Federal Housing Finance Agency

Advisory Bulletins
<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>ADVISORY BULLETIN</strong></p><p><strong>AB 2014-06 (June 11, 2014)</strong></p><p><strong>Mortgage Servicing Transfers</strong></p></td></tr></tbody></table>
<h2>Purpose</h2>
<p>The Federal Housing Finance Agency (FHFA) is issuing this advisory bulletin to communicate supervisory expectations for risk management practices in conjunction with the sale and transfer of mortgage servicing rights (MSRs) or the transfer of the operational responsibilities of servicing mortgage loans owned or guaranteed by Fannie Mae and Freddie Mac (collectively, the Enterprises).</p>
<h2>Background</h2>
<p>The sale and transfer of MSRs or the transfer of mortgage servicing has recently increased for a number of reasons. Some servicing transfers are initiated by the Enterprises. An Enterprise may seek to facilitate or require the transfer of mortgage servicing to a different servicer in an effort to improve mortgage servicing performance. A transfer may also be necessitated by a mortgage servicer’s failure to meet contractual requirements. Servicing transfer requests may also be initiated by the owner of the MSRs or the servicer of the mortgage portfolio. For example, changes in capital regulations or servicing profitability may prompt commercial banks and financial services companies to seek to reduce MSR holdings. Some non-bank mortgage servicing companies have recently increased acquisitions of MSRs and the servicing of mortgage loans.</p>
<p>There are different variations for structuring transfers to the acquiring entities. Historically, both the ownership of the MSRs and the servicing of the mortgage loans were transferred to the same entity. However, the MSRs owner and the mortgage servicer may be separate entities, which would necessitate one or more sub-servicer arrangements. For example, the MSRs owner may be established as a limited liability company with the primary purpose of sub-contracting servicing to one or more servicers. In some situations, more than one entity is responsible for the representations and warranties related to the origination, selling, or servicing of a transferred mortgage servicing portfolio. Different types of entities involved in MSR holding structures can impact the financial, operational, and legal risks associated with any given transfer.</p>
<p>Any sale and transfer of MSRs or transfer of the operational aspect of servicing mortgage loans owned or guaranteed by Fannie Mae or Freddie Mac requires the approval of the applicable Enterprise in accordance with its seller/servicer guide.</p>
<h2>Guidance</h2>
<p>An Enterprise should only approve those transactions that are consistent with sound business practice, aligned with the Enterprise’s board-approved risk appetite, and in compliance with regulatory and Conservator requirements. Certain bulk servicing transfers also require the approval of FHFA as Conservator for the Enterprises.</p>
<p>Each Enterprise should have in place policies and procedures within its risk management program for evaluating risks of proposed sales or transfers of MSRs and transfers of the servicing of mortgage loans, considering the particular circumstances of the transfers (e.g., volume and profile of the loans transferred, structure and complexity of the transaction, counterparty exposure, servicing concentrations, and/or borrower experience). The Enterprise’s policies and procedures should identify, assess, and appropriately mitigate risk. The policies and procedures should provide for risk-based periodic reporting to the board of the transfers’ risk effect on the mortgage servicing portfolio. The Enterprise should maintain documentation of supporting analysis of transfer approval decisions that is sufficient to enable subsequent supervisory review.</p>
<p>This advisory bulletin sets forth guidance for how each Enterprise should develop policies and procedures for reviewing and approving the sale and transfer of MSRs or the transfer of the servicing of mortgage loans. The policies and procedures should enable the Enterprise to understand its potential counterparty risk exposure resulting from servicing transfers.</p>
<h3>Analysis of Mortgage Servicing Transfers</h3>
<p>The Enterprise should analyze and document the terms and conditions of all proposed transactions. The Enterprise should evaluate the risks and potential benefits of proposed transfers, taking into account relevant factors regarding the transferee, the transferor, and the borrower, as well as the Enterprise’s overall risk management strategy for servicers. The analysis should incorporate and reflect the views of both risk management and business line management.</p>
<p>The analysis should reflect a risk-based approach and consideration of all relevant risks, including (but not limited to) the following factors:</p>
<h4>Financial Risk Factors</h4>
<ul>
<li>Financial strength of the transferee servicer or the MSRs owner based upon a current analysis;</li>
<li>Existing and anticipated sources of capital and liquidity for the transferee servicer or the MSRs owner;</li>
<li>Confirmation of the responsible party(ies) for origination and servicing representation and warranty obligations;</li>
<li>Ability of all relevant participants to meet contractual obligations, including representations and warranties and other contractual obligations, including during adverse scenarios in which the counterparty may have trouble accessing liquidity and capital;</li>
<li>Terms of any financial support arrangements (e.g., letters of credit, net worth or other guarantees, or other investment structures that securitize the servicing income or the advance receivables); and</li>
<li>Complexity of the counterparty financial structure, including financial arrangements with other parties.</li>
</ul>
<h4>Operational Risk Factors</h4>
<ul>
<li>The Enterprise’s, the transferee’s, and the transferor’s business objective for the proposed transfer;</li>
<li>Transferee servicer’s status as an “approved” servicer by the Enterprise;</li>
<li>Transferee servicer’s and any sub-servicer’s delegations and authority to conduct business on behalf of the Enterprise in relation to the servicing portfolio being transferred;</li>
<li>Organizational structure, location, management team, and operations of the transferee servicer and any sub-servicers;</li>
<li>Transferee servicer’s and any sub-servicer’s expertise and performance record, including the results of recently conducted Enterprise on-site reviews;</li>
<li>Servicing fee distribution between the MSRs owner and the transferee servicer to ensure proper alignment of incentives and coverage of costs;</li>
<li>Servicer capacity, taking into account staffing, facilities, information technology systems, and any sub-servicing arrangements;</li>
<li>Outstanding obligations and past performance regarding repurchase recoveries and compensatory fee recoveries;</li>
<li>Operational complexity of the transaction;</li>
<li>Third party service providers or vendors contractually obligated to the servicer, but not to the Enterprise;</li>
<li>Adequacy of the transferee servicer’s business continuity plan, inclusive of any applicable sub-servicers or material vendors;</li>
<li>Current and potential effects of the transfer on borrowers, including those associated with in-process workouts, bankruptcies, and litigation; and</li>
<li>Overall effect of the transfer on the servicer relationship and any resulting counterparty concentrations for an Enterprise.</li>
</ul>
<h4>Legal and Compliance Risk Factors</h4>
<ul>
<li>Potential compliance risk associated with the characteristics of the mortgage loans being serviced;</li>
<li>Based upon publicly available information, the transferor servicer’s, transferee servicer’s, and any sub-servicer’s record of compliance with consumer protection laws, including provisions of the Consumer Financial Protection Bureau’s Regulation X, which implements the Real Estate Settlement Procedures Act;</li>
<li>Extent to which the transferor servicer, transferee servicer, and any sub-servicer are subject to federal or state regulatory oversight; and</li>
<li>Any public regulatory or other enforcement actions relating to safety and soundness, legal, or compliance issues (e.g., consumer compliance, fraud, financial reporting) of the servicers or sub-servicers.</li>
</ul>
<p>Policies and procedures should be consistent with prudent counterparty risk management practices and with FHFA guidance, including risk-based contingency planning in accordance with FHFA Advisory Bulletin AB-2013-01, Contingency Planning for High-Risk or High-Volume Counterparties, as appropriate.</p>
<h3>Transfer Execution Monitoring</h3>
<p>The Enterprise’s policies and procedures should clearly outline its expectations to facilitate the transfer of data and records. Further, the Enterprise should have a risk-based process to monitor the execution of the transfers so that all servicing transfers occur in a timely manner and in accordance with approved terms, servicing guide requirements, and applicable mortgage servicing transfer-related laws and regulations. The Enterprise should also have a process to update and maintain its systems to accurately identify all parties involved in the servicing of a particular loan portfolio.</p>
<p>Monitoring should cover the transfer of loan records, information regarding loans with loss mitigation in process (including loan modifications), compliance with laws and regulations relating to mortgage servicing transfers, compliance with approved terms including loan product types and status of loans to be transferred, and quality control review results. For loans that are subject to existing loss mitigation agreements or have loan modification agreements in process, the transfer terms should require the transferee servicer to honor and abide by such agreements or propose options that are no less beneficial to the borrower, and provide for the transferee servicer to obtain all information needed to complete the modification. Transfer execution monitoring should encompass consideration of all relevant participants, including the MSRs owners, servicers, sub-servicers, and third party service providers and vendors, as appropriate.</p>
<p>Policies and procedures for Enterprise approval determinations should incorporate assessments of the effectiveness of any prior transfers. Transfer execution monitoring should continue for a sufficient period of time post-transfer to enable the Enterprise to evaluate the effectiveness of the transfer and incorporate that evaluation in future approval decisions.</p>
<h2>Related Guidance</h2>
<p>Contingency Planning for High-Risk or High-Volume Counterparties, Federal Housing Finance Agency Advisory Bulletin 2013-01, April 1, 2013, establishes guidelines for contingency plans for high-risk or high-volume counterparties and describes the criteria the regulated entities should use to develop plans for managing counterparty credit risk exposures.</p>
Cyber Risk Management Guidance120285/19/2014 4:00:00 AMAB 2014-05 <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p><strong>​​​​​​ADVISORY BULLETIN&#160;</strong><br></p><p><strong>AB 2014-05&#160;</strong><br></p><p><strong>Cyber Risk Management Guidance&#160;</strong></p></td></tr></tbody></table><p> <br><strong style="text-decoration&#58;underline;"><em>Purpose</em></strong> </p><p>This advisory bulletin provides Federal H​ousing Finance Agency (FHFA) guidance on cyber risk&#160;management. This guidance is applicable to Fannie Mae and Freddie Mac (the Enterprises), the&#160;Federal Home Loan Banks (FHLBanks) (collectively, the Regulated Entities) and the Office of&#160;Finance. This advisory bulletin discusses considerations and expectations for cyber risk&#160;management and is intended to be applied using a risk-based approach. Cyber risk management&#160;practices should be proportional to the unique cyber risks faced by each Regulated Entity and the&#160;Office of Finance. As cyber risks may arise unevenly across an institution, methods should be&#160;tailored to address vulnerabilities at the institutional, business, and operational levels.</p><p>The guidance in this advisory bulletin is principles-based and technology-neutral (i.e., the guidance&#160;does not prescribe specific technology solutions). 
It focuses on seven main components&#58;​</p><div><ol><li><p>Proportionality – A cyber risk management program should be proportional to the unique&#160;cyber risks of a Regulated Entity or the Office of Finance.​<br></p></li><li><p>Cyber Risk Management – Cyber risk management should leverage existing risk&#160;management practices.​<br></p></li><li><p>Risk Assessments – Risk assessments should be conducted to identify, understand, and&#160;prioritize cyber risks.​<br></p></li><li><p>Monitoring and Response – Identified cyber risk concerns should be monitored and&#160;responded to through the cyber risk management program.<br></p></li><li><p>System, Patch, and Vulnerability Management – The Regulated Entity or the Office of&#160;Finance should have processes that facilitate the regular assessment and timely repair of&#160;vulnerabilities in its systems and applications.​<br></p></li><li><p>Third Party Management – As part of a risk management process, substantial risks arising&#160;from third parties that have access to material information, systems, or assets, or upon&#160;whom the institution has a material reliance, should be identified, monitored, and&#160;prioritized.<br></p></li><li><p>Privacy and Data Protection – The Regulated Entity or the Office of Finance should protect&#160;sensitive, confidential, or personally identifiable information in its possession to reasonably&#160;safeguard against concerns that may include legal and reputational risk.<br></p></li></ol><p style="text-decoration&#58;underline;"><strong><em>Background</em></strong></p><p>Cyber risk has become an increasing concern to the financial services industry, including housing&#160;finance. Types of cyber-related risks that may be encountered include distributed denial-of-service&#160;(DDoS) attacks, computer trespass, insider threats, corporate or national espionage, terrorism,&#160;hacktivism, or the compromise of industry utilities. 
These risks might cause the compromise of&#160;sensitive, confidential, or personally identifiable information. They may also affect the integrity&#160;and availability of data and information.</p><p>Operational or third party breakdowns or changes may also pose risks and highlight the importance&#160;of system, patch, and vulnerability management. For example, a third party’s termination of&#160;support for an operating system or application suite would result in a need to review the&#160;effectiveness of existing system and patch management programs, and to manage the risks&#160;associated with discontinuation of support. In addition to operational concerns, unpatched&#160;​environments present opportunities for exploitation by malicious parties. Established attack&#160;vectors by such parties include running vulnerability or code scanning on a targeted organization to&#160;search for unpatched systems or taking advantage of known vulnerabilities that are several years&#160;old and have readily available patches that were not implemented.</p><p>The cyber threat landscape continues to change and can affect the Regulated Entities and the Office&#160;of Finance in varying ways. The sophistication of cyber threats has increased significantly. While&#160;the risk of discrete, one-off threats, such as the actions of a disgruntled employee, represent one&#160;​part of this landscape, larger, more coordinated threats, commonly referred to as advanced&#160;persistent threats, have emerged and become more commonplace. The originators of these types of&#160;threats and others may be nation and non-nation states, criminals, or “hacktivists”. These groups&#160;may be loosely organized into collectives or highly coordinated and managed. 
They may seek to&#160;cause financial or reputational harm, compromise the privacy of individuals, disrupt capital&#160;markets, or incite terror.</p><p>The cyber risk management approaches of the Regulated Entities and the Office of Finance depend&#160;on, among other things, their cyber risk profile and posture, operational and technology models,&#160;third party relationships, governance structure, and the level of involvement of the board of&#160;directors (board) and senior management. FHFA Prudential Management and Operations&#160;Standards (PMOS) (12 CFR Part 1236) address ten areas relating to management and operations.&#160;Although multiple standards address aspects of cyber risk management, the primary PMOS are&#160;Standard 1 (Internal Controls and Information Systems), Standard 8 (Overall Risk Management&#160;Processes) and Standard 10 (Maintenance of Adequate Records). FHFA might evaluate an​&#160;institution’s cyber risk&#160;management program as part of its examinations.</p></div><p style="text-decoration&#58;underline;"><strong><em>Guidance</em></strong></p><p>This advisory bulletin describes the characteristics of a cyber risk management program that the&#160;FHFA believes will enable&#160;the Regulated Entities and the Office of Finance to successfully&#160;perform their responsibilities and protect their &#160;environments.&#160;Although institutions cannot&#160;eliminate cyber risks, these risks can be effectively managed.​</p><div><p><em>Proportionality</em></p><p>Cyber risk can manifest itself differently between and among institutions of similar business&#160;profiles, such as across the FHLBanks or between the Enterprises. Additionally, the types of cyber&#160;risks may differ significantly within areas of an individual institution, and multiple risks can exist&#160;and interact concurrently. 
For example, a DDoS attack on an organization’s public website by a&#160;malicious party may be designed to distract attention from the true intent of exfiltrating personally&#160;identifiable information from a server unrelated to the public website. FHFA expects the cyber risk&#160;management program implemented by a Regulated Entity or the Office of Finance to be&#160;commensurate with its own cyber risks at the institutional, business, and operational levels, and&#160;that the cyber risk management program meets prevailing technology, industry, and government&#160;standards.</p></div><p><em>Cyber Risk Management</em></p><p>The board (or a delegated committee of the board) establishes the overall cyber risk management&#160;policy and appropriate board-level reporting. The policy should define the institution’s governance&#160;and risk management structure; prioritize cyber risk management efforts in alignment with&#160;institution goals and objectives; establish risk tolerance levels and escalation procedures; define&#160;how the institution will assess and respond to cyber risks; and ensure the board or its designees&#160;receive appropriate reporting. The policy should be periodically evaluated and updated to reflect&#160;changes to the institution’s cyber risks.​</p><p>Senior management, and business and operational personnel at their respective program levels,&#160;should implement board-established policy. Within each descending management and operational&#160;tier, management should implement the cyber risk management program with specificity&#160;appropriate to each level and consistent with board-established priorities, risk tolerances, and&#160;response goals across the institution. Appropriate industry protocols and standards should be&#160;considered as source material when building out programs. 
Examples may include appropriate&#160;aspects of the International Organization for Standardization (ISO) 27000 family of standards for&#160;securing information assets, the National Institute of Standards and Technology (NIST) &#160;Framework for Improving Critical Infrastructure Cybersecurity, and the Information Systems&#160;Audit and Control Association (ISACA) Control Objectives for Information and Related&#160;Technology (COBIT) framework.</p><div><p>Cyber risk management practices should be established within the existing risk management&#160;framework to enable an institution to identify its exposures. For certain cyber risks, it may be&#160;possible to execute the program and operational practices in a common manner across the&#160;institution. For example, an institution may develop a corporate-level system patch deployed&#160;through its technology infrastructure that adequately addresses a specific institution-wide cyber&#160;risk. A common approach, however, may not be appropriate for all cyber risks. Certain cyber risks&#160;emerge in some areas within an organization but not in others. For example, a department with&#160;web-connected computers or a business unit with servers containing sensitive, confidential, or&#160;personally identifiable information may face risks unlike other areas of the same institution.</p><p>Precautionary measures should be taken to mitigate insider threats. Such threats may emanate&#160;from disgruntled or terminated employees, contractors, or third parties, each of whom may have&#160;access and organizational knowledge to inflict distinctive harm. 
Precautionary measures against&#160;insider threats may include regular internal audits and enterprise risk assessments; internal&#160;surveillance; monitoring and controls; implementation and enforcement of entitlement&#160;management; use of layered security; and prompt deactivation of system access following&#160;termination, resignation, or transfer by an employee or contractor. An institution’s internal and&#160;external audit findings around such issues can serve as a basis for updating its program. The&#160;Regulated Entities also need to comply with their obligations pursuant to FHFA’s Financial&#160;Instrument Fraud Reporting Rule (12 CFR 1233.3) upon discovery of insider fraud or suspicion of&#160;possible insider fraud.</p><p><em>Risk Assessments</em><br></p><div><p>Regular risk assessments should be conducted to identify, understand, and prioritize cyber risks&#160;involving business operations, information technology architecture, and third parties. It is&#160;important to have an informed view of the institution’s cyber risks and related vulnerabilities,&#160;including the risk of events occurring alone or in tandem, and the likelihood of occurrence. Risk&#160;assessments should be conducted on a regular schedule appropriate to the individual institution’s&#160;risk profile and exposures. Risk assessments should address risks associated with third parties&#160;upon whom the institution has material reliance or who have access to material information,&#160;systems, or assets at the institution. An institution may employ outside experts to perform risk&#160;assessments or conduct internal reviews to inform its program.</p></div><p>Risk assessments should also occur when material events at a Regulated Entity or the Office of&#160;Finance necessitate a reevaluation of its cyber risk posture. 
If an institution identifies or becomes&#160;aware of a significant vulnerability or weakness, it should conduct an appropriate assessment and&#160;make suitable enhancements or adjustments to its risk management activities to address the issue.&#160;An institution may uncover a vulnerability through its own internal reviews. It may also learn of a&#160;breach at an organization with a similar cyber risk profile during monitoring of current industry&#160;developments. In certain cases, an institution may be unaware of concerns until it is contacted by&#160;an external source. Such contact may come in the form of a federal or state law enforcement&#160;inquiry into an intrusion of an institution’s system, a security alert on a relevant vulnerability, or a&#160;third party notification about a potential weakness in the institution’s perimeter.</p><p><em>Monitoring and Response</em><br></p><div><p>Based on an institution’s risk assessments, it should have a program in place to monitor cyber risks&#160;and respond to identified concerns. The program should be clearly outlined; be communicated&#160;across the organization; have repeatable and executable processes; and be incorporated within the&#160;institution’s cyber risk management framework. The program should facilitate a response that is&#160;appropriate and proportional to the characteristics of the identified exposure. In some&#160;circumstances, a Regulated Entity or the Office of Finance may determine its preferred risk&#160;response may not be feasible to implement or be cost-prohibitive. In such circumstances, its&#160;response can consider alternative approaches, for example, mitigating the risk to an acceptable&#160;level or transferring it in a reasonable and justifiable manner.</p><p>In addition to front-end risk monitoring executed through the risk assessment process, the back-end&#160;implementation and performance of risk responses should be monitored. 
Monitoring should define&#160;roles, responsibilities and accountabilities; enable the verification of implementation; evaluate&#160;response effectiveness; and identify any changes that may impact the effectiveness of a response.&#160;Appropriate information on risk responses should be communicated to the proper persons or&#160;committees to ensure decision makers are suitably informed. An institution should also&#160;periodically test or otherwise validate the implementation and effectiveness of its measures. For&#160;example, the operation of an incident response plan developed to address breaches should be&#160;compared against the documented, written plan itself.</p></div><p><em>System, Patch, and Vulnerability Management</em><br></p><div><p>An institution should have processes that facilitate the regular assessment and timely repair of&#160;vulnerabilities in its systems and applications. These processes may be incorporated within an&#160;institution’s existing entity-wide change management program. Unsupported or out-of-date&#160;systems or applications may lead to operational breakdowns as functionality and performance&#160;degrade. If an institution or a third party continues operating unsupported software, the institution&#160;should have a process in place to identify, monitor, and respond to new vulnerabilities in legacy&#160;systems. Further, the effectiveness and management of the system and patch management&#160;programs of third parties upon which the institution has material reliance and third parties that have&#160;access to material information, systems, or assets at the institution should be reviewed.​</p></div><div><p>Prior to deploying fixes, there should be a testing and approval process in place to mitigate risks&#160;associated with patch failures or unforeseen consequences. Sometimes patching can be done on an&#160;automated basis while in other circumstances a manual, phased roll-out is more appropriate. 
Aninstitution should be aware that often when a change is made in one area of its technology&#160;environment, the change may have an unforeseen or unintended impact in another area.​</p><p>There may be instances where a particular vulnerability does not have a related patch. In instances&#160;where such a vulnerability presents a significant risk to an institution, it should consider alternative&#160;methods to mitigate the risk. Such alternative methods may include employee training, additional&#160;monitoring, or special system configurations.</p><p>An institution should also assess the viability of replacement or retirement of systems or&#160;applications as part of a system development lifecycle program. Highly customized systems can&#160;become outdated and unsupported while still being heavily utilized by an institution. Retirement or&#160;replacement should be considered during evaluations instead of continued patching.</p></div><p><em>Third Party Management</em><br></p><div><p>FHFA expects the Regulated Entities and the Office of Finance to identify, monitor, and prioritize&#160;substantial risks at or within the operations of third parties upon whom the institution has material&#160;reliance or for those that have access to material information, systems, or assets at the institution.&#160;The internal securities policies of such parties should be in alignment or compliance with those of&#160;the institution. As part of its risk assessments, an institution should request the information it needs&#160;to reach reasonable conclusions as to a third party’s cyber risk management protocols. In addition&#160;to declarations and certifications provided by a third party, an institution should consider&#160;preserving legal and contractual rights to conduct onsite assessments, as necessary, to verify such&#160;statements. 
In those cases when a third party asserts that certain information cannot be provided&#160;directly because it is proprietary, the institution should obtain sufficient comparable information to&#160;develop an informed assessment, such as through the review of Statement on Standards for&#160;Attestation Engagement (SSAE) No. 16 reports. An institution should also include in its business&#160;continuity and contingency planning provisions for when cyber risk events should result in&#160;substitution or replacement of services provided by third parties.</p><p>An institution should also understand if a third party outsources a service upon which the&#160;institution has a material reliance, and what additional exposures that may create.</p><p><em>Privacy and Data Protection</em></p><p>Due to the nature of their respective businesses, the Regulated Entities and the Office of Finance&#160;may possess sensitive, confidential, or personally identifiable information. If such information is&#160;not adequately protected from loss, harm, alteration, or exploit, an institution may become subject&#160;to legal and reputational risks.</p><div><p>As part of its risk assessment, each institution should have a comprehensive view of where&#160;sensitive, confidential, or personally identifiable information resides within the institution; how it is&#160;managed and used; and how it is transmitted, transported, and protected. Information may be&#160;protected through a variety of means, such as through the use of front and back end controls on&#160;user access, and through the use of encryption. Each institution should determine the nature and&#160;extent of precautions necessary to address its distinctive risk areas. 
As part of its program to monitor and respond to cyber risks, an institution should determine the effectiveness of its precautions taken to protect information and data.</p><p>The cyber risk management program, including policies, procedures, and/or technology solutions, should be tailored to address the risks faced by each institution and responsive to the seven components outlined in this guidance. The seven components are inter-related and should be considered as part of an effective program.</p><p style="text-decoration:underline;"><strong><em>Related Guidance</em></strong></p><p><em><a href="/SupervisionRegulation/FannieMaeandFreddieMac/Documents/OFHEO%20Policy%20Guidances/2001/121901pg01002.pdf">Safety and Soundness Standards for Information</a></em>, Office of Federal Housing Enterprise Oversight Policy Guidance PG-01-002, December 19, 2001.</p><p><a href="/SupervisionRegulation/AdvisoryBulletins/Pages/AB-2014-04-Guidance-on-the-Retirement-of-the-Microsoft-Windows-XP-Operating-System.aspx"><em>Guidance on the Retirement of the Microsoft Windows XP Operating System</em></a>, Federal Housing Finance Agency Advisory Bulletin AB-2014-04, March 20, 2014.</p></div></div></div>
Guidance on the Retirement of the Microsoft Windows XP Operating System | 3/20/2014 | AB 2014-04<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p align="LEFT"><strong>ADVISORY BULLETIN</strong></p><p align="LEFT"><strong>AB 2014-04</strong></p><p><strong>Guidance on the Retirement of the Microsoft Windows XP Operating System</strong></p></td></tr></tbody></table><p>This advisory bulletin is being issued by the Federal Housing Finance Agency (FHFA) to ensure that Fannie Mae, Freddie Mac, the Federal Home Loan Banks (collectively, the Regulated Entities), and the Office of Finance are aware of and responsive to the retirement and ending of support of Windows XP and Office 2003. This advisory bulletin is consistent with guidance issued by other federal financial regulatory agencies.</p><p>The Windows XP operating system and Office 2003 are no longer receiving technical assistance from Microsoft, including updates and patching, after April 8, 2014. While the technology will continue to function, without support it may become more prone to operational breakdowns and security risks.</p><p>The Regulated Entities and the Office of Finance should review the effectiveness of their system and patch management programs to ensure that the risks associated with this retirement are appropriately understood and mitigated. The review should also consider exposures from third party services providers and other vendors that use Windows XP or Office 2003 upon which the Regulated Entity or the Office of Finance has a material reliance.</p>
Rescission of the Federal Home Loan Bank Examination Manual and the Division of Enterprise Regulation Supervision Handbook | 3/11/2014 | AB 2014-03<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p>ADVISORY BULLETIN</p><p>AB 2014-03</p><p>Rescission of the Federal Home Loan Bank Examination Manual and the Division of Enterprise Regulation Supervision Handbook</p></td></tr></tbody></table><p><strong>PURPOSE</strong></p><p>This advisory bulletin rescinds the Federal Housing Finance Board Federal Home Loan Bank (FHLBank) Examination Manual and Federal Housing Finance Agency (FHFA) Division of Enterprise Regulation Supervision Handbook.</p><p><strong>ISSUE</strong><br>The documents identified have been superseded by the FHFA Examination Manual.</p><p><strong>BACKGROUND</strong></p><p>The FHFA Examination Manual was issued on December 19, 2013. The FHFA Examination Manual represents the result of an agency initiative to implement a common examination program for the examinations of Fannie Mae and Freddie Mac, the FHLBanks, and the Office of Finance.</p><p><strong>RESCINDED SUPERVISION GUIDANCE</strong></p><p>The following documents are rescinded:</p><ul><li>Federal Housing Finance Board FHLBank Examination Manual</li><li>FHFA Division of Enterprise Regulation Supervision Handbook</li></ul><p><strong>EFFECTIVE DATE</strong></p><p>The advisory bulletin is effective immediately.</p>
Liquidity Risk Management | 2/19/2014 | AB 2014–01<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p align="LEFT">ADVISORY BULLETIN</p><p align="LEFT">AB 2014 – 01</p><p align="LEFT">LIQUIDITY RISK MANAGEMENT</p></td></tr></tbody></table><font face="Times New Roman"><h2>Introduction</h2></font><font face="Times New Roman"><p align="LEFT">This Advisory Bulletin establishes guidelines for liquidity risk management at Fannie Mae and Freddie Mac (the Enterprises). The guidelines describe the principles the Enterprises should follow to identify, measure, monitor, and control liquidity risk. The Division of Enterprise Regulation (DER) will evaluate the Enterprises’ liquidity risk management programs as part of the examinations.</p><p align="LEFT">This guidance does not supplant existing regulations that pertain to risk management at the Enterprises.</p></font><font face="Times New Roman"><h2>Background</h2></font><font face="Times New Roman"><p align="LEFT">Liquidity risk is the risk that an Enterprise is unable to meet its financial obligations as they come due or meet the credit needs of its customers in a timely and cost-efficient manner. The Enterprises must be financially sound to perform their public missions and should have a comprehensive liquidity risk management framework to limit and control liquidity risk exposures.</p><p align="LEFT">Federal Housing Finance Agency (FHFA) Prudential Management and Operations Standards (PMOS) were effective August 7, 2012, and supplement existing FHFA regulations. They address ten separate areas relating to the management and operation of the Enterprises.
Standard 5 (Adequacy and Maintenance of Liquidity and Reserves) highlights the need for each Enterprise to establish a liquidity management framework, articulate liquidity risk tolerances, and establish a process for identifying, measuring, monitoring, controlling, and reporting its liquidity position and liquidity risk exposures. In addition, Standard 5 includes requirements for conducting stress tests to identify sources of potential liquidity strain and requirements for establishing contingency funding plans (CFP). Standard 8 (Overall Risk Management Processes) establishes the responsibilities of boards of directors and senior management and the need for the Enterprises to establish risk management practices that measure, monitor, and control liquidity risk.</p> </font><font face="Times New Roman"> <h2>Guidance</h2> </font><font face="Times New Roman"> <p align="LEFT">Each Enterprise’s risk management processes should enable it to identify, measure, monitor, and control its liquidity exposures. Management should be able to accurately identify and quantify the primary sources of risk to liquidity. To properly identify the sources of risk, management should understand both existing and emerging risks.
</p> <p align="LEFT">Key elements of an effective risk management process include adequate board of directors (board) and senior management oversight; appropriate liquidity management policies, procedures, and limits; appropriate risk measurement methodology, monitoring, and reporting systems; adequate management information systems and internal controls; an effective contingency funding plan; adequate levels of highly liquid assets; a funding strategy that provides appropriate diversification of funding, regularly assesses market access, and identifies alternative sources of funding; and active management of intraday liquidity and collateral.</p></font><font face="Times New Roman"> <h3>Adequate board of directors and senior management oversight</h3> </font><font face="Times New Roman"> <p align="LEFT">The board is ultimately responsible for the liquidity risk assumed by the Enterprise and for guiding the strategic direction of liquidity management. The board, or a committee thereof, should establish and approve appropriate liquidity risk tolerances and limits, and should oversee the establishment and approval of liquidity management strategies, policies, and procedures, and review them at least annually. In addition, the board should have a fundamental understanding of the Enterprise’s business activities and associated liquidity risks and should ensure that senior management has the necessary expertise to effectively manage liquidity.</p> <p align="LEFT">Senior management oversees the daily and long-term management of liquidity and is responsible for carrying out the strategic objectives of the board. Senior management should develop liquidity risk management strategies, policies, and practices for approval by the board, implement sound internal controls for managing liquidity risk, and establish effective information systems and contingency funding plans. 
In addition, senior management must also establish reporting systems that produce timely and accurate information on the Enterprise’s liquidity position and sources of risk exposure, and provide regular reports to the board. </p> <p align="LEFT">Senior management should also maintain an organizational structure that clearly assigns responsibility, authority, and relationships for managing liquidity risk and ensure that personnel are appropriately trained and competent with regard to the Enterprise’s established policies and tolerances.</p> </font><font face="Times New Roman"> <h3>Appropriate liquidity management policies, procedures, and limits</h3> </font><font face="Times New Roman"> <p align="LEFT">Each Enterprise should implement a risk management policy that addresses standards regarding day-to-day operational liquidity needs and plans for dealing with contingent liquidity needs, including potential temporary, intermediate-term, and long-term liquidity disruptions. Policies should specify the Enterprise’s board established liquidity risk tolerances and procedures for controlling risk exposures within those limits. The policy should be consistent with the Enterprise’s overall business strategy.</p> <p align="LEFT">The policy should include: an enumeration of specific types of investments to be held for liquidity purposes, a description of the Enterprise’s ability to access capital markets during periods of market stress, and the methodology to be used for determining the Enterprise’s operational and contingency liquidity needs. Policy guidelines should include both quantitative and qualitative targets and should contain provisions for documenting and periodically reviewing assumptions used in liquidity projections.
In addition, the policy should specify the nature and frequency of liquidity risk reporting for management and the board, and establish responsibilities and accountability at every level of the management structure, particularly in regard to actions to be taken if limits or positions are breached.</p> </font><font face="Times New Roman"> <h3>Appropriate risk measurement methodology, monitoring, and reporting systems</h3> </font><font face="Times New Roman"> <p align="LEFT">Each Enterprise should establish appropriate models to accurately measure its liquidity exposures, identify potential liquidity shortfalls, and simulate various market scenarios. Measurement systems should include robust methods for projecting cash flows and an Enterprise’s liquidity needs over appropriate time horizons, including intraday, day-to-day, short-term weekly and monthly horizons, medium-term horizons of up to one year, and longer-term liquidity needs of one year or more. These systems should also measure tenor and provider concentrations to ensure reliance on certain funding structures or sources of funds is appropriately identified and controlled.</p> <p align="LEFT">Cash flow and model assumptions should be reasonable, appropriate, and adequately documented, and should be periodically reviewed by senior management. Measuring and reporting systems should capture all significant on- and off-balance-sheet items and be adjusted as products or risks change.</p> <p align="LEFT">Each Enterprise should ensure that assets are properly valued according to relevant financial reporting and supervisory standards.
In determining potential liquidity needs and risk management strategies, the possibility of losses and deterioration in valuations from potential credit and market events should be considered and the Enterprise should take this into account in assessing the feasibility and impact of asset sales on its liquidity position during stress events.</p> </font><font face="Times New Roman"> <h4>Stress Testing</h4> </font><font face="Times New Roman"> <p align="LEFT">Each Enterprise should conduct stress tests on a regular basis for a variety of Enterprise-specific and market-wide stress scenarios across a range of time horizons. Stress test results should be used to identify sources of potential liquidity strain, to ensure that current exposures remain in accordance with established risk tolerances, and to analyze effects on the Enterprise’s cash flows, profitability, and solvency. Management should use results of stress tests to adjust liquidity management policies and positions and to develop effective contingency plans.</p> </font><font face="Times New Roman"> <h4>Collateral Position Management</h4> </font> <p align="LEFT">An Enterprise should have the ability to calculate all of its collateral positions in a timely manner, including the value of assets currently pledged relative to the amount of security required and unencumbered assets available to be pledged. An Enterprise should be aware of the operational and timing requirements associated with accessing the collateral given its physical location (i.e., the custodian entity or securities settlement system with which the collateral is held). 
The Enterprises should also fully understand the potential demand for additional collateral arising from various types of contractual contingencies during periods of both market-wide and Enterprise-specific stress.</p><h4>Management Reporting</h4><p align="LEFT">Senior management should receive reports on the adequacy of an Enterprise’s liquidity, including the level and trend of risks to the Enterprise’s liquidity at least monthly; the board, or a committee thereof, should receive reports at least quarterly. If liquidity risk is high or if it is moderate and increasing, the reports should be more frequent. These reports should convey how much risk the Enterprise is assuming, its compliance with risk limits, and whether strategies are consistent with the board’s expressed risk tolerance. Additional reportable items may include cash flow projections, critical assumptions used in cash flow projections, asset and funding concentrations, key early warning or risk indicators, funding availability, status of contingent funding sources, or collateral usage.</p><h3>Adequate management information systems and internal controls</h3><p align="LEFT">Senior management should establish adequate internal controls to ensure board-established liquidity risk policies and objectives will be achieved. Adequate internal controls should address items such as the Enterprise’s compliance with policies, procedures, and regulations, and the effectiveness of risk measurement and reporting.</p><p align="LEFT">Internal audit should regularly review and evaluate the various components of the Enterprise’s liquidity risk management process. These reviews should assess the extent to which the Enterprise’s liquidity risk management practices comply with both supervisory guidance and industry sound practices, and should report instances of noncompliance to management and the board.
The reviews should ensure that front- and back-office systems capably support current and projected operations.</p><h3>An effective contingency funding plan (CFP)</h3><p align="LEFT">Each Enterprise should have a formal contingency funding plan that clearly sets out strategies for addressing liquidity shortfalls in emergencies. The CFP should represent management’s best estimate of balance sheet changes that may result from a liquidity event based on stress testing and scenario analysis. The CFP should be clearly integrated into the Enterprise’s overall liquidity risk management framework. It should provide plans, courses of action, clear lines of responsibility, and escalation procedures to ensure liquidity sources are sufficient to fund normal operations during potential temporary, intermediate-term, and long-term liquidity disruptions. The CFP should provide a framework with significant flexibility so an Enterprise can respond quickly to a variety of situations.</p><p align="LEFT">Effective contingency funding plans should identify Enterprise-specific and market-wide stress events and scenarios that may have a significant effect on an Enterprise’s liquidity. A CFP should then identify minimum and maximum liquidity needs under various stress events and weigh alternative courses of action designed to meet those needs. The result should be a realistic analysis of cash inflows, outflows, and funds availability at different time intervals during the potential liquidity stress event in order to measure the Enterprise’s ability to fund operations and address intraday liquidity needs.
A CFP should also identify alternative contingent liquidity resources that can be employed under adverse liquidity circumstances.</p><p align="LEFT">To ensure the Enterprise can make timely and well-informed decisions, the CFP should clearly specify roles and responsibilities, including the authority to invoke the CFP and alternates for key roles, and include realistic action plans to execute the various elements of the plan for given levels of stress. The CFP should provide for more frequent and more detailed liquidity risk reporting as the stress situation intensifies and should establish a plan to deliver timely, clear, consistent, and frequent communication to internal and external parties, as appropriate.</p><p align="LEFT">A CFP should establish a monitoring framework for contingent events, including the use of early-warning indicators and event triggers. Early-warning signals should identify the emergence of increased liquidity risk and may include, but are not limited to, negative publicity concerning an asset class owned by the Enterprise, increased potential for deterioration in the Enterprise’s financial condition, widening debt spreads, growing concentrations in assets or liabilities, difficulty accessing funding, or increasing funding costs.</p><p align="LEFT">Each Enterprise’s CFP should be revised and updated regularly to reflect changes in market or business conditions. In addition, a CFP should be tested to assess its reliability and operational soundness under stress conditions. 
Testing should ensure that roles and responsibilities are up-to-date and appropriate; that legal and operational documents are up-to-date and appropriate; that cash and collateral can be moved where and when needed; and that contingent liquidity lines can be drawn when needed.</p><h3>Adequate levels of highly liquid assets</h3><p align="LEFT">An Enterprise should maintain adequate reserves of highly liquid assets, including adequate reserves of unencumbered, marketable securities that can be liquidated to meet unexpected needs. These assets should have no legal, regulatory, or operational impediments and should be held as insurance against a range of liquidity stress scenarios including those that involve the loss or impairment of typically available unsecured and secured funding sources.</p><p align="LEFT">The quality of unencumbered liquid assets is important as it will ensure accessibility during the time of most need. The size of the liquidity cushion should be supported by estimates of liquidity needs performed under an Enterprise’s stress testing, as well as aligned with the risk tolerance and risk profile of the Enterprise.</p><h3>A funding strategy that provides appropriate diversification of funding, regularly assesses market access, and identifies alternative sources of funding</h3><p align="LEFT"> The Enterprises should each establish funding strategies that provide effective diversification of funding. In general, funding concentrations should be avoided. The Enterprises should diversify available funding sources in the short-, medium-, and long-term. Funding strategies should take into account correlations between sources of funds and market conditions.</p><p align="LEFT">An essential component of ensuring funding diversity is maintaining market access. Market access is critical for effective liquidity risk management as it affects both the ability to raise new funds and to liquidate assets. 
Senior management should identify the main factors that affect the Enterprise’s ability to raise funds and monitor those factors and should ensure that market access is being actively managed, monitored, and tested by the appropriate staff.</p><p align="LEFT">An Enterprise should identify alternative sources of funding that strengthen its capacity to withstand a variety of severe Enterprise-specific and market-wide liquidity shocks. Depending upon the nature, severity, and duration of the liquidity disruption, potential sources of funding include, but are not limited to, the following:</p><ul><li><p>Cash and highly liquid US government securities</p></li><li><p>Issuance of unsecured or longer-term debt instruments</p></li><li><p>Asset securitization</p></li><li><p>Sale (either outright or through repurchase agreements) or pledging of liquid assets.</p></li></ul><h3>Active management of intraday liquidity and collateral</h3><p align="LEFT">The Enterprises should actively manage their intraday liquidity and collateral to meet payment and settlement obligations in a timely manner under both normal and stressed conditions. Senior management should establish an intraday liquidity strategy that allows the Enterprise to identify time-specific and other critical obligations, and sequence payments based on priority.
In addition, the intraday strategy should:</p><ul><li><p>Monitor and measure expected daily gross liquidity inflows and outflows.</p></li><li><p>Manage and mobilize collateral when necessary to obtain intraday credit.</p></li><li><p>Ensure that liquidity planners understand the amounts of collateral and liquidity needed to perform payment-system obligations when assessing the Enterprise’s overall liquidity needs.</p></li></ul><h2>Related Guidance</h2><p align="LEFT">12 CFR Part 1720 Safety and Soundness Standards, which addresses balance sheet growth and management and non-mortgage liquidity investments.</p><p align="LEFT">12 CFR Part 1236 Prudential Management and Operations Standards.</p>
Operational Risk Management | 2/19/2014 | AB 2014–02<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p>ADVISORY BULLETIN</p><p>AB 2014 – 02</p><p>OPERATIONAL RISK MANAGEMENT</p></td></tr></tbody></table><h2>Introduction</h2><p>This advisory bulletin (AB) applies to Fannie Mae and Freddie Mac (the Enterprises), the Federal Home Loan Banks (FHLBanks), and the Office of Finance (for purposes of this AB collectively, the regulated entities). The AB describes the four basic components of a program to manage operational risk effectively: risk identification and assessment; measurement and modeling; reporting; and risk management decision-making. It also addresses governance aspects of operational risk management, i.e., the duties and responsibilities of management and the board of directors.</p><p>For the Enterprises, this AB rescinds and replaces the Office of Federal Housing Enterprise Oversight (OFHEO) Enterprise Guidance on Operational Risk Management PG-08-002, dated September 23, 2008. FHFA will issue additional guidance on collecting data about operational risk events and reporting such events to management and boards of directors of the regulated entities, and to FHFA. Until that guidance is issued, the Enterprises are to continue collecting data and reporting to FHFA pursuant to the August 10, 2007 letters from OFHEO Director Lockhart and the June 25, 2012 operational event data collection instructions.</p><h2>Background</h2><p>In its examination rating system (CAMELSO<sup id="ref1"><a href="#ft1">[1]</a></sup>) and its Prudential Management and Operations Standards (PMOS<sup id="ref2"><a href="#ft2">[2]</a></sup>), FHFA identified matters examiners may assess when evaluating a regulated entity’s management of its operational risk.
This AB provides further guidance to the regulated entities on the effective management of operational risk and is intended to promote the safety and soundness of the regulated entities by providing specific guidance on how each regulated entity should manage operational risk. To be effective, a regulated entity’s operational risk policies, procedures and practices should: (1) reflect the complexity, operations, conditions and strategic plans of the regulated entity, as well as the economic and legal environment within which the regulated entity conducts business; and (2) be appropriate for the scale and nature of the regulated entity’s business.<sup id="ref3"><a href="#ft3">[3]</a></sup> FHFA expects that each regulated entity’s operational risk management program will evolve over time, just as industry and supervisory standards such as the work of the Committee of Sponsoring Organizations (COSO) of the Treadway Commission and the Basel Committee on Banking Supervision have evolved.</p><p>Sound management of operational risk includes developing and applying operational risk management policies, procedures and processes consistently across the regulated entity. A regulated entity’s operational risk management program should conform to professional practices, comply with regulatory requirements, and achieve results consistent with the regulated entity’s objectives.
The scope of the operational risk management program should encompass:</p><ul><li><p>risk identification, including defining operational risk;</p></li><li><p>risk assessment, including analysis of the severity and likelihood of operational events given the effectiveness of controls in place;</p></li><li><p>measurement, including the direction and magnitude of changes in the risk profile, which may include modeling, i.e., the treatment of diverse loss types in a common analytical framework;</p></li><li><p>reporting, including operational event reporting that provides timely and actionable information to management; and</p></li><li><p>risk management decision-making, including evidence that management decisions about operational risk mitigation strategies are informed by data and information gathered in the other processes of the program.</p></li></ul><p>A regulated entity should establish: (1) an operational risk management culture across the regulated entity to identify and address operational risks; and (2) a measurement system that quantifies operational risk. The regulated entity’s overall risk management program should integrate operational risk management processes. An effective operational risk management program should result in demonstrable benefits to the regulated entity, including managers and staff at the regulated entities identifying and economically managing operational risks.</p><h2>Guidance</h2><h3>A. Components of Operational Risk Management</h3><p>Effective operational risk management includes four key components:</p><ol><li>identification and assessment;</li><li>measurement and modeling;</li><li>reporting; and</li><li>risk management decision-making.</li></ol><p>Each of these components is described below.</p><h4>1. 
Identification and Assessment</h4><p>Before identifying and assessing operational risk, a regulated entity needs to define and effectively communicate across the regulated entity what is meant by “operational risk.” At a minimum, the regulated entity’s definition should consider the definition adopted for purposes of this bulletin; specifically, operational risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events. The regulated entity’s definition should encompass risks related to housing mission-related activities, including activities related to affordable housing programs or goals. The regulated entity should formulate its definition of operational risk to communicate clearly the elements of risk that are and are not included within its definition of operational risk. That definition should fit into the regulated entity’s overall risk management framework so that all significant risks that the entity is exposed to can be appropriately managed. As part of its role in overseeing and assessing management’s efforts to implement a common risk language and a risk awareness culture across the regulated entity, the regulated entity’s board of directors should review and approve the definition of operational risk as part of its approval of the regulated entity’s operational risk management policy.</p><p>The regulated entity should develop processes and mechanisms to assist in identifying operational risks. These should be appropriate for the scale and nature of the regulated entity’s business, operations, and condition. 
According to current best practices of risk management, these processes and mechanisms generally should include risk-control self-assessments (RCSA), key risk indicators (KRIs), and key performance indicators (KPIs).</p><p>The regulated entity’s assessment of operational risk should include processes that evaluate both the severity and likelihood of operational events and consider the quality of controls and infrastructure that are designed to prevent, avoid, or reduce the likelihood of operational events occurring and their impact should they occur. The regulated entity should have a process for assessing changes in the business environment and their impact on operational risk. This should include assessing the impact of changes in the volume and complexity of the regulated entity’s operations due to developments in the financial, legal, and regulatory environment. The regulated entity should establish a process to identify and assess the level and trends in operational risk and related internal control structures. Assessments should be current and comprehensive (i.e., address the factors listed in the Operational Risk section in AB 2012-03 of CAMELSO, and the standards related to operational risk in PMOS) across the regulated entity. The regulated entity’s process for risk assessments should be sufficiently flexible to accommodate increasing complexity, new activities, and changes in internal control systems.</p><p>Details on FHFA expectations related to the sources for identifying operational risk follow.</p><ol style="list-style-type:lower-alpha;"><li><p><em>Internal Operational Event and Loss Data</em> – A regulated entity’s operational risk measurement system should incorporate event and loss data derived from an operational event tracking system. The database may draw upon multiple sources of information including business-line level databases that report and/or track exceptions and issues.
Definitions and scope of critical information that feed into the operational event database should be consistently applied across the regulated entity. The database should ultimately include operational event and loss data covering a meaningful time span, normally five or more years. Data, even if deemed ‘stale’ because of implementation of a new control or other management action, should not be discarded since it remains relevant for other uses such as scenario analysis, regulatory compliance reporting, and “lessons learned” materials for management. In addition, operational events are often complex and evolutionary and, thus, events that are apparently unconnected or contained may turn out to have further ramifications or be tied to subsequent events.</p></li><li><p> <em>Business Environment Assessment </em>– A regulated entity’s operational risk measurement system should incorporate a process for assessing changes in the business environment and the impact on operational risk. This should include assessing the impact of changes in the volume and complexity of the regulated entity’s operations caused by developments in the financial, legal, and regulatory environment. The regulated entity should establish a process to identify and assess the level and trends in operational risk and related internal control structures. Assessments should be current and comprehensive across the regulated entity. The process should be sufficiently flexible to accommodate increasing complexity, new activities, and changes in internal control systems.</p></li><li><p> <em>Internal Risk and Control Environment Assessment </em>– A regulated entity’s operational risk measurement system should have a component that takes into account the condition of the internal control environment. 
The regulated entity may adjust measures of operational risk (including operational risk capital measures) based on measurement tools and indicators that gauge, in a forward-looking manner, improvement or deterioration in an entity’s operational risk exposure and/or control environment. Sources may include internally generated KRIs and performance triggers, internal and external audit reports, examination findings and other periodic reviews such as RCSA.</p></li><li><p> <em>External Loss Data and Scenario Analysis</em> – Scenario analysis (identifying events that have not occurred, but could occur at the regulated entity) and external data on industry operational loss events can be important tools of an effective operational risk management program if carefully designed and integrated into the processes and systems for risk measurement and management. The regulated entity’s operational risk measurement system should include a review of external data to gain an understanding of operational loss experience of similarly sized organizations in similar lines of business. External data can complement internal operational event data as an input into a system for measuring the entity’s operational risk exposure or to inform scenario analysis.</p></li><li><p> <em>Evaluation</em> – A timely evaluation and update of a regulated entity’s operational risk measurement system is appropriate whenever the entity becomes aware of information that may have a material effect on the estimate of operational risk exposure. 
A complete evaluation of the entity’s operational risk management program should be conducted by a qualified, independent team of experts, staffed either internally or externally, often enough to reflect the possibility of changes in the entity’s risk environment, normally at least annually.</p></li></ol><p>The framework for identifying and assessing risks should be applied across the regulated entity and should be periodically reviewed and independently validated.</p><h4>2. Measurement and Modeling</h4><p>A regulated entity should have effective means of measuring operational risks in order to manage those risks. Management and the board of directors should establish qualitative and quantitative risk measures that indicate the direction and magnitude of the regulated entity’s operational risk profile (and changes in the risk profile). Also, management and the board should have current and complete information about the limitations of those risk measures. The measures should be appropriate for the scale and nature of the regulated entity’s business.</p><p>A regulated entity’s internal operational risk measurement system should be supported by data about the incidence of, and losses (including potential losses) related to, operational events. The operational risk measurement system should take into account the condition of the regulated entity’s internal control environment. The regulated entity may adjust measures of operational risk based on measurement tools and indicators that gauge, in a forward-looking manner, improvement or deterioration in a regulated entity’s operational risk exposure and/or control environment. 
Sources of such qualitative and quantitative information could include internally gathered key risk indicators and performance triggers, internal and external audit reports, examination findings, and other periodic reviews.</p><p>The regulated entity’s operational risk measurement system should include a review of external data to gain an understanding of operational loss experience at peer institutions and within the industry. External data may serve a number of different purposes in an operational risk measurement system. For example, external data can complement internal loss data as an input into a system for measuring the regulated entity’s operational risk. Even where external loss data are not an explicit input into the measurement system, such data may provide a means to assess the adequacy of the regulated entity’s internal data. External data may also inform scenario analysis, provide additional data for severity distributions, or be used for validating an economic capital model. 
If a regulated entity incorporates scenario analysis into its operational risk measurement system, it should document the process for conducting scenario analysis including the manner in which the scenarios are generated; the frequency with which they are updated; the scope and coverage of operational loss events they are intended to reflect; and the results of the analysis and how these results impact operational risk measurement.</p><p>If a regulated entity determines its risk profile warrants modeling one or more components of its operational risk, the models should connect the real and probabilistic sides of operational risk management, and treat diverse loss types in a common analytical framework.<sup id="ref4"><a href="#ft4">[4]</a></sup> The reasoning for differential incorporation of the risk assessment components in the model should be transparent and consistently applied.</p><p>Regardless of the methodologies the regulated entity uses for measuring and modeling operational risk, the measures and models should&#58;</p><ul><li>be consistent with the regulated entity’s definition of operational risk;</li><li>use valid data acquired from reliable system(s) or process(es);</li><li>be periodically updated to reflect new risks;</li><li>be tested for sensitivity to changes in data, assumptions, and model specifications; and</li><li>be periodically and independently validated (for example, by the internal audit function).</li></ul><h4>3. Risk Reporting</h4><p>In order to carry out their respective responsibilities, senior management and the board of directors should receive regular reports with appropriate and timely information, relevant to their respective roles, related to operational risk events and the regulated entity’s operational risk profile. 
Reports for the board of directors should provide sufficient information for the board to carry out its oversight responsibilities, and reports for management should include actionable information that supports business and risk-management decisions.</p><p>A regulated entity should have a reporting structure that provides for consistent reporting and escalation procedures across business units and functions. The regulated entity’s operational risk event reporting system should be entity-wide, rely on established reporting thresholds that do not exclude important internal operational event data, and support the assessment of the regulated entity’s operational risk exposure. The particular risk profile of a business line may be considered when establishing risk limits and reporting and escalation thresholds (what is significant in one business line may not be in another), but the establishment of and adjustments to thresholds and limits should be a systematic procedure applied consistently across the regulated entity.</p><p>While the level of detail in reports to the board of directors and management may vary, reports to both about operational risk would normally be expected to address, at a minimum&#58;</p><ul><li><p>significant operational loss events in the prior quarter, including near misses;</p></li><li><p>significant changes, including changes to the regulated entity’s business environment, that may signal actual or potential increased or decreased risk of future losses;</p></li><li><p>significant changes to the regulated entity’s processes or resources, including comparisons to previous reports and using specific indicators or metrics; and</p></li><li><p>policy and risk tolerance exceptions.</p></li></ul><h4>4. Risk Management Decision-Making</h4><p>Effective operational risk management includes making decisions, when appropriate, based on operational risk identification and assessment, measurement and modeling, and reporting. 
Such decisions may include, for example, deciding to avoid, transfer, or mitigate unwanted risk, and to monitor, and allocate resources appropriately to, operational risks that are explicitly accepted.</p><p>The link between risk management decision-making and risk identification and assessment, measurement and modeling, and reporting can be demonstrated, for example, by&#58; (1) processes that encourage effective management based on the assessment and reporting of changes in operational risk, and discourage behavior that weakens risk management or the internal control environment; or (2) an internal written communication documenting that management at the regulated entity takes the results of the operational risk measurement and reporting systems into account when making business decisions.</p><p>For example, FHFA expects that the FHLBanks will incorporate the documented results of operational risk assessments and/or models into their retained earnings plans; and that the Enterprises will base the allocations of economic capital, in part, on documented analysis of the other components of the operational risk identification and assessment, measurement and modeling, and reporting. While the Enterprises’ allocations should be consistent with the broader economic capital measurement and allocation systems, operational risk capital allocation should be demonstrably commensurate with the operational risk in a particular area or business and should serve as an incentive mechanism to implement cost-effective controls and active management of operational risk including techniques of avoidance, transfer, mitigation, and appropriate monitoring and resource allocation for explicitly retained risks.</p><p>Consistent application of a decision framework ensures a common marginal risk/return trade-off across the firm’s lines of business, translating into risk mitigation strategies and investments consistent with each other and the entity’s risk policies. 
Choosing among available risk mitigation strategies should involve an appropriate management review informed by one or more decision frameworks such as cost/benefit analysis, estimation of risk-adjusted return on capital (RAROC), expected utility analysis, or other approaches.</p><p>The regulated entity’s operational risk management decision-making should be supported by the periodic review and updating of the other components of the operational risk management program (risk identification and assessment, measurement and modeling and reporting). To facilitate improved risk management decision-making, the regulated entities should regularly and independently validate the components of their operational risk management program against changes in the internal control environment, risk profile, and external business and market developments.</p><h3>B. Governance of Operational Risk Management</h3><p>Five important governance components of operational risk management are&#58; (1) an operational risk policy; (2) board oversight; (3) executive and senior management leadership; (4) operational risk officer implementation; and (5) business unit management and staff commitment.</p><h4>1. Operational Risk Policy</h4><p>A comprehensive operational risk management policy forms the foundation of effective operational risk management. The policy should define operational risk as well as the roles and responsibilities of key stakeholders and of entitywide operational risk management functions. These roles and responsibilities should support and promote an operational risk management culture across the regulated entity that effectively identifies and economically manages operational risks. 
While the operational risk governance structure will vary depending on the scale and nature of the regulated entity’s business, it should be fully integrated into the regulated entity’s overall risk management governance structure, and should demonstrate the status of operational risk management within the regulated entity.</p><p>The roles and responsibilities should be designed to minimize the potential for conflicts of interest, and should support&#58;</p><ul><li><p>the prudent acceptance of operational risk;</p></li><li><p>the efficient and consistent efforts to manage operational risk; and</p></li><li><p>the effective and timely communication – vertically and horizontally across the entity – about operational risk exposures and management.</p></li></ul><h4>2. Board Oversight</h4><p>The board of directors is responsible for establishing an appropriate “tone at the top” that promotes a strong and effective risk management culture, including operational risk management, at the regulated entity. The board or its risk management committee is responsible for approving the operational risk management program and overseeing that adequate resources are available and allocated to effectively manage operational risk. The board or its risk management committee should maintain awareness and understanding of the sources of operational risk, the strategies employed across the regulated entity to manage operational risk, and the level and direction of operational risk at the regulated entity. The board or its risk management committee is responsible for overseeing management’s efforts to keep the level of operational risk within established limits. 
Specific board or board risk management committee responsibilities related to the governance aspects of operational risk management include&#58;</p><ul><li><p>ensuring the independent operational risk management function is at a sufficiently senior level in the organization to provide the appropriate stature for the position and support a strong risk management culture;</p></li><li><p>setting and/or approving operational risk limits and tolerances;</p></li><li><p>overseeing the periodic review and independent assessment of the processes and methodologies used to identify, assess, measure, and model operational risk;</p></li><li><p>reviewing and analyzing regular reports from the operational risk officer and other sources on the level and composition of operational risk; and</p></li><li><p>holding management accountable for unacceptable results or conditions under its purview.</p></li></ul><h4>3. Executive and Senior Management</h4><p>Executive and senior management are also responsible for fostering a tone that promotes the strong and effective management of operational risk across the regulated entity. These highest levels of management are responsible for implementing board-approved strategies and policies, and ensuring that controls are in place to keep operational risk within established limits and tolerances. Executive and senior management are responsible for&#58; (1) ensuring that the operational risk policy and standards are consistently applied across the regulated entity’s business lines, units, and operations; and (2) allocating sufficient resources to operational risk management functions throughout the regulated entity. 
Specific executive and senior management responsibilities related to operational risk management include&#58;</p><ul><li><p>reviewing annually (and updating as appropriate) operational risk-related policies and procedures, and submitting policies to the board for approval;</p></li><li><p>ensuring all staff receive appropriate training and tools to implement the operational risk management program effectively;</p></li><li><p>enforcing board-established operational risk limits and tolerances;</p></li><li><p>ensuring the independent assessment of the processes and methodologies used to identify, assess, measure, and model operational risk; and reviewing the results and taking appropriate action in light of the independent assessments; and</p></li><li><p>preparing, reviewing and analyzing accurate and timely regular reports on the level and composition of operational risk for decision-making and oversight, including reports on operational events, risk and control assessments, and the effectiveness of the operational risk management function.</p></li></ul><h4>4. Operational Risk Officer</h4><p>This guidance encompasses risk-management execution responsibilities in the term “operational risk officer” (ORO). It may not be necessary that there actually be an officer with that title to effectively implement this guidance. For example, the ORO functions may be carried out by the chief risk officer (CRO), or some other configuration of officers.</p><p>The ORO is responsible for the day-to-day implementation (including the operation, maintenance and improvement) of the operational risk management program. The ORO is independent of the business lines. The ORO works collaboratively and cooperatively with the regulated entity’s business units and internal audit function. 
The ORO is responsible for developing, recommending and implementing strategies for&#58; identifying, assessing, measuring, monitoring, reporting, avoiding, transferring, and mitigating operational risk across the regulated entity. The ORO is responsible for developing and implementing policies and procedures for operational risk management; the regulated entity’s operational risk assessment methodology; and the operational event data collection and reporting system. Specific ORO responsibilities would normally include&#58;</p><ul><li><p>maintaining operational risk management policy and procedure documentation that identifies roles and responsibilities of executive and senior management, business unit management, internal audit, and the operational risk management function;</p></li><li><p>developing the regulated entity’s operational risk management strategy;</p></li><li><p>collecting and reporting operational event data that meets internal and FHFA reporting needs and requirements;</p></li><li><p>developing an effective analytic framework that uses operational event data for calculating operational risk exposure; and for the Enterprises, economic capital, and for the FHLBanks, retained earnings and overall capital adequacy;</p></li><li><p>developing and administering the self-assessment of operational risk and internal controls for business units across the regulated entity; and</p></li><li><p>establishing and enforcing criteria (such as content, distribution, frequency) for management reporting of operational risk from the business units through senior and executive management to the board of directors.</p></li></ul><h4>5. Business Unit Management and Staff</h4><p>Business unit management and staff are responsible for demonstrating a commitment to an effective operational risk management and internal control function by implementing operational risk management-related policies and procedures. 
They are responsible for&#58; taking actions that are consistent with the articulated risk appetite; safeguarding resources; producing reliable management reports; complying with applicable laws and regulations; and minimizing the potential for human error and fraud. They are also responsible for using operational risk management tools such as self-assessments, and for reporting the results of such assessments as directed by the ORO.</p><p>FHFA examiners will evaluate the regulated entities’ operational risk management practices as part of the annual examination.</p><p>Advisory Bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, Fannie Mae, and Freddie Mac. This bulletin is effective immediately upon issuance. Contact Kari Walter, Senior Associate Director, Office of Supervision Policy, or Carol Connelly, Principal Examiner, Examination Standards Branch with comments or questions pertaining to this bulletin. This Advisory Bulletin is a Public document.</p><p>&#160;</p><hr width="33%" align="left" /><p> <sup id="ft1"> <a href="#ref1">[1]</a></sup> AB 2012-03 FHFA Examination Rating System (December 19, 2012).</p><p> <sup id="ft2"> <a href="#ref2">[2]</a></sup> 12 CFR part 1236, Appendix A.</p><p> <sup id="ft3"> <a href="#ref3">[3]</a></sup> For example, the limited nature of the business of the Office of Finance will result in operational risk policies, procedures and practices that are significantly different from those of either the FHLBanks or the Enterprises.</p><p> <sup id="ft4"><a href="#ref4">[4]</a></sup> FHFA guidance on model risk management may be found in AB 2013-07 Model Risk Management Guidance (November 20, 2013).</p>
Model Risk Management Guidance, AB 2013-07 (11/20/2013)<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"> <font face="Times New Roman"> <p>ADVISORY BULLETIN</p> <p align="left">AB 2013-07</p> <p>Model Risk Management Guidance</p></font></td></tr></tbody></table><h2>Purpose </h2><p>This advisory bulletin replaces Federal Housing Finance Agency Advisory Bulletin 2009-AB-03 (Validation and Documentation of Models and Related Controls on Internal Processes). The earlier advisory bulletin provided guidance on model risk management for the Federal Home Loan Bank (FHLBank) System. This guidance’s scope includes Fannie Mae and Freddie Mac in addition to the FHLBanks and the Office of Finance (collectively, the Regulated Entities).<sup id="ref1"><a href="#ft1">[1]</a></sup> A Regulated Entity’s model risk management framework should reflect the entity’s size, complexity and extent of model use and level of risk exposure. Large, complex entities that develop their own models should have an appropriately rigorous framework in place. Both Fannie Mae and Freddie Mac are considered to be large, complex enterprises for purposes of this bulletin. As less complex entities, based on the current extent and scale of their model development, the FHLBanks should have a framework that is commensurate with their model use and risk exposure.</p><p>This advisory bulletin sets the minimum thresholds, based on the extent and scale of each Regulated Entity’s model development, for the Federal Housing Finance Agency’s supervisory expectations for model risk management by outlining the framework of baseline control and governance requirements. This bulletin is intended to be applied using a risk-based approach to models, model-based applications, modeling processes and significant end-user computing tools that are used to help make key business and financial decisions. 
Regulated Entities should apply the same principles outlined in this advisory bulletin to internally-developed and vendor-provided models, whether used and managed in-house or externally by a vendor.</p><p>This advisory bulletin draws on FHFA’s supervisory experience at the Regulated Entities and is consistent with related guidance issued by other federal financial regulatory agencies.<sup id="ref2"><a href="#ft2">[2]</a></sup></p><h2>Background and Key Points</h2><p>The Regulated Entities use models in a variety of areas including but not limited to financial instrument valuation, compliance, capital reserves measurement, loss allowance, financial reporting, and market and credit risk measurement and control. Although models are often essential, reliance on inaccurate or inappropriate models may lead to poor or costly decisions.</p><p>Effective risk-based model risk management entails a comprehensive approach in identifying risk throughout the model lifecycle. A Regulated Entity should embed a risk management framework in its policies, procedures, roles and responsibilities of model stakeholders, and a well-coordinated committee structure. This framework promotes periodic monitoring and reporting of model risk horizontally and vertically across a Regulated Entity. It envisions the placement of stronger process control where risk arises; an appropriate organizational structure to promote transparency of risk; an independent model risk management group; and clear direction from a Regulated Entity’s compliance units, senior management, and its board of directors (the board). The board’s risk committee sets the model risk appetite at the corporate level. Model stakeholders including model users, developers, owners, and oversight groups should have clear accountabilities to promote compliance with model risk limits and management guidelines.</p><p>This framework incorporates recent trends in model risk management. 
Specifically, it adopts the practice of managing inherent model risk at the source – the assignment of model risk management responsibilities to model developers, owners and users. Also, the framework expands the risk management group’s role from one solely performing validation activities to one that is more proactive in risk identification and measurement. Additionally, the framework recommends that the board and senior management exercise oversight through working groups and committees. Working groups and management committees provide model stakeholders forums in which to discuss model issues and approve mitigating actions. The framework likewise expands the assurance function of internal audit in large, complex enterprises to include continuous monitoring of model controls and an enhanced ability to review the effectiveness of the validation function. For less complex entities, internal audit’s role could be more limited and focus on compliance with relevant policies and procedures.</p><p>Critical to the success of managing model risk is full ownership by model developers, owners and users of the responsibilities of managing risk consistent with the view that model risk is a risk management responsibility rather than a compliance obligation. Model risk is best managed at its source through a structured and disciplined approach in model development, testing, implementation, validation, and use. This is executed through a formalized control framework with a highly specific set of control procedures and standards present through the model lifecycle. Model owners and developers manage risk through proper development and implementation of models in accordance with these guidelines. Similarly, the model user takes guidance from specific control procedures to ensure that the model is used appropriately and all manner of model use is&#160;reported and inventoried. 
Examples of control guidelines include model documentation standards, model performance standards, model change and control procedures, and technical model development standards to guide model implementation.</p><p>An independent model risk management group provides a secondary layer of control by identifying and measuring residual model risk via its model validation, periodic review, and ongoing monitoring activities.</p><p align="left">Senior management and the board perform vital governance and oversight functions through their review and approval of proposed remediation or mitigation approaches. Management committees provide the appropriate forums where corporate model strategies are discussed and management approves short-term model risk mitigation actions and longer-term model risk remediation approaches. At large, complex enterprises, internal audit assesses the design and effectiveness of the overall model risk management framework through its model and business process audits and its assessment of the validation function’s effectiveness.</p><p align="left">In establishing this framework, senior management should ensure that roles and responsibilities are clear and that model risk issues are identified and reported horizontally and vertically across a Regulated Entity. Clear accountability is needed to ensure that model stakeholders have the proper incentives to manage their respective risk areas.</p><p align="left">Senior management should create an appropriate organizational structure to promote effective organizational challenge of models. Key elements of having effective organizational challenge to models include findings management, performance tracking, reporting, and an escalation process. The independent validation group should be adequately staffed and have the requisite skills and experience to assess the conceptual design of the modeling approach. Model risk should be transparent and reported to the board and senior management. 
Remedial actions should be timely and escalation procedures clear. All stakeholders, including modelers, model users and independent validators, should participate actively to influence model development planning and prioritization. The support of senior management and the board is vital in promoting a culture of collaborative model risk awareness across a Regulated Entity.</p><p align="left">Regulated Entities should customize their model risk management framework based on the extent and complexity of model use and their level of risk exposure. Large, complex enterprises that develop their own models should have a more rigorous and extensive framework in place. Less complex and smaller entities should design their framework to ensure minimum supervisory requirements are met in a cost-effective manner.</p><p align="left"> <strong>See Attached for FHFA Model Risk Management Guidance Handbook</strong></p><p align="left">&#160;</p><hr width="33%" align="left" /><p style="text-align&#58;left;"> <sup id="ft1"> <a href="#ref1">[1]</a></sup> Although the Office of Finance is not a “regulated entity” as the term is defined in the Federal Housing Enterprises Financial Safety and Soundness Act of 1992, as amended, for purposes of convenience, this advisory bulletin includes the Office of Finance when referring to the Regulated Entities collectively, unless otherwise noted.</p><p> <sup id="ft2"> <a href="#ref2">[2]</a></sup> Board of Governors of the Federal Reserve System and Office of the Comptroller of the Currency. Supervisory Guidance on Model Risk Management. OCC 2011-12 (April 4, 2011).</p>
Management of Deficiency Balances, AB 2013-05 (9/16/2013)<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>ADVISORY BULLETIN </p><p>AB 2013 – 05 </p><p>MANAGEMENT OF DEFICIENCY BALANCES </p></td></tr></tbody></table><h2>Introduction </h2><p>This advisory bulletin establishes supervisory expectations for deficiency balance management at Fannie Mae and Freddie Mac (the Enterprises). The bulletin describes factors that should be considered when deciding whether to pursue recovery of deficiency balances as part of a deficiency balance management program. The guidance in this bulletin is not intended to require actions to recover deficiency balances from borrowers who have made efforts to cure their default or to participate in a refinance, modification, or other foreclosure avoidance program. </p><h2>Background </h2><font face="Times New Roman,Times New Roman" size="3"><font face="Times New Roman,Times New Roman" size="3"><p>There is a deficiency balance when the proceeds from a foreclosure sale are insufficient to satisfy the outstanding unpaid principal balance, accrued but unpaid interest, and other expenses associated with a defaulted loan. When permitted under federal law and the laws of the jurisdiction governing the foreclosure, Fannie Mae and Freddie Mac may take action to recover the deficiency balance from the defaulting borrower. Such actions may include obtaining a deficiency judgment and other collection efforts. 
Pursuing recovery of a deficiency balance when economically beneficial to the Enterprise will reduce credit losses, and may act as a deterrent to so-called &quot;strategic defaulters,&quot; that is, borrowers who possess the financial ability to meet their mortgage loan contractual obligations but choose to stop making payments. </p></font></font><h2>Guidance </h2><strong><em><span style="text-decoration&#58;underline;"><font size="3"></font></span></em></strong><font face="Times New Roman,Times New Roman" size="3"><p>The Enterprises should maintain formal policies and procedures for managing and monitoring their deficiency balance collection decisions and processes consistent with prudent practices utilized in the financial services industry. An effective deficiency balance management program requires coordination among all parties involved in recovery activities, including third-party service providers. The Enterprises should establish controls to monitor the activities of these counterparties to ensure that deficiency balance management processes are timely, effective, and efficient, and consider possible remedial actions if they are not.</p><font size="3"><p>The Enterprises’ deficiency balance management programs should identify relevant factors to consider when determining whether to take action to recover a deficiency balance and the appropriate form of action. Those factors should include, but are not limited to, the following&#58; </p><ol><span style="text-decoration&#58;underline;"><font size="3"></font></span><font size="3"><li><p><span style="text-decoration&#58;underline;">Jurisdiction of Foreclosure&#58; </span>The laws governing foreclosure processes and collection of deficiency balances vary by state. Some states prohibit the practice and others place restrictions and timeframes on a lender’s ability to obtain and collect deficiency judgments. 
It is important that each Enterprise and its vendors comply with the applicable statute of limitations in order to preserve the ability to pursue collection. </p></li><span style="text-decoration&#58;underline;"></span><li><p><span style="text-decoration&#58;underline;">Federal and other Law&#58; </span>The Enterprise should consider whether a borrower has filed for bankruptcy or there is other litigation involving the property. </p></li><span style="text-decoration&#58;underline;"></span><li><p><span style="text-decoration&#58;underline;">Mortgage Insurance&#58; </span>For federally insured loans, the Department of Housing and Urban Development or the Department of Veterans Affairs may require the lender to pursue a deficiency judgment. For loans with private mortgage insurance, the terms of the policy that may affect the Enterprise’s ability to pursue a deficiency judgment must be considered. </p></li><span style="text-decoration&#58;underline;"></span><li><p><span style="text-decoration&#58;underline;">Loss Mitigation Efforts&#58; </span>A borrower’s efforts to cure the default or pursue an alternative to foreclosure, such as loan refinance or modification program offered by the Enterprise. An additional factor is the borrower’s participation in the Enterprise’s short sale or deed-in-lieu programs, which provide for a waiver of the Enterprise’s right to pursue deficiency judgments. </p></li><span style="text-decoration&#58;underline;"></span><li><p><span style="text-decoration&#58;underline;">Loan/Borrower-related Factors&#58; </span>An Enterprise should take into account particular characteristics of the loan and borrower that may indicate the likelihood of success of deficiency judgment in a particular case. 
These factors would include, for example, whether the foreclosed property was owner-occupied or purchased for investment purposes; whether the borrower defaulted on more than one mortgage held by the Enterprise; and available information (e.g., in a credit report) about whether the borrower has kept other financial obligations current. </p></li><span style="text-decoration&#58;underline;"></span><li><p><span style="text-decoration&#58;underline;">Elements of Bad Faith&#58;</span> Characteristics of strategic default behavior or possible fraudulent acts, such as loan documents that appear inaccurate or falsified, should be considered. </p></li><span style="text-decoration&#58;underline;"></span><li><p><span style="text-decoration&#58;underline;">Business Judgment&#58;</span> The decision to pursue collection should make economic sense to the Enterprise and reflect that the associated costs are in line with the Enterprise’s loss mitigation strategies. The amount of the deficiency, the reason for the default, the financial condition of the borrower, legal fees, and the availability and cost of qualified collection vendor(s) might all influence the decision to pursue a deficiency balance. </p></li></font></ol><font size="3"></font></font><font size="3"><font size="3"><p align="justify">The Enterprise’s determinations regarding deficiency balances should indicate relative weights of the different factors considered by the Enterprise. The Enterprise’s documented process in place for deficiency balance determinations should include a risk-based process for internal review of decisions as appropriate. </p><p>Examiners will review policies, procedures, and practices when examining Fannie Mae and Freddie Mac’s deficiency balance management programs. Each Enterprise should maintain documented analysis to support decisions regarding actions to recover deficiency balances. 
</p></font></font></font>6/16/2014 2:15:44 PM128http://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
FHFA Enforcement Policy (AB 2013-03, 5/31/2013)
<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p>ADVISORY BULLETIN</p><p>AB 2013-03</p><p>FHFA ENFORCEMENT POLICY</p></td></tr></tbody></table>
<h2>PURPOSE</h2>
<p>This advisory bulletin disseminates the Federal Housing Finance Agency (FHFA) policy for taking enforcement actions, when determined appropriate, to address compliance with laws, rules, or regulations; supervisory guidance, examination findings, or failure to comply with final agency orders; capital deficiencies; failure to meet prudential standards; and/or unsafe or unsound practices or conditions.</p>
<p>The enforcement policy provides FHFA guidance for internal agency purposes. FHFA is sharing the policy with the public as a means to promote supervisory transparency. The policy is not intended, does not, and may not be relied upon, to create rights, substantive or procedural, enforceable at law or in any administrative proceeding.</p>
<h2>SCOPE</h2>
<p>The enforcement policy is applicable to FHFA actions pertaining to the Federal Home Loan Banks, the Office of Finance, Fannie Mae, and Freddie Mac. Actions may take the form of informal enforcement actions; formal enforcement actions, such as cease-and-desist proceedings under 12 USC 4631; cease-and-desist orders and civil money penalties under 12 USC 4566(c)(1) and (c)(7), 12 USC 4581 and 4585, and 1430c(d); prompt corrective action directives under 12 USC 4611 et seq.; prudential management and operations standards orders under 12 USC 4513b; prompt supervisory responses under 12 CFR part 1777, subpart A; or some combination thereof.</p>
<p>The enforcement policy rescinds and replaces the FHFA Division of Federal Home Loan Bank Regulation Enforcement Policy (2012-DBR-01) issued in August 2012. The policy does not supersede or limit the applicability of any other FHFA regulation or policy that may provide more explicit guidance and direction, or establish supplemental procedures. The guidance provided in the enforcement policy does not remove or limit FHFA’s discretion and judgment in making decisions about whether to take an enforcement action, or in determining which type of enforcement action may be appropriate in a given set of circumstances.</p>
Clarification of Implementation for Advisory Bulletin 2012-02 (AB 2013-02, 5/13/2013)
<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p>ADVISORY BULLETIN</p><p>AB 2013-02</p><p>Clarification of Implementation for Advisory Bulletin 2012-02, Framework for Adversely Classifying Loans, Other Real Estate Owned, and Other Assets and Listing Assets for Special Mention</p></td></tr></tbody></table>
<h2>Background</h2>
<p>On April 9, 2012, the Federal Housing Finance Agency (FHFA) issued Advisory Bulletin 2012-02, Framework for Adversely Classifying Loans, Other Real Estate Owned, and Other Assets and Listing Assets for Special Mention. That guidance establishes a standard methodology for classifying loans, other real estate owned, and certain other assets, excluding investment securities, and prescribes the timing of asset charge-offs based on these classifications. Advisory Bulletin 2012-02 was effective upon issuance; however, FHFA has subsequently clarified details of the implementation date.</p>
<h2>Guidance</h2>
<p>Implementation of the asset classification framework may occur in two phases. The asset classification provisions in Advisory Bulletin 2012-02 should be implemented by January 1, 2014. The charge-off provisions have been extended and should be implemented no later than January 1, 2015.</p>

© 2014 Federal Housing Finance Agency