Federal Housing Finance Agency

Advisory Bulletins

Internal Audit Governance and Function (AB 2016-05, 10/7/2016)<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p>ADVISORY BULLETIN</p><p>AB 2016-05</p><p>INTERNAL AUDIT GOVERNANCE AND FUNCTION</p></td></tr></tbody></table><p style="text-decoration:underline;"><strong style="font-size:15px;"><em>Purpose</em></strong></p><p>This Advisory Bulletin (AB) applies to Fannie Mae and Freddie Mac (the Enterprises), the Federal Home Loan Banks (FHLBanks) (collectively, the regulated entities), and the FHLBanks' Office of Finance (OF). References to the regulated entities<sup>[1]</sup> in this AB equally apply to the OF. This AB rescinds and replaces the following guidance:</p><ul><li>2002-AB-05: <em>Risk Assessment – Internal Auditor Independence</em>;</li><li>1999-AB-10: <em>Internal Audit Department External Reviews</em>; and</li><li>1996-AB-01: <em>Examination Reviews of Audit Independence, Audit Committee Oversight of Selection, Compensation and Performance Evaluation of the Audit Director</em>.</li></ul><p>The Federal Housing Finance Agency (FHFA) requires the regulated entities to establish independent Internal Audit (IA) functions and expects those IA functions to provide timely feedback to management and assurance to audit committees on the effectiveness of regulated entities' internal controls, risk management, and governance. Timely and reliable information about elevated risks and internal control systems is important so that management can make prompt corrections.</p><p>This AB sets forth FHFA guidance and supervisory expectations regarding:</p><ol><li>Audit Committee Oversight of the IA Function;</li><li>IA Independence and Objectivity; and</li><li>IA Attributes and Operations, including IA's role in reporting to the audit committee on the regulated entity's identification of significant risks and the existence and effectiveness of related internal controls.</li></ol><p>A regulated entity's risk management framework generally comprises:</p><ul><li>Units engaged in business operations, which take and manage risks and report directly to management;<sup>[2]</sup></li><li>Independent risk management (including enterprise risk management, compliance, and other risk control functions), which monitors risk-taking activities, assesses risks and issues independent of business operations units, and is separate from first-line operating management but still under the direction and control of senior management; and</li><li>IA, which reports independently to the audit committee on risks, risk management, and the effectiveness of the regulated entity's system of internal controls.</li></ul><p>This structure is commonly known as the &quot;three lines of defense,&quot; and together these elements should form a strong and effective risk management framework. The guidance in this AB is consistent with the three lines of defense framework and sets forth FHFA's expectation that IA, as the third line of defense, is independent, objective, and effective at identifying and informing management and the audit committee about the regulated entity's risks and related controls.</p><p>FHFA expects Chief Audit Executives (CAEs)<sup>[3]</sup> to establish and audit committees to oversee IA functions that:</p><ul><li>Are independent and objective;</li><li>Continuously monitor key activities and associated risks;</li><li>Adapt audit approaches and activities to address changes; and</li><li>Identify and communicate internal control deficiencies and emerging, previously unidentified, or undervalued risks (<em>i.e.</em>, risks that have become more significant) to the audit committee and management.</li></ul><p>FHFA further expects audit committees, through their direction to and oversight of CAEs and IA functions, to validate that staffing and resource decisions take appropriate account of the risks at the regulated entity. FHFA expects that these decisions consider the entity's size, scale, complexity of operations, pace of innovation, and financial standing.</p><p style="text-decoration:underline;"><strong style="font-size:15px;"><em>Background</em></strong></p><p>FHFA recently published a revised rule, 12 CFR Parts 1236 and 1239, <em>Responsibilities of Boards of Directors, Corporate Practices, and Corporate Governance Matters</em>, that in part addresses regulated entities' audit committees' oversight of IA functions at the FHLBanks and the Enterprises. In addition, FHFA's standards for the FHLBanks and Enterprises specifically related to their audit committees and IA functions are in Standard 2 of the <em>FHFA Prudential Management and Operations Standards</em> (PMOS) (12 CFR Part 1236, Appendix). FHFA requirements relating to the OF's audit committee are set forth at 12 
CFR 1273.9.</p><p>For the FHLBanks, the regulations prescribe specific details about the composition of the audit committee, the independence of its members, the content of the audit committee charter, and the duties and responsibilities of the audit committee, including its oversight responsibilities with respect to the IA function.<sup>[4]</sup></p><p>The OF is the FHLBanks' fiscal agent. It compiles and publishes the FHLBanks' Combined Financial Reports. The OF's audit committee composition, responsibilities, and charter are addressed in 12 CFR 1273.9 and are similar to those applicable to FHLBanks. The OF is not a Securities and Exchange Commission registrant.</p><p>For the Enterprises, regulations in 12 CFR 1239.5(b) require that all the board committees comply with requirements established by the New York Stock Exchange (NYSE) and that the audit committees also comply with the requirements of Section 301 of the Sarbanes-Oxley Act of 2002.<sup>[5]</sup> Relevant portions of the NYSE rules address the composition of the audit committee, the independence of its members, the general requirements for its charter, the responsibilities and duties of the audit committee (which include assisting the board in oversight of the IA function), and the need for audit committees to meet separately and periodically with management, CAEs, and independent auditors.<sup>[6]</sup></p><p>Because the existing regulations and guidelines provide general requirements for oversight of the IA function, FHFA is issuing this AB to provide an additional level of detail on the responsibilities of audit committees in their oversight of the IA function, as well as on the independence and operation of the IA function. This guidance reflects FHFA's supervisory expectations that the audit committee actively and rigorously oversees the IA function and that the function is independent, objective, and effective. Further, this guidance is informed by FHFA's understanding of industry best practices for IA governance and operations at larger and more complex financial institutions.</p><p>In addition, the provisions of this AB are consistent with IA guidance issued by the federal banking regulatory agencies. That guidance includes the <em>Interagency Policy Statement on the Internal Audit Function and its Outsourcing</em> (March 17, 2003) and the Federal Reserve Board's <em>Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing</em> (January 23, 2013). This AB is also consistent with the <em>OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches; </em><a href="https://www.federalregister.gov/regulations/1557-AD78/occ-guidelines-establishing-heightened-standards-for-certain-large-national-banks-federal-savings-as"><span style="text-decoration:underline;"><em>Integration of 12 CFR Parts 30 and 170</em></span></a> (effective November 10, 2014) and with guidance in the October 27, 2009 FHFA <em>Examination for Accounting Practices</em> document, which remains in 
effect.</p><p style="text-decoration:underline;"><strong style="font-size:15px;"><em>Guidance</em></strong></p><p><strong>I. Audit Committee Oversight of the IA Function</strong></p><p>The board of directors of each regulated entity is required to have an audit committee responsible for overseeing the IA function and an individual responsible for the IA function (referred to in this document as the CAE, regardless of that individual's title). The audit committee should have regular and open communications with the CAE.</p><p>The audit committee should direct the CAE to structure the IA function so that it is appropriately designed, independent, and objective, and so that it effectively identifies and assesses risks. The committee should confirm that the regulated entity's IA audit methodology is established and activities are conducted in accordance with appropriate professional standards, such as the Institute of Internal Auditors' <em>International Standards for the Professional Practice of Internal Auditing</em> (IIA Standards). The CAE should periodically review IA's audit methodology with the committee and the committee should approve the methodology and significant changes thereto. Further, the audit committee should oversee the process by which issues that are reported by IA are promptly addressed and satisfactorily resolved by management.</p><p>A.&#160;&#160;&#160; <em>Audit Committee Charter and the Internal Audit Function</em></p><p>The audit committee is required to operate pursuant to a written charter,<sup>[7]</sup> which should be reviewed at least annually by the audit committee and full board of directors (board), and be re-approved at least every three years by the board.<sup>[8]</sup></p><p>FHFA expects that, at a minimum, the audit committee charter will address the following matters regarding the IA function:<sup>[9]</sup></p><ul><li>CAE selection, evaluation, compensation, and where appropriate, replacement: The charter should establish that the CAE may be hired or removed only with audit committee approval.</li><li>CAE reporting relationships: The charter should establish that the CAE reports directly to the audit committee and is ultimately accountable to the audit committee and 
board of directors in order to maintain independence and objectivity.</li><li>CAE access to the audit committee: The charter should provide the CAE with unrestricted access to the committee without the need for any prior management knowledge or approval and should establish executive session meetings with the CAE.</li><li>Annual review and approval of the Audit Plan: The committee should confirm that the scope of IA's activities is appropriate and approve the annual Audit Plan and significant changes thereto.</li><li>Annual review and approval of the IA department's budget: The committee should confirm that IA has sufficient resources to accomplish its objectives and approve the department's budget.</li></ul><p>B.&#160;&#160;&#160; <em>Audit Committee Communication with Internal Audit</em></p><p>The audit committee and the CAE, including IA staff, should have unrestricted access to each other without prior management knowledge or approval. FHFA expects audit committee leadership to discuss audit matters with the CAE between and apart from regular audit committee meetings to stay current on IA operations, emerging risks, and other relevant matters. If significant issues arise in these discussions, they should be raised with the committee in a timely manner. Regular executive sessions with the CAE are essential to ensure open and complete communications. These executive sessions should be confidential, closed to management, and regularly scheduled.</p><p>Regular written reports to the audit committee prior to each meeting, and otherwise as warranted, are an important component of effective communications between the CAE and the audit committee. Regular written reports from IA to the committee should generally address:</p><ul><li>Audit Findings and Risk Analyses:<ul><li>Audit reports focusing on less than satisfactory findings;</li><li>Significant and higher-risk issue follow-up information, including potential impact, aging, past-due status, root-cause analysis, progress towards remediating significant findings, and thematic trends;</li><li>Clear, timely, detailed reporting on open remediation plans, along with associated timetables that were agreed upon by stakeholders for significant open audit issues;</li><li>Information on significant industry and institution trends in risks and controls;</li><li>An assessment of risk management processes, including whether monitoring processes are appropriate and the effectiveness of management's self-assessment and remediation of identified issues; and</li><li>Aggregate information on the nature of significant trends, if any, in audit findings and observations that have been communicated to management but not detailed in reports to the audit committee.</li></ul></li><li>Audit Department Performance and Processes:<ul><li>Audit coverage and completion versus the Audit Plan;</li><li>Budgeted versus actual audit hours;</li><li>Any updates or amendments to the Audit Plan, including support for changes;</li><li>Results of internal and external quality assurance reviews;</li><li>Updates on the status of IA annual goals and objectives;</li><li>Significant changes in audit staffing levels and the status of required staff training;</li><li>Information on major projects and initiatives; and</li><li>Any significant changes in IA processes, including a periodic review of key IA policies and procedures.</li></ul></li></ul><p>C.&#160;&#160;&#160; <em>Monitoring and Performance Assessments</em></p><p>The audit committee should maintain a robust process for monitoring and, at least annually, formally assessing and evaluating CAE performance and the effectiveness of the IA function. The process should generally incorporate input from senior management and external auditors, from any outside peer reviews or assessments including regulatory examinations, and from the audit committee's own observations of and interactions with the CAE and IA staff. The audit committee should document its assessments of the CAE's and IA function's performance.</p><p><strong>II. IA Independence and Objectivity</strong></p><p>A.&#160;&#160;&#160; <em>Conflicts of Interest</em></p><p>Before appointing a CAE, and thereafter at least annually, the audit committee should confirm with the CAE and document whether the CAE has any actual or apparent conflicts of interest and should develop appropriate limits for the CAE's activities accordingly. If an audit committee considers a candidate for CAE with potential conflicts of interest, the conflicts, and any mitigating considerations, should be disclosed to and discussed by the audit committee and should be clearly documented in audit committee records.</p><p>Similarly, the CAE should regularly assess whether IA staff has actual, potential, or apparent conflicts of interest and appropriately restrict the activities of the staff to avoid those conflicts. At least annually, the CAE should confirm IA activities' independence to the audit committee. To help maintain the highest level of objectivity in the IA function, CAEs should consider rotating assignments for lead auditors and audit staff when feasible.</p><p>B.&#160;&#160;&#160; 
<em>Placement of IA in the Organization</em></p><p>Properly positioning the CAE and the IA function in a regulated entity's organization helps achieve objectivity and independence of the IA function and minimizes the opportunity for management to unduly influence, override, or limit IA activities or findings. The most structurally independent organizational arrangement for the IA function would have the CAE report directly to the audit committee regarding both audit issues and administrative matters. However, the CAE may report administratively to the Chief Executive Officer (CEO) if the audit committee so approves.<sup>[10]</sup></p><p>Board and senior management engagement and cooperation with IA are essential to its effectiveness. Boards and management should give IA full and unconditional access to any records and data, including access to management information systems and records and the minutes of all board and management committee meetings. FHFA expects IA to have access to management committee meetings and related materials in an ex-officio capacity, and any exceptions should be discussed and reconciled with the audit committee. Boards and management should also require timely remediation of audit issues.</p><p>C.&#160;&#160;&#160; <em>Scope Limitations</em></p><p>Should management attempt to hinder IA's objectivity and independence, for example, by restricting IA's access to records or personnel, IA staff should disclose to and discuss such attempts with the CAE. If the scope of an audit is affected by management's action, the limitation should be disclosed in the audit report and documented in the associated work papers. The CAE should report any attempts to hinder IA's objectivity and independence or limit the scope of an audit activity to the audit committee, generally through the chair, immediately for appropriate resolution.</p><p>D.&#160;&#160;&#160; <em>Internal Audit Compensation Arrangements</em></p><p>CAE compensation, which should be approved by the audit committee, should include an appropriate focus on performing audit activities and should only include incentives tied to actions and outcomes within the CAE's control and influence. Audit committees should not link CAE incentive compensation to the regulated entity's financial position, results of operations, achieving growth or volume targets, business unit compliance levels, or other measures or metrics that could impair or appear to impair IA independence or objectivity. CAE compensation should be reasonable and comparable with compensation for employment in other similar businesses (including publicly held financial institutions or major financial services companies) involving similar duties and responsibilities. To these ends, consulting with and obtaining input from a regulated entity's compensation committee may provide useful insights.</p><p><strong>III. IA Attributes and Operations</strong></p><p>A.&#160;&#160;&#160; <em>IA Function Attributes</em></p><p>1.&#160;&#160;&#160;&#160; <em>Internal Audit Department Charter</em></p><p>The IA department should have a written charter, which should be reviewed at least annually and be approved by the audit committee every three years or whenever substantive changes are made. The charter should define the purposes, authorities, and responsibilities of the IA function. The charter is the foundational document governing all IA activities. The charter should generally cover:</p><ul><li>IA Department Structure and Independence<ul><li>Indicate the IA function's placement within the regulated entity, the CAE's and IA function's authority, the CAE's functional reporting relationship to the audit committee, and the CAE's administrative reporting to senior management, if any;</li><li>Stipulate that IA has unrestricted access to the audit committee and authorize staff to access all regulated entity records and personnel needed to carry out their function; and</li><li>Require the IA function to maintain its independence and objectivity, particularly if IA provides non-attest services, such as consulting on internal controls design for information technology projects, performing financial reporting internal controls testing under management direction, and/or identifying potential operating inefficiencies for management.</li></ul></li><li>Applicable Standards and Codes of Ethics<ul><li>Identify standards applicable to the IA function and staff, including any professional standards, such as the Institute of Internal Auditors (IIA) Standards; and</li><li>Identify codes of ethics and requirements with which IA staff must comply. These may include both the regulated entity's own written code and one or more professional standard codes, such as the IIA's Code of Ethics.</li></ul></li><li>Reporting<ul><li>Indicate regular reports and items that the IA function is required to provide to the audit committee, including audit plans and annual budget and resource requirements;</li><li>Require timely reporting of significant deviations from approved plans; and</li><li>Require the IA function to monitor and report its activities and management's responses to IA findings, and track, assess, and regularly report on management's remedial actions regarding significant open compliance and regulatory examination issues.</li></ul></li><li>Performance Assessment and Quality Assurance<ul><li>Require the IA function to regularly assess its performance, including its performance relative to the Audit Plan;</li><li>Require the IA function to maintain internal quality assurance processes and programs, and document how weaknesses identified as a result of such processes and programs are addressed; and</li><li>Establish the timeframe for regular external quality reviews (at a minimum every five years) and require the IA function to document how any weaknesses, recommendations, or best practice suggestions identified as a result of such external quality reviews are addressed.</li></ul></li></ul><p>2.&#160;&#160;&#160;&#160; <em>IA Staffing and Professional Competence</em></p><p>The IA function needs sufficient staff with the requisite knowledge, skills, professional competence, resources, and stature within the regulated entity to assess the effectiveness of the regulated entity's controls and to credibly challenge management.</p><p>A regulated entity should have policies and procedures designed to reinforce that:</p><ul><li>The IA function hires and maintains sufficient, technically competent staff to provide adequate audit coverage of the regulated entity's risks;</li><li>IA staff are provided appropriate training and professional development opportunities to enable them to remain current in both technical matters and professional standards; and</li><li>IA staff understand their duties, including the duty to report instances of non-compliance with laws, regulations, regulatory guidance, generally accepted accounting principles, professional standards, or the regulated entity's own policies to the CAE, management, and/or the audit committee, as appropriate.</li></ul><p>Collectively, IA staff, supplemented as needed by external resources, should have the knowledge and skills, as evidenced by education and audit, industry, and technical experience, to audit the entire regulated entity. Relevant and current professional certifications and licenses provide evidence of certain technical knowledge and skills. Generally, IA staff should audit business units or functions related to their areas of expertise.</p><p>At least annually, the CAE is expected to assess and document the knowledge, skills, and abilities of IA staff and compare those with both the Audit Plan and the universe of risks in the regulated entity. When assessing the knowledge, skills, and abilities of IA staff, the CAE may consider management feedback and internal or external quality assurance assessments. If the assessment identifies gaps in IA staff knowledge, skills, and abilities, the CAE should identify a means for filling those gaps, which might include staff training, hiring new staff, and/or using co-sourcing or outsourcing arrangements. The CAE should report the results of the assessment to the audit committee.</p><p>The CAE should confirm that he/she and all IA staff receive ongoing formal training. CAEs and staff should generally receive a minimum of forty hours of training per year. The IA function should have a process to evaluate and monitor the quality and appropriateness of training. In addition to formal training, IA staff may benefit from staff rotations, both within the IA department and with business and risk management functions, in order to provide IA staff with broader exposure to those functions and opportunities to develop additional areas of expertise. We encourage such rotations where they are feasible and can be done without compromising audit coverage and IA independence.</p><p>3.&#160;&#160;&#160;&#160; <em>Co-sourcing and Outsourcing Internal Audit Activities</em></p><p>The IA function may be staffed using IA employees solely or by supplementing them with co-sourced or outsourced resources.<sup>[11]</sup> Co-sourcing or outsourcing engagements are generally entered into when a regulated entity has insufficient staff to complete planned audits in a timely manner or needs technical expertise beyond that of the IA staff. The CAE retains responsibility for managing and providing the audit committee with reports to enable the audit committee to oversee all IA work, whether done by IA staff, co-sourced, or outsourced.</p><p>Co-sourcing is a partnership between IA and an outside vendor (auditor or firm) that works with and often alongside, but does not replace, existing IA staff. In co-sourcing, IA staff takes an active part in project planning and decision making and may participate in preparing final reports. Further, IA manages and/or works alongside the specially-skilled partner(s) or vendor(s). One objective of co-sourcing may be to transfer knowledge from the vendor to IA. 
&#160;In a co-sourcing arrangement, the vendor has a dual reporting relationship to IA and the vendor's own management.&#160; The CAE should require in associated contracts with co-sourced partners that work complies with applicable IA policies and standards and that the workpapers associated with the co-sourced work are retained by IA, not the vendor.&#160; </p><p>Under an outsourcing arrangement, the outside vendor (auditor or firm) is responsible for performing discrete IA engagements.&#160; The CAE maintains ownership of the entire IA function, including outsourced activities.&#160; When outsourcing audit work, the CAE should approve the scope of work and procedures to be performed. &#160;The CAE remains responsible for results of outsourced work, including findings, conclusions, and recommendations.</p><p>Before hiring a vendor to perform IA work, the CAE should confirm that&#58;&#160; the vendor and staff who will work on the engagement have the technical knowledge and ability to perform the work; the engagement will be effectively managed; the vendor's work will be well-documented; that all control weaknesses and other significant findings, including any apparent regulatory violations, will be timely communicated to the CAE and other stakeholders; and that the regulated entity has appropriate contingency plans should a vendor be released or terminated before completing the engagement.</p><p>Co-sourced and outsourced audit work should be completed pursuant to an engagement letter or similar agreement covering all significant aspects of the engagement.&#160; Such engagement letters should generally&#58;</p><ul><li>Describe expectations and responsibilities for the regulated entity and the vendor;</li><li>Define the work to be performed and the amount and timing of fees to be paid;</li><li>Describe the responsibilities for providing and receiving information, including the type and frequency of contract work status reporting to the CAE and the audit 
committee;</li><li>Describe the process for changing engagement terms, such as for expanding work if significant issues are identified;</li><li>Define conditions that would constitute default and remedies including canceling the engagement;</li><li>Establish who bears the cost of damages arising from errors, omissions, and negligence;</li><li>State that the vendor will not perform management functions, make management decisions, or act or appear to act in a capacity equivalent to that of a member of management or an employee and, if applicable, will comply with American Institute of Certified Public Accountants, Securities and Exchange Commission, Public Company Accounting Oversight Board, and other relevant professional standards, and other applicable regulatory guidance; and</li><li>For any engagements where reports or workpapers will be retained by the vendor&#58;</li><ul><li>Establish that reports created by the vendor during the engagement are the property of the regulated entity, that the regulated entity will be provided with any copies of the related workpapers it deems necessary, and that employees authorized by the regulated entity will have reasonable and timely access to the workpapers prepared by the vendor;</li><li>Specify the locations of reports and the related workpapers and the length of time vendors must maintain workpapers;</li><li>State that FHFA examination staff will have full and timely access to vendor-created IA reports and related workpapers. 
</li></ul></ul><p>B.&#160;&#160;&#160; <em>Internal Audit Operations</em><br></p><p>1.&#160;&#160;&#160;&#160; <em>Internal Audit Risk Assessments</em></p><p>Regulated entities' IA universes (comprising all auditable entities<span style="text-decoration&#58;underline;">[12]</span> that are significant and subject to risks for which controls should be reviewed) should be regularly updated for organizational changes.&#160; Audit plans should be formulated to provide reasonable assurance that a regulated entity's system of controls is well-designed, operates effectively, and manages risks to an acceptable level.&#160; At least annually, IA should perform a risk assessment that includes reviews of its IA universe and Audit Plan to ensure that all auditable entities receive audit coverage over an appropriate period of time commensurate with associated risks.&#160; </p><p>The IA risk assessment should include four basic steps&#58; &#160;1) identify inherent risks to the regulated entity; 2) understand management's controls over those inherent risks; 3) assess residual or remaining risks to establish the frequency with which activities should be audited; and 4) prioritize auditable entities from the audit universe for audit coverage. 
&#160;The IA risk assessment should also consider multiple approaches.&#160; For example a &quot;top-down&quot; approach could complement a bottom-up approach.&#160; A top-down approach begins with identifying industry, environmental, and other enterprise-wide current or emerging risks.&#160; A bottom-up approach starts with the audit universe, then assesses and aggregates risks attributable to auditable entities within the audit universe.&#160; </p><p>The CAE should perform the risk assessment annually and should document the IA staff's understanding of the entity's significant business activities and the associated risks.&#160; To facilitate risk assessment and audit planning, IA should maintain (or regularly review if such an inventory is maintained by independent risk management) a complete inventory of all of the regulated entity's material processes, product lines, services, and functions, and then assess the risks, including emerging risks, associated with each.&#160; The risk assessment should consider and address risks to the regulated entity from all sources, both internal and external.&#160; These include, but are not limited to, credit, market, operational, governance, reputational, fraud, and compliance risk.&#160; The assessment should also consider thematic control issues and layered or aggregated risks that cross business units or lines of business.&#160; The risk assessment should analyze and prioritize key risks and risk management functions.</p><p>While the risk assessment should reflect IA's independent analysis, IA may consider all available information, for example, input from management self-assessments. 
&#160;While the formal risk assessment is performed annually, IA should update it as needed for major organizational changes, infrastructure changes, or changes in the regulated entity's external business or regulatory environment.</p><p>As underlying technology has advanced, more business entities are using &quot;Continuous Monitoring&quot; (CM) tools to continuously assess and provide management feedback on whether business processes are performing effectively and &quot;Continuous Auditing&quot; (CA) tools, which allow IA to gather and review control-related business process data. &#160;</p><p>FHFA expects IA functions to employ formal CA and/or CM practices.&#160; CA and CM can be conducted by IA staff and/or through technological tools.&#160; In either case, it should be done pursuant to written policies and procedures that support consistent and comparable results.&#160; CA and CM should be documented through business metrics, management reporting, reports to audit committees, and through any related adjustments made to audit risk assessments and plans.&#160; IA should continuously monitor key business metrics and performance indicators. &#160;IA should work to understand changes and their drivers in order to help identify potential audit issues and changes in the business environment and to adjust risk assessments and audit plans, if needed, in a timely manner.</p><p>2.&#160;&#160;&#160;&#160; <em>Internal</em><em> </em><em>Audit</em><em> </em><em>Planning</em></p><p>At least annually, IA should review and update the Audit Plan.&#160; The Audit Plan should be based on the risk assessment and should consider key risks and related controls within each significant business and functional activity, the timing and frequency of planned IA work, and a resource budget. &#160;During the planning process, IA should analyze the regulated entity's specific risks, mitigating controls, and level of residual risk. 
&#160;The CAE should have a contingency plan to mitigate any significant disruption to audit coverage, particularly for high-risk areas. &#160;Documentation supporting the Audit Plan should reference the IA program that describes the objectives of the audit work and the audit work expected to be performed during each IA activity.</p><p>The audit planning process should include evaluating management's root cause and lessons learned analyses performed after a significant adverse event.&#160; IA should consider management's analysis of reasons for the adverse event and whether it resulted from a control breakdown or failure.&#160; IA should confirm that management correctly identified the measures needed to prevent a similar event from occurring in the future.&#160; In certain situations, IA should conduct its own lessons learned analysis outlining the remediation procedures necessary to detect, correct, and/or prevent future internal control breakdowns (including improvements in IA processes).</p><p>The audit planning process should also be designed to inform the board's responsibilities for risk oversight to include&#58;&#160; overseeing the regulated entity's operational and risk management; remaining informed about the regulated entity's operations and condition; and remaining informed about the entity's risk exposures and senior management's actions to address them. 
&#160;The Audit Plan should be designed to provide the audit committee with the depth and breadth of IA assurance it needs to inform those responsibilities.</p><p>3.&#160;&#160;&#160;&#160; <em>Internal Audit Coverage of Risk Management and Regulatory Compliance Programs</em></p><p>FHFA regulations require the Enterprises and FHLBanks to appoint a Chief Risk Officer (CRO) to implement and maintain appropriate enterprise-wide risk management practices and a Compliance Officer (CO) to head a compliance program designed to assure that they comply with applicable laws, rules, regulations, and internal controls.&#160; Both officers should regularly report to the board (in addition, the CRO reports to the Risk Committee) and to the CEO.&#160; These functions are part of the regulated entity's second line of defense, its independent risk management function, and are &#160;separate from first-line operating management but still under the direction and control of senior management.</p><p>IA is the regulated entity's third line of defense.&#160; IA should, through its risk assessment and auditing processes, provide the audit committee with independent assurance that enterprise risk management and compliance programs are working effectively, that those programs have identified and reported timely enterprise and compliance risks, and that significant risks are managed to an acceptable level.&#160; </p><p>4.&#160;&#160;&#160;&#160; <em>Internal Audit Frequency</em></p><p>Internal audits should generally cover the entire audit universe over a maximum four year period. 
High-risk areas should generally be audited annually, and moderate- and low-risk audits should be scheduled every 12 to 48 months (or one to four years) based on a risk assessment and ranking that is regularly reviewed and updated.&#160; FHFA expects that IA will weigh both inherent and residual risk when deciding on how frequently to audit an area and in considering the audit approach, including the nature and extent of testing.&#160; The CAE should confirm that higher level risks, including thematic trends and control issues, are not underreported due to being separately captured in moderate- or low-risk audits.<span style="text-decoration&#58;underline;">[13]</span>&#160; Audit plans should be dynamic and include time to expand audit work when unexpected or higher risks are identified through CM activities, scheduled audits, or otherwise.&#160; The CAE should regularly report significant changes to the audit universe or audit plans to the audit committee, along with an analysis supporting the changes.</p><p>5.&#160;&#160;&#160;&#160; <em>Internal Audit Reports</em></p><p>IA reports should generally present the purpose, scope, objectives, and results of the audit, including findings, conclusions, observations, and/or recommendations however styled.&#160; Final reports should also document management's response to findings.&#160; IA should maintain work papers that document the work performed and support the audit report.</p><p>IA should establish and implement a documented methodology that employs appropriate criteria to prioritize and rank audit issues.&#160; The criteria should be sufficiently objective to promote consistent application of judgment and appropriate prioritization of audit issue severity. 
</p><p>6.&#160;&#160;&#160;&#160; <em>Internal Audit Issues Monitoring and Tracking</em></p><p>Audit committees should regularly receive clear, timely, and detailed reports on significant open violations, findings, weaknesses, and other issues, regardless of their original source.&#160; Issues that FHFA requires to be reported to audit committee chairs, whether by FHFA or regulated entities' management, including all FHFA Matters Requiring Attention (MRAs), should be presumed significant.&#160; Issues may originate from IA audits and reviews, external audit, regulatory examinations, management self-identification, outside consultants' work, and other sources.&#160; IA should also verify that significant risks and/or control deficiencies identified by first- and second-line of defense units, external auditors, or other parties are adequately assessed and communicated to management and board stakeholders.&#160; To facilitate the timely and effective remediation of open audit issues, IA and management or the board (as warranted) should agree on a resolution date and on interim milestones, if appropriate.&#160; </p><p>IA should establish standards for performing timely and appropriately rigorous validation work once management asserts that remediation of significant audit issues (to include MRAs) has occurred.&#160; When management or the board indicates that they have performed the required remediation, IA should validate that revised processes and controls are in place, operating, and sustainable before closing the issue.&#160; The level of validation work that IA should perform to close an issue will vary based on the issue's risk, complexity, and associated interdependencies.&#160; For higher-risk issues, IA should verify that sufficient testing is performed over an appropriate period of time to validate that the issue is sustainably resolved. 
</p><p>IA reports should include key information about open remediation plans and associated timetables agreed on by stakeholders.&#160; Reports should highlight significant issues with delayed remediation, including those for which management has made agreed-upon corrective steps and/or control design changes that are pending validation, until testing is complete.&#160; These steps should help to verify that control changes are effective and sustainable and to identify issues for which the planned remediation may need to be amended.</p><p>Regulated entities should establish and implement policies and/or procedures as appropriate for documenting, monitoring, tracking, and reporting on management's acceptance of risks for any management decision not to remediate audit issues, or for time extensions to perform agreed-upon remediation.&#160; If such accepted risks are individually or in aggregate more than insignificant, the CAE should consult with senior management and the audit committee as appropriate.</p><p>7.&#160;&#160;&#160;&#160; <em>Quality</em><em> Assurance </em><em>Program</em></p><p>An effective IA Quality Assurance Program (QAP) should be implemented to help minimize audit risk, including the risk that an audit reaches inaccurate conclusions.&#160; A QAP should include regular internal processes and reviews, as well as an external Quality Assurance Review (QAR) to be performed at least every five years.&#160; </p><p>The internal QAP review should include rigorous reviews by IA management and/or peer reviews of reports and work papers for clarity, adherence to IA policies and procedures, and consistency with relevant professional standards.&#160; The QAP should help confirm that IA policies, procedures, and processes comply with applicable regulatory and industry guidance; are appropriate for the size, complexity, and risk profile of the regulated entity; are updated to reflect changes to internal and external risk factors, emerging risks, and 
improvements in industry; and are followed consistently.&#160; QAP reviews and self-assessments may be activity driven or ongoing.&#160; Gaps identified should be documented and addressed timely.&#160; The CAE should report the results of the QAP to the audit committee at least annually and results from the QAR and any other external review, as received.</p><p><span style="text-decoration&#58;underline;">[1]</span> The OF is not a &quot;regulated entity&quot; as the term is defined in the Federal Housing Enterprises Financial Safety and Soundness Act as amended.&#160; However, for convenience, references to the &quot;regulated entities&quot; in this AB should be read to also apply to the OF.</p><p><span style="text-decoration&#58;underline;">[2]</span> &quot;Management&quot; as the term is used in this guidance generally comprises the CEO and subordinate managers, who engage in business operations.</p><p><span style="text-decoration&#58;underline;">[3]</span> As used in this guidance, the term &quot;Chief Audit Executive&quot; means the individual responsible for the internal audit function at a regulated entity.</p><p><span style="text-decoration&#58;underline;">[4]</span> 12 CFR 1239.32.</p><p><span style="text-decoration&#58;underline;">[5]</span> Section 301 of the Sarbanes-Oxley Act does not directly address the audit committee's oversight of the IA function.</p><p><span style="text-decoration&#58;underline;">[6]</span> NYSE Listed Company Manual, Rule 303A.07.</p><p><span style="text-decoration&#58;underline;">[7]</span> 12 CFR 1239.5(c).</p><p><span style="text-decoration&#58;underline;">[8]</span> For the FHLBanks, annual review by the committee and the full board, and re-approval by the board at least every three years are required by regulation.&#160; 12 CFR 1239.32(d).</p><p><span style="text-decoration&#58;underline;">[9]</span> For the FHLBanks, these items, except audit committee approval of the IA department budget, are regulatory requirements.&#160; 12 CFR 1239.32(d)(3), (e)(3).</p><p><span style="text-decoration&#58;underline;">[10]</span> 12 CFR Part 1273.9(b)(5), which relates to the OF only, states &quot;the internal auditor shall report directly to the Audit Committee and administratively to executive management.&quot;</p><p><span style="text-decoration&#58;underline;">[11]</span> Co-sourced and outsourced audit engagements should be awarded in compliance with the requirements for equal opportunity in employment and contracting under applicable provisions of the Minority and Women Inclusion and Diversity at Regulated Entities and the Office of Finance regulation, 12 CFR 1207.21.</p><p><span style="text-decoration&#58;underline;">[12]</span> Auditable entities collectively comprise the potential audit universe and may represent business units, departments, processes, general ledger accounts, or other functions at a regulated entity that are suitable for audit.</p><p><span style="text-decoration&#58;underline;">[13]</span> For example, if a regulated entity relies on user-developed spreadsheets across its operations, and IA has identified high level or thematic control issues regarding such spreadsheets, the incremental spreadsheet control risk in moderate- or 
low-risk auditable entities should be aggregated, addressed, and reported appropriately.</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;">Advisory bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, the Office of Finance, Fannie Mae, and Freddie Mac.&#160; This Advisory Bulletin is effective January 1, 2017.&#160; Contact David R. Poston, Deputy Chief Accountant, Office of Chief Accountant at <a href="mailto&#58;David.Poston@fhfa.gov"><span style="text-decoration&#58;underline;">David.Poston@fhfa.gov</span></a> or 202-649-3467, or Nicholas J. Satriano, Chief Accountant, at <a href="mailto&#58;Nicholas.Satriano@fhfa.gov"><span style="text-decoration&#58;underline;">Nicholas.Satriano@fhfa.gov</span></a> or 202-649-3450, with comments or questions pertaining to this bulletin.</td></tr></tbody></table>
<p>Data Management and Usage (Fannie Mae &amp; Freddie Mac, 9/29/2016, AB 2016-04)</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p><strong>ADVISORY BULLETIN</strong></p><p> <strong>AB 2016-04</strong></p><p> <strong>DATA MANAGEMENT AND USAGE</strong></p></td></tr></tbody></table><p style="text-decoration&#58;underline;"> <strong><em>Purpose</em></strong></p><p>This advisory bulletin communicates to Fannie Mae and Freddie Mac (the Enterprises) the Federal Housing Finance Agency’s (FHFA) supervisory expectations for the management of data, including expectations for data governance, architecture, quality, and security. Strong data management supports safe and sound operations by enabling an Enterprise to provide secure, accurate, and accessible data to meet business needs and for use in risk management and compliance processes.</p><p style="text-decoration&#58;underline;"> <strong><em>Background</em></strong></p><p>Data management is the development, implementation, and enforcement of policies, procedures, and standards throughout the data lifecycle that establish how data are defined, shared, stored, protected, retrieved, and purged. Strong data management enables an Enterprise to reduce its exposure to operational, financial, and reputational risks. Consistent data management methods can reduce the likelihood of operational errors, adverse business decisions, and financial loss.</p><p>FHFA’s general standards for safe and sound operations are set forth in the Prudential Management and Operations Standards (PMOS) at 12 CFR Part 1236. Standard 1 (Internal Controls and Information Systems) articulates the considerations for the board of directors and management to evaluate when establishing internal controls and information systems. 
FHFA expects the Enterprises to provide relevant, accurate, and timely information to decision-makers and personnel in risk management and compliance functions; to establish and test contingency arrangements for information systems storing data; and to communicate policies and procedures to all personnel with regard to their respective duties and responsibilities. Effective data management includes compliance with applicable laws and regulations and adherence to FHFA supervisory guidance.</p><p style="text-decoration&#58;underline;"> <strong><em>Guidance</em></strong></p><p>FHFA expects each Enterprise to have enterprise-wide data management policies, procedures, and standards. Data architecture should be integrated and provide scalable accessibility and effective utilization across the Enterprise as appropriate. Each Enterprise should establish data quality requirements so that data used for decision-making are relevant, accurate, complete, timely, and consistent. Data management practices should allow users to identify and access appropriate data for business, risk management, and compliance activities and functions. FHFA expects the confidentiality, integrity, and availability of data to be consistent with sound business practices and regulatory requirements.</p><p>Fundamental requirements in the following areas are detailed below&#58;</p><ul><li>Data Governance<br></li><li>Data Architecture<br></li><li>Data Quality<br></li><li>Data Security<br></li><li>Data Usage<br></li></ul><p> <em>Data Governance</em></p><p>Data governance provides the necessary framework to control and support data used in decision-making and risk management. Each Enterprise should establish a data strategy that supports organizational goals through data management, and effective policies, procedures, and standards to maintain the confidentiality, integrity, and availability of Enterprise data throughout the data lifecycle. 
Policies, procedures, and standards should cover, at a minimum, data architecture, data quality, data security, and data usage. Policies and procedures should establish data requirements; controls for assessing and monitoring data; assignment and coordination of individuals’ roles and responsibilities, including their authority to manage the data; and&#160;management support and accountability of data-related issues. Policies, procedures, and standards should be reviewed and updated at least annually and aligned with legal and regulatory requirements for records management.</p><p>In order to assure data oversight and accountability, an Enterprise should designate individuals to be responsible for managing data and representing the interests of relevant stakeholders. Defined responsibilities should include, at a minimum, identifying and monitoring controls for processing or storing data; managing content of both structured and unstructured data; and controlling data from internal and external sources. A senior-level management official should be responsible for and report on effective data management practices for each business unit or control function.</p><p>The Enterprises should monitor and enforce data policies, procedures, and standards. Instances of non-compliance should be identified and tracked through to resolution. Metrics to measure and communicate the effectiveness of the Enterprise’s data strategy should be developed and adopted.</p><p> <em>Data Architecture</em></p><p>Data architecture should define and support data requirements and formats, direct the integration of data, and align data investments with the data strategy. An Enterprise should establish data standardization requirements across the organization that are consistent with the data strategy and that reflect the needs of business and risk management functions. Adherence to those requirements should be confirmed throughout the data lifecycle. 
Each Enterprise should deploy data in a way that reduces redundancy and encourages the use of a single-source system of record for each element. Data should be maintained or archived pursuant to business, legal, and risk requirements to allow for recovery or evaluation of historical data outputs, whether stored in an Enterprise’s data center or in a hosted cloud environment. The use of data virtualization should consider appropriate data synchronization and integration.</p><p>Data models define the Enterprise’s technical requirements for data and the structure to support those requirements. Data modeling, in conformance with established standards, can support reliable data quality and reduce disparate data. In order to standardize data and track the flow of data, both business and technical metadata should be used to describe data characteristics for purposes of organization, collection, storage, and usage. Metadata can improve business collaboration, integration, and efficiency by providing organizational understanding of data and the business processes used by the Enterprises.</p><p> <em>Data Quality</em></p><p>An Enterprise should take steps designed to ensure that data are of an acceptable quality to meet business requirements and control function needs. Data should be sufficiently accurate, complete, timely, and consistent to enable the Enterprise to generate reliable results, such as for reporting and risk modeling. 
An Enterprise should have comprehensive data quality management policies and procedures that include outlining roles and responsibilities regarding the collection, dissemination, and maintenance of data, both created and acquired; defining data quality requirements for created data; defining data quality checks for acquired data; and requiring a mechanism for assessing and verifying data quality, data quality metrics, and data conformance requirements.</p><p>Data should be validated at different points in the lifecycle to assure it meets integrity requirements. An Enterprise should have a methodology for identifying and addressing data inconsistencies, problems, and defects. An Enterprise should design and implement controls intended to ensure quality of data in use, at rest, and moving through applications or databases. Data standardization should consider the relationships of data and how to maintain integrity of data from multiple sources. Tools and techniques should be employed to assure conformity to data quality standards. Data used for decision making should have auditable trails to confirm the quality of data.</p><p> <em>Data Security</em></p><p>Data must be protected against unauthorized and inappropriate use, modification, disclosure, and purging. Each Enterprise should have policies and procedures for monitoring and managing data security that are intended to ensure confidentiality, integrity, and appropriate availability of data. This includes the creation and maintenance of data classifications and controls consistent with the internal standards established in data governance, data architecture, and data quality management.</p><p>Data security management should contain specific security requirements established for categories of data, such as personally identifiable information, intellectual property, and non-public information. Data security controls should be commensurate with the security requirements. 
Each Enterprise should have procedures and processes to ensure that the controls are documented, reviewed, and tested related to those requirements. In order to secure data, an Enterprise should maintain a comprehensive inventory of databases and contents to identify and protect their data and dataflow. An Enterprise should identify and implement encryption controls that are consistent with industry standards and supervisory guidance.</p><p> <em>Data Usage</em></p><p>Data management enables relevant data to be used by an Enterprise to meet its business needs; manage business risks; and support risk management and compliance functions. Enterprise data, whether generated internally or acquired, should be available to business and risk functions to provide comprehensive, clear, and useful outputs. Reporting or risk modeling processes should accurately aggregate data and be able to be reconciled and validated. Reliance on manual processes to manipulate data should be limited to reduce the possibility of human error. Each Enterprise should establish procedures intended to ensure that reports conveying the same data are consistent enterprise-wide. 
Sufficient controls should be implemented to appropriately protect the confidentiality of distributed information derived from data.</p><p style="text-decoration&#58;underline;"> <strong><em>Related Guidance</em></strong></p><p> <em>Information Technology Investment Management, </em>Federal Housing Finance Agency Advisory Bulletin AB-2015-06, September 21, 2015.</p><p> <em>Cyber Risk Management Guidance, </em>Federal Housing Finance Agency Advisory Bulletin AB-2014-05, May 19, 2014.</p><p> <em>Operational Risk Management, </em>Federal Housing Finance Agency Advisory Bulletin AB-2014-02, February 18, 2014.</p><p> <em>Model Risk Management Guidance, </em>Federal Housing Finance Agency Advisory Bulletin AB-2013-07, November 20, 2013.</p><p>12 CFR Part 1236 Prudential Management and Operations Standards, June 8, 2012.</p><p> <em>Safety and Soundness Standards for Information, </em>Office of Federal Housing Enterprise Oversight Policy Guidance PG-01-002, December 19, 2001.</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;">Advisory bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, the Office of Finance, Fannie Mae, and Freddie Mac. This advisory bulletin is effective immediately upon issuance. Contact Kari Walter, Senior Associate Director, Office of Governance, Compliance, and Operational Risk at <a href="mailto&#58;Kari.Walter@fhfa.gov">Kari.Walter@fhfa.gov</a> or Annie Golden, Supervisory Risk Analyst, Office of Governance, Compliance, and Operational Risk at <a href="mailto&#58;Annie.Golden@fhfa.gov">Annie.Golden@fhfa.gov</a> with comments or questions pertaining to this bulletin.</td></tr></tbody></table>
Fraud Risk Management18654Fannie Mae & Freddie Mac9/29/2015 4:00:00 AMAB 2015-07<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>ADVISORY BULLETIN&#160;</strong><br></p><p> <strong>AB 2015-07</strong><br></p><p> <strong>FRAUD RISK MANAGEMENT&#160;&#160;</strong></p></td></tr></tbody></table><p> <span style="text-decoration&#58;underline;"><strong><em>Purpose</em></strong></span></p><p>This Advisory Bulletin communicates to Fannie Mae and Freddie Mac (the Enterprises) the Federal Housing Finance Agency's (FHFA) supervisory expectations for fraud risk management, including the establishment and maintenance of internal controls to prevent, deter, and detect fraud or possible fraud.&#160; </p><p> <span style="text-decoration&#58;underline;"> <strong> <em>Background</em></strong></span></p><p>Effective fraud risk management is essential to the safe and sound operations of the Enterprises.&#160; Potential exposure to the risk of fraud exists in Enterprise business operations.&#160; For example, single-family and multifamily mortgage operations have exposure to the risk of fraud associated with activities of borrowers, loan originators, mortgage brokers, loan sellers, attorneys, servicers, appraisers, property managers, and third parties engaged to perform functions relating to loans or the collateral securing the loans.&#160; Capital markets activities may expose an Enterprise to fraud committed by counterparties involved in securitizations.&#160; The Enterprises also have potential exposure to fraud risk resulting from insider malfeasance.<a id="ref1" href="#1"><font color="#0066cc">[1]</font></a></p><p>Fraud may subject an Enterprise to financial, operational, legal, or reputational harm.&#160; For example, mortgage fraud may result in financial losses for an Enterprise if a seller does not have the financial ability and willingness to honor its obligation to repurchase 
fraudulent loans.&#160; Other types of fraud may result in financial losses if the fraud is not fully covered by fidelity bond insurance.&#160; An Enterprise may be exposed to litigation or civil money penalties for failure to comply with fraud-related statutes and regulations.&#160; Further, fraud may cause reputational risk if an Enterprise's operations are used or perceived to be used to perpetrate fraud. &#160;While experience demonstrates that fraud may not be prevented completely, it may be deterred or reduced through appropriate anti-fraud procedures that are maintained and reviewed over time.</p><p> <span style="text-decoration&#58;underline;">Examples of Fraud</span> </p><p>The Enterprises may encounter various types of fraud.&#160; For example, mortgage fraud may occur in mortgage loans purchased for an Enterprise's own portfolios or for securitization.&#160; Fraud may be committed as part of the origination, underwriting, or closing process or in conjunction with the servicing of a loan on behalf of an Enterprise.&#160; </p><p>Mortgage-related fraud may be committed by various participants in the origination, selling, and servicing of mortgage loans.&#160; Borrowers may provide false identification, employment, or income information to obtain approval for a mortgage loan.&#160; Parties involved in loan originations, such as appraisers, attorneys, and title agencies, may engage in misrepresentation of collateral or of the performance of contracted responsibilities, or in diversion of funds.&#160; Sellers of mortgage loans may misrepresent underwriting standards or deliver a single mortgage loan multiple times.&#160; Servicers may divert custodial or other funds received to accounts used for their own purposes.&#160; </p><p>Mortgage-related fraud may be part of larger schemes that include originating mortgage loans through the use of straw borrowers, illegal property flipping, double-pledging of collateral, and builder bailouts.&#160; Post-origination 
mortgage fraud may target financially distressed borrowers to steal equity in or secure title to a property through fraudulent workout schemes or short sales.&#160; </p><p>Insider fraud (<em>i.e.</em>, fraud involving current or former employees and contractors) may include accounting fraud, payroll fraud, embezzlement, or collaboration with external parties in a fraud against an Enterprise or other financial institution.&#160; </p><p>The wide variation of possible fraudulent activities creates a broad range of fraud risk; therefore, an Enterprise should implement a risk-based approach to fraud risk management that takes into account the scope and potential harm to the Enterprise of possible fraud.</p><p> <span style="text-decoration&#58;underline;"> <strong> <em>Guidance</em></strong></span></p><p>This Advisory Bulletin describes FHFA's expectations for the oversight of fraud risk management, key elements of a risk-based approach to fraud risk management, and the training and independent testing functions that should accompany an Enterprise's fraud risk management approach. 
&#160;As described below, FHFA expects that the Enterprises will take steps to manage fraud risk in all business lines and operational functions.<a id="ref2" href="#2"><font color="#0066cc">[2]</font></a></p><p> <span style="text-decoration&#58;underline;">Oversight of Fraud Risk Management</span></p><p>Each Enterprise's board of directors has a responsibility to ensure that the Enterprise's management is committed to effective fraud risk management and that the Enterprise has appropriate policies for preventing and detecting fraud or possible fraud.&#160; The Enterprise should have documented processes in place to appropriately inform the board about fraud risk management activities and significant instances of fraud or possible fraud.&#160; Fraud risk should be included in the risk management policies that are approved by the board or a committee thereof, and reviewed on a periodic basis.&#160; </p><p>The policies should establish the Enterprise's standards and reporting processes relating to fraud and possible fraud.&#160; The policies should designate the management official(s) responsible for the oversight of fraud risk management and define specific roles and responsibilities for personnel with fraud risk management responsibilities.&#160; </p><p>Enterprise management should develop and oversee the implementation of business unit policies and procedures to implement and support anti-fraud and regulatory reporting programs and controls consistent with the Enterprise's policies.&#160; Business unit policies should detail the Enterprise's fraud risk management processes, including risk assessments, internal controls, training, independent testing, fraud response protocols, and board and senior management reporting.&#160; </p><p>The Enterprise should provide for appropriate coordination across business lines and functions of fraud risk management activities and resources.&#160; Areas of 
coordination may include risk assessments, oversight of the design and implementation of anti-fraud and regulatory reporting programs and controls, and reporting to senior management and the board or a committee thereof, as appropriate, the results of the Enterprise's fraud risk management efforts.&#160; </p><p> <span style="text-decoration&#58;underline;">Elements of Fraud Risk Management</span></p><p>Effective fraud risk management should include&#58;</p><ul style="list-style-type&#58;disc;"><li>Ongoing risk assessments to determine areas of heightened risk for possible fraud and adequacy of the control environment. </li><li>Risk-based internal controls that are designed to prevent and deter fraud from occurring.</li><li>Risk-based internal controls that are designed to detect fraud when it occurs.</li><li>Processes for responding to and reporting fraud or possible fraud.</li></ul><p> <em>Risk Assessments</em> </p><p>An Enterprise should have an ongoing process for performing risk assessments to identify and assess risk of fraud and to evaluate controls in place to mitigate risk.&#160; Risk assessments should consider factors such as products, services, customers, counterparties, and geographic locations, and should cover business units and operational and control functions.&#160; Fraud risk assessments should provide the basis for internal controls to prevent and deter fraud and to detect fraud or possible fraud.&#160; An Enterprise should have in place a process for periodically updating fraud risk assessments and making associated changes to internal controls.&#160; </p><p> <em>Fraud Prevention and Deterrence</em></p><p>Each Enterprise should maintain effective internal controls designed to prevent and deter fraud.&#160; The type and scale of internal controls will vary depending on the operational area, product type, and fraud risk.&#160; Types of controls include segregation of duties; a system of proper authorizations; physical safeguards to prohibit access 
to assets and records; a system of independent checks; and records to provide an audit trail.&#160; </p><p>Internal controls should be clearly documented and subject to ongoing review to determine whether they are followed, are effective, and reflect current industry sound practices.&#160; With regard to potential insider fraud, policies related to the consequences of committing or concealing fraud should be communicated clearly to all personnel.&#160; </p><p> <em>Fraud Detection </em></p><p>The complexity and extent of the internal controls for detection of different types of potential fraud in different business activities should be based on the fraud risk assessment, in light of the size, structure, risks, complexity, and vulnerability to fraud of the particular activity.&#160; Fraud detection controls and tools may include, but are not limited to, internal and external tip hotlines; whistleblower vehicles; audits; quality control reviews; and analysis of financial, operational, and transaction data.&#160; Detection methods may involve a review of transactions for possible fraud and, where possible, should include a review for red flags that indicate fraud or possible fraud.&#160; Examples of red flags may include patterns of inconsistency in borrower information, loan documentation, servicer records, and significant servicer performance issues, as well as adverse public information. &#160;Additionally, an Enterprise may identify individuals and firms known to have been involved in fraud. 
&#160;Fraud detection procedures should document when findings will warrant the expansion of the scope of review consistent with current risk assessments.</p><p>Each Enterprise should have adequate information systems to timely capture information needed to detect fraud or possible fraud and comply with regulatory reporting requirements.&#160; </p><p> <em>Fraud Response and Reporting</em></p><p>Each Enterprise should have documented processes for evaluating and responding to various types of possible fraud and for complying with regulatory reporting requirements.&#160; An Enterprise should take steps to make its employees and third parties aware of methods by which they may report possible fraud relating to Enterprise operations.&#160; Furthermore, an Enterprise should ensure that its procedures and resources are sufficient to timely investigate possible fraud.&#160; </p><p>An Enterprise's process should address investigation procedures, protocols for gathering evidence, decision-making authority, internal and regulatory reporting, escalation protocols, remedial action, and disclosure.&#160; Individuals assigned to investigations should have the necessary training, authority, and skills to evaluate possible fraud and determine the appropriate course of action.&#160; The process should include a tracking or case management system(s) where allegations of fraud are logged.&#160; As appropriate, an Enterprise's procedures should also include a review of incidents to determine if improvements need to be made to processes or internal control systems to prevent future incidents of possible fraud.&#160; </p><p>Each Enterprise should have effective, risk-based processes to timely investigate potential fraud to minimize and prevent loss.&#160; Procedures should be in place for reporting investigation findings regarding fraud or possible fraud in accordance with regulatory requirements and Enterprise policy.&#160; </p><p> <span 
style="text-decoration&#58;underline;">Training</span></p><p>Each Enterprise should promote fraud awareness by conveying the importance of fraud prevention and penalties for fraud to all employees. &#160;Each Enterprise should provide and document adequate fraud risk management training that is risk-based and commensurate with trainees' roles and specific responsibilities.&#160; Training should include instruction on regulatory requirements and the Enterprise's policies and procedures to comply with those requirements.&#160; Board and senior management training should reflect their oversight role.&#160; Training should be updated as needed to reflect regulatory changes and industry sound practices, as well as changes to the Enterprise's risk assessments and internal controls.&#160; </p><p> <span style="text-decoration&#58;underline;">Independent Testing</span></p><p>Each Enterprise should conduct regular independent testing in all business lines to determine the overall adequacy and effectiveness of the Enterprise's fraud risk management.&#160; Testing scope, procedures performed, and findings should be documented.</p><p> <span style="text-decoration&#58;underline;"> <strong> <em>Related FHFA Guidance</em></strong></span></p><p> <em>Enterprise Fraud Reporting</em>, Federal Housing Finance Agency Advisory Bulletin 2015-02, March 26, 2015, communicates to the Enterprises FHFA's fraud reporting requirements pursuant to 12 CFR Part 1233.</p><p> <em>Oversight of Single-Family Seller/Servicer Relationships</em>, Federal Housing Finance Agency Advisory Bulletin 2014-07, December 1, 2014, communicates to the Enterprises FHFA's supervisory expectations for managing counterparty risk associated with their relationships with single-family Seller/Servicers.</p><p> <em>Suspended Counterparty Program at 12 CFR Part 1227, </em>generally sets forth the requirements by which each regulated entity submits reports to FHFA when it becomes aware that an individual or institution with 
which it has been engaged in a covered transaction (as such term is defined in the regulation) within the previous three years has been convicted, debarred, suspended, or otherwise sanctioned, based on specified financial misconduct. &#160;FHFA may issue suspension orders in appropriate cases, requiring the regulated entities to cease doing business with such individuals or institutions.</p><p>________________________________ </p><p> <a id="1" href="#ref1">[1]</a> For purposes of this Advisory Bulletin, fraud occurs when a person(s), knowingly and willfully (1) falsifies, conceals, or covers up a material fact by any trick, scheme, or device; (2) makes any materially false, fictitious, or fraudulent statement or representation; or (3) makes or uses any false writing or document knowing the same to contain any materially false, fictitious, or fraudulent statement or entry. </p><p> <a id="2" href="#ref2">[2]</a> The risk management guidance in this Advisory Bulletin complements the requirements for reporting fraud and possible fraud found in&#58; (i) 12 C.F.R. Part 1233, Reporting of Fraudulent Financial Instruments; (ii) 31 C.F.R. Parts 1010 and 1030, Anti-Money Laundering Program and Suspicious Activity Report Filing Requirements for Housing Government Sponsored Enterprises; and (iii) Advisory Bulletin 2015-02, Enterprise Fraud Reporting (March 26, 2015).</p><div><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> Advisory Bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, Fannie Mae, and Freddie Mac. &#160;This advisory bulletin is effective immediately upon issuance. 
&#160;Contact&#160;Bobbi Montoya, Associate Director, Examination Standards Branch at&#160;<a href="mailto&#58;Bobbi.Montoya@fhfa.gov">Bobbi.Montoya@fhfa.gov</a>&#160;or&#160;(202)&#160;649-3406, Kathy Beach, Principal Advisor, Office of Supervision Policy at <a href="mailto&#58;Kathy.Beach@fhfa.gov">Kathy.Beach@fhfa.gov</a> or (202) 649-3521, or Ellen Joyce, Principal Risk Analyst, Risk Analysis Branch at <a href="mailto&#58;Ellen.Joyce@fhfa.gov">Ellen.Joyce@fhfa.gov</a> or (202) 649-3409 with comments or questions pertaining to this bulletin. &#160;&#160;</p></td></tr></tbody></table></div>
Information Technology Investment Management18591Fannie Mae & Freddie Mac9/21/2015 4:00:00 AMAB 2015-06<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>​​​​​​​​​​​​​​​​ADVISORY BULLETIN&#160;</strong><br></p><p> <strong>AB 2015-06</strong><br></p><p> <strong>INFORMATION TECHNOLOGY INVESTMENT MANAGEMENT&#160;&#160;</strong></p></td></tr></tbody></table><p> <br> <strong style="text-decoration&#58;underline;"> <em>Purpose</em></strong> </p><p>This advisory bulletin provides Federal Housing Finance Agency (FHFA) guidance on information technology (IT) investment management by Fannie Mae and Freddie Mac (the Enterprises).&#160; FHFA expects that each Enterprise's IT investment management will include sound governance and effective monitoring and reporting that reflect relevant risk assessments of the Enterprise.&#160; &#160;&#160;</p><div><div style="text-decoration&#58;underline;"> <strong><em>Background</em></strong></div><div> <br> &#160;</div><div><p>The Enterprises' investments to maintain and improve their IT environments are critical to the success of business operations and strategic initiatives.&#160; Effective IT investment management contributes to safe and sound operations by enabling an Enterprise to confirm that IT investments are aligned with strategic priorities, support business operations, and deliver expected returns on investment. 
&#160;An effective process for funding IT projects should assist an Enterprise to assess costs and benefits of investments, manage interdependencies among related projects, identify risk exposures to third-party vendors, and plan the funding of multi-year projects over multiple budget cycles.&#160; </p><p>FHFA's standards for safe and sound operations are generally set forth in the Prudential Management and Operations Standards (PMOS) at 12 CFR Part 1236.&#160; In particular, PMOS Standard 1.4 (Internal Controls and Information Systems, Framework) articulates the requirement for an effective system of internal controls, which includes a board-approved organizational structure that clearly assigns responsibility, authority, and reporting relationships, as well as appropriate segregation of duties.&#160;&#160;</p></div><div> <em> <span style="text-decoration&#58;underline;"> <strong>Guidance</strong></span></em></div><div> <br> &#160;</div><div> <span style="line-height&#58;1.6;">FHFA expects that each Enterprise's IT investment management will include sound governance and effective monitoring and reporting that reflect relevant risk assessments of the Enterprise. 
&#160;</span><span style="line-height&#58;1.6;">An Enterprise may develop and refine its IT investment management based on sound industry practices, such as the Control Objectives for Information and Related Technology (COBIT) framework issued by the Information Systems Audit and Control Association (ISACA).</span><span style="line-height&#58;1.6;">&#160;</span><p> <em>Governance</em></p><p>Each Enterprise should maintain sound governance over IT investments using a risk-based approach at both the portfolio level and the project level to confirm that the Enterprise's IT investments are aligned with enterprise strategic priorities and line of business objectives.&#160; Governance should address funding of IT projects and prioritization of project funding based upon risk assessments for proposed investments, cost-benefit analyses, and requirements for diversity and inclusion practices in contracting,<a id="ref1" href="#1"><font color="#0066cc"><strong>[1]</strong></font></a> among other factors.</p><p>The governance over IT investments should clearly define the roles and responsibilities of stakeholders, including the board of directors, business leads, and IT management.&#160; Delegations of authority should be established and subject to periodic review, and exceptions to delegated authority should be documented.&#160; The governance process should confirm that appropriate risk control functions have input into IT funding decisions at both project and portfolio levels. 
&#160;</p><p>Setting IT investment priorities is a key component of governance.&#160; Risk assessments should be performed for IT funding proposals to identify potential risks at the project and portfolio level.&#160; In addition, cost-benefit analyses should be conducted to inform the prioritization of IT investments and funding decisions.&#160; </p><p>Ensuring sustainability of IT investments is essential for mitigating risks such as operational disruptions, security lapses, or system degradation.&#160; Strong governance and oversight of IT investments should be designed to enable an Enterprise to ensure that its IT environment remains current and that IT investments are sustainable.&#160; Budgeting should include long-term IT investments over multiple budget cycles, not only for new projects, but also for ongoing maintenance such as routine service, periodic modification, equipment replacement, enhancement of security features, and patch management.&#160; Effective IT investment governance should also include a regular review function to monitor project management practices against established standards, practices, and internal controls.&#160; </p><p> <em>Monitoring and Reporting</em></p><p>Each Enterprise should maintain a process for tracking IT investments and the performance of funded projects.&#160; Monitoring and reporting are essential tools for management to ensure timely identification of changes to project schedules or budgets and the opportunity to ensure that issues are addressed through appropriate governance mechanisms. 
&#160;Effective monitoring and reporting for IT investments should assist management in ensuring ongoing alignment of the IT project portfolio with strategic objectives and business operating plans, and in maintaining current information on budgets, timelines, and project interdependencies.&#160; </p><p>IT investment management requires periodic performance reporting that provides senior management and the board of directors with appropriate dashboards or similar reports to capture results for performance objectives.&#160; Such reports should inform decision-makers about the sustainability and viability of both existing and future projects.</p><p style="text-decoration&#58;underline;"> <i> <strong>Related Guidance</strong></i></p><p> <em>Guidance on Cyber Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin AB-2014-05, May 19, 2014.</p><p> <em>Guidance on the Retirement of the Microsoft Windows XP Operating System</em>, Federal Housing Finance Agency Advisory Bulletin AB-2014-04, March 20, 2014. </p><p> <em>Operational Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin AB-2014-02, February 18, 2014. 
</p><p> <em>Safety and Soundness Standards for Information</em>, Office of Federal Housing Enterprise Oversight Policy Guidance PG-01-002, December 19, 2001.&#160;</p><p>________________________________</p><p> <a id="1" href="#ref1"> [1]</a> 12 CFR § 1207.21 requires that the Enterprises develop, implement, and maintain policies and procedures to ensure, to the maximum extent possible in balance with financially safe and sound business practices, the inclusion and utilization of minorities, women, individuals with disabilities, and minority-, women-, and disabled-owned businesses in procurement and all types of contracts.</p></div></div><div> <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> Advisory Bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, the Office of Finance,&#160;Fannie Mae, and Freddie Mac. &#160;This advisory bulletin is effective immediately upon issuance. &#160;Contact&#160;Bobbi Montoya, Associate Director, Examination Standards Branch at&#160;<a href="mailto&#58;Bobbi.Montoya@fhfa.gov">Bobbi.Montoya@fhfa.gov</a>&#160;or&#160;(202)&#160;649-3406, John McNicholas, Senior Examiner (Policy), Examination Standards Branch&#160;at <a href="mailto&#58;John.McNicholas@fhfa.gov">John.McNicholas@fhfa.gov</a> or&#160;(202) 649-3525&#160;or&#160;Anne Paulin, Principal Risk Analyst, Risk Analysis Branch at <a href="mailto&#58;Anne.Paulin@FHFA.gov">Anne.Paulin@fhfa.gov</a> or (202) 649-3421 with comments or questions pertaining to this bulletin. &#160;&#160;</p></td></tr></tbody></table> </div>
Rescission of Division of Enterprise Regulation Guidance Documents17619Fannie Mae & Freddie Mac3/26/2015 4:00:00 AMAB 2015-03<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>​​​​​​​​​ADVISORY BULLETIN&#160;</strong><br></p><p> <strong>AB 2015-03</strong><br></p><p> <strong>RESCISSION OF DIVISION OF ENTERPRISE REGULATION GUIDANCE DOCUMENTS&#160;</strong></p></td></tr></tbody></table><p> <br> <strong style="text-decoration&#58;underline;"> <em>Purpose</em></strong> </p><p>The Federal Housing Finance Agency (FHFA) is issuing this advisory bulletin to rescind five examination guidance documents issued by the Office of Federal Housing Enterprise Oversight (OFHEO).</p><div><div> <br> &#160;</div><div style="text-decoration&#58;underline;"> <strong><em>Background</em></strong></div><div> <br> &#160;</div><p>In an effort to keep guidance related to the examination process current, FHFA regularly reviews outstanding guidance, including guidance issued by its predecessor agencies. &#160;As a result of the most current review, FHFA has determined that five guidance documents issued by OFHEO should be rescinded. &#160;These five guidance documents have been superseded by FHFA guidance, or restate regulations without providing additional guidance, or are no longer relevant or applicable in the current environment. 
&#160;</p><div> <br> &#160;</div><div style="text-decoration&#58;underline;"> <strong><em>Guidance</em></strong></div><div> <br> &#160;</div><div>This Advisory Bulletin rescinds&#58;</div><div>&#160;</div><div><ul><li>PG-00-001&#58; Minimum Safety and Soundness Requirements (12/19/2000)<br></li><li>PG-00-002&#58; Non-Mortgage Liquidity Investments (12/19/2000)<br></li><li>PG-06-001&#58; Examination for Corporate Governance (11/8/2006)<br></li><li>PG-06-003&#58; Examination for Accounting Practices (11/8/2006)<br></li><li>PG-08-002&#58; Standards for Enterprise Use of the Fair Value Option (4/21/2008)<br></li></ul></div></div><div><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> Advisory bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, Fannie Mae, and Freddie Mac. &#160;Contact Bobbi Montoya, Associate Director, Office of Supervision Policy at (202)&#160;649-3406 or <a href="mailto&#58;Bobbi.Montoya@fhfa.gov">Bobbi.Montoya@fhfa.gov</a> or Carol Connelly, Principal Examiner, Examination Standards Branch, at (202) 649-3232 or <a href="mailto&#58;Carol.Connelly@fhfa.gov">Carol.Connelly@fhfa.gov</a>, with comments or questions pertaining to this bulletin.&#160;&#160;</p></td></tr></tbody></table><br></div>
Enterprise Fraud Reporting17620Fannie Mae & Freddie Mac3/26/2015 4:00:00 AMAB 2015-02<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>​​​​​​​​ADVISORY BULLETIN&#160;</strong><br></p><p> <strong>AB 2015-02</strong><br></p><p><strong>ENTERPRISE FRAUD REPORTING</strong></p></td></tr></tbody></table><p> <br> <strong style="text-decoration&#58;underline;"><em>Purpose</em></strong> </p><p>This advisory bulletin communicates to Fannie Mae and Freddie Mac (the Enterprises) the Federal Housing Finance Agency’s (FHFA) fraud reporting requirements pursuant to 12 CFR Part 1233 (FHFA Regulation).</p><p>This advisory bulletin rescinds and replaces FHFA’s Regulatory Policy Guidance RPG-2011-001, <em>Reporting of Fraudulent Financial Instruments</em>, dated March 2011.</p><div><p style="text-decoration&#58;underline;"><strong><em>Background</em></strong></p><p>​The Housing and Economic Recovery Act of 2008 (HERA) subjects the Enterprises to fraud reporting (12 U.S.C. 
Section 4642) and requires an Enterprise to submit to FHFA a &quot;timely&quot; report upon discovery that it has purchased or sold a fraudulent loan or financial instrument, or when it suspects a possible fraud related to the purchase or sale of any loan or financial instrument.&#160; </p><p>The FHFA Regulation implements the timely reporting requirement of HERA (12 CFR Section 1233.3(a)(1)) and requires immediate notification to the Director of FHFA upon the discovery of any situation that would have a significant impact on an Enterprise (12 CFR Section 1233.3(a)(2)).&#160; The FHFA Regulation grants the Director authority to determine procedures by which the Enterprises will submit such reports (12 CFR Section 1233.3(b)).&#160;&#160;</p><p style="text-decoration&#58;underline;"><strong><em>Guidance</em></strong></p><p>The Enterprises should adhere to the guidelines in this advisory bulletin for reporting fraud or possible fraud to FHFA in compliance with the FHFA Regulation and for supervisory oversight purposes. &#160;&#160;</p><p><em>Immediate Notification</em></p><p>To comply with the immediate notification requirement in the FHFA Regulation, an Enterprise should notify the Director’s designee(s) electronically, through secure methods established by FHFA, within one calendar day from when an Enterprise becomes aware of fraud or possible fraud as defined in the FHFA Regulation that may have a significant impact on the Enterprise. &#160;Fraud or possible fraud is considered to have a significant impact if it may create substantial financial or operational risk for the Enterprise, whether from a single event/incident or because it is systemic. &#160;Fraud or possible fraud is also considered significant if it involves a member of the board of directors, officer, employee, or a contractor temporarily engaged to fill a position or perform a particular function at an Enterprise or other individual similarly engaged by an Enterprise. 
&#160;</p><p>The Enterprise should provide periodic updates to its board of directors, or a committee thereof, of all fraud or possible fraud requiring immediate notification.</p><p><em>Timely Reporting</em></p><p>To comply with the timely reporting requirement in the FHFA Regulation, an Enterprise should adhere to the following two reporting requirements.&#160;</p><p style="text-decoration&#58;underline;">Monthly Fraud Status Report</p><p>The Enterprises should submit a monthly fraud status report to FHFA. &#160;The monthly fraud status report shall contain requested information for each occurrence during the month in which the Enterprise has&#58;</p></div><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><div><ol><li><span style="line-height&#58;22px;">Filed a suspicious activity report (SAR) with the U.S. Department of the Treasury, Financial Crimes Enforcement Network (FinCEN) or</span><br></li><li><span style="line-height&#58;22px;">Discovered that it has purchased or sold a fraudulent loan or financial instrument, or when it suspects a possible fraud related to the purchase or sale of any loan or financial instrument, and the Enterprise has not filed a SAR.</span><br></li></ol></div></blockquote><span style="line-height&#58;22px;">FHFA will provide a template that describes the format of the monthly fraud status report and defines the information to be included.</span><div><font color="#404040"><span style="line-height&#58;22px;"><br></span></font><div><div><p>Each Enterprise should provide the Director’s designee(s) with the monthly fraud status report within ten (10) calendar days after the end of each month, regardless of whether the Enterprise has a reportable event during the period covered by the report. &#160;The report should be sent electronically through secure methods established by FHFA. 
&#160; </p><p style="text-decoration&#58;underline;">Quarterly Fraud Status Report</p><p>On a quarterly basis, the Enterprises should also report to FHFA the status of any entry required to be reported in the monthly fraud status report for which the Enterprise’s fraud unit has opened a case. &#160;The quarterly fraud status report shall include cases that (1) remain ongoing as of the quarterly report date or (2) were closed during the quarter covered by the report.&#160;</p><p>FHFA will provide a template that describes the format of the quarterly fraud status report and defines the information to be included.</p><p>Each Enterprise should provide the Director’s designee(s) with the quarterly fraud status report within ten (10) calendar days after the end of each calendar quarter. &#160;The report should be sent electronically through secure methods established by FHFA. &#160;</p><p style="text-decoration&#58;underline;"><strong><em>Effective Date</em></strong></p><p>This advisory bulletin becomes effective on June 1, 2015. &#160;The RPG-2011-001 guidance for Immediate Notifications (Section II.A.), Fraud Reports (Section II.C.), and Quarterly Status Submission (Section II.D.) shall continue through the May 31, 2015 reporting period. &#160;All other requirements of RPG-2011-001 are discontinued immediately, including the Annual Review and Conformance Report.&#160;​<span style="line-height&#58;1.6;">​</span></p></div></div> <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> ​​​​​​Advisory bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, Fannie Mae, and Freddie Mac. 
Contact Kari Walter, Senior Associate Director, Office of Supervision Policy at <a href="mailto&#58;Kari.Walter@fhfa.gov">Kari.Walter@fhfa.gov</a>, or Kathy Beach, Principal Advisor, Office of Supervision Policy at <a href="mailto&#58;Kathy.Beach@fhfa.gov">Kathy.Beach@fhfa.gov</a>, with comments or questions pertaining to this bulletin.&#160;&#160;</p></td></tr></tbody></table></div>
Oversight of Single-Family Seller/Servicer Relationships (Fannie Mae & Freddie Mac, 12/1/2014, AB 2014-07)<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>ADVISORY BULLETIN&#160;</strong></p><p> <strong>AB 2014-07&#160;</strong></p><p> <strong>Oversight of Single-Family Seller/Servicer Relationships</strong></p></td></tr></tbody></table><h2>Purpose</h2><p>This advisory bulletin communicates the Federal Housing Finance Agency’s (FHFA) supervisory expectation that Fannie Mae and Freddie Mac (collectively, the Enterprises) maintain the safety and soundness of their operations by effectively managing counterparty risks. FHFA expects each Enterprise to assess financial, operational, legal, compliance, and reputation risks associated with its single-family Seller/Servicer counterparties and to take appropriate action to mitigate those risks or reduce the Enterprise’s exposure. Toward this end, each Enterprise should implement a board-approved risk management framework that specifically includes risk-based oversight of single-family Seller/Servicers. Enterprise oversight should be performed pursuant to policies and procedures as described in this advisory bulletin.</p><h2>Background</h2><p>The business relationships between the Enterprises and Seller/Servicers are a fundamental component of the Enterprises’ delegated business models. Seller/Servicers engage in business transactions with and on behalf of the Enterprises, principally selling loans and performing servicing functions, under the terms of each Enterprise’s respective selling and servicing guide and other contractual provisions. 
The term “Seller/Servicer” as used in this advisory bulletin includes all entities that sell single-family mortgage loans to the Enterprises or perform single-family mortgage loan servicing for the Enterprises.</p><p>Seller/Servicers may engage in all aspects of a mortgage loan’s lifecycle or specialize in phases of the lifecycle (e.g., servicing delinquent mortgage loans). Individual Seller/Servicers may present unique risks due to their organizational structure and complexity; operational and technological capabilities and capacity; experience; access to financial resources, both funding and capital; and scope of regulatory oversight.</p><h2>Guidance</h2><p> <em>Risk Management Framework</em><br></p><p>The board of directors is responsible for overseeing the Enterprise’s overall risk management. The use of a third party does not relieve the Enterprise’s board of directors and senior management of their respective responsibilities to oversee and manage the risks that arise out of the Enterprise’s Seller/Servicer relationships.</p><p>FHFA expects each Enterprise to have a risk management framework for Seller/Servicers as part of its enterprise-wide risk management program. An effective risk management framework addresses the Seller/Servicer relationship for the duration of its lifecycle, including due diligence and selection, contract negotiation, ongoing monitoring (including performance review and issue resolution), and termination.</p><p>The framework should incorporate a policy for the oversight of Seller/Servicer relationships. The policy should establish standards for identifying, assessing, monitoring, and managing risks associated with Seller/Servicer relationships. The policy should assign clear roles and responsibilities and require that significant decisions with respect to Seller/Servicers be documented and include all appropriate Enterprise stakeholders, including Enterprise risk management. 
The policy should require that significant issues related to a Seller/Servicer or exceptions to the policy be reported to senior management. The policy should identify criteria for when significant issues will be reported to the board of directors (or a committee thereof). The policy should be implemented by business line-level policies and procedures that establish processes and controls.</p><p> <em>Selection of Seller/Servicers&#160;</em></p><p> <em></em> <span style="line-height&#58;22px;">Prior to entering into a contractual relationship with a Seller/Servicer, the Enterprise should perform due diligence and document the results. The due diligence should evaluate relevant risks related to a potential Seller/Servicer and should be informed by the factors below. The framework may provide for due diligence to be conducted using a risk-based approach, pursuant to defined criteria.&#160;</span><br></p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p> ​<span style="text-decoration&#58;underline;">Financial Risk Factors</span>&#160;</p></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p>​​Financial risk is the risk of loss due to the Seller/Servicer’s inability to meet its financial obligations. Financial risk may arise due to deterioration in the Seller/Servicer’s financial condition, significant growth, or an unexpected event that causes financial hardship. 
The Enterprises should consider the following in assessing each potential Seller/Servicer’s financial risk, as appropriate&#58;</p><ul><li> <span style="line-height&#58;22px;">Overall financial strength and financial ratio trends;&#160;</span><br></li><li> <span style="line-height&#58;22px;">B</span><span style="line-height&#58;22px;">usiness plan, expertise, and loan production sources;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Ability to meet selling and servicing guides and other contractual provisions, including representations and warranties, under stable and adverse economic scenarios;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Existing and anticipated sources of income, capital, and liquidity;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Quality of loans;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Projected levels of loans, mortgage servicing rights (MSRs), and other servicing assets (e.g., MSR strips, servicing advances);&#160;</span><br></li><li> <span style="line-height&#58;22px;">Adequacy of fidelity bond and errors and omissions insurance coverage; and&#160;</span><br></li><li> <span style="line-height&#58;22px;">Complexity of the Seller/Servicer’s financial structure, in</span><span style="line-height&#58;22px;">cluding the terms of any financial arrangements with other parties.&#160;</span><br></li></ul><p style="text-decoration&#58;underline;"> Operational Risk Factors</p><p>Operational risk is the exposure to loss from inadequate or failed internal processes, people, and systems, or from external events. Operational risk may arise when a Seller/Servicer cannot effectively perform the duties that it has contracted to perform due to deficiencies in its operations or controls. 
The Enterprises should consider the following in assessing each potential Seller/Servicer’s operational risk, as appropriate&#58;&#160;</p><ul><li> <span style="line-height&#58;22px;">Current and prospective resources and capacity regarding staffing, facilities, technology infrastructure, and any sub-servicing arrangements;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Organizational structure, complexity, and ownership, including affiliates;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Key personnel, principals, and controlling shareholders, including information from background checks, when appropriate;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Reliance on, exposure to, and performance of sub-servicers, location of subservicers, and the Seller/Servicer’s ongoing monitoring program and quality control testing of sub-servicers;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Seller/Servicer oversight of third-party service providers (e.g., mortgage brokers, appraisers) contractually obligated to the Seller/Servicer, not the Enterprise;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Risk management program, internal controls and results of audits or reviews, including independent post-closing loan review process;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Business continuity and contingency planning; and&#160;</span><br></li><li> <span style="line-height&#58;22px;">Information technology management program, including an information security framework.&#160;</span><br></li></ul><p> <span style="text-decoration&#58;underline;">Legal, Compliance, and Reputation Risk Factors</span>&#160;</p><p>Legal, compliance, and reputation risk exists when a Seller/Servicer’s operations are not consistent with laws, regulations, sound practices, or an Enterprise’s selling and servicing guides and other contracts. 
The Enterprises should consider the following in assessing the legal, compliance, and reputation risk associated with potential Seller/Servicers, as appropriate&#58;&#160;</p><ul><li> <span style="line-height&#58;22px;">Maintenance of the appropriate federal and state charters or licenses required for or relevant to operating their business;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Scope of federal and state regulatory oversight, both prudential and consumer protection;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Compliance programs for all applicable laws and regulations, including consumer protection laws;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Record of compliance with applicable laws </span><span style="line-height&#58;22px;">and regulations, based upon publicly available information;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Information known or reasonably available to an Enterprise about loan originators used by the Seller/Servicer and their compliance with consumer protection laws;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Publicly available information about supervisory and legal actions, including criminal and civil actions, taken against the Seller/Servicer, key personnel, principals or controlling shareholders, and affiliates;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Publicly available information about investigations and litigation initiated by federal and state authorities, and agreements reached in conjunction with those actions, including the assessment of fines;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Orders issued under the FHFA Suspended Counterparty Program; and&#160;</span><br></li><li> <span style="line-height&#58;22px;">Significant consumer complaints or a pattern of consumer complaints</span><span style="line-height&#58;22px;">.&#160;</span><br></li></ul></blockquote><blockquote style="margin&#58;0px 
0px 0px 40px;border&#58;none;padding&#58;0px;"> <span style="line-height&#58;22px;">Evaluation of these risk factors should be consistent with, and supportive of, the standards for approving Seller/Servicers articulated in the risk management policy.&#160;</span></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"> <span style="line-height&#58;22px;"><br></span></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p> <em>Ongoing Monitoring</em>&#160;</p><div> <span style="line-height&#58;22px;">​Monitoring of the Seller/Servicer for the duration of the relationship is essential to an Enterprise’s ability to manage Seller</span><span style="line-height&#58;22px;">/Servicer risks. As part of ongoing monitoring, each Enterprise should have risk-based procedures that require updating information obtained during the approval process and performing subsequent analysis to evaluate changes in a Seller/Servicer’s risk. FHFA expects that ongoing monitoring will be risk-based, so it will vary among individual Seller/Servicers and may change over time for a particular Seller/Servicer. 
Enterprise policy regarding the scope and frequency of ongoing monitoring activities should be commensurate with the risk associated with the particular Seller/Servicer.&#160;</span><br></div><div> <span style="line-height&#58;22px;"> <br></span></div><div> <span style="line-height&#58;22px;">The documented analysis should take into account factors assessed during the approval process, as well as the following factors, as appropriate&#58;&#160;</span></div><div><ul><li> <span style="line-height&#58;22px;">Volume of loans sold; MSRs retained, sold, transferred, or pledged; and servicing transfer activity, noting rapid or significant changes;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Outstanding obligations and past performance regarding recoveries of repurchases and compensatory fees;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Adherence to approved terms of business, including capital requirements, sales volume, and product limitations;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Delivery and servicing performance record;&#160;</span></li><li> <span style="line-height&#58;22px;">Contractual ability of the Enterprise to access Seller/Servicer records and conduct onsite visits;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Results of operational reviews performed by the Enterprise;&#160;</span></li><li> <span style="line-height&#58;22px;">Results of the Enterprise’s review of a Seller/Servicer for the Seller/Servicer’s compliance with consumer protection and other laws where the Enterprise may have legal liability as a result of the Seller/Servicer’s noncompliance;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Information about a Seller/Servicer’s compliance with consumer protection laws where the Enterprise may be exposed to significant risk as a result of the Seller/Servicer’s noncompliance;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Record of compliance with 
Seller/Servicer guides and other contractual terms, including compliance with laws and regulations, based on Enterprise compliance and quality control reviews;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Results of fraud and data integrity reviews;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Volume, type, and pattern of Seller/Servicer guide waivers considering documented justification for waivers, and results of ongoing performance reviews of loans with waivers relative to justification and expectations;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Sufficiency and timeliness of performance data to evaluate the quality and effectiveness of Seller/Servicer processes for actual and projected volumes;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Accuracy and completeness of loan recordkeeping, including loan data systems and loan documentation, throughout the life of the loan;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Changes in the Seller/Servicer’s business model, strategies, or practices; and&#160;</span><br></li><li> <span style="line-height&#58;22px;">Operational and system complexity, including after an acquisition or merger involving multiple locations, systems, and processes.&#160;</span></li></ul></div></blockquote><div> <span style="font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;line-height&#58;22px;"> <em>Management</em>&#160;</span></div><div> <span style="font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;line-height&#58;22px;"> <br></span></div><div> <span style="font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;line-height&#58;22px;">The risk management framework should include policies for the escalation to and subsequent tracking of issues by the Enterprise’s senior management or 
board of directors (or committee thereof), depending on the type of issue and the risk posed to the Enterprise. In addition, the policies should address the remediation of deficiencies or weaknesses identified in performance criteria or risk areas, as appropriate. The policies should also include standards for taking timely remedial action to exercise contractual rights for termination, suspension, or restriction of activities with a Seller/Servicer, including, for example, against a Seller/Servicer that fails to meet an Enterprise’s standards of performance or that poses reputation risk because of noncompliance with applicable laws and regulations or unso</span><span style="font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;line-height&#58;22px;">und business practices.&#160;</span><br></div><div><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><div> <span style="line-height&#58;22px;"> <br></span></div></blockquote><h2> Related Guidance and Regulations </h2><div> <em style="color&#58;#404040;font-family&#58;'source sans pro', sans-serif;font-size&#58;14px;line-height&#58;22px;">Mortgage Servicing Transfers</em><span style="line-height&#58;22px;">, Federal Housing Finance Agency Advisory Bulletin 2014-06, June 11, 2014, communicates FHFA’s supervisory expectations for risk management practices in conjunction with the sale and transfer of mortgage servicing rights or the transfer of the operational responsibilities for servicing mortgage loans owned or guaranteed by the Enterprises.&#160;</span><br></div><div> <span style="line-height&#58;22px;"> <br></span></div><div> <span style="line-height&#58;22px;"> <em>Contingency Planning for High-Risk or High-Volume Counterparties</em>, Federal Housing Finance Agency Advisory Bulletin 2013-01, April 1, 2013, establishes guidelines for contingency plans for high-risk or high-volume counterparties and describes the criteria the regulated entities should use to develop plans 
for managing counterparty credit risk exposures.&#160;</span></div><div> <span style="line-height&#58;22px;"> <br></span></div><div> <span style="line-height&#58;22px;">12 CFR Part 1227 <em>Suspended Counterparty Program</em> generally sets forth the requirements by which each regulated entity submits reports to FHFA when it becomes aware that an individual or institution with which it has been engaged in a covered transaction (as such term is defined in the regulation) within the previous three years has been convicted, debarred, suspended, or otherwise sanctioned, based on specified financial misconduct. FHFA may issue suspension orders in appropriate cases, requiring the regulated entities to cease doing business with such individuals or institutions.&#160;</span></div><div> <span style="line-height&#58;22px;"> <br></span></div><div> <span style="line-height&#58;22px;">12 CFR Part 1233 <em>Reporting of Fraudulent Financial Instruments </em>requires each regulated entity to make a report to FHFA upon discovery that it has purchased or sold a fraudulent loan or financial instrument or suspects a possible fraud relating to the purchase or sale of any loan or financial instrument.&#160;</span></div><div> <span style="line-height&#58;22px;"> <br></span></div><div> <span style="line-height&#58;22px;">12 CFR Part 1236 <em>Prudential Management and Operations Standards, Standard 9 – Management of Credit and Counterparty Risk </em>provides guidelines on the management of credit and counterparty risk.&#160;</span></div><div> <span style="line-height&#58;22px;"> <br></span></div><div> <span style="line-height&#58;22px;">Department of the Treasury Financial Crimes Enforcement Network 31 CFR Parts 1010 and 1030 <em>Anti-Money Laundering Program and Suspicious Activity Report Filing Requirements for Housing Government Sponsored Enterprises </em>requires each regulated entity to file suspicious activity reports and develop an anti-money laundering program.&#160;</span><br> 
<div> <span style="font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;color&#58;#444444;"></span></div></div></div><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p><span style="font-style&#58;normal;font-variant&#58;normal;line-height&#58;22px;">Advisory Bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, Fannie Mae, and Freddie Mac. This bulletin is effective immediately upon issuance. Contact Kari Walter, Senior Associate Director, Office of Supervision Policy at 202-649-3405 or <a href="mailto&#58;Kari.Walter@fhfa.gov">Kari.Walter@fhfa.gov</a>, or Kathy Beach, Office of Supervision Policy, at 202-649-3521 or <a href="mailto&#58;Kathy.Beach@fhfa.gov">Kathy.Beach@fhfa.gov</a> with comments or questions pertaining to this bulletin.</span></p></td></tr></tbody></table>
Mortgage Servicing Transfers (Fannie Mae & Freddie Mac, 6/11/2014, AB 2014-06)<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p><strong>ADVISORY BULLETIN&#160;</strong></p><p><strong>AB 2014-06&#160;</strong></p><p><strong>Mortgage Servicing Transfers&#160;</strong></p></td></tr></tbody></table><h2>Purpose</h2><p>The Federal Housing Finance Agency (FHFA) is issuing this advisory bulletin to communicate supervisory expectations for risk management practices in conjunction with the sale and transfer of mortgage servicing rights (MSRs) or the transfer of the operational responsibilities of servicing mortgage loans owned or guaranteed by Fannie Mae and Freddie Mac (collectively, the Enterprises).</p><h2>Background</h2><p>The sale and transfer of MSRs or the transfer of mortgage servicing has recently increased for a number of reasons. Some servicing transfers are initiated by the Enterprises. An Enterprise may seek to facilitate or require the transfer of mortgage servicing to a different servicer in an effort to improve mortgage servicing performance. A transfer may also be necessitated by a mortgage servicer’s failure to meet contractual requirements. Servicing transfer requests may also be initiated by the owner of the MSRs or the servicer of the mortgage portfolio. For example, changes in capital regulations or servicing profitability may prompt commercial banks and financial services companies to seek to reduce MSR holdings. Some non-bank mortgage servicing companies have recently increased acquisitions of MSRs and the servicing of mortgage loans.</p><p>Transfers to acquiring entities can be structured in different ways. Historically, both the ownership of the MSRs and the servicing of the mortgage loans were transferred to the same entity. 
However, the MSRs owner and the mortgage servicer may be separate entities, which would necessitate one or more sub-servicer arrangements. For example, the MSRs owner may be established as a limited liability company with the primary purpose of sub-contracting servicing to one or more servicers. In some situations, more than one entity is responsible for the representations and warranties related to the origination, selling, or servicing of a transferred mortgage servicing portfolio. Different types of entities involved in MSR holding structures can impact the financial, operational, and legal risks associated with any given transfer.</p><p>Any sale and transfer of MSRs or transfer of the operational aspect of servicing mortgage loans owned or guaranteed by Fannie Mae or Freddie Mac requires the approval of the applicable Enterprise in accordance with its seller/servicer guide.</p><div><h2>Guidance</h2><p>An Enterprise should only approve those transactions that are consistent with sound business practice, aligned with the Enterprise’s board-approved risk appetite, and in compliance with regulatory and Conservator requirements. Certain bulk servicing transfers also require the approval of FHFA as Conservator for the Enterprises.</p><p>Each Enterprise should have in place policies and procedures within its risk management program for evaluating risks of proposed sales or transfers of MSRs and transfers of the servicing of mortgage loans, considering the particular circumstances of the transfers (e.g., volume and profile of the loans transferred, structure and complexity of the transaction, counterparty exposure, servicing concentrations, and/or borrower experience). The Enterprise’s policies and procedures should identify, assess, and appropriately mitigate risk. 
The policies and procedures should provide for risk-based periodic reporting to the board of the transfers’ risk effect on the mortgage servicing portfolio. The Enterprise should maintain documentation of supporting analysis of transfer approval decisions that is sufficient to enable subsequent supervisory review.</p></div><div><p>This advisory bulletin sets forth guidance for how each Enterprise should develop policies and procedures for reviewing and approving the sale and transfer of MSRs or the transfer of the servicing of mortgage loans. The policies and procedures should enable the Enterprise to understand its potential counterparty risk exposure resulting from servicing transfers.</p><p><em class="ms-rteFontSize-2">Analysis of Mortgage Servicing Transfers</em></p><p>The Enterprise should analyze and document the terms and conditions of all proposed transactions. The Enterprise should evaluate the risks and potential benefits of proposed transfers, taking into account relevant factors regarding the transferee, the transferor, and the borrower, as well as the Enterprise’s overall risk management strategy for servicers. The analysis should incorporate and reflect the views of both risk management and business line management.</p><p>The analysis should reflect a risk-based approach and consideration of all relevant risks, including (but not limited to) the following factors&#58;</p><h4>Financial Risk Factors</h4><ul><li><span style="line-height&#58;1.6;">Financial strength of the transferee servicer or the MSRs owner based upon a current analysis;</span><br></li><li><span style="line-height&#58;1.6;">Existing and anticipated sources of capital and liquidity for the transferee servicer or the MSRs owner;</span><br></li><li><span style="line-height&#58;1.6;">Confirmation of the responsible party(ies) for origination and servicing representation and warranty obligations;</span><br></li><li><span style="line-height&#58;1.6;">Ability 
of all relevant participants to meet contractual obligations, including representations and warranties and other&#160;contractual obligations, including during adverse scenarios in which the counterparty may have trouble accessing liquidity and capital;</span><br></li><li><span style="line-height&#58;1.6;">Terms of any financial support arrangements (e.g., letters of credit, net worth or other guarantees, or other investment structures that securitize the servicing income or the advance receivables); and</span><br></li><li><span style="line-height&#58;1.6;">Complexity of the counterparty financial structure, including financial arrangements with other parties.</span><br></li></ul><h4>​Operational Risk Factors</h4><ul><li><span style="line-height&#58;1.6;">The Enterprise’s, the transferee’s, and the transferor’s business objective for the proposed transfer;</span><br></li><li><span style="line-height&#58;1.6;">Transferee servicer’s status as an “approved” servicer by the Enterprise;</span><br></li><li><span style="line-height&#58;1.6;">Transferee servicer’s and any sub-servicer’s delegations and authority to conduct business on behalf of the Enterprise in relation to the servicing portfolio being transferred;</span><br></li><li><span style="line-height&#58;1.6;">Organizational structure, location, management team, and operations of the transferee servicer and any sub-servicers;</span><br></li><li><span style="line-height&#58;1.6;">Transferee servicer’s and any sub-servicer’s expertise and performance record, including the results of recently conducted Enterprise on-site reviews;</span><br></li><li><span style="line-height&#58;1.6;">Servicing fee distribution between the MSRs owner and the transferee servicer to ensure proper alignment of incentives and coverage of costs;</span><br></li><li><span style="line-height&#58;1.6;">Servicer capacity, taking into account staffing, facilities, information technology systems, and any sub-servicing 
arrangements;</span><br></li><li><span style="line-height&#58;1.6;">Outstanding obligations and past performance regarding repurchase recoveries and compensatory fee recoveries;</span><br></li><li><span style="line-height&#58;1.6;">Operational complexity of the transaction;</span><br></li><li><span style="line-height&#58;1.6;">Third party service providers or vendors contractually obligated to the servicer, but not to the Enterprise;</span><br></li><li><span style="line-height&#58;1.6;">Adequacy of the transferee servicer’s business continuity plan, inclusive of any applicable sub-servicers or material vendors;</span><br></li><li><span style="line-height&#58;1.6;">Current and potential effects of the transfer on borrowers, including those associated with in-process workouts, bankruptcies, and litigation; and</span><br></li><li><span style="line-height&#58;1.6;">Overall effect of the transfer on the servicer relationship and any resulting counterparty concentrations for an Enterprise.</span><br></li></ul><h4>Legal and Compliance Risk Factors</h4><ul><li><span style="line-height&#58;1.6;">Potential compliance risk associated with the characteristics of the mortgage loans being serviced;</span><br></li><li><span style="line-height&#58;1.6;">Based upon publicly available information, the transferor servicer’s, transferee servicer’s, and any sub-servicer’s record of compliance with consumer protection laws, including provisions of the Consumer Financial Protection Bureau’s Regulation X, which implements the Real Estate Settlement Procedures Act;</span><br></li><li><span style="line-height&#58;1.6;">Extent to which the transferor servicer, transferee servicer, and any sub-servicer is subject to federal or state regulatory oversight; and</span><br></li><li><span style="line-height&#58;1.6;">Any public regulatory or other enforcement actions relating to safety and soundness, legal, or compliance issues (e.g., consumer compliance, fraud, financial reporting) of the 
servicers or sub-servicers.</span><br></li></ul><p>Policies and procedures should be consistent with prudent counterparty risk management practices and with FHFA&#160;guidance, including risk-based contingency planning in accordance with FHFA Advisory Bulletin AB-2013-01, Contingency Planning for High-Risk or High-Volume Counterparties, as appropriate.</p><div><p><em class="ms-rteFontSize-2">Transfer Execution Monitoring</em></p><p>The Enterprise’s policies and procedures should clearly outline its expectations to facilitate the transfer of data and records. Further, the Enterprise should have a risk-based process to monitor the execution of the transfers so that all servicing transfers occur in a timely manner and in accordance with approved terms, servicing guide requirements, and applicable mortgage servicing transfer-related laws and regulations. The Enterprise should also have a process to update and&#160;maintain its systems to accurately identify all parties involved in the servicing of a particular loan portfolio.</p><p>Monitoring should cover the transfer of loan records, information regarding loans with loss mitigation in process (including loan modifications), compliance with laws and regulations relating to mortgage servicing transfers, compliance with&#160;approved terms including loan product types and status of loans to be transferred, and quality control review results. For loans that are subject to existing loss mitigation agreements or have loan modification agreements in process, the&#160;transfer terms should require the transferee servicer to honor and abide by such agreements or propose options that are no less beneficial to the borrower, and provide for the transferee servicer to obtain all information needed to complete the modification. 
Transfer execution monitoring should encompass consideration of all relevant participants, including the MSRs owners, servicers, sub-servicers, and third party service providers and vendors, as appropriate.</p><p>Policies and procedures for Enterprise approval determinations should incorporate assessments of the effectiveness of any prior transfers. Transfer execution monitoring should continue for a sufficient period of time post-transfer to enable the Enterprise to evaluate the effectiveness of the transfer and incorporate that evaluation in future approval decisions.</p><p>AB 2014-06 (June 11, 2014)</p><h2>Related Guidance</h2><p>Contingency Planning for High-Risk or High-Volume Counterparties, Federal Housing Finance Agency Advisory Bulletin 2013-01, April 1, 2013, establishes guidelines for contingency plans for high-risk or high-volume counterparties and describes the criteria the regulated entities should use to develop plans for managing counterparty credit risk exposures.</p></div></div></div>
<h2>Cyber Risk Management Guidance (AB 2014-05, May 19, 2014)</h2><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p><strong>ADVISORY BULLETIN&#160;</strong><br></p><p><strong>AB 2014-05&#160;</strong><br></p><p><strong>Cyber Risk Management Guidance&#160;</strong></p></td></tr></tbody></table><p> <br><strong style="text-decoration&#58;underline;"><em>Purpose</em></strong> </p><p>This advisory bulletin provides Federal Housing Finance Agency (FHFA) guidance on cyber risk&#160;management. This guidance is applicable to Fannie Mae and Freddie Mac (the Enterprises), the&#160;Federal Home Loan Banks (FHLBanks) (collectively, the Regulated Entities) and the Office of&#160;Finance. This advisory bulletin discusses considerations and expectations for cyber risk&#160;management and is intended to be applied using a risk-based approach. Cyber risk management&#160;practices should be proportional to the unique cyber risks faced by each Regulated Entity and the&#160;Office of Finance. As cyber risks may arise unevenly across an institution, methods should be&#160;tailored to address vulnerabilities at the institutional, business, and operational levels.</p><p>The guidance in this advisory bulletin is principles-based and technology-neutral (i.e., the guidance&#160;does not prescribe specific technology solutions). 
It focuses on seven main components&#58;​</p><div><ol><li><p>Proportionality – A cyber risk management program should be proportional to the unique&#160;cyber risks of a Regulated Entity or the Office of Finance.​<br></p></li><li><p>Cyber Risk Management – Cyber risk management should leverage existing risk&#160;management practices.​<br></p></li><li><p>Risk Assessments – Risk assessments should be conducted to identify, understand, and&#160;prioritize cyber risks.​<br></p></li><li><p>Monitoring and Response – Identified cyber risk concerns should be monitored and&#160;responded to through the cyber risk management program.<br></p></li><li><p>System, Patch, and Vulnerability Management – The Regulated Entity or the Office of&#160;Finance should have processes that facilitate the regular assessment and timely repair of&#160;vulnerabilities in its systems and applications.​<br></p></li><li><p>Third Party Management – As part of a risk management process, substantial risks arising&#160;from third parties that have access to material information, systems, or assets, or upon&#160;whom the institution has a material reliance, should be identified, monitored, and&#160;prioritized.<br></p></li><li><p>Privacy and Data Protection – The Regulated Entity or the Office of Finance should protect&#160;sensitive, confidential, or personally identifiable information in its possession to reasonably&#160;safeguard against concerns that may include legal and reputational risk.<br></p></li></ol><p style="text-decoration&#58;underline;"><strong><em>Background</em></strong></p><p>Cyber risk has become an increasing concern to the financial services industry, including housing&#160;finance. Types of cyber-related risks that may be encountered include distributed denial-of-service&#160;(DDoS) attacks, computer trespass, insider threats, corporate or national espionage, terrorism,&#160;hacktivism, or the compromise of industry utilities. 
These risks might cause the compromise of&#160;sensitive, confidential, or personally identifiable information. They may also affect the integrity&#160;and availability of data and information.</p><p>Operational or third party breakdowns or changes may also pose risks and highlight the importance&#160;of system, patch, and vulnerability management. For example, a third party’s termination of&#160;support for an operating system or application suite would result in a need to review the&#160;effectiveness of existing system and patch management programs, and to manage the risks&#160;associated with discontinuation of support. In addition to operational concerns, unpatched&#160;environments present opportunities for exploitation by malicious parties. Established attack&#160;vectors by such parties include running vulnerability or code scanning on a targeted organization to&#160;search for unpatched systems, and exploiting known vulnerabilities that are several years&#160;old and for which patches have long been available but were never applied.</p><p>The cyber threat landscape continues to change and can affect the Regulated Entities and the Office&#160;of Finance in varying ways. The sophistication of cyber threats has increased significantly. While&#160;discrete, one-off threats, such as the actions of a disgruntled employee, represent one&#160;part of this landscape, larger, more coordinated threats, commonly referred to as advanced&#160;persistent threats, have emerged and become more commonplace. The originators of these types of&#160;threats and others may be nation-states, non-state actors, criminals, or “hacktivists”. These groups&#160;may be loosely organized into collectives or highly coordinated and managed. 
They may seek to&#160;cause financial or reputational harm, compromise the privacy of individuals, disrupt capital&#160;markets, or incite terror.</p><p>The cyber risk management approaches of the Regulated Entities and the Office of Finance depend&#160;on, among other things, their cyber risk profile and posture, operational and technology models,&#160;third party relationships, governance structure, and the level of involvement of the board of&#160;directors (board) and senior management. FHFA Prudential Management and Operations&#160;Standards (PMOS) (12 CFR Part 1236) address ten areas relating to management and operations.&#160;Although multiple standards address aspects of cyber risk management, the primary PMOS are&#160;Standard 1 (Internal Controls and Information Systems), Standard 8 (Overall Risk Management&#160;Processes) and Standard 10 (Maintenance of Adequate Records). FHFA might evaluate an​&#160;institution’s cyber risk&#160;management program as part of its examinations.</p></div><p style="text-decoration&#58;underline;"><strong><em>Guidance</em></strong></p><p>This advisory bulletin describes the characteristics of a cyber risk management program that the&#160;FHFA believes will enable&#160;the Regulated Entities and the Office of Finance to successfully&#160;perform their responsibilities and protect their &#160;environments.&#160;Although institutions cannot&#160;eliminate cyber risks, these risks can be effectively managed.​</p><div><p><em>Proportionality</em></p><p>Cyber risk can manifest itself differently between and among institutions of similar business&#160;profiles, such as across the FHLBanks or between the Enterprises. Additionally, the types of cyber&#160;risks may differ significantly within areas of an individual institution, and multiple risks can exist&#160;and interact concurrently. 
For example, a DDoS attack on an organization’s public website by a&#160;malicious party may be designed to distract attention from the true intent of exfiltrating personally&#160;identifiable information from a server unrelated to the public website. FHFA expects the cyber risk&#160;management program implemented by a Regulated Entity or the Office of Finance to be&#160;commensurate with its own cyber risks at the institutional, business, and operational levels, and&#160;that the cyber risk management program meets prevailing technology, industry, and government&#160;standards.</p></div><p><em>Cyber Risk Management</em></p><p>The board (or a delegated committee of the board) establishes the overall cyber risk management&#160;policy and appropriate board-level reporting. The policy should define the institution’s governance&#160;and risk management structure; prioritize cyber risk management efforts in alignment with&#160;institution goals and objectives; establish risk tolerance levels and escalation procedures; define&#160;how the institution will assess and respond to cyber risks; and ensure the board or its designees&#160;receive appropriate reporting. The policy should be periodically evaluated and updated to reflect&#160;changes to the institution’s cyber risks.​</p><p>Senior management, and business and operational personnel at their respective program levels,&#160;should implement board-established policy. Within each descending management and operational&#160;tier, management should implement the cyber risk management program with specificity&#160;appropriate to each level and consistent with board-established priorities, risk tolerances, and&#160;response goals across the institution. Appropriate industry protocols and standards should be&#160;considered as source material when building out programs. 
Examples may include appropriate&#160;aspects of the International Organization for Standardization (ISO) 27000 family of standards for&#160;securing information assets, the National Institute of Standards and Technology (NIST) &#160;Framework for Improving Critical Infrastructure Cybersecurity, and the Information Systems&#160;Audit and Control Association (ISACA) Control Objectives for Information and Related&#160;Technology (COBIT) framework.</p><div><p>Cyber risk management practices should be established within the existing risk management&#160;framework to enable an institution to identify its exposures. For certain cyber risks, it may be&#160;possible to execute the program and operational practices in a common manner across the&#160;institution. For example, an institution may develop a corporate-level system patch deployed&#160;through its technology infrastructure that adequately addresses a specific institution-wide cyber&#160;risk. A common approach, however, may not be appropriate for all cyber risks. Certain cyber risks&#160;emerge in some areas within an organization but not in others. For example, a department with&#160;web-connected computers or a business unit with servers containing sensitive, confidential, or&#160;personally identifiable information may face risks unlike other areas of the same institution.</p><p>Precautionary measures should be taken to mitigate insider threats. Such threats may emanate&#160;from disgruntled or terminated employees, contractors, or third parties, each of whom may have&#160;access and organizational knowledge to inflict distinctive harm. 
Precautionary measures against&#160;insider threats may include regular internal audits and enterprise risk assessments; internal&#160;surveillance; monitoring and controls; implementation and enforcement of entitlement&#160;management; use of layered security; and prompt deactivation of system access following&#160;termination, resignation, or transfer by an employee or contractor. An institution’s internal and&#160;external audit findings around such issues can serve as a basis for updating its program. The&#160;Regulated Entities also need to comply with their obligations pursuant to FHFA’s Financial&#160;Instrument Fraud Reporting Rule (12 CFR 1233.3) upon discovery of insider fraud or suspicion of&#160;possible insider fraud.</p><p><em>Risk Assessments</em><br></p><div><p>Regular risk assessments should be conducted to identify, understand, and prioritize cyber risks&#160;involving business operations, information technology architecture, and third parties. It is&#160;important to have an informed view of the institution’s cyber risks and related vulnerabilities,&#160;including the risk of events occurring alone or in tandem, and the likelihood of occurrence. Risk&#160;assessments should be conducted on a regular schedule appropriate to the individual institution’s&#160;risk profile and exposures. Risk assessments should address risks associated with third parties&#160;upon whom the institution has material reliance or who have access to material information,&#160;systems, or assets at the institution. An institution may employ outside experts to perform risk&#160;assessments or conduct internal reviews to inform its program.</p></div><p>Risk assessments should also occur when material events at a Regulated Entity or the Office of&#160;Finance necessitate a reevaluation of its cyber risk posture. 
If an institution identifies or becomes&#160;aware of a significant vulnerability or weakness, it should conduct an appropriate assessment and&#160;make suitable enhancements or adjustments to its risk management activities to address the issue.&#160;An institution may uncover a vulnerability through its own internal reviews. It may also learn of a&#160;breach at an organization with a similar cyber risk profile during monitoring of current industry&#160;developments. In certain cases, an institution may be unaware of concerns until it is contacted by&#160;an external source. Such contact may come in the form of a federal or state law enforcement&#160;inquiry into an intrusion of an institution’s system, a security alert on a relevant vulnerability, or a&#160;third party notification about a potential weakness in the institution’s perimeter.</p><p><em>Monitoring and Response</em><br></p><div><p>Based on an institution’s risk assessments, it should have a program in place to monitor cyber risks&#160;and respond to identified concerns. The program should be clearly outlined; be communicated&#160;across the organization; have repeatable and executable processes; and be incorporated within the&#160;institution’s cyber risk management framework. The program should facilitate a response that is&#160;appropriate and proportional to the characteristics of the identified exposure. In some&#160;circumstances, a Regulated Entity or the Office of Finance may determine its preferred risk&#160;response may not be feasible to implement or be cost-prohibitive. In such circumstances, its&#160;response can consider alternative approaches, for example, mitigating the risk to an acceptable&#160;level or transferring it in a reasonable and justifiable manner.</p><p>In addition to front-end risk monitoring executed through the risk assessment process, the back-end&#160;implementation and performance of risk responses should be monitored. 
Monitoring should define&#160;roles, responsibilities and accountabilities; enable the verification of implementation; evaluate&#160;response effectiveness; and identify any changes that may impact the effectiveness of a response.&#160;Appropriate information on risk responses should be communicated to the proper persons or&#160;committees to ensure decision makers are suitably informed. An institution should also&#160;periodically test or otherwise validate the implementation and effectiveness of its measures. For&#160;example, the operation of an incident response plan developed to address breaches should be&#160;compared against the documented, written plan itself.</p></div><p><em>System, Patch, and Vulnerability Management</em><br></p><div><p>An institution should have processes that facilitate the regular assessment and timely repair of&#160;vulnerabilities in its systems and applications. These processes may be incorporated within an&#160;institution’s existing entity-wide change management program. Unsupported or out-of-date&#160;systems or applications may lead to operational breakdowns as functionality and performance&#160;degrade. If an institution or a third party continues operating unsupported software, the institution&#160;should have a process in place to identify, monitor, and respond to new vulnerabilities in legacy&#160;systems. Further, the effectiveness and management of the system and patch management&#160;programs of third parties upon which the institution has material reliance and third parties that have&#160;access to material information, systems, or assets at the institution should be reviewed.​</p></div><div><p>Prior to deploying fixes, there should be a testing and approval process in place to mitigate risks&#160;associated with patch failures or unforeseen consequences. Sometimes patching can be done on an&#160;automated basis while in other circumstances a manual, phased roll-out is more appropriate. 
An institution should be aware that often when a change is made in one area of its technology&#160;environment, the change may have an unforeseen or unintended impact in another area.</p><p>There may be instances where a particular vulnerability does not have a related patch. In instances&#160;where such a vulnerability presents a significant risk to an institution, it should consider alternative&#160;methods to mitigate the risk. Such alternative methods may include employee training, additional&#160;monitoring, or compensating system configurations, such as disabling the vulnerable component or isolating the affected system on the network.</p><p>An institution should also assess the viability of replacement or retirement of systems or&#160;applications as part of a system development lifecycle program. Highly customized systems can&#160;become outdated and unsupported while still being heavily utilized by an institution. Retirement or&#160;replacement should be considered during evaluations instead of continued patching.</p></div><p><em>Third Party Management</em><br></p><div><p>FHFA expects the Regulated Entities and the Office of Finance to identify, monitor, and prioritize&#160;substantial risks at or within the operations of third parties upon whom the institution has material&#160;reliance or for those that have access to material information, systems, or assets at the institution.&#160;The internal security policies of such parties should be in alignment or compliance with those of&#160;the institution. As part of its risk assessments, an institution should request the information it needs&#160;to reach reasonable conclusions as to a third party’s cyber risk management protocols. In addition&#160;to declarations and certifications provided by a third party, an institution should consider&#160;preserving legal and contractual rights to conduct onsite assessments, as necessary, to verify such&#160;statements. 
In those cases when a third party asserts that certain information cannot be provided&#160;directly because it is proprietary, the institution should obtain sufficient comparable information to&#160;develop an informed assessment, such as through the review of Statement on Standards for&#160;Attestation Engagements (SSAE) No. 16 reports (SSAE No. 16 has since been superseded by SSAE No. 18; note that a SOC 1 report covers controls relevant to financial reporting, while a SOC 2 report addresses security, availability, and confidentiality). An institution should also include in its business&#160;continuity and contingency planning provisions for when cyber risk events should result in&#160;substitution or replacement of services provided by third parties.</p><p>An institution should also understand if a third party outsources a service upon which the&#160;institution has a material reliance, and what additional exposures that may create.</p><p><em>Privacy and Data Protection</em></p><p>Due to the nature of their respective businesses, the Regulated Entities and the Office of Finance&#160;may possess sensitive, confidential, or personally identifiable information. If such information is&#160;not adequately protected from loss, harm, alteration, or exploitation, an institution may become subject&#160;to legal and reputational risks.</p><div><p>As part of its risk assessment, each institution should have a comprehensive view of where&#160;sensitive, confidential, or personally identifiable information resides within the institution; how it is&#160;managed and used; and how it is transmitted, transported, and protected. Information may be&#160;protected through a variety of means, such as through the use of front and back end controls on&#160;user access, and through the use of encryption of data in transit and at rest. Each institution should determine the nature and&#160;extent of precautions necessary to address its distinctive risk areas. 
As part of its program to&#160;monitor and respond to cyber risks, an institution should determine the effectiveness of its&#160;precautions taken to protect information and data.</p><p>The cyber risk management program, including policies, procedures, and/or technology solutions,&#160;should be tailored to address the risks faced by each institution and responsive to the seven&#160;components outlined in this guidance. The seven components are inter-related and should be&#160;considered as part of an effective program.</p><p style="text-decoration&#58;underline;"><strong><em>Related Guidance</em></strong></p><p><em><a href="/SupervisionRegulation/FannieMaeandFreddieMac/Documents/OFHEO%20Policy%20Guidances/2001/121901pg01002.pdf">Safety and Soundness Standards for Information</a></em>, Office of Federal Housing Enterprise Oversight&#160;Policy Guidance PG-01-002, December 19, 2001.</p><p><a href="/SupervisionRegulation/AdvisoryBulletins/Pages/AB-2014-04-Guidance-on-the-Retirement-of-the-Microsoft-Windows-XP-Operating-System.aspx"><em>Guidance on the Retirement of the Microsoft Windows XP Operating System</em></a>, Federal Housing&#160;Finance Agency Advisory Bulletin AB-2014-04, March 20, 2014.</p></div></div></div>
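<p>The Cyber Risk Management section of AB 2014-05 above lists prompt deactivation of system access on termination, resignation or transfer, and implementation and enforcement of entitlement management, among the precautionary measures against insider threats. The following is an added example, not code from the bulletin or from FHFA, of the check an institution can run to verify those measures are actually working: it reconciles a constructed HR roster against constructed account exports and reports accounts still enabled past an assumed one-day grace period, logins recorded after a termination date, departmental entitlements retained after a transfer, and accounts with no HR owner at all. The worker and system identifiers, the group-naming scheme with a "dept:" prefix, and the grace period are assumptions made for the example.</p>

```python
"""Reconcile system accounts against the HR roster to catch stale access.

Added example, not part of the FHFA bulletin. The roster and account
records below are constructed for illustration; in practice they would be
exported from the HR system and from each directory or application.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional

# Assumption for this example: access must be disabled within one day of the
# effective termination date. Tune to the institution's own policy.
GRACE_PERIOD = timedelta(days=1)

# Lower number = more urgent. A login after termination is the only finding
# that indicates possible misuse rather than a missed deprovisioning step.
SEVERITY = {"post_termination_login": 1, "orphan": 2,
            "stale_enabled": 3, "stale_entitlement": 4}


@dataclass(frozen=True)
class Worker:
    worker_id: str
    status: str                 # "active", "terminated" or "transferred"
    department: str             # current department (after any transfer)
    effective: Optional[date]   # termination or transfer date; None if active


@dataclass(frozen=True)
class Account:
    worker_id: str
    system: str
    enabled: bool
    groups: FrozenSet[str]      # entitlements; "dept:<name>" marks a departmental group
    last_login: Optional[date]


@dataclass(frozen=True)
class Finding:
    worker_id: str
    system: str
    kind: str
    detail: str


def reconcile(workers: List[Worker], accounts: List[Account], as_of: date) -> List[Finding]:
    """Compare every account against the HR roster; return findings, most urgent first."""
    roster = {w.worker_id: w for w in workers}
    findings: List[Finding] = []
    for acct in accounts:
        w = roster.get(acct.worker_id)
        if w is None:
            findings.append(Finding(acct.worker_id, acct.system, "orphan",
                                    "account has no matching HR record"))
            continue
        if w.status == "terminated":
            if acct.enabled and as_of > w.effective + GRACE_PERIOD:
                days = (as_of - w.effective).days
                findings.append(Finding(acct.worker_id, acct.system, "stale_enabled",
                                        f"still enabled {days} days after termination"))
            if acct.last_login is not None and acct.last_login > w.effective:
                findings.append(Finding(acct.worker_id, acct.system, "post_termination_login",
                                        f"login on {acct.last_login} after termination on {w.effective}"))
        elif w.status == "transferred":
            # Entitlement management: departmental groups that do not match the
            # worker's current department should have been removed on transfer.
            stale = sorted(g for g in acct.groups
                           if g.startswith("dept:") and g != f"dept:{w.department}")
            if stale:
                findings.append(Finding(acct.worker_id, acct.system, "stale_entitlement",
                                        f"retains {', '.join(stale)} after transfer to {w.department}"))
    findings.sort(key=lambda f: (SEVERITY[f.kind], f.worker_id, f.system))
    return findings


# Constructed sample data (not real records).
SAMPLE_WORKERS = [
    Worker("W001", "active", "treasury", None),
    Worker("W002", "terminated", "servicing", date(2014, 5, 5)),
    Worker("W003", "transferred", "treasury", date(2014, 5, 1)),   # moved from servicing
    Worker("W004", "terminated", "treasury", date(2014, 5, 12)),   # still within the grace period
]
SAMPLE_ACCOUNTS = [
    Account("W001", "ad", True, frozenset({"dept:treasury", "vpn"}), date(2014, 5, 12)),
    Account("W002", "ad", True, frozenset({"dept:servicing", "vpn"}), date(2014, 5, 9)),
    Account("W002", "servicing-app", False, frozenset({"dept:servicing"}), date(2014, 5, 2)),
    Account("W003", "ad", True, frozenset({"dept:treasury", "dept:servicing"}), date(2014, 5, 12)),
    Account("W004", "ad", True, frozenset({"dept:treasury"}), date(2014, 5, 12)),
    Account("W999", "vpn", True, frozenset(), None),
]


def run_sample() -> List[Finding]:
    """Run the reconciliation over the constructed data as of 2014-05-13."""
    return reconcile(SAMPLE_WORKERS, SAMPLE_ACCOUNTS, date(2014, 5, 13))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.kind:<24} {f.worker_id} {f.system}: {f.detail}")
```

<p>The findings are ordered so that a login after the termination date, the one pattern that suggests actual misuse rather than a missed deprovisioning step, is escalated first; if such a case turns out to be insider fraud, the reporting obligation under 12 CFR 1233.3 cited above applies. A disabled account is deliberately not reported even when the worker has left, and an account terminated within the grace period is ignored so that the report only contains items that are overdue.</p>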
<h2>Guidance on the Retirement of the Microsoft Windows XP Operating System (AB 2014-04, March 20, 2014)</h2><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><strong><font face="Times New Roman"><p align="left">ADVISORY BULLETIN </p><p align="left">AB 2014-04 </p><p>Guidance on the Retirement of the Microsoft Windows XP Operating System </p></font></strong></td></tr></tbody></table><p><br>This advisory bulletin is being issued by the Federal Housing Finance Agency (FHFA) to ensure that Fannie Mae, Freddie Mac, the Federal Home Loan Banks (collectively, the Regulated Entities), and the Office of Finance are aware of and responsive to the retirement and ending of support of Windows XP and Office 2003. This advisory bulletin is consistent with guidance issued by other federal financial regulatory agencies.</p><p>The Windows XP operating system and Office 2003 will no longer receive technical assistance from Microsoft, including updates and patching, after April 8, 2014. While the technology will continue to function, without support it may become more prone to operational breakdowns and, because newly discovered vulnerabilities will no longer be patched, to security risks.</p><p>The Regulated Entities and the Office of Finance should review the effectiveness of their system and patch management programs to ensure that the risks associated with this retirement are appropriately understood and mitigated. The review should also consider exposures from third party service providers and other vendors that use Windows XP or Office 2003 upon which the Regulated Entity or the Office of Finance has a material reliance.</p>
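<p>The System, Patch, and Vulnerability Management section of AB 2014-05 and AB 2014-04 above both call for a review of system and patch management programs that covers unsupported software, legacy systems kept running under compensating controls while retirement is considered, and third party hosts on which the institution has a material reliance. The following is an added example, not code from either bulletin or from FHFA, that runs such a review over a constructed inventory: it flags products past their end-of-support date, distinguishes those covered by a current waiver with a named compensating control from those with no waiver or an expired one, and flags hosts whose last patch cycle is older than an assumed threshold, ranking internet-facing systems ahead of internal ones. Only the Windows XP and Office 2003 dates come from AB 2014-04; the host names, the vendor, the other products, the patch-age thresholds and the waiver register are assumptions made for the example.</p>

```python
"""Flag unsupported software and overdue patching across an asset inventory.

Added example, not part of the FHFA bulletins. The inventory, waiver register
and most end-of-support dates below are constructed for illustration; only the
Windows XP and Office 2003 dates come from AB 2014-04.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# (product, version) -> last day of vendor support.
END_OF_SUPPORT: Dict[Tuple[str, str], date] = {
    ("Windows", "XP"): date(2014, 4, 8),        # from AB 2014-04
    ("Office", "2003"): date(2014, 4, 8),       # from AB 2014-04
    ("ExampleOS", "1.0"): date(2013, 12, 31),   # hypothetical product for the example
}

# Maximum age of the last patch cycle, keyed by internet_facing.
# Assumed thresholds for this example, not FHFA figures.
MAX_PATCH_AGE = {True: timedelta(days=14), False: timedelta(days=30)}


@dataclass(frozen=True)
class Host:
    name: str
    owner: str                               # "internal" or the third party's name
    internet_facing: bool
    software: Tuple[Tuple[str, str], ...]    # (product, version) pairs
    last_patch: Optional[date]               # None if never patched


@dataclass(frozen=True)
class Waiver:
    """Accepted exception for an unsupported product, tied to a compensating
    control (e.g. network isolation) and an expiry date that forces re-review."""
    host: str
    product: str
    compensating_control: str
    expires: date


@dataclass(frozen=True)
class Finding:
    priority: int          # 1 = most urgent
    host: str
    owner: str
    kind: str
    detail: str


def priority(kind: str, host: Host) -> int:
    """Rank by finding type, with internet-facing hosts one step ahead of internal ones."""
    base = {"unsupported": 1, "never_patched": 3,
            "patch_overdue": 5, "unsupported_waived": 7}[kind]
    return base if host.internet_facing else base + 1


def assess(hosts: List[Host], waivers: List[Waiver], as_of: date) -> List[Finding]:
    """Return findings ordered so that internet-facing unsupported systems
    with no valid waiver come first."""
    by_key = {(w.host, w.product): w for w in waivers}
    findings: List[Finding] = []
    for h in hosts:
        for product, version in h.software:
            eos = END_OF_SUPPORT.get((product, version))
            if eos is None or eos > as_of:
                continue                      # supported, or support still running
            w = by_key.get((h.name, product))
            if w is not None and w.expires >= as_of:
                findings.append(Finding(priority("unsupported_waived", h), h.name, h.owner,
                    "unsupported_waived",
                    f"{product} {version} past support ({eos}); control: {w.compensating_control}; "
                    f"waiver expires {w.expires}"))
            else:
                # An expired waiver is treated exactly like no waiver at all.
                why = "no waiver on file" if w is None else f"waiver expired {w.expires}"
                findings.append(Finding(priority("unsupported", h), h.name, h.owner, "unsupported",
                    f"{product} {version} unsupported since {eos}; {why}"))
        if h.last_patch is None:
            findings.append(Finding(priority("never_patched", h), h.name, h.owner,
                                    "never_patched", "no patch cycle recorded"))
        elif as_of - h.last_patch > MAX_PATCH_AGE[h.internet_facing]:
            findings.append(Finding(priority("patch_overdue", h), h.name, h.owner, "patch_overdue",
                                    f"last patched {h.last_patch}, {(as_of - h.last_patch).days} days ago"))
    findings.sort(key=lambda f: (f.priority, f.host, f.kind))
    return findings


# Constructed sample inventory (not real hosts); the vendor-owned host stands in
# for a third party on which the institution has a material reliance.
SAMPLE_HOSTS = [
    Host("web-01", "internal", True, (("Windows", "2008R2"), ("ExampleApp", "3.2")), date(2014, 5, 1)),
    Host("teller-kiosk-07", "internal", False, (("Windows", "XP"), ("Office", "2003")), date(2014, 3, 20)),
    Host("vendor-fax-gw", "ExampleVendor", True, (("Windows", "XP"),), None),
    Host("db-02", "internal", False, (("Windows", "2012"),), date(2014, 5, 10)),
]
SAMPLE_WAIVERS = [
    Waiver("teller-kiosk-07", "Windows", "isolated VLAN, no web access, application allow-listing",
           date(2014, 9, 30)),
    Waiver("vendor-fax-gw", "Windows", "vendor-managed firewall", date(2014, 4, 30)),  # expired
]


def run_sample() -> List[Finding]:
    """Assess the constructed inventory as of 2014-05-19."""
    return assess(SAMPLE_HOSTS, SAMPLE_WAIVERS, date(2014, 5, 19))


if __name__ == "__main__":
    for f in run_sample():
        print(f"P{f.priority} {f.host:<16} {f.owner:<14} {f.kind:<19} {f.detail}")
```

<p>The waiver expiry is what keeps a compensating configuration from quietly becoming permanent: once it lapses the host is reported exactly as if no control existed, which puts the retirement-or-replacement decision the bulletin asks for back on the agenda. Third party hosts are assessed with the same rules as internal ones, and the owner column makes clear which findings have to be raised with the vendor rather than fixed in-house.</p>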

© 2016 Federal Housing Finance Agency