution-wide cyber&#160;risk. A common approach, however, may not be appropriate for all cyber risks. Certain cyber risks&#160;emerge in some areas within an organization but not in others. For example, a department with&#160;web-connected computers or a business unit with servers containing sensitive, confidential, or&#160;personally identifiable information may face risks unlike other areas of the same institution.</p><p>Precautionary measures should be taken to mitigate insider threats. Such threats may emanate&#160;from disgruntled or terminated employees, contractors, or third parties, each of whom may have&#160;access and organizational knowledge to inflict distinctive harm. 
Precautionary measures against&#160;insider threats may include regular internal audits and enterprise risk assessments; internal&#160;surveillance; monitoring and controls; implementation and enforcement of entitlement&#160;management; use of layered security; and prompt deactivation of system access following&#160;termination, resignation, or transfer by an employee or contractor. An institution’s internal and&#160;external audit findings around such issues can serve as a basis for updating its program. The&#160;Regulated Entities also need to comply with their obligations pursuant to FHFA’s Financial&#160;Instrument Fraud Reporting Rule (12 CFR 1233.3) upon discovery of insider fraud or suspicion of&#160;possible insider fraud.</p><p><em>Risk Assessments</em><br></p><div><p>Regular risk assessments should be conducted to identify, understand, and prioritize cyber risks&#160;involving business operations, information technology architecture, and third parties. It is&#160;important to have an informed view of the institution’s cyber risks and related vulnerabilities,&#160;including the risk of events occurring alone or in tandem, and the likelihood of occurrence. Risk&#160;assessments should be conducted on a regular schedule appropriate to the individual institution’s&#160;risk profile and exposures. Risk assessments should address risks associated with third parties&#160;upon whom the institution has material reliance or who have access to material information,&#160;systems, or assets at the institution. An institution may employ outside experts to perform risk&#160;assessments or conduct internal reviews to inform its program.</p></div><p>Risk assessments should also occur when material events at a Regulated Entity or the Office of&#160;Finance necessitate a reevaluation of its cyber risk posture. 
If an institution identifies or becomes&#160;aware of a significant vulnerability or weakness, it should conduct an appropriate assessment and&#160;make suitable enhancements or adjustments to its risk management activities to address the issue.&#160;An institution may uncover a vulnerability through its own internal reviews. It may also learn of a&#160;breach at an organization with a similar cyber risk profile during monitoring of current industry&#160;developments. In certain cases, an institution may be unaware of concerns until it is contacted by&#160;an external source. Such contact may come in the form of a federal or state law enforcement&#160;inquiry into an intrusion of an institution’s system, a security alert on a relevant vulnerability, or a&#160;third party notification about a potential weakness in the institution’s perimeter.</p><p><em>Monitoring and Response</em><br></p><div><p>Based on an institution’s risk assessments, it should have a program in place to monitor cyber risks&#160;and respond to identified concerns. The program should be clearly outlined; be communicated&#160;across the organization; have repeatable and executable processes; and be incorporated within the&#160;institution’s cyber risk management framework. The program should facilitate a response that is&#160;appropriate and proportional to the characteristics of the identified exposure. In some&#160;circumstances, a Regulated Entity or the Office of Finance may determine its preferred risk&#160;response may not be feasible to implement or be cost-prohibitive. In such circumstances, its&#160;response can consider alternative approaches, for example, mitigating the risk to an acceptable&#160;level or transferring it in a reasonable and justifiable manner.</p><p>In addition to front-end risk monitoring executed through the risk assessment process, the back-end&#160;implementation and performance of risk responses should be monitored. 
Monitoring should define&#160;roles, responsibilities and accountabilities; enable the verification of implementation; evaluate&#160;response effectiveness; and identify any changes that may impact the effectiveness of a response.&#160;Appropriate information on risk responses should be communicated to the proper persons or&#160;committees to ensure decision makers are suitably informed. An institution should also&#160;periodically test or otherwise validate the implementation and effectiveness of its measures. For&#160;example, the operation of an incident response plan developed to address breaches should be&#160;compared against the documented, written plan itself.</p></div><p><em>System, Patch, and Vulnerability Management</em><br></p><div><p>An institution should have processes that facilitate the regular assessment and timely repair of&#160;vulnerabilities in its systems and applications. These processes may be incorporated within an&#160;institution’s existing entity-wide change management program. Unsupported or out-of-date&#160;systems or applications may lead to operational breakdowns as functionality and performance&#160;degrade. If an institution or a third party continues operating unsupported software, the institution&#160;should have a process in place to identify, monitor, and respond to new vulnerabilities in legacy&#160;systems. Further, the effectiveness and management of the system and patch management&#160;programs of third parties upon which the institution has material reliance and third parties that have&#160;access to material information, systems, or assets at the institution should be reviewed.​</p></div><div><p>Prior to deploying fixes, there should be a testing and approval process in place to mitigate risks&#160;associated with patch failures or unforeseen consequences. Sometimes patching can be done on an&#160;automated basis while in other circumstances a manual, phased roll-out is more appropriate. 
An institution should be aware that often when a change is made in one area of its technology&#160;environment, the change may have an unforeseen or unintended impact in another area.</p><p>There may be instances where a particular vulnerability does not have a related patch. In instances&#160;where such a vulnerability presents a significant risk to an institution, it should consider alternative&#160;methods to mitigate the risk. Such alternative methods may include employee training, additional&#160;monitoring, or special system configurations.</p><p>An institution should also assess the viability of replacement or retirement of systems or&#160;applications as part of a system development lifecycle program. Highly customized systems can&#160;become outdated and unsupported while still being heavily utilized by an institution. Retirement or&#160;replacement should be considered during evaluations instead of continued patching.</p></div><p><em>Third Party Management</em><br></p><div><p>FHFA expects the Regulated Entities and the Office of Finance to identify, monitor, and prioritize&#160;substantial risks at or within the operations of third parties upon whom the institution has material&#160;reliance or for those that have access to material information, systems, or assets at the institution.&#160;The internal securities policies of such parties should be in alignment or compliance with those of&#160;the institution. As part of its risk assessments, an institution should request the information it needs&#160;to reach reasonable conclusions as to a third party’s cyber risk management protocols. In addition&#160;to declarations and certifications provided by a third party, an institution should consider&#160;preserving legal and contractual rights to conduct onsite assessments, as necessary, to verify such&#160;statements. 
In those cases when a third party asserts that certain information cannot be provided&#160;directly because it is proprietary, the institution should obtain sufficient comparable information to&#160;develop an informed assessment, such as through the review of Statement on Standards for&#160;Attestation Engagement (SSAE) No. 16 reports. An institution should also include in its business&#160;continuity and contingency planning provisions for when cyber risk events should result in&#160;substitution or replacement of services provided by third parties.</p><p>An institution should also understand if a third party outsources a service upon which the&#160;institution has a material reliance, and what additional exposures that may create.</p><p><em>Privacy and Data Protection</em></p><p>Due to the nature of their respective businesses, the Regulated Entities and the Office of Finance&#160;may possess sensitive, confidential, or personally identifiable information. If such information is&#160;not adequately protected from loss, harm, alteration, or exploit, an institution may become subject&#160;to legal and reputational risks.</p><div><p>As part of its risk assessment, each institution should have a comprehensive view of where&#160;sensitive, confidential, or personally identifiable information resides within the institution; how it is&#160;managed and used; and how it is transmitted, transported, and protected. Information may be&#160;protected through a variety of means, such as through the use of front and back end controls on&#160;user access, and through the use of encryption. Each institution should determine the nature and&#160;extent of precautions necessary to address its distinctive risk areas. 
As part of its program to&#160;monitor and respond to cyber risks, an institution should determine the effectiveness of its&#160;precautions taken to protect information and data.</p><p>The cyber risk management program, including policies, procedures, and/or technology solutions,&#160;should be tailored to address the risks faced by each institution and responsive to the seven&#160;components outlined in this guidance. The seven components are inter-related and should be&#160;considered as part of an effective program.</p><p style="text-decoration&#58;underline;"><strong><em>Related Guidance</em></strong></p><p><em><a href="/SupervisionRegulation/FannieMaeandFreddieMac/Documents/OFHEO%20Policy%20Guidances/2001/121901pg01002.pdf">Safety and Soundness Standards for Information</a></em>, Office of Federal Housing Enterprise Oversight&#160;Policy Guidance PG-01-002, December 19, 2001.</p><p><a href="/SupervisionRegulation/AdvisoryBulletins/Pages/AB-2014-04-Guidance-on-the-Retirement-of-the-Microsoft-Windows-XP-Operating-System.aspx"><em>Guidance on the Retirement of the Microsoft Windows XP Operating System</em></a><em></em>, Federal Housing&#160;Finance Agency Advisory Bulletin AB-2014-04, March 20, 2014.​</p><p><br>&#160;</p></div><p><br>&#160;</p></div><br>​</div>7/10/2014 12:50:20 PM2604http://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Guidance on the Retirement of the Microsoft Windows XP Operating System12027All3/20/2014 4:00:00 AMAB 2014-04<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;">​<strong><font face="Times New Roman"><p align="left">​ADVISORY BULLETIN </p><p align="left">AB 2014-04 </p><p>Guidance on the Retirement of the Microsoft Windows XP Operating System </p></font></strong></td></tr></tbody></table><p><br>This advisory bulletin is being issued by the Federal Housing Finance Agency (FHFA) to ensure that Fannie Mae, Freddie Mac, the Federal Home Loan Banks (collectively, the Regulated Entities), and the Office of Finance are aware of and responsive to the retirement and ending of support of Windows XP and Office 2003. This advisory bulletin is consistent with guidance issued by other federal financial regulatory agencies.</p><p>The Windows XP operating system and Office 2003 are no longer receiving technical assistance from Microsoft, including updates and patching, after April 8, 2014. While the technology will continue to function, without support it may become more prone to operational breakdowns and security risks.</p><p>The Regulated Entities and the Office of Finance should review the effectiveness of their system and patch management programs to ensure that the risks associated with this retirement are appropriately understood and mitigated. The review should also consider exposures from third party services providers and other vendors that use Windows XP or Office 2003 upon which the Regulated Entity or the Office of Finance has a material reliance.</p>10/30/2014 1:18:31 PM844http://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Rescission of the Federal Home Loan Bank Examination Manual and the Division of Enterprise Regulation Supervision Handbook12026All3/11/2014 4:00:00 AMAB 2014-03<p>​​</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>​ADVISORY BULLETIN </p><p>AB 2014-03 </p><p>Rescission of the Federal Home Loan Bank Examination Manual and the Division of Enterprise Regulation Supervision Handbook </p></td></tr></tbody></table><p><br><strong>PURPOSE </strong></p><p>This advisory bulletin rescinds the Federal Housing Finance Board Federal Home Loan Bank (FHLBank) Examination Manual and Federal Housing Finance Agency (FHFA) Division of Enterprise Regulation Supervision Handbook. </p><p><strong>ISSUE </strong><br>The documents identified have been superseded by the FHFA Examination Manual. </p><p><strong>BACKGROUND </strong></p><p>The FHFA Examination Manual was issued on December 19, 2013. The FHFA Examination Manual represents the result of an agency initiative to implement a common examination program for the examinations of Fannie Mae and Freddie Mac, the FHLBanks, and the Office of Finance. </p><p><strong>RESCINDED SUPERVISION GUIDANCE </strong></p><p>The following documents are rescinded&#58; </p><ul><li>Federal Housing Finance Board FHLBank Examination Manual </li><li>FHFA Division of Enterprise Regulation Supervision Handbook </li></ul><p><strong>EFFECTIVE DATE </strong></p><p>The advisory bulletin is effective immediately. </p>7/10/2014 12:58:45 PM1130http://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Liquidity Risk Management12024Fannie Mae & Freddie Mac2/18/2014 5:00:00 AMAB 2014–01<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;">​ <p align="left">​ADVISORY BULLETIN </p><p align="left">AB 2014 – 01 </p><p align="left">LIQUIDITY RISK MANAGEMENT </p></td></tr></tbody></table><font face="Times New Roman"></font><font face="Times New Roman"><h2><br>Introduction</h2></font><font face="Times New Roman"><p align="left">This Advisory Bulletin establishes guidelines for liquidity risk management at Fannie Mae and Freddie Mac (the Enterprises). The guidelines describe the principles the Enterprises should follow to identify, measure, monitor, and control liquidity risk. The Division of Enterprise Regulation (DER) will evaluate the Enterprises’ liquidity risk management programs as part of the examinations.</p><p align="left">This guidance does not supplant existing regulations that pertain to risk management at the Enterprises.</p></font><font face="Times New Roman"><h2>Background</h2></font><font face="Times New Roman"><p align="left">Liquidity risk is the risk that an Enterprise is unable to meet its financial obligations as they come due or meet the credit needs of its customers in a timely and cost-efficient manner. The Enterprises must be financially sound to perform their public missions and should have a comprehensive liquidity risk management framework to limit and control liquidity risk exposures.</p><p align="left">Federal Housing Finance Agency (FHFA) Prudential Management and Operations Standards (PMOS) were effective August 7, 2012, and supplement existing FHFA regulations. They address ten separate areas relating to the management and operation of the Enterprises. 
Standard 5 (Adequacy and Maintenance of Liquidity and Reserves) highlights the need for each Enterprise to establish a liquidity management framework, articulate liquidity risk tolerances, and establish a process for identifying, measuring, monitoring, controlling, and reporting its liquidity position and liquidity risk exposures. In addition, Standard 5 includes requirements for conducting stress tests to identify sources of potential liquidity strain and requirements for establishing contingency funding plans (CFP). Standard 8 (Overall Risk Management Processes) establishes the responsibilities of boards of directors and senior management and the need for the Enterprises to establish risk management practices that measure, monitor, and control liquidity risk.</p></font><font face="Times New Roman"><h2>Guidance</h2></font><font face="Times New Roman"><p align="left">Each Enterprise’s risk management processes should enable it to identify, measure, monitor, and control its liquidity exposures. Management should be able to accurately identify and quantify the primary sources of risk to liquidity. To properly identify the sources of risk, management should understand both existing and emerging risks. 
</p><p align="left">Key elements of an effective risk management process include adequate board of directors (board) and senior management oversight; appropriate liquidity management policies, procedures, and limits; appropriate risk measurement methodology, monitoring, and reporting systems; adequate management information systems and internal controls; an effective contingency funding plan; adequate levels of highly liquid assets; a funding strategy that provides appropriate diversification of funding, regularly assesses market access, and identifies alternative sources of funding; and active management of intraday liquidity and collateral.</p></font><font face="Times New Roman"><h3>Adequate board of directors and senior management oversight</h3></font><font face="Times New Roman"><p align="left">The board is ultimately responsible for the liquidity risk assumed by the Enterprise and for guiding the strategic direction of liquidity management. The board, or a committee thereof, should establish and approve appropriate liquidity risk tolerances and limits, and should oversee the establishment and approval of liquidity management strategies, policies, and procedures, and review them at least annually. In addition, the board should have a fundamental understanding of the Enterprise’s business activities and associated liquidity risks and should ensure that senior management has the necessary expertise to effectively manage liquidity.</p><p align="left">Senior management oversees the daily and long-term management of liquidity and is responsible for carrying out the strategic objectives of the board. Senior management should develop liquidity risk management strategies, policies, and practices for approval by the board, implement sound internal controls for managing liquidity risk, and establish effective information systems and contingency funding plans. 
In addition, senior management must establish reporting systems that produce timely and accurate information on the Enterprise’s liquidity position and sources of risk exposure, and provide regular reports to the board. </p><p align="left">Senior management should also maintain an organizational structure that clearly assigns responsibility, authority, and relationships for managing liquidity risk and ensure that personnel are appropriately trained and competent with regard to the Enterprise’s established policies and tolerances.</p></font><font face="Times New Roman"><h3>Appropriate liquidity management policies, procedures, and limits</h3></font><font face="Times New Roman"><p align="left">Each Enterprise should implement a risk management policy that addresses standards regarding day-to-day operational liquidity needs and plans for dealing with contingent liquidity needs, including potential temporary, intermediate-term, and long-term liquidity disruptions. Policies should specify the Enterprise’s board-established liquidity risk tolerances and procedures for controlling risk exposures within those limits. The policy should be consistent with the Enterprise’s overall business strategy.</p><p align="left">The policy should include: an enumeration of specific types of investments to be held for liquidity purposes, a description of the Enterprise’s ability to access capital markets during periods of market stress, and the methodology to be used for determining the Enterprise’s operational and contingency liquidity needs. Policy guidelines should include both quantitative and qualitative targets and should contain provisions for documenting and periodically reviewing assumptions used in liquidity projections. 
In addition, the policy should specify the nature and frequency of liquidity risk reporting for management and the board, and establish responsibilities and accountability at every level of the management structure, particularly in regard to actions to be taken if limits or positions are breached.</p></font><font face="Times New Roman"><h3>Appropriate risk measurement methodology, monitoring, and reporting systems</h3></font><font face="Times New Roman"><p align="left">Each Enterprise should establish appropriate models to accurately measure its liquidity exposures, identify potential liquidity shortfalls, and simulate various market scenarios. Measurement systems should include robust methods for projecting cash flows and an Enterprise’s liquidity needs over appropriate time horizons, including intraday, day-to-day, short-term (weekly and monthly) horizons, medium-term horizons of up to one year, and longer-term liquidity needs of one year or more. These systems should also measure tenor and provider concentrations to ensure that reliance on certain funding structures or sources of funds is appropriately identified and controlled.</p><p align="left">Cash flow and model assumptions should be reasonable, appropriate, and adequately documented, and should be periodically reviewed by senior management. Measuring and reporting systems should capture all significant on- and off-balance-sheet items and be adjusted as products or risks change.</p><p align="left">Each Enterprise should ensure that assets are properly valued according to relevant financial reporting and supervisory standards. 
In determining potential liquidity needs and risk management strategies, the possibility of losses and deterioration in valuations from potential credit and market events should be considered and the Enterprise should take this into account in assessing the feasibility and impact of asset sales on its liquidity position during stress events.</p></font><font face="Times New Roman"><h4>Stress Testing</h4></font><font face="Times New Roman"><p align="left">Each Enterprise should conduct stress tests on a regular basis for a variety of Enterprise-specific and market-wide stress scenarios across a range of time horizons. Stress test results should be used to identify sources of potential liquidity strain, to ensure that current exposures remain in accordance with established risk tolerances, and to analyze effects on the Enterprise’s cash flows, profitability, and solvency. Management should use results of stress tests to adjust liquidity management policies and positions and to develop effective contingency plans.</p></font><font face="Times New Roman"><h4>Collateral Position Management</h4></font><p align="left">An Enterprise should have the ability to calculate all of its collateral positions in a timely manner, including the value of assets currently pledged relative to the amount of security required and unencumbered assets available to be pledged. An Enterprise should be aware of the operational and timing requirements associated with accessing the collateral given its physical location (i.e., the custodian entity or securities settlement system with which the collateral is held). 
The Enterprises should also fully understand the potential demand for additional collateral arising from various types of contractual contingencies during periods of both market-wide and Enterprise-specific stress.</p><h4>Management Reporting</h4><p align="left">Senior management should receive reports on the adequacy of an Enterprise’s liquidity, including the level and trend of risks to the Enterprise’s liquidity at least monthly; the board, or a committee thereof, should receive reports at least quarterly. If liquidity risk is high or if it is moderate and increasing, the reports should be more frequent. These reports should convey how much risk the Enterprise is assuming, its compliance with risk limits, and whether strategies are consistent with the board’s expressed risk tolerance. Additional reportable items may include cash flow projections, critical assumptions used in cash flow projections, asset and funding concentrations, key early warning or risk indicators, funding availability, status of contingent funding sources, or collateral usage.</p><h2>Adequate management information systems and internal controls</h2><p align="left">Senior management should establish adequate internal controls to ensure board-established liquidity risk policies and objectives will be achieved. Adequate internal controls should address items such as the Enterprise’s compliance with policies, procedures, and regulations, and the effectiveness of risk measurement and reporting.</p><p align="left">Internal audit should regularly review and evaluate the various components of the Enterprise’s liquidity risk management process. These reviews should assess the extent to which the Enterprise’s liquidity risk management practices comply with both supervisory guidance and industry sound practices, and should report instances of noncompliance to management and the board. 
The reviews should ensure that front- and back-office systems capably support current and projected operations.</p><h3>An effective contingency funding plan (CFP)</h3><p align="left">Each Enterprise should have a formal contingency funding plan that clearly sets out strategies for addressing liquidity shortfalls in emergencies. The CFP should represent management’s best estimate of balance sheet changes that may result from a liquidity event based on stress testing and scenario analysis. The CFP should be clearly integrated into the Enterprise’s overall liquidity risk management framework. It should provide plans, courses of actions, clear lines of responsibility, and escalation procedures to ensure liquidity sources are sufficient to fund normal operations during potential temporary, intermediate-term, and long-term liquidity disruptions. The CFP should provide a framework with significant flexibility so an Enterprise can respond quickly to a variety of situations.</p><p align="left">Effective contingency funding plans should identify Enterprise-specific and market-wide stress events and scenarios that may have a significant effect on an Enterprise’s liquidity. A CFP should then identify minimum and maximum liquidity needs under various stress events and weigh alternative courses of action designed to meet those needs. The result should be a realistic analysis of cash inflows, outflows, and funds availability at different time intervals during the potential liquidity stress event in order to measure the Enterprise’s ability to fund operations and address intraday liquidity needs. 
A CFP should also identify alternative contingent liquidity resources that can be employed under adverse liquidity circumstances.</p><p align="left">To ensure the Enterprise can make timely and well-informed decisions, the CFP should clearly specify roles and responsibilities, including the authority to invoke the CFP and alternates for key roles, and include realistic action plans to execute the various elements of the plan for given levels of stress. The CFP should provide for more frequent and more detailed liquidity risk reporting as the stress situation intensifies and should establish a plan to deliver timely, clear, consistent, and frequent communication to internal and external parties, as appropriate.</p><p align="left">A CFP should establish a monitoring framework for contingent events, including the use of early-warning indicators and event triggers. Early-warning signals should identify the emergence of increased liquidity risk and may include, but are not limited to, negative publicity concerning an asset class owned by the Enterprise, increased potential for deterioration in the Enterprise’s financial condition, widening debt spreads, growing concentrations in assets or liabilities, difficulty accessing funding, or increasing funding costs.</p><p align="left">Each Enterprise’s CFP should be revised and updated regularly to reflect changes in market or business conditions. In addition, a CFP should be tested to assess its reliability and operational soundness under stress conditions. 
Testing should ensure that roles and responsibilities are up-to-date and appropriate; that legal and operational documents are up-to-date and appropriate; that cash and collateral can be moved where and when needed; and that contingent liquidity lines can be drawn when needed.</p><h3>Adequate levels of highly liquid assets</h3><p align="left">An Enterprise should maintain adequate reserves of highly liquid assets, including adequate reserves of unencumbered, marketable securities that can be liquidated to meet unexpected needs. These assets should have no legal, regulatory, or operational impediments and should be held as insurance against a range of liquidity stress scenarios including those that involve the loss or impairment of typically available unsecured and secured funding sources.</p><p align="left">The quality of unencumbered liquid assets is important as it will ensure accessibility during the time of most need. The size of the liquidity cushion should be supported by estimates of liquidity needs performed under an Enterprise’s stress testing, as well as aligned with the risk tolerance and risk profile of the Enterprise.</p><h3>A funding strategy that provides appropriate diversification of funding, regularly assesses market access, and identifies alternative sources of funding</h3><p align="left">The Enterprises should each establish funding strategies that provide effective diversification of funding. In general, funding concentrations should be avoided. The Enterprises should diversify available funding sources in the short-, medium-, and long-term. Funding strategies should take into account correlations between sources of funds and market conditions.</p><p align="left">An essential component of ensuring funding diversity is maintaining market access. Market access is critical for effective liquidity risk management as it affects both the ability to raise new funds and to liquidate assets. 
Senior management should identify the main factors that affect the Enterprise’s ability to raise funds and monitor those factors and should ensure that market access is being actively managed, monitored, and tested by the appropriate staff.</p><p align="left">An Enterprise should identify alternative sources of funding that strengthen its capacity to withstand a variety of severe Enterprise-specific and market-wide liquidity shocks. Depending upon the nature, severity, and duration of the liquidity disruption, potential sources of funding include, but are not limited to, the following:</p><ul><li><p>Cash and highly liquid US government securities</p></li><li><p>Issuance of unsecured or longer-term debt instruments</p></li><li><p>Asset securitization</p></li><li><p>Sale (either outright or through repurchase agreements) or pledging of liquid assets.</p></li></ul><h3>Active management of intraday liquidity and collateral</h3><p align="left">The Enterprises should actively manage their intraday liquidity and collateral to meet payment and settlement obligations in a timely manner under both normal and stressed conditions. Senior management should establish an intraday liquidity strategy that allows the Enterprise to identify time-specific and other critical obligations, and sequence payments based on priority. 
In addition, the intraday strategy should:</p><ul><li><p>Monitor and measure expected daily gross liquidity inflows and outflows.</p></li><li><p>Manage and mobilize collateral when necessary to obtain intraday credit.</p></li><li><p>Ensure that liquidity planners understand the amounts of collateral and liquidity needed to perform payment-system obligations when assessing the Enterprise’s overall liquidity needs.</p></li></ul><h2>Related Guidance</h2><p align="left">12 CFR Part 1720 Safety and Soundness Standards, which addresses balance sheet growth and management and non-mortgage liquidity investments.</p><p align="left">12 CFR Part 1236 Prudential Management and Operations Standards.</p><p align="left">This Advisory Bulletin establishes guidelines for liquidity risk management at Fannie Mae and Freddie Mac. The guidelines describe the principles the Enterprises should follow to identify, measure, monitor, and control liquidity risk.</p><p align="left">9/18/2014 7:31:21 PM</p>

© 2015 Federal Housing Finance Agency