About Us

Performance and
Accountability Report

This annual report describes FHFA's accomplishments, as well as challenges, the agency faced in meeting the strategic goals and objectives during the past fiscal year.

FHFA Values

Fairness	We value varied perspectives and thoughts and treat others with impartiality.
Accountability	We are responsible for carrying out our work with transparency and professional excellence.
Integrity	We are committed to the highest ethical and professional standards to inspire trust and confidence in our work.
Respect	We treat others with dignity, share information and resources, and collaborate.

Supervision
& Regulation

Annual Report to Congress

Read about the agency’s 2020 examinations
of Fannie Mac, Freddie Mac and
the Home Loan Bank System.

Plans and Reports

We Want to Hear From You

Submit comments and provide input on FHFA Rules Open for Comment by clicking on Rulemaking and Federal Register.

Conservatorship

Conservatorship of Fannie Mae
and Freddie Mac

As conservator, FHFA is focused on ensuring that each Enterprise builds capital and improves its safety and soundness.

Conservatorship
Performance Goals

1.	Operate the business in a safe and sound manner.
2.	Promote sustainable and equitable access to affordable housing.

2023 Scorecard

Data & Tools

Downloadable Data
& Data Reports

FHFA experts provide reliable data, including all states, about activity in the U.S. mortgage market through its House Price Index, Refinance Report, Foreclosure Prevention Report, and Performance Report.

House Price Index Release Dates

See HPI Release Dates for 2023

Policy, Programs & Research

Source: FHFA

FHFA economists and policy experts provide reliable research and policy analysis about critical topics impacting the nation’s housing finance sector. Meet the experts...

Mortgage Translations
Mortgage Translations

Glossaries

COVID-19 Resources

Advisory Bulletins List

Fannie Mae & Freddie Mac

Federal Home Loan Bank System

Examiner Resources

Legal Documents & Suspensions

Rulemaking and Federal Register

Advisory Bulletins

Advisory Bulletins List

Rescinded Advisory Bulletins

Dodd-Frank Act Stress Tests

LIBOR Transition

Home / Supervision & Regulation / Advisory Bulletins / Advisory Bulletins List

Advisory Bulletins List

Questions about Advisory Bulletins should be directed to SupervisionPolicy@FHFA.gov.

Supplemental Guidance to Advisory Bulletin 2017-02 - Information Security Management

39067

All

1/13/2023 5:00:00 AM

AB 2023-02

<table width="100%" class="ms-rteTable-default" cellspacing="0" style="margin:0px;padding:0px;line-height:inherit;font-family:"source sans pro", sans-serif;font-size:14px;vertical-align:baseline;table-layout:fixed;border-spacing:0px;font-stretch:inherit;background-color:#ffffff;"><tbody style="font:inherit;margin:0px;padding:0px;border:0px currentcolor;vertical-align:baseline;"><tr style="font:inherit;margin:0px;padding:0px;border:0px currentcolor;vertical-align:baseline;"><td class="ms-rteTable-default" style="font:inherit;margin:0px;width:776px;"> <span style="margin:0px;padding:0px;border:0px currentcolor;line-height:inherit;font-family:inherit;font-size:inherit;font-style:inherit;font-variant:inherit;vertical-align:baseline;font-stretch:inherit;font-weight:700 !important;">ADVISORY BULLETIN <span style="margin:0px;padding:0px;border:0px currentcolor;line-height:inherit;font-family:inherit;font-size:inherit;font-style:inherit;font-variant:inherit;vertical-align:baseline;font-stretch:inherit;font-weight:700 !important;">AB 2023-02:  Supplemental Guidance to Advisory Bulletin 2017-02 - Information Security Management <span style="margin:0px;padding:0px;border:0px currentcolor;line-height:inherit;font-family:inherit;font-size:inherit;font-style:inherit;font-variant:inherit;vertical-align:baseline;font-stretch:inherit;font-weight:700 !important;"> <a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/AB-2023-02_Supplemental-Guidance-to-Advisory-Bulletin-2017-02-Information-Security-Management.pdf">[view PDF of Advisory Bulletin 2023-02]</a>    </td></tr></tbody></table><h1> Purpose</h1>The Federal Housing Finance Agency (FHFA) is issuing this Advisory Bulletin (AB) as supplemental guidance to FHFA AB 2017-02: Information Security Management, published on September 28, 2017.<a href="#footnote1" class="super-script">[1]</a> This AB is applicable to Freddie Mac, Fannie Mae,<a href="#footnote2" class="super-script">[2]</a> the Federal Home Loan Banks, and the Office of Finance (OF) (collectively, the regulated entities<a href="#footnote3" class="super-script">[3]</a>) and clarifies FHFA’s existing guidance and provides insight on industry trends.<h1> Background</h1>Since the publication of AB 2017-02: Information Security Management, new cybersecurity threats have emerged, and existing threats have evolved. As the cyber landscape continues to change, FHFA expects the policies, procedures, and practices that the regulated entities use to ensure safe and sound information security risk management to evolve accordingly. The regulated entities’ information security management program should be commensurate with the level of risk and complexity of its threats and should be periodically reviewed to verify that it reflects industry standards. This AB elaborates on and clarifies elements of AB 2017-02: Information Security Management, and FHFA expects each regulated entity to individually assess the risks associated with protecting the confidentiality, integrity, and availability of its information. FHFA expects the regulated entities to protect their information technology (IT) environments using a risk-based approach to determine the appropriate activities to include in a comprehensive program. <h1> Guidance</h1>This AB’s guidance is organized by illustrative questions that a reader may have when considering the emergence of new cybersecurity threats and the evolution of existing threats since the publication of AB 2017-02: Information Security Management. Each regulated entity’s program should consider adopting appropriate industry standards commensurate with the complexity and risk profile of the entity, such as those promulgated by the National Institute of Standards and Technology (NIST).<a href="#footnote4" class="super-script">[4]</a> 1.  How does cyber resiliency factor into AB 2017-02: Information Security Management?Cyber resiliency can be defined as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”<a href="#footnote5" class="super-script">[5]</a> The regulated entities should secure their IT systems in order to continually deliver business operations during cyber events and incidents and/or breaches; remain prepared to detect and respond to compromises to mission critical functions from potential threats; and minimize disruption from an event, incident, or breach.<a href="#footnote6" class="super-script">[6]</a>The confidentiality, integrity, and availability of key regulated entity systems and data should inform information security management at the regulated entities. Incidents affecting the confidentiality, integrity, and availability of systems can significantly impair the operations of the regulated entities. For these reasons, the regulated entities should consider adopting cyber resiliency standards such as those outlined in NIST publications,<a href="#footnote7" class="super-script">[7]</a> such as planned redundancy, network segmentation, and strategic contingency planning with third parties to maximize the continuity of business operations. 2.  How can the regulated entities manage the risk from current information security threats?The regulated entities should be able to react to and consider the threats outlined below, among others, that expand on the concepts outlined in AB 2017-02: Information Security Management. The regulated entities should also remain familiar with emerging risks and mitigants within the industry by participating in financial sector information sharing workstreams (e.g., FSSCC, FS-ISAC).<a href="#footnote8" class="super-script">[8]</a> FHFA expects a continual practice of cyber hygiene such as scanning for and timely patching of vulnerabilities and conducting penetration tests.Social EngineeringSocial engineering exploits weaknesses in people rather than in technology. Often, social engineering attackers gather information to support the beginning stages of a sophisticated attack. By improving awareness and implementing technical measures, the regulated entities reduce the chance of social engineering leading to a successful cyberattack.Phishing, or similar business email compromise (BEC) attacks, continues to be a commonly used social engineering tactic. Cyber attackers can be innovative and adopt new and creative social engineering tactics to trick company employees into disclosing their credentials or other non-public information. Email and web gateway servers can help defend against BEC attacks through URL filtering. The regulated entities should ensure that these defenses are frequently updated. Additionally, the regulated entities should, as a matter of routine, ensure they update security awareness trainings regularly, conduct social engineering testing (e.g., phishing simulations), and review network device configurations to ensure only legitimate traffic is allowed. Malware & RansomwareWhile the regulated entities may not be able to prevent being the target of malware and ransomware attacks, having appropriate operational resiliency measures can reduce the effect of these incidents on business operations. Each regulated entity should maintain a communications plan with response and notification procedures for a ransomware incident within its broader incident response plan. The procedures and plans should be tested regularly. All critical information should be regularly backed up as immutable data. Each regulated entity should test the ability to resume critical business processes using backups in a timely manner. The regulated entities should enable spam filters to prevent phishing emails from reaching end users, authenticate inbound email, and use behavior-based malware protection on servers and endpoints. Furthermore, the regulated entities should analyze the need to financially insure against ransomware. AccountsThe regulated entities should have individually attributable accounts for accessing IT assets and prohibit the sharing of user accounts. The use of shared accounts increases the risk of sharing passwords and typically will not allow for an attributable audit trail of activity. Furthermore, the regulated entities should enforce security controls over individual and privileged accounts, such as multi-factor authentication. Privileged accounts should be managed centrally and more stringently than non-privileged user accounts. Privileged accounts should be limited to only those who require elevated privileges for specific actions. For example, a privileged account should only be used for approved business purposes. Cybersecurity Supply Chain Risk Management <a href="#footnote9" class="super-script">[9]</a> The regulated entities increasingly rely on suppliers to support critical functions, which potentially exposes the regulated entities to additional cybersecurity risk. These suppliers have their own suppliers, creating extended supply chains. Complex supply chains and cyber threat actors targeting supplier and acquirer networks increase the importance of supply chain resilience, business continuity, and disaster recovery planning. The regulated entities should consider the following supply chain risk mitigation activities to enhance their third-party risk and business resiliency management programs.<a href="#footnote10" class="super-script">[10]</a>The regulated entities should manage risk from unexpected interruptions to the supply chain to ensure business continuity. Examples of potential disruptions include suppliers ceasing support for hardware and software, merger, acquisition, or change in leadership.<a href="#footnote11" class="super-script">[11]</a> The regulated entities should proactively identify risks arising from potential disruptions and mitigate the risks accordingly. The regulated entities will benefit from including contractual provisions to modify or terminate a contract if the supplier is no longer able to meet regulated entity’s requirements. Furthermore, the regulated entities should consider incorporating lessons learned from prior supply chain incidents into planning, response, and recovery processes, and sharing such lessons learned with appropriate parties within the regulated entity.The regulated entities should consider strengthening their supplier management programs to monitor for potential security and privacy risks. This includes ensuring that suppliers are meeting regulated entity cybersecurity requirements and remediating any identified issues per agreed-upon timelines. The regulated entities should assess significant suppliers on a regular basis to identify potential changes to the suppliers’ risk profile. 3.  How do third-party provider relationships introduce user access management risks?To elaborate on the security risks identified in AB 2018-08: Oversight of Third-Party Provider Relationships, the regulated entities’ engagement with third-party providers can increase user access management risks if external users access the regulated entity’s network and data. If the third-party provider’s contract does not outline specific user access requirements, third-party users may not be subject to sufficiently stringent access controls, and the regulated entities may have insufficient transparency and visibility into the third party’s controls over their users. Finally, poor user access management within third-party providers’ own networks can increase the risk of disclosure of non-public information. As a result, the regulated entities should consider the cyber posture of a third party prior to engagement with the third party. The regulated entities should incorporate the access management guidance provided in this AB into the third-party risk management program, as well as the policies and procedures that implement the guidance detailed in AB 2016-04: Data Management and Usage.<a href="#footnote12" class="super-script">[12]</a> 4.  How can information security be addressed at third-party providers?Information security risks should be addressed as early as possible during the third-party provider risk management life cycle. The degree of due diligence performed on the third-party providers’ information security program should be commensurate with the risk to the regulated entity’s confidentiality, integrity, and availability of systems and information. The regulated entity should determine if the third party has cybersecurity insurance and the extent and provisions of its coverage. If the third party uses subcontractors,<a href="#footnote13" class="super-script">[13]</a> the regulated entity should understand the third party’s ability to control the subcontractors’ access. The regulated entity should approve subcontractor access to its IT systems or data based on the potential risk to the regulated entity. If applicable, the third party should fully disclose the extent of the subcontractors’ access to regulated entity data. Furthermore, if a third party loses or otherwise compromises regulated entity data, the third party should be contractually obligated to notify the affected regulated entity within an agreed-upon timeframe. The third party should have policies, procedures, certifications, and/or accreditations describing its information security program. Information security related expectations for the third party should be explicitly outlined in the contract.In addition to performing due diligence and contract negotiation, the regulated entities should conduct ongoing monitoring (and where necessary, on-site reviews) of a third-party provider’s information security program. Periodically, third-party providers should be required to attest that they meet contractually agreed-upon information security requirements, including robust risk management over their own third parties. The regulated entities should also review independent reports on a third-party provider’s security program, such as ISO 27001 certification, and PCI compliance and control reports (e.g., Service Organization Control). As part of ongoing monitoring of the third-party provider, the regulated entities should regularly monitor news, social media, and intelligence feeds for issues that may raise concerns regarding a third-party provider’s information security posture. In scenarios that warrant heightened risk monitoring, the regulated entities may use external third-party providers that specialize in supply chain cyber risk assessments to perform ongoing monitoring over the extended supply chain. 5.  What are examples of appropriate password safeguards?To address common attacks, industry best practices recommend a defense-in-depth strategy.<a href="#footnote14" class="super-script">[14]</a> Multi-factor authentication is a strong preventative measure against most password attacks. To elaborate on AB 2017-02: Information Security Management, each regulated entity’s program should align with appropriate industry standards on multi-factor authentication, such as those promulgated by NIST, commensurate with the complexity and risk profile of the entity.<a href="#footnote15" class="super-script">[15]</a> The regulated entities should also use detective measures such as logging and monitoring failed authentication attempts. Because industry best practices, such as password composition recommendations, adapt frequently to the changing threat landscape, the regulated entities should also review authentication protocols and rules at least annually.Additionally, employees and/or contractors should be given the least privilege necessary to perform their job duties. The regulated entity should identify an appropriate party to review privileges regularly, commensurate with the asset’s risk profile. Actions taken using elevated privileges should be monitored. Logs of elevated privilege actions should be parsed into a security information and event management (SIEM) tool.To elaborate on the guidance on remote access management set forth in AB 2017-02: Information Security Management, the regulated entities should account for “non-traditional” device<a href="#footnote16" class="super-script">[16]</a> access to the network and adapt password security policies, procedures, and standards accordingly. The regulated entity’s management and monitoring of all mobile devices connected to its network through an established mobile device or application management program is critical to promoting sound endpoint security.As part of a strong information security culture, training users on security awareness and strong password management techniques can help employees mitigate user access risks. In addition to requiring training on regulated entity policies, procedures, and standards, regulated entities should periodically educate employees on both common and novel password security threats. 6.  How can the regulated entities address user access management risk given the new threat environment?The regulated entities’ information security programs should address risks associated with user access management. In recent years, cyber attackers accessed more entry points (e.g., off-premises “non-traditional” devices, traditional on-premises systems, and the Internet of Things<a href="#footnote17" class="super-script">[17]</a>) and used more sophisticated methods of targeting users. Cyber attackers have targeted users with network access to escalate their own privileges and pivot within the network. Thus, the regulated entities should monitor user access, conduct user access reviews, and remove user access when no longer needed. Furthermore, the regulated entity should identify the access necessary for a user to perform job duties before granting access. 7.  What measures can be taken to mitigate the risk of unauthorized privilege escalation?Measures taken to mitigate the risk of privilege escalation may be incorporated into multiple layers of the regulated entity’s defense-in-depth posture. Security researchers note that efforts should start with defending against intrusions early in the chain of activities leading to privilege escalation. The regulated entities should disable unnecessary or unused services, block unnecessary or unused ports, and use automated command-shell tools (e.g., PowerShell) with discretion. Additionally, the regulated entities should harden defenses at endpoints by appropriately configuring applications such as email and web browsers and limiting executables. Attacks using remote desktop protocol and software have increased as more employees work remotely. Unauthorized parties may remotely access a network and escalate privileges to conduct an attack. The regulated entities should avoid the use of default passwords and reliance on default settings for remote desktop technology. The regulated entities may further secure remote access by enforcing strong controls such as requiring multi-factor authentication, patching, and updating software, and restricting access using firewalls. Additionally, unauthorized privileged escalation risk may be mitigated by applying principles such as “Zero Trust”<a href="#footnote18" class="super-script">[18]</a> from industry best practices of granular and specific access permissions: <ul><li style="line-height:1.4;font-size:14px;font-family:"source sans pro", sans-serif !important;">The regulated entities may consider continuously reauthenticating a user rather than granting static authentication at the beginning of a user’s session.</li><li style="line-height:1.4;font-size:14px;font-family:"source sans pro", sans-serif !important;">Regularly review users with administrative or otherwise privileged access and deprovision access once the user no longer needs it.<a href="#footnote19" class="super-script">[19]</a></li></ul> 8.  How can the regulated entities mitigate risks presented by incorporating new technology into existing infrastructure?New technology may require a learning curve before it is managed effectively. Therefore, it is beneficial for the regulated entities to have reliable and proven processes in place for designing and maintaining a secure and resilient enterprise IT architecture before introducing new technologies. Systems should be evaluated in a test environment before they are incorporated into the production environment. The regulated entities may consider developing a risk-based security strategy integrated with the business strategy that defines its appetite for risks posed by new technology. Furthermore, the regulated entities should establish appropriate governance processes for new technology, including risk assessment, and ensure relevant controls are in place prior to the new technology’s implementation. Once the new technology is in use, the regulated entity should continue to monitor and evaluate its risks. If new technology is replacing old technology, the regulated entities should ensure that they properly secure and retire any legacy infrastructure. The regulated entities should have a process in place to train users on any system migrating into production. This can be either formal training or a transfer of knowledge from users of a system in the test environment. 9.  How does information security management of cloud environments differ from information security management of on-premises environments?Whereas AB 2018-04: Cloud Computing Risk Management,<a href="#footnote20" class="super-script">[20]</a> covers differences between the cloud environment and the on-premises environment and details third-party cloud provider management and information security, the sections below provide additional detail to the cloud information security operations topics parallel to Section III: Operations in AB 2017-02: Information Security Management. Continuous MonitoringThe regulated entity should integrate any cloud monitoring and logging tools into an existing SIEM platform for centralized threat detection and management. Most leading cloud service providers (CSP) offer built-in monitoring and logging tools, but the customers are responsible for configuring these tools. If a regulated entity chooses to use a CSP tool, the regulated entity should understand the tool’s capabilities. Vulnerability ManagementThe vulnerability management concepts outlined in AB 2017-02: Information Security Management apply to the cloud environment. Vulnerability management of cloud infrastructure is typically managed by the CSP; however, in a platform-as-a-service and infrastructure-as-a-service model, the customer is responsible for vulnerability management in the cloud. The regulated entities should prioritize vulnerability management for cloud applications at the start of the cloud build processes rather than as an afterthought at the end. Baseline ConfigurationRegulated entities should include cloud-based IT assets in the IT inventories referenced in AB 2017-02: Information Security Management. The process for baselining and monitoring IT asset configurations should be the same for both on-premises and cloud-hosted assets. Baseline configurations are especially important for virtual servers that are decommissioned and then recommissioned using established baselines. Secure baseline configurations should be established based on manufacturer or industry best practice. Additionally, leading CSPs provide security configuration guidelines for foundational services used for establishing connectivity, authentication, data access, and encryption settings. The regulated entities should identify and adopt appropriate baseline configuration standards that ensure a comprehensive view of potential security configuration gaps within all its cloud-based services and provide assurance that the cloud-based IT environment is configured to maintain the expected level of protection against threats to data. Asset LifecycleWith more critical processes moving to cloud environments, some asset management responsibilities could shift to the CSP. The regulated entities should continue to maintain an asset lifecycle program as detailed in AB 2017-02: Information Security Management. While the regulated entities may have fewer physical infrastructure assets such as servers, the regulated entities may need to enhance asset lifecycle policies and procedures to reflect trends such as BYOD (bring your own device) and increased teleworking. The regulated entities should consider how “nontraditional” devices fit into their asset lifecycle. Incident Response and RecoveryThe regulated entities should evaluate the design and operating effectiveness of the CSP’s incident response controls. Each Enterprise is expected to meet the provisions of AB 2020-05: Enterprise Cybersecurity Incident Reporting, in the event of a cybersecurity incident at a CSP that compromises the confidentiality, integrity, or availability of an Enterprise asset.<a href="#footnote21" class="super-script">[21]</a> Similarly, each Federal Home Loan Bank is expected to meet data reporting provisions established by FHFA’s Division of Federal Home Loan Bank Regulation. Awareness and TrainingThe regulated entities should consider how using cloud technology affects the existing information security culture. Existing policies and procedures may need to be modified or supplemented to provide personnel with adequate information on securely developing and using cloud-based applications. As needed, the regulated entities should administer cloud-specific training to provide personnel with a baseline understanding of cloud systems. The regulated entities should administer role-based training to users with access to cloud systems, with more rigorous training required for those with privileged access. User Access ManagementWhen virtually connecting to a CSP, the regulated entities should extend existing user identity and access management policies such as federation<a href="#footnote22" class="super-script">[22]</a> to the cloud. The regulated entities should tie identities to a centralized internal identity and consider the use of identity brokers where appropriate. Threat Intelligence SharingMost cloud industry leaders offer built-in threat intelligence services and publish whitepapers on using these services. Cloud customers are responsible for enabling and configuring these services. CSPs, federal agencies such as the Cybersecurity and Infrastructure Security Agency, and third-party security providers also produce alerts. The regulated entities’ existing SIEM framework should incorporate these alerts. The regulated entities should continue to participate in private and public threat intelligence coordination. As a small number of CSPs are heavily used within the financial sector, information exchange on threats affecting these platforms promotes financial sector security and resiliency. EncryptionIn addition to the guidance provided in Section III of AB 2017-02: Information Security Management, the regulated entities should also incorporate cloud encryption and key management concepts into policies and procedures. The regulated entities should define what data need to be encrypted and where the data are stored and then implement encryption and key management accordingly. For certain types of data that have specific regulatory or statutory requirements, each regulated entity should carefully evaluate whether the encryption of such data and the location in which such data are stored within a cloud environment comply with these requirements. Regulated entity information security personnel should work with their organization’s compliance and legal staff to clearly understand all applicable encryption-related laws and regulation and to ensure ongoing compliance. Many CSPs offer key management services; therefore, the regulated entities and their CSPs should agree upon roles and responsibilities for key storage and management services and document them in their service contracts. The regulated entities should adopt NIST standards to implement encryption and key management appropriately.<a href="#footnote23" class="super-script">[23]</a> 10.  How should the information security program adapt to changing privacy laws?As many privacy laws are enacted at the state rather than the federal level, the regulated entities should continuously monitor the applicability of and their compliance with new and changing state privacy laws, as well as any relevant federal laws. These laws may require changes to the regulated entity’s information security program, as privacy laws may have implications on how and where certain data can be stored, the level of security needed to protect that data, and specific data retention and deletion requirements. For example, some state-specific privacy laws stipulate the level and type of encryption needed for certain kinds of data, the circumstances under which certain information can be shared with a third-party provider, notification requirements for data breaches, and the deletion of certain kinds of information on request. Data encryption should be balanced with data transparency to ensure that the relevant data can be easily located and removed when the law requires it to be deleted. Privacy laws underscore the necessity for the regulated entities to understand what data they own, where it is housed, who has access and for what purposes, and how the data is protected. The regulated entities should maintain a comprehensive and current inventory of all data they own, where data is located, with which third parties their data was shared, and for what purpose. Additionally, because laws may have different requirements and applicability depending on the location of the consumer and the kinds of data involved, regulated entity information security personnel should work with the regulated entity’s privacy, compliance, and legal offices to clearly understand the applicable requirements, best practices, and to ensure ongoing compliance with privacy laws. To effectively anticipate and address the implications of any new activity on privacy compliance and information security, the regulated entities should perform a privacy assessment prior to approving any new activities (including pilot initiatives and the commencement of any new third-party service provider relationship). 11.  What are avenues for discovering vulnerabilities? Penetration TestingThe regulated entities should engage third parties to perform independent penetration testing,<a href="#footnote24" class="super-script">[24]</a> as well as perform internal penetration testing as necessary. Though penetration testing may proactively identify potential vulnerabilities during the development lifecycle, it generally is used to test a deployed system at any specific point in time and should not be used as a substitute for secure development practices. The regulated entities should conduct penetration tests on systems periodically post-deployment. Threat ModelingThe regulated entities may also use established frameworks to perform threat modeling<a href="#footnote25" class="super-script">[25]</a> on their systems. The regulated entities should embed security protections into information systems by creating a feedback loop of identifying, mitigating, and reassessing threats. Rather than finding vulnerabilities in pre-deployed or deployed systems, the regulated entities may find them during the development process if security is prioritized in the design of the system. Additionally, both technical and non-technical vulnerabilities can be highlighted if threat modeling is performed by both the technical and functional stakeholders throughout the software development lifecycle. The regulated entities may incorporate threat modeling into the ongoing management and monitoring of high-risk systems. Vulnerability Disclosure ProgramA Vulnerability Disclosure Program (VDP) may enable the regulated entity to learn of vulnerabilities through external parties, such as IT and information security researchers, ethical hackers, etc. The discovery and shared disclosure of previously unknown vulnerabilities enables faster identification and remediation. Additionally, a VDP may potentially mitigate reputational risk if the regulated entities are informed of vulnerabilities through a non-public communication channel rather than through exploitation or publication of the vulnerability on public channels.<h1> Related Guidance</h1> Enterprise Risk Management Program, FHFA AB 2020-06, December 11, 2020. Business Resiliency Management, FHFA AB 2019-01, May 7, 2019. Oversight of Third-Party Provider Relationships, FHFA AB 2018-08, September 28, 2018. Cloud Computing Risk Management, FHFA AB 2018-04, August 14, 2018. Information Security Management, FHFA AB 2017-02, September 28, 2017. Internal Audit Governance and Function, FHFA AB 2016-05, October 7, 2016. Data Management and Usage, FHFA AB 2016-04, September 29, 2016. Operational Risk Management, FHFA AB 2014-02, February 18, 2014. <hr /> <a name="footnote1" class="super-script">[1]</a><a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/AB-2017-02.pdf">AB 2017-02: Information Security Management, September 2017</a>. <a name="footnote2" class="super-script">[2]</a> Common Securitization Solutions, LLC (CSS) is an “affiliate” of both Fannie Mae and Freddie Mac, as defined in the Federal Housing Enterprises Financial Safety and Soundness Act of 1992, as amended. 12 U.S.C. 4502(1), and this AB applies to it. <a name="footnote3" class="super-script">[3]</a> The OF is not a “regulated entity” as the term is defined in the Federal Housing Enterprises Financial Safety and Soundness Act as amended. See 12 U.S.C. 4502(20). However, for convenience, references to the “regulated entities” in this AB should be read to also apply to the OF. <a name="footnote4" class="super-script">[4]</a> If a regulated entity chooses not to adopt or adhere to the NIST standards, the regulated entity could nevertheless meet FHFA’s supervisory expectations by demonstrating to the examiner’s satisfaction that adoption and adherence to a comparable set of current industry standards is safe and sound information security management. <a name="footnote5" class="super-script">[5]</a> Defined in NIST SP 800-160 Vol. 2 Rev. 1, December 2021. <a name="footnote6" class="super-script">[6]</a> Refer to <a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/AB_2019-01-Business-Resiliency-ManagementV2.pdf">AB 2019-01: Business Resiliency Management</a>, for more information related to an entity’s ability to minimize disruptions and maintain business operations at predefined levels. <a name="footnote7" class="super-script">[7]</a>See footnote 4. <a name="footnote8" class="super-script">[8]</a>E.g., The Financial Services Sector Coordinating Council and Financial Services Information Sharing and Analysis Center. <a name="footnote9" class="super-script">[9]</a> Defined in NIST SP 800-161r1, May 2022. <a name="footnote10" class="super-script">[10]</a> Refer to <a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/AB2018-08_Oversight-of-Third-Party-Provider-Relationships.pdf">AB 2018-08: Oversight of Third-Party Provider Relationships</a>, for expectations related to the regulated entities’ risk management of third-party suppliers. <a name="footnote11" class="super-script">[11]</a>See NIST IR 8276, Key Practices in Cyber Supply Chain Risk Management: Observations from Industry. <a name="footnote12" class="super-script">[12]</a><a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/AB2016-04_Data-Management-and-Usage-AB.pdf">AB 2016-04: Data Management and Usage, September 2016</a>. <a name="footnote13" class="super-script">[13]</a> Subcontractors are also referred to as fourth parties. <a name="footnote14" class="super-script">[14]</a> Defined in NIST SP 800-53 Rev. 5, September 2020. <a name="footnote15" class="super-script">[15]</a>See footnote 4. <a name="footnote16" class="super-script">[16]</a>E.g., smartphones, tablets, wearable technology. <a name="footnote17" class="super-script">[17]</a> Defined in NIST SP 800-172, February 2020. <a name="footnote18" class="super-script">[18]</a> Defined in NIST SP 800-207, August 2020. <a name="footnote19" class="super-script">[19]</a> For more information on “Zero Trust” principles, see <a href="https://doi.org/10.6028/NIST.SP.800-207" class="external-link">NIST Special Publication 800-207: Zero Trust Architecture</a> (2020). <a name="footnote20" class="super-script">[20]</a><a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/AB-2018-04-Cloud-Computing-Risk-Management.pdf">AB 2018-04: Cloud Computing Risk Management, August 2018</a>. <a name="footnote21" class="super-script">[21]</a>See<a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/AB-2020-05_Enterprise-Cybersecurity-Incident-Reporting.pdf">AB 2020-05: Enterprise Cybersecurity Incident Reporting</a>, for FHFA’s definition of a “reportable cybersecurity incident.” <a name="footnote22" class="super-script">[22]</a> Defined in NIST SP 800-63 Rev. 3, June 2017. <a name="footnote23" class="super-script">[23]</a>See footnote 4. <a name="footnote24" class="super-script">[24]</a> Defined in NIST SP 800-95, August 2007. <a name="footnote25" class="super-script">[25]</a> Defined in NIST SP 800-53 Rev. 5, September 2020. <div><div><table width="100%" class="ms-rteTable-default" cellspacing="0" style="font-family:"source sans pro", sans-serif;font-size:14px;font-style:normal;font-weight:400;"><tbody><tr><td class="ms-rteTable-default" style="width:776px;">FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. Questions about this advisory bulletin should be directed to: <a href="mailto:SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>.    </td></tr></tbody></table> <div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read 8819e645-2d86-4863-88e0-14ff19bb1a84" id="div_8819e645-2d86-4863-88e0-14ff19bb1a84" unselectable="on"></div><div id="vid_8819e645-2d86-4863-88e0-14ff19bb1a84" unselectable="on" style="display:none;"></div></div> </div></div>

1/14/2023 4:17:39 PM

Home / Supervision & Regulation / Advisory Bulletins / Supplemental Guidance to Advisory Bulletin 2017-02 - Information Security Management Advisory Bulletin

2564

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Valuation of Mortgage Servicing Rights for Managing Counterparty Credit Risk

39045

Fannie Mae & Freddie Mac

1/12/2023 5:00:00 AM

AB 2023-01

1/12/2023 7:00:40 PM

Home / Supervision & Regulation / Advisory Bulletins / Valuation of Mortgage Servicing Rights for Managing Counterparty Credit Risk Advisory Bulletin

5128

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Model Risk Management Guidance

38732

All

12/21/2022 5:00:00 AM

AB 2022-03

<table width="100%" class="ms-rteTable-default" cellspacing="0" style="margin:0px;padding:0px;line-height:inherit;font-family:"source sans pro", sans-serif;font-size:14px;vertical-align:baseline;table-layout:fixed;border-spacing:0px;font-stretch:inherit;background-color:#ffffff;"><tbody style="font:inherit;margin:0px;padding:0px;border:0px currentcolor;vertical-align:baseline;"><tr style="font:inherit;margin:0px;padding:0px;border:0px currentcolor;vertical-align:baseline;"><td class="ms-rteTable-default" style="font:inherit;margin:0px;width:776px;"> <span style="margin:0px;padding:0px;border:0px currentcolor;line-height:inherit;font-family:inherit;font-size:inherit;font-style:inherit;font-variant:inherit;vertical-align:baseline;font-stretch:inherit;font-weight:700 !important;">ADVISORY BULLETIN <span style="margin:0px;padding:0px;border:0px currentcolor;line-height:inherit;font-family:inherit;font-size:inherit;font-style:inherit;font-variant:inherit;vertical-align:baseline;font-stretch:inherit;font-weight:700 !important;">AB 2022-03:  Supplemental Guidance to Advisory Bulletin 2013-07 - Model Risk Management Guidance <span style="margin:0px;padding:0px;border:0px currentcolor;line-height:inherit;font-family:inherit;font-size:inherit;font-style:inherit;font-variant:inherit;vertical-align:baseline;font-stretch:inherit;font-weight:700 !important;"> <a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/AB-2022-03_Supplemental-Guidance-to-AB-2013-07-Model-Risk-Management-Guidance.pdf">[view PDF of Advisory Bulletin 2022-03]</a> </td></tr></tbody></table><h1> PURPOSE</h1>The Federal Housing Finance Agency (FHFA) is issuing this Advisory Bulletin (AB) as supplemental guidance to FHFA AB 2013-07: Model Risk Management Guidance, published on November 20, 2013. This AB is applicable to Freddie Mac, Fannie Mae,<a href="#footnote1" class="super-script">[1]</a> the Federal Home Loan Banks (FHLBanks), and the Office of Finance (OF) (collectively, the regulated entities<a href="#footnote2" class="super-script">[2]</a>) and clarifies and expounds on various topics covered in FHFA's existing guidance.   The intent of this AB's guidance, formatted as Frequently Asked Questions (FAQs), is to provide supplemental guidelines that will address some of the gaps in AB 2013-07 prompted by changes in model-related technologies and questions generated from the expanded use of complex models by the FHLBanks. The supplemental guidance also addresses model documentation, the communication of model limitations, model performance tracking, on-top adjustments, challenger models, model consistency, and internal stress testing.  <h1> BACKGROUND</h1>Since the publication of AB 2013-07, we have observed changes in model-related technologies which have prompted changes in guidance and generated questions regarding existing guidance. The advent of cloud technology and artificial intelligence/machine learning techniques have led to FHFA's issuance of specific guidance on these topics.<a href="#footnote3" class="super-script">[3]</a> However, the issuance of that guidance has created gaps in AB 2013-07.  In addition, the FHLBanks have increased the use of models, employing internally developed models as well as complex vendor models. Since the issuance of AB 2013-07, FHFA has also amended the regulation addressing FHLBank capital requirements<a href="#footnote4" class="super-script">[4]</a> and issued related FHLBank guidance on modeling. Specifically, FHFA issued additional guidance on market risk models (AB 2016-02; AB 2018-01) and mortgage credit risk models (AB 2018-02).<a href="#footnote5" class="super-script">[5]</a> The FHLBanks' expanded model use as well as recent FHFA regulations and guidance applicable to the FHLBanks have also created the need for expanded clarification of AB 2013-07.<a href="#footnote6" class="super-script">[6]</a>     <h1> GUIDANCE</h1> 1.  Model Risk Management Framework 1(a).  How should “less complex" entities address expectations in AB 2013-07? Model risk management should be commensurate with a regulated entity's model use and risk exposure. AB 2013-07 provides a distinction between “complex" (Fannie Mae and Freddie Mac) and “less complex" (FHLBanks and OF) entities. Over time, the FHLBanks have expanded the scope, scale, and complexity of their modeling activities. Thus, the FHLBanks and OF should be attentive to changes in the complexity, impact, and scope of their modeling environments and modify their model risk management practices accordingly. Pointedly, the distinction between “complex" and “less complex" does not exempt “less complex" regulated entities from the expectations in AB 2013-07, but it could affect the frequency and rigor of certain model risk management practices. 1(b).  Does the existing definition of “model use" in AB 2013-07 encompass all potential model applications considering recent changes to model uses? AB 2013-07 defines model use “as using a model's output as a key basis for informing business decision-making, managing risk, or developing financial reports." The adoption of artificial intelligence and machine learning techniques has expanded the definition of model use beyond business decision-making, risk management, and the development of financial reports. The regulated entities employ artificial intelligence and machine learning for various business processes (e.g., productivity tools such as facial recognition for access management and document digitization).  Although FHFA has articulated expectations for risk management of artificial intelligence and machine learning in AB 2022-02: Artificial Intelligence/Machine Learning Risk Management (Feb. 10, 2022), the governance for models used for business decision-making, risk management, and financial reporting should still adhere to the expectations outlined in AB 2013-07. Models not directly used for those purposes should follow a governance framework commensurate to the risk, consistent with AB 2013-07. For example, if a model is used for scanning and digitizing documents, controls appropriate to the process should be developed to manage the risk. In addition to AB 2013-07, other appropriate FHFA guidance should be considered and applied in those instances.<a href="#footnote7" class="super-script">[7]</a> 1(c).  What are the expectations for mapping of key dependencies on external model-related data, software, storage, and technology? Since the publication of AB 2013-07, FHFA has observed a wider adoption of technologies in the mortgage industry. Many of these technologies reside externally to the regulated entities and are largely outside of the regulated entities' control. Examples of such technologies are cloud servers, vendor models, and external data used by the regulated entities as inputs for their models. Although FHFA has published guidance related to externally sourced technologies such as AB 2018-04: Cloud Computing Risk Management (Aug. 14, 2018) and AB 2018-08: Oversight of Third-Party Provider Relationships (Sept. 28, 2018), FHFA expects the regulated entities to take a macro-prudential view of the risks posed by externally sourced data and technologies. The regulated entities should map their external dependencies to significant internal systems and processes to determine their systemic dependencies and interconnections. In particular, the regulated entities should have an inventory of key dependencies on externally sourced models, data, software, and cloud providers. This inventory should be regularly updated and reviewed by senior management and presented to the board of directors, as deemed appropriate. 1(d).  How should a regulated entity treat processes or components of modeling processes that incorporate qualitative elements or judgements? AB 2013-07, in its definition of models, covers quantitative approaches whose inputs are partially or wholly qualitative or based on expert judgment, provided that the output is quantitative in nature.  2.  Model Documentation 2(a).  What elements should the regulated entities' model use policies and procedures include to ensure that model documentation is sufficient? For all model uses, a regulated entity should have policies and procedures in place to ensure model owners compile and maintain comprehensive model documentation that is sufficiently detailed to enable a qualified third party to independently operate and maintain a model for each model use. A regulated entity's processes should be designed and operated reliably to maintain comprehensive model documentation that is complete prior to the independent model validation for a specific use. A regulated entity should have processes in place for revising or augmenting the documentation based on the results of the model validation prior to model implementation. Procedures and policies that require updates to model documentation are important to memorialize all model components correctly and comprehensively for each model use.  2(b).  How should a regulated entity address and mitigate the risks associated with model limitations across the model lifecycle? The regulated entities should clearly document significant model limitations within the model documentation, along with any root causes and mitigation strategies where appropriate. A regulated entity should document and clearly communicate to the model user community model limitations identified during model development and model validation. Model limitations do not only arise from technical limitations. Limitations arise in part from weaknesses in the model because of its various shortcomings, approximations, and uncertainties. Limitations are also a consequence of assumptions underlying a model that may restrict the scope of appropriate use to a limited set of specific circumstances and situations. Decision makers need to understand the limitations of a model to avoid using it in ways that are not consistent with the original intent. 3.  Model Validation Program 3(a).  Should a regulated entity's internal model validation guidelines provide specific standards for an independent validation? A regulated entity's internal model validation guidelines and practices should align with AB 2013-07's specific standards to ensure independent review and challenge to model assumptions, mathematical formulae, and inputs. The internal guidelines should include a sufficient level of detail to ensure that qualified experts perform the review at a sufficient breadth and depth. Further, the model validation report should include thorough descriptions of these reviews and relevant outcomes. An independent model validation should extend beyond an affirmation of the model's correctness and reasonableness.  3(b).  How should the regulated entities evaluate third-party model validations? When using an external vendor to complete an independent model validation, the regulated entity's model validation group is accountable for the quality, recommendations, and opinions of any third-party review. When evaluating a third-party model validation, a regulated entity should implement model risk management policies and practices that align the vendor-completed specific standards for an independent validation with the specific standards included in AB 2013-07.  3(c).  How should model validation findings and other model risk issues be monitored and reported? A regulated entity should establish processes for monitoring the remediation status of identified model validation findings and other model risk issues and for providing reports to senior management and management-level committees. Findings and issues with production models that are significant in nature should be governed in accordance with the regulated entity's issues management program.   3(d).  What are acceptable practices for effective challenge? Model risk management policies, as AB 2013-07 notes, should include acceptable practices for “effective challenge" of models. Effective challenge involves critical analysis by independent, informed parties who can identify model limitations, evaluate assumptions, and recommend appropriate changes. The efficacy of effective challenge depends on a combination of incentives, competence, and influence. For example, effective challenge requires that the regulated entities invest human capital resources in qualified personnel and ensure the distinct separation of the model challenge process from the model development process. In addition, the regulated entity should foster a corporate culture where senior levels of management give those responsible for effective challenge processes explicit authority, support, and stature within the organization.  3(e).  Do challenger or benchmark models play a role in the effective challenge of models? The regulated entities should have a well-developed effective challenge process in place to assess the effectiveness of models and the reasonableness of key assumptions. This may include a champion-challenger framework in which challenger models give an alternative perspective to a primary, or champion model, and provide a point of comparison allowing for analysis of model results and sensitivity of the output. It is desirable that potential challenger models are well vetted, and employ alternative approaches to estimation, which may include theoretical or methodological differences from the primary model. Effective challenge should be in place at all levels of estimation where model or estimation risk is affected – this includes overall loss estimates, component level estimates, assumptions, and component level inputs. The regulated entities should document the effective challenge process as well as any changes that result from it and the rationale for their decisions. Although benchmark models may never be considered to be replacements for the primary model, they provide a point of comparison for understanding how the primary model results differ from other widely-referenced available models used in industry. Benchmark models may also aid in understanding the primary model.    3(f).  What should a regulated entity consider when deciding if an end-user computing tool (EUC) or calculator should be subject to the guidance set forth in AB 2013-07? The increase in the complexity and reliance on EUCs and calculators to carry out critical financial operations has also fostered the requirement for enhanced EUC/calculator risk mitigation.  For example, a regulated entity should classify a significant or important EUC, calculator, or other data generating process as a model if the EUC, calculator, or process (1) feeds into or out of a model; (2) makes assumptions; and/or (3) incorporates thresholds or quantitative methodologies. Additionally, EUCs and calculators may be integrated into broader modeling processes. When applicable, a regulated entity should also treat integrated EUCs and calculators as models and subject the EUCs, calculators, or processes to model validations and governance in accordance with the frequency and rigor outlined in the regulated entity's model risk management policies and procedures. A regulated entity that includes EUCs and calculators as part of the broader modeling process is likely already subjecting those EUCs and calculators to the guidance set forth in AB 2013-07. 4.  Model Control Framework 4(a).  How is model performance tracking integral to the model control framework? A regulated entity should have policies and procedures in place for ongoing model performance tracking (MPT) for each significant model use prior to model production implementation. Performance tracking preemptively ensures model integrity through the business cycle. Properly designed model performance tracking metrics, thresholds, and alerts provide the model diagnostics necessary to identify and measure sources of model error. Model diagnostics are intended to capture model performance degradation timely and facilitate the appropriate corrective action. MPT metrics and thresholds should be tied to both downstream use effects and a model's integrity as measured by the accuracy of the key outputs. Model owners are expected to involve model users and model risk management teams to ensure MPT metrics are appropriate, and thresholds are set below the risk tolerance of the business unit. 4(b).  What should a regulated entity consider when establishing thresholds for model performance tracking? Ongoing model performance tracking should include well-supported and documented thresholds and procedures for responding to outputs outside these thresholds. A regulated entity should select, fully document, and reevaluate, on an ongoing basis, thresholds for each significant model use. As models alone do not drive these business decisions and risk management, model performance thresholds and alerts should be set at a level below the point where model error approximates or equals management risk limits or risk appetite. 4(c).  Should model performance tracking include an evaluation of model adjustments?   Ongoing model performance tracking should also include monitoring and analysis of any model overrides, on-top adjustments, recalibration, and use of (or changes to) tuning parameters. This monitoring should include documented, ongoing analysis establishing that any adjustments are appropriate for the model uses to which they are applied. 4(d).  How should a regulated entity use model performance tracking metrics and reports? MPT results show the model's reasonableness, robustness, and range with respect to its historical performance.  Backward-looking performance metrics provide a useful measure of error due to the model. In both normal and stressed economic environments, model performance reports can help identify a model's fundamental flaws or weaknesses. Model performance reports should include aggregate model errors that directly affect business decisions and risk management. Upstream models errors can propagate to downstream models which could amplify the errors. 4(e).  Should regulated entities document support for on-top adjustments that align model predictions to actual results? Periodically, model outputs will require on-top adjustments to produce more accurate results. These adjustments can occur at the component level or be applied to the overall result depending on the need for the adjustment. The regulated entities should develop and document a clear and transparent process for determining (1) when on-top adjustments to models are needed; (2) how the adjustment will be applied; and (3) the length of time for having these adjustments in place before finding a permanent solution. 4(f).  Is it sufficient to state that assumptions or on-top adjustments are conservative? Simply indicating that model assumptions or on-top adjustments are “conservative" is a qualitative assessment and does not provide sufficient support for a quantitative assumption or adjustment. A regulated entity should provide documentation to support significant modeling assumptions or on-top adjustments whether they are “conservative" or not. 4(g).  What role does effective challenge play in establishing on-top adjustments? When on-top adjustments are applied, the regulated entities should document the justification for the on-top adjustment, articulate the effect of the adjustment, and state for how long it will be applied. On-top adjustments should also be subjected to effective challenge. Model risk management should also track and review on-top adjustments to get a broad view that may reveal an enterprise-wide issue. 4(h).  How should a regulated entity manage the recurrent use of on-top adjustments? The use of on-top adjustments should initiate a review process to determine the reason for the on-top adjustment. The recurrent use of on-top adjustments in model estimates can be an indicator of an insufficient model or process robustness and should trigger a review. This review should assess whether the causes leading to use of the on-top adjustment are temporary. If the on-top adjustment is deemed to be recurrent rather than temporary, then the model or forecast process may require updating. If updates are necessary, the regulated entities should have in place a feedback process that engages with the relevant committees, business units, or individuals in a manner that allows model owners to promptly execute any necessary updates to the models. With the continued use of on-top adjustments, a regulated entity's documentation of the need to maintain the adjustments during the next validation cycle is an important feature of any review process. Full documentation of the findings of the review process, and the rationale for any decision and outcome, is another important element concluding the review process. 4(i).  Is a regulated entity expected to incorporate modeling assumptions and inputs in the same manner across various model uses? The regulated entities' policies and procedures should ensure that models, assumptions, and inputs, such as housing price appreciation or macroeconomic factors, are used in a consistent manner across the various financial and business practices where applicable. However, model flexibility is desirable to address circumstances in which models and assumptions cannot be used consistently. For example, if accounting rules prescribe a specific use, then the regulated entity would need a process to address that use and to evaluate and assess the effect of the inconsistency. The regulated entity should document the occurrence, the reason for the differences, and if it has a material effect, determine what steps may be needed to mitigate the effect.  4(j).  What are model implementation risks and how can these be mitigated? Errors can occur at any point from design through implementation, thus model risk management should include disciplined and knowledgeable development, testing and implementation processes. Data and other model inputs used to generate model results often rely on EUCs, upstream models, or other supplemental data generating processes that can be subject to human error or operational errors. A regulated entity should regularly evaluate and confirm that data or other input generating processes align with the documented model theory and have not been subject to human error.  5.  Internal Scenario and Sensitivity Analysis and Stress Testing 5(a).  What are FHFA's model expectations for scenario analysis? A regulated entity should use scenario analyses to assess the reliability, effectiveness, and stability of forecasts the models produce in a variety of situations and to identify potential issues with the models that can lead to inaccurate results. Scenario analysis should be distinguished from stress testing as both can be applied enterprise-wide and will often employ the regulated entities' most significant models. Internal scenario analysis and stress testing should be conducted on a recurring basis but should also be conducted as needed. 5(b).  What are FHFA's model expectations for sensitivity analyses? Sensitivity analysis can be conducted to assess the effect of many model-related factors (e.g., variables, model specification, key assumptions, constraints on intermediate outputs such as a loss severity floor). Because models are highly influenced by underlying assumptions in forecasted values, the regulated entity should assess how different assumptions and processes can affect the estimates. The regulated entity should use realistic expectations and an approach that makes intuitive sense when stressing key variables. Sensitivity analyses should be completed for each significant component model as well as the overall model or forecast. A regulated entity should vet thresholds or criteria they use for sensitivity analysis to ensure they are meaningful and realistic. 5(c).  What are FHFA's model expectations for internal stress testing? Stress testing is a critical tool for a regulated entity's risk management because it alerts senior management to unexpected adverse outcomes for a range of potential risks. Stress testing also may enable the regulated entity to better understand its models' expected losses by exposing model behavior or risk factor behavior that may not be otherwise realized. This may lead to reconsideration of existing model formulations that improve performance or enhance the usefulness of the model. Stress test scenarios should be designed to capture risks relevant to model predictions for each model use. Stress test scenarios should be developed using reasonable, potential scenarios and incorporate historical events and hypothetical future events, or those not observed historically, (e.g., scenarios without government intervention). Stress test scenarios should also consider potential systematic issues that may adversely affect the model's forecasts.  A stress test is designed to simulate the eﬀect of one or more shocks or prolonged downturns on the entire regulated entity. A “shock" is a large, sudden, adverse change in the state of the external world or the internal state of a regulated entity. A shock appears suddenly, and its eﬀects are felt immediately. A “prolonged downturn" is a large, adverse change in the state of the world that emerges and becomes apparent slowly over time. Stress scenarios should be designed to ensure that, in the aggregate, the scenario is sufficiently stressful to challenge the risk management processes, capital, and earnings positions of the regulated entity. Scenario severity should consider countercyclical scenario design principles (i.e., a more pronounced economic downturn when current conditions are stronger and a less pronounced economic downturn when current conditions are weak). Each scenario variable follows a predetermined path over time. For computational ease, a stress test can assume that the regulated entity has “exact foresight," a more deterministic approach where at each point in time within the planning horizon the regulated entity knows the exact path that a variable will follow. Alternatively, a stress test can assume that a regulated entity has only “incomplete foresight" – that at each point in time the regulated entity can only imperfectly forecast a variable's future path. To ensure that stress tests are realistic regarding what can be known ex ante about the future, stress tests should include incomplete foresight when feasible. Incomplete foresight incorporates a more stochastic approach to scenario generation of variables where outcomes are random or uncertain. In addition, stress tests should provide a range of potential losses in addition to point estimates, and these results should be regularly reported to senior management so that they are aware of the output uncertainties associated with models. <h1> RELATED GUIDANCE AND REGULATIONS</h1> Model Risk Management Guidance, FHFA AB 2013-07 (Nov. 20, 2013). Operational Risk Management, FHFA AB 2014-02 (Feb. 18, 2014). FHLBanks Changes to Internal Market Risk Models, FHFA AB 2016-02 (Apr. 21, 2016). Data Management and Usage, FHFA AB 2016-04 (Sept. 29, 2016). Information Security Management, FHFA AB 2017-02 (Sept. 28, 2017). Scenario Determination for Market Risk Models Used for Risk-Based Capital, FHFA AB 2018-01 (Feb. 7, 2018). FHLBank Use of Models and Methodologies for Internal Assessments for Mortgage Asset Credit Risk, FHFA AB 2018-02 (Apr. 26, 2018). Cloud Computing Risk Management, FHFA AB 2018-04 (Aug. 14, 2018). Oversight of Third-Party Provider Relationships, FHFA AB 2018-08 (Sept. 28, 2018). Business Resiliency Management, FHFA AB 2019-01 (May 7, 2019). Compliance Risk Management, FHFA AB 2019-05 (Oct. 3, 2019). Enterprise Risk Management Program, FHFA AB 2020-06 (Dec. 11, 2020). Artificial Intelligence/Machine Learning Risk Management, FHFA AB 2022-02 (Feb. 10, 2022). 12 CFR part 1236, Appendix, Prudential Management and Operations Standards 12 CFR part 1277, Federal Home Loan Bank Capital Requirements, Capital Stock and Capital Plans. <hr /> <a name="footnote1" class="super-script">[1]</a> Common Securitization Solutions, LLC (CSS) is an “affiliate" of both Fannie Mae and Freddie Mac, as defined inthe Federal Housing Enterprises Financial Safety and Soundness Act of 1992, as amended.  12 U.S.C. 4502(1), and this AB applies to it. <a name="footnote2" class="super-script">[2]</a> The OF is not a “regulated entity" as the term is defined in the Federal Housing Enterprises FinancialSafety and Soundness Act as amended.  See 12 U.S.C. 4502(20).  However, for convenience, references to the “regulated entities" in this AB should be read to also apply to the OF. <a name="footnote3" class="super-script">[3]</a> Cloud Computing Risk Management, FHFA AB 2018-04 (Aug. 14, 2018).  Artificial Intelligence/Machine Learning Risk Management, FHFA AB 2022-02 (Feb. 10, 2022). <a name="footnote4" class="super-script">[4]</a> 12 CFR part 1277—Federal Home Loan Bank Capital Requirements, Capital Stock and Capital Plans; see 84 Fed. Reg. 5426 (Feb. 20, 2019) (amending FHFA's regulation on FHLBank capital requirements). <a name="footnote5" class="super-script">[5]</a> FHLBank Changes to Internal Market Risk Models, FHFA AB 2016-02 (Apr. 21, 2016); Scenario Determination for Market Risk Models Used for Risk-Based Capital, FHFA AB 2018-01 (Feb. 7, 2018); FHLBank Use of Models and Methodologies for Internal Assessments for Mortgage Asset Credit Risk, FHFA AB 2018-02 (Apr. 26, 2018). <a name="footnote6" class="super-script">[6]</a> The capital rule (12 CFR part 1277—Federal Home Loan Bank Capital Requirements, Capital Stock and Capital Plans) requires the FHLBanks to use models for credit risk (as opposed to their previous reliance on credit ratings). FHFA's Division of Bank Regulation (DBR) can direct an FHLBank to revise its credit risk methodology or model to address any deficiencies identified by FHFA. DBR's capital rule also requires that the FHLBanks seek approval for changes to their market risk models. A Bank making a change to a market risk model should follow the process outlined in AB 2016-02.  <a name="footnote7" class="super-script">[7]</a> Other appropriate FHFA guidance includes, for example:  Artificial Intelligence/Machine Learning Risk Management, FHFA AB 2022-02 (Feb. 10, 2022); Enterprise Risk Management Program, FHFA AB 2020-06 (Dec. 11, 2020); Compliance Risk Management, FHFA AB 2019-05 (Oct. 3, 2019); Business Resiliency Management, FHFA AB 2019-01 (May 7, 2019); Oversight of Third-Party Provider Relationships, FHFA AB 2018-08 (Sept. 28, 2018); Information Security Management, FHFA AB 2017-02 (Sept. 28, 2017); Data Management and Usage, FHFA AB 2016-04 (Sept. 29, 2016); Operational Risk Management, FHFA AB 2014-02 (Feb. 18, 2014).   <div><table width="100%" class="ms-rteTable-default" cellspacing="0" style="font-family:"source sans pro", sans-serif;font-size:14px;font-style:normal;font-weight:400;"><tbody><tr><td class="ms-rteTable-default" style="width:776px;">FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. Questions about this advisory bulletin should be directed to: <a href="mailto:SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>.    </td></tr></tbody></table> </div>

1/17/2023 10:42:17 PM

Home / Supervision & Regulation / Advisory Bulletins / Model Risk Management Guidance Advisory Bulletin AB 2022-03: Supplemental Guidance to Advisory Bulletin 2013-07

4339

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Artificial Intelligence/Machine Learning Risk Management

38730

Fannie Mae & Freddie Mac

2/10/2022 5:00:00 AM

AB 2022-02

<table width="100%" class="ms-rteTable-default" cellspacing="0" style="margin:0px;padding:0px;line-height:inherit;font-family:"source sans pro", sans-serif;font-size:14px;vertical-align:baseline;table-layout:fixed;border-spacing:0px;font-stretch:inherit;background-color:#ffffff;"><tbody style="font:inherit;margin:0px;padding:0px;border:0px currentcolor;vertical-align:baseline;"><tr style="font:inherit;margin:0px;padding:0px;border:0px currentcolor;vertical-align:baseline;"><td class="ms-rteTable-default" style="font:inherit;margin:0px;width:776px;"> <span style="margin:0px;padding:0px;border:0px currentcolor;line-height:inherit;font-family:inherit;font-size:inherit;font-style:inherit;font-variant:inherit;vertical-align:baseline;font-stretch:inherit;font-weight:700 !important;">ADVISORY BULLETIN <span style="margin:0px;padding:0px;border:0px currentcolor;line-height:inherit;font-family:inherit;font-size:inherit;font-style:inherit;font-variant:inherit;vertical-align:baseline;font-stretch:inherit;font-weight:700 !important;">AB 2022-03:  Supplemental Guidance to Advisory Bulletin 2013-07 - Model Risk Management Guidance <span style="margin:0px;padding:0px;border:0px currentcolor;line-height:inherit;font-family:inherit;font-size:inherit;font-style:inherit;font-variant:inherit;vertical-align:baseline;font-stretch:inherit;font-weight:700 !important;"><a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/Advisory-Bulletin-2022-02.pdf">[view PDF of Advisory Bulletin 2022-02]</a> </td></tr></tbody></table><h1> </h1> Purpose This advisory bulletin (AB) provides Federal Housing Finance Agency (FHFA) guidance to Fannie Mae and Freddie Mac (collectively, the Enterprises)<a href="#footnote1">[1]</a> on managing risks associated with the use of artificial intelligence and machine learning (AI/ML). This AB is intended to highlight key risks inherent in the use of AI/ML that are applied across a variety of business and operational functions, and considerations for effectively managing these risks. FHFA recognizes that AI/ML is an evolving field and encourages the responsible innovation and use of AI/ML that is consistent with the safe and sound operations of the Enterprises. BackgroundFor purposes of this AB, artificial intelligence broadly refers to the development and application of computational tools and computer systems able to perform tasks normally requiring human intelligence, and machine learning is a sub-category of AI described as algorithms that optimize automatically through experience and with limited or no human intervention.<a href="#footnote2">[2]</a> The combined term, AI/ML, encompasses the sub-categories of AI, such as computer vision and natural language processing, as well as the various methods used in ML, such as supervised learning, unsupervised learning, reinforcement learning, deep learning, and neural networks. AI/ML can be leveraged in models, applications, tools, and systems throughout its lifecycle. Generally, the AI/ML lifecycle includes stages addressing proof-of-concept, development, implementation and deployment, production use, and retirement. The use of AI/ML presents benefits and risks as it increases the opportunity for decisions to be made and relied upon with significantly less human involvement. With increases in computing power, AI/ML can be used by the Enterprises to process vast datasets, identify complex relationships, and improve efficiencies and operations with reduced error and cost. However, AI/ML applications can also expose the Enterprises to financial, compliance, reputational, model, and other risks. For example, AI/ML algorithms developed using incomplete or unrepresentative data with unclear relationships between model inputs and outputs could exacerbate existing risks and result in poor or costly business decisions. As AI/ML continues to advance, the associated risks will also evolve—posing challenges to existing risk management practices. For instance, as AI/ML becomes more automated and integrated into business processes within and across business lines, the interconnected nature of the risks can introduce more complexity in risk management. Reliance on AI/ML without sufficient risk oversight and transparency can create heightened risks for the Enterprises. FHFA's Prudential Management and Operations Standards (PMOS), Appendix to 12 CFR Part 1236, sets forth general responsibilities of the board and senior management, as well as specific responsibilities for management and operations relating to ten enumerated standards, adopted as guidelines. Standard 1 (Internal Controls and Information Systems) and Standard 8 (Overall Risk Management Processes) highlight the need for the Enterprises to establish risk management practices that identify, assess, control, monitor, and report risk exposures, and the need to have appropriate risk management policies, standards, procedures, controls, and reporting systems in place. These guidelines are especially relevant to the Enterprises' use and risk management of AI/ML. Guidance The Enterprise should incorporate the following guidance to manage the risks posed by the use of AI/ML, taking into consideration existing laws, regulations, and other FHFA supervision guidance. The sophistication of the AI/ML risk management activity should be proportionate to each Enterprise's size, complexity, and risk profile. The Enterprise should leverage enterprise- wide risk management and control frameworks, including those used for model, data, technology, information security, third-party, and compliance risk management, to the extent practicable. These frameworks, however, may need to be enhanced and adapted with the considerations highlighted in this guidance to address the heightened risks that AI/ML can pose to business operations. Given the evolving nature of AI/ML, risk management should be flexible to accommodate changes in the adoption, development, implementation, and use of AI/ML at the Enterprise. The degree and scope of risk management and controls addressing AI/ML should be risk-based and commensurate with the extent and complexity of AI/ML development and use at the Enterprise, as well as the level of risk exposure. For example, high-risk AI/ML use cases— such as those that affect the Enterprise's critical business functions, invoke compliance with laws and regulations, or involve highly complex and opaque methods—warrant more robust risk management considerations than AI/ML uses that are low risk or transparent. I.      Governance AI/ML tools and systems can support a range of functions across the Enterprise, such as customer engagement, risk analysis, credit decision-making, fraud detection, and information security. The use of AI/ML can also expose the Enterprise to heightened risks, including compliance, financial, operational, and model risks. Effective governance of AI/ML should address these varied, cross-sectional risks in the context of the complexity and sophistication of the AI/ML methods used and the extent and materiality of each AI/ML use case. The Enterprise should develop an enterprise-wide strategy for responsible AI/ML adoption that identifies the goals, benefits, and risks of AI/ML and clearly documents the corresponding risk management approach and framework for ensuring the application of appropriate risk governance. This strategy should be consistent with a risk culture and applicable risk appetite that integrates AI/ML core ethical principles into business processes and operations.<a href="#footnote3">[3]</a> The existing enterprise-wide risk management framework and governance processes should be leveraged to the extent practicable and updated to incorporate AI/ML concepts and risk management considerations. The Enterprise should consider the following as foundational components when establishing a safe and sound AI/ML governance structure:<ul><li> AI/ML Core Ethical Principles – A set of core ethical principles should guide the Enterprise's use of AI/ML and facilitate consistent governance across various business activities and functions, taking into consideration legal and compliance risks as well as how humans should interact with AI/ML systems. Personnel should be trained and aware of when and how these principles apply. These principles can include, but are not limited to, the following:</li><ul><li> Transparency – Provide adequate clarity regarding how and why AI/ML is used, in addition to sufficient understanding, interpretability,<a href="#footnote4">[4]</a> and explainability,<a href="#footnote5">[5]</a> allowing for objective assessment and conceptual soundness validation.</li><li> Accountability – Assign appropriate human responsibility for AI/ML outcomes with adequate explanation and justification throughout each lifecycle stage in order to avoid and mitigate adverse outcomes.</li><li> Fairness and Equity – Implement processes that drive fair and equitable AI/ML outcomes across different groups. Fairness is evaluated in consideration of the conditions and objectives of the AI/ML activity, and when applicable, in light of social, economic, political, or cultural biases.</li><li> Diversity and Inclusion – Adequately address explicit and implicit biases in AI/ML systems that hinder diversity, inclusiveness, and representativeness across groups, in accordance with 12 CFR Part 1223, and addressing explicit and implicit biases in AI/ML systems.</li><li> Reliability – Design AI/ML capabilities to operate as intended throughout each lifecycle stage, taking into account purpose, values, accuracy, and safety.</li><li> Privacy and Security – Respect and protect privacy rights and data used for development and use of AI/ML throughout each lifecycle stage using industry best practices, as applicable.</li></ul><li>AI/ML Definitions and Taxonomy – An enterprise-wide definition and taxonomy for AI/ML terms and capabilities fosters a common vocabulary and understanding across the enterprise in a field that is rapidly evolving. Examples of capabilities include, but are not limited to, techniques such as prediction, classification, natural language, vision, web scraping. Examples of AI/ML terms include, but are not limited to, techniques such as supervised learning, unsupervised learning, reinforcement learning, neural networks, and deep learning. A taxonomy with clear definitions of AI/ML terms and capabilities should facilitate the effective identification and management of AI/ML risks. This taxonomy should include what the Enterprise is and is not classifying as an AI/ML model.</li><li> AI/ML Inventory – A comprehensive inventory that captures the Enterprise's AI/ML use cases across business lines, can provide the Enterprise with a holistic view of how to best manage its AI/ML associated risks. The Enterprise should determine the degree to which it needs to identify and document AI/ML techniques in addition to use cases, understanding that AI/ML can be embedded in models, applications, systems, platforms, tools, and services—either developed in-house or procured from third-party vendors. The AI/ML inventory should be appropriate for the Enterprise's size, complexity, and risk profile, and include AI/ML use cases that range from proof-of-concept through production. To the extent practicable, the AI/ML inventory should be aligned with existing enterprise-wide inventory systems, such as those used for models, IT assets, and third parties. </li></ul> A.      Roles and Responsibilities Consistent with the Enterprise's overall enterprise risk management (ERM) program,<a href="#footnote6">[6]</a> the board of directors (board) is responsible for overseeing enterprise-wide risk management and fostering an effective risk culture. An enterprise-wide approach to managing AI/ML risks should be incorporated into the Enterprise's ERM program and managed within the Enterprise's risk appetite and applicable risk limits framework. Senior management is responsible for executing the AI/ML strategy and the specific risk management practices for AI/ML. Senior management should consider an interdisciplinary approach to AI/ML business decision-making, risk management, and risk oversight that includes sufficient representation from first-line business functions and second-line oversight functions when developing, implementing, and using AI/ML. Effective AI/ML risk management includes the following considerations commensurate with the risk and complexity involved in the Enterprise's use of AI/ML: <ul><li> Assigned AI/ML risk management roles that are clearly defined and include accountability;</li><li> Clear reporting lines and communication protocols for reporting relevant AI/ML metrics and escalating conflicts;</li><li> Appropriately allocated resources for AI/ML that are in line with business needs and consider the benefits and risks;</li><li> The sufficiency of technical expertise and appropriateness of resources for the complexity and scope of AI/ML techniques;</li><li> The ability of designated personnel to provide current and appropriate guidance on AI/ML adoption and use strategy;</li><li> The training of personnel across the three lines of defense on AI/ML applications, risks, and controls;</li><li> The regular updating of AI/ML related policies, standards, and procedures and the appropriate integration of these into business lines; and</li><li> The timely remediation of issues or concerns identified by FHFA or internal audit, or self-identified by the business.</li></ul> B.     Policies, Standards, and Procedures The Enterprise's risk policies, standards, and procedures should incorporate measures for identifying, assessing, controlling, monitoring, and reporting AI/ML risks. The Enterprise should develop and maintain processes that promote safe and sound practices throughout the AI/ML lifecycle, incorporating independent review and effective challenge of AI/ML by the second line. Policies, standards, and procedures should also clearly define roles and responsibilities, strategies, risk appetite, and documentation requirements. AI/ML core ethical principles, definitions, taxonomy, and inventory should also be incorporated into policies, standards, and procedures to ensure consistent application across the enterprise. To accommodate the rapidly changing nature of AI/ML, related policies, standards, and procedures may need to be updated on a more frequent basis than non-AI/ML related governing documents. II.      Risk Identification and Assessment The Enterprise's decision of whether to develop, acquire, and use AI/ML should begin with effective and timely risk identification and risk assessment processes that capture the risks and benefits associated with AI/ML.<a href="#footnote7">[7]</a> This should include analyzing and addressing past incidents and lessons learned from the Enterprise's use of AI/ML. Given the rapid technological advancement of AI/ML and the ability of AI/ML models to dynamically update over time, the identification and assessment of AI/ML risks may need to be done frequently, as needed. For example, a risk assessment conducted when an AI/ML tool was in a proof-of-concept stage can quickly become outdated if the scope of use expands in production. As risks can manifest across the Enterprise beyond a single use case, it is critical to know whether an AI/ML approach that was independently reviewed initially has significantly evolved over time. Whether AI/ML is developed in house or procured from a third party, risk identification and assessment of AI/ML risks should be incorporated in a timely manner into existing risk management processes. This includes identifying when AI/ML meets the definition of a model<a href="#footnote8">[8]</a> and determining the appropriate risk management processes that apply. This process should follow clear criteria and document the Enterprise's rationale to pursue a particular use case. Risk identification and assessment should incorporate cross-collaboration and review among stakeholders across divisions, business lines, and risk teams to comprehensively capture AI/ML risks. The Enterprise should have personnel with adequate AI/ML and data analytics subject matter expertise in key positions across all three lines of defense to accurately identify and assess AI/ML risks at appropriate junctures in the AI/ML lifecycle. For instance, AI/ML may be embedded into third-party software and hardware used in customer decisioning or interface that is not readily apparent but influences performance. In this example, stakeholders in technology, modeling, and third-party risk management should be involved in order to adequately identify and assess risks. The financial, compliance, legal, reputational, and operational risks that are typically assessed for any business activity should be evaluated with respect to the use of AI/ML. Risks may become heightened given the complexity and speed of AI/ML innovation and use, which can manifest in unfamiliar ways, thus making AI/ML risks harder to identify in an effective and timely manner. Key risk considerations are discussed in more detail below. A.     Model Risks For AI/ML, the following are heightened model risks: <ul><li>Black Box Risk – There can be an inherent tradeoff between model complexity, accuracy, and transparency when using AI/ML models. Complex AI/ML models may not offer clear relationships between model inputs and outputs that are readily understandable by humans. A lack of interpretability, explainability, and transparency – or “black box risk" – can translate into higher levels of uncertainty about the conceptual soundness and suitability of the AI/ML approach. Related to this is the risk of a lack of expertise among model developers in building and users in applying AI/ML models.</li><li>Overfitting – Model out-of-sample performance may be significantly worse than in- sample performance when a model learns from idiosyncratic patterns in the training data that is not representative of the population being modeled.<a href="#footnote9">[9]</a> While overfitting is a common risk with traditional models, the risk is heightened with the use of AI/ML models. Undetected overfitting could result in incorrect predictions or categorizations.</li><li>Model Drift – The risk of model performance degradation over time is also heightened with the use of AI/ML models. This can be driven by data drift—which occurs when there are changes in the population being modeled thereby affecting the representativeness of input data--or concept drift, which occurs when the relationships between model inputs and outputs change.</li><li>Model Calibration and Feedback – Dynamic model calibration, self-updating, and continuous feedback with the use of certain AI/ML models can present heightened model risks, as these models may create a feedback loop that is not well understood. The accuracy of the AI/ML model's results may degrade rapidly if compromised feedback is not detected in a timely manner. More opaque and complex AI/ML models can also present challenges in understanding why a particular approach experiences performance degradation due to a lack of transparency. </li><li>Bias<a href="#footnote10">[10]</a> – Bias in AI/ML models contributes to poor predictability and can lead to discriminatory or unfair outcomes that benefit or harm some individuals, groups, or communities disproportionately. Bias can arise from the data used and can be amplified by the algorithm itself.</li><li>Model Misuse – Business users may lack an adequate level of understanding of the AI/ML model's output and limitations. Model misuse may also be driven by misalignment between the model methodology or algorithm and the business problem to be addressed and quantified by the model.</li><li>Vendor Models – The use of vendor AI/ML models may heighten existing vendor model risks because of increased model and data complexity and lack of transparency due to the proprietary nature of such models. </li></ul><ul></ul> B.     Data Risks The quality and appropriateness of data used in AI/ML is crucial in producing reliable decisions or predictions. Large and diverse datasets drive many AI/ML algorithms. Unrepresentative and unsuitable data reduces the accuracy and utility of AI/ML. The following data risks are heightened with the use of AI/ML: <ul><li>Appropriateness and suitability of data for purpose (e.g., data source and selection of data).</li><li>Appropriateness and suitability of the dataset for a particular stage of use (e.g., data for training versus production, testing, and validation).</li><li>Accuracy and quality of data used in training and production.</li><li>Appropriateness of data sampling techniques used that could result in imbalanced datasets.</li><li>Bias in selection of data such as omission bias or stereotype bias, and bias in data processing.</li><li>Complex, high-dimensional data, and new, unfamiliar data sources, such as third-party data or unstructured data.</li><li>Time and cost associated with acquiring, curating, and preparing data.</li><li>Lack of data lineage preservation and the failure to identify root causes of errors or risks associated with the storage and movement of data that could affect data integrity.</li><li>Security of data from unintentional and intentional manipulation of data, such as data poisoning.</li></ul> C.     Other Operational Risks The use of AI/ML involves other operational risks, such as information technology, information security, third-party, and business resiliency risks. Depending on the scope and complexity of AI/ML use cases, the following are areas of potential risk: <ul><li>IT infrastructure – Legacy IT systems may not be able to support the storage, transfer, and processing of big datasets for AI/ML. Implementing AI/ML can also place a high demand on IT infrastructure and cloud-based services. Insufficient computing power and hardware can degrade network latency and performance standards per established key indicators. For example, AI/ML models that require reliable computing speed to handle model complexity and frequent recalibration needed for production readiness may be negatively impacted by ill-equipped IT systems.</li><li>Information security – Adopting AI/ML systems may pose risks to existing processes that can compromise the confidentiality, integrity, and availability of information. Open source software or application program interfaces (APIs) embedded into AI/ML technology may also present susceptibility to adversarial attacks.</li><li>Business continuity – Business functions supported by AI/ML can feed into downstream business processes or other AI/ML systems that can cause significant disruptions across the enterprise if AI/ML performance is degraded or compromised.</li><li>Use of AI/ML through third-party providers – Third-party provided products and services—ranging from those with embedded AI/ML to cloud providers hosting AI/ML platforms—present potential business resiliency and concentration risks if AI/ML services are limited to a few vendors.<a href="#footnote11">[11]</a> </li></ul> D.     Regulatory and Compliance Risks The use of AI/ML presents regulatory and compliance risks, such as compliance with consumer protection, fair lending, privacy, and employment discrimination laws and regulations. For example, the use of AI/ML-based credit underwriting models in credit decision-making can present compliance risks due to a lack of explainability of the model, interpretability of the model output, and adequacy of controls in the decision-making process that may be mandated by consumer protection and fair lending laws and regulations. Additionally, personal data used in AI/ML may be subject to complex data governance and privacy laws with requirements such as anonymizing data, securing consent to use the data, and maintaining a record of how data is used, accessed, and stored. III.     Control Framework The degree and scope of risk management and controls addressing AI/ML should be commensurate with the extent and complexity of AI/ML development and use at the Enterprise and level of risk exposure. The Enterprise should consider the evolving nature of AI/ML when evaluating, adjusting, or adding mitigating controls. Appropriate stakeholders should determine whether controls are in line with applicable risk appetite metrics. Controls mitigating AI/ML risk should be embedded in policies, standards, and procedures, and in the roles and responsibilities of all stakeholders throughout the AI/ML lifecycle. Key control considerations are discussed in more detail below. A.     Model Controls While FHFA guidance for model risk management and model controls framework<a href="#footnote12">[12]</a> applies to AI/ML models, the Enterprise should also consider: <ul><li> Whether model risk policies, standards, procedures, and practices sufficiently address AI/ML concepts such as—but not limited to—model interpretability, explainability, transparency, bias, fairness, dimensionality reduction, hyperparameter selection, feature engineering, and dynamic retraining and updating. Existing model risk management practices may need to be adapted to address non-traditional use cases, such as chatbots, cybersecurity, and human resources analytics. </li><li> Whether the Enterprise has staff across all lines of defense with appropriate knowledge, skills, and experience in AI/ML data science, analytics, and modeling. For example, model owners and users should have a sufficient understanding of the underlying AI/ML model assumptions and limitations. </li><li> Whether the Enterprise has an AI/ML model development process that guides initial determinations on data quality and suitability, model conceptual soundness, explainability, and appropriateness of use. </li><li> Whether the Enterprise has tools and techniques to determine drivers of AI/ML model decisions and to assist in model interpretability, bias detection, and performance testing. </li><li> Whether the frequency of AI/ML model performance tracking and ongoing monitoring is adequate to observe changes in model drift and degradation, dynamic updating, and the adequacy of corresponding model change management processes. For example, AI/ML models may update more frequently than traditional models, requiring recalibration and tuning as the algorithm learns from new data. To accommodate this more frequent update cycle, the AI/ML model should be dynamically monitored to detect changes in performance and impact on business usage. </li></ul><ul><li> Whether the frequency and scope of model validation and effective challenge processes is adequate to sufficiently address AI/ML models and related concepts. For example, point- in-time independent model risk management and model validation approaches may need to be adapted as AI/ML models may not be static between reviews. </li><li> All AI/ML models are expected to go through model validation. This includes AI/ML models used by internal audit and other functions that may not traditionally use model output such as the information technology functions. In all cases, the second line model risk management function should perform the validation, or contract with a third party for the validation should additional expertise be necessary. </li><li> Model risk management processes for identification of material model changes may need to be enhanced, given the more frequent AI/ML model change management cycle. </li><li> Whether model documentation requirements and frequency of update are adequate to reflect current AI/ML model input and output relationships and model operation. </li><li> Whether consideration of ethical principles, such as fairness and bias, are adequately addressed throughout all lifecycle stages. </li><li> Whether an adequate independent assessment of third-party AI/ML models is performed to evaluate the conceptual soundness, security, and integrity of the AI/ML model's development and performance. </li></ul>Challenger Models Challenger models are developed as an alternative to a champion or production model, allowing for testing of alternative theoretical or estimation methodologies. Challenger models may be developed internally or by external vendors, subject to the same principles as internally developed challenger models. The criteria for determining champion and challenger models should be clear and measurable, and provide adequate support for why one model is chosen to be the champion model along with analysis of model performance and related assumptions. The Enterprise should take a risk-based approach with regard to the intensity and frequency of a challenger model's validation and effective challenge and, to the extent AI/ML techniques are utilized, ensure heightened risk management considerations as described in this AB are considered. B.     Data Controls Data risk management strategies, governance, policies, procedures, and standards may need to be enhanced to address increased data risks associated with the use of AI/ML.<a href="#footnote13">[13]</a> The Enterprise should consider the following when evaluating the data risks associated with AI/ML: <ul><li>The adequacy of data risk management roles and responsibilities such as data ownership and management. For example, there may need to be more frequent and robust data accountability roles and approval processes to address data quality, relevance, and compliance concerns.</li><li>The strength of practices and processes to mitigate the sources of data bias, such as data proxies and use of over- or under-represented data.</li><li>The efficacy of each stage of data management, including the acquisition and sourcing of data, data preparation and processing, data quality review, and data sampling to address data bias, appropriateness, quality, and preservation.</li><li>The adequacy of documentation requirements for each stage of data management, such as usage rights and data permissions.</li><li>The strength of data lineage practices with all types of data formats, such as unstructured data, that adequately captures the transformations and modifications to data.</li><li>The adequacy of enterprise-wide data architecture and systems to accommodate the storage, processing, and movement of vast, complex data sets and various data types used for AI/ML while ensuring business operations are not adversely affected.</li><li>The degree and frequency of monitoring data at each stage of use to identify risks such as data drift and data anomalies.</li><li>The adequacy of data testing measures and remediation to ensure data issues are resolved.</li><li>The sufficiency of data security measures from internal and external threats and compromises to data. </li></ul> C.     Other Operational Controls To address other operational risks raised with the use of AI/ML, the Enterprise should consider the following risk mitigation solutions: <ul><li>Scalable infrastructure to support data storage and computing power necessary to meet operational and business needs. </li><li>Business continuity plans and incident response plans that are adapted to AI/ML tools, systems, and applications, including third-party AI/ML products and services. </li><li>Contingency plans, including manual override functions, when automated AI/ML dependent processes become skewed. </li><li>Workarounds that address interconnectivities and dependencies of data. </li><li>Sufficient and consistent testing of in-house and third-party AI/ML tools, applications, and systems to assess integrity, security, and business resiliency. </li><li>Appropriate change management practices and procedures to accommodate evolving AI/ML techniques. </li><li>Security measures to monitor and protect cloud-based AI/ML models and data. </li><li>Open-source software controls.</li><li>Contractual requirements with third-party providers of AI/ML models and data that ensure transparency and accountability with use. </li></ul> D.     Regulatory and Compliance Controls The Enterprise may need to adapt its existing regulatory and compliance risk management practices and controls to accommodate AI/ML associated risks, including the following: <ul><li>Revising policies, procedures, and standards to address AI/ML explainability, interpretability, and transparency, and compliance with applicable laws and regulations.</li><li>Designing a compliance risk management program,<a href="#footnote14">[14]</a> that includes analysis of relevant consumer protection, employment discrimination, privacy, and other laws and regulations as they apply to the use of personal and alternative data.</li><li>Involving qualified compliance personnel during AI/ML development and implementation to ensure data and methodologies comply with applicable laws and regulations.</li><li>Integrating fair lending reviews and testing, as appropriate, through all lifecycle stages. </li></ul> IV.      Risk Monitoring, Reporting, and CommunicationThe Enterprise should establish appropriate key risk indicators (KRIs) and key performance indicators (KPIs) for monitoring and analyzing AI/ML risks and risk management practices in line with risk appetite. These KRIs and KPIs can indicate whether existing risk management practices are effective or need to be modified. AI/ML related risk and performance metrics should be reported and communicated to the appropriate stakeholders across the enterprise. Reporting and communication protocols may need to be reviewed and adjusted more frequently to optimally capture and timely convey AI/ML associated risks as they evolve and change. The Enterprise should consider the following when monitoring, reporting, and communicating AI/ML risks within and across business lines: <ul><li>The degree and frequency of monitoring needed to adequately capture the scope of AI/ML risks, including model, data, compliance, information security, and other operational risks.</li><li>The relevancy and effectiveness of KPIs and KRIs in measuring changes to the risk profile associated with AI/ML risks, and the frequency to which they need to be evaluated and reviewed for changes. Such metrics should also reveal the comparative business advantages or disadvantages of using AI/ML. </li><li>The benefits and risks associated with AI/ML powered monitoring applications and the appropriate level of human involvement and discretion needed for monitoring AI/ML risks.</li><li>The adequacy of reporting within and across business units, lines, and the enterprise, including board and senior management, to effectively communicate AI/ML risks. </li><li>The type of information regarding AI/ML performance and risks that needs to be conveyed to different stakeholders across the enterprise and escalated to senior management and the board. For example, first line data scientists and modelers may rely on granular AI/ML metrics while second line risk management may utilize broader, aggregated AI/ML data. </li></ul><div> Related Guidance and Regulations12 CFR Part 1239, Responsibilities of Boards of Directors, Corporate Practices, and Corporate Governance Matters. 12 CFR Part 1236, Appendix, Prudential Management and Operations Standards. 12 CFR Part 1223, Minority and Women Inclusion.Model Risk Management Guidance, Federal Housing Finance Agency Advisory Bulletin 2013- 07, November 20, 2013. Operational Risk Management, Federal Housing Finance Agency Advisory Bulletin 2014-02, February 18, 2014. Data Management and Usage, Federal Housing Finance Agency Advisory Bulletin 2016-04, September 29, 2016. Internal Audit Governance and Function, Federal Housing Finance Agency Advisory Bulletin 2016-05, October 7, 2016. Information Security Management, Federal Housing Finance Agency Advisory Bulletin 2017- 02, September 28, 2017. Cloud Computing Risk Management, Federal Housing Finance Agency Advisory Bulletin 2018-04, August 14, 2018. Oversight of Third-Party Provider Relationships, Federal Housing Finance Agency Advisory Bulletin 2018-08, September 28, 2018. Business Resiliency Management, Federal Housing Finance Agency Advisory Bulletin 2019- 01, May 7, 2019.Compliance Risk Management, Federal Housing Finance Agency Advisory Bulletin 2019-05, October 3, 2019. Enterprise Risk Management Program, Federal Housing Finance Agency Advisory Bulletin 2020-06, December 11, 2020. Enterprise Fair Lending and Fair Housing Compliance, Federal Housing Finance Agency Advisory Bulletin 2021-04, December 20, 2021. _______________________________ </div><div> <a name="footnote1">[1]</a> Common Securitization Solutions, LLC (CSS) is an “affiliate" of both Fannie Mae and Freddie Mac, as defined in the Federal Housing Enterprises Financial Safety and Soundness Act of 1992, as amended. 12 USC 4502(1). <a name="footnote2">[2]</a> There are no industry-wide definitions for AI/ML, but for purposes of this AB, definitions from the Financial Stability Board are used. See Financial Stability Board, Artificial Intelligence and Machine Learning in Financial Services (November 2017). <a name="footnote3">[3]</a>  See FHFA Advisory Bulletin 2020-06, Enterprise Risk Management Program (Dec. 11, 2020). <a name="footnote4">[4]</a> Interpretability refers to the extent to which a human can understand the choices taken by a model in the algorithmic decision-making process. <a name="footnote5">[5]</a> Explainability refers to how an AI/ML approach uses inputs to produce outputs (i.e., can the outcome be explained). <a name="footnote6">[6]</a>  See FHFA Advisory Bulletin 2020-06, Enterprise Risk Management Program (Dec. 11, 2020). <a name="footnote7">[7]</a> Consistent with FHFA Advisory Bulletin 2020-06, Enterprise Risk Management Program (Dec. 11, 2020), and FHFA Advisory Bulletin 2014-02, Operational Risk Management (Feb. 18, 2014). <a name="footnote8">[8]</a>  See FHFA Advisory Bulletin 2013-07, Model Risk Management Guidance (Nov. 20, 2013). <a name="footnote9">[9]</a> In-sample performance is model performance based on the training sample, while out-of-sample performance is model performance generated using data excluded from the training sample. <a name="footnote10">[10]</a>  See, e.g., National Institute of Standards and Technology (NIST) research on identifying and managing bias in artificial intelligence. <a name="footnote11">[11]</a>  See FHFA Advisory Bulletin 2018-08, Oversight of Third-Party Provider Relationships (Sept. 28, 2018). <a name="footnote12">[12]</a>  See FHFA Advisory Bulletin 2013-07, Model Risk Management Guidance (Nov. 20, 2013). <a name="footnote13">[13]</a>  See FHFA Advisory Bulletin 2016-04, Data Management and Usage (Sept. 29, 2016). <a name="footnote14">[14]</a>  See FHFA Advisory Bulletin 2019-05, Compliance Risk Management (Oct. 3, 2019). </div><h2> <table width="100%" class="ms-rteTable-default" cellspacing="0" style="font-style:normal;font-weight:400;font-size:14px;font-family:"source sans pro", sans-serif;"><tbody><tr><td class="ms-rteTable-default" style="width:776px;">FHFA has statutory responsibility to ensure  the safe and sound operations of the regulated entities and the Office of Finance.  Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. Questions about this advisory bulletin should be directed to: <a>SupervisionPolicy@fhfa.gov. </a> <a> </a></td></tr></tbody></table> </h2>

2/10/2023 5:52:43 PM

Home / Supervision & Regulation / Advisory Bulletins / Artificial Intelligence/Machine Learning Risk Management Advisory Bulletin [view PDF of Advisory Bulletin 2022-02

2426

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Office of Minority and Women Inclusion Supervisory Letter on AI/ML - February 2022

36790

Fannie Mae & Freddie Mac

2/10/2022 5:00:00 AM

This Supervisory Letter,  issued in conjunction with <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Artificial-Intelligence-Machine-Learning-Risk-Management.aspx" style="font-size:14px;font-family:"source sans pro", sans-serif;">AB 2022-02, </a>provides additional guidance to Fannie Mae and Freddie Mac (Enterprises) and establishes the Agency's expectations for the consideration of diversity and inclusion in the Enterprises' use of Artificial Intelligence and Machine Learning.

2/10/2022 4:14:55 PM

Home / Supervision & Regulation / Advisory Bulletins / Office of Minority and Women Inclusion Supervisory Letter on AI/ML - February 2022 Advisory Bulletin

6035

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Insider Trading Risk Management

36768

Fannie Mae & Freddie Mac

2/8/2022 5:00:00 AM

AB 2022-01

<table width="100%" class="ms-rteTable-default" cellspacing="0" style="font-style:normal;font-weight:400;font-size:14px;font-family:"source sans pro", sans-serif;"><tbody><tr><td class="ms-rteTable-default" style="width:776px;"> ADVISORY BULLETIN AB 2022-01:  Insider Trading Risk Management <a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/AB-2022-01.pdf">[view PDF of Advisory Bulletin 2022-01]</a></td></tr></tbody></table> PurposeThis advisory bulletin (AB) communicates to Fannie Mae and Freddie Mac (collectively, the Enterprises)<a href="#footnote1">[1]</a> Federal Housing Finance Agency's (FHFA) supervisory guidance for managing insider trading risk and related conflicts of interest to support a safe and sound operating environment. Insider trading risk management is a key component of an Enterprise's compliance risk management program. BackgroundInsider trading risk is the risk of legal or regulatory sanctions, damage to current or projected financial condition, damage to business resilience,<a href="#footnote2">[2]</a> or damage to reputation resulting from nonconformance with U.S. Securities and Exchange Commission (SEC) insider trading laws and disclosure requirements,<a href="#footnote3">[3]</a> rules, prescribed practices, internal policies and procedures, and ethical and related conflict-of-interest standards (insider trading obligations). The phrase “insider trading" may refer to legal and illegal conduct. Insider trading is legal when an investor trades a security<a href="#footnote4">[4]</a> but does not have material nonpublic information (MNPI) or when the trade is made pursuant to a Rule 10b5-1 passive investment plan.<a href="#footnote5">[5]</a> Illegal insider trading occurs when a person or entity in possession of MNPI, obtained through their employment or other involvement with a company, purchases, sells or otherwise trades their own company's securities or non-company securities based on MNPI, or when a person or entity improperly discloses MNPI to a third party<a href="#footnote6">[6]</a> (collectively, illegal insider trading activity). Section 10(b) of the Securities Exchange Act of 1934 (Exchange Act),<a href="#footnote7">[7]</a> other securities laws,<a href="#footnote8">[8]</a> and common law obligations broadly prohibit fraudulent activities of any kind in connection with the offer, purchase, or sale of securities.<a href="#footnote9">[9]</a> SEC regulations<a href="#footnote10">[10]</a> do not define the terms "material" and "nonpublic" but rely on definitions established in case law. Material information can be positive or negative and can relate to virtually any aspect of the Enterprise's business or to a type of security. Information is material if "there is a substantial likelihood that a reasonable shareholder would consider it important" in making an investment decision<a href="#footnote11">[11]</a> or if there is a substantial likelihood that it would be viewed “by the reasonable investor as having significantly altered the 'total mix' of information made available."<a href="#footnote12">[12]</a> Information is nonpublic if it has not been made generally available to investors.<a href="#footnote13">[13]</a>Insider trading risks include exposure to private civil actions or civil, criminal, and administrative actions by regulators, law enforcement, or other government agencies, such as:<ul><li>The SEC's enforcement of Sections 10(b), 16, and 20(a) of the Exchange Act<a href="#footnote14">[14]</a> and Rule 10b-5;<a href="#footnote15">[15]</a></li><li>The U.S. Department of Justice's (DOJ) criminal prosecution of individuals and corporations related to insider trading and securities fraud under Section 807 of the Sarbanes-Oxley Act of 2002;<a href="#footnote16">[16]</a></li><li>FHFA's enforcement of fraud reporting requirements related to insider trading activity pursuant to the Federal Housing Enterprises Financial Safety and Soundness Act of 1992, as amended by the Housing and Economic Recovery Act of 2008 (Safety and Soundness Act);<a href="#footnote17">[17]</a></li><li>FHFA's enforcement of applicable laws, regulations, orders, or adverse examination findings and communications;<a href="#footnote18">[18]</a></li><li>Enforcement of applicable state laws and regulations addressing insider trading activities that violate corporate fiduciary duties of care and loyalty;<a href="#footnote19">[19]</a> and </li><li>Recourse for misappropriation of MNPI.</li></ul> Additionally, effective management of insider trading risk requires compliance with the following FHFA regulations:<ul><li> 12 CFR 1239.10 (Code of Conduct and Ethics);</li><li>12 CFR 1239.11 (Risk Management); and</li><li>12 CFR 1239.12 (Compliance Program).</li></ul>Effective insider trading risk management also requires consideration of the guiding principles of sound risk management set forth in the Appendix to 12 CFR Part 1236, Prudential Management and Operations Standards (PMOS). With respect to various risk-management areas, the PMOS articulate guidelines on general responsibilities of the Enterprises' boards and senior management; establishment of policies, standards, and procedures; adequate resources, systems, and controls; and an adequate internal audit function.<a href="#footnote20">[20]</a> GuidanceThe Enterprise is expected to establish and maintain an effective compliance program based on enterprise-wide risk assessment processes<a href="#footnote21">[21]</a> to manage insider trading activities and the inherent risks of those processes. Through its risk assessments, the Enterprise identifies business areas and roles presenting heightened insider trading risk and identifies effective controls to minimize that risk. To mitigate insider trading risk, the Enterprise should examine the nature of its business and its prior history of insider trading risk events, determine what types of illegal insider trading activities pose the greatest risk, and adopt effective controls to detect and prevent such misconduct.<a href="#footnote22">[22]</a> By implementing a well-designed, adequately resourced, and effective compliance program, an Enterprise can make it less likely that covered parties<a href="#footnote23">[23]</a> will engage in illegal insider trading activity.<a href="#footnote24">[24]</a> I.          Corporate Governance A.         Roles and ResponsibilitiesThe Enterprise's board of directors (board) plays a pivotal role in the effective governance of insider trading risk.<a href="#footnote25">[25]</a> The Enterprise is responsible for establishing and maintaining a written code of conduct and ethics that is reasonably designed to assure that its directors, officers, and employees discharge their duties and responsibilities in an objective and impartial manner that promotes honest and ethical conduct, compliance with applicable laws, rules, and regulations, accountability for adherence to the code, and prompt internal reporting of violations of the code to appropriate persons identified in the code (Code of Conduct).<a href="#footnote26">[26]</a> The Code of Conduct is an invaluable resource helping employees locate relevant governing documents, services, and other resources related to insider trading, ethics, and compliance generally. The Enterprise may also benefit from adopting a separate Code of Conduct for members of the Board of Directors (Director Code). An appropriate Director Code reflects that Directors have higher exposure to insider trading risk given their access to MNPI. The Code of Conduct and the Director Code should encourage high ethical standards, promote a culture of compliance with insider trading obligations,<a href="#footnote27">[27]</a> and discourage unethical behavior or circumvention of compliance obligations.<a href="#footnote28">[28]</a> Promoting a culture of compliance with insider trading obligations includes documenting and communicating clear expectations about compliance with insider trading laws; clearly communicating related conflict of interest and business ethics standards and expectations; articulating the principle that employees and management conduct all activities in accordance with both the letter and the spirit of insider trading obligations; and creating an environment where employees are encouraged to raise legal, compliance, and ethics questions and concerns without fear of retaliation.<a href="#footnote29">[29]</a> B.         Insider Trading Governing Documents Committee charters, delegations of authority, policies, standards, and procedures that address insider trading obligations (insider trading governing documents) are excellent communication tools.<a href="#footnote30">[30]</a> The insider trading governing documents should assign clear and consistent roles and responsibilities for managing insider trading risk and for reviewing and resolving related conflicts of interest. An Enterprise's insider trading governing documents should include change management procedures for effectively monitoring and operationalizing new or modified insider trading obligations and for communicating these changes across the three lines of defense. C.        Illegal Insider Trading Prohibitions An Enterprise's insider trading governing documents should address statutory and regulatory prohibitions against illegal insider trading activities.<a href="#footnote31">[31]</a> An Enterprise's insider trading governing documents should make clear that an Enterprise's exposure to insider trading risk is increased when an Enterprise fails to supervise staff in possession of MNPI, fails to establish adequate policies and procedures for handling MNPI,<a href="#footnote32">[32]</a> and fails to report instances of insider trading to the appropriate regulators.<a href="#footnote33">[33]</a> D.        Conflicts of Interest Misuse of MNPI for personal benefit in securities transactions is a conflict of interest related to insider trading.<a href="#footnote34">[34]</a> An Enterprise's insider trading governing documents should establish procedures for reviewing and resolving potential material conflicts of interest related to insider trading; responding to requests for waivers or exceptions to trading prohibitions and addressing any other insider trading obligations or restrictions set forth in the insider trading governing documents. Each Enterprise should maintain written records of all identified material conflicts of interest related to insider trading. II.        Risk Identification and AssessmentThe insider trading governing documents should operationalize insider trading risk-management obligations into the Enterprise's day-to-day business processes, job duties, and responsibilities. The Enterprise's insider trading governing documents should: identify potential MNPI; determine which transactions, disclosures, and personnel are covered by the insider trading obligations; evaluate the quality of risk management; assess residual insider trading risk; and promote independent reviews, escalation, and tracking of identified issues. The insider trading governing documents should also include methods of measuring insider trading risk (e.g., by using key risk indicators) and use such measurements to enhance compliance risk assessments.<a href="#footnote35">[35]</a> A.         Identifying MNPIManagement, with appropriate board oversight, should establish effective information management systems<a href="#footnote36">[36]</a> to protect MNPI and other sensitive information. Data security management policies, standards, and procedures should contain specific security requirements established for categories of sensitive data.<a href="#footnote37">[37]</a> B.         Identifying Covered TransactionsEffective insider trading governing documents highlight the broad scope of insider trading obligations and make clear that these obligations apply to the purchase and sale of all securities and not just common stock. Prohibitions against illegal trading apply to the purchase and sale of an Enterprise's stock, hedging Enterprise securities, purchase and sales of Enterprise securities pledged in a margin account or as collateral for a loan, trading debt securities issued by the Enterprise and any other securities issued by the Enterprise. The prohibitions also apply to securities of non-Enterprise companies, including securities of third parties, if a covered party (defined below) learns information in the course of his or her duties that may affect the value of those other non-Enterprise securities. Effective insider trading governing documents and risk assessment procedures may include a list of examples of transactions subject to the insider trading obligations (covered transactions) as well as lists of institutions and securities that are covered or restricted. An Enterprise's insider trading governing documents should also address permissible trading windows, pre-clearance of acceptable transactions, and blackout periods, as applicable, when the Enterprise prohibits trading and the extent to which various covered parties are subject to such terms. C.        Covered PartiesFHFA expects an Enterprise to make clear that insider trading obligations apply to the Enterprise, its employees, officers, directors, select contingent workers, other third parties with access to MNPI, and individuals receiving “tips" of MNPI, if the person receiving the tip is a family member or has a meaningfully close personal relationship with the party improperly disclosing the MNPI (covered parties). The Enterprise should establish standards and procedures for determining which third parties, counterparties, vendors, business partners, consultants, or advisers are considered covered parties. Such selection standards should include consideration of the relationship with the third party and the extent to which the third party has access to MNPI.<a href="#footnote38">[38]</a> Not all elements of the Enterprise's insider trading compliance program are anticipated to apply equally to all covered parties. The insider trading governing documents should also describe procedures for adding and removing covered parties from monitoring requirements based on changes in job responsibilities or access to MNPI.<a href="#footnote39">[39]</a> D.        Evaluating Quality of Risk Management and Assessing Residual RiskAn Enterprise's risk assessment processes should include risk-control self-assessments, key risk indicators, and key performance indicators.<a href="#footnote40">[40]</a> An Enterprise's assessment of insider trading risk should include processes that evaluate the likelihood of noncompliance with insider trading obligations. The risk assessment and insider trading governing documents should also include processes for evaluating the effectiveness of controls in place to manage insider trading risk and to protect and prevent improper disclosure of MNPI,<a href="#footnote41">[41]</a> and include processes for reviewing whether regulatory, legal, or other related compliance risk categories' residual risk levels align with risk appetite.<a href="#footnote42">[42]</a> III.       ControlsIn addition to establishing an effective governance framework, comprehensive insider trading governing documents, and an effective risk identification and assessment system, an Enterprise's robust internal controls should also include identifying, managing, and reporting on insider trading-related controls.<a href="#footnote43">[43]</a> A.         Managing and Protecting MNPIThe insider trading governing documents and associated controls should be designed to ensure that MNPI is properly protected.<a href="#footnote44">[44]</a> Covered parties should understand that they are responsible for treating confidential information that may be MNPI in accordance with the expectations in the Enterprise's insider trading governing documents. Covered parties are prohibited from disclosing MNPI to others (including other people within the Enterprise, family members, friends, or employees of a director's member institution, etc.) unless the person has a need to know the information for legitimate Enterprise-related reasons.The development of information barriers is important to securing MNPI.<a href="#footnote45">[45]</a> These barriers may include organizational, technological, and physical workspace separation of people with access to MNPI from people who do not need access.<a href="#footnote46">[46]</a> Information barriers may also include processes such as watch lists, restricted lists, accompanying reviews of employee and proprietary trading, written procedures, and documentation of reviews.<a href="#footnote47">[47]</a> B.         Acknowledgments and Nondisclosure AgreementsThe Enterprise should establish procedures to determine the need for covered parties to execute annual acknowledgements and nondisclosure agreements based upon the materiality of the relationship with the covered party and the extent to which that party has access to MNPI. C.        Post-Employment ControlsThe Enterprise should implement controls designed to ensure that all MNPI in the possession of a covered party will be returned to the Enterprise or destroyed at the termination of his or her relationship with the Enterprise. Covered parties should understand that if their employment or contract period with the Enterprise terminates at a time when they possess MNPI, they continue to be responsible for protecting that information and continue to be prohibited from disclosing or trading on that information until the information is disclosed to the public or until the information is no longer material. It is the covered party's obligation to determine whether these conditions are met. D.        TrainingEnterprise employees should be held accountable and be aware of their insider risk management roles and responsibilities.<a href="#footnote48">[48]</a> An Enterprise should require all employees, board members, and third-party providers with access to MNPI to annually review or be trained on the relevant provisions of the insider trading governing documents and complete annual training covering key insider trading topics including conflicts of interest. IV.       Internal Surveillance and MonitoringInsider trading risk should be monitored regularly to identify changes or trends in exposures over time.<a href="#footnote49">[49]</a> The insider trading governing documents should include procedures for: Determining whether a covered party's trading and MNPI protection activities will be monitored, and if so how; Automating processes for monitoring and scanning covered parties' brokerage accounts;Ensuring that annual certifications and employment contracts address post-employment, post-contract trading and disclosures and prohibit improper disclosures and improper trading until MNPI is disclosed to the public or until the information is no longer material;Evaluating whether a covered party's access to MNPI warrants oversight related to personal trade activity or other MNPI related restrictions;Identifying and assessing business processes with heightened risk for illegal insider activity; Investigating, tracking, and reporting possible illegal insider activity; Detecting illegal insider activity if and when it occurs; Evaluating and responding to illegal insider activity; and Monitoring and independently testing business lines to determine overall adequacy and effectiveness of insider trading risk management. V.        Disclosures and Reporting A.         Internal Reporting An effective compliance program should generate periodic internal disclosures, notifications, and reporting information on insider trading risk in a form that comports with the insider trading governing documents. The compliance officer's reports to the chief executive officer<a href="#footnote50">[50]</a> and to the board<a href="#footnote51">[51]</a> must address the adequacy of the Enterprise's compliance policies and procedures, including those related to insider trading.<a href="#footnote52">[52]</a> The substance of such reporting should be relevant, accurate, complete, timely, consistent, and comprehensive, and should enable the execution of sound and informed risk management decisions.<a href="#footnote53">[53]</a> Such reports should contain sufficient information to ensure effective oversight, escalation and timely resolution of insider trading noncompliance and control deficiencies.<a href="#footnote54">[54]</a> These internal reports should be designed to ensure that the board and relevant committees are properly informed of the Enterprise's insider risk management activities<a href="#footnote55">[55]</a> and the outcomes of such activities, including significant instances of noncompliance with insider trading obligations.<a href="#footnote56">[56]</a> B.         External Reporting The Enterprise's insider trading governing documents should address the Enterprise's obligation<a href="#footnote57">[57]</a> to submit timely reports to FHFA, Financial Crimes Enforcement Network, SEC, and other applicable regulators when the Enterprise discovers or suspects possible insider trading, or other fraud related to the purchase or sale of any loan or financial instrument.<a href="#footnote58">[58]</a> Enterprise policies, standards and procedures should incorporate the reporting obligations and limitations set forth in Section 16 of the Exchange Act.<a href="#footnote59">[59]</a> Section 16 establishes regulatory filing responsibilities of specified reporting insiders, such as Section 16 officers<a href="#footnote60">[60]</a> and members of the board of directors.<a href="#footnote61">[61]</a> Insider trading governing documents should also comply with applicable laws and regulations pertaining to the full and fair disclosure of information to the public.<a href="#footnote62">[62]</a> Related Guidance and Regulations12 CFR Part 1236, Appendix, Prudential Management and Operations Standards.12 CFR Part 1239, Responsibilities of Boards of Directors, Corporate Practices, and Corporate Governance. Enterprise Risk Management Program, Federal Housing Finance Agency Advisory Bulletin 2020-06, December 11, 2020. Financial Reporting and Disclosure and External Audit, Federal Housing Finance Agency Advisory Bulletin 2020-04, August 20, 2020. Compliance Risk Management, Federal Housing Finance Agency Advisory Bulletin 2019-05, October 3, 2019. Enterprise Fraud Reporting, Federal Housing Finance Agency Advisory Bulletin 2019-04, September 18, 2019. Business Resiliency Management, Federal Housing Finance Agency Advisory Bulletin 2019-01, May 7, 2019. Oversight of Third-Party Provider Relationships, Federal Housing Finance Agency Advisory Bulletin 2018-08, September 28, 2018. Information Security Management, Federal Housing Finance Agency Advisory Bulletin 2017-02, September 28, 2017. Internal Audit Governance and Function, Federal Housing Finance Agency Advisory Bulletin 2016–05, October 7, 2016. Data Management and Usage, Federal Housing Finance Agency Advisory Bulletin 2016-04, September 29, 2016. Fraud Risk Management, Federal Housing Finance Agency Advisory Bulletin 2015-07, September 29, 2015. Operational Risk Management, Federal Housing Finance Agency Advisory Bulletin 2014-02, February 18, 2014. FHFA Enforcement Policy, Federal Housing Finance Agency Advisory Bulletin 2013-03, May 31, 2013. _______________________________ <a name="footnote1">[1]</a> Common Securitization Solutions, LLC is an “affiliate" of both Fannie Mae and Freddie Mac, as defined in the Federal Housing Enterprises Financial Safety and Soundness Act of 1992, as amended. 12 U.S.C. § 4502(1), and this AB applies to it. <a name="footnote2">[2]</a>See FHFA Advisory Bulletin 2019-01, Business Resiliency Management (May 7, 2019). <a name="footnote3">[3]</a>See 17 CFR 243.100–243.103 (Regulation FD), 17 CFR 240.10b5–1 (Rule 10b5-1), and 17 CFR 240.10b5–2 (Rule 10b5-2). <a name="footnote4">[4]</a>See 15 U.S.C. § 78c(a)(10) for definition of “security." <a name="footnote5">[5]</a> Rule 10b5-1 plans are passive investment plans through which companies and corporate insiders relinquish direct control over transactions. <a name="footnote6">[6]</a>See discussion in Section II.C. below. <a name="footnote7">[7]</a> 15 U.S.C. § 78a et seq. <a name="footnote8">[8]</a> Sections 10(b), 16 and 21A(b)(1) of the Exchange Act. See generally U.S. Securities and Exchange Commission: The Laws that Govern the Securities Industry. Retrieved from www.investor.gov/introduction-investing/investing-basics/role-sec/laws-govern-securities-industry. <a name="footnote9">[9]</a> SEC: Rules and Regulations for the Securities and Exchange Commission and Major Securities Laws. Retrieved from www.sec.gov/about/laws/secrulesregs.htm. <a name="footnote10">[10]</a>See SEC's Final Rule: Selective Disclosure and Insider Trading, 65 FR 51715, 51721 (August 24, 2000) (hereinafter Final Fair Disclosure Rule). See also 17 CFR 243.100–243.103 (Regulation FD), 17 CFR 240.10b5–1 (Rule 10b5-1), and 17 CFR 240.10b5–2 (Rule 10b5-2). <a name="footnote11">[11]</a> Final Fair Disclosure Rule, footnote 38. <a name="footnote12">[12]</a> Id., footnote 39. <a name="footnote13">[13]</a> Id., footnote 40. <a name="footnote14">[14]</a> 15 U.S.C. § 78u (identifying civil penalties for insider trading). <a name="footnote15">[15]</a>See 17 CFR 240.10b-5. <a name="footnote16">[16]</a> 18 U.S.C § 1348 (Jan. 14, 2019). <a name="footnote17">[17]</a> 12 U.S.C. § 4642. See also 12 CFR 1233.3(a); FHFA Advisory Bulletin 2019-04: Enterprise Fraud Reporting (Sept. 18, 2019); and FHFA Advisory Bulletin 2015-07: Fraud Risk Management (Sept. 29, 2015). <a name="footnote18">[18]</a>See FHFA Advisory Bulletin 2013-03, FHFA Enforcement Policy (May 31, 2013). See also FHFA Advisory Bulletin 2017–01, Classifications of Adverse Examination Findings (Mar. 13, 2017). <a name="footnote19">[19]</a> For Fannie Mae, see Del. Code Ann. § 141(a) (2011). For Freddie Mac, see Va. Code Ann. § 13.1-690(A) (2012). <a name="footnote20">[20]</a> For the internal audit function, see also FHFA Advisory Bulletin 2016–05, Internal Audit Governance and Function (Oct. 7, 2016). <a name="footnote21">[21]</a> PMOS, Standard 1, Principle 8. <a name="footnote22">[22]</a>See FHFA Advisory Bulletin 2019-05, Compliance Risk Management (Oct. 3, 2019) (AB 2019-05). See also U.S. Department of Justice, Criminal Division, Evaluation of Corporate Compliance Programs (June 1, 2020), <a href="https://www.justice.gov/criminal-fraud/page/file/937501/download">https://www.justice.gov/criminal-fraud/page/file/937501/download</a> (DOJ Guidance on Compliance Programs). <a name="footnote23">[23]</a>See discussion in Section II.C. below. <a name="footnote24">[24]</a> 12 CFR 1239.11(a). See also AB 2019-05. <a name="footnote25">[25]</a> The Enterprise is required to establish and maintain a comprehensive risk management program in accordance with all applicable laws and regulations. See Corporate Governance Rule, 12 CFR Part 1239. See also FHFA Advisory Bulletin 2020-06, Enterprise Risk Management Program (Dec. 11, 2020) (AB 2020-06), AB 2019-05, and PMOS, Responsibilities of the Board of Directors and Senior Management: Principles 1, 4 – 7 and Standard 8, Principles 1 and 3. <a name="footnote26">[26]</a> 12 CFR 1239.10. <a name="footnote27">[27]</a> PMOS, Responsibilities of the Board of Directors and Senior Management: Principle 9. See also PMOS, Standard 1, Principles 3, 4, and 16. <a name="footnote28">[28]</a>See Section 1, AB 2019-05, and AB 2020-06. <a name="footnote29">[29]</a>See AB 2019-05. Additionally, the Sarbanes-Oxley Act protects corporate whistleblowers for providing information about insider trading, securities fraud, shareholder fraud, bank fraud, a violation of any SEC rule or regulation, mail fraud, or wire fraud. See<a href="https://www.sec.gov/whistleblower/retaliation">https://www.sec.gov/whistleblower/retaliation</a>. <a name="footnote30">[30]</a>See PMOS, Standard 1, Principles 2 and 16. See AB 2019-05, page 5. <a name="footnote31">[31]</a>See 12 CFR 1239.3(a) and 12 CFR 1239.11(a)(3)(ii). <a name="footnote32">[32]</a>See DOJ Guidance on Compliance Programs. The document is designed to assist “prosecutors in making informed decisions as to whether, and to what extent, the corporation's compliance program was effective at the time of the offense, and is effective at the time of a charging decision or resolution, for purposes of determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations)." <a name="footnote33">[33]</a>See Sections 20(a) and 21A(b)(1) of the Exchange Act. See alsoGraham v. SEC, 222 F.3d 994, 1000 (D.C. Cir. 2000) (reviewing the elements of aiding and abetting liability). <a name="footnote34">[34]</a> This AB addresses conflicts of interest arising from misuse of MNPI for personal benefit in securities transactions. This AB does not address supervisory expectations related to managing risks associated with other types of conflicts of interest, such as outside activities, political activities, and business courtesies. <a name="footnote35">[35]</a>See AB 2019-05, Section 2, page 5. <a name="footnote36">[36]</a>See FHFA Advisory Bulletin 2016-04, Data Management and Usage (Sept. 29, 2016) (AB 2016-04), page 1. <a name="footnote37">[37]</a>See AB 2016-04, page 4. See also FHFA Advisory Bulletin 2017-02, Information Security Management (Sept. 28, 2017) (AB 2017-02), page 10. <a name="footnote38">[38]</a>See FHFA Advisory Bulletin 2018-08, Oversight of Third-Party Provider Relationships (Sept. 28, 2018). <a name="footnote39">[39]</a>See 15 U.S.C. § 78u-1(a)(1)(B). <a name="footnote40">[40]</a>See FHFA Advisory Bulletin 2014-02, Operational Risk Management (Feb. 18, 2014) (ORM AB), page 3. <a name="footnote41">[41]</a> PMOS, Standard 1, Principles 4 and 5. See also ORM AB, page 3. <a name="footnote42">[42]</a> AB 2020-06, Sections I.A, B, and C. <a name="footnote43">[43]</a> PMOS, Standard 1, Principle 10. <a name="footnote44">[44]</a>See AB 2017-02. <a name="footnote45">[45]</a> SEC defines “information barriers" as written policies and procedures reasonably designed to prevent misuse of MNPI in violation of the securities laws. See discussion in Section III.A. below. See generally SEC, Staff of the Office of Compliance Inspections and Examinations, Staff Summary Report on Examinations of Information Barriers (Sept. 27, 2012) (Information Barrier Summary Report), located at <a href="https://www.sec.gov/about/offices/ocie/informationbarriers.pdf">https://www.sec.gov/about/offices/ocie/informationbarriers.pdf</a>. <a name="footnote46">[46]</a> AB 2017-02. <a name="footnote47">[47]</a> Information Barrier Summary Report, page 7. <a name="footnote48">[48]</a>See 12 CFR 1239.11(a)(3) and PMOS, Standard 8. <a name="footnote49">[49]</a> AB 2020-06, Section III. <a name="footnote50">[50]</a> 12 CFR 1239.12. <a name="footnote51">[51]</a> Ibid. <a name="footnote52">[52]</a> Ibid. See also AB 2019-05. <a name="footnote53">[53]</a>See 12 CFR 1239.11(c)(3)(ii) and AB 2016-04. <a name="footnote54">[54]</a> ORM AB, page 5. See also AB 2016-04. <a name="footnote55">[55]</a>See AB 2020-06 (“Systems and processes supporting risk and control reporting should align under a common data architecture to facilitate and support the Enterprise's risk aggregation and enterprise-wide reporting.") <a name="footnote56">[56]</a> 12 CFR 1239.11(b), 12 CFR 1239.11(c)(3)(iv), and 1239.12. <a name="footnote57">[57]</a> 12 U.S.C. § 4642. <a name="footnote58">[58]</a>See 12 CFR 1233.3(a) and the guidelines in FHFA Advisory Bulletin 2019-04: Enterprise Fraud Reporting (Sept. 18, 2019). See also FHFA Advisory Bulletin 2020-04, Financial Reporting and Disclosure and External Audit (Aug. 20, 2020). <a name="footnote59">[59]</a> Section 16 of the Securities and Exchange Act of 1934, specifies mandatory disclosure requirements for “[e]very person who is directly or indirectly the beneficial owner of more than 10 percent of any class of any equity security (other than an exempted security) which is registered pursuant to 12, or who is a director or an officer of the issuer of such security." Exchange Act. See also 17 CFR 240.16a-2 (Persons and transactions subject to Section 16 of the Exchange Act). <a name="footnote60">[60]</a> Section 16 officers refers to officers of the Enterprise as defined by Rule 16a-1(f) under the Exchange Act. <a name="footnote61">[61]</a>See SEC: Investor Bulletin Insider Transactions and Forms 3, 4, and 5. Retrieved at www.sec.gov/files/forms-3-4-5.pdf. <a name="footnote62">[62]</a>See Final Fair Disclosure Rule. <div><table width="100%" class="ms-rteTable-default" cellspacing="0" style="font-style:normal;font-weight:400;font-size:14px;font-family:"source sans pro", sans-serif;"><tbody><tr><td class="ms-rteTable-default" style="width:776px;">FHFA has statutory responsibility to ensure  the safe and sound operations of the regulated entities and the Office of Finance.  Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. Questions about this advisory bulletin should be directed to: <a>SupervisionPolicy@fhfa.gov. </a> <a> </a></td></tr></tbody></table> </div>

2/8/2022 3:01:00 PM

Home / Supervision & Regulation / Advisory Bulletins / Insider Trading Risk Management Advisory Bulletin AB 2022-01: Insider Trading Risk Management

7392

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Enterprise Fair Lending and Fair Housing Compliance

36635

Fannie Mae & Freddie Mac

12/20/2021 5:00:00 AM

AB 2021-04

<table width="100%" class="ms-rteTable-default" cellspacing="0" style="font-stretch:inherit;font-size:14px;line-height:inherit;font-family:"source sans pro", sans-serif;vertical-align:baseline;margin:0px;padding:0px;border-spacing:0px;table-layout:fixed;background-color:#ffffff;"><tbody style="border:0px;font:inherit;vertical-align:baseline;margin:0px;padding:0px;"><tr style="border:0px;font:inherit;vertical-align:baseline;margin:0px;padding:0px;"><td class="ms-rteTable-default" style="font:inherit;margin:0px;width:776px;"> <span style="border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;margin:0px;padding:0px;font-weight:700 !important;">ADVISORY BULLETIN <span style="border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;margin:0px;padding:0px;font-weight:700 !important;">AB 2021-04:  Enterprise Fair Landing and Fair Housing Compliance<span style="border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;margin:0px;padding:0px;font-weight:700 !important;"><a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/AB%202021-04%20Enterprise%20Fair%20Lending%20and%20Fair%20Housing%20Compliance.pdf">[view PDF of Advisory Bulletin 2021-04]</a></td></tr></tbody></table><p style="border:0px;font-stretch:inherit;font-size:14px;line-height:22px;font-family:"source sans pro", sans-serif;vertical-align:baseline;padding:0px;background-color:#ffffff;text-align:justify;color:#404040 !important;"> <span style="border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;margin:0px;padding:0px;font-weight:700 !important;"> <em style="border:0px;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;margin:0px;padding:0px;text-decoration-line:underline;"> <span style="border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;margin:0px;padding:0px;font-weight:700 !important;">Purpose FHFA’s Enterprise fair lending examination program is conducted by the Office of Fair Lending Oversight (“OFLO”) within the Division of Housing Mission and Goals. The purpose of this advisory bulletin is to provide FHFA’s supervisory expectations and guidance to Fannie Mae and Freddie Mac (the Enterprises) on fair lending compliance. FHFA considers ensuring Enterprise compliance with fair lending laws part of FHFA’s obligation to affirmatively further the purposes of the Fair Housing Act in its program of regulatory and supervisory oversight over the Enterprises and its responsibility to ensure the Enterprises comply with all applicable laws.<a href="#footnote1">[1]</a>  <p style="border:0px;font-stretch:inherit;font-size:14px;line-height:22px;font-family:"source sans pro", sans-serif;vertical-align:baseline;padding:0px;background-color:#ffffff;text-decoration-line:underline;color:#404040 !important;"> <span style="border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;margin:0px;padding:0px;font-weight:700 !important;"> BackgroundThe federal fair lending laws that apply to the Enterprises include:<ul><li>Fair Housing Act – 42 U.S.C. 3601 et seq.</li><ul><li>Discriminatory Conduct Under the Fair Housing Act – 24 CFR part 100</li></ul><li>Equal Credit Opportunity Act (ECOA) – 15 U.S.C. 1691 et seq.</li><ul><li>Equal Credit Opportunity Act (Regulation B) – 12 CFR part 1002</li></ul><li>Safety and Soundness Act fair housing provision – 12 U.S.C. 4545</li><ul><li>HUD's Regulation of Fannie Mae and Freddie Mac – 24 CFR part 81, subpart C  </li></ul></ul>FHFA's fair lending policy statement generally articulates its policy on fair lending and how it uses its authorities to ensure compliance with fair lending laws.<a href="#footnote2">[2]</a> The Enterprises are subject to several associated fair lending requirements such as requirements to obtain and maintain data relevant to ensuring compliance with fair lending laws, report certain information to FHFA pursuant to FHFA's reporting order on fair lending,<a href="#footnote3">[3]</a> include certain information related to fair lending in their annual housing reports, and comply with fair lending requirements associated with other FHFA processes and requirements. The Enterprises are also subject to Department of Housing and Urban Development (“HUD") oversight related to fair housing. FHFA and HUD have signed a memorandum of understanding regarding cooperation and coordination with respect to fair housing and fair lending.<a href="#footnote4" style="font-family:"source sans pro", sans-serif;font-size:14px;">[4]</a> In certain circumstances, FHFA provides notification to HUD and DOJ of information that suggests a violation of the Fair Housing Act or that indicates a possible pattern or practice of discrimination in violation of the Fair Housing Act.<a href="#footnote5" style="font-family:"source sans pro", sans-serif;font-size:14px;">[5]</a> The Enterprises play a unique and important role in the mortgage market, and their operations and policies can promote fair lending compliance and further the purposes of fair lending laws and the public interest in the primary mortgage market. Guidance Each Enterprise must fully comply with all applicable fair lending laws in its operations. FHFA expects each Enterprise to maintain a fair lending program that effectively identifies, assesses, monitors, and mitigates fair lending risk and prevents the occurrence of fair lending violations in Enterprise operations. Each Enterprise must fully comply with associated fair lending requirements. FHFA encourages each Enterprise to affirmatively further the purposes of the Fair Housing Act, including promoting fair lending compliance among their business counterparties while furthering their public purposes in the mortgage market and within their own activities relating to housing and urban development. <h3>I.                    Compliance with Fair Lending Laws</h3>The following section provides general guidance with respect to Enterprise compliance with fair lending laws. It is not intended to provide authoritative or definitive statements of fair lending law and is intended to give practical guidance for fair lending compliance with respect to Enterprise operations based on a combined application of all fair lending laws noted in the Background section. The examples provided are general in nature. When determining whether a fair lending violation has occurred, close scrutiny of the facts and law are warranted in all cases. However, even situations where conduct is close to the line of illegality with respect to fair lending raise questions about appropriate risk management and effectiveness of or support for the fair lending program. The fact that an aspect of fair lending law is not covered explicitly in this advisory bulletin should not be construed to mean that FHFA will not enforce that aspect as part of fair lending supervision. <h4>A.      Prohibited Bases</h4>Prohibited bases<a href="#footnote6">[6]</a> protected from discrimination under the Federal fair lending laws noted above are:<ul><li>Race</li><li>Color</li><li>Religion</li><li>National Origin</li><li>Sex, Sexual Orientation, and Gender Identity<a href="#footnote7">[7]</a></li><li>Marital Status</li><li>Age</li><li>Receipt of income derived from any public assistance program</li><li>Exercise, in good faith, of any right under the Consumer Credit Protection Act<a href="#footnote8">[8]</a></li><li>Familial status</li><li>Disability<a href="#footnote9">[9]</a></li><li>Consideration of the age of a dwelling or age of the neighborhood in a manner that has an unjustified discriminatory effect</li><li>Consideration of the location of a dwelling or the census tract where the dwelling is located in a manner that has an unjustified discriminatory effect </li></ul><div> </div><div>An Enterprise may not discriminate on a prohibited basis because of the characteristics of:</div><div> </div><div><ul><li> An applicant, prospective applicant, or borrower</li><li> A person associated with an applicant, prospective applicant, or borrower (for example, a co-applicant, spouse, business partner, or live-in aide)</li><li> The present or prospective occupants of the subject property, or</li><li> The characteristics of the neighborhood or other area where the subject property is located<a href="#footnote10">[10]</a> </li></ul><div> </div><h4>B.      Covered Enterprise Activities</h4> Enterprise activities covered by fair lending laws include but are not limited to:<ul><li> Purchasing residential estate loans (including setting terms and conditions for purchase);<a href="#footnote11">[11]</a></li> <a href="#footnote11"></a> <li> <a href="#footnote11"> Providing loans or financial assistance for residential real estate;</a><a href="#footnote12">[12]</a></li><li>Participating in credit decisions<a href="#footnote13">[13]</a> </li><li> Selling dwellings (such as through REO disposition);<a href="#footnote14">[14]</a> </li><li> Advertising, communications, and statements (including among employees);<a href="#footnote15">[15]</a></li><li> Setting standards for appraisals and relying on appraisals in purchasing real estate loans;<a href="#footnote16">[16]</a></li><li> Making decisions related to loss mitigation in servicing of real estate loans (including establishing standards for such decisions);<a href="#footnote17">[17]</a></li><li> Pooling, packaging, and securitizing residential real estate loans and marketing and selling such securities;<a href="#footnote18">[18]</a></li><li> Multifamily purchasing and lending, setting standards for such purchasing and lending, servicing multifamily loans, and pooling or securitization related to multifamily dwellings;<a href="#footnote19">[19]</a></li><li> Making housing unavailable;<a href="#footnote20">[20]</a> and</li><li> Models related to these activities</li></ul> Methods of proving discrimination under these fair lending laws include: <ul><li> Overt or direct evidence of disparate treatment;</li><li> Comparative or indirect evidence of disparate treatment (including code word or redlining evidence); and</li><li> Evidence of disparate impact where the Enterprise did not demonstrate a legitimate business justification</li></ul> Additional types of prohibited discrimination that are relevant in Enterprise fair lending compliance include: <ul><li> Discriminatory statements, steering, and discouragement;</li><li> Use of discriminatory appraisals;<a href="#footnote21">[21]</a> and</li><li> Discriminatory interference or retaliation</li></ul> <h4>C.      Direct and Vicarious Liability</h4>The Fair Housing Act imposes liability for violations through both direct and vicarious liability, including the conduct of employees and agents and third parties in certain circumstances.<a href="#footnote22">[22]</a>An Enterprise is directly responsible for a fair housing violation resulting from its own conduct, and vicariously responsible for a fair housing violation that results from the conduct of its agents and employees, regardless of whether the Enterprise knew or should have known of the conduct of its agents and employees, consistent with agency law.<a href="#footnote23">[23]</a> An Enterprise is also responsible for failing to take prompt action to correct and end a fair housing violation in certain circumstances, including:<ul><li> Such a violation by the Enterprise's employee or agent where the Enterprise knew or should have known of the discriminatory conduct; and</li><li> Such a violation by a third-party, where the Enterprise knew or should have known of the discriminatory conduct and had the power to correct it, depending on the extent of the Enterprise's control or other legal responsibility an Enterprise may have with respect to the third party's conduct.<a href="#footnote24">[24]</a> </li></ul><div><h4>D.      Disparate Treatment</h4>Disparate treatment occurs when an Enterprise treats a borrower or property differently based on one of the prohibited bases. It does not require any showing that the treatment was motivated by prejudice or a conscious intention to discriminate beyond the difference in treatment itself. Disparate treatment may more likely occur in the treatment of borrowers or properties that are neither clearly well-qualified nor clearly unqualified or where discretionary processes are present.The existence of illegal disparate treatment may be established either by statements revealing that an Enterprise explicitly considered prohibited factors (overt evidence) or by differences in treatment that are not fully explained by legitimate nondiscriminatory factors (comparative evidence). Disparate treatment can also be shown through appropriate statistical analysis. <h5>1.       Overt or Direct Evidence of Disparate Treatment</h5>There is overt evidence of discrimination when oral or written statements indicate an Enterprise discriminates on a prohibited basis without need for inference or comparative evidence. <a href="#footnote26">[25]</a></div></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><div><div> Example: Suppose an Enterprise asset manager for REO properties decides not to repair or upgrade a property in the capital city of a tribal nation before putting it on the market and justifies the decision because it is near “Indian nation public housing" and “buyers may have a problem with that." The decision would be a violation because it was made because of the race of nearby residents of the neighborhood.<a href="#footnote26">[26]</a> </div></div></blockquote><div><div><h5>2.       Comparative or Indirect Evidence of Disparate Treatment </h5>If an Enterprise has apparently treated similarly situated borrowers or properties differently on the basis of a prohibited factor, it must provide a legitimate non-discriminatory explanation for the difference in treatment. If the Enterprise's explanation is found to be not credible or not applied consistently to similarly situated borrowers or properties, FHFA may find that the entity discriminated.<a href="#footnote27">[27]</a> </div></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><div><div> Example: Suppose an Enterprise asset manager for REO properties repairs or upgrades an REO property in a white neighborhood when “only cosmetic" repairs are needed but does not repair an REO property with similar characteristics in a minority neighborhood when “only cosmetic" repairs or upgrades are needed. Suppose also that there is no clear policy on how to handle cosmetic repairs, leaving it to the asset manager's discretion. The decision would be a violation because it treated similarly situated properties in minority and white neighborhoods differently without a credible legitimate non-discriminatory explanation or consistent application.</div></div><div><div> Example: Suppose an Enterprise determines it will stop doing business with a minority multifamily sponsor due to property maintenance concerns. A white multifamily sponsor presents similar property maintenance concerns, but instead, receives a warning. The Enterprise is unable to provide evidence explaining the difference in treatment between the two sponsors. The decision would be a violation because it treated two similarly situated sponsors of different race/ethnic backgrounds differently without a credible legitimate non-discriminatory explanation or consistent application.</div></div></blockquote><div><div><h5>3.      Redlining </h5>Redlining is a form of illegal disparate treatment in which an Enterprise treats borrowers or properties differently because of the race, color, national origin, or other prohibited characteristic(s) of the residents of the area without any legitimate business reason. It is often shown by overt evidence, comparative evidence of differences in treatment, and can be supported by maps showing differences in outcomes for borrowers or properties in neighborhoods with different racial characteristics.<a href="#footnote28">[28]</a></div></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><div><div> Example: Suppose an Enterprise provides discretion to multifamily underwriters to accept or reject purchases of multifamily loans. For the past two years, this Enterprise accepted nearly four times as many applications for properties located in white neighborhoods compared with properties located in Black neighborhoods. Maps of Metropolitan Statistical Areas (“MSAs") depicting accepted and rejected purchases showed avoidance of majority-Black neighborhoods, and where there were accepted loans in majority-Black neighborhoods, they were almost exclusively along the edges of those neighborhoods in close proximity to white neighborhoods. This policy would present fair lending risk and could be a violation because the Enterprise's discretionary policies resulted in redlining.</div></div></blockquote><div><h5>4.       Code Word Evidence of Disparate Treatment </h5>Use of certain code words can be evidence of disparate treatment. Whether a code word is evidence of disparate treatment depends on the context, inflection (if spoken), tone of voice (if spoken), custom, and historical usage.<a href="#footnote29">[29]</a> Examples of potential code words include describing minority neighborhoods as “crime-ridden," “inner city" neighborhoods, or lacking “pride of ownership."<a href="#footnote30">[30]</a> Code word evidence should be carefully evaluated in its full context before drawing conclusions.<h4>E.      Disparate Impact </h4>When a neutral policy or practice disproportionately excludes or burdens certain persons or neighborhoods on a prohibited basis, the policy or practice is described as having a "disparate impact." The fact that a policy or practice creates a disparity on a prohibited basis is not alone proof of a violation. When a disparate impact is identified, the next step is to determine whether the policy or practice is necessary to achieve one or more substantial, legitimate, nondiscriminatory objectives. Factors that may be relevant to the justification could include cost, profitability, or compliance with legal requirements, among others. Even if a policy or practice that has a disparate impact on a prohibited basis can be justified by a legitimate nondiscriminatory objective, the policy or practice still may be found to be in violation of the Fair Housing Act if an alternative policy or practice could serve the legitimate nondiscriminatory interests by another practice with less discriminatory effect. Evidence of discriminatory intent is not necessary to establish a violation based on disparate impact. Appropriate statistical analysis is usually necessary to evaluate whether a policy creates a disparity and may also be relevant in assessing justification and potential less discriminatory alternatives.<a href="#footnote31">[31]</a> A fair lending self-evaluation of a policy or practice, assessing its impact and considering whether potential less discriminatory alternatives would serve the Enterprise's legitimate nondiscriminatory objective, could be part of an effective compliance risk management process, and provide helpful support for concluding that the policy or practice is not a disparate impact violation, especially when evidence indicates that the least discriminatory alternative was adopted. </div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><div><div> Example: Suppose an Enterprise has a special Guide requirement in place for properties in Puerto Rico. This policy has been in place without review for a substantial period of time to determine its effectiveness or need in preventing significant costs or losses. The Enterprise does not subject any other state or territory to this requirement with similar or greater risk. This policy disproportionately affects Latino borrowers as the predominant residents of Puerto Rico. The policy would be a violation because it has a significant disparate impact but lacks clear justification.</div></div><div><div> Example: Suppose an Enterprise's automated underwriting model includes a factor that leads to significantly lower disproportionate acceptance rates for Black borrowers. The factor improves the model's ability to predict risk, but only marginally so. The model is still a sound, predictive model that meets the Enterprise's business needs without the factor Including the factor would be a violation because it has a significant disparate impact but the model without the factor would be a less discriminatory alternative.<a href="#footnote32">[32]</a></div></div><div><div> Example: Suppose an Enterprise's business policy treats properties with a current market value of lower than $100,000 less favorably than properties above that threshold. The policy disproportionately affects more properties in minority neighborhoods than white neighborhoods. The policy has a legitimate business purpose, but other means having less disproportionate impact are available to achieve that purpose. The policy would be a violation because less discriminatory alternative policies are available. </div></div></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><div><div> Example: Suppose an Enterprise underwriting model has a higher cutoff score for certain metro areas. The higher cutoff score is based on an Enterprise's risk assessment of a specific factor for that metro and is unknown to applicants and lenders. The policy has a disproportionate impact on Black and Latino applicants who are rejected by this higher cutoff score at higher rates than white applicants. The Enterprise generally does not take metro-area differences into account in underwriting in other ways. The projected stress losses of not using the higher cutoff score for certain metro areas are minimal. The policy would be a violation because a less-discriminatory alternative exists in the Enterprise's general policy of not taking into account metro-area differences. Prudent fair lending risk management is especially warranted of location-based criteria that have a disparate impact given the Enterprise's obligations under its statutory charter and the Safety and Soundness Act.<a href="#footnote33">[33]</a> </div></div></blockquote><div><div><h4>F.      Discriminatory Statements, Steering, and Discouragement</h4>Making or publishing advertisements, statements, or notices that indicate a preference, limitation or discrimination on a prohibited basis violate the Fair Housing Act.<a href="#footnote34">[34]</a> Such statements could be made to the public, or to agents or employees if made as part of a decision-making process.<a href="#footnote35">[35]</a> Selecting media or locations for publication or the form of advertisements (such as the repeated absence of non-white models) may also constitute discriminatory advertisements or statements. Whether a statement is a violation does not depend on the intent of the speaker or writer, but on whether a reasonable person would interpret the statement to indicate a preference, limitation, or discrimination.Unlawful steering also constitutes a violation of the Fair Housing Act.<a href="#footnote36">[36]</a> Steering involves restricting or attempting to restrict neighborhood choice by word or conduct to perpetuate segregated housing patterns or discourage or obstruct free neighborhood choice. Examples include statements that discourage home purchases on a prohibited basis by exaggerating the drawbacks or failing to note the desirable features of a home or neighborhood and statements that indicate a person would not be comfortable or compatible with existing neighborhood residents. It is also a violation to make oral or written statements to applicants that would discourage on a prohibited basis a reasonable person from making or pursuing an application for credit.<a href="#footnote37">[37]</a> </div></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><div><div> Example: Suppose an Enterprise advertises an REO property on its website and notes its location in a “culturally diverse area." The residents of the neighborhood where the property is located are nearly all Black. This statement would be a violation because it describes the neighborhood in racial terms. It also could constitute a steering violation because it can reasonably be interpreted to indicate who may or may not be comfortable living near the existing residents of the neighborhood. </div></div></blockquote><div><div><h4>G.      Reliance on Discriminatory Property Valuation</h4>It is a Fair Housing Act violation to use a property valuation in connection with the sale or financing of a dwelling when an Enterprise knows or reasonably should know that the property valuation improperly takes into consideration a prohibited basis.<a href="#footnote38">[38]</a> Further, the Safety and Soundness Act fair housing provision, implemented by HUD regulations, prohibits an Enterprise from discriminating in any manner in the purchase of a mortgage, including discriminatory property valuation.<a href="#footnote39">[39]</a> </div></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><div><div> Example: Suppose an Enterprise relies on an appraisal that undervalues a property in a minority neighborhood in establishing the loan-to-value ratio for a loan purchase and the appraisal includes comments from the appraiser that the neighborhood is “predominately Hispanic," the residents have “assimilated their culture heritage" into the neighborhood, and it was now “one spicy neighborhood." The reliance would be a violation because the Enterprise should have known the appraisal improperly considered a prohibited basis.</div></div></blockquote><div><div><h4>H.       Retaliation or Interference</h4>It is a Fair Housing Act violation to coerce, intimidate, threaten, or interfere with any person for having aided or encouraged any other person in the exercise of fair housing rights.  This includes such conduct toward Enterprise employees or agents that report fair housing violations to an Enterprise or other authorities including FHFA or HUD or who take steps to try to correct such violations.<a href="#footnote40">[40]</a></div></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><div><div> Example: Suppose an Enterprise employee believes an Enterprise operational area is violating fair lending laws and seeks to correct the problem. The employee's manager threatens to reassign him to a different practice group if he does not immediately drop the matter and reverse his assessment. The conduct would be a violation because the employee engaged in protected activity by trying to uphold fair housing rights and the manager's actions interfered with that activity in circumstances indicating it was motivated by the protected activity.  </div></div></blockquote><div><div><h4>I.       Reasonable Accommodations </h4>It is a Fair Housing Act violation for an Enterprise to fail to refuse to make reasonable accommodations in rules, policies, practices, or services, when such accommodations may be necessary to afford a person with disabilities equal opportunity to use and enjoy a dwelling unit. </div></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><div><div> Example: Suppose an Enterprise policy offers single-family mortgage underwriting flexibility for legal guardians of adults with developmental disabilities but not legal guardians of adults with traumatic brain injuries. The Fair Housing Act protects persons with disabilities and persons associated with them broadly, and the policy would be a violation because it treats persons associated with persons with traumatic brain injuries less favorably without any apparent justification. The policy would effectively provide a reasonable accommodation to some borrowers protected by the Fair Housing Act but not to others also protected by the Act who are similarly situated. </div></div></blockquote><div><div><h4>J.      Recognized Exceptions </h4>There are activities that may appear to be violations of fair lending law but are recognized exceptions to the law. If conducted by an Enterprise according to appropriate legal standards, supervisory action would generally not be warranted in these circumstances. <h5></h5><h5>1.       Special Purpose Credit Programs </h5>The ECOA and Regulation B allow for-profit creditors, including an Enterprise, to establish special-purpose credit programs benefiting applicants who meet certain eligibility requirements. Generally, these programs target an economically disadvantaged class of individuals and are authorized by federal or state law. This could include eligibility requirements involving one or more prohibited bases. The requirements for special purpose credit programs are provided for in Regulation B.<a href="#footnote41">[41]</a> Prudent risk management by an Enterprise offering such a program would also counsel good-faith conformity with the advisory opinion of the Consumer Financial Protection Bureau (CFPB) in implementation of any special purpose credit program, which would provide liability protection under section 706(e) of ECOA.<a href="#footnote42">[42]</a> HUD confirmed in legal guidance that special purpose credit programs complying with ECOA and Regulation B do not violate the Fair Housing Act,<a href="#footnote43">[43]</a> and the Department of Justice has recognized special purpose credit programs in a remedial settlement agreement that includes the Fair Housing Act.<a href="#footnote44">[44]</a> <h5></h5><h5>2.       Age-Restricted Properties </h5>The Fair Housing Act provides for occupant age-restricted housing under certain circumstances when the housing meets conditions under HUD's regulations.<a href="#footnote45">[45]</a> Enterprise programs that allow for purchase of occupant age-restricted properties meeting Fair Housing Act standards are permissible.<h5>3.       Affirmative Marketing</h5> Affirmative advertising that attempts to reach members of traditionally disadvantaged groups or to reach persons who are least likely to apply for a program is a compliant strategy for advertising and outreach under the Fair Housing Act and the Equal Credit Opportunity Act.<a href="#footnote46">[46]</a> <h3>II.                    Effective Enterprise Fair Lending Program</h3>The following section provides general guidance on FHFA's supervisory expectations for effective Enterprise fair lending programs. Note: this guidance does not affect or supersede other FHFA supervisory guidance on risk management, including compliance risk management and model risk management. FHFA expects each Enterprise to maintain a fair lending program that effectively identifies, assesses, monitors, and mitigates fair lending risk and prevents the occurrence of fair lending violations in Enterprise operations. Fair lending risk includes violations of fair lending law or conditions that permit the occurrence of fair lending violations, but also issues that subject an Enterprise to reputational harm related to issues such as fair lending and serving the Enterprise's public purposes. In this way, fair lending risk poses both management and operational risks. The responsibility for an effective fair lending program goes beyond specific personnel responsible for fair lending. An effective fair lending program requires appropriate board and management oversight and support for the fair lending program, and the cooperation from business and operational areas at an Enterprise. Clear expectations that operational areas must take steps necessary to implement controls to mitigate fair lending risk and prevent the occurrence of fair lending violations should be underscored by board and management support. The fair lending program should have board and management support in conducting its work free from interference or retaliation. Cooperation with FHFA and HUD in their fair housing oversight of the Enterprise is also an important element of an effective fair lending program and a supervisory expectation of FHFA. <h4>A.      Identifying Fair Lending Risk</h4>Identifying fair lending risk involves personnel knowledgeable in fair lending, Enterprise activities and business operations, and recurring risk assessment to identify operational areas where fair lending risk may be present. <h4>B.       Assessing Fair Lending Risk</h4>Assessing fair lending risk involves the assessment of operational areas using both qualitative and quantitative methods to accurately assess the amount and nature of the fair lending risk present in an operational area.<h4>C.      Monitoring Fair Lending Risk</h4>Monitoring fair lending risk involves having processes in place to monitor the identification and assessment of fair lending risk in an operational area to ensure that the identification and assessment remain up to date and accurate. It can involve both qualitative assessment of changes in the operational area, as well as regular statistical analysis to monitor fair lending risk.<h4>D.      Mitigating Fair Lending Risk</h4>Mitigating fair lending risk involves creating and supporting a control environment around operational areas where fair lending risk is identified and assessed to effectively mitigate the risk. Appropriate fair lending training both at a general level and a specific level to an operational area's specific fair lending risks are an important component of mitigating fair lending risk. Because an Enterprise's responsibility for fair lending extends to agents and, in some cases, other third parties, third party risk management is also an important component of mitigating fair lending risk. Development and assessment of less discriminatory alternatives in key business areas is an important component of mitigating fair lending risk, as well as preventing the occurrence of fair lending violations. <h4>E.       Preventing the Occurrence of Fair Lending Violations</h4>Preventing the occurrence of fair lending violations is a core component of an effective fair lending program, and failure to prevent the occurrence of fair lending violations is an indication that fair lending risk has not been appropriately identified, assessed, and mitigated. Such failure can also indicate an operational area has not adequately implemented controls or taken the steps identified by the fair lending program necessary to mitigate fair lending risk—a broader compliance issue for that operational area and an issue implicating board and management support for fair lending and oversight of the operations of the Enterprise.<a href="#footnote47">[47]</a><h4>F.      Cooperation</h4>Cooperation is an important element of an effective fair lending program and a supervisory expectation of FHFA for all Enterprise operational areas. Cooperation is expected of both business and operational areas with respect to the Enterprise's internal fair lending program, as well as with FHFA and HUD in conducting fair lending supervision. Cooperation includes the sharing of complete information requested by FHFA or HUD in fair lending supervision. FHFA's policy statement on fair lending encourages self-reporting of potential fair lending violations, and FHFA views self-reporting favorably in exercising its supervisory and enforcement discretion.<a href="#footnote48">[48]</a><h3>III.                    Fair Lending Risk Factors</h3>Certain risk factors are commonly associated with higher fair lending risk and the existence of conditions under which fair lending violations may occur. FHFA's supervisory expectation is that an effective Enterprise fair lending program will take account of these risks and establish appropriate compliance controls when they are present. Failure to appropriately mitigate fair lending risk that occurs because of fair lending risk factors can result in supervisory findings depending on the facts and circumstances.Risk factors commonly associated with higher fair lending risk include: <ul><li>Substantial discretion to make decisions on transactions or properties</li><li>Lack of clear policies, procedures, business rules, or decision criteria</li><li>Use of factors in decision-making that are subjective rather than objective</li><li>Use of geographic factors or different treatment of geographies</li><li>Policies impacting outcomes that lack clear business justification</li><li>Policies impacting outcomes that have not undergone review for effectiveness or need for a significant period of time</li><li>Compensation criteria or other incentives that could lead to disparities in outcomes</li><li>Reliance on third parties without appropriate oversight</li><li>Unreliable or incomplete data</li><li>Consumer complaints</li><li>Employee statements indicating aversion to doing business in certain areas with relatively high concentration of residents sharing a protected class characteristic</li></ul><h3>IV.                    Associated Fair Lending Requirements</h3>Requirements associated with fair lending not discussed above include requirements related to ECOA notices, data collection and reporting, the Annual Housing Activities Report, credit score approval, new activities and new products, fulfillment of HUD requirements, and FHFA conservatorship requirements. It is an FHFA supervisory expectation that an Enterprise comply with these requirements. <h4>A.      ECOA Notice Requirements</h4>The Equal Credit Opportunity Act requires notice to applicants when a creditor participating in the credit decision takes certain actions.<a href="#footnote49">[49]</a> This includes certain servicing decisions.<a href="#footnote50">[50]</a> FHFA's supervisory expectation is that an Enterprise will comply with applicable ECOA requirements in the appropriate business lines and operational areas.<h4>B.       Data Collection and Reporting Requirements</h4>Each Enterprise is required by law to collect and report underlying race, ethnicity, and other demographic data used for fair lending monitoring and analysis for various purposes.<a href="#footnote51">[51]</a>  The Enterprises are required to report certain fair lending information to FHFA on a quarterly basis and additional information upon request pursuant to FHFA's Enterprise Compliance and Information Submission with Respect to Fair Lending Order.<a href="#footnote52">[52]</a><h4>C.      Annual Housing Activities Report</h4>Each Enterprise, in its Annual Housing Activities Report, is required to assess underwriting standards, business practices, repurchase requirements, pricing, fees, and procedures that affect the purchase of mortgages for low- and moderate-income families, or that may yield disparate results based on the race, color, religion, sex, handicap, familial status, age, or national origin of the borrower, including revisions thereto to promote affordable housing or fair lending.<a href="#footnote53">[53]</a> FHFA expects that an Enterprise will engage in a meaningful analysis of its standards, practices, and requirements that may yield disparate results on prohibited bases and provide transparency to the public into its analysis and the revisions it undertook to promote fair lending.<h4>D.       Validation and Approval of Credit Score Models</h4>The FHFA regulation for validation and approval of credit score models contains requirements related to fair lending. Each application under the process must meet the standards set forth in the regulation related to fair lending compliance and certification for applications, as well as any additional requirements related to fair lending in the credit score solicitation.<a href="#footnote54">[54]</a> Each Enterprise must conduct a fair lending assessment as part of assessment process under the rule.<a href="#footnote55">[55]</a><h4>E.       Requirements related to HUD and Federal ECOA-enforcing Agencies</h4>Each Enterprise is required to undertake certain actions related to fair lending enforcement in the primary mortgage market at the direction of HUD, including providing certain information to HUD regarding lenders and servicers either to assist HUD or Federal agencies enforcing ECOA, and to undertake remedial actions against certain lenders at the direction of HUD.<a href="#footnote56">[56]</a> FHFA expects that an Enterprise will fully cooperate with HUD in any such direction. <h4>F.      FHFA Conservatorship Requirements</h4>While the Enterprises are in conservatorship, FHFA's conservatorship function for each Enterprise also includes fair lending oversight. FHFA conservatorship directives may include requirements associated with fair lending compliance or intended to further fair lending principles. FHFA expects each Enterprise to comply with these conditions and have available information demonstrating compliance for supervisory review. <h3>V.                    Steps to Promote Fair Housing and Fair Lending</h3>The Enterprises play a unique and important role in the mortgage market, and their operations and policies can promote fair housing and fair lending compliance and further the purposes of fair lending laws and the public interest in the primary mortgage market. Historically, the Enterprises have often played a leading role in adopting standards to promote fair lending. FHFA encourages each Enterprise to promote among their business counterparties fair lending compliance and the purposes of fair lending laws while furthering their public purposes in the mortgage market. While such Enterprise actions are not a substitute for ensuring fair lending compliance in an Enterprise's own operations, an effective fair lending program, or compliance with associated fair lending requirements, they demonstrate a commitment to promoting fair lending that FHFA encourages and recognizes. An Enterprise that takes such actions to promote fair lending is encouraged to document them and to provide them to FHFA during FHFA's fair lending oversight, even when not required to by other FHFA requirements. Additionally, FHFA has established the Equitable Housing Finance Plan framework as conservator, under which an Enterprise is required to engage in ongoing barrier identification, planning, and goal-setting, and to undertake meaningful actions to address those barriers.<a href="#footnote57">[57]</a> Each Enterprise is also required to report progress on such plans annually. FHFA's supervisory expectation is that an Enterprise's efforts under the Equitable Housing Finance Plan will demonstrate full compliance with the framework.<h2> </h2><h2> Related Guidance and Regulations</h2><h3>I.                    Federal Fair Lending Laws and Regulations</h3>Fair Housing Act – 42 U.S.C. 3601 et seq.Discriminatory Conduct Under the Fair Housing Act – 24 CFR part 100 Equal Credit Opportunity Act – 15 U.S.C. 1691 et seq.Equal Credit Opportunity Act (Regulation B) – 12 CFR part 1002 Safety and Soundness Act fair housing provision – 12 U.S.C. 4545 HUD's Regulation of Fannie Mae and Freddie Mac – 24 CFR part 81, subpart C  <h3>II.                    FHFA Fair Lending Guidance and Requirements</h3> <a href="/SupervisionRegulation/Rules/Pages/Policy-Statement-on-Fair-Lending.aspx">FHFA Fair Lending Policy Statement</a> <a href="/PolicyProgramsResearch/Policy/Pages/Fair-Lending-Oversight.aspx">FHFA Fair Lending Reporting Orders</a> <a href="/Media/PublicAffairs/PublicAffairsDocuments/FHFA-HUD-MOU_8122021.pdf">FHFA-HUD Memorandum of Understanding Regarding Fair Housing and Fair Lending Coordination </a>  <h3>III.                  Federal Fair Lending Guidance</h3>These resources are issued by Federal agencies related to fair lending matters. They may provide helpful guidance on the application of fair lending laws or exam and investigation procedures and methods in a variety of contexts. While FHFA considers the resources relevant and helpful guidance, the list of resources is not intended to be comprehensive. FHFA carefully considers the full context of the facts and law in any particular matter involving the Enterprises' fair lending compliance. <h4>A.      General Federal Fair Lending Guidance</h4>General guidance from Federal agencies regarding fair lending can provide helpful guidance in particular matters. <a href="https://www.govinfo.gov/content/pkg/FR-1994-04-15/html/94-9214.htm">1994 Policy Statement on Discrimination in Lending</a> <a href="https://www.federalreserve.gov/boarddocs/caletters/2009/0906/09-06_attachment.pdf">Interagency Fair Lending Exam Procedures</a> <a href="https://www.hud.gov/program_offices/administration/hudclips/handbooks/fheo/80241">HUD Fair Housing Act Complaint intake, Investigation, and Conciliation Handbook</a> <a href="https://files.consumerfinance.gov/f/201307_cfpb_ecoa_baseline-review-module-fair-lending.pdf">CFPB ECOA Baseline Review Modules</a><h4>B.       Federal Enforcement Actions and Administrative Decisions</h4>Complaints, administrative opinions, consent orders, and similar actions by Federal agencies that enforce fair lending laws can provide helpful guidance on particular matters. <a href="https://www.justice.gov/crt/housing-and-civil-enforcement-section-cases-1">DOJ Housing and Civil Enforcement Section Cases</a> <a href="https://www.hud.gov/program_offices/hearings_appeals/cases/fha">HUD Administrative Law Judge Fair Housing Act Decisions</a> <a href="https://orders.fdic.gov/s/">FDIC Enforcement Actions</a> <a href="https://www.federalreserve.gov/supervisionreg/enforcementactions.htm">Federal Reserve Enforcement Actions</a> <a href="https://apps.occ.gov/EASearch/">Office of the Comptroller of the Currency Enforcement Actions</a> <h4>C.      Specific Federal Fair Lending Guidance</h4>Guidance from Federal agencies regarding specific topics as they relate to fair lending can provide helpful guidance in particular matters. <h5>1.       Accessibility (Design and Construction), Group Homes, Reasonable Accommodation, Service Animals</h5> <a href="https://www.justice.gov/sites/default/files/crt/legacy/2013/05/03/jointstatement_accessibility_4-30-13.pdf">Accessibility (Design and Construction) Requirements for Covered Multifamily Dwellings under the Fair Housing Act</a> <a href="https://www.hud.gov/sites/dfiles/PA/documents/HUDAsstAnimalNC1-28-2020.pdf">Assessing a Person's Request to Have an Animal as a Reasonable Accommodation Under the Fair Housing Act (HUD FHEO-2020-01)</a> <a href="https://www.justice.gov/sites/default/files/crt/legacy/2013/05/03/jointstatement_accessibility_4-30-13.pdf">Reasonable Accommodations under the Fair Housing Act</a> <a href="https://www.justice.gov/crt/page/file/909956/download">State and Local Land Use Laws and Practices and the Application of the Fair Housing Act</a><h5>2.       Advertising, Discriminatory Statements</h5> <a href="http://www.montanafairhousing.org/forms/24CFR_109.pdf">Fair Housing Act Advertising Guidelines (former 24 CFR part 109)</a> <a href="https://www.hud.gov/sites/documents/DOC_7784.PDF">Memorandum on Guidance Regarding Advertisements Under 804(c) of the Fair Housing Act</a><h5>3.       Criminal Background Checks</h5> <a href="https://www.hud.gov/sites/documents/HUD_OGCGUIDAPPFHASTANDCR.PDF">Application of Fair Housing Act Standards to the Use of Criminal Records by Providers of Housing and Real Estate-Related Transactions</a> <h5>4.       Gender Identity, Sexual Orientation</h5> <a href="https://www.hud.gov/sites/dfiles/PA/documents/HUD_Memo_EO13988.pdf">Implementation of Executive Order 13988 on Enforcement of the Fair Housing Act</a> <h5>5.       Limited English Proficiency</h5> <a href="https://www.hud.gov/sites/documents/LEPMEMO091516.PDF">Fair Housing Act Protections for Persons with Limited English Proficiency</a> <h5>6.       Low-Income Housing Tax Credit Properties</h5> <a href="https://www.justice.gov/crt/memorandum-understanding-among-department-treasury-department-housing-and-urban-development-an-0">Inter-governmental Agreement on Low-Income Housing Tax Credit Properties</a> <h5>7.       Models</h5> <a href="https://ithandbook.ffiec.gov/media/resources/3672/occ-bl-97-24_credit_scor_models.pdf">OCC Bulletin 97-24 (Disparate Treatment and Disparate Impact sections)</a> <h5>8.       Occupancy Standards</h5> <a href="https://www.hud.gov/sites/documents/DOC_35681.PDF">Fair Housing Enforcement – Occupancy Standards Notice of Statement of Policy</a> <h5>9.       Public Assistance Income</h5> <a href="https://files.consumerfinance.gov/f/201505_cfpb_bulletin-section-8-housing-choice-voucher-homeownership-program.pdf">Section 8 Housing Choice Voucher Homeownership Program (CFPB Bulletin 2015-02)</a> <a href="https://files.consumerfinance.gov/f/201411_cfpb_bulletin_disability-income.pdf">Social Security Disability Income Verification (CFPB Bulletin 2014-03)</a><h5>10.       Real Estate Owned Property</h5> <a href="https://www.federalreserve.gov/supervisionreg/srletters/sr1210a1.pdf">Questions and Answers for Federal Reserve-Regulated Institutions Related to the Management of Other Real Estate Owned (OREO) Assets (Fair Housing Act portions)</a> <h5>11.       Special Purpose Credit Programs</h5> <a href="https://www.consumerfinance.gov/rules-policy/final-rules/advisory-opinion-on-special-purpose-credit-programs/">Advisory Opinion on Special Purpose Credit Programs</a> <a href="https://www.hud.gov/sites/dfiles/GC/documents/Special_Purpose_Credit_Program_OGC_guidance_12-6-2021.pdf">Office of General Counsel Guidance on the Fair Housing Act's Treatment of Certain Special Purpose Credit Programs That Are Designed and Implemented in Compliance with the Equal Credit Opportunity Act and Regulation B</a><h5>12.       Tribal Housing</h5> <a href="https://www.hud.gov/sites/documents/DOC_8818.PDF">Limiting Housing to Indian Families or Tribal Members (HUD Notice PIH 2009-4)</a> <h3>IV.                    Other Relevant FHFA Guidance</h3> <a href="https://www.ecfr.gov/cgi-bin/text-idx?node=pt12.10.1236&rgn=div5#ap12.10.1236_15.1">Appendix to Part 1236, Prudential Management Operating Standards</a> <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Enterprise-Risk-Management-Program.aspx">AB 2020-06 Enterprise Risk Management Program</a> <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Compliance-Risk-Management.aspx">AB 2019-05 Compliance Risk Management</a> <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Oversight-of-Third-Party-Provider-Relationships.aspx">AB 2018-08 Oversight of Third-Party Provider Relationships</a> <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Classifications-of-Adverse-Examination-Findings.aspx">AB 2017-01 Classification of Adverse Examination Findings</a> <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/AB-2013-07-Model-Risk-Management-Guidance.aspx">AB 2013-07 Model Risk Management Guidance</a> <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/AB-2013-03-FHFA-ENFORCEMENT-POLICY.aspx">AB 2013-03 FHFA Enforcement Policy</a> <div style="font-style:normal;font-weight:400;font-size:14px;font-family:"source sans pro", sans-serif;">__________________ </div></div></div> <a name="footnote1">[1]</a> 12 U.S.C. 4511(b)(2), 42 U.S.C. 3608(d). <a name="footnote2">[2] </a><a href="/SupervisionRegulation/Rules/Pages/Policy-Statement-on-Fair-Lending.aspx">https://www.fhfa.gov/SupervisionRegulation/Rules/Pages/Policy-Statement-on-Fair-Lending.aspx</a> <a name="footnote3">[3] </a><a href="/PolicyProgramsResearch/Policy/Pages/Fair-Lending-Oversight.aspx">https://www.fhfa.gov/PolicyProgramsResearch/Policy/Pages/Fair-Lending-Oversight.aspx</a> <a name="footnote4">[4]</a> <a href="/Media/PublicAffairs/PublicAffairsDocuments/FHFA-HUD-MOU_8122021.pdf" style="font-family:"source sans pro", sans-serif;font-size:14px;font-style:normal;">https://www.fhfa.gov/Media/PublicAffairs/PublicAffairsDocuments/FHFA-HUD-MOU_8122021.pdf</a> <span style="border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;margin:0px;padding:0px;font-weight:700 !important;"> <a name="footnote5">[5]</a> Executive Order 12892 section 2-204, available at: <a href="https://www.govinfo.gov/content/pkg/WCPD-1994-01-24/pdf/WCPD-1994-01-24-Pg110.pdf" style="font-family:"source sans pro", sans-serif;font-size:14px;font-style:normal;">https://www.govinfo.gov/content/pkg/WCPD-1994-01-24/pdf/WCPD-1994-01-24-Pg110.pdf</a>. <span style="border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;margin:0px;padding:0px;font-weight:700 !important;"> <a name="footnote6">[6]</a> See, e.g., 12 U.S.C. 4545, 15 U.S.C. 1691(a), 42 U.S.C. 3601 et seq. <a name="footnote7">[7]</a> The Department of Housing and Urban Development has determined that the Fair Housing Act's prohibition on sex discrimination includes discrimination on the basis of sexual orientation or gender identity. See Implementation of Executive Order 13988 on the Enforcement of the Fair Housing Act, available at: <a href="https://www.hud.gov/sites/dfiles/PA/documents/HUD_Memo_EO13988.pdf">https://www.hud.gov/sites/dfiles/PA/documents/HUD_Memo_EO13988.pdf</a>. FHFA supervises and enforces the Fair Housing Act consistent with HUD's interpretation. <a name="footnote8">[8]</a> Interference claims are also cognizable under the Fair Housing Act and its implementing regulation. See supra Section H, Retaliation or Interference; e.g., 42 U.S.C. 3617 (“It shall be unlawful to coerce, intimidate, threaten, or interfere with any person in the exercise or enjoyment of, or on account of his having exercised or enjoyed, or on account of his having aided or encouraged any other person in the exercise or enjoyment of, any right granted or protected by section 3603, 3604, 3605, or 3606 of this title."); 24 CFR 100.400. <a name="footnote9">[9]</a> The Fair Housing Act uses the term “handicap" instead of the term "disability." Both terms have the same legal meaning. See Bragdon v. Abbott, 524 U.S. 624, 631 (1998) (noting that definition of “disability" in the Americans with Disabilities Act is drawn almost verbatim “from the definition of 'handicap' contained in the Fair Housing Amendments Act of 1988"). This document uses the term "disability," which is more generally accepted. <a name="footnote10">[10]</a> See, e.g., 12 CFR 1002, Official Interpretations, comment 2(z)-1; 24 CFR part 100.70(a). <a name="footnote11">[11]</a> See, e.g., 24 CFR 100.125. <a name="footnote12">[12]</a> See, e.g., 24 CFR 100.120. <a name="footnote13">[13]</a> See, e.g., 12 CFR 1002, Official Interpretations, comment 2(l)-1. <a name="footnote14">[14]</a> See, e.g., 24 CFR 100.60. <a name="footnote15"> [15]</a> See, e.g., 24 CFR 100.75, 100.75(c)(2). <a name="footnote16">[16]</a> See, e.g., 24 CFR 100.135(d)(1). <a name="footnote17">[17]</a> See, e.g., 24 CFR 100.130(b)(3); see also Federal Reserve CA 09-13 (Dec. 4, 2009) (ECOA guidance for loss mitigation under HAMP program). <a name="footnote18">[18]</a> See, e.g., 24 CFR 100.125(b)(2), (3). <a name="footnote19">[19]</a> See, e.g., 24 CFR 100.20 (definition of “dwelling") <a name="footnote20">[20]</a> See, e.g., 24 CFR 100.70(b). <a name="footnote21">[21]</a> See, e.g., 24 CFR 100.135. <a name="footnote22">[22]</a> See, e.g., 24 CFR 100.7. <a name="footnote23">[23]</a> See, e.g., 24 CFR 100.7(a)(1) and (b). <a name="footnote24">[24]</a> See, e.g., 24 CFR 100.7(a)(1)(iii). <span style="border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;margin:0px;padding:0px;font-weight:700 !important;"> <a name="footnote25">[25]</a> See, e.g., 1994 Policy Statement on Discrimination in Lending, available at: <a href="https://www.govinfo.gov/content/pkg/FR-1994-04-15/html/94-9214.htm" style="font-style:normal;font-size:14px;font-family:"source sans pro", sans-serif;">https://www.govinfo.gov/content/pkg/FR-1994-04-15/html/94-9214.htm</a>; Federal Financial Institutions Examination Council Interagency Fair Lending Exam Procedures, available at: <a href="https://www.ffiec.gov/PDF/fairlend.pdf" style="font-style:normal;font-size:14px;font-family:"source sans pro", sans-serif;">https://www.ffiec.gov/PDF/fairlend.pdf</a>.   <span style="border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;margin:0px;padding:0px;font-weight:700 !important;"> <a name="footnote26">[26]</a> See, e.g., 42 U.S.C. 3604(b), 24 CFR 100.65(b)(2), Nat'l Fair Hous. Alliance v. Bank of Am., N.A., 401 F. Supp. 3d 619, 639 (D.Md. July 18, 2019), Questions and Answers For Federal Reserve-Regulated Institutions Related to the Management of Other Real Estate Owned (OREO) Assets, June 27, 2012, available at: <a href="https://www.federalreserve.gov/supervisionreg/srletters/sr1210a1.pdf" style="font-style:normal;font-size:14px;font-family:"source sans pro", sans-serif;">https://www.federalreserve.gov/supervisionreg/srletters/sr1210a1.pdf</a>   (“[I]nstitutions may not avoid or delay the maintenance or repairs of dwellings based on the racial or ethnic composition of the geographic area where they are located.") <div> <a name="footnote27">[27]</a> See, e.g., 1994 Policy Statement, Interagency Fair Lending Exam Procedures. <a name="footnote28">[28]</a> See, e.g., 1994 Policy Statement on Discrimination in Lending, FFIEC Interagency Fair Lending Exam Procedures. </div> <a name="footnote29">[29]</a> Ash v. Tyson Foods, Inc., 546 U.S. 454, 456 (2006). See Avenue 6E Investments, LLC v. City of Yuma, 818 F.3d 493, 506 (9th Cir. 2016) (applying Ash v. Tyson standard in a Fair Housing Act case). In general, when analyzing the custom factor, FHFA looks at real estate and mortgage industry standards and practices rather than “local" custom as suggested by the Supreme Court in the employment context. <a name="footnote30">[30]</a> See, e.g., Toledo Fair Hous. Ctr. v. Nationwide Mut. Ins. Co., 704 N.E.2d 667, 674 (Ct. Com.Pl. Ohio 1997) (noting “pride of ownership" as subjective, discriminatory criteria in insurance underwriting); Consent Decree in United States v. Nationwide Mut. Ins. Co., C2-97-291 (S.D. Ohio Mar. 10, 1997), available at <a href="https://www.justice.gov/crt/housing-and-civil-enforcement-cases-documents-367">https://www.justice.gov/crt/housing-and-civil-enforcement-cases-documents-367</a> (banning “pride of ownership" in insurer's underwriting as discriminatory); Avenue 6E Investments, LLC v. City of Yuma, 818 F.3d at 499  (noting “pride of ownership" as discriminatory comment in public opposition to affordable housing development); Uniform Standards of Professional Appraisal Practice, Advisory Opinion 16 (advising appraisers not to use the term “high-crime area" in fair housing advisory opinion from Appraisal Advisory Board). See Greater New Orleans Fair Hous. Action Ctr. v. St. Bernard Parish, 641 F.Supp.2d 563, 571–72 (E.D.La.2009) (finding references to crime “racially-loaded"); Atkins v. Robinson, 545 F. Supp. 852, 874 (E.D.Va.1982) (reference to “an abundance of crime" “may be interpreted as [a] veiled reference[ ] to race"); Pierce v. Metropolitan Liability & Property Ins. Co., 1983 U.S. Dist. LEXIS 11368, *18 (S.D. Ohio 1983) (“This report stated, in part, that the Plaintiffs' house was located in an area where there were a number of vacant or run-down houses, that the area of Plaintiffs' residence was located in a center city with a high frequency of reports of crime and vice. Based upon these facts, one could infer that Plaintiffs' house was located in a predominantly minority area."); Barrick Realty, Inc. v. City of Gary, 354 F. Supp. 126 (N.D. Ind. 1973) (“Among the fears of white residents as non-whites begin to move into their neighborhood are rising crime rates, overcrowded schools, declining property values, and a generally lower quality of life."). <a name="footnote31">[31]</a> See, e.g., 24 CFR 100.500, 12 CFR 1002.6(a), 1994 Policy Statement on Discrimination in Lending, FFIEC Interagency Fair Lending Exam Procedures. <a name="footnote32">[32]</a> See, e.g., OCC Bulletin 97-24, available at: <a href="https://ithandbook.ffiec.gov/media/resources/3672/occ-bl-97-24_credit_scor_models.pdf">https://ithandbook.ffiec.gov/media/resources/3672/occ-bl-97-24_credit_scor_models.pdf</a> (“National banks should avoid including in their credit scoring systems variables that have little influence on the total credit score, yet disadvantage applicants on a prohibited basis to a statistically significant degree.").  <a name="footnote33">[33]</a> 12 U.S.C. 4545(1), 24 CFR 81.42; 12 U.S.C. 1716(4) (Fannie Mae charter); 1451(b)(4) (Freddie Mac charter). <a name="footnote34">[34]</a> 24 CFR 100.75. Affirmative marketing meeting certain requirements may be considered an exception to this prohibition. See supra I.J, Recognized Exceptions.. <a name="footnote35">[35]</a> 24 CFR 100.75(c)(2). <a name="footnote36">[36]</a> 24 CFR 100.70. <a name="footnote37">[37]</a> 12 CFR 1002.4(b). <a name="footnote38">[38]</a> 24 CFR 100.135(d)(1). The Fair Housing Act does include a limited exemption for appraisers, who may “take into consideration factors other than race, color, religion, national origin, sex, [disability]. . ., or familial status" regardless of other requirements in the statute. 42 U.S.C. 3605(c). <a name="footnote39">[39]</a> 12 U.S.C. 4545(1), (6). <a name="footnote40">[40]</a> 24 CFR 100.400. <div> <a name="footnote41">[41]</a> See 12 CFR 1002.8. <a name="footnote42">[42]</a> See Advisory Opinion on Special Purpose Credit Programs (Dec. 21, 2020), available at: <a href="https://www.consumerfinance.gov/rules-policy/final-rules/advisory-opinion-on-special-purpose-credit-programs/">https://www.consumerfinance.gov/rules-policy/final-rules/advisory-opinion-on-special-purpose-credit-programs/</a>. <a name="footnote43">[43]</a> See Office of General Counsel Guidance on the Fair Housing Act's Treatment of Certain Special Purpose Credit Programs That Are Designed and Implemented in Compliance with the Equal Credit Opportunity Act and Regulation B (Dec. 6, 2021), available at: <a href="https://www.hud.gov/sites/dfiles/GC/documents/Special_Purpose_Credit_Program_OGC_guidance_12-6-2021.pdf">https://www.hud.gov/sites/dfiles/GC/documents/Special_Purpose_Credit_Program_OGC_guidance_12-6-2021.pdf</a>. <a name="footnote44">[44]</a> See, e.g., Settlement Agreement between the United States of America and Kleinbank, May 8, 2018, available at: <a href="https://www.justice.gov/opa/press-release/file/1060996/download">https://www.justice.gov/opa/press-release/file/1060996/download</a>.  <a name="footnote45">[45]</a> 24 CFR part 100 subpart E. <a name="footnote46">[46]</a> 12 CFR 1002.4 comment 4(b)-2. <a name="footnote47">[47]</a> See, e.g., 12 CFR part 1236. <a name="footnote48">[48]</a> <a href="/SupervisionRegulation/Rules/Pages/Policy-Statement-on-Fair-Lending.aspx">https://www.fhfa.gov/SupervisionRegulation/Rules/Pages/Policy-Statement-on-Fair-Lending.aspx</a>. <a name="footnote49">[49]</a> See, e.g., 12 CFR 1002.9. <a name="footnote50">[50]</a> See, e.g., Federal Reserve Consumer Affairs Letter 09-13, available at: <a href="https://www.federalreserve.gov/boarddocs/caletters/2009/0913/caltr0913.htm">https://www.federalreserve.gov/boarddocs/caletters/2009/0913/caltr0913.htm</a>. <a name="footnote51">[51]</a> 12 U.S.C. 1456(e), 1723a(m), 4544(b)(3), 4545(2)-(3), 4561(d)(1). Primary mortgage market lenders are required to collect data for government fair lending monitoring as well under 12 CFR 1002.13 and 12 CFR part 1003. The Enterprises' Uniform Residential Loan Application (URLA) is a vehicle frequently used for the collection of this data across the mortgage industry. <a name="footnote52">[52]</a> See In Re: Enterprise Compliance and Information Submission with Respect to Fair Lending, Order No. 2021-OR-FNMA-2 and Order No. 2021-OR-FHLMC-2, available at: <a href="/PolicyProgramsResearch/Policy/Pages/Fair-Lending-Oversight.aspx">https://www.fhfa.gov/PolicyProgramsResearch/Policy/Pages/Fair-Lending-Oversight.aspx</a>. <a name="footnote53">[53]</a> 24 CFR 81.43. <a name="footnote54">[54]</a> 12 CFR 1254.6(a), (a)(2). <a name="footnote30">[55]</a> 12 CFR 1254.8(b)(2). <a name="footnote30">[56]</a> 24 CFR 81.244, 81.46. <a name="footnote57">[57]</a> <a href="/Media/PublicAffairs/PublicAffairsDocuments/Equitable-Housing-Finance-Plans-RFI.pdf" style="font-style:normal;font-size:14px;font-family:"source sans pro", sans-serif;">https://www.fhfa.gov/Media/PublicAffairs/PublicAffairsDocuments/Equitable-Housing-Finance-Plans-RFI.pdf</a>.</div><div> </div><div><div><table width="100%" class="ms-rteTable-default" cellspacing="0" style="font-style:normal;font-weight:400;font-size:14px;font-family:"source sans pro", sans-serif;"><tbody><tr><td class="ms-rteTable-default" style="width:776px;">FHFA has statutory responsibility to ensure  that the regulated entities carry out their missions consistently with the provisions and purposes of FHFA's statute and the regulated entities' authorizing statutes and applicable law.  Advisory Bulletins describe supervisory expectations in particular areas and are used in FHFA examinations of the regulated entities. For comments or questions pertaining to this Advisory Bulletin, contact James Wylie at <a href="mailto:James.Wylie@FHFA.gov">James.Wylie@FHFA.gov</a> or by phone at 1-202-649-3209. </td></tr></tbody></table> </div></div>

12/20/2021 9:43:06 PM

Home / Supervision & Regulation / Advisory Bulletins / Enterprise Fair Lending and Fair Housing Compliance Advisory Bulletin AB 2021-04: Enterprise Fair Landing and Fair

9290

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Supervisory Letter on FHLBank Membership Issues - September 2021

35450

FHL Banks

9/9/2021 4:00:00 AM

A number of issues relating to Federal Home Loan Bank (FHLBank or Bank) membership eligibility have arisen recently both through the examination process and as a result of inquiries to the Federal Housing Finance Agency (FHFA). FHFA has issued this supervisory letter to ensure that all FHLBanks are aware of these issues and to provide uniform guidance in the event other Banks encounter similar circumstances.

9/9/2021 4:30:40 PM

Home / Supervision & Regulation / Advisory Bulletins / Supervisory Letter on FHLBank Membership Issues - September 2021 Advisory Bulletin A number of issues relating to

6322

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Framework for Adversely Classifying Loans, Other Real Estate Owned, and Other Assets and Listing Assets for Special Mention

34027

FHLB & Fannie Mae & Freddie Mac

8/25/2021 4:00:00 AM

AB 2021-03

<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"> ADVISORY BULLETIN AB 2021-03:  FRAMEWORK FOR ADVERSELY CLASSIFYING LOANS, OTHER REAL ESTATE OWNED, AND OTHER ASSETS AND LISTING ASSETS FOR SPECIAL MENTION</td></tr></tbody></table> Purpose This Advisory Bulletin (Advisory Bulletin, or guidance) establishes guidelines for adverse and non-adverse classification of assets (assets refer to on-balance sheet or off-balance sheet credit exposures) at Fannie Mae and Freddie Mac (Enterprises) and the Federal Home Loan Banks (FHLBanks) (collectively, the regulated entities).  These guidelines describe sound practices for managing credit risk at the regulated entities.  This guidance does not apply to investment securities.<a href="#footnote1">[1]</a>  This Advisory Bulletin rescinds and replaces Framework for Adversely Classifying Loans, Other Real Estate Owned, and Other Assets and Listing Assets For Special Mention (AB 2012-02), and rescinds Clarification of Implementation for Advisory Bulletin 2012-02, Framework for Adversely Classifying Loans, Other Real Estate Owned, and Other Assets and Listing Assets for Special Mention (AB 2013-02). FHFA examiners will evaluate how the regulated entities apply this guidance to their classification practices. BackgroundThe purpose of this Advisory Bulletin is to establish a standard and uniform methodology for classifying regulated entity assets based on their credit quality, as well as to affirm the basis for writing off loans classified as Loss.  Asset classification is a critical element in evaluating the risk profile of the regulated entities.  Asset classification also provides a mechanism to validate the regulated entity's internal risk identification processes and establishes a common set of classification definitions to serve as the basis for asset quality metrics.  In addition, this Advisory Bulletin describes procedures for listing assets for Special Mention, which can be an effective method to identify and rectify weaknesses in credit management practices before deterioration occurs.  This guidance considers and is generally consistent with the Uniform Retail Credit Classification and Account Management Policy  issued by the Federal Financial Institutions Examination Council (FFIEC) in June 2000, which established specific procedures for the adverse classification of residential mortgage loans and other retail loans. This Advisory Bulletin is intended to be consistent with applicable statutes, regulations, and Generally Accepted Accounting Principles (GAAP).  It does not relieve or diminish the responsibility of a regulated entity's board of directors or management to follow applicable laws, rules, and regulations and to conform to applicable accounting standards, i.e., GAAP.  Any conflicts should be resolved to comply with applicable laws and regulations, and to conform to applicable accounting standards.   Guidance I. DefinitionsThe following definitions apply when considering the adverse classification of assets at the regulated entities. An asset classified Substandard is protected inadequately by the current net worth and paying capacity of the obligor, or by the collateral pledged, if any.  Assets so classified must have a well-defined weakness or weaknesses that jeopardize the liquidation of the debt.  They are characterized by the distinct possibility that the institution will sustain some loss if the deficiencies are not corrected. An asset classified Doubtful has all the weaknesses inherent in one classified Substandard with the added characteristic that the weaknesses make collection or liquidation in full, on the basis of currently existing facts, conditions, and values, highly questionable and improbable. An asset, or portion thereof, classified Loss is considered uncollectible, and of such little value that its continuance on the books is not warranted.  This classification does not mean that the asset has absolutely no recovery or salvage value; rather, it is not practical or desirable to defer writing off an essentially worthless asset (or portion thereof), even though partial recovery may occur in the future. II. Adverse Classification of Assets<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"> A. Single-Family Residential Mortgage Loans</blockquote> Single-family residential mortgage loans, including FHLBank Acquired Member Assets (AMA),<a href="#footnote2" style="font-family:"source sans pro", sans-serif;font-size:14px;">[2]</a> consist of first mortgages secured by one-to-four family residential real estate.  Given their size, general homogeneity, and the volume of residential mortgage loans at the Enterprises and the FHLBanks, it may be impractical to individually review specific loans to determine credit quality.  Such loans should be classified using the following guidelines:<ul><li> Single-family residential real estate loans that are delinquent 90 days or more with loan-to-value ratios greater than 60 percent, should be classified Substandard.</li><li> A current assessment of value should be made before a single-family residential mortgage loan with a loan-to-value ratio greater than 60 percent is more than 180 days past due.  Any outstanding loan balance in excess of the sum of (i) current fair value of the collateral, less costs to sell, and (ii) any expected proceeds from non-freestanding<a href="#footnote3" style="font-family:"source sans pro", sans-serif;font-size:14px;">[3]</a> credit enhancements should be classified Loss not later than when the loan is 180 days delinquent.  Properly secured residential real estate loans with loan-to-value ratios equal to or less than 60 percent are generally not classified based solely on delinquency status.</li><li> When a borrower is in bankruptcy, a portion of the loan should be classified as Loss and written down to the fair value of the collateral, less costs to sell, within 60 days of receipt of the notification of filing from the bankruptcy court or within the delinquency time frames specified in this policy, whichever is shorter, unless it can be clearly demonstrated and documented that repayment is likely to occur.  Any loan balance remaining after write-off should be classified Substandard until the borrower demonstrates the ability and willingness to repay for a period of at least six consecutive months.</li><li> Fraudulent loans, if not covered by any existing representations and warranties in the loan purchase agreement, should be classified as Loss and written off within 90 days of discovery of the fraud, or within the delinquency time frames specified in this adverse classification policy, whichever is shorter.</li></ul>Regulated entities should write off the portion of the asset adversely classified as Loss except in certain limited circumstances.<a href="#footnote4">[4]</a>  A write-off should result in the balance of the asset being reduced by the amount of the loss.  The write-off associated with any Loss classification should be taken by the end of the month in which the applicable time period elapses. If the regulated entity can clearly document that the delinquent loan is well-secured and in the process of collection, such that collection will occur regardless of delinquency status, then the loan need not be adversely classified.  A well-secured loan is collateralized by a perfected security interest in real property with an estimated fair value, less costs to sell, sufficient to recover the loan balance.  "In the process of collection" means that either a collection effort or legal action is proceeding and is reasonably expected to result in recovery of the loan balance or restoration of the loan to a current status, generally within the next 90 days.  Other exceptions to this adverse classification policy might be for loans that are supported by valid insurance claims, such as federal loan guarantee programs.In determining a single-family mortgage loan's delinquency status, the regulated entity should use one of two methods to recognize partial payments.  A payment equivalent to 90 percent or more of the contractual payment may be considered a full payment in computing delinquency.  Alternatively, the regulated entity may aggregate payments and give credit for any partial payment received.  For example, if a regular payment is $300 and the borrower makes payments of only $150 per month for a six-month period, the loan would be $900, or three full months delinquent.  A regulated entity may use either or both methods for loans in its portfolio but may not use both methods simultaneously with a single loan. <blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"> B. Multifamily Residential Mortgage Loans </blockquote>Multifamily residential mortgage loans consist of first mortgages secured by multifamily (5 units or more) residential real estate.  Multifamily real estate loans should not be adversely classified if they are current and are adequately protected by the underlying collateral value and debt service capacity of the property, or a guarantor with demonstrated ability and willingness to perform on the loan.  The following applies to the adverse classification of multifamily residential mortgage loans.To determine the appropriate adverse classification, examiners will evaluate the prospects that the loan will be repaid in the normal course of business considering all relevant information.  This includes information on the borrower's creditworthiness and payment record, the nature and degree of protection provided by the cash flow and value of the underlying collateral, and any support provided by financially responsible guarantors.  As a general principle, a performing multifamily real estate loan should not automatically be adversely classified or written off solely because the value of the underlying collateral has declined to an amount that is less than the loan balance.  Similarly, loans to sound borrowers that are refinanced or renewed in accordance with prudent underwriting standards and have not been formally restructured due to troubled condition should not be adversely classified unless well-defined weaknesses exist that jeopardize repayment in the normal course of business.  However, it would be appropriate to adversely classify a performing loan when well-defined weaknesses exist that jeopardize repayment – such as the lack of credible support from reliable sources – using the definitions of Substandard, Doubtful, and Loss set forth above. Multifamily loans with well-defined weaknesses that subject the regulated entity to the possibility of loss, even if the loan is not seriously delinquent (90 days or more), should be classified Substandard.  For a multifamily loan where there are no available and reliable sources of repayment other than the sale of the underlying real estate collateral, any portion of the loan balance that exceeds the sum of (i) current fair value of the collateral, less costs to sell, and (ii) any expected proceeds from non-freestanding credit enhancements, should be classified Loss and written off.  The remaining portion of the loan balance that is adequately secured should generally be classified no worse than Substandard.  The amount of the loan balance in excess of the value of the collateral, or portions thereof, should be classified Doubtful, and not Loss, only when the potential for loss may be mitigated by the outcome of certain near-term (generally, within 90 days) pending events.  The Doubtful classification is seldom used and is reserved for situations like those described here. Regulated entities should write off the portion of the asset adversely classified as Loss except in certain limited circumstances.<a href="#footnote5">[5]</a>  A write-off should result in the balance of the asset being reduced by the amount of the loss.  The write-off associated with any Loss classification should be taken by the end of the month in which the applicable time period elapses. When analyzing a formally restructured multifamily loan, the examiner will focus on the borrower's ability to repay the loan in accordance with its modified terms.  Adversely classifying a formally restructured loan would be appropriate, if, after the restructuring, well-defined weaknesses continue to exist that jeopardize the repayment of the loan in accordance with the modified terms. <blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"> C. Other Real Estate Owned</blockquote>Other Real Estate Owned (REO) should be evaluated for possible adverse classification of Substandard, Doubtful or Loss.  The regulated entity should make periodic (at least annual) reappraisals of the value of the REO.  In cases when a reliable appraisal is not available, or the appraisal on file is outdated, there are other acceptable methods the regulated entity can use for determining and documenting the value of the REO.  For purposes of classification, any portion of the balance of the REO in excess of fair value, less costs to sell, should be classified Loss.  However, the portion of the held-for-sale REO classified as Loss should not be written off.  Examiners will review all relevant factors in evaluating the regulated entity's adverse classification of the remaining book value of the REO. <blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"> D. Other Assets (including Off-Balance Sheet Credit Exposures)</blockquote>Although not specifically enumerated, the regulated entities may have other assets such as accrued interest receivables, property tax and insurance advance receivables, reverse repurchase (repo) receivables, and insurance benefit receivables that warrant adverse classification.  Similarly, off-balance sheet credit exposures such as standby letters of credit and financial guarantees may also warrant adverse classification.  Examiners will review all relevant factors in evaluating the regulated entity's adverse classification of the assets and off-balance sheet credit exposures. <blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"> E. FHLBank Advances</blockquote>Advances made by the FHLBanks to their members and housing associates generally pose minimal credit risk.  Advances must be fully secured by eligible collateral and, in the case of member advances, are further secured by the borrowing members' FHLBank capital stock.  In addition, the Federal Home Loan Bank Act grants each FHLBank a priority lien over the liens of other similarly-situated creditors on assets securing member advances.<a href="#footnote6">[6]</a>  However, there may be instances in which collateral adequacy may be uncertain and/or the priority lien may not be relied upon, such as in the case of advances to  housing associates, or where another creditor has a superior lien under applicable law (for example, where the other creditor's lien is perfected, but the FHLBank's lien is not).  In such cases, examiners will evaluate the facts and circumstances to determine whether it is appropriate to adversely classify the advance. III. Non-Adverse Classification of Assets – Special Mention In some instances, it may be appropriate to list an asset for Special Mention.  The following definition should be used for listing an asset for Special Mention: A Special Mention asset has potential weaknesses that deserve management's close attention.  If left uncorrected, these potential weaknesses may result in deterioration of the assets' repayment prospects or may cause deterioration in the regulated entity's credit position at some future date.  Special Mention assets are not adversely classified and do not expose a regulated entity to sufficient risk to warrant adverse classification. Ordinarily, assets listed for Special Mention have deficiencies in the administration of those assets which corrective management action might remedy, for example, weak loan origination and/or weak servicing policies.  While inadequate policies and practices could ultimately result in deterioration of the asset and adverse classification, an asset should not be adversely classified unless it also meets one or more of the adverse classification indicators.  The Special Mention classification serves as an indicator of the quality of the asset portfolio and should be used to provide direction to management on corrective measures that might be taken to strengthen an asset to avoid potential deterioration in the asset's quality. Mortgages held by the regulated entities that are in loss mitigation, or have been modified and are performing according to the terms of the modification, should be listed as Special Mention but not adversely classified.  The loan no longer needs to be listed as Special Mention after performance according to the terms of the modification has occurred for a period of six consecutive months.  If the loan becomes delinquent after modification, adverse classification could apply according to the previously described criteria. The level of adversely classified assets or assets listed for Special Mention is an indicator of the regulated entity's asset quality and overall risk profile, and may indicate whether risk management practices regarding underwriting and loan administration are effective.  At a minimum, management and boards of directors of the regulated entities should evaluate risk management and other asset-specific policies and procedures annually to ensure that appropriate risk controls have been implemented.<a href="#footnote7">[7]</a>  If the level of adversely classified assets suggests deterioration in any asset category, more frequent evaluations of the related policies and procedures are appropriate.  Risk management and other policies will be reviewed by FHFA as part of its supervision program. Related Guidance and Regulations FASB ASC 326-20, Financial Instruments - Credit Losses – Measured at Amortized Cost Uniform Retail Credit Classification and Account Management Policy, FFIEC <div> <a name="footnote1">[1]</a> Investment securities refer to securities subject to the guidance of the Financial Accounting Standards Board (FASB)'s Accounting Standards Codification (ASC), Topic 320, Investments – Debt Securities, and Subtopic 325-40, Investments – Other - Beneficial Interests in Securitized Financial Assets. <a name="footnote2">[2]</a> The AMA regulation (12 CFR part 1268) authorizes FHLBanks to acquire certain assets (principally, conforming residential mortgage loans) from their members and housing associates and prescribes the parameters within which each FHLBank may do so.  <a name="footnote3">[3]</a> Examples of non-freestanding credit enhancements include, but are not limited to, private mortgage insurance, the Federal Housing Administration's (FHA) insurance, the Department of Veteran Affairs' (VA) guarantee, and for the FHLBanks' Acquired Member Assets (AMA) program, the various types of permissible agreements to share credit losses in purchased loans with the selling members. <a name="footnote4">[4]</a> 1) As required to maintain compliance with GAAP.  2) For loans classified as Held For Sale (HFS) and loans which a regulated entity has elected to account for under the Fair Value Option (FVO), no portion classified as Loss would be written off. <a name="footnote5">[5]</a> 1) As required to maintain compliance with  GAAP. 2) For loans classified as Held For Sale (HFS) and loans which a regulated entity has elected to account for under the Fair Value Option (FVO), no portion classified as Loss would be written off. <a name="footnote6">[6] </a>See 12 U.S.C. § 1430(e).  Although this provision grants FHLBank liens priority over those of similarly-situated creditors, it does not grant FHLBank liens priority over those of creditors with liens entitled to priority under otherwise applicable law. <a name="footnote7">[7]</a> See 12 CFR part 1236, Appendix (Prudential Management and Operations Standards).   </div><div> </div><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance.  Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance.  Questions about this advisory bulletin should be directed to:  <a href="mailto:SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>. </td></tr></tbody></table>

8/25/2021 2:00:32 PM

Home / Supervision & Regulation / Advisory Bulletins / Framework for Adversely Classifying Loans, Other Real Estate Owned, and Other Assets and Listing Assets for Special

6368

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Agency Commercial Mortgage-Backed Securities Risk Management

35784

FHL Banks

8/16/2021 4:00:00 AM

AB 2021-02

<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"> ADVISORY BULLETIN AB 2021-02: AGENCY COMMERCIAL MORTGAGE-BACKED SECURITIES RISK MANAGEMENT</td></tr></tbody></table> Purpose This Advisory Bulletin (AB) provides Federal Housing Finance Agency (FHFA) guidance regarding Federal Home Loan Banks' (individually Bank, or collectively Banks) investments in Agency Commercial Mortgage-Backed Securities (CMBS) issued and guaranteed by either the U.S. Government (Ginnie Mae) or by one of the Government-Sponsored Enterprises (Fannie Mae and Freddie Mac, or collectively the Enterprises). The guidance recommends risk management practices, including the establishment of certain limits, to address the risks associated with unexpected prepayments of Agency CMBS investments.  FHFA encourages early adherence to this AB.  However, by December 31, 2021, all Banks should have appropriate Agency CMBS concentration risk limits in place.  Background The Banks have exposures to Agency CMBS within their investment portfolios.<a href="#footnote1">[1]</a>  Agency CMBS include prepayment protection clauses that are not offered on Agency Residential Mortgage-Backed Securities (RMBS).  Prepayment (i.e., call) protection features included on the underlying loans within Agency CMBS are designed to discourage borrower prepayments and protect investors through the payment of fees if voluntary prepayments occur.  The additional prepayment protection offered by Agency CMBS makes these investments attractive alternatives to Agency RMBS.  The loans included in Agency CMBS may include varying call protection features such as lockout periods, yield maintenance, point penalties, and defeasance.  In addition, these loans may have complex structures, including amortization schedules beyond thirty years and floating interest rates.  The variability of call protection features combined with the complexity of loan structures make estimating Agency CMBS prepayments difficult, leaving investors at risk when prepayments occur unexpectedly.  Voluntary prepayments may occur when borrowers determine that the benefits associated with prepayment exceed the cost of any resulting penalties.  For example:  <ul><li>When short term interest rates rise and the interest rate curve flattens, borrowers with floating-rate loans may refinance into fixed-rate products.  </li><li>When interest rates decrease, borrowers with fixed-rate loans may refinance into lower fixed- or floating-rate loans.</li><li>Borrowers with loans secured by properties with significant appreciation may leverage the equity through cash-out refinances or more favorable loan terms and/or rates.</li><li>Certain loans are structured so that the penalties decline over their lives.  Borrowers may be more likely to prepay these loans when they become more seasoned. </li></ul>Additionally, Agency CMBS may include floating-rate loans where borrowers are assessed only partial or no penalties for early prepayments, provided the loans are refinanced with specified loan products.<a href="#footnote2">[2]</a>  When this occurs, Agency CMBS investors receive minimal or no compensation for voluntary prepayments.  Furthermore, involuntary prepayments, or defaults, may occur.  Involuntary prepayments are more likely to occur in periods of economic downturn generally driven by weakened real estate market fundamentals, such as declining property values, rising vacancies, breaches of lender representations and warranties, and possibly rising interest rates for adjustable rate borrowers.  Although Ginnie Mae and the Enterprises guarantee timely principal payments to bondholders upon default, investors do not receive any prepayment fees under these involuntary prepayment scenarios.  In summary, unexpected prepayments may force Banks to reinvest in lower yielding assets, write off any premiums when valued above par, and incur the costs of associated debt overhang and transactions to unwind hedges.  Depending on the nature of Agency CMBS and prepayment, a Bank may receive limited or no penalty fees to cover these costs.  GuidanceAs described above, prepayments on Agency CMBS investments expose Banks to potential losses.  Agency CMBS investments with a relatively high premium to par value increase Banks' exposure to prepayment risk and the resulting losses.  To minimize the risk of losses from Agency CMBS investments, Banks should consider incorporating the following risk management practices into their existing market and model risk management programs. Pre-purchase Analytics Banks should analyze each Agency CMBS prior to purchase.  The analysis should include a careful assessment of the security's structure, including prepayment protection features, price variability, and prepayment history for a comparable benchmark Agency CMBS.  Most importantly, the pre-purchase analysis should include stress scenarios to compare the amount of call protection premiums or fees the Bank will receive versus any loss of income resulting from the reinvestment of the prepayment proceeds under various stressed interest rate scenarios.  In addition, a Bank's pre-purchase analysis should ensure that the security the Bank is considering for purchase conforms to the Bank's investment strategy and is consistent with the Bank's board-approved strategic plans and risk appetite. Minimum Risk-Adjusted Spread RequirementEach Bank should establish a minimum acceptable risk-adjusted spread requirement for Agency CMBS investments.  Banks should consider factors such as their risk appetite when establishing the required minimum.<a href="#footnote3">[3]</a>  Regardless of the approach, Banks should make certain each Agency CMBS purchase meets the established minimum risk-adjusted spread requirement. Concentration LimitsTo limit exposure to both voluntary and involuntary prepayments, Banks should diversify their Agency CMBS investments to prevent concentrations of loans with shared characteristics.  To accomplish this, Banks should establish appropriate limits based on the characteristics of the underlying loans within Agency CMBS investments.  For example, Banks should consider individual loan size limits within a securitization, especially for single loan pool CMBS.  In addition, Banks should consider implementing limits for loans, as a percentage of all Agency CMBS loans, for the following:<ul><li>Floating-rate securities versus fixed-rate securities;</li><li>Geographic location of collateral such as region, state, city, zip code, or Metropolitan Statistical Area (MSA);</li><li>Collateral types – multifamily, student housing, senior living;</li><li>Loan products with minimal or no prepayment penalties under certain conditions of refinance, as available and determined by the Bank at acquisition; and</li><li>Loan originators.</li></ul> Reporting Banks should monitor and report on Agency CMBS investments as a separate investment segment.  A Bank's Asset-Liability Committee (ALCO) and a responsible board committee should receive quarterly reporting on Agency CMBS investments.  At a minimum, quarterly reporting should include the following:<ol><li> Minimum Risk-adjusted Spread – Current minimum acceptable risk-adjusted spread requirement and monthly conformance with this minimum.</li><li> Concentration Limits – Current limits for Agency CMBS loans with specific characteristics and monthly conformance with these limits.</li><li> Earnings - Income or loss associated with Agency CMBS investments.</li><li> Strategy – Any planned changes to the existing funding and hedging strategies for purchases and portfolio rebalancing.</li></ol> Prepayment Projections Currently, Banks use static prepayment assumptions and/or vendor supplied multifamily prepayment models for Agency CMBS valuations.  To support and improve the accuracy of Agency prepayment projections, Banks may use Bank-derived curves or vendor models which meet the principles outlined in FHFA AB 2013-07, and should further consider the following:<ol><li>Developing research-based prepayment curves for fixed- and floating-rate Agency CMBS.  Once developed, Banks should perform periodic reevaluations of the constructed curves by comparing them to appropriate third-party curves (if using static prepayment assumptions). </li><li>Performing prepayment back-testing at appropriate levels to provide meaningful assessments of the Agency CMBS portfolio's performance.</li><li>When relying on a prepayment model, benchmarking the model's performance against third-party prepayment projections as appropriate.  </li><li>Based on portfolio composition, periodically assessing and stress-testing the key drivers of prepayment performance, for example, stressful interest rate levels, yield curve shape changes, and spread widening scenarios. </li><li>Establishing appropriate analytical threshold(s) for prepayment differences ascertained during prepayment back-testing and benchmarking analyses that would trigger investigations into the causes of differences in prepayment behavior and changes to prepayment modeling assumptions.</li></ol>While the above actions will improve upon current prepayment estimations, a Bank may need a vendor-provided prepayment model in concert with a stochastic interest rate model to more accurately estimate the prepayment behavior of Agency CMBS.  Each Bank should carefully evaluate the available modeling alternatives and determine if any single model, or a combination of multiple models, is suitable to meet its Agency CMBS portfolio's analytical needs.  In acquiring the model(s), Banks should make certain that the model's estimation process fully and accurately incorporates the prepayment penalties charged to borrowers and passed on to the investors.  Any mitigating risk factors such as tranche priority in sequential pay structures should be documented.   Related Guidance and Regulations The following provides a summary of some of FHFA's regulation and guidance for governance and investments: <ul><li> Responsibilities of Boards of Directors, Corporate Practices, and Corporate Governance Regulation.  This regulation provides that the management of each regulated entity shall be by or under the direction of its board of directors.<a href="#footnote4">[4]</a>  It states, “while a board of directors may delegate the execution of operational functions to officers and employees of the regulated entity, the ultimate responsibility of each entity's board of directors for that entity's oversight is non-delegable."<a href="#footnote5">[5]</a> Included in the responsibilities of each Bank's board of directors is the establishment of a risk management program that aligns with the Bank's risk appetite and that each of the Bank's business lines has appropriate risk limitations.<a href="#footnote6">[6]</a> </li></ul><ul><li> Prudential Management and Operating Standards (PMOS).  FHFA addresses limits on investments and management of assets in guidelines set out in the appendix to its PMOS regulation, including the following:<a href="#footnote7">[7]</a> </li></ul><ul><ul><li>Standard 3 (Management of Market Risk Exposure) which highlights the expectation that each regulated entity has a clearly defined and well documented strategy for managing market risk and establishes responsibilities for the board and senior management;</li><li>Standard 4 (Management of Market Risk – Measurement Systems, Risk Limits, Stress Testing, and Monitoring and Reporting) includes guidelines for market risk management in these areas;</li><li>Standard 6 (Management of Asset and Investment Portfolio Growth);</li><li>Standard 7 (Investments and Acquisitions of Assets);</li><li>Standard 8 (Overall Risk Management Processes) includes responsibilities for internal audit, the board, and senior management along with an independent risk management function; and</li><li>Standard 9 (Management of Credit and Counterparty Risk).</li></ul></ul>The failure to meet any of the PMOS may constitute an unsafe or unsound practice for purposes of FHFA's administrative enforcement authority<a href="#footnote8">[8]</a>  If FHFA determines that a Bank has failed to meet a standard, it also may require the Bank to submit a corrective plan.<a href="#footnote9">[9]</a> <hr /> <a name="footnote1">[1]</a> The Federal Home Loan Bank Investments regulation permits investments in Agency CMBS.  See 12 CFR part 1267. <a name="footnote2"> [2]</a> For example, Fannie Mae's Structured Adjustable-Rate Mortgages (SARM) allow borrowers to convert their floating-rate loans to one of Fannie Mae's fixed-rate loan programs by paying a one percent premium which is not passed on to investors. <a name="footnote3"> [3]</a> If a Bank cannot use an option-adjusted spread approach to determine the risk-adjusted spread for each Agency CMBS, then the Bank may choose to apply a purchase price premium, duration, or net interest income spread approach.  <a name="footnote4"> [4]</a> 12 CFR § 1239.4. <a name="footnote5">[5]</a> 12 CFR § 1239.4(a). <a name="footnote6"> [6]</a> 12 CFR § 1239.11(a). <a name="footnote7"> [7]</a> 12 CFR part 1236, Appendix. <a name="footnote8">[8]</a> 12 CFR § 1236.3(d).  FHFA has authority to address unsafe or unsound practices through issuance of an order to cease-and-desist, assessment of civil money penalties, or removal from office.  See 12 U.S.C. §§ 4631(a)(1), 4636(b)(2)(A), 4636a(a)(1), 4636a(a)(2)(A). <a name="footnote9" style="text-decoration:underline;">[9]</a> 12 CFR § 1236.4. <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. Questions about this advisory bulletin should be directed to <a href="mailto:SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>. </td></tr></tbody></table>

8/18/2021 3:44:30 PM

Home / Supervision & Regulation / Advisory Bulletins / Agency Commercial Mortgage-Backed Securities Risk Management Advisory Bulletin FHFA encourages early adherence to this

10155

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Board Diversity Data Collection

33110

FHLB & Office of Finance

3/17/2021 4:00:00 AM

AB 2021-01

<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"> ADVISORY BULLETIN AB 2021-01: BOARD DIVERSITY DATA COLLECTION</td></tr></tbody></table> PurposeThis Advisory Bulletin (AB) applies to the Federal Home Loan Banks (Banks) and the Banks’ Office of Finance (OF). The AB provides guidance on standards for data collection relating to the diversity of boards of directors (Boards) of each Bank and the OF. This AB outlines the expectations set by the Federal Housing Finance Agency (FHFA or Agency) Office of Minority and Women Inclusion (OMWI) regarding the content and frequency of data reporting on the demographic makeup of the Boards. BackgroundSection 1116 of the Housing and Economic Recovery Act of 2008 requires the regulated entities to develop and implement standards and procedures to ensure the inclusion and utilization of minorities and women, and minority- and women-owned businesses, in all business and activities of the regulated entity at all levels.<a href="#footnote1">[1]</a> FHFA’s regulations implementing those statutory requirements, located at 12 CFR Part 1223,  include several provisions addressing the diversity of Banks’ boards. The regulations include a provision  encouraging the consideration of diversity in nominating or soliciting nominees for positions on the Boards of each regulated entity, see 12 CFR 1223.21(b)(7), and require each Bank and the OF to report annually the numbers of individuals who comprise their Boards by minority and gender classification, see 12 CFR 1223.23(b)(10)(i). <a> Among other things, the regulation also requires the regulated entities to adopt strategic plans to promote and ensure the inclusion of minorities, women, and individuals with disabilities in their workforce at all levels of the organization, as well as minority-, women-, and disabled-owned businesses in their contracting activities and financial activities. See 12 CFR 1223.21(d). Consistent with FHFA’s corporate governance regulation, the Board has ultimate responsibility for its regulated entity’s achievement of the  requirements of the regulation. See 12 CFR 1239.4(a). </a> On July 9, 2020, FHFA issued an AB on Board diversity, <a href="#footnote2">[2]</a> which provides guidance on how each Board should oversee the regulated entity’s diversity and inclusion (D&I) efforts and how the Banks and the OF should routinely assess the skills of Board members to ensure that they are able to meet their obligations to manage the regulated entity’s D&I efforts and initiatives. The 2020 AB also speaks to the importance of Board diversity and notes that a Board’s efforts to develop, maintain, and sustain a diverse Board should be a combination of seeking diverse representation on the Board, as well as looking for individuals possessing the required knowledge, skills, and abilities to contribute to the execution of the Board’s D&I oversight responsibilities.In conjunction with AB 2020-02, and to assist the Banks and the OF in thoroughly assessing the results of their D&I efforts, the Banks and the OF should implement diversity data collection standards to evaluate the levels of diversity on their Boards. In furtherance of FHFA’s efforts to ensure that the Banks and the OF are taking appropriate steps to promote D&I within their organizations and on their Boards, and to clarify the steps the regulated entities should take for data collection, FHFA is issuing this AB to illustrate standards all Banks and the OF should adopt for the collection of Board diversity data required to be reported under 12 CFR 1223.23(b)(10)(i). GuidanceCollecting Board diversity data in accordance with the standards outlined herein is the responsibility of the full Board at each Bank and the OF, with key support from each Board Chair, Vice Chair, and OMWI Officer. Board diversity data collection and handling requirements should be included in the regulated entity’s policies such as the D&I policy, and Board diversity data collection and handling processes should be defined through documented roles and responsibilities in a procedures document. Data collection standards adopted by a Bank or the OF in accordance with this AB should align with and adhere to other internal Bank and OF D&I program data handling requirements and FHFA OMWI data reporting guidelines, as noted in the FHFA OMWI Data Reporting Manual (DRM). Data collection standards should protect the confidentiality of the demographic information of individual Board members. Data handling practices should adhere to Bank and OF policies on information security and records retention. Board Diversity Data Collection StandardsThe following Board Diversity Data Collection standards are intended to address all aspects of Board diversity data collection, handling, and reporting in accordance with applicable regulations and other requirements as communicated in other forms of supervisory guidance, as well as individual management policies. Each regulated entity is responsible for meeting the criteria within each standard described herein. Furthermore, each Bank and the OF should ensure policies, processes, and procedures are in place to ensure Board diversity data collection and reportingadheres to FHFA OMWI DRM and OMWI Annual Report and quarterly data reporting (QDR) instructions and guidance. 1. Board Diversity Data Collection and Reporting FrequencyEach regulated entity should, no less than annually, perform a voluntary Board diversity self-identification survey to capture the diversity demographics of the full Board (existing and newly elected). The survey should be provided to all directors (current and newly elected), and each regulated entity should establish a deadline for timely response. Non-responses to surveys should be clearly noted in the Bank and the OF’s OMWI Annual Report and QDR submissions and be captured separately from responses that did not self-identify demographic information.In situations where incumbent directors vacate positions mid-term (planned or unplanned), the regulated entity has the option to relaunch the Board diversity self-identification survey to the full Board, capturing all new and existing director responses. This practice supports confidentiality of all director submissions and avoids confidentiality issues that might arise with the collection of only one response from a new director. FHFA recognizes, however, that this practice may become impractical or burdensome in the event a Bank or the OF encounters multiple Board vacancies in a single year. Therefore, at a minimum, the regulated entities should collect the diversity information of all new directors when they onboard. FHFA is not suggesting that the regulated entities conduct a full survey every time a new director onboards if the entities are able to ensure the confidentiality of the data collection process when they have only a single response. Further, the regulated entities are not required to submit a new report to FHFA each time this happens if a report is not otherwise due. To ensure the confidentiality of the data, the regulated entity should adhere to the data reporting schedules in the FHFA OMWI DRM and OMWI Annual Report and QDR guidance.2. Self- Identification Survey Template AttributesEach Bank and the OF should develop a Board diversity self-identification survey (survey) template with defined attributes that comply with current FHFA OMWI reporting requirements and guidance. The survey will capture gender, race/ethnicity, and disability data using defined Equal Employment Opportunity Commission categories consistent with FHFA OMWI Board of Directors and Workforce Reporting for QDR submissions. The survey template may be electronic or paper, and handling of the directors’ survey responses should adhere to Bank or OF policies on information security and records retention. The survey template should include the following attributes <a href="#footnote3">[3]</a> in each reporting section: Gender: Male, Female Race/Ethnicity: Hispanic or Latino, White (Not Hispanic or Latino), Black or African American (Not Hispanic or Latino), Native Hawaiian or Pacific Islander (Not Hispanic or Latino), Asian (Not Hispanic or Latino), American Indian or Alaska Native (Not Hispanic or Latino), and Two or More Races Disability: I do not have a disability; I have a disability    Entities may elect to collect other diversity attributes (such as veteran status), or they may choose to add other descriptors within a designated attribute (such as non-binary gender options under the gender reporting section). Additional attributes, however, are not needed for reporting to FHFA OMWI at this time. Survey Administration and Data Handling PracticesEach Bank and OF’s D&I Policy should require that the regulated entities develop a documented process or procedure for administering the Board diversity self-identification survey. This process or procedure should identify roles and responsibilities that establish and define involvement of the Bank and OF’s OMWI Officer in reviewing the reported data, as well as the subsequent reporting of Board diversity demographics to the FHFA OMWI in both QDR and OMWI Annual Reports. Each Bank and the OF should define the records retention period for the data, consistent with their records retention policies and practices. Survey administration timing may be determined by the Board’s election and incumbent seat lifecycles. Data Reporting/SubmissionsThe Banks’ and the OF’s OMWI Officers (or OMWI staff as directed by the OMWI Officer) are responsible for oversight of the Board diversity demographic data collection and reporting in the aggregate. All data reporting should comply with FHFA OMWI data reporting guidelines.All data reporting and data reporting frequency should comply with FHFA requirements for reporting under 12 CFR Part 1223. <hr width="25%" align="left" /> <a> </a><a name="footnote1">[1]</a> P.L. 110-289, July 30, 2008, codified at 12 U.S.C. § 4520. <a name="footnote2"> [2]</a> AB 2020-02, Board Diversity, <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Board-Diversity.aspx">https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Board-Diversity.aspx</a>. <a name="footnote3"> [3]</a> The Banks and the OF are permitted to include additional descriptors, including a response option of “Wish to Not Self Identify.” However, any additional information collected beyond the data points listed herein may or may not be collected in the annual or quarterly reports to FHFA.   <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">FHFA has statutory responsibility to ensure that the regulated entities carry out their missions consistently with the provisions and purposes of FHFA's statute and the regulated entities' authorizing statutes. Advisory Bulletins describe supervisory expectations in particular areas and are used in FHFA examinations of the regulated entities. For comments or questions pertaining to this Advisory Bulletin, contact Paul Priest at <a href="mailto:Paul.Priest@fhfa.gov">Paul.Priest@fhfa.gov</a> or (202) 649-3490, or Felicia Bland at <a href="mailto:Felicia.Bland@fhfa.gov">Felicia.Bland@fhfa.gov</a> or (202) 365-7471.</td></tr></tbody></table>

3/17/2021 6:00:54 PM

Home / Supervision & Regulation / Advisory Bulletins / Board Diversity Data Collection Advisory Bulletin AB 2021-01: BOARD DIVERSITY DATA COLLECTION The 2020 AB also speaks to

5940

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Enterprise Risk Management Program

31536

Fannie Mae & Freddie Mac

12/11/2020 5:00:00 AM

AB 2020-06

<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"> ADVISORY BULLETIN AB 2020-06: ENTERPRISE RISK MANAGEMENT PROGRAM (<a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/AB-2020-06_Enterprise-Risk-Management-Program.pdf">PDF</a>)</td></tr></tbody></table> PurposeThis advisory bulletin (AB) provides Federal Housing Finance Agency (FHFA) guidance for an effective enterprise risk management (ERM) program to maintain safe and sound operations at Fannie Mae and Freddie Mac (the Enterprises).<a href="#footnote1">[1]</a>  The ERM program establishes the foundation and sets the framework for an Enterprise’s enterprise-wide risk management practices and processes.  Therefore, this AB applies to all risk management activities undertaken by the Enterprises and is consistent with risk area-specific guidance.  The sophistication of the ERM program should be commensurate with the Enterprise’s capital structure, risk appetite, size, complexity, activities, and other appropriate risk-related factors. BackgroundMinimum regulatory standards relating to the responsibilities of each Enterprise's board of directors (board), corporate practices, and corporate governance are prescribed in FHFA's regulation, Responsibilities of Boards of Directors, Corporate Practices, and Corporate Governance Matters (Corporate Governance Rule), 12 CFR Part 1239.  The Corporate Governance Rule prescribes requirements for an Enterprise to adopt and establish an ERM program that incorporates the Enterprise's risk appetite, aligns the risk appetite with the Enterprise's strategies and objectives, addresses the Enterprise's material risk exposures, and complies with all applicable FHFA regulations and policies.  FHFA's Prudential Management and Operations Standards (PMOS), Appendix to 12 CFR Part 1236, set forth the general responsibilities of the board and senior management, as well as specific responsibilities for management and operations relating to ten enumerated standards, adopted as guidelines.  Standard 1 (Internal Controls and Information Systems) and Standard 8 (Overall Risk Management Processes) highlight the need for the Enterprises to establish risk management practices that identify, assess, control, monitor, and report enterprise-wide risk exposures and the need to have appropriate risk management policies, standards, procedures, controls, and reporting systems. This AB articulates FHFA's supervisory expectations that the Enterprises' ERM programs and processes are designed to be consistent with safety and soundness standards and applicable laws and regulations.  FHFA is issuing this AB to provide an additional level of detail regarding ERM governance and organizational structure, risk appetite and limit-setting, and risk identification, assessment, control, monitoring, and reporting processes.  This guidance reflects FHFA's supervisory expectations for the Enterprises to develop a holistic, enterprise-wide view of the most significant risks to the achievement of strategic and business objectives and a framework for effectively managing risk within bounds of risk appetite and tolerance.  An effective ERM program considers the overlap and interrelationship of risks; however, that does not relieve an Enterprise from its obligation to identify and manage all on- and off-balance sheet risks that may be more localized or contained within specific portfolios and business line-levels.  Additionally, this guidance is informed by FHFA's understanding of current industry standards and enterprise-wide risk management best practices at large, complex financial institutions, incorporating principles and concepts from the Committee of Sponsoring Organizations of the Treadway Commission (COSO),<a href="#footnote2">[2]</a> the Financial Stability Board,<a href="#footnote3">[3]</a> and enterprise-wide risk management guidance issued by the federal banking regulators.<a href="#footnote4">[4]</a> GuidanceThe Enterprises are required to establish and maintain a comprehensive ERM program in accordance with all applicable laws and regulations.  Pursuant to the Corporate Governance Rule, an Enterprise must establish and maintain a comprehensive ERM program that establishes the Enterprise's risk appetite and aligns the risk appetite with the Enterprise's strategies and objectives.<a href="#footnote5">[5]</a>  The ERM program must include business line-appropriate risk limits consistent with risk appetite and provisions for monitoring compliance with the risk limit structure.<a href="#footnote6">[6]</a>  The ERM program must also have appropriate corporate risk policies and procedures relating to risk management governance, risk oversight infrastructure, processes and systems for identifying and reporting risks, including emerging risks, and timely implementation of corrective actions.<a href="#footnote7">[7]</a>  Corporate risk policies should be supported, as applicable, by appropriate standards defining minimum requirements.  Additionally, the ERM program must include provisions specifying ERM management’s authority and independence to carry out risk management responsibilities and the integration of risk management with Enterprise management’s goals and compensation structure.<a href="#footnote8">[8]</a> An Enterprise’s ERM program should have interrelated components that work together to ensure comprehensive and integrated enterprise-wide risk management practices and oversight approaches that are the basis for managing risk in a consistent manner.  The ERM program should include the following components:<blockquote dir="ltr" style="margin-right:0px;">I.  ERM Governance and Organizational Structure II.  Risk Appetite Framework III.  ERM Identification, Assessment, Control, and Monitoring Processes IV.  ERM Reporting and Communication Processes</blockquote> I.  ERM Governance and Organizational Structure<blockquote dir="ltr" style="margin-right:0px;"> A. Governance Structure </blockquote>The board must establish a board-level risk committee to assist in carrying out its responsibility for enterprise-wide risk management oversight.<a href="#footnote9">[9]</a>  The board risk committee must periodically review and recommend to the full board for approval an appropriate ERM program commensurate with the Enterprise’s capital structure, risk appetite, complexity, activities, size, and other appropriate risk-related factors.<a href="#footnote10">[10]</a>  An enterprise risk committee (ERC) should be established as the central management-level risk oversight committee, chaired by the enterprise-wide Chief Risk Officer (CRO), with membership across business functions and risk areas in order to drive a consistent approach to risk oversight.  ERC responsibilities should include monitoring and overseeing risk across the Enterprise, which includes reviewing, and, as applicable, approving corporate risk policies and supporting standards; reviewing risk appetite and limits for approval by the board; monitoring key risk indicators; and reviewing risk reports and issues escalated by subordinate management-level risk committees.  An Enterprise may establish other management-level committees aligned to specific risk and business-line areas to facilitate enterprise-wide risk oversight duties.  Additional first-line risk committees may also be established to facilitate discussion, reporting, and escalation.  Collectively, these committees support effective risk governance by providing a forum for transparent communication and documentation of risk management <a href="#footnote11">[11]</a> and control activities across functional lines.  They also provide an organized pathway for risk reporting, escalation, and issue resolution management.  The Enterprise’s risk management organizational structure and the assignment of roles and responsibilities should generally comprise a “three lines model” and approach to risk management.  The three lines model forms a strong risk management framework and enables effective enterprise-wide risk management practices.  The three lines are: <a href="#footnote12">[12]</a> <ul><li>First-line business units and corporate support functions, which are accountable for identifying, assessing, controlling, monitoring, and reporting on all risks in executing their functions and operating in a sound control environment;  </li><li>Second-line risk management, which provides independent risk oversight and effective challenge of the first line business unit and support functions.  Second-line risk management includes the ERM function, along with compliance <a href="#footnote13">[13]</a> and other risk oversight functions, as deemed applicable, that monitor risk-taking activities and assess risks and issues independent of first line business units and functions, but still under the direction and control of senior management; and</li><li>Third-line internal audit, which provides timely feedback to management and independent assurance to the board audit committee on the effectiveness of the Enterprise’s system of internal controls, risk management, and governance.<a href="#footnote14">[14]</a>  Third-line internal audit maintains objectivity and independence from management.</li></ul><blockquote dir="ltr" style="margin-right:0px;"> B. Roles and Responsibilities </blockquote>The board is ultimately responsible for enterprise-wide risk management oversight.<a href="#footnote15">[15]</a>  The board is responsible for approving and periodically reviewing the ERM program, and having it in effect at all times.<a href="#footnote16">[16]</a>  The board’s responsibility for reviewing and approving the ERM program includes establishing the Enterprise’s risk appetite and overseeing alignment of risk appetite with the Enterprise’s strategies and objectives.<a href="#footnote17">[17]</a>  The board is responsible for approving the Enterprise’s risk appetite addressing material risk exposures and risk limits appropriate to each business line of the Enterprise.<a href="#footnote18">[18]</a>  The board-level risk committee is responsible for reviewing and recommending the ERM program to the board for approval.<a href="#footnote19">[19]</a>  Management is responsible for providing adequate reporting to permit the board to remain sufficiently informed about the nature and level of the Enterprise’s overall risk exposures so that it can understand the possible short- and long-term effects of those exposures on the financial and operational health of the Enterprise, including the possible consequences to earnings, liquidity, and economic value.<a href="#footnote20">[20]</a>An Enterprise must appoint an enterprise-wide CRO to head the independent ERM function, with responsibilities for implementing and maintaining appropriate enterprise-wide risk management practices for the Enterprise.<a href="#footnote21">[21]</a>  The ERM function is responsible for: (1) establishing appropriate corporate risk policies and supporting standards related to risk management governance, practices, and controls; (2) developing appropriate enterprise-wide processes and systems for identifying and reporting current and emerging risks; (3) developing the risk appetite framework, including establishing and recommending for board approval risk appetite statements and risk limits; (4) establishing business-line appropriate risk limits in line with risk appetite and monitoring compliance with such limits; (5) monitoring the level and trend of risk exposures, testing controls, verifying measures for risk exposures used by the business; and (6) communicating enterprise-wide risk management issues and emerging risks, and monitoring effective and timely issue resolution.  Independence from the risk-taking business units and functional areas is a cornerstone of an effective ERM function.  Although staff performing the ERM function should work closely and coordinate with business unit personnel, they should maintain independence by performing the appropriate oversight and assisting business units with risk analyses.  ERM staff should have the expertise to critically review and the independence to effectively challenge the Enterprise’s business practices and risk-taking activities.The CRO must report directly to the board risk committee and to the Chief Executive Officer (CEO) on significant risk exposures and related controls, changes to risk appetite, risk management strategies, results of risk management reviews, and emerging risks.<a href="#footnote22">[22]</a>  The CRO is also responsible for regularly reporting on the Enterprise’s compliance with, and adequacy of, its corporate risk management policies, and must recommend any adjustments as necessary and appropriate.<a href="#footnote23">[23]</a>  The CRO should also report on compliance with, and adequacy of, supporting corporate risk standards.  Individual business or functional risk officers may be designated and delegated risk authority of specific risk areas and functions, as appropriate, to facilitate enterprise-wide risk oversight.  First-line business units and corporate support functions are responsible for managing risks that arise in the execution of their functions.  This includes responsibility for identifying, assessing, controlling, monitoring, and reporting risks in alignment with the methodologies as established in corporate risk policies and supporting standards.  First-line functions should be aware of applicable risk appetite limits, thresholds, and indicators and their responsibilities associated with managing risks within appetite and escalation and corrective action in the event of breach.  All divisions, inclusive of second-line and third-line functions, have operating function responsibilities for managing risks that arise in the execution of their activities.  <blockquote dir="ltr" style="margin-right:0px;"> C. Policies, Standards, and Procedures </blockquote>The ERM program must include appropriate corporate risk policies and procedures related to risk management governance and practices.<a href="#footnote24">[24]</a>   At a minimum, this should include a board-approved ERM policy that establishes an integrated framework for managing risks enterprise-wide, describes the risk governance and risk oversight structure, and specifies roles and responsibilities.  The ERM function should be responsible for developing and overseeing the implementation of the ERM policy and any supporting corporate risk standards describing the minimum criteria for identifying, assessing, controlling, monitoring, and reporting risks, including emerging risks.  First-line functions should have procedures that are designed to implement the expectations for effective risk management as described in the ERM policy and applicable supporting standards.  The Enterprise should also have a corporate risk taxonomy that defines common risk categories and classifies hierarchies of risks.  The Enterprise should also have in place risk type corporate policies, standards, and implementing procedures consistent with its risk taxonomy categorizations.  These risk type policies, standards, and procedures should be consistent with the ERM policy and supporting standards, but further define responsibilities and requirements for managing specific risks.An enterprise-wide policy or supporting standard should also define expectations for developing, measuring, monitoring, communicating, and reporting on risk appetite, clearly defining roles and responsibilities of the board, management, and business units for managing risk within risk appetite and taking action when in breach of limits.  While the ERM function is responsible for designing and overseeing the risk appetite framework, input and engagement across the first line business units and corporate functions should occur to develop risk appetite and the supporting metrics and limits that are ultimately reviewed and approved by the board.  A comprehensive set of risk metrics, limits, and associated monitoring activities must be in place to confirm that risk exposures remain within established risk limits.<a href="#footnote25">[25]</a>   Board risk limits should be supported by defined and actionable thresholds, set at a lower level than the limit to support risk monitoring and prompt management action before the limit is breached.  The Enterprise should have processes defining escalation protocols and expectations for timely corrective action in the event of breach of thresholds and limits.  This includes a mechanism for reporting breaches of risk limits to senior management and the board or board risk committee.<a href="#footnote26">[26]</a>   The process for policy approval, exception protocols, and delegations of authority should be clear.  Corporate risk policies, supporting standards, and implementing procedures should be reviewed, and updated periodically to consider changes in risk practices and regulatory expectations.  The ERM function should regularly monitor first-line implementation and adherence to the ERM policy and related corporate risk policies and supporting standards.<blockquote dir="ltr" style="margin-right:0px;"> D. Risk Culture</blockquote>The board and senior management should set the “tone at the top” in a manner that fosters an effective risk culture.  Risk culture constitutes the shared values, attitudes, competencies, and behaviors that guide risk decision-making and governance practices throughout the Enterprise.  Risk culture emphasizes risk awareness and communicates the Enterprise’s expectations for risk management and operating within established risk appetite and limits.  An effective risk culture (1) promotes high ethical standards,<a href="#footnote27">[27]</a>  safety and soundness, compliance, and effective risk management; (2) establishes clear responsibility and accountability; (3) emphasizes the importance of internal control; and (4) promotes risk awareness, collaboration, transparency, and proactive discussion at all levels.  Enterprise personnel are expected to be individually accountable, risk aware, perform risk management functions associated with their day-to-day business activities, engage in risk discussions, and escalate risk issues.    Employees at all levels should receive regular training on corporate risk policies, supporting standards, and implementing procedures to enable effective understanding and management of risks.  Processes should be in place to ensure employees are accountable and aware of their risk management roles and responsibilities.  An effective risk culture is evidenced when the Enterprise’s overall risk appetite is aligned with its mission and business objectives; risk reporting is timely, accurate, and informative; and risk management is integrated with management’s performance goals, objectives, and compensation structure.<a href="#footnote28">[28]</a>  The board or board risk committee and senior management should ensure that the CRO and the ERM function have adequate resources, including a well-trained and capable staff.  The CRO should have stature and risk management expertise that is commensurate with the Enterprise’s capital structure, risk appetite, complexity, activities, size, and other appropriate risk-related factors.  The CRO’s performance evaluation and compensation should be structured to provide for an objective and independent assessment of the risks taken by the Enterprise.  II.  Risk Appetite Framework The ERM program sets the foundation for identifying, measuring, monitoring, and reporting on individual and aggregate levels of risks in relation to established risk appetite and risk limits.  <blockquote dir="ltr" style="margin-right:0px;"> A. Risk Appetite’s Relationship to Strategy and Objective Setting </blockquote>Specific requirements for a board-approved strategic business plan are contained in the Corporate Governance Rule, including, among other things, that the strategic business plan must identify current and emerging risks of the Enterprise’s significant existing activities or new activities and include discussion of how the Enterprise plans to address such risks while furthering its public purposes and mission in a safe and sound manner.<a href="#footnote29">[29]</a>  The Corporate Governance Rule also requires that the Enterprise’s risk appetite align with its strategies and business objectives <a href="#footnote30">[30]</a> and that the ERM program align with its risk appetite.<a href="#footnote31">[31]</a>  Risk appetite should be linked to business decision-making, and be considered in light of the Enterprise’s business model.  The CEO or President should be responsible for integrating and aligning the board-approved risk appetite with the Enterprise’s strategic business plan.  The ERM program should be integrated into the processes for developing and reviewing the Enterprise’s strategic business plan to ensure alignment.<blockquote dir="ltr" style="margin-right:0px;"> B. Risk Appetite Statement and Risk Limits</blockquote>The Corporate Governance Rule defines risk appetite as the aggregate level and types of risk the board of directors and management are willing to assume to achieve the Enterprise’s strategic objectives and business plan, consistent with applicable capital, liquidity, and other regulatory requirements.<a href="#footnote32">[32]</a>  Risk appetite should be grounded in the concept of risk capacity, or the maximum amount of risk the Enterprise can absorb before breaching capital, liquidity, and other constraints.  An Enterprise’s risk appetite should be less than its risk capacity, and its risk profile should not exceed risk appetite.  Conceptually, these elements work together to provide a basis for communicating the Enterprise’s risk profile and ensuring risk exposures are managed within risk appetite.  An Enterprise’s risk appetite framework should include a risk appetite statement and related quantitative risk metrics and limits.  The risk appetite statement is an articulation of risk appetite in written form.  It should be easy to communicate and understand, such that the board and senior management obtain a holistic but concise and easy to absorb view of the Enterprise’s aggregate risk position, aggregated within and across each material risk type, and based on forward-looking assumptions.  It should also be easy to communicate and cascade down to the first-line risk taking functions such that it is easy to understand and apply in daily operations.  The overall risk appetite statement may be designed as a series of qualitative summary statements describing the Enterprise’s aggregate risk appetite by material risk type.  The overall statement, and as appropriate summary statements, should articulate clearly the motivations for accepting or avoiding that type of risk and set clear boundaries and expectations to enable risk monitoring and reporting.  The statement should provide context by describing the current business activities that give rise to the risk, the desired risk tolerance, and corresponding mitigating controls and processes in place to allow operation within the stated risk appetite.  The statement should include a scale identifying the risk appetite level for each material risk type in a clear and succinct manner.  For example, each material risk type should be assigned a single-word consistent with the scale that clearly identifies the Enterprise’s posture with regard to that risk type.  While the qualitative risk appetite statement expresses a broad view of the risk in written form, the Enterprise should establish a comprehensive set of quantitative risk metrics, limits, thresholds, and indicators that allocate the Enterprise’s risk appetite across material risk types, complement the qualitative statement, and set the overall tone for the Enterprise’s approach to risk taking.  The Enterprise must have board-approved risk limits <a href="#footnote33">[33]</a> and they should be set corresponding to a metric or set of metrics designed to measure a specific risk exposure or portfolio.  The board risk limit should be supported by defined and actionable thresholds, set at a lower level than the limit to support risk monitoring and prompt management action before the limit is breached.  An Enterprise may establish additional cascading, lower-level management limits and notification thresholds, as appropriate, that are designed to prompt management action.  Board-level risk limits are not meant to be exceeded, and therefore an Enterprise should establish a framework for triggering escalations when limits are breached, with defined escalation and reporting protocols.  All risk limits should be regularly monitored so that risk exposures remain within established thresholds.<a href="#footnote34">[34]</a> If a risk type cannot be quantified into limits and thresholds, qualitative measures and early warning indicators should be developed in order to provide an early signal of increasing risk exposures.  These early warning indicators, or other key risk indicators, should be tracked to identify changes to the risk profile and emerging risks.  Regular reassessment and update of early warning indicators should occur based on changing environmental and operational conditions.Risk metrics should reflect attributes of the risk exposure being measured, and be consistent with applicable capital, liquidity, and other regulatory requirements.  The limits corresponding to the metric should be set at a level to govern risk-taking within the defined risk appetite.  Risk limits should be specific, measurable, actionable, sensitive to portfolio composition, reportable, and based on forward-looking assumptions.  Risk limits should be expressed relative to earnings, capital, liquidity, or other relevant measures as appropriate.<a href="#footnote35">[35]</a>  In setting risk limits, the Enterprise should consider the interaction between risks within and across business lines, and their correlated or compounding impact on exposures and outcomes.  As appropriate, the Enterprise should utilize scenario analysis and stress testing results to inform the risk appetite limit setting process in order to ensure that the Enterprise understands what events might push it outside its risk appetite or capacity.  Risk limits may require model output to measure and monitor exposures and on-top adjustment subject to model risk management and review as appropriate.<a href="#footnote36">[36]</a>  The Enterprise’s risk appetite framework should be re-evaluated on at least an annual basis to ensure it is representative of any changes in risk profile of the Enterprise and continued alignment to strategic and business objectives.  The review should consider significant market and business changes, new business initiatives, risk event occurrences, and other changes to the Enterprise’s risk profile.  Additional ad hoc reviews should occur periodically during the year considering any major changes outside of the ordinary annual cycle. III.  ERM Identification, Assessment, Control, and Monitoring ProcessesThe ERM program supports the management of risk exposures through enterprise-wide risk management processes designed to identify, assess, control, monitor, and report risk.The Enterprise should have processes in place to identify current, new, top, emerging, and changing risks and methods for evaluating the level of exposure to risk.  Risks should be rated based upon measures of the likelihood of a risk’s occurrence and the severity of its impact.  Forward-looking assessments and scenarios should also be used to identify risks that could pose the most significant impacts to the Enterprise, both during periods of normal economic conditions and periods of stress.  Risk identification and assessment processes should occur regularly and include comprehensive self-assessment of material risks on at least an annual basis.<a href="#footnote37">[37]</a>   The risk assessment process should start with a rating of inherent risk, which represents the level of exposure to a risk absent any management actions to alter the risk’s likelihood or impact.  The design and operating effectiveness of controls in place to mitigate the risk should then be evaluated.  A residual risk rating should result, considering the likelihood and impact of the risk’s occurrence taking into account the application and effectiveness of these mitigating controls.  An additional risk response is then determined considering the residual risk and applicable risk appetite.  Risk responses should result in either accepting, reducing, transferring, pursuing, or avoiding the risk.  Risk acceptance results in no action taken to affect the residual risk.  Risk reduction results in designing and implementing processes to effectively apply additional mitigating controls to reduce residual risk to an acceptable level.  Risk transference results in sharing or transferring a portion of the risk to reduce residual risk to an acceptable level.  Risk pursuance results in action taken that accepts increased risk in order to achieve increased performance.  Risk avoidance results in discontinuing the activities which give rise to the risk all together.  Management’s response decision should be informed by risk appetite and other criteria for determining the acceptability of residual risk to the Enterprise.  Risks should be regularly monitored to determine the current status and identify changes or trends in risk exposures over time.  First line functions are responsible for establishing monitoring processes on risks arising from the activities for which they are accountable and managing those risks within the established risk appetite.  The second line ERM function is responsible for overseeing first line risk monitoring activities and monitoring adherence to risk appetite.  Regular monitoring for adherence to the risk appetite and limit structure is necessary to ensure risk exposures remain within established risk limits.<a href="#footnote38">[38]</a>  The overall effectiveness of the Enterprise’s internal control system should be monitored on an ongoing basis and ensure that business units conduct periodic evaluations.  Internal control deficiencies should be reported to senior management and the board on a timely basis and addressed promptly.<a href="#footnote39">[39]</a> The Enterprise should have processes in place to identify and define issues that may arise due to internal control gaps or weaknesses or internal process deficiencies.  Issues may be identified through regular risk assessment and monitoring processes, second line oversight activities, internal audit reviews, or FHFA examinations, or management self-identified through the normal course of business.  Issues should be documented, rated to assess priority, assigned ownership, and addressed in a timely manner.  Issue remediation should be regularly monitored and reported to senior management and the board or appropriate board committee.  IV. ERM Reporting and Communication ProcessesInformation generated from risk management processes should be reported in a form that is relevant, accurate, complete, timely, consistent, and comprehensive to enable the execution of sound and informed risk management decisions.<a href="#footnote40">[40]</a>  The Enterprise should have risk management information systems that generate, at an appropriate frequency, the information needed to manage risk.  Risk data should be aggregated to develop a comprehensive and accurate view of the Enterprise’s aggregate risk position and to facilitate integrated enterprise-wide risk reporting.  Systems and processes supporting risk and control reporting should align under a common data architecture to facilitate and support the Enterprise’s risk aggregation and enterprise-wide reporting.  Standardized data that is consistently defined is key when producing enterprise-wide reports that aggregate or combine risk data from different risk management processes.  Consistent and standardized risk data is also important for preparing reports that compare risks over time for meaningful trend analysis.  Risk reports should be defined to ensure that the reports produced are comprehensive, at an appropriate level, and consistent across board, senior management, and business-line levels.  Risks identified at process- and business-line levels should be consistent with and flow up to a portfolio and aggregated enterprise-wide view of risk.The ERM function is responsible for providing a comprehensive enterprise-wide view of risk to the board risk committee and appropriate levels of management for consideration and action.  The CRO must report to the board risk committee and to the CEO on significant risk exposures and related controls, adherence to risk appetite and limits, risk management strategies, results of risk management reviews, and emerging risks.<a href="#footnote41">[41]</a>  The CRO must also report any significant issues related to first-line compliance with corporate risk policies and related exceptions, and regularly assess and make recommended adjustments as necessary or appropriate.<a href="#footnote42">[42]</a>  This should include reporting on significant issues related to first-line compliance with related corporate risk standards and exceptions as well.  The ERM function should also have processes in place to assess and report on the impact of the board-approved strategic business plan to the Enterprise’s risk profile, and risk events that may adversely impact the achievement of strategic and business operating objectives.  These processes should also include regular assessment and reporting on new business initiatives that significantly impact the Enterprise’s risk profile or require regulatory review and approval.  ERM should provide an aggregated view of enterprise risks and report on key risk indicators that provide a consistent view of top and emerging risk across business lines and processes.  The frequency and variety of reporting should be a function of the risks, changes in the risks, and impact to decisions. Related Guidance and Regulations12 CFR Part 1239, Responsibilities of Boards of Directors, Corporate Practices, and Corporate Governance Matters.12 CFR Part 1236, Appendix, Prudential Management and Operating Standards. Contingency Planning for High-Risk or High-Volume Counterparties, Federal Housing Finance Agency Advisory Bulletin 2013-01, April 1, 2013. Model Risk Management Guidance, Federal Housing Finance Agency Advisory Bulletin 2013-07, November 20, 2013. Operational Risk Management, Federal Housing Finance Agency Advisory Bulletin 2014-02, February 18, 2014. Oversight of Single-Family Seller/Servicer Relationships, Federal Housing Finance Agency Advisory Bulletin 2014-07, December 1, 2014. Fraud Risk Management, Federal Housing Finance Agency Advisory Bulletin 2015-07, September 29, 2015. Data Management and Usage, Federal Housing Finance Agency Advisory Bulletin 2016-04, September 29, 2016. Internal Audit Governance and Function, Federal Housing Finance Agency Advisory Bulletin 2016-05, October 7, 2016. Information Security Management, Federal Housing Finance Agency Advisory Bulletin 2017-02, September 28, 2017. Cloud Computing Risk Management, Federal Housing Finance Agency Advisory Bulletin 2018-04, August 14, 2018. Oversight of Multifamily Seller Servicers, Federal Housing Finance Agency Advisory Bulletin 2018-05, August 14, 2018. Liquidity Risk Management, Federal Housing Finance Agency Advisory Bulletin 2018-06, August 22, 2018. Oversight of Third-Party Provider Relationships, Federal Housing Finance Agency Advisory Bulletin 2018-08, September 28, 2018. Interest Rate Risk Management, Federal Housing Finance Agency Advisory Bulletin 2018-09, September 28, 2018. Business Resiliency Management, Federal Housing Finance Agency Advisory Bulletin 2019-01, May 7, 2019. Enterprise Fraud Reporting, Federal Housing Finance Agency Advisory Bulletin 2019-04, September 18, 2019. Compliance Risk Management, Federal Housing Finance Agency Advisory Bulletin 2019-05, October 3, 2019. Credit Risk Transfer Analysis and Reporting, Federal Housing Finance Agency Advisory Bulletin 2019-06, November 14, 2019. <hr width="25%" align="left" /> <a name="footnote1">[1]</a> Common Securitization Solutions, LLC (CSS) is an “affiliate” of both Fannie Mae and Freddie Mac, as defined in the Federal Housing Enterprises Financial Safety and Soundness Act of 1992, as amended.  12 USC 4502(1). <a name="footnote2">[2]</a> See Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management – Integrating with Strategy and Performance (2017). <a name="footnote3"> [3]</a> See, e.g., Financial Stability Board, Principles for an Effective Risk Appetite Framework (2013). <a name="footnote4">[4]</a> See, e.g., Office of the Comptroller of the Currency, Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches; Integration of Regulations (12 CFR Parts 30, 168, and 170) (2014). <a name="footnote5">[5]</a> 12 CFR 1239.11(a). <a name="footnote6">[6]</a> 12 CFR 1239.11(a)(3). <a name="footnote7">[7]</a> 12 CFR 1239.11(a)(3). <a name="footnote8">[8]</a> 12 CFR 1239.11(a)(3). <a name="footnote9">[9]</a> 12 CFR 1239.11(b). <a name="footnote10">[10]</a> 12 CFR 1239.11(b)(2)(i). <a name="footnote11">[11]</a> Regarding documentation of board risk committee meetings, see 12 CFR 1239.11(b)(1)(iv). Documentation of management-level meetings may include memorializing committee discussions in committee minutes and meeting materials. <a name="footnote12">[12]</a> Some organizational units or functions within an Enterprise, such as those that provide legal services to the Enterprise, do not generally fall within a three lines model. <a name="footnote13">[13]</a> See FHFA Advisory Bulletin 2019-05, Compliance Risk Management (Oct. 3, 2019). <a name="footnote14">[14]</a> See FHFA Advisory Bulletin 2016-05, Internal Audit Governance and Function (Oct. 7, 2016). <a name="footnote15">[15]</a> 12 CFR 1239.4(c). <a name="footnote16">[16]</a> 12 CFR 1239.11(a)(1). <a name="footnote17">[17]</a> 12 CFR 1239.11(a)(2). <a name="footnote18">[18]</a> The Corporate Governance Rule defines these as being inclusive of credit, market, liquidity, business, and operational risk. 12 CFR 1239.11(a). <a name="footnote19">[19]</a> 12 CFR 1239.11(b)(2)(i). <a name="footnote20">[20]</a> See generally, 12 CFR Part 1236, Appendix (PMOS), Responsibilities of the Board of Directors, Principle 4. <a name="footnote21">[21]</a> 12 CFR 1239.11(c). <a name="footnote22">[22]</a> 12 CFR 1239.11(c)(5). <a name="footnote23">[23]</a> 12 CFR 1239.11(c)(5). <a name="footnote24">[24]</a> 12 CFR 1239.11(a)(3). <a name="footnote25">[25]</a> See 12 CFR 1239.11(a) and 12 CFR Part 1236, Appendix (PMOS), Standard 8. <a name="footnote26">[26]</a> See 12 CFR 1236, Appendix (PMOS), Standard 8. <a name="footnote27">[27]</a> An Enterprise must establish and adhere to a written code of conduct and ethics that is reasonably designed to assure that directors, officers, and employees discharge their duties and responsibilities in an objective an impartial manner that promotes honest and ethical conduct, compliance, and accountability. 12 CFR Part 1239.10(a). <a name="footnote28">[28]</a> See 12 CFR Part 1239.11(a)(3) and 12 CFR Part 1236, Appendix (PMOS), Standard 8. <a name="footnote29">[29]</a> 12 CFR Part 1239.14(a)(5). <a name="footnote30">[30]</a> 12 CFR Part 1239.11(a). <a name="footnote31">[31]</a> 12 CFR Part 1239.11(a)(2). <a name="footnote32">[32]</a> 12 CFR Part 1239.2. <a name="footnote33">[33]</a> 12 CFR Part 1239.11(a)(3)(i). See also 12 CFR Part 1236, Appendix (PMOS), Standard 8. <a name="footnote34">[34]</a> See 12 CFR Part 1239.11(a)(3) and 12 CFR Part 1236, Appendix (PMOS), Standard 8. <a name="footnote35">[35]</a> The PMOS lays out expectations regarding specific risk area risk limit-setting, measurement, and escalation. <a name="footnote36">[36]</a> See FHFA Advisory Bulletin 2013-07, Model Risk Management Guidance (Nov. 20, 2013). <a name="footnote37">[37]</a> 12 CFR Part 1236, Appendix (PMOS), Standard 8. <a name="footnote38">[38]</a> 12 CFR Part 1236, Appendix (PMOS), Standard 8. <a name="footnote39">[39]</a> 12 CFR Part 1236, Appendix (PMOS), Standard 1. <a name="footnote40">[40]</a> See FHFA Advisory Bulletin 2016-04, Data Management and Usage (Sept. 29, 2016). <a name="footnote41">[41]</a> 12 CFR Part 1239.11(c)(2) and (5). <a name="footnote42">[42]</a> 12 CFR Part 1239.11(c)(5).   <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities. Questions about this advisory bulletin should be directed to <a href="mailto:SupervisionPolicy@FHFA.gov">SupervisionPolicy@FHFA.gov</a>. </td></tr></tbody></table>

12/11/2020 5:14:30 PM

Home / Supervision & Regulation / Advisory Bulletins / Enterprise Risk Management Program Advisory Bulletin AB 2020-06: ENTERPRISE RISK MANAGEMENT PROGRAM (PDF

10718

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Enterprise Cybersecurity Incident Reporting

27878

Fannie Mae & Freddie Mac

8/21/2020 4:00:00 AM

AB 2020-05

<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"> ADVISORY BULLETIN AB 2020-05: ENTERPRISE CYBERSECURITY INCIDENT REPORTING</td></tr></tbody></table> PurposeThis advisory bulletin (AB) communicates Federal Housing Finance Agency's (FHFA) supervisory expectations for cybersecurity incident reporting to maintain safe and sound operations at Fannie Mae and Freddie Mac (the Enterprises). <a href="#footnote1"> [1]</a> BackgroundAs part of an effective information security management program, the Enterprises need to be able to effectively respond to cybersecurity events that could affect the confidentiality, availability, and integrity of information.  The continuous monitoring of systems to detect anomalies as well as successful and attempted attacks, including unauthorized activity on or intrusion into information systems, is an activity that underlies robust incident response.Prioritizing the handling of cybersecurity incidents is a critical factor in the success or failure of an incident response process. By prioritizing incidents, Enterprises identify situations that are of greater severity and demand immediate attention.  The Enterprises should communicate to FHFA incidents that affect or have the potential to affect the security of their information.  This AB informs the Enterprises of supervisory expectations for assessing the Enterprise reports on cybersecurity incident data sent to FHFA. GuidanceThis guidance explains the need for cybersecurity incident information that is supplemental to what is otherwise regularly, consistently, and systematically collected for use in supervisory oversight.  The information reported in line with this guidance is adjunct to other more formal reports, but it is important for both the Enterprises and FHFA to compile and use the information specifically in evaluating cybersecurity incident responses and readiness to confront cybersecurity threats to safety and soundness. Definition of Cybersecurity IncidentFor the purpose of the AB, FHFA defines a reportable cybersecurity incident as an occurrence that:<ul><li>occurs at the Enterprise or at a third party that actually or potentially jeopardizes the confidentiality, integrity, or availability of an Enterprise system or Enterprise information the system processes, stores, or transmits, or;</li><li>constitutes a violation or imminent threat of violation of the Enterprise's security policies, security procedures, or acceptable use policies. <a href="#footnote2"> [2]</a></li></ul> Incident Severity ScoringEffective reporting of cybersecurity incidents begins with the Enterprises determining a cybersecurity incident's severity by evaluating the confirmed impacts as well as potential impacts of the incident that they anticipate are likely to occur. Outlined below is an Incident Severity Score framework that will be consistent in meaning across both Enterprises and will facilitate the Enterprises' accurately advising FHFA of the seriousness of each incident. <a href="#footnote3"> [3]</a>  As analysis of a cybersecurity incident progresses, the Enterprises should continuously re-evaluate the severity level for each incident and report to FHFA as described below. Severity 1: Major.  Cybersecurity incidents that interrupt one or more mission critical functions or result in the inability to achieve one or more mission critical objectives.  Major Incidents are likely to have a substantial negative impact on customers and/or counterparties and may pose reputational risk to the Enterprise.  Cybersecurity incidents that include personally identifiable information may also be considered a Major Incident.  Severity 2: Significant.  Cybersecurity incidents that interrupt or result in a degradation to one or more mission critical functions or core services.  Significant Incidents may have a negative impact on customers and/or counterparties and may pose reputational risk to the Enterprise.  Cybersecurity incidents that include substantial non-public information may also be considered Significant Incidents. Severity 3: Moderate.  Cybersecurity incidents that interrupt or result in a degradation to one or more production systems or applications.  Moderate Incidents may have a negative impact on customers and/or counterparties but are unlikely to pose substantial reputational risk to the Enterprise.  Cybersecurity incidents that include a moderate amount of non-public information may also be considered Moderate Incidents. Severity 4: Minor.  Cybersecurity incidents that result in a degradation to a production system or application or an outage of multiple non-production systems or applications.  Minor Incidents are unlikely to have negative impact on customers and/or counterparties and pose no reputational risk to the Enterprise.  Cybersecurity incidents that include minor amounts of data loss may also be considered.  Minor Incidents may result in minor amounts of data loss that cannot be retrieved or deleted. Severity 5: Insignificant.  Cybersecurity incidents that interrupt or result in an outage of a single non-production system or application or the degradation of one or more non-production systems or applications.  Insignificant Incidents may also include a violation of security policies, security procedures, or acceptable use policies that has no impact on systems and applications.  Insignificant Incidents are unlikely to have a negative impact on customers and/or counterparties and pose no reputational risk to the Enterprise.  Cybersecurity incidents that include minor amounts of data loss that can be retrieved may also be considered Insignificant Incidents. Timely Reporting Timely reporting from each Enterprise is critical to effective supervision. Immediate NotificationFHFA expects the Enterprises to prioritize responding to, and taking corrective action for, the identified incident or potential threat and to notify and provide a description of any Major Incident as soon as possible to the Examiner-in-Charge (EIC) for the Enterprise.  The notification can occur via email, telephone, or in person so long as the Enterprise confirms receipt of the notification.  In addition to contacting the EIC, the Enterprise should send a report describing the Major Incident to FHFA through secure methods established by FHFA.  The Enterprise should continue to provide updates on any Major Incident throughout the incident response and remediation to the EIC or his/her designee. 24-hour NotificationFHFA expects the Enterprises to notify and report a description of any Significant Incident within 24 hours of determination.  The notice and report should be made to the EIC for the Enterprise.  The notification can occur via email, telephone, or in person so long as the Enterprise confirms receipt of the notification.  In addition to contacting the EIC, a report of any Significant Incident should be sent electronically through secure methods established by FHFA.  The Enterprise should continue to provide updates on any Significant Incident throughout the incident response and remediation to the EIC or his/her designee.  Monthly Cybersecurity Incident ReportConsistency of incident reporting is necessary to assess the effectiveness of each Enterprise's incident response process.  Threats may occur simultaneously, sequentially, or randomly and FHFA needs to be sufficiently informed of incidents to evaluate effective detection and responses across the Enterprises. By submitting a monthly cybersecurity incident report to FHFA, the Enterprises and FHFA will be better prepared and aware of security challenges that could compromise safety and soundness.  FHFA will provide a template describing the format as well as the standard content with corresponding definitions and examples that should be included in the monthly cybersecurity incident report.Each Enterprise should submit the monthly cybersecurity incident report within fifteen (15) calendar days after the end of each month, even if there are no reportable cybersecurity incidents during the reporting period.  The report should be sent electronically through secure methods established by FHFA. Effective DateThis AB becomes effective on October 1, 2020 Related Guidance12 CFR Part 1236 Prudential Management and Operations Standards, Appendix.   Oversight of Third-Party Provider Relationships, Federal Housing Finance Agency Advisory Bulletin 2018-08, September 28, 2018.  Cloud Computing Risk Management, Federal Housing Finance Agency Advisory Bulletin 2018-04, August 14, 2018.  Information Security Management, Federal Housing Finance Agency Advisory Bulletin 2017-02, September 28, 2017.  Internal Audit Governance and Function, Federal Housing Finance Agency Advisory Bulletin 2016-05, October 7, 2016.  Data Management and Usage, Federal Housing Finance Agency Advisory Bulletin 2016-04, September 29, 2016.  Operational Risk Management, Federal Housing Finance Agency Advisory Bulletin 2014-02, February 18, 2014.  <hr width="25%" align="left" /> <a name="footnote1"> [1]</a> Common Securitization Solutions, LLC (CSS) is an “affiliate" of both Fannie Mae and Freddie Mac, as defined in the Federal Housing Enterprises Financial Safety and Soundness Act of 1992, as amended.  12 USC 4502(1). <a name="footnote2"> [2]</a> This definition is adapted from the National Institute of Standards and Technology. <a name="footnote3">[3]</a> The Incident Scoring is not meant to replace severity or priority scoring established internally by the Enterprises.   <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities. Questions about this advisory bulletin should be directed to <a href="mailto:SupervisionPolicy@FHFA.gov">SupervisionPolicy@FHFA.gov</a>. </td></tr></tbody></table>

8/24/2020 5:00:30 PM

Home / Supervision & Regulation / Advisory Bulletins / Enterprise Cybersecurity Incident Reporting Advisory Bulletin AB 2020-05: ENTERPRISE CYBERSECURITY INCIDENT REPORTING

6849

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Financial Reporting and Disclosure and External Audit

28435

All

8/20/2020 4:00:00 AM

AB 2020-04

<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"> ADVISORY BULLETIN AB 2020-04: FINANCIAL REPORTING AND DISCLOSURE AND EXTERNAL AUDIT</td></tr></tbody></table> PurposeThis Advisory Bulletin (AB) articulates the Federal Housing Finance Agency's (FHFA) supervisory expectations for oversight and management of financial reporting and disclosures and of the external audit function. This AB applies to Fannie Mae and Freddie Mac (the Enterprises), the Federal Home Loan Banks (FHLBanks), and the FHLBanks' Office of Finance (OF) (collectively, the regulated entities) <a href="#footnote1"> [1]</a> and is effective immediately.  This AB rescinds, and along with AB 2016-05 Internal Audit Governance and Function, replaces FHFA's Examination for Accounting Practices guidance.  Transparent financial reporting and disclosures, subject to strong internal control over financial reporting (ICFR) and confirmed by a high-quality external audit, help ensure that published financial information is reliable and free from material misstatements for all stakeholders.    Timely, accurate, complete, and meaningful reporting and disclosures regarding financial condition and performance support FHFA's risk-focused supervision of the regulated entities.  For FHFA as a prudential regulator, such reporting facilitates effective risk assessments, off-site monitoring, and examination planning.  Financial condition and performance metrics for capital adequacy, liquidity, earnings adequacy, and asset quality are based on information in these reports. BackgroundThe Office of Federal Housing Enterprise Oversight (OFHEO) issued the Examination for Accounting Practices guidance to the Enterprises in 2006.  FHFA revised and updated that guidance in 2009 and expanded its application to the FHLBanks.  With the issuance of this financial reporting and external audit guidance and AB 2016-05 Internal Audit Governance and Function, FHFA has updated and revised the 2009 guidance to reflect our regulatory experience and that of other financial regulators, and to more clearly communicate FHFA's supervisory expectations in these areas to the regulated entities. Regarding financial reporting and external audit, the regulated entities are governed by different, yet generally concordant, FHFA and/or Securities and Exchange Commission (SEC) regulations and auditing standards. <a href="#footnote2"> [2]</a>  Notably: <ul><li>The Enterprises are SEC registrants. Their external audits are subject to Public Company Accounting Oversight Board (PCAOB) auditing standards.  Under FHFA regulations, the Enterprises are subject to specified New York Stock Exchange (NYSE) requirements.</li><li>The FHLBanks are SEC registrants.  Their external audits are subject to PCAOB auditing standards and under FHFA regulations, are subject to Generally Accepted Auditing Standards (GAAS) and Generally Accepted Government Auditing Standards (GAGAS). <a href="#footnote3"> [3]</a>  Applicable FHFA rules further detail specific requirements for audit committees regarding external audit and financial reporting oversight.</li><li>The OF is not an SEC registrant.  Under FHFA regulations, FHLBank System combined financial reports are subject to GAAS and GAGAS. <a href="#footnote4"> [4]</a>  The regulations also address oversight of the external auditor for the combined financial reports. <a href="#footnote5"> [5]</a></li></ul>Each Enterprise and FHLBank is covered by FHFA's Prudential Management and Operations Standards (PMOS) and each regulated entity reports financial information in conformance with U.S. Generally Accepted Accounting Principles (GAAP). <a href="#footnote6"> [6]</a>  Enterprise and FHLBank management assess the effectiveness of their respective entity's ICFR based on the criteria in the Internal Control-Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The referenced FHFA, SEC, and NYSE rules and regulations, as applicable, address a wide range of audit committee governance topics including: <ul><li>Committee composition and members' qualifications, including financial literacy and expertise, and independence requirements;</li><li>Committee oversight of the integrity of financial statements and earnings releases and compliance with legal and regulatory requirements;</li><li>Committee charter content and minimum frequency of reviews and re-approval;</li><li>Boards' responsibility to provide the audit committee sufficient funding for payments to the external auditor and to advisors/counsel that the committee retains as it deems necessary to carry out its duties;</li><li>Committee duties and responsibilities regarding external auditor oversight including:</li><ul><li>Responsibility for selecting the auditor, evaluating the auditor's performance, replacing the auditor if needed, and ensuring that the auditor is solely responsible to the committee;</li><li>Ensuring that the external auditor submits a formal written statement regarding relationships and services that may adversely affect independence and discussing any disclosed relationships that may impact objectivity and independence with the external auditor;</li><li>Reviewing the auditor's internal quality control procedures;</li><li>Meeting with, including in executive sessions, auditors and management;</li><li>Reviewing and approving procedures for handling complaints received by the regulated entity regarding accounting, internal accounting controls, or auditing matters; and confidential, anonymous submission by regulated entity staff of concerns regarding questionable accounting or auditing matters; and</li><li>Providing for an annual committee self-evaluation or external review.</li></ul></ul>The guidance in this AB is intended to be consistent with applicable statutes, regulations, GAAP, and auditing standards.  In some instances, substantive elements of guidance herein for all regulated entities may be addressed by FHFA regulation, SEC regulation, or applicable accounting or auditing standards for one or more regulated entities.  This guidance does not relieve or diminish the responsibility of a regulated entity's board of directors or management to follow applicable laws, rules, and regulations and to conform to applicable accounting standards.  Any perceived conflicts should be resolved so as to comply with applicable laws and regulations, and in conformance with accounting standards. Guidance I. Financial Reporting and Disclosure Oversight and ManagementRegulated entities' boards of directors and senior managers are responsible, within their respective roles as described in FHFA's corporate governance regulation and prudential standards, for the institution operating in a safe and sound manner.  Entities should maintain effective accounting and reporting systems and ICFR to produce reliable and accurate financial reports and meaningful disclosures. To address accounting, financial reporting, and disclosure, audit committees should: <ul><li>Review and discuss annual audited financial statements, quarterly SEC filings or equivalent financial statements, and earnings releases;</li><li>Meet regularly with management and external auditors and hold regular executive sessions with the external auditor;</li><li>Oversee that management establishes, implements, and maintains accounting policies and procedures that comply with applicable laws, rules, and regulations and conform to applicable guidance, including GAAP and other relevant reporting and disclosure standards;</li><li>Ensure that the regulated entity has policies in place to notify FHFA of any accounting treatments or policies identified as posing significant legal, reputation, or safety and soundness risk, with a focus on accounting treatments or policies that do not employ GAAP or preferred methods; and</li><li>Direct management to provide the committee with adequate information and reports to carry out its duties and responsibilities and challenge management and auditors where appropriate. </li></ul> A. Assessing Materiality An entity's audit committee should review and clearly understand how management and the external auditor assess financial statement materiality.  For public financial disclosures, FHFA's regulated entities should follow materiality guidelines established by the SEC and other U.S. standard-setters and regulators as appropriate.  FHFA is informed by the SEC's statements regarding materiality and generally considers them as part of its ongoing review of regulated entities' accounting practices and controls. A regulated entity's determination that an accounting matter is material or presents a materiality issue may be a factor in FHFA's oversight of a regulated entity.  An item not being deemed to be “material" or not having “materiality" for financial reporting purposes, however, would not necessarily preclude FHFA from having supervisory concerns about the item.  Further, FHLBanks may be required to provide information that is less than material to their individual financial statements to the OF in order to support FHLBank System combined financial filings.  B. Accounting Policies and Procedures FHFA expects each regulated entity's management, with appropriate audit committee oversight, to establish and maintain: <ul><li>A formal written procedure for developing accounting policies;</li><li>A process for disclosing those policies and the regulated entity's compliance with applicable regulatory requirements and GAAP to the committee;</li><li>Accounting and disclosure policies and procedures that reflect applicable regulatory requirements and GAAP; and</li><li>A complete and current accounting guide that lists all of the regulated entity's accounting policies, including a procedure for documenting the business purpose of all significant types of transactions. </li></ul>Each regulated entity currently submits its accounting guide to FHFA annually, and significant revisions to FHFA quarterly, although the FHFA Chief Accountant may request more frequent submissions.    C. Internal Control over Financial ReportingEach regulated entity is responsible for designing, implementing, monitoring, and maintaining its ICFR. <a href="#footnote7"> [7]</a>   Each regulated entity should ensure that its ICFR system is designed to minimize the risk of a material financial misstatement, whether due to reporting error, fraud, or other external or company-specific risks. FHFA expects regulated entities to develop, implement, and maintain robust business and accounting systems and processes subject to rigorous quality controls to minimize the possibility of material misstatements.  Regulated entities should remediate identified deficiencies timely and should not allow significant control deficiencies to persist.  ICFR review functions <a href="#footnote8"> [8]</a> should be structured to ensure that those persons performing and evaluating testing are appropriately independent of the controls being tested.  Each regulated entity should ensure that it has protocols in place for its employees and vendors to comply with the regulated entity's ICFR-related policies and procedures. Each regulated entity should have a system in place to provide reasonable assurance that accounting and disclosure policies and procedures reflect regulatory and GAAP requirements and should have proper procedures and processes in place to evaluate compliance with those requirements.  The ICFR risk assessment process should include assessing new products and business lines, as well as significant growth, shrinkage, and other changes in existing products and business lines.  This should help ensure that key controls are identified and tested so that potential control deficiencies are identified timely and properly addressed. Each regulated entity's management should ensure, and its audit committee should oversee, that the regulated entity establishes, implements, and maintains effective controls over information reported to FHFA through FHFA's Call Report System and in formal data requests.  D. Regulated Entity Accounting StaffEach regulated entity's management should hire sufficient numbers of technically competent accounting staff and that staff should remain professionally competent and current in professional standards.  Accounting departments should implement and maintain quality control procedures to ensure that they follow accounting policies and procedures.  Further, accounting staff should be charged with reporting any non-compliance with GAAP to appropriate management and/or auditors.  E. Financial StatementsAs SEC registrants, each FHLBank and Enterprise must prepare and timely file with the SEC periodic financial statements and disclosures that comply with applicable SEC regulations.  Each regulated entity also should prepare and timely file financial statements and information as required by FHFA regulations.  FHFA encourages the regulated entities to maximize transparency in their public financial reporting and disclosures, and to establish and implement policies that lead to comparable and consistent accounting and disclosures to the extent practicable. <a href="#footnote9"> [9]</a>FHFA expects each FHLBank and Enterprise to submit to FHFA any financial information, disclosures, or other items it submits to the SEC that are not available to FHFA in public filings.  FHFA also expects each regulated entity to provide additional information about the financial information, disclosures, and other items it submits to the SEC when and in the manner requested by FHFA. F. Non-GAAP Measures in Financial StatementsRegulated entities should consider risks associated with presenting non-GAAP measures in public financial reports, along with their responsibilities to transparently inform stakeholders about the entity's financial condition and results of operations.  If a regulated entity decides to disclose a non-GAAP measure in its periodic filings, that measure should be subject to rigorous internal controls, should not be presented more prominently than similar GAAP measures, and should otherwise conform to applicable regulations.  Any new proposed non-GAAP measure should be discussed with the audit committee, as appropriate, prior to initial publication.  G. Alternate and Preferable GAAP Accounting TreatmentsAt least quarterly, each regulated entity's audit committee should review management's analyses of significant financial reporting issues and accounting judgments made in preparing the entity's financial statements.  To facilitate this review, management should highlight, and the committee should review, significant new or unusual items arising during the financial quarter, and management's anticipated implementation of significant new or revised GAAP.  These reviews should include effects of alternative GAAP methods.  The audit committee should also review and discuss these areas (and others as described in applicable rules, regulations, and guidance) with the external auditor. FHFA believes that it is prudent for the regulated entities' audit committees to assess the costs and benefits of engaging an independent third party to evaluate one or more accounting policy areas at least every two years.  Committees should report their findings to their board of directors and to FHFA.  Such a review may be appropriate for new or revised GAAP guidance and/or for new types of transactions that the regulated entity expects to become material, especially those for which the accounting may involve significant estimates and/or management judgments.   If the audit committee determines that the results of any such assessment warrant a targeted evaluation, it should then consider the appropriate form and scope of the engagement.  Given the potential relevance of such assessments to FHFA's supervisory responsibilities, the regulated entity should structure any targeted evaluation engagement so as to make reports and workpapers available for review by FHFA.  II. External Audit Function OversightRigorous and effective audit committee oversight of external audit functions is critical to secure the benefits of an independent, high-quality audit.  FHFA expects each regulated entity's audit committee to perform this role in accordance with applicable FHFA, SEC, and NYSE requirements.  Further, FHFA expects each audit committee to establish and maintain appropriate charter elements, and well-documented policies where needed, around this oversight role.  Finally, FHFA encourages regulated entities to develop, and audit committees to regularly review and approve for publication, disclosures that provide insight and information to stakeholders about how the committees oversee their external auditors.A. Overseeing the External Audit RelationshipThe concepts in this section should be considered when appointing, retaining, or terminating an external auditor.1. Monitoring PerformanceEach regulated entity's audit committee should perform and document a comprehensive assessment of the external audit firm's performance at least annually.  As part of the review, the committee should request and review input from audit committee members, management, and internal auditors regarding the performance of the external auditors.  The current external auditor's tenure should be considered as a factor in the assessment. FHFA expects each audit committee to identify and consider Audit Quality Indicators (AQIs) to inform dialogue and discussions with the external auditor.  AQIs are qualitative and quantitative performance metrics to help inform stakeholders, including audit committees, about key conditions or attributes that may contribute to audit quality.  AQIs may be defined at both the auditing firm and the audit engagement team levels.  While there is no regulation or auditing standard requiring firms to report or audit committees to use AQIs, larger auditing firms provide firm-level AQIs and/or similar information to their stakeholders. <a href="#footnote10"> [10]</a>  FHFA views identifying and assessing AQIs as a best practice in assessing external auditor performance. The audit committee should consider the external auditor's internal quality control procedures, including the auditing firm's processes for performing quality control reviews, when evaluating the external auditor.  The committee should discuss the auditing firm's internal quality control reviews and external PCAOB inspection results with the external auditors as part of their performance assessment.  The committee should pay particular attention to any deficiencies or non-compliance issues identified by the PCAOB or internal reviews that are relevant to their regulated entity's audit.  To aid in this process, the audit committee should request that the external auditor align any PCAOB inspection deficiencies with potential areas of exposure to the audit of the regulated entity.  The audit committee should have a good understanding of how the audit firm is addressing any identified deficiencies, including remediation plans and timetables.Auditing firm tenure is not explicitly addressed by FHFA or SEC regulations.  Even if an incumbent auditing firm has performed satisfactorily, FHFA considers it prudent for audit committees to periodically consider, and document their consideration of, the potential costs and benefits of changing or retaining their incumbent auditing firms at least every five years, or more frequently if circumstances warrant. <a href="#footnote11"> [11]</a>  2. Monitoring IndependenceExternal auditor independence is necessary for a reliable audit.  Therefore, each regulated entity's audit committee should carefully consider regulatory and professional requirements regarding independence in fact and appearance during all phases of the audit engagement. <a href="#footnote12"> [12]</a>  Independence requirements apply to the external auditing firm, to engagement and concurring partners, and to auditing firm staff and contractors working on the engagement. The audit committee should have a robust process for monitoring and assessing the external auditor's independence, including understanding how the external auditor assesses and monitors independence within the auditing firm. The external auditor's communications to the audit committee regarding independence and the committee's related discussions and decisions regarding the auditor's independence should be appropriately documented.  Arrangements regarding any permissible non-audit services to be provided by the audit firm should be clear and transparent, should not involve contingent compensation other than appropriate arrangements for tax work, and should be pre-approved by the audit committee.  If the committee delegates some of its pre-approval authority to, for example, its Chair, it should subsequently ratify the delegate's approval.  At least annually, the committee should review the nature of all services performed by the external audit firm and assess the relative magnitude of fees and personnel involved.  The committee should then consider establishing safeguards, as needed, to mitigate potential threats to audit independence that may arise as a result of providing these other services.  Further, the audit committee should be informed about and consider business and financial relationships between the auditor and the regulated entity or its officers, directors, or significant shareholders, and about employment of former regulated entity employees by the auditing firm and vice versa, as necessary to identify and address circumstances that could indicate a lack of independence or the appearance thereof.  B. Communication with External Auditor and Audit Engagement LettersEach regulated entity's audit committee and its external auditor should have an open working relationship.  Communications should be frank and robust and should cover the full range of potential topics related to financial reporting and audit risks.  Significant discussions during scheduled audit committee meetings should be clearly documented in committee minutes.  Other relevant substantive discussions should be appropriately documented in audit committee packages or minutes.  Audit committees can promote effective communications by: <ul><li>Maintaining a direct line of communication with the external auditor, including periodic, informal contact by the committee chair and regular executive sessions;</li><li>Requesting periodic involvement of other external audit partners, such as concurring, review, and tax partners at the audit committee meetings; </li><li>Discussing the external auditor's audit risk assessment and audit plan for the regulated entity;</li><li>Discussing with the auditor (and management, as applicable) any new, unusual, or non-standard representations made by management in their management representations letter; and</li><li>Requesting and reviewing insights from audit committee members, management, and internal auditors regarding the performance of the external auditors, at least annually. </li></ul>It is also important for the audit committee to have ongoing communication with the external auditor regarding its audit fees.  One objective of those communications is to provide assurance to the audit committee that negotiations for the fees and the fee arrangements themselves encourage the external auditor to conduct rigorous, high-quality audits and reviews. The engagement letter is the key document defining the relationship between the regulated entity and its external auditor.  FHFA's authority to examine the regulated entities allows it to have access to all regulated entity documents, including accounting records.  FHFA expects regulated entities' external audit engagement letters to be consistent with FHFA's examination authority.  Accordingly, FHFA expects that each regulated entity's engagement letter should: <ul><li>Provide that the external auditor may, upon FHFA's request, provide FHFA with access to the senior audit partners on the engagement and any other personnel whom such partners deem necessary, as well as to the external auditor's working papers prepared in the course of performing the services set forth in the engagement letter, and that such access to the external auditor may be without regulated entity personnel in attendance;</li><li>Not contain any provisions that would be characterized as unsafe and unsound under the “Interagency Advisory on the Unsafe and Unsound Use of Limitation of Liability Provisions in External Audit Engagement Letters";<a href="#footnote13">[13]</a> and</li><li>Provide that the external auditor, without the approval of the regulated entity, may meet with FHFA with such frequency and about such matters as determined by FHFA, and may provide reports or other communications arising from the audit engagement directly to FHFA.</li></ul> C. Audit Committee TransparencyFHFA regulations and guidelines require that the audit committees for the regulated entities review their charters annually and that the boards of directors reapprove them at least every three years. <a href="#footnote14"> [14]</a>   FHFA's regulated entities regularly publish their audit committee charters.  Besides serving as the committee's roadmap to help ensure that it fulfills all of its duties and obligations, a well-drafted charter can provide outside readers with insights on the committee's governance and functions. Under the PCAOB standards, auditor tenure is now a required element of the independent auditor's report.  Also, critical audit matters—which are matters that have been communicated to the audit committee, are related to accounts or disclosures that are material to the financial statements, and involved especially challenging, subjective, or complex auditor judgment—must be reported by the auditor beginning in the next few years. <a href="#footnote15"> [15]</a>  While this reporting is the responsibility of public companies' external auditors, we believe that these requirements evidence increased demand by financial statement users for information on audits and audit governance.  While effective audit committee oversight of and engagement with the external auditor are keys to obtaining a high-quality audit, there are no formal rules or standards that require those topics to be reported to shareholders.  That said, industry studies confirm an increasing trend among public companies to make enhanced voluntary disclosures about their audit committees' oversight of the external audit function.  Examples include disclosures about the factors that the audit committee considers when appointing or retaining an external auditor, the role of the audit committee in fee negotiations and compensation, the length of time the auditor has been engaged, whether evaluations of the auditing firm are done annually, and audit partner selection and rotation. <a href="#footnote16"> [16]</a> FHFA encourages each regulated entity's audit committee to consider providing such voluntary disclosures regarding its role in supporting a quality audit.  The audit committee should remain aware of industry trends and developments regarding audit committee transparency and should work to provide the regulated entity's stakeholders with relevant information regarding their activities to the extent practicable.  III. Annual Review by Audit CommitteeAt least annually, each regulated entity's audit committee should review, with any appropriate professional assistance, the committee's performance in light of the requirements of laws, rules, and regulations that are applicable to its activities and duties.  The committee should also assess whether it is operating consistent with applicable regulatory guidance.  The audit committee should provide the FHFA Chief Accountant with the materials and procedures employed in such review, as well as the final report.  The review may be done as part of a committee self-assessment, an outside review, or a combination of approaches.  Related Regulations and Guidance12 CFR Part 1236 and Appendix – Prudential Management and Operations Standards 12 CFR Part 1239 – Responsibilities of Boards of Directors, Corporate Practices and Corporate Governance Matters 12 CFR Part 1273 – Office of Finance 12 CFR Part 1274 – Financial Statements of the Banks Securities and Exchange Commission Guidance Regarding Management's Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934, 72 Fed. Reg. 35324 (June 27, 2007) (codified at 17 CFR Part 241)Securities and Exchange Commission Rule 10A-3: Listing Standards Relating to Audit Committees (National Securities Exchanges), 17 CFR § 240.10A-3Securities and Exchange Commission Rule Reg. S-X: Form and Content of and Requirements for Financial Statements, Securities Act of 1933, Securities Exchange Act of 1934, Investment Company Act of 1940, Investment Advisers Act of 1940, and Energy Policy and Conservation Act of 1975 (Qualifications and Reports of Accountants), 17 CFR § 210.2-01 through -07Securities and Exchange Commission Rule Reg. S-K: Standard Instructions for Filing Forms under Securities Act of 1933, Securities Exchange Act of 1934 and Energy Policy and Conservation Act of 1975, 17 CFR Part 229Public Company Accounting Oversight Board Rule 3526: Auditor Communications with Audit Committees Concerning IndependenceNYSE, Inc., Listed Company Manual, § 303A (Corporate Governance Standards) (2018)  <hr width="25%" align="left" /> <a name="footnote1">[1]</a> The OF is not a “regulated entity" as the term is defined by 12 U.S.C. 4502(20), but for convenience, references to the “regulated entities" in this AB should be read to also apply to the OF as regards its roles in issuing combined financial reports and engaging the external auditor for those reports, and to regulated entities' affiliates as regards their roles, if any, in issuing public financial reports and in engaging external auditors. <a name="footnote2">[2]</a> Duties of FHLBank audit committees are described in 12 CFR 1239.32. Duties of the OF audit committee are described in 12 CFR 1273.9. Part 1239 stipulates that the duties and responsibilities of Enterprise audit committees are set forth under rules issued by the New York Stock Exchange, and further requires that those committees comply with requirements set forth under section 301 of the Sarbanes-Oxley Act, 15 U.S.C.§ 78j-1(f). The Prudential Management and Operations Standards set forth in the Appendix to 12 CFR Part 1236 also include standards applicable to the audit committees of the FHLBanks and Enterprises. <a name="footnote3"> [3]</a> See 12 CFR 1274.2(c). <a name="footnote4"> [4]</a> See 12 CFR 1274.2(c). <a name="footnote5"> [5]</a> See 12 CFR 1274.2(d), (e). <a name="footnote6"> [6]</a> See 12 CFR Part 1236, Appendix (Standard 10.1) and 12 CFR 1273.6(b) (2). <a name="footnote7"> [7]</a> SEC Exchange Act Rule 13a-15(f) defines the term “internal control over financial reporting" as: a process designed by, or under the supervision of, the issuer's principal executive and principal financial officers, or persons performing similar functions, and effected by the issuer's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:<ol><li>Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer;</li><li>Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer; and</li><li>Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer's assets that could have a material effect on the financial statements.</li></ol> See 17 CFR 240.13a-15(f). <a name="footnote8"> [8]</a> For the OF, this refers to the ICFR over the OF's process for producing the FHLBanks' combined financial reports.  <a name="footnote9"> [9]</a> On comparability and consistency, see FASB Statement of Financial Accounting Concepts No. 8 as amended August 2018. <a name="footnote10"> [10]</a> See Center for Audit Quality, “Audit Quality Indicators:  The Journey and Path Ahead," Jan. 12, 2016. <a name="footnote11"> [11]</a> The FHLBanks and the OF, in light of the FHLBank System's requirement to issue combined financial statements, have historically engaged the same external audit firm.  Therefore, they undertake external auditor performance reviews and decisions on which audit firm to engage jointly. <a name="footnote12"> [12]</a> The external auditor must meet the requirements of independence set forth by the PCAOB Auditing Standard 1005 and in the SEC regulations at 17 CFR § 210.2-01.  <a name="footnote13"> [13]</a> 71 Fed. Reg. 6847 (Feb. 9, 2006). <a name="footnote14"> [14]</a> See 12 CFR Part 1236, Appendix (Prudential Management and Operations Standard 2.2) (regulated entity boards); 12 CFR 1239.32(d) (1), (2) (Bank audit committees and boards of directors); 12 CFR 1273.9(c) (1) (i), (ii) (Office of Finance). Enterprise boards of directors must adopt a written charter for each board committee and comply with the committee requirements of the NYSE rules and section 301 of the Sarbanes-Oxley Act, 15 U.S.C. § 78j-1. See 12 CFR 1239.5(b). Neither those incorporated provisions nor the regulation itself imposes any requirements with respect to the review or re-approval of committee charters. <a name="footnote15"> [15]</a> See PCAOB Auditing Standard 3101. <a name="footnote16"> [16]</a> See 2018 Audit Committee Transparency Barometer prepared by the Center for Audit Quality and by Audit Analytics (November 2018).   <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities. Questions about this advisory bulletin should be directed to <a href="mailto:SupervisionPolicy@FHFA.gov">SupervisionPolicy@FHFA.gov</a>. </td></tr></tbody></table>

8/20/2020 5:00:54 PM

Home / Supervision & Regulation / Advisory Bulletins / Financial Reporting and Disclosure and External Audit Advisory Bulletin AB 2020-04: FINANCIAL REPORTING AND DISCLOSURE

8329

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Guidance on the Use of Proxies

28094

FHL Banks

7/20/2020 4:00:00 AM

AB 2020-03

<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"> ADVISORY BULLETIN AB 2020-03: GUIDANCE ON THE USE OF PROXIES FOR DETERMINING THE INCOME OF SUBSEQUENT PURCHASERS OF OWNER-OCCUPIED UNITS SOLD BY AHP-ASSISTED HOUSEHOLDS DURING THE AHP RETENTION PERIOD </td></tr></tbody></table> PurposeThis Advisory Bulletin (AB) contains guidance, pursuant to the Affordable Housing Program (AHP) regulation, on the Federal Home Loan Banks’ (FHLBanks) or their designees’ use of proxies for determining whether the subsequent purchaser of an owner-occupied unit sold, transferred, or assigned by an AHP-assisted household during the AHP five-year retention period is low- or moderate-income (LMI). Specifically, the guidance provides for the use of a proxy based on the U.S. Department of Housing and Urban Development’s (HUD) HOME Investment Partnerships Program (HOME) and Housing Trust Fund (HTF) homeownership value limits for existing housing. The AB also discusses the option for FHLBanks to adopt an alternative proxy or proxies that are reliable indicators that the subsequent purchaser is LMI. In addition, the AB provides guidance on documentation requirements as well as content of a FHLBank’s AHP Implementation Plan. BackgroundThe Federal Housing Finance Agency’s (FHFA) AHP regulation provides that, for each household that receives AHP subsidy for purchase, for purchase in conjunction with rehabilitation, or for construction of an owner-occupied unit, the unit must be subject to a retention agreement. <a href="#footnote1">[1]</a> The retention agreement must provide that, if the AHP-assisted household sells, transfers, or assigns (hereafter referred to as "sells," for ease of reading) the unit within five years of closing on the unit, the FHLBank is to be repaid a pro rata portion of the AHP subsidy from any net proceeds realized by the household minus the household’s investment, subject to certain exceptions. <a href="#footnote2">[2]</a> One such exception is when the AHP-assisted household sells the unit to a LMI household, i.e., a household with income at or below 80 percent of the area median income (AMI). <a href="#footnote3">[3]</a> This exception predates the 2018 AHP final rule. <a href="#footnote4">[4]</a> Because subsequent purchasers of units sold by AHP-assisted households are under no obligation to provide income documentation to the FHLBanks or their designees for purposes of determining the AHP-assisted household’s AHP subsidy repayment obligation, it has been difficult for FHLBanks and their designees to determine subsequent purchasers’ actual incomes and, therefore, whether this subsidy repayment exception applies. Accordingly, FHFA requested comments in the 2018 AHP proposed rule preamble on potential geographically-based and person-based proxy approaches for determining subsequent purchaser income. After reviewing the comments received on the proposed rule, FHFA determined in the 2018 AHP final rule that the use of proxies for determining subsequent purchaser income would facilitate the FHLBanks’ implementation of the LMI subsequent purchaser exception.<a href="#footnote5"> [5]</a> Accordingly, the final rule revised the regulation to provide for the use of proxies pursuant to guidance to be issued by FHFA for determining a subsequent purchaser’s income. Specifically, the final rule provides that for any sale by an AHP-assisted household of an owner-occupied unit after a date established by FHFA in the guidance, a FHLBank or its designee must determine the subsequent purchaser’s income using one or more proxies that are reliable indicators of the subsequent purchaser’s income, which may be selected by the FHLBank pursuant to the guidance, unless documentation demonstrating the subsequent purchaser’s actual income is available.<a href="#footnote6"> [6]</a> This AB contains the guidance referenced in the final rule on the use of proxies for this purpose. Guidance The Proxy: HUD HOME and HTF Homeownership Value Limits for Existing Housing FHFA has determined that the sale of an owner-occupied unit by an AHP-assisted household at a price that is at or below the applicable HUD HOME and HTF homeownership value limit for existing housing (hereinafter "value limit") is a reliable indicator that the subsequent purchaser of the unit is LMI.<a href="#footnote7"> [7]</a> In reaching this conclusion, FHFA analyzed Home Mortgage Disclosure Act (HMDA) data which indicates that, in 2018, approximately 58 percent of national HMDA-reported home sales at or below the applicable value limit were to LMI purchasers. Significantly, in the ten states in which the greatest number of AHP owner-occupied subsidies under the FHLBanks’ competitive application programs and homeownership set-aside programs were awarded in 2018, over 65 percent of such sales were to LMI purchasers. FHFA also analyzed the 2018 HMDA income data to determine the percentage of homebuyers who purchased a home above the applicable value limit that were LMI. FHFA found that only 14.6 percent of 2018 HMDA homebuyers who purchased a home above the applicable value limit were LMI, making it relatively unlikely that applying the HOME and HTF price limits as a proxy would be under-inclusive of low-and-moderate income subsequent purchasers. Because proxies are approximations, no proxy can definitively determine the income of a subsequent purchaser. FHFA acknowledges this limitation of proxies generally, and the possibility that any proxy based on house sales price might fail to fully account for gentrification of areas in which the home is located, as noted by some commenters on the proposed rule. In rapidly gentrifying areas, a comparatively higher percentage of non-LMI purchasers may purchase homes at or below the value limit than in areas experiencing lower rates of gentrification. However, as noted above, the data generally suggest that house sales price at or below the applicable value limit reliably indicates that the subsequent purchaser is LMI. This proxy indicates subsequent purchaser LMI status even more reliably when the review analyzes the ten states with the highest number of AHP owner-occupied subsidies historically. In addition, although FHFA’s priority in selecting a proxy is identifying one that reliably indicates subsequent purchaser income, FHFA has selected one that, as applied to AHP-assisted households, weighs in favor of allowing households to retain AHP subsidy and thereby enjoy the full benefits of homeownership. FHFA analyzed data available under the FHLBanks’ homeownership set-aside programs to determine the likelihood that any particular AHP-assisted household would be required to repay AHP subsidy under the value limits proxy. In 2018, only 7.7 percent of AHP-assisted households who received set-aside grants in connection with purchase purchased their homes at a price greater than the applicable value limit, which suggests that the large majority of home sales by AHP-assisted households will qualify for the LMI subsequent purchaser exception under this proxy. <a href="#footnote8">[8]</a> Implementing the ProxyThe FHLBanks or their designees may use the value limits, posted on the HUD Exchange, as a proxy for determining whether the exception to the AHP subsidy repayment requirement for sales to subsequent LMI purchasers applies. HUD calculates and posts the value limits annually on the HUD Exchange website. FHFA will also post the value limits on its website and notify the FHLBanks when new annual value limits are available. However, if a FHLBank or its designee has documentation demonstrating the subsequent purchaser’s actual income, the FHLBank may not apply the value limits proxy or any other proxy to determine subsequent purchaser income. If neither the FHLBank nor its designee has such documentation, and the FHLBank elects to apply the value limits proxy, the FHLBank or its designee must use the value limits in effect at the time the AHP-assisted household sells its unit during the AHP five-year retention period. The FHLBank or its designee will determine the applicable value limit based on the specific county where the unit is located and the size of the unit (i.e., 1-unit, 2-unit, 3-unit, or 4-unit). The FHLBank or its designee will then compare the price at which the AHP-assisted household sold the unit to that value limit. If the sales price is less than or equal to the value limit, the subsequent purchaser is regarded as LMI under the value limits proxy. If the sales price is more than the applicable value limit, the subsequent purchaser is not regarded as LMI under the value limits proxy. The FHLBank or its designee must document its determinations under the value limits proxy.Alternative Bank ProxiesIn lieu of or in addition to the value limits proxy, a FHLBank may, in its discretion, adopt an alternative proxy or proxies that are reliable indicators that the subsequent purchaser of an owner-occupied unit sold by an AHP-assisted household is LMI. The FHLBank should retain documentation and data that provide a sufficient basis for the adoption of the alternative proxy or proxies, including an explanation of how the proxy or proxies reliably indicate(s) that the subsequent purchaser is LMI. In addition, as with application of the value limits proxy, the FHLBank should document its determinations under an alternative proxy for each subsequent purchaser’s income. AHP Implementation PlansThe FHLBanks must ensure that their AHP Implementation Plans include the specific proxy or proxies they have chosen to adopt pursuant to this AB. <a href="#footnote9">[9]</a> If a FHLBank adopts more than one proxy, its AHP Implementation Plan must include the policies determining which proxy or set of proxies will be applied in any particular circumstance. If these policies provide for the application of more than one proxy per sale, they must specify how conflicting determinations of subsequent purchaser LMI income will be resolved. <a href="#footnote10">[10]</a> Effective DateThis AB is effective for any sale of an owner-occupied unit by an AHP-assisted household that occurs on or after January 1, 2021 and is during the unit’s AHP five-year retention period. However, FHFA strongly encourages the FHLBanks to implement this AB before that date as practicable.  <hr width="25%" align="left" /> <a name="footnote1"> [1]</a> 12 CFR 1291.23(d)(1); 1291.42(e); 1291.15(a)(7); see also Questions and Answers on the November 28, 2018 Final Rule--Part I (July 2019), available at fhfa.gov. <a name="footnote2"> [2]</a> 12 CFR 1291.15(a)(7)(v); 1291.1 (par. (1) of the definition of "retention period"). <a name="footnote3"> [3]</a> 12 CFR 1291.15(a)(7)(ii)(B); 1291.1 (definition of "low- or moderate-income household").  <a name="footnote4">[4]</a> 12 CFR 1291.9(a)(7)(ii)(B) (Jan. 1, 2018 edition). <a name="footnote5"> [5]</a> 83 Fed. Reg. 61186, 61204 (Nov. 28, 2018). <a name="footnote6">[6]</a> 12 CFR 1291.15(a)(7)(ii)(B). <a name="footnote7"> [7]</a> For more information on these value limits, how they are derived, and their function in the applicable HUD programs, see the HOME and HTF program pages on the HUD Exchange website at www.hudexchange.info. <a name="footnote8"> [8]</a> FHFA does not collect the prices at which competitive application program subsidy recipients purchase or sell their homes. FHFA also does not collect the prices at which homeownership set-aside program subsidy recipients purchase their homes, unless the subsidy is used in connection with purchase (e.g., down payment assistance). In 2018, 68 percent of all AHP owner-occupied subsidies were awarded through set-aside programs, and 92 percent of set-aside subsidies were used in connection with purchase. <a name="footnote9"> [9]</a> 12 CFR 1291.15(a)(7)(ii)(B). <a name="footnote10"> [10]</a> 12 CFR 1291.13(b)(6).            <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">FHFA has statutory responsibility to ensure that the regulated entities carry out their missions consistently with the provisions and purposes of FHFA's statute and the regulated entities' authorizing statutes. Advisory Bulletins describe supervisory expectations in particular areas and are used in FHFA examinations of the regulated entities. For comments or questions pertaining to this Advisory Bulletin, contact Ted Wartell at <a href="mailto:Ted.Wartell@fhfa.gov">Ted.Wartell@fhfa.gov</a> or by phone at 1-202-649-3157; or Tiffani Moore at <a href="mailto:Tiffani.Moore@fhfa.gov">Tiffani.Moore@fhfa.gov</a> or by phone at 1-202-649-3304. </td></tr></tbody></table>

7/20/2020 8:58:52 PM

Home / Supervision & Regulation / Advisory Bulletins / Guidance on the Use of Proxies Advisory Bulletin AB 2020-03: GUIDANCE ON THE USE OF PROXIES FOR DETERMINING THE INCOME

5902

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Board Diversity

27914

FHL Banks

7/9/2020 4:00:00 AM

AB 2020-02

<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"> ADVISORY BULLETIN AB 2020-02: Board Diversity</td></tr></tbody></table> PurposeThis Advisory Bulletin (AB) applies to the Federal Home Loan Banks (Banks) and the Banks’ Office of Finance (OF) (collectively, the System). The AB provides guidance on the diversity and inclusion (D&I) program oversight responsibilities of the System’s boards of directors (Board). The AB addresses D&I programs required of the System and for which the Boards should exercise appropriate oversight. To meet oversight obligations, the Board should become familiar with the legal concepts related to D&I, its administration by the System, the role of the Federal Housing Finance Agency (FHFA or Agency) related to statutory and regulatory authorities and expectations related to D&I. BackgroundCongress adopted provisions regarding D&I for regulated entities and FHFA as section 1116 of the Housing and Economic Recovery Act of 2008. 12 U.S.C. § 4520. The statute required the regulated entities to create an office or designate an office to carry out the section focused on diversity in management, employment, and business activities in accordance with standards and requirements as the Director of FHFA would establish. In December 2010, FHFA adopted a final rule implementing the law, at 12 CFR Part 1223, for its respective regulated entities. The regulation included a requirement to encourage the consideration of diversity in nominating or soliciting nominees for positions on the Board of Directors of each regulated entity. 12 CFR 1223.21(b)(7). Formal D&I supervision of the regulated entities began after the FHFA Office of Minority and Women Inclusion (OMWI) performed baseline reviews of their D&I programs in 2015 and 2016 <a href="#footnote1">[1]</a>.In 2015, the Agency amended the regulation to require each Bank and the OF to report annually on demographic information related to their Boards. 12 CFR 1223.23(b)(10)(i). Subsequently, the Agency developed and implemented a D&I Examination Module that became effective on January 1, 2017 <a href="#footnote2">[2]</a>. In July 2017, FHFA finalized regulation amendments requiring the regulated entities, among other things, to adopt strategic plans to promote and ensure the inclusion of minorities, women, and individuals with disabilities in their workforce at all levels of the organization, as well as minority-, women-, and disabled-owned businesses in their contracting activities and financial activities. 12 CFR 1223.21(d). Consistent with FHFA’s corporate governance regulation, 12 CFR 1239.4(a), the Board has ultimate responsibility for its regulated entity’s achievement of the requirements of the regulation.  Guidance Board Oversight Each Board of Directors is responsible for oversight of the entity’s respective D&I programs in their entirety, which includes setting the strategic goals and ensuring the appropriate management “tone at the top.” Each Board should oversee the entity’s D&I program through review of its efforts as evidenced in reports provided by management, including the Chief Executive Officer and OMWI Officer. Such reports should include information and data on D&I strategic goals; resource adequacy (human, technological, and financial); and integration of contractual parties with the entity’s businesses and activities. To address management activities regarding D&I, directors must have ongoing familiarity with D&I requirements and pay due attention to the entity’s D&I efforts and accomplishments. The Board should seek to assure itself that the entity’s D&I program is conducted in line with statutory and regulatory requirements to promote diversity and ensure inclusion. The Board should expect ongoing reporting regarding the entity’s initiatives as well as D&I accomplishments, progress, or challenges for the entity in areas identified by statute and regulation. Board Directors — Effective Oversight In order to facilitate effective oversight of the D&I program, the Board should be provided sufficient information on an ongoing basis on D&I obligations and progress to oversee effectively the entity’s D&I programs. The Board should assure that the reporting by management and the OMWI Officer is in line with law and regulation. If necessary, the Board should seek such external assistance, as it may require, to review, understand, and provide input on the entity’s D&I program. The Board should consider, as well, efforts to enhance diversity among its membership in line with law and regulation.With respect to Board skills assessments, FHFA notes the following areas of D&I law, regulation, and programs that should be familiar to directors and be part of routine reporting by the management of each entity in the System: <ol><li>Diversity. Ability to assess whether the management of each entity in the System seeks to promote D&I based on its experience working with minorities, women, and individuals with disabilities and in seeking the skill sets from a diverse group for employment and contracting. </li><li>Equal Opportunity Principles. An understanding of fundamental equal employment opportunity and D&I principles.</li><li>Managing Diversity Programs and Initiatives. The Board should be able to assess whether each entity’s management and OMWI Officer have the requisite ability to develop initiatives and to deploy programs that support inclusion of diverse populations in employment and contracting. Such assessment should be founded on reports with usable standards and metrics. </li><li>Change Management. The Board should be able to assess management and the OMWI Officer leading organizational development and corporate communication and facilitate outreach and new projects with various stakeholders internal or external to the regulated entity. </li><li>Strategic Leadership. The Board should adopt and communicate D&I objectives. </li></ol> Enhancing Board OversightEach Bank and the OF may conduct an annual assessment of skills and experience possessed by the members of its Board as a whole and may determine whether the capabilities of the Board would be enhanced through the addition of individuals with particular skills and experience. Board D&I experience and knowledge should be included in any such Board assessments. The Board or its corporate governance committee should oversee the implementation of recommendations arising from Board self-assessments. As part of its oversight duties, the corporate governance committee also may identify skills and expertise gaps among the members of the Board and may recommend that the Bank or OF indicate that it seeks persons with those skills as nominees for directorship positions. In addition, the Board should implement training for existing Board members to develop or enhance their ability to meet their obligations to oversee the entity’s D&I obligations. Board DiversityA Board's efforts to develop, maintain, and sustain a diverse Board should be a combination of seeking diverse representation on, and providing support to, the Board to meet its D&I oversight responsibilities.  This requires the Board to articulate its role in performing D&I oversight.  At the same time, promoting diversity of the Board itself should be encouraged by the Board through communication of the Bank or OF's obligations under law and regulation and the value of fostering opportunities for diverse candidates for Board service to assist in this oversight responsibility. Boards may seek to increase director diversity by requiring the Bank or OF to communicate to members its goals of identifying potential diverse candidates.  Boards may engage search firms for identifying potential independent director nominees, as appropriate, and taking such other steps as may promote diversity.    <hr width="25%" align="left" /> <a name="footnote1">[1]</a> On December 19, 2012, FHFA issued Advisory Bulletin (AB) 2012-03, which implemented the Agency’s decision to include D&I as a criterion in rating the Management component of CAMELSO.  AB 2012-03 provides:<blockquote dir="ltr">MANAGEMENT – When rating a regulated entity's management, examiners determine the capability and willingness of the board of directors and management, in their respective roles, to identify, measure, monitor, and control the risks of the regulated entity's activities and to ensure that the regulated entity's safe, sound and efficient operations are in compliance with applicable laws and regulations. When making this determination, examiners assess:</blockquote><ul><li>the regulated entity's compliance with laws and regulations, including Prudential Management and Operational Standards (PMOS), Office of Minority and Women Inclusion (OMWI) and relevant provisions of the Dodd-Frank Act[.]</li></ul> See: <a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/FHFA_AB_2012-03.pdf">https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/FHFA_AB_2012-03.pdf</a>.  CAMELSO stands for Capital, Asset Quality, Management, Earnings, Liquidity, Sensitivity to Market Risk, and Operational Risk.  <a name="footnote2">[2]</a> The manual is available at: <a href="/SupervisionRegulation/ExaminerResources/Documents/062717-OMWI-Exam-Module.pdf">https://www.fhfa.gov/SupervisionRegulation/ExaminerResources/Documents/062717-OMWI-Exam-Module.pdf</a>         <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"> FHFA has statutory responsibility to ensure that the regulated entities carry out their missions consistently with the provisions and purposes of FHFA's statute and the regulated entities' authorizing statutes.  Advisory Bulletins describe supervisory expectations in particular areas and are used in FHFA examinations of the regulated entities.  For comments or questions pertaining to this Advisory Bulletin, contact Sharron Levine at <a> </a><a href="mailto:Sharron.Levine@fhfa.gov">Sharron.Levine@fhfa.gov</a> or James Jordan at <a> </a><a href="mailto:James.Jordan@fhfa.gov">James.Jordan@fhfa.gov</a>.  </td></tr></tbody></table>

7/9/2020 1:54:55 PM

Home / Supervision & Regulation / Advisory Bulletins / Board Diversity Advisory Bulletin This Advisory Bulletin (AB) applies to the Federal Home Loan Banks (Banks) and the

5000

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Acquired Member Assets Risk Management

30323

FHL Banks

1/31/2020 5:00:00 AM

AB 2020-01

<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"> ADVISORY BULLETIN AB 2020-01: ACQUIRED MEMBER ASSETS RISK MANAGEMENT</td></tr></tbody></table> PurposeThis Advisory Bulletin (AB) provides Federal Housing Finance Agency (FHFA) guidance regarding a Federal Home Loan Bank's (Bank) risk management of Acquired Member Assets (AMA), including FHFA's expectations that Bank boards of directors establish certain limits.  The Banks should be able to demonstrate their progress toward adherence to this guidance by September 30, 2020 and should have final limits in place by December 31, 2020.  BackgroundThe mission of the Banks is to provide to their members and housing associates financial products and services that assist and enhance such members' and housing associates' financing of housing and community lending.<a href="#footnote1">[1]</a>  Similar to taking an advance, when a member sells eligible mortgage loans to a Bank, the Bank serves as a funding source for the member's housing finance lending.      FHFA regulations and guidance related to AMA embody the principles that the Banks must acquire AMA safely and soundly and in a manner that is consistent with the Banks' mission.  Sound governance of AMA programs is critical to safety and soundness and should include the establishment of limits to control the risks inherent in owning mortgage loans.  AMA programs should at the same time fulfill the affordable housing mission requirements articulated in the Bank housing goals.  The guidance in this Advisory Bulletin highlights FHFA's supervisory expectations with respect to sound risk management practices and how they relate to AMA. Regulatory EnvironmentThe following provides a summary of some of the regulation and guidance for governance and AMA.<ul style="list-style-type:disc;"><li> Responsibilities of Boards of Directors, Corporate Practices, and Corporate Governance Regulation.  This regulation provides that the management of each regulated entity shall be by or under the direction of its board directors.  It states, “the ultimate responsibility of each entity's board of directors for that entity's oversight is non-delegable."<a href="#footnote2">[2]</a>  Included in the responsibilities of each Bank's board of directors is the establishment of a risk management program that aligns with the Bank's risk appetite and that each of the Bank's business lines has appropriate risk limitations.<a href="#footnote3">[3]</a></li></ul><ul style="list-style-type:disc;"><li> Prudential Management and Operating Standards (PMOS) Regulation.  FHFA addresses limits on investments and management of assets in its PMOS regulation, the appendix to which establishes eleven standards as guidelines, including Standard 6 (Management of Asset and Investment Portfolio Growth), Standard 7 (Investments and Acquisitions of Assets), and Standard 9 (Management of Credit and Counterparty Risk).<a href="#footnote4">[4]</a>   The failure to meet any of the PMOS may constitute an unsafe or unsound practice for purposes of FHFA's administrative enforcement authority.<a href="#footnote5">[5]</a>  If FHFA determines that a Bank has failed to meet a standard, it also may require the Bank to submit a corrective plan.<a href="#footnote6">[6]</a> </li><li> AMA Regulation.  FHFA's AMA regulation prescribes the parameters within which the Banks may purchase mortgage loans from members and housing associates (known as participating financial institutions or PFIs).  The core of the AMA rule is a three-part test, the first and second parts of which focus on asset eligibility and member nexus, respectively.  The third part focuses on the transactions through which a Bank acquires AMA – specifically, credit risk-sharing.<a href="#footnote7">[7]</a>    </li><li> Core Mission Achievement Advisory Bulletin.  FHFA's Core Mission Achievement Advisory Bulletin describes AMA, along with advances, as “Primary Mission Assets," which are fundamental to the business of a Bank and most directly contribute to its mission.<a href="#footnote8">[8]</a>  It states, “[b]ecause a portfolio of residential mortgage loans presents risks not present with advances, FHFA expects that each Bank's board of directors will establish a prudential limit on its maximum holding of AMA, which should be governed by the Bank's ability to manage the risks inherent in holding mortgages."  FHFA included similar language in the preamble to the final AMA rule<a href="#footnote9">[9]</a> and in the AMA Price Risk Governance Advisory Bulletin.<a href="#footnote10">[10]</a>  </li></ul><ul style="list-style-type:disc;"><li> AMA Price Risk Governance Advisory Bulletin.  FHFA's AMA Price Risk Governance Advisory Bulletin describes the practices a Bank should employ, through management and controls, to mitigate its exposure to AMA price risk.  AMA price risk, for purposes of the Advisory Bulletin, is the risk that the price the Bank pays for an AMA mortgage loan is too high relative to intrinsic value based on prevailing and forecasted market conditions at the time of acquisition.<a href="#footnote11">[11]</a> </li><li> Bank Housing Goals Regulation.  FHFA's Housing Goals regulation establishes housing goals for AMA purchases of loans to low-income borrowers, very low-income borrowers, and borrowers in low-income areas.<a href="#footnote12">[12]</a>  </li></ul> Guidance Board-established Limits.  Each Bank's board of directors should establish limits on its AMA portfolios within the context of its risk appetite<a href="#footnote13">[13]</a> and the unique characteristics of its membership and district.  At the same time, the board should ensure that the Bank serves as a liquidity source for members – particularly smaller members who may not have the same capacity or access to sell loans in the secondary market that larger members may have.  For purposes of this Advisory Bulletin, the term “smaller members" includes all Bank members whose total assets are below the community financial institution (CFI) asset cap as defined in section 1263.1 of FHFA's regulations, and includes credit unions, insurance companies, and non-depository community development financial institutions.  Management Thresholds.  To support the board-established risk limits, management of each Bank should establish thresholds that would serve as monitoring tools to manage AMA-related risk exposure.  Management thresholds typically should be set at levels sufficiently below the risk limits established by the board, so that management would have adequate time to address any relevant developments that might otherwise result in a breach of a board-established limit.  If a Bank's AMA holdings were to breach a management threshold, it should have a formal process in place to assess and manage the resulting AMA-related risks.  The process may require management to conduct a targeted analysis or additional ongoing monitoring, which would also provide the board information useful in fulfilling its governance responsibilities.  Examples of actions management might take to avoid breaching management thresholds, or to avoid exceeding board-established limits if a management threshold is breached, might include:<ul style="list-style-type:disc;"><li>Imposing loan acquisition restrictions by loan type, e.g., high-balance loans or third-party loans,</li><li> Limiting loan purchases from a particular member that accounts for a disproportionate amount of total acquisitions, or</li><li>Participating or selling interests in some of its AMA mortgage loans to other Banks.</li></ul> Establishing Board LimitsFHFA expects each Bank's board of directors to approve a strong risk management program, to evaluate AMA-related risks, based on management's proposals, and to establish limits to control those risks.  To accomplish these objectives, each Bank should have staff with a strong understanding of, and insight into, the secondary mortgage market and the risks that affect the acquisition, funding, and servicing of mortgages.  The staff should have a skill set that allows them to evaluate AMA risk beyond the determination of credit enhancement obligations.  Ultimately, the staff should have the necessary expertise to monitor portfolio and market issues before they adversely affect either the mission focus or the safe and sound operation of the Bank.  FHFA expects that a prudent approach to managing risks associated with a Bank's AMA holdings would include the types of limits described in the paragraphs below.  Boards may adopt other limits to control other AMA-related risks, as identified by Bank staff as being appropriate to the magnitude of the Bank's AMA portfolio. AMA Portfolio LimitsGiven the risks associated with AMA, which include price, interest rate, operational, credit, model, and liquidity risks, each Bank's board should consider how it can safely and soundly manage its portfolio.  In considering portfolio limits, a Bank should consider, for example, the cost for safely and soundly managing how market risk may evolve in response to fluctuations in the size of the mortgage portfolio,<a href="#footnote14">[14]</a> and the risk of adverse effects on the Bank's profitability resulting from external factors that may occur in both the short and long term.  Those risks may be magnified by concentrations of loan coupons or vintages.  A board also should consider any risks associated with acquiring a large portion of its AMA mortgages from a single PFI.  When a board is setting portfolio limits, FHFA expects a Bank to consider the needs of its smaller members, who may rely on the Bank as a liquidity source to a greater degree than its larger members, who may have alternative access to the secondary mortgage market. The Bank should ensure that its portfolio limits do not result in the Bank's acquisition of mortgages from smaller members being “crowded out" by the acquisition of mortgages from larger members.   <ul style="list-style-type:disc;"><li> Size of Portfolio. Each Bank's board of directors should establish a limit on its maximum holdings of AMA that is consistent with its risk appetite and the long-term safety and soundness of the Bank.  When establishing the limit on the size of its AMA portfolio, the board may develop its own metrics that it deems most appropriate for its business plans and the needs of its members, such as a percentage of assets or consolidated obligations, or as a multiple of capital.  FHFA will assess the portfolio limit and the metrics used to set it as part of its regular supervisory process.  If a board has considered multiple approaches to setting its portfolio limit and can demonstrate that it has used the most conservative of those approaches in establishing the binding board limit, FHFA generally would consider that to be consistent with the safe and sound operation of the Bank.  FHFA also expects that the board of directors would monitor the appropriateness of its chosen metrics in light of changing conditions in the mortgage markets, capital markets, the Bank's financial condition, and the needs of its members, and consider any appropriate revisions to the metrics used to set the existing portfolio limits.  </li></ul><ul style="list-style-type:disc;"><li> Growth.  Each Bank's board of directors should establish a limit on the amount of AMA the Bank could acquire during a defined period of time in order to mitigate risks associated with rapid growth.  Reasonable metrics for managing rapid growth could include limits based on gross dollar amount acquired and net growth in AMA holdings in dollars or as percent of balances outstanding.  </li><li> Single PFI Acquisition.  Each Bank's board of directors should establish annual limits on the dollar amount of AMA that the Bank may acquire from a PFI.  PFI limits should be appropriate to the particular PFI, should be consistent with the Bank's overall AMA portfolio limit, should avoid undue concentrations of the overall AMA portfolio from particular PFIs, and should provide reasonable assurance that the Bank's smaller members will be able to continue to sell AMA to the Bank during the year, regardless of the amount of AMA purchased from the Bank's larger members.      </li></ul> Loan Concentration Limits  FHFA expects each Bank's board of directors to consider the risks associated with an aggregation of loans that have common characteristics, i.e., concentration risk.  Pools of loans that have common characteristics are sensitive to the same economic developments or downturns.  This sensitivity can cause a pool of loans to perform as if it were a single, large exposure, which potentially exposes the Bank to disproportionately greater credit losses that could negatively affect a Bank's capital.  Concentration risk may be further exacerbated for pools composed of loans that have multiple common characteristics, i.e., risk layering.  Each Bank should identify characteristics that, when aggregated in a pool or in the Bank's portfolio, could increase the Bank's risk exposure.  Loan characteristic concentrations each board should consider include:  <ul style="list-style-type:disc;"><li> Geographic area concentration, which is determined by evaluating the amount or percentage of acquired loans secured by properties within a geographic location.  The geographic areas of AMA loans held by a Bank could be evaluated by, for example, state, county, or metropolitan statistical area.<a href="#footnote15">[15]</a> FHFA expects Banks to have specific limits on AMA concentrations in particular housing markets, both in- and out-of-district.  The limits could be relative to a PFI's sales to a Bank, relative to total acquisitions in a given period, or relative to outstanding dollar balances.  </li><li> High-balance loan concentration, which is determined by evaluating the amount or percentage of acquired loans that are high-balance loans. “High-balance loans" are conforming loans secured by residential properties located in “high-cost areas" with loan amounts exceeding the baseline conforming loan limits.  Such loans may perform differently than loans at the baseline limits.<a href="#footnote16">[16]</a>  </li></ul> Third-party Loan Origination LimitsThe AMA regulation authorizes the Banks to purchase mortgage loans from a member only if the member (or an affiliate) had originated the loan or had acquired it from a third party for a “valid business purpose."<a href="#footnote17">[17]</a>  The Federal Housing Finance Board issued a regulatory interpretation that lists some factors that would be sufficient to demonstrate that a loan acquired from a third-party originator meets the valid business purpose requirement.<a href="#footnote18">[18]</a>  The interpretation also makes clear that a member must have meaningful influence or control over the mortgage assets it acquires or over the process by which it acquires them in order to demonstrate that the member has acquired them for a valid business purpose.  The factors indicating the existence of a valid business purpose include:  (1) whether purchasing loans from third-party originators represents a core business of the member; (2) how long the member has been involved in purchasing such loans; (3) whether the member is familiar with the third-party originators and experienced with the type, quality, and volume of the assets being purchased from the originators; (4) whether the member has a clear opportunity to identify and address the potential for fraud on an operational level; (5) whether the member itself approves and contracts with the originators; and (6) whether the member itself sets the terms of its contractual relationship with the third party originators, including asset standards and pricing.  As a legal matter, Banks acquiring mortgage loans that have been originated by nonmember third parties must be able to demonstrate that the member has acquired those loans for a “valid business purpose," as required by the AMA regulations.  The Banks should have processes in place that actively ensure that the member selling the loans to the Bank is exercising meaningful influence over or control of the assets it is selling, as described above.  A perfunctory assessment of whether a member in fact exercises such influence or control would not demonstrate that a member has acquired mortgage loans from a third-party originator “for a valid business purpose," which could cause the mortgage loans not to qualify as AMA.     Generally, loans originated by third parties are acquired by a Bank from members that have banking services networks that involve nonmembers.  Such loans can potentially carry greater risk than loans originated by a member.  FHFA expects a Bank's board of directors to establish limits on the amount of loans it acquires that are originated by third parties.  Those limits could be based on any reasonable metrics, such as a portion of the Bank's total AMA acquisitions or a portion of its acquisitions from a single member.  FHFA expects Banks to consider the risks associated with the acquisition of third-party originated loans that are secured by properties located outside of the Bank's district.  In consideration of smaller members who may not have the same ability to sell loans in the secondary market that larger members may have, third-party loan origination limits need not apply to smaller members that do not have their own mortgage origination operations.  Nonetheless, such members must still meet the valid business purposes requirements established in the AMA rule and Regulatory Interpretation 2000-RI-25.  Pricing LimitsFHFA expects each Bank's board of directors to consider the price risk associated with AMA.  The higher the price a Bank pays for an AMA mortgage loan, the lower its expected earnings will be, all else equal.  If the expected yield on a risk-adjusted basis is too low, a Bank may not earn enough to cover operating costs.  As stated in the AMA Price Risk Governance AB, a Bank “should set mortgage acquisition prices to ensure the resulting expected spread to funding covers its costs and provides adequate compensation for the risk assumed, e.g., option, interest rate, credit, and model risk.  The [Bank's] management committee should provide oversight, which includes approving and periodically reevaluating the minimum expected spread to funding target that guides AMA pricing."  Each Bank's board of directors should establish a limit on the price at which the Bank will acquire AMA loans.  Mortgages acquired with a relatively high premium to par increase the Bank's exposure to prepayment risk.  The write down of a mortgage premium reduces returns to the Bank and may result in losses.  Each board of directors should establish a price limit on an individual loan basis and a portfolio amortized cost basis as observed at a point in time.  For the latter, a Bank's board should establish a limit on the volume of loans it acquires at a board-determined premium level.  The board should also establish a limit on the percentage of the Bank's total outstanding portfolio that was acquired at the board-determined premium level. FHFA Monitoring of AMA Risk Management FHFA will consider each Bank's AMA risk management as part of its regular supervisory process, including the limits established by the Bank's board of directors.  As part of its off-site monitoring of Bank safety and soundness, FHFA may request periodically that each Bank submit to FHFA its board-approved AMA risk limits or thresholds.  Supervisory LetterA Bank or the Banks may receive a supervisory letter, as warranted, should FHFA determine adopted board limits are insufficient.  Furthermore, examiners will issue findings during the examination process if a Bank does not have sufficiently safe and sound AMA limits approved by the board of directors.  Related Guidance Federal Housing Finance Board Regulatory Interpretation 2000-RI-25, Acquired Member Assets Held for a Valid Business Purpose (Nov. 17, 2000). <a name="footnote1">[1]</a> 12 CFR § 1265.2 <a name="footnote2">[2]</a> 12 CFR § 1239.4(a). <a name="footnote3">[3]</a> 12 CFR §§ 1239.4(c)(1) and 1239.11(a).  <a name="footnote4"> [4]</a> 12 CFR Part 1236, Appendix. <a name="footnote5">[5]</a> 12 CFR § 1236.3(d).  FHFA has the authority to address unsafe or unsound practices through issuance of an order to cease-and-desist, through assessment of civil money penalties, or removal from office.  12 U.S.C. §§ 4631(a)(1), 4636(b)(2)(A), 4636a(a)(2)(A).   <a name="footnote6"> [6]</a> 12 CFR § 1236.4. <a name="footnote7">[7]</a> 12 CFR §§ 1268.3 (asset test), 1268.4 (member nexus), and 1268.5 (credit risk sharing). <a name="footnote8">[8]</a> See FHLBank Core Mission Achievement AB 2015-05, July 14, 2015. <a name="footnote9">[9]</a> 81 FR 91682 (Dec. 19, 2016). <a name="footnote10">[10]</a> See AMA Price Risk Governance AB 2017-03, Nov. 21, 2017. <a name="footnote11">[11]</a> See Acquired Member Asset Price Risk Governance" AB 2017-03, Nov. 21, 2017. <a name="footnote12">[12]</a> 12 CFR Part 1281. <a name="footnote13">[13]</a> The Responsibilities of Boards of Directors, Corporate Practices, and Corporate Governance regulation defines “risk appetite" as, “the aggregate level and types of risk the board of directors and management are willing to assume to achieve the regulated entity's strategic objectives and business plan, consistent with applicable capital, liquidity, and other regulatory requirements."  12 CFR § 1239.2.  <a name="footnote14"> [14]</a> A mortgage portfolio's prepayment optionality can result in unanticipated funding mismatches that can have a deleterious effect on a Bank's net income, market value of equity, market value of equity to book value of equity ratio, market value of equity to par value of capital ratio, and dividend payment capacity.    <a name="footnote15"> [15]</a> In general, in-district state level concentrations are acceptable given Banks must serve their district.  However, FHFA expects the Bank to monitor and analyze housing-market level concentrations both within and outside its district.    <a name="footnote16"> [16]</a> See <a href="/DataTools/Downloads/Pages/Conforming-Loan-Limit.aspx">https://www.fhfa.gov/DataTools/Downloads/Pages/Conforming-Loan-Limits.aspx</a>  <a name="footnote17">[17]</a> 12 CFR § 1268.4(a)(1)(ii). <a name="footnote18">[18]</a> See Regulatory Interpretation 2000-RI-25, Acquired Member Assets Held for a Valid Business Purpose (Nov. 17, 2000).         <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance.  Questions about this advisory bulletin should be directed to:  <a href="mailto:SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>. </td></tr></tbody></table>

1/31/2020 9:48:42 PM

Home / Supervision & Regulation / Advisory Bulletins / Acquired Member Assets Risk Management Advisory Bulletin AB 2020-01: ACQUIRED MEMBER ASSETS RISK MANAGEMENT

7687

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Compliance Risk Management

27499

Fannie Mae & Freddie Mac

10/3/2019 4:00:00 AM

AB 2019-05

<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">ADVISORY BULLETINAB 2019-05: Compliance Risk Management</td></tr></tbody></table> Purpose This advisory bulletin (AB) communicates to Fannie Mae and Freddie Mac (the Enterprises) the Federal Housing Finance Agency’s (FHFA) supervisory expectations for a compliance risk management program (compliance program) <a href="#footnote1"> [1]</a>  to maintain the safety and soundness of the Enterprises’ operations.  The sophistication of the compliance program should be proportionate to each Enterprise’s size, complexity, and risk profile.  The compliance program should be designed to promote compliance with applicable laws, regulations, rules, prescribed practices, internal policies and procedures, and ethical and conflict-of-interest standards (compliance obligations).  BackgroundCompliance risk is the risk of legal or regulatory sanctions, damage to the current or projected financial condition, damage to business resilience, or damage to reputation resulting from nonconformance with compliance obligations.<a href="#footnote2">[2]</a>  In addition, an Enterprise may be exposed to compliance, reputational, or other risks as a result of a third-party provider's failure to comply with the Enterprise's expectations and operating standards and to meet all relevant legal and contractual requirements.  An effective compliance program supports safe and sound operations through policies and procedures designed to enable oversight of compliance risk management by the board of directors, or appropriate board-level committee (board). Effective management of compliance risk requires the Enterprises to address numerous complex compliance obligations and the Enterprises' high volume of transactions.  The guiding principles of sound risk management are set forth in FHFA's regulation at 12 CFR Part 1239, Responsibilities of Boards of Directors, Corporate Practices and Corporate Governance (Corporate Governance Rule), and in the Appendix to 12 CFR Part 1236, Prudential Management and Operations Standards (PMOS).  FHFA's general standards for safe and sound operations are set forth in the PMOS.  Three relevant PMOS articulate guidelines for an Enterprise's board of directors and senior management to evaluate when establishing internal controls and information systems (Standard 1), overall risk management processes (Standard 8), and maintenance of adequate records (Standard 10).  While the guiding principles of sound risk management in the Corporate Governance Rule and the PMOS are the same for compliance risk as for other types of risk, the management of compliance risk presents certain unique challenges.  For example, compliance risk appetite and metrics may be difficult to establish and measure and compliance obligations must be addressed on an Enterprise-wide basis.<a href="#footnote3">[3]</a>  In addition, while compliance risks associated with third-party providers may be difficult to monitor based on information gathered in the normal course of business, the Enterprises should anticipate and manage exposures associated with third-party provider relationships across the Enterprises' full range of operations.<a href="#footnote4">[4]</a> GuidanceFHFA expects each Enterprise to have a comprehensive, risk-based compliance program aligned with its enterprise-wide risk management program<a href="#footnote5">[5]</a> and in accordance with all relevant FHFA guidance.  An Enterprise's compliance program should include policies and procedures designed to manage compliance risk across its entire organization, both within and across business lines and the three lines of defense.  The compliance program should include the following components:<ol><li>Compliance Governance</li><li>Compliance Policies and Procedures</li><li>Compliance Staffing and Compensation</li><li>Compliance Monitoring, Testing, and Remediation</li><li>Compliance Communication and Training   </li></ol>1)      Compliance GovernanceThe board should have an appropriate understanding of the types of compliance risks to which the Enterprise is exposed.<a href="#footnote6">[6]</a>  The board is responsible for exercising reasonable oversight to ensure that the compliance program is designed, implemented, reviewed, and revised in an effective manner.<a href="#footnote7">[7]</a>  The compliance program must be headed by a compliance officer<a href="#footnote8">[8]</a> with the appropriate qualifications, experience, authority, accountability, and independence.<a href="#footnote9">[9]</a>  It should also be aligned with the enterprise-wide risk management program and board-approved risk appetites, including limits restricting exposures to third-party providers.<a href="#footnote10">[10]</a>  The board and senior management<a href="#footnote11">[11]</a> should ensure that the compliance officer and the compliance program have adequate resources, including well-trained and capable staff.<a href="#footnote12">[12]</a>  The board and senior management must discharge their duties and responsibilities in accordance with the Enterprise's code of conduct and ethics, and conduct themselves in a manner that promotes high ethical standards and a culture of compliance throughout the organization.<a href="#footnote13">[13]</a>  Promoting a culture of compliance includes documenting and communicating clear expectations about compliance both within the Enterprise and to third-party providers including sellers and servicers.  The following activities are also part of an effective compliance culture: clearly communicating the Enterprise's compliance, integrity, and business ethics standards and expectations; articulating the principle that employees and management conduct all activities in accordance with both the letter and the spirit of compliance obligations; and creating an environment where employees are encouraged to raise legal, compliance, and ethics questions and concerns without fear of retaliation.The compliance officer must report directly to the chief executive officer<a href="#footnote14">[14]</a> and should have sufficient resources and qualified staff to implement the compliance program.  The compliance officer must also report regularly to the board.<a href="#footnote15">[15]</a>  At a minimum, these reports must address the adequacy of the Enterprise's compliance policies and procedures, including the entity's compliance with them.  The compliance officer must recommend any revisions to such policies and procedures that he or she considers necessary or appropriate.<a href="#footnote16">[16]</a> First-line business functions own and manage compliance risks and implement corrective actions to address process and control deficiencies.  The second line performs various risk control and compliance oversight functions.  The scope and breadth of the activities of the compliance program should be subject to periodic review by the internal audit function.<a href="#footnote17">[17]</a>  The internal audit function's assessment of the effectiveness of the compliance program should be separate from the compliance function's monitoring and testing activities to ensure that the activities of the compliance function are subject to independent review.<a href="#footnote18">[18]</a>2)      Compliance Policies and ProceduresThe processes and systems for managing compliance risk across the Enterprise should be documented in policies and procedures.  The policies and procedures should also address compliance training throughout the organization.  Compliance policies should clearly articulate the roles and responsibilities of the various committees, functions, and staff with compliance responsibilities as well as the oversight role and responsibilities of the compliance officer and the board.  These policies should describe the responsibilities of the compliance officer for managing and directing the implementation of the compliance program and the compliance officer's role in controlling compliance risks that transcend business lines.  The policies should also address the scope of internal reporting of compliance matters to the board and senior management and the adequacy of the Enterprise's compliance policies and procedures, including the Enterprise's compliance with them.<a href="#footnote19">[19]</a> The Enterprises should have policies and procedures in place to create an inventory of compliance obligations, identify new and revised compliance obligations, evaluate the impact to the business units, map obligations to internal controls, communicate changes with impacted parties and business units, promote independent reviews and escalation as necessary, and address compliance obligations in a practical and efficient way.  Each Enterprise's compliance program should include compliance risk and control assessment policies and procedures designed to evaluate compliance risks associated with the Enterprise's business activities, including the development of new products and business practices.  The compliance program's compliance risk assessment policies and procedures should include methods of measuring compliance risk (e.g. by using performance indicators) and use such measurements to enhance compliance risk assessments.Each Enterprise should have policies and procedures to file with FHFA any reports that may be required.<a href="#footnote20">[20]</a>   These external reporting compliance policies and procedures should address conditions imposed in writing or written agreements between FHFA and the Enterprise.<a href="#footnote21">[21]</a>  The Enterprises should have first-line policies and procedures that are designed to implement enterprise-wide compliance policies and to integrate or “operationalize" compliance obligations into day-to-day business processes, job duties, and responsibilities.  First-line compliance policies and procedures should also promote independent reviews, identification of compliance issues, and escalation and tracking of identified issues.  Procedures should describe the second-line compliance function's role in determining how business line compliance matters are addressed.  Procedures for resolving disputes between the corporate compliance function and business line management regarding compliance matters should ensure that such disputes are resolved objectively.  Under such procedures, the final decision-making authority should rest either with the corporate compliance function, or with a committee of senior management, including the compliance officer, that has no business line responsibilities.3)      Compliance Staffing and CompensationThe compliance officer should have appropriate qualifications, experience, authority, accountability, and independence.  The compliance officer should have the necessary resources to implement the compliance function effectively.  The compliance officer's compensation should include incentives tied to actions and outcomes within his or her control and influence and not include incentives that could impair or appear to impair the compliance program's independence.  The compensation should also comply with 12 CFR Part 1230<a href="#footnote22">[22]</a> as well as conform to the Enterprise's policies on compensation and performance management.The Enterprise should have a sufficient number of staff assigned to the compliance function with requisite knowledge of business activities and compliance obligations to assess compliance risk and the effectiveness of risk controls.  The compliance function may be centrally organized with dedicated staff or structured as a hybrid with first-line staff having both business and compliance responsibilities.  In a hybrid approach, responsibilities for compliance activities may be delegated within the Enterprise, but oversight and ultimate responsibility for fostering an enterprise-wide compliance approach are borne centrally by the corporate compliance function.  If a hybrid structure is used, compliance staff in the first line should have the ability and willingness to effectively challenge business operations regarding risk arising from the Enterprise's activities.  The Enterprise should implement appropriate controls and enhanced second-line oversight to identify and address issues that may arise from conflicts of interest affecting compliance staff within the business lines.  For example, in these circumstances, the Enterprise should adopt enhanced processes for the second-line compliance function's oversight of monitoring and testing activities performed by compliance staff within the business lines.  In a hybrid structure, the second-line compliance function should also play a role in personnel actions and compensation decisions affecting first-line staff with compliance responsibilities.  Compensation and incentive programs should avoid undermining the independence and objectivity of first-line compliance activity.  4)      Compliance Monitoring, Testing, and RemediationCompliance monitoring, testing, and remediation efforts should be risk-based, reflect the results of compliance risk assessments, and evaluate the adequacy and effectiveness of compliance activities across the organization.  Testing and monitoring activities should provide information to compliance staff and senior executives about the operation of compliance controls across the organization, provide evidence to support an assessment of the operating effectiveness of the compliance program, and identify actual and potential instances of noncompliance.  Monitoring activities should identify control weaknesses that may fail to prevent or fail to identify noncompliance and should be designed to identify potential issues before a problem develops into noncompliance.  These activities may include pre-activity approvals, transaction reviews, in-process quality checks, and outcome data reviews.  The Enterprises' compliance programs should also include monitoring of third-party provider relationships to assess compliance with consumer protection-related laws and regulations and oversight of third-party providers' consumer compliance-related policies, procedures, internal controls, and training.<a href="#footnote23">[23]</a>  Testing should assess the reliability of key assumptions, data sources, and procedures used in measuring and monitoring compliance risk.  Controls should be tested on a periodic basis to ensure they are working as intended.  If compliance controls are embedded in automated tools or business unit procedures, qualified compliance staff should review these tools and processes for consistency with entity-wide compliance policies and procedures.  The results of monitoring and testing activities should drive timely remediation of identified weaknesses.  Corrective actions should be tracked and escalated as appropriate.  Monitoring and testing protocols should include procedures for remedying undue delay in management response or ineffectual remediation efforts.5)      Compliance Communication and Training The Enterprises should have lines of communication for employees to seek guidance and report concerns about compliance obligations.  All Enterprise staff should receive specific, comprehensive compliance training appropriate to each individual's job responsibilities.  Training should reinforce the Enterprise's written compliance risk management policies and procedures.  When compliance policies are adopted or changed, the Enterprise should assess what, if any, training is appropriate.  The Enterprise should determine whether the training should be conducted on an entity-wide or business unit level, who should be trained, and when the training should occur. Related Guidance and Regulations12 CFR Part 1230, Executive Compensation.12 CFR Part 1236, Appendix, Prudential Management and Operations Standards.12 CFR Part 1239, Responsibilities of Boards of Directors, Corporate Practices, and Corporate Governance. <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Oversight-of-Third-Party-Provider-Relationships.aspx">Oversight of Third-Party Provider Relationships</a>, Federal Housing Finance Agency Advisory Bulletin 2018-08, September 28, 2018. <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Oversight-of-Multifamily-SellerServicer-Relationships.aspx">Oversight of Multifamily Seller/Servicer Relationships</a>, Federal Housing Finance Agency Advisory Bulletin 2018-05, August 14, 2018. <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Internal-Audit-Governance-and-Function.aspx">Internal Audit Governance and Function</a>, Federal Housing Finance Agency Advisory Bulletin 2016–05, October 7, 2016. <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Fraud-Risk-Management.aspx">Fraud Risk Management</a>, Federal Housing Finance Agency Advisory Bulletin 2015-07, September 29, 2015. <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Oversight-of-Single-Family-SellerServicer-Relationships.aspx">Oversight of Single-Family Seller/Servicer Relationships</a>, Federal Housing Finance Agency Advisory Bulletin 2014-07, December 1, 2014. <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/AB-2014-02-OPERATIONAL-RISK-MANAGEMENT.aspx">Operational Risk Management</a>, Federal Housing Finance Agency Advisory Bulletin 2014-02, February 18, 2014. <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/AB-2013-01-CONTINGENCY-PLANNING-FOR-HIGH-RISK-OR-HIGH-VOLUME-COUNTERPARTIES.aspx">Contingency Planning for High-Risk or High-Volume Counterparties</a>, Federal Housing Finance Agency Advisory Bulletin 2013-01, April 1, 2013.        <hr width="25%" align="left" /> <a name="footnote1">[1]</a>  12 CFR 1239.12. <a name="footnote2"> [2]</a>  The regulation requires that the compliance program manage compliance with “applicable laws, rules, regulations, and internal controls," 12 CFR 1239.12. <a name="footnote3">[3]</a>  12 CFR 1239.11(b), 1239.11(b)(2)(i), and 1239.11(c)(2). <a name="footnote4">[4]</a>  See Oversight of Third-Party Provider Relationships, AB 2018-08.  See also PMOS, Standard 9: Principles 4, 5, and 10. <a name="footnote5">[5]</a>  12 CFR 1239.11(a). <a name="footnote6">[6]</a>  See generally PMOS, Responsibilities of the Board of Directors: Principle 4. <a name="footnote7"> [7]</a>  Ibid. <a name="footnote8">[8]</a>  12 CFR 1239.12. <a name="footnote9">[9]</a>   PMOS, Standard 1: Principle 2 and Standard 8: Principles 1 and 3. <a name="footnote10"> [10]</a>  See Oversight of Third-Party Provider Relationships, AB 2018-08. <a name="footnote11"> [11]</a>  Ibid.  The term “senior management" refers to those employees who plan, direct, and formulate policies, and provide the overall direction of the Enterprise for the development and delivery of products or services, within the parameters approved by the board.  <a name="footnote12"> [12]</a>  PMOS, General Responsibilities of the Board of Directors and Senior Management: Principle 6 and Standard 8: Principle 6. <a name="footnote13"> [13]</a>  12 CFR 1239.10(a).  See also PMOS, Standard 1: Principle 3. <a name="footnote14"> [14]</a>  12 CFR 1239.12. <a name="footnote15"> [15]</a>  Ibid. <a name="footnote16">[16]</a>  Ibid. <a name="footnote17"> [17]</a>  See Internal Audit Governance and Function, AB 2016-05.  See also PMOS, Standard 1: Principle 14. <a name="footnote18"> [18]</a>  See generally PMOS, Standard 2. <a name="footnote19">[19]</a>  12 CFR 1239.12. <a name="footnote20">[20]</a>  12 CFR 1239.13. <a name="footnote21">[21]</a>  Ibid. <a name="footnote22">[22]</a>  As senior vice presidents, the Enterprises' compliance officers fit within the regulatory definition of executive officer.  See 12 CFR 1230.2. <a name="footnote23">[23]</a>  PMOS, Standard 9: Principles 4, 5, and 10.  See also Oversight of Third-Party Provider Relationships, AB 2018-08.   <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance.  Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance.  Questions about this advisory bulletin should be directed to:  <a>SupervisionPolicy@fhfa.gov</a>. </td></tr></tbody></table>

10/3/2019 8:48:03 PM

Home / Supervision & Regulation / Advisory Bulletins / Compliance Risk Management Advisory Bulletin This advisory bulletin (AB) communicates to Fannie Mae and Freddie Mac (the

10451

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Enterprise Fraud Reporting

27298

Fannie Mae & Freddie Mac

9/18/2019 4:00:00 AM

AB 2019-04

<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"> ADVISORY BULLETIN AB 2019-04:  ENTERPRISE FRAUD REPORTING</td></tr></tbody></table>   PurposeThis advisory bulletin communicates to Fannie Mae and Freddie Mac (the Enterprises) the Federal Housing Finance Agency's (FHFA) fraud reporting requirements pursuant to 12 CFR Part 1233 (FHFA Regulation).This advisory bulletin rescinds and replaces FHFA's Advisory Bulletin AB 2015-02:  Enterprise Fraud Reporting, dated March 26, 2015. BackgroundThe Housing and Economic Recovery Act of 2008 (HERA) subjects the Enterprises to fraud reporting (12 U.S.C. Section 4642) and requires an Enterprise to submit to FHFA a “timely" report upon discovery that it has purchased or sold a fraudulent loan or financial instrument, or when it suspects a possible fraud related to the purchase or sale of any loan or financial instrument.  The FHFA Regulation implements the timely reporting requirement of HERA (12 CFR Section 1233.3(a)(1)) and requires immediate notification to the Director of FHFA upon the discovery of any situation that would have a significant impact on an Enterprise (12 CFR Section 1233.3(a)(2)).  The FHFA Regulation grants the Director authority to determine procedures by which the Enterprises will submit such reports (12 CFR Section 1233.3(b)). GuidanceThe Enterprises should adhere to the guidelines in this advisory bulletin for reporting fraud or possible fraud to FHFA in compliance with the FHFA Regulation and for supervisory oversight purposes.    Immediate NotificationTo comply with the immediate notification requirement in the FHFA Regulation, an Enterprise should notify the Director's designee(s) electronically, through secure methods established by FHFA, within one calendar day from when an Enterprise becomes aware of fraud or possible fraud as defined in the FHFA Regulation that may have a significant impact on the Enterprise.  Fraud or possible fraud is considered to have a significant impact if it may create substantial financial or operational risk for the Enterprise, whether from a single event/incident or because it is systemic.  Fraud or possible fraud is also considered significant if it involves a member of the board of directors, officer, employee, or a contractor temporarily engaged to fill a position or perform a particular function at an Enterprise or other individual similarly engaged by an Enterprise.  The Enterprise should provide periodic updates to its board of directors, or a committee thereof, of all fraud or possible fraud requiring immediate notification. Timely ReportingTo comply with the timely reporting requirement in the FHFA Regulation, an Enterprise should adhere to the following two reporting requirements. Monthly Fraud Status ReportThe Enterprises should submit a monthly fraud status report to FHFA.  The monthly fraud status report shall contain requested information for each occurrence during the month in which the Enterprise has:<ol><li>Filed a suspicious activity report (SAR) with the U.S. Department of the Treasury, Financial Crimes Enforcement Network (FinCEN) or</li><li>Discovered that it has purchased or sold a fraudulent loan or financial instrument, or when it suspects a possible fraud related to the purchase or sale of any loan or financial instrument, and the Enterprise has not filed a SAR.  </li></ol>FHFA will provide a template that describes the format of the monthly fraud status report and defines the information to be included.Each Enterprise should provide the Director's designee(s) with the monthly fraud status report within thirty (30) calendar days after the end of each month, regardless of whether the Enterprise has a reportable event during the period covered by the report.  The report should be sent electronically through secure methods established by FHFA.  Quarterly Fraud Status ReportOn a quarterly basis, the Enterprises should also report to FHFA summary information concerning their fraud risk management environments.  FHFA will provide a template that describes the format of the quarterly fraud status report and defines the information to be included.Each Enterprise should provide the Director's designee(s) with the quarterly fraud status report within thirty (30) calendar days after the end of each calendar quarter.  The report should be sent electronically through secure methods established by FHFA.   Effective DateThis advisory bulletin becomes effective on January 1, 2020.  Related Guidance <a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/AB2015-07_Fraud-Risk-Management.pdf">Fraud Risk Management</a>, Federal Housing Finance Agency Advisory Bulletin 2015-07, September 29, 2015.<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance.  Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance.  Questions about this advisory bulletin should be directed to: <a href="mailto:SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>.</td></tr></tbody></table>

9/18/2019 2:00:34 PM

Home / Supervision & Regulation / Advisory Bulletins / Enterprise Fraud Reporting Advisory Bulletin This advisory bulletin communicates to Fannie Mae and Freddie Mac (the

6669

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Capital Stock Management

27088

FHL Banks

8/15/2019 4:00:00 AM

AB 2019-03

8/16/2019 7:22:36 PM

Home / Supervision & Regulation / Advisory Bulletins / Capital Stock Management Advisory Bulletin This Advisory Bulletin (AB) provides Federal Housing Finance Agency (FHFA

5589

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Implementation of Streamlined Monitoring Requirements for Affordable Housing Program Projects Funded by Certain Other Federal Government Rental Housing Programs

26200

FHL Banks

5/9/2019 4:00:00 AM

AB 2019-02

<div> DIVISION OF HOUSING MISSION AND GOALS <div> <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"> ADVISORY BULLETIN  AB 2019-02    IMPLEMENTATION OF STREAMLINED MONITORING REQUIREMENTS FOR AFFORDABLE HOUSING PROGRAM PROJECTS FUNDED BY CERTAIN OTHER FEDERAL GOVERNMENT RENTAL HOUSING PROGRAMS May 9, 2019 </td></tr></tbody></table> PurposeThe Federal Housing Finance Agency's (FHFA) Affordable Housing Program (AHP) regulation authorizes streamlined monitoring for AHP-subsidized projects that are also funded by certain other government housing programs and identified by FHFA in separate guidance.  This Advisory Bulletin (AB) identifies those programs. BackgroundFHFA published a final rule in the Federal Register on November 28, 2018 amending the AHP regulation, one component of which permits the Federal Home Loan Banks (Banks) to implement streamlined monitoring for AHP projects funded by certain other government housing programs that FHFA specifies in separate guidance.  Specifically, the amended regulation requires that at initial monitoring of AHP projects funded by such other programs, the Banks review rent rolls (in the case of rental projects) and project sponsor certifications, and any other documentation to verify that the projects meet the requirements in 12 C.F.R. § 1291.50(a)(2), but not any other back-up documentation on household incomes or rents. <a href="#1">[1]</a>  For long-term monitoring of AHP rental projects funded by such other programs, the regulation requires that the Banks review annual project sponsor certifications on household incomes and rents and information on the ongoing financial viability of the projects, but not any other back-up documentation on incomes and rents, including rent rolls. <a href="#2">[2]</a>  GuidanceAs discussed in the proposed <a href="#3">[3]</a> and final <a href="#4">[4]</a> AHP rules, FHFA has analyzed the monitoring standards and practices of several federal government housing programs to identify programs with substantially equivalent rent, income, and retention requirements to the AHP, as well as very low noncompliance rates.  FHFA's analysis also focused on each monitoring entity's demonstrated ability to monitor the program effectively.  FHFA found that the following four housing programs meet the criteria identified above: <ul><li>HUD Section 202 Program for the Elderly; </li><li>HUD Section 811 Program for Housing the Disabled;</li><li>USDA Section 515 Rural Multifamily Program; and</li><li>USDA Section 514 Farmworker Multifamily Program. </li></ul> Accordingly, the Banks may implement the streamlined monitoring described above for AHP projects funded by any of these four programs.  Although the final AHP rule became effective on December 28, 2018, the compliance date for implementing the streamlined monitoring practices is January 1, 2021.  However, Banks may implement the streamlined monitoring before this compliance date.  Banks that opt to do so should provide notice to FHFA pursuant to the email of December 26, 2018, to the Banks from the Deputy Director of the Division of Bank Regulation at <a href="mailto:DeputyDirector-FHLBanks@FHFA.gov">DeputyDirector-FHLBanks@fhfa.gov</a>.  Banks must also ensure that their AHP Implementation Plans set forth their requirements for monitoring. <a href="#5">[5]</a>  Should a Bank identify potential noncompliance with AHP household income or rent requirements in a project that is subject to streamlined monitoring, it should evaluate whether an expansion of its review to include the back-up documentation, including rent rolls, is warranted to verify compliance with AHP requirements. ____________________________________ <a name="1">[1]</a> See 12 C.F.R. § 1291.50(a)(2), (a)(3). <a name="2">[2]</a> See 12 C.F.R. § 1291.50(c)(1)(i), (ii). <a name="3">[3]</a> Affordable Housing Program Amendments, 83 Fed. Reg. 11344, 11365-11366 (Mar. 14, 2018). <a name="4">[4]</a> Affordable Housing Program Amendments, 83 Fed. Reg. 61186, 61126-61127 (Nov. 28, 2018). <a name="5">[5]</a> See 12 C.F.R. § 1291.13(b)(11). FHFA will continue to assess the monitoring standards and practices of other government housing programs and may make modifications to this guidance in a subsequent AB as appropriate. <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">FHFA has statutory responsibility to ensure that the regulated entities carry out their missions consistently with the provisions and purposes of FHFA's statute and the regulated entities' authorizing statutes.  Advisory Bulletins describe supervisory expectations in particular areas and are used in FHFA examinations of the regulated entities.  For comments or questions pertaining to this AB, contact Ted Wartell at <a href="mailto:Ted.Wartell@fhfa.gov">Ted.Wartell@fhfa.gov</a> or by phone at 1-202-649-3157; or Marcea Barringer at <a href="mailto:Marcea.Barringer@fhfa.govl">Marcea.Barringer@fhfa.gov</a> or by phone at 1-202-649-3275.  </td></tr></tbody></table> </div></div>

5/10/2019 7:33:45 PM

Home / Supervision & Regulation / Advisory Bulletins / Implementation of Streamlined Monitoring Requirements for Affordable Housing Program Projects Funded by Certain Other

5057

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Business Resiliency Management

26708

All

5/7/2019 4:00:00 AM

AB 2019-01

<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">  ADVISORY BULLETIN  AB 2019-01:  BUSINESS RESILIENCY MANAGEMENT</td></tr></tbody></table> PurposeThis advisory bulletin (AB) provides Federal Housing Finance Agency (FHFA) guidance on business resiliency management at Fannie Mae, Freddie Mac, the Federal Home Loan Banks (FHLBanks), and the Office of Finance (OF) (collectively, the regulated entities).<a href="#1">[1]</a>  This AB rescinds and replaces Federal Housing Finance Board Advisory Bulletin 02-3 Disaster Recovery Planning, February 13, 2002.  For purposes of this AB, business resiliency management refers to the regulated entity's ability to minimize the impact of disruptions and maintain business operations at predefined levels.  Disruptions can expose the regulated entities to operational, financial, legal, compliance, and reputational risks.  An effective business resiliency management program (program) helps to ensure safe and sound operations at each regulated entity.  BackgroundUncontrolled events, such as natural disasters, pandemics, and cyberattacks, can threaten the regulated entities' ability to perform mission critical operations, such as providing liquidity and access to credit in the mortgage market.  Disruptions in service can expose the regulated entities to a variety of risks and potentially lead to adverse economic consequences in the financial sector.  A program establishes documented strategic processes and procedures that a regulated entity should follow to mitigate and respond to risks in order to continue its business operations. The core components of a program include the business continuity plan (BCP), disaster recovery plan (DRP) and crisis management plan (CMP) (collectively, plans).  The BCP is the written set of procedures a regulated entity follows to recover, resume, and maintain business functions and their underlying processes at acceptable predefined levels following a disruption.  The BCP accounts for disruptions affecting personnel, equipment, facilities, data, third-party providers, and the technical assets associated with business functions and processes.  The DRP is the documented process to recover and resume the regulated entity's IT infrastructure, business applications, and data services in the event of a major disruption.  The CMP provides documented, coordinated responses to enterprise-wide disruptions, including overseeing the activation of the DRP and BCPs.  FHFA's general standards for safe and sound operations are set forth in the Prudential Management and Operations Standards (PMOS) at 12 CFR Part 1236 Appendix.  Three relevant PMOS articulate guidelines for a regulated entity's board of directors and senior management to evaluate when establishing internal controls and information systems (Standard 1), overall risk management processes (Standard 8, especially Standard 8.11), and maintenance of adequate records (Standard 10).  A business resiliency program that is aligned with this AB will meet FHFA's supervisory expectations on the points that the AB addresses, with respect to those standards.  A business resiliency program that is not aligned with this AB may not meet those standards and may not be safe and sound.<a href="#2">[2]</a> GuidanceFHFA expects the regulated entities to establish and maintain a program that includes the following:<ol style="list-style-type:upper-roman;"><li>Governance</li><li>Business Resiliency Cycle</li><ol style="list-style-type:upper-alpha;"><li>Risk Assessment and Business Impact Analysis</li><li>Risk Mitigation and Plan Development</li><li>Testing and Analysis</li><li>Risk Monitoring and Program Sustainability</li></ol></ol>Each regulated entity should establish its program in alignment with its enterprise-wide risk management program,<a href="#3">[3]</a> and in accordance with all relevant FHFA guidance.  The regulated entity should develop strategies, policies, procedures, and internal standards that apply to the program.  The program should guide the regulated entity to respond appropriately to disruptions affecting business operations, personnel, equipment, facilities, IT systems, and information assets.  In order to remain current and effective, the program should adopt a cyclical, process-oriented approach that incorporates the following steps: (1) risk assessment and business impact analysis, (2) risk mitigation and plan development, (3) testing and analysis, and (4) risk monitoring and program sustainability.   I.          GoveranceThe board of directors or a committee thereof (board) is responsible for maintaining a strong business resiliency culture and overseeing the program.  The board provides oversight of senior management's implementation of the program and maintenance of plans that reflect the regulated entity's current operating environment and risk appetite.  The board should review and approve the enterprise-wide business resiliency strategic objectives of the program on an annual basis.   As delegated by the board, senior management<a href="#4">[4]</a> is responsible for executing the program.  Senior management ensures that:<ul style="list-style-type:disc;"><li>Each step of the program is carried out by assigned personnel with clear roles and responsibilities;</li><li>There are designated resources and qualified personnel from across the regulated entity's business units and operations to develop and implement plans;  </li><li>Employees are adequately trained and participate in testing exercises, as necessary, to demonstrate understanding of their role when plans are activated in the event of a disruption; </li><li>There is sufficient communication and coordination to properly execute plans and maintain enterprise-wide business resiliency;  </li><li>Effective reporting and metric requirements are in place, such as reviewing internal audit reports and providing reports to the board;  </li><li>The review and approval of plans involving critical business functions are conducted on an annual basis or when there are material changes in the operating environment that affect critical business functions; and</li><li>The board is informed of significant issues involving the strategies, plans, or testing of critical business functions. </li></ul> II.          Business Resiliency Cycle              A.  Risk Assessment and Business Impact AnalysisDeveloping an effective plan begins with a risk assessment that determines the potential threats to a regulated entity's business operations.  A risk assessment considers the full spectrum of scenarios that could affect operations, ranging from low impact, high probability occurrences (such as power or telecommunication disruptions) to low probability, high impact occurrences (such as pandemics or natural disasters).  As part of the risk assessment process, the regulated entity should take into account disruptions involving information services, equipment, personnel, facilities, and services by third-party providers.  The regulated entities should also consider their proximity to infrastructure in conjunction with their susceptibility to threats.  The business impact analysis (BIA) assesses and prioritizes those business functions and processes, including their associated technical assets, that must be recovered after a disruption.  The BIA should identify the potential impact of uncontrolled events on the regulated entity's ability to execute its business functions and processes.  The regulated entity should also consider the impact of disruptions on its ability to perform its role in the financial marketplace, satisfy legal and regulatory requirements, follow safe and sound practices, maintain public confidence, and achieve its strategic goals.  Conducting a thorough and accurate BIA is the basis for developing effective plans and a comprehensive program for the regulated entity.  As part of the BIA, the regulated entities should identify business functions and processes, evaluate and compare business function requirements, and identify interdependencies between critical systems, departments, personnel, and services that may be compromised during a disruption.  The BIA should be risk-focused, taking into consideration the priority of certain business functions and processes.  The BIA should be conducted at least annually.  Recovery point objectives (RPOs) and recovery time objectives (RTOs) are calculated results informed by the BIA.  An RPO defines the maximum level of data loss (in terms of time) that can be afforded during a failure.  An RTO estimates the maximum allowable downtime for business processes and associated technical assets that should be recovered after a disruption.  The regulated entity should additionally consider how RTOs and RPOs affect data recovery and reconciliation, especially when business and IT interdependencies are involved.  RTOs inform the regulated entity on how it should categorize and group business processes and technical assets from the most critical functions to the least critical.              B.  Risk Mitigation and Plan Development                  Risk MitigationThe regulated entity should use the results from the risk assessment and BIA to determine appropriate recovery solutions that mitigate the risk of a disruption to a level that is acceptable for its business functions and processes.  The recovery solutions may include data synchronization, redundant vendor support, alternative power sources, high-availability technologies for critical business functions, fire detection and suppression systems, and additional reserves of critical equipment and supplies.  The regulated entity should also consider the appropriate insurance coverage for its business, taking into consideration the BIA findings and its risk profile.Some business functions have high availability requirements where even minimal downtime presents risk.  The regulated entities should have an alternate, geographically distinct data center as an enterprise-wide disaster recovery solution that maintains availability within pre-determined RTOs and RPOs.  Alternatively, the regulated entity can rely on its cloud service provider.<a href="#5">[5]</a>  A geographically distinct data center should be at an appropriate distance from the regulated entity's primary operations and should not be subject to the same inherent risks as the primary site during a disaster.  Pursuant to the DRP, the alternate site would be activated to recover, by priority, the technical assets of the primary location.  The facility should be capable of operating at the regulated entity's normal volume and be available for use until the regulated entity achieves full recovery from the disaster.  For any FHLBank, partnering with another FHLBank is a useful strategy for short-term resumption of certain business processes, but by itself should not be considered an adequate disaster recovery solution.  If a third-party provider is used to mitigate business resiliency risk, the regulated entity should evaluate, according to the risk assessment or BIA, whether its business resiliency objectives are met within its third-party provider risk management framework.<a href="#6">[6]</a>  Commensurate with the risk involved, the regulated entity should consider the strength of a third-party provider's business resiliency program. The regulated entities should also consider risk mitigation strategies in addition to those addressing RPOs and RTOs.  For instance, a senior management-approved response plan to handle media inquiries can reduce the risk of reputational harm after a disruptive event.  FHFA also encourages the regulated entities to contact federal, state, and local authorities as needed to determine specific risks or exposures for their geographic location and requirements for accessing emergency zones.  The regulated entities should consider taking advantage of government-sponsored emergency programs and coordinating with agencies, emergency personnel, and service providers during the recovery and resumption of operations.                  Plan DevelopmentThe regulated entity should document how to implement the risk mitigation strategies and recovery solutions in its plans.  Plans should include short-term and long-term recovery operations with steps to transition back to normal business based on the criticality of the business functions and processes affected.  Plans should also account for internal and external dependencies in the event that third-party providers,<a href="#7">[7]</a> personnel, or certain equipment are unavailable or inefficient.  Plans should avoid single points of failure as the strength of a plan can be diminished by weak components.  If the regulated entity outsources the development of its plans, it is responsible for choosing a service provider that has the requisite expertise appropriate for the entity's size, complexity, and risk environment.   The regulated entity's plans should include the following:<ul style="list-style-type:disc;"><li>The assumptions used to develop each plan, understanding that certain assumptions may not be met when a plan is activated;</li><li>Criteria to trigger activation of the plan and escalate incidents, if appropriate;</li><li>Assigned roles and responsibilities for personnel to activate and execute the plans;</li><li>Contingency plans for technical assets, where appropriate;</li><li>Incident response measures to protect the availability, confidentiality, and integrity of information;</li><li>Current contact information for employees, customers, service providers, municipal authorities, and emergency response personnel that is readily accessible at off-site locations; </li><li>Internal and external communication protocols, including notifying FHFA, the board, and customers, and call trees and employee notification procedures;</li><li>Relocation strategies to other facilities and remote access policies and standards if personnel are working from a remote location in the event of a disaster; and</li><li>References to emergency response measures to prevent loss of life and minimize injury and property damage.</li></ul>The regulated entity should prioritize the recovery of its business functions and processes according to the RTOs and RPOs as stated in each plan.  Each business function, process, and associated technical asset should map to a BCP.  Technical assets should also be accounted for in the DRP as they relate to the prioritized recovery and protection of the regulated entity's IT infrastructure, business applications, and data.  The regulated entity should determine the enterprise-wide risk thresholds that trigger activating the CMP and the corresponding steps to respond to such incidents at an enterprise level.  The regulated entity should consider the operational, legal, compliance, financial, and reputational risks involved when determining the thresholds to trigger the CMP.  The CMP should include the coordinated responses to implement the DRP and BCPs, handle media inquiries, and oversee emergency response measures.              C.  Testing and AnalysisTesting demonstrates how well each plan achieves the business resiliency objectives defined by the regulated entity.  Each regulated entity should develop a testing program that includes policies, standards, and procedures that address test planning, execution, reporting of test results, and test revisions, as necessary.    Senior management should designate personnel to oversee the testing of plans and allocate adequate time and resources for test exercises.  Senior management is also responsible for ensuring that employees are aware of their roles (i.e., administrator or participant) in executing tests regularly.  Test plans should periodically rotate employee roles, as appropriate, to reduce reliance on specific individuals who may not be available during a disruptive event.  Testing of plans involving critical business functions should be completed at least annually, and when material changes occur to the business operating environment.  The frequency of testing should be consistent with the criticality of the business function, but should not jeopardize normal business operations.Prior to each test, management should validate the testing methods to identify potential problems.  Test plans or exercises should be evaluated to assess whether test objectives are feasible and whether assumptions used in developing the test strategy are reasonable.  Testing of plans should align with the risk assessments and the BIAs to validate pre-determined RPOs and RTOs.  Additionally, priority-based testing should:<ul style="list-style-type:disc;"><li>Incorporate a variety of threats, event types, and crisis management scenarios that range from isolated system failures to full-scale disruptions;</li><li>Evaluate identified internal and external interdependencies, including the testing of primary and alternate facilities with key third-party providers; </li><li>Progressively increase in scope and complexity, functions, physical locations, and participants; testing should ultimately process at least a full day's work at the regulated entity's normal levels;</li><li>Include a full-scale DRP test to confirm the entity's ability to conduct and sustain normal business in an alternate data center and the ability to return to pre-defined levels of operations in the primary data center; and</li><li>Over time, adapt to changes in the regulated entity's business activities and risk profile.  </li></ul>Internal audit or a qualified independent third party should review the testing program and conduct an independent assessment of selected tests, including the underlying assumptions and methodology.  Management should have oversight of key tests that are observed, verified, and evaluated by the independent party in order to validate the testing process and accuracy of test results.  Test results, deviations from test plans, problems identified during testing, and any specified remediation steps should be properly documented. Test results should be periodically analyzed to determine if problems identified during testing can be traced to a common source, remediated, and resolved through revisions to the testing program.  Problems encountered during testing should be corrected and retested in a timely manner.  Test participants or test owners can also provide suggestions to the test scenarios, plans or scripts to improve the test program.  Once tests are completed and assessed, the test program should be updated to address any gaps identified during tests and retested, as necessary, for robustness and effective remediation within a reasonable timeframe.               D.  Risk Monitoring and Program SustainabilityThe regulated entity should also implement risk monitoring to track how changes to the business operating environment, including personnel, technologies, equipment, or third-party providers, may affect business resiliency strategies and plans.   Regular reports of test results and risk monitoring inform senior management of the effectiveness of the regulated entity's program.  Senior management should use this information to determine if gaps exist between the risk assessment or BIA and the existing plans in place.  Based on this gap analysis, RPOs and RTOs may need to be reassessed and risk mitigation strategies may need to be evaluated for particular plans.  Management or plan administrators should revise plans based on test results or when material changes occur to the current business operating environment—including changes to personnel and internal and external dependencies, such as reliance on other business units or outsourced activities.  Relevant business line managers and stakeholders should also be informed of test results so they can address material business resiliency problems identified during testing.  The test and/or audit reports of third-party providers, lessons learned from an actual event, and any emerging risks identified should also be used in a gap analysis for each step of the program.  Updates to plans should be completed in a timely manner and revised plans should be communicated and made available to appropriate managers and employees. <blockquote dir="ltr" style="margin-right:0px;"> Related Guidance</blockquote><blockquote dir="ltr" style="margin-right:0px;"><blockquote dir="ltr" style="text-align:left;margin-right:0px;"><blockquote style="margin-right:0px;">12 CFR Part 1236 Prudential Management and Operations Standards, Appendix. Oversight of Third-Party Provider Relationships, Federal Housing Finance Agency Advisory Bulletin 2018-08, September 28, 2018. Cloud Computing Risk Management, Federal Housing Finance Agency Advisory Bulletin 2018-04, August 14, 2018. Information Security Management, Federal Housing Finance Agency Advisory Bulletin 2017-02, September 28, 2017. Internal Audit Governance and Function, Federal Housing Finance Agency Advisory Bulletin 2016-05, October 7, 2016. Data Management and Usage, Federal Housing Finance Agency Advisory Bulletin 2016-04, September 29, 2016. Operational Risk Management, Federal Housing Finance Agency Advisory Bulletin 2014-02, February 18, 2014. Contingency Planning for High-Risk or High-Volume Counterparties, Federal Housing Finance Agency Advisory Bulletin 2013-01, April 1, 2013. Business Continuation Contingency Planning, Federal Housing Finance Board Advisory Bulletin 03-2, February 10, 2003. Disaster Recovery Planning, Federal Housing Finance Board Advisory Bulletin 02-3, February 13, 2002 (rescinded by this advisory bulletin).  </blockquote></blockquote></blockquote><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance.  Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance.  Questions about this advisory bulletin should be directed to:  <a href="mailto:SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>. </td></tr></tbody></table>   <a name="1">[1]</a> The OF is not a “regulated entity" as the term is defined by statute (see 12 U.S.C. 4502(20)).  However, for convenience, references to the “regulated entities" in this AB should be read to also apply to the OF.  <a name="2">[2]</a> 12 CFR 1236.4 <a name="3">[3]</a> 12 CFR 1239.11(a). <a name="4">[4]</a> The term “senior management" refers to those employees who plan, direct, and formulate policies, and provide the overall direction of the regulated entity for the development and delivery of products or services, within the parameters approved by the board. <a name="5">[5]</a> See Cloud Computing Risk Management, AB 2018-04. <a name="6">[6]</a> See Oversight of Third-Party Provider Relationships, AB 2018-08. <a name="7">[7]</a> Ibid.

5/7/2019 7:00:50 PM

Home / Supervision & Regulation / Advisory Bulletins / Business Resiliency Management Advisory Bulletin This advisory bulletin (AB) provides Federal Housing Finance Agency

8632

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Interest Rate Risk Management

25813

FHLB & Fannie Mae & Freddie Mac

9/28/2018 4:00:00 AM

AB 2018-09

<div class="custom-contentTypeContent"><div aria-labelledby="ctl00_PlaceHolderMain_ctl04_label" style="display:inline;"><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"> ADVISORY BULLETIN AB 2018-09: INTEREST RATE RISK MANAGEMENT</td></tr></tbody></table> Purpose</div></div>This advisory bulletin (AB) provides Federal Housing Finance Agency (FHFA) guidance for interest rate risk management at the Federal Home Loan Banks (Banks), Fannie Mae, and Freddie Mac (the Enterprises), collectively known as the regulated entities.  This guidance supersedes the Federal Housing Finance Board's advisory bulletin, Interest Rate Risk Management (AB 2004-05).  Interest rate risk management is a key component in the management of market risk.  These guidelines describe principles the regulated entities should follow to identify, measure, monitor, and control interest rate risk.  The AB is organized as follows:<blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;">I.   Governance</blockquote><blockquote style="margin:0px 0px 0px 60px;padding:0px;border:currentcolor;"> A. Responsibilities of the Board B. Responsibilities of Senior ManagementC. Risk Management Roles and ResponsibilitiesD. Policies and Procedures</blockquote><blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;"> II.   Interest Rate Risk Strategy, Limits, Mitigation, and Internal Controls</blockquote><blockquote style="margin:0px 0px 0px 60px;padding:0px;border:currentcolor;">A. LimitsB. Interest Rate Risk MitigationC. Internal Controls</blockquote><blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;">III. Risk Measurement System, Monitoring, and Reporting</blockquote><blockquote style="margin:0px 0px 0px 60px;padding:0px;border:currentcolor;">A. Interest Rate Risk Measurement SystemB. Scenario Analysis and Stress TestingC. Monitoring and Reporting</blockquote> BackgroundInterest rate risk is the risk that changes in interest rates may adversely affect financial condition and performance.  More specifically, interest rate risk is the sensitivity of cash flows, reported earnings, and economic value to changes in interest rates.  As interest rates change, expected cash flows to and from a regulated entity change.  The regulated entities may be exposed to changes in:  the level of interest rates; the slope and curvature of the yield curve; the volatilities of interest rates; and the spread relationships between assets, liabilities, and derivatives.  Interest rate risk may include repricing risk, basis risk, option risk, option-adjusted spread (OAS) risk, prepayment risk, and model risk.  Excessive interest rate risk can threaten liquidity, earnings, capital, and solvency.  The regulated entities can manage interest rate risk with respect to economic value of equity, earnings, or both.  These approaches are complementary because they provide different types of relevant information, but each has limitations.  The economic value of equity represents the underlying net market value (or net present value) of a regulated entity's assets and liabilities, including any off-balance sheet items.  A common risk management objective is to keep the market value of equity from falling below pre-specified limits over a range of interest rate scenarios.  One limitation of this approach is that market value measures do not identify when future earnings problems may occur.  When the focus is on earnings, the risk management objective is to maintain earnings within an acceptable range over specified time horizons, which are generally short-term, ranging from one year to five years.  If the objective is to ensure that net income will remain within certain parameters during the given time period over a range of interest rate scenarios, management overlooks risks that exist beyond the forecast horizon.FHFA's general standards for safe and sound operations are set forth in the Prudential Management and Operations Standards (PMOS) at 12 CFR Appendix to Part 1236, four of which are relevant to managing interest rate risk.  Standard 3 (Management of Market Risk Exposure) highlights the expectation for each regulated entity to have a clearly defined and well-documented strategy for managing market risk and establishes responsibilities for the board of directors or delegated board committee (board) and senior management.  Standard 4 (Management of Market Risk – Measurement Systems, Risk Limits, Stress Testing, and Monitoring and Reporting) includes guidelines for market risk management in these areas.  Standard 2 (Independence and Adequacy of Internal Audit Systems) and Standard 8 (Overall Risk Management Processes) include responsibilities for internal audit, the board, and senior management along with an independent risk management function. GuidanceEach regulated entity's risk management practices should enable it to identify, measure, monitor, and control its interest rate risk exposures.  An effective interest rate risk management function includes appropriate management of risk exposure, policies and procedures, risk limits, internal controls, risk measurement systems, monitoring, and reporting.  A regulated entity should periodically review industry standards with regard to interest rate risk management.<h2><blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;"> I.       Governance</blockquote></h2>The board and senior management should ensure that the regulated entity has in place appropriate policies, procedures, and internal controls for managing and controlling the regulated entity's exposure to interest rate risk.  The board should oversee the adequacy of senior management's actions.  Senior management should also ensure the regulated entity's risk measurement, monitoring, and reporting systems are reliable and effective.  <blockquote style="margin:0px 0px 0px 60px;padding:0px;border:currentcolor;"> A.     Responsibilities of the Board </blockquote>The board should oversee the adequacy of actions taken by senior management to identify, measure, manage, control, and report on interest rate risk exposures.  The board should establish the regulated entity's tolerance for interest rate risk, approve major interest rate risk limits, and provide management with clear guidance regarding the level of acceptable interest rate risk.  The board should approve major strategies and policies relating to the management of interest rate risk.  The board should ensure such major strategies and policies are consistent with the regulated entity's overall business plan. The board should review interest rate risk exposures on a periodic basis.  Reports provided to the board should include appropriate details to allow the board to remain sufficiently informed about the nature and level of the regulated entity's interest rate risk exposures in light of current market conditions, established risk limits, operating performance, and other relevant factors.  As a group, the board should have the requisite knowledge and background to assess the information provided and recommend further actions. At least annually, or more frequently if there are significant changes in market or financial conditions, the board should review the interest rate risk management framework and major policies, limits, and internal controls.  The regulated entity's risk tolerance; management's compliance with risk limits; results of stress tests; the level of the regulated entity's capital; and the effectiveness of the risk management framework, measurement systems, and reporting systems should inform the board's review of the risk limits.  The board should document any changes to board-approved interest rate risk limits in its minutes.  The board should also ensure that management takes appropriate corrective measures when interest rate risk limit breaches occur.    <blockquote style="margin:0px 0px 0px 60px;padding:0px;border:currentcolor;"> B.     Responsibilities of Senior Management</blockquote>Senior management implements board-approved strategies and policies relating to the management of interest rate risk.  Senior management should ensure interest rate risk policies and procedures are clearly written, sufficiently detailed, adhered to, periodically reviewed, and should recommend updates for board approval, as appropriate.  Senior management should ensure adequate organizational structure, systems, and resources are available to manage and control interest rate risk, and that personnel are appropriately trained and competent.Senior management should periodically review and discuss with the board information regarding the nature and level of the regulated entity's interest rate risk exposures.  Senior management should inform the board of how changing market conditions could affect interest rate risk exposure.  The discussions should be sufficient in detail and timeliness to permit the board to understand and assess the management and control of the regulated entity's interest rate risk exposures.  Senior management should report interest rate risk limit breaches to the board and identify appropriate remedial actions.  Senior management should make the board aware of the advantages and disadvantages of the regulated entity's chosen interest rate risk management strategy and alternative strategies.  <blockquote style="margin:0px 0px 0px 60px;padding:0px;border:currentcolor;"> C.     Risk Management Roles and Responsibilities</blockquote>Policies and procedures should delineate the roles and responsibilities of persons assigned to measure, manage and control interest rate risk so they operate with sufficient independence from the business units, as applicable.   Business units encounter interest rate risk on a daily basis and should follow policies and procedures when taking steps to manage and maintain interest rate risk within approved limits.  Senior management, through an asset and liability management (or similar) committee, is responsible for managing and controlling interest rate risk. The risk management function, or unit, is responsible for interest rate risk measurement, risk monitoring, and independent oversight, including the establishment and enforcement of board-approved interest rate risk limits.  It should also be responsible for ensuring that the business units have effective processes in place to identify, assess, monitor, and report on key interest rate risks. The chief risk officer must report regularly to the risk committee and to the chief executive officer.<a href="#1">[1]</a>)Internal audit should conduct periodic evaluations of internal controls around interest rate risk management.  Internal audit should conduct risk-based audits of the regulated entity's interest rate risk management and determine whether management promptly addresses findings or weaknesses regarding interest rate risk management.  Internal audit should review adherence to interest rate risk management policies and procedures. <blockquote style="margin:0px 0px 0px 60px;padding:0px;border:currentcolor;"> D.    Policies and Procedures</blockquote>A regulated entity should have interest rate risk management policies and procedures appropriate for its risk profile.  This includes being clearly written, sufficiently detailed, formally approved at the appropriate level, and, as applicable, periodically reviewed by the board and senior management.  Approved policies and procedures should include defined interest rate risk limits and assign lines of authority and responsibility for managing interest rate risk.  Procedures should exist for monitoring compliance with limits and to follow up on instances of noncompliance or breaches.    Management should ensure that policies and procedures to identify and manage inherent risks are sufficient before undertaking new products, offerings, or activities.  The regulated entity should also have policies and procedures for any management, ad hoc, or “on top" adjustments to model-generated interest rate risk metrics, and provide clear instructions on needed approvals and documentation requirements.  The documentation should explain the adjustment and the reason it is necessary as well as how long it will be required.  The regulated entity's enterprise risk management or another authorized management risk committee should be made aware of, and approve, any major management, ad hoc, or “on top" adjustments to interest rate risk metrics.<h2><blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;"> II.       Interest Rate Risk Strategy, Limits, Mitigation, and Internal Controls</blockquote></h2>A regulated entity should have a clearly defined and well-documented strategy for managing and mitigating interest rate risk, consistent with its overall business plan.  The regulated entity should identify, manage, monitor, and control interest rate risk exposures on a business unit and an enterprise-wide basis.It is incumbent on the regulated entity to understand the adopted strategy's impact on financial condition, whether the objective is to control risk to economic value of equity, earnings, some other target, or a combination thereof.  Overemphasis on one approach may not be optimal and may lead to problems over time.  For example, meaningful declines in the market value of equity to the book value of equity ratio, prospective earnings, or related indicators may signal interest rate risk management weaknesses, even if these declines occur within the context of low reported risk and compliance with approved policies and limits.<blockquote style="margin:0px 0px 0px 60px;padding:0px;border:currentcolor;"> A.     Limits</blockquote>A regulated entity should establish an interest rate risk framework that includes interest rate risk metrics, a comprehensive set of board-approved interest rate risk limits, and management threshold levels, set below board limits, to serve as warning triggers and initiate discussion regarding risk levels.  The risk limits should be consistent with the regulated entity's risk profile, profitability objectives, and liquidity and capital needs.  Limits should not be set so far above actual risk exposures that they are meaningless or have no effect on risk taking behavior.  The regulated entity should also maintain a record of all limit breaches.Different metrics used for setting interest rate risk limits may include, as applicable:  duration of equity, convexity of equity, volatility duration, market value sensitivity to yield curve parallel moves and twists, key-rate duration, maturity gap of assets and liabilities, prepayment duration, spread duration, market value of equity to par value of capital stock, market value of equity to book value of equity, retained earnings, net interest income sensitivity, and Value at Risk.  A regulated entity should understand the advantages and disadvantages of the interest rate risk limits framework it has chosen to utilize.<blockquote style="margin:0px 0px 0px 60px;padding:0px;border:currentcolor;"> B.     Interest Rate Risk Mitigation</blockquote>A regulated entity should mitigate interest rate risk to keep risks within approved levels and should be able to identify problems that occur even when risks are within approved levels.  For example, a regulated entity should be able to recognize significant accumulating losses from interest rate risk, explain the causes of losses, and manage risk exposure at some point even if the regulated entity is in compliance with approved strategy, policies, and limits.  A regulated entity can mitigate interest rate risk through a variety of strategies including: matched funding, funding with debt having embedded options, hedging using derivatives, and building retained earnings.  Matched funding allows a regulated entity to match the maturity of its assets and liabilities.  Funding with debt having embedded options could allow regulated entities to mitigate exposures of assets with explicit and implicit options such as mortgages.  Hedging using derivatives allows the regulated entity to mitigate interest rate risk by changing its cash flows and economic exposure stemming from certain changes in interest rates.  Building retained earnings allows the regulated entity to have a larger capital base to absorb the impact of an adverse interest rate change.  Having a robust net interest income stream also allows a regulated entity to absorb the effects of adverse interest rate movements. <blockquote style="margin:0px 0px 0px 60px;padding:0px;border:currentcolor;"> C.     Internal Controls </blockquote>A regulated entity should have sufficient internal controls around interest rate risk management.  The internal control process should aim to ensure effective and efficient management of interest rate risk; reliable measurement of interest rate risk; reliable reporting and communication of interest rate risk; and compliance with applicable statutes, regulations, and policies governing interest rate risk.  Additionally, internal controls should support periodic reviews and evaluations of policies and procedures as well as the accuracy and reliability of risk measurement systems.A regulated entity should monitor the adequacy and effectiveness of its internal controls and information systems on an ongoing basis through a formal self-assessment process.  Business units, enterprise risk management, and internal audit should conduct periodic evaluations of internal controls for interest rate risk management.  <h2><blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;"> III.       Risk Measurement System, Monitoring, and Reporting</blockquote></h2>The regulated entities should choose which method(s) to use to measure interest rate risk.  Methods may include: Duration Analysis, Earnings Simulation Analysis, Earnings at Risk, Capital at Risk, Value at Risk, Economic Value of Equity, or other methods.  Generally, a regulated entity would measure interest rate risk by valuing its assets, liabilities, derivatives, and off-balance sheet exposures in different interest rate environments.  A regulated entity should understand the advantages and disadvantages of its chosen interest rate risk measurement method(s). <blockquote style="margin:0px 0px 0px 60px;padding:0px;border:currentcolor;"> A.     Interest Rate Risk Measurement System </blockquote>A regulated entity should have an interest rate risk measurement system (i.e., a model or set of models) that captures all material sources of interest rate risk, including repricing risk, yield curve risk, basis risk, prepayment risk, and option risk.  The sophistication of the risk measurement system should be commensurate with the complexity of the financial instruments held by the regulated entity.  The risk measurement system should also provide meaningful and timely measures of the regulated entity's risk exposures and use generally accepted financial concepts, valuation methodologies, and risk measurement techniques.  The risk measurement system should be capable of valuing all of the regulated entity's assets and liabilities, including off-balance sheet positions and derivatives, and estimating the effect of changes in interest rates and other key risk factors on the regulated entity's earnings and market value of equity over a range of scenarios.  A regulated entity should properly document and bring to management's attention instances where the risk measurement system cannot reliably value an instrument or requires a model workaround.  Any management, ad hoc, or “on top" adjustments to model output should be made according to approved procedures.  The measurement system should use directly or indirectly observed market prices for its estimates of market values where feasible.  A regulated entity should test new products to verify the risk measurement system can properly measure the exposure of the new product.  Periodically, enterprise risk management or another authorized management risk committee should review the interest rate risk measurement system for accuracy and reliability, including comparison to actual portfolio behaviors when feasible.  Management should ensure the integrity and timeliness of the data inputs used to measure interest rate risk exposures and that assumptions and parameters are reasonable and properly documented.  Management should also understand strengths and weaknesses of the model(s) used, including sensitivity to changes in key assumptions.  <blockquote style="margin:0px 0px 0px 60px;padding:0px;border:currentcolor;"> B.     Scenario Analysis and Stress Testing</blockquote>A regulated entity should routinely conduct scenario analysis as a part of interest rate risk management as it relates to market value measures and net income measures.  Scenarios should include increasing and decreasing parallel and nonparallel interest rate shocks of varying magnitudes as well as an instantaneous and gradual steepening and flattening of the yield curve.  The regulated entity should also consider changes in prepayment speeds for mortgage-related instruments, volatility for securities impacted by interest rate volatility, and relevant interest rate spreads for different securities.  The scenarios should identify the main exposures within a regulated entity's interest rate risk profile.  A regulated entity could perform analysis to identify which assumptions or inputs cause the largest impact. A regulated entity should perform periodic stress testing of interest rate risk management positions.  The stress scenarios should include interest rate shocks and shifts in the economic environment that are of a magnitude such that it tests the effectiveness of the interest rate risk management of the regulated entity.  These stress scenarios should vary over time.  The regulated entity should include scenarios conducted for its annual strategic business plan or annual stress testing as applicable. The regulated entity should give special consideration to financial instruments or markets where it has significant concentrations, financial instruments in which a regulated entity's position may be more difficult to unwind or hedge during periods of market stress, and complex financial instruments with embedded options that may be more difficult to evaluate in stressful scenarios.If management or the board finds the results from the scenario analysis or stress testing unacceptable, management should determine a course of action and may need to modify, rebalance, or hedge so that performance would be acceptable under the identified scenarios.  The board and senior management should periodically review the design of the stress tests to ensure that they capture conditions where the regulated entity is most vulnerable.<blockquote style="margin:0px 0px 0px 60px;padding:0px;border:currentcolor;"> C.     Monitoring and Reporting</blockquote>A regulated entity should routinely monitor and report interest rate risk exposures using scenario analysis to business unit managers, senior management, and the board at a level appropriate for each.  The interest rate risk reports should be accurate, informative, and timely.  The reports should show adherence to approved interest rate risk policies and limits and any exceptions or breaches of limits and policies. The reports should identify and explain limit breaches. The interest rate risk reports should reflect and show trends in measures used to evaluate interest rate risk management objectives.  Reports should show the market value of the regulated entity's assets, liabilities, and off-balance sheet exposures, including derivatives, under a range of scenarios.  With respect to earnings, reports should show net income over a specified time horizon under various scenarios.  Reports should also include backtesting results to compare past forecasts, or risk estimates, with actual results.   Interest rate risk reports should identify any changes to risk models and model assumptions, describe the rationale for the changes, and analyze their impact on risk measures and risk limits.  Interest rate risk reports should also note any management, ad hoc, or “on top" adjustments to interest rate risk models, the reason for the adjustment, and the start and expected end date for the use of the adjustment.  Related Guidance Model Risk Management Guidance, Federal Housing Finance Agency, Advisory Bulletin AB-2013-07, November 20, 2013. Internal Audit Governance and Function, Federal Housing Finance Agency, Advisory Bulletin AB-2016-05, October 7, 2016.Appendix to 12 CFR Part 1236 - Prudential Management and Operating Standards.  12 CFR Part 1239 – Responsibilities of Board of Directors, Corporate Practices, and Corporate Governance.  ________________________ <a name="1">[1]</a> 12 CFR 1239.11(c)(5)   <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. Questions about this advisory bulletin should be directed to: <a href="mailto:SupervisionPolicy@fhfa.gov.f">SupervisionPolicy@fhfa.gov</a>.</td></tr></tbody></table>

9/28/2018 6:35:25 PM

Home / Supervision & Regulation / Advisory Bulletins / Interest Rate Risk Management Advisory Bulletin AB 2018-09: INTEREST RATE RISK MANAGEMENT The AB is organized as follows

7625

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Oversight of Third-Party Provider Relationships

25812

All

9/28/2018 4:00:00 AM

AB 2018-08

<div class="custom-contentTypeContent"><div aria-labelledby="ctl00_PlaceHolderMain_ctl04_label" style="display:inline;"><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"> ADVISORY BULLETIN AB 2018-08:  OVERSIGHT OF THIRD-PARTY PROVIDER RELATIONSHIPS</td></tr></tbody></table> Purpose</div></div>This advisory bulletin (AB) provides Federal Housing Finance Agency (FHFA) guidance to Fannie Mae and Freddie Mac, the Federal Home Loan Banks (FHLBanks), and the Office of Finance (OF) (collectively, the regulated entities<a href="#1">[1]</a>) on assessing and managing risks associated with third-party provider relationships.  For the purposes of this AB, a third-party provider relationship is a business arrangement between a regulated entity and another entity that provides a product or a service.<a href="#2">[2]</a>  When entering into third-party provider relationships, the regulated entities can be exposed to financial, operational, legal, compliance, and reputational risk.  Effective risk management of third-party provider relationships is essential to the safe and sound operations of the regulated entities.  GuidanceFHFA expects each regulated entity to establish and maintain a third-party provider risk management program (program) that includes the following:<ol style="list-style-type:upper-roman;"><li>Governance</li><ol style="list-style-type:upper-alpha;"><li>Responsibilities of the Board and Senior Management</li><li>Policies, Procedures, and Internal Standards</li><li>Reporting</li></ol><li>Third-Party Provider Risk Management Life Cycle Phases</li></ol><ol style="list-style-type:upper-roman;"><ol style="list-style-type:upper-alpha;"><li>Risk Assessment</li><li>Due Diligence in Third-Party Provider Selection</li><li>Contract Negotiation </li><li>Ongoing Monitoring</li><li>Termination</li></ol></ol>A regulated entity's program should enable oversight of third-party provider relationships in accordance with the level of risk presented, the nature of the relationship, the scale of the outsourced product or service, and the risk inherent in the relationship.  Because of this risk-based approach, aspects of this AB may not apply to every third-party provider relationship.  The regulated entities should ensure that the quality and extent of third-party provider risk management corresponds with the level of risk and the complexity of these relationships.  FHFA's general standards for safe and sound operations are set forth in the Prudential Management and Operations Standards (PMOS) at 12 CFR Part 1236 Appendix.  Three relevant PMOS articulate guidelines for a regulated entity's board of directors and management to evaluate when establishing internal controls and information systems (Standard 1), overall risk management processes (Standard 8), and maintenance of adequate records (Standard 10).  In addition, each regulated entity should manage its program as part of its enterprise-wide risk management program and in accordance with all relevant FHFA guidance.<a href="#3">[3]</a>  <blockquote dir="ltr"><blockquote dir="ltr"><blockquote dir="ltr"><blockquote dir="ltr"><blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;"><h4>  I.       Governance </h4> A.     Responsibilities of the Board and Senior Management</blockquote></blockquote>The board of directors or board committee (board) should approve a policy establishing the program.  The board-level policy (or management-level policies, as appropriate) should establish criteria for the acceptance and monitoring of risks related to third-party provider engagements and include enterprise-wide risk management processes that reflect the complexity of the regulated entity.  Policies should assign clear roles and responsibilities to entity personnel, establish requirements for documenting decisions concerning third-party providers, and identify internal stakeholders throughout the third-party provider relationship.  Internal audit, or an independent third party if specialized expertise is required, should audit the program periodically, including review of third-party assessments.The regulated entity's board is responsible for oversight of the program, while senior management is responsible for executing the regulated entity's program and applicable policies on behalf of the board, consistent with established delegations.  Each regulated entity's board should ensure that senior management has effective processes in place to manage risks related to third-party provider relationships, consistent with the regulated entity's strategic goals, organizational objectives, and risk appetite.  <blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;"> B.     Policies, Procedures, and Internal Standards</blockquote>The regulated entities should establish and implement risk management processes in their policies that clearly define risk categories for the oversight of third-party provider relationships.  Risk categories should consider the type and degree of risk inherent in the relationship, the scope and breadth of the third-party provider relationship, the nature of the product or service provided, and the ability to find an acceptable replacement for the third-party provider.  In addition to categorizing these relationships, the regulated entity should document and consistently update its inventory of third-party providers.  The regulated entity's program should articulate governance standards for risk-based due diligence, monitoring, and oversight that reflect the defined risk categories.  The more risk a third-party provider relationship poses to the regulated entity, the more rigorously the regulated entity should perform these activities.  Documentation requirements should correspond to the risk category or the nature of the third-party provider relationship.  Other factors considered in establishing a risk-based approach include third-party provider relationships that could: <ul style="list-style-type:disc;"><li>Cause a regulated entity to face significant business, operational, legal, compliance, or reputational risk if the third-party provider fails to meet its obligations;</li><li>Require significant resources and costs to implement and manage the risk (such as a third-party provider that has an integral role in the regulated entity's operations or a financial technology firm that leverages emerging technologies); or</li><li>Have a major effect on the regulated entity's operations if it needs to procure an alternate third-party provider or has to perform the service in house.</li></ul><blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;"> C.     Reporting </blockquote> The regulated entity should implement a reporting system that provides management sufficient information to adjust the program, including policy, resources, expertise, and controls.  Management should receive periodic reports from program stakeholders about commencing new third-party provider relationships, continuing existing ones, or terminating arrangements that do not meet expectations or no longer align with the goals of the regulated entity.  Regular reports to management could incorporate the documentation of phases of the third-party provider relationship, such as analysis of costs, or reputational risks found during ongoing monitoring.  Reports should contain sufficient detail to adequately inform the intended audience and sufficiently support related business decisions. To assist the board in oversight of the program, management should provide the board with regular enterprise-wide reports on the regulated entity's management of risks associated with third-party providers.  Management should also notify the board of significant third-party risks, such as business interruptions and terminations for cause, or third-party provider relationships that approach the regulated entity's risk appetite limits.   <blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;"><h4>II.        Third-Party Provider Risk Management Life Cycle Phases</h4></blockquote>An effective program should include policies and procedures that cover all phases of the regulated entity's third-party provider relationship life cycle:  Risk Assessment, Due Diligence in Third-Party Provider Selection, Contract Negotiation, Ongoing Monitoring, and Termination.  The scope and duration of each phase should be consistent with the program's policy, and multiple phases may be addressed simultaneously.  The documentation for each phase is also dependent on whether the phase applies and the extent to which it applies.  The life cycle phases are discussed in more detail below.                 <blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;"> A.     Phase 1 – Risk Assessment </blockquote>Each regulated entity's program should include processes to assess the risks associated with engaging a third-party provider to supply a product or service.  These risks may include:<ul style="list-style-type:disc;"><li>The operational, compliance, legal, and reputational risks associated with having a third-party provider supply the product or service and the risk that expected benefits do not outweigh the costs;</li><li>The breadth of the products or services that would be delivered by a third-party provider;</li><li>Whether the regulated entity has adequate resources and expertise to monitor the third-party provider relationship;</li><li>The complexity of the arrangement, volume of activity, potential for a third-party provider's use of subcontractors, and the technology required; and</li><li>Potential information security risks associated with giving a third-party provider access to the regulated entity's operating location, information systems, or proprietary or personally identifiable information.</li></ul>If the regulated entity establishes a third-party provider relationship, the program should provide for management of the associated risks.  As necessary, the risk assessment should include a strategy for the regulated entity to procure adequate resources or expertise to mitigate the risks or justify acceptance of the identified risks.  The regulated entity should review and update its risk assessment and revise risk mitigation strategies when appropriate.  When documenting its risk assessment analysis, the regulated entity should indicate any risk assessment tools used in the process.<blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;"> B.     Phase 2 – Due Diligence in Third-Party Provider Selection</blockquote>Each regulated entity should conduct due diligence on a third-party provider before entering into a contract.  The degree of due diligence should be commensurate with the level of risk of the outsourced activity and the complexity of the third-party provider relationship.  A regulated entity should not rely solely on its prior experience or knowledge of the third-party provider as a substitute for an objective risk assessment of the third-party provider's ability to supply a product or service in a safe and sound manner.  A regulated entity may refer to a third-party provider's independent audit, Service Organization Control (SOC) report, or recognized certifications to assess certain aspects of the third-party provider's internal risk management controls.  Due diligence review should align with the severity of the risk.  Due diligence results, findings, and recommendations should be documented.Due diligence prior to entering into a third-party provider relationship should include an evaluation of financial, operational, legal, compliance, and reputational risks of engaging the proposed third-party provider.  As part of the due diligence review, the regulated entity should consider: <ul style="list-style-type:disc;"><li>Whether the proposed third-party provider can offer the product or service in compliance with applicable laws and regulations, as well as the regulated entity's internal policies, procedures, and other requirements;</li><li>The third-party provider's overall business model and how current and proposed business activities may affect the risks presented by the third-party provider; </li><li>The third-party provider's business background, experience, and reputation; </li><li>The financial performance, resources, and condition of the proposed third-party provider;</li><li>The third-party provider's insurance coverage;</li><li>The third-party provider's operational and internal controls, including information security, incident reporting and management, and business continuity programs; </li><li>Concentration risks that may arise from relying on a third-party provider for multiple products or services or from a third-party provider's reliance on subcontractors; </li><li>The extent to which the third-party provider relies on subcontractors to perform its obligations, the controls the subcontractor has in place, and the third-party provider's processes to oversee subcontractors that would be directly involved in the outsourced product or service; </li></ul><ul style="list-style-type:disc;"><li>Any potential conflicts of interest with the directors, officers, or employees of the regulated entity concerning potential third-party providers;<a href="#4">[4]</a> and</li><li>Whether there are third-party fee structures that involve potential risks, such as incentives for inappropriate risk-taking, that could arise as a result of such fee structures.  </li></ul>Each regulated entity's third-party provider selection process should also be designed to ensure, to the extent possible and consistent with safety and soundness, the inclusion of minority-, women-, and disabled-owned businesses.<a href="#5">[5]</a>Management should review the due diligence results to determine whether the third-party provider is able to adequately provide the product or service at a level of risk acceptable to the regulated entity.  If the third-party provider cannot meet the regulated entity's requirements, management should consider whether to seek an alternate provider, supply the product or service itself, or mitigate the identified risks to the extent practicable. <blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;"> C.        Phase 3 – Contract Negotiation </blockquote>Each contract with a third-party provider should clearly specify the rights and responsibilities of each party.  Consistent with the risk category involved, the regulated entity should consider what level of legal review is necessary for contracts with third-party providers and should ensure that the attorneys conducting the review for a particular contract have the appropriate subject matter expertise or work in conjunction with appropriate subject matter experts.  Copies of executed contracts should be retained for reference and record-keeping purposes.The regulated entity should consider the following when negotiating contractual provisions with third-party providers:<ul style="list-style-type:disc;"><li>The nature and scope of service; </li><li>Duration of service; </li><li>Performance standards and service levels; </li><li>Experience requirements of third-party providers and their contractors;</li><li>Cost and compensation, including the timing and procedures for payment and expense reimbursement;</li><li>Confidentiality, use, location, and security of information; </li><li>Business continuity and contingency plans and test results;</li><li>Intellectual property ownership, rights, and responsibilities; </li><li>Timely disclosure of conflicts of interest or potential conflicts of interest from the third-party provider;</li><li>Incident reporting and management;</li><li>Dispute resolution process (e.g. arbitration, mediation), termination, and remedies; and</li><li>Internal controls and audit reports.</li></ul>The regulated entity should address what constitutes nonperformance and the conditions under which the contract may be terminated by either party.  The contract should also stipulate the circumstances for and responsibilities when termination occurs.  If the regulated entity could no longer legally engage a third-party provider,<a href="#6">[6]</a> the contract should include a provision that enables the regulated entity to terminate the contract for regulatory noncompliance.  The regulated entity should also ensure that contracts address compliance with the specific laws, regulations, and guidance applicable to the regulated entity, including the regulated entity's right to obtain necessary information to conduct ongoing risk assessments, as well as monitor performance and ensure contract compliance.  Contracts should also address whether the regulated entity has the right to conduct periodic on-site reviews to verify compliance.  If contracts allow for subcontracting, the regulated entity generally should seek to ensure that the primary third-party provider remains responsible for the performance of its subcontractors in accordance with the terms of the primary contract, and be notified of the identity of any material subcontractors, when appropriate. Contracts for third-party providers should address, as appropriate, the provider's responsibility for continuation of the product or service in the event of an operational failure, such as man-made and natural disasters.  Contracts should address requirements for third-party providers to back up information and maintain disaster recovery and contingency plans with sufficiently detailed operating procedures.  Other issues such as the maintenance of adequate insurance, ownership of data or licenses, privacy, and liability limitations should be considered, as applicable.  For example, the regulated entity should consider potential legal and security risks to cross-border data storage, transmission, and processing.   <blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;"> D.    Phase 4 – Ongoing Monitoring</blockquote>The nature and extent of monitoring of the performance of third-party provider relationships should be commensurate with the level of risk.  Management should also ensure that the regulated entity retains sufficient staff with the necessary expertise, authority, and accountability to oversee and monitor the third-party provider relationship.  The approach (e.g., on-site versus off-site review), depth, scope, and frequency of the monitoring and oversight activities should correspond to the risk category involved.  If the regulated entity outsources any part of its monitoring and oversight, management is responsible for choosing a service provider appropriate for the entity's size, complexity, and risk environment.  Ongoing monitoring should include the due diligence activities referenced in Phase 2 that apply to the particular third-party provider relationship.  Management of the regulated entity should also consider whether the third-party provider is:<ul style="list-style-type:disc;"><li>Meeting service-level agreements, performance metrics, and other contractual terms; </li><li>Monitoring and evaluating subcontractor controls that are relevant to the contract work being performed;</li><li>Engaged in agreements with other entities that may pose a conflict of interest or present risks; </li><li>Performing periodic background checks; and</li><li>Complying with applicable legal and regulatory requirements, including documenting such compliance when necessary.</li></ul>Because both the level and types of risks may change over the lifetime of a third-party provider relationship, a regulated entity should ensure that its ongoing monitoring adapts accordingly.  Periodic assessments should be conducted to determine whether the product or service remains necessary or relevant to the regulated entity's mission or operations.  Each regulated entity should also periodically assess existing third-party provider relationships to determine whether the nature of the product or service provided has changed, resulting in the need for re-designation to a new risk category.  Management should review existing third-party provider contracts to determine whether the terms and conditions address current risks associated with having the product or service supplied by the third-party provider.  Where concerns are identified, the regulated entity should consider addressing those concerns by negotiating an amendment to the contract where appropriate, or revising the contract prior to a renewal.  When a regulated entity identifies concerns through ongoing monitoring, it should seek to resolve the issues at the earliest opportunity.  Management should ensure procedures exist to escalate issues such as service agreement performance, material weaknesses and repeat audit findings, deterioration in financial condition, security breaches, data loss, or compliance lapses.  Additionally, management should ensure that the regulated entity's controls for managing these risks from third-party provider relationships are tested regularly.  Weaknesses identified that substantively increase the risk to the regulated entity should be reported to the board based on an assessment of the level of associated risk.Any assessments and analyses performed during this phase should be documented, as well as any regular risk management and performance reports received from the third-party provider (e.g., audit reports, security reviews, and reports about compliance with service-level agreements).<blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;"> E.     Phase 5 – Termination</blockquote>The terms of each contract will govern how a regulated entity or a third-party provider may terminate the contractual relationship.  A regulated entity may wish to terminate a third-party provider relationship for various reasons, including: <ul style="list-style-type:disc;"><li>Expiration, completion, or satisfaction of the contract;</li><li>Breach of contract;</li><li>To engage an alternate third-party provider;</li><li>To discontinue the product or service; </li><li>To bring the product or service in house; or</li><li>To comply with an FHFA order directing suspension of the third-party provider relationship. </li></ul>Each regulated entity should have strategies and contingency plans in place to terminate third-party provider relationships in an efficient manner that minimizes risk to the regulated entity, whether the outsourced product or service is transitioned to another third-party provider, brought in house, or discontinued. The regulated entity should consider:<ul style="list-style-type:disc;"><li>The capabilities, resources, and time frames required to transition the product or service while still managing legal, regulatory, and other risks;</li><li>Risks associated with data retention and destruction, information system connections and access control issues, or other control concerns that require additional risk management and monitoring during and after the end of the third-party provider relationship;</li><li>Intellectual property ownership, rights, and responsibilities, as well as the handling of any joint intellectual property developed during the course of the arrangement; </li><li>The return of any regulated entity's information in the third-party provider's possession after voluntary or involuntary termination of the contract;</li><li>Reputational risks to the regulated entity if the termination results from the third-party provider's inability to meet expectations; and</li><li>Roles and assistance with transfer or wind down of the outsourced product or service upon termination.</li></ul> Related Guidance12 CFR Part 1236 Prudential Management and Operations Standards, Appendix. Cloud Computing Risk Management, Federal Housing Finance Agency Advisory Bulletin 2018-04, August 14, 2018. Oversight of Multifamily Seller/Servicer Relationships, Federal Housing Finance Agency Advisory Bulletin 2018-05, August 14, 2018. Information Security Management, Federal Housing Finance Agency Advisory Bulletin 2017-02, September 28, 2017. Internal Audit Governance and Function, Federal Housing Finance Agency Advisory Bulletin 2016-05, October 7, 2016. Data Management and Usage, Federal Housing Finance Agency Advisory Bulletin 2016-04, September 29, 2016. Information Technology Investment Management, Federal Housing Finance Agency Advisory Bulletin 2015-06, September 21, 2015. Oversight of Single-Family Seller/Servicer Relationships, Federal Housing Finance Agency Advisory Bulletin, 2014-07, December 1, 2014. Operational Risk Management, Federal Housing Finance Agency Advisory Bulletin, 2014-02, February 18, 2014. Model Risk Management, Federal Housing Finance Agency Advisory Bulletin 2013-07, November 20, 2013. Contingency Planning for High-Risk or High-Volume Counterparties, Federal Housing Finance Agency Advisory Bulletin 2013-01, April 1, 2013.___________________________________________ <a name="1">[1]</a> The OF is not a “regulated entity" as the term is defined by statute (see 12 U.S.C. 4502(20)).  However, for convenience, references to the “regulated entities" in this AB should be read to also apply to the OF.  <a name="2">[2]</a> This AB does not apply to business arrangements through which a FHLBank provides products or services to its members or housing associates, or to a FHLBank's business arrangements with sponsors participating in its Affordable Housing Program.    <a name="3">[3]</a> 12 CFR 1239.11(a). <a name="4">[4]</a> 12 CFR 1239.10(a). <a name="5">[5]</a> 12 CFR 1223.2, 1223.21. <a name="6">[6]</a>See, e.g., 12 CFR Part 1227.<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. Questions about this advisory bulletin should be directed to: <a href="mailto:SupervisionPolicy@fhfa.gov.f">SupervisionPolicy@fhfa.gov</a>.</td></tr></tbody></table> </blockquote></blockquote></blockquote>

9/28/2018 6:30:25 PM

Home / Supervision & Regulation / Advisory Bulletins / Oversight of Third-Party Provider Relationships Advisory Bulletin AB 2018-08: OVERSIGHT OF THIRD-PARTY PROVIDER

15994

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Federal Home Loan Bank Liquidity Guidance

25695

FHL Banks

8/27/2018 4:00:00 AM

AB 2018-07

<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"> ADVISORY BULLETIN AB 2018-07 FEDERAL HOME LOAN BANK LIQUIDITY GUIDANCE </td></tr></tbody></table> PurposeThis advisory bulletin (AB) communicates the Federal Housing Finance Agency’s (FHFA) guidance for maintaining sufficient amounts of liquidity<a href="#1">[1]</a> that will enable Federal Home Loan Banks (FHLBanks) to provide advances and fund letters of credit for members during a sustained capital markets disruption.  Although this guidance sets expectations for how FHLBanks may best measure and maintain sufficient liquidity, the FHLBanks should also use liquidity metrics that are commensurate with their funds management strategies and that provide a comprehensive assessment of their liquidity risk to ensure that sufficient funds are available at a reasonable cost to meet potential demands. Contemporaneously with the issuance of this AB, the Division of Federal Home Loan Bank Regulation (DBR) is issuing a supervisory letter to the FHLBanks that identifies the initial thresholds for the various measures of liquidity described herein.  DBR will periodically assess conditions in the financial markets to determine whether they warrant revisions to those thresholds.  DBR will issue supervisory letters to notify the FHLBanks of any subsequent revisions that it believes to be appropriate in light of any material changes in market conditions, and will provide an appropriate notice period for the FHLBanks to make appropriate adjustments to their liquidity management practices. This guidance rescinds the March 6, 2009 Liquidity Supervisory Letter as of March 31, 2019, but does not supplant existing regulations that pertain to liquidity at the FHLBanks.<a href="#2">[2]</a> Background Liquidity risk is the risk that a financial institution will be unable to meet its financial obligations in a timely and cost-efficient manner.  Strong liquidity risk management enables a FHLBank to be financially sound, so that it may continue to perform its mission, while limiting and controlling shortfalls in cash.  This AB describes key elements of a strong liquidity management program, including cash flow measurement, funding gaps, stress testing, and a contingency funding plan (CFP). FHFA has adopted a series of prudential management and operations standards (PMOS) for the FHLBanks and the Enterprises, one of which addresses the adequacy of an entity’s liquidity and reserves.<a href="#3">[3]</a> A FHLBank’s failure to meet any of the prudential standards may invoke the remediation provisions of the PMOS statute,<a href="#4">[4]</a> and may also constitute an unsafe and unsound practice that would provide grounds for FHFA to invoke its other administrative enforcement powers.<a href="#5">[5]</a> This AB complements the provisions of Standard 5, which describes the FHFA’s general expectations for an effective liquidity risk management framework.  More specifically, Standard 5 provides that a FHLBank should articulate an appropriate liquidity risk tolerance; establish a process for identifying, measuring, and controlling its liquidity position and liquidity risk exposures; and develop a funding strategy that includes diverse sources of funding.  In addition, Standard 5 states that FHLBanks should conduct regular stress tests to identify sources of potential liquidity strain, and should establish a CFP.  Of most relevance to this AB, Standard 5 states that a regulated entity should maintain adequate reserves of liquid assets, including marketable securities that can be liquidated to meet unexpected needs.  The management of liquidity risk is also an element of an entity’s overall risk management process that is addressed by Standard 8 of the PMOS, which describes the responsibilities of boards of directors and senior management and the need for the FHLBanks to establish risk management practices that measure, monitor, and control liquidity, market, credit, and operational risks.  Management of liquidity risk should also be addressed as an element of a regulated entity’s enterprise-wide risk management program that is required by FHFA regulations.<a href="#6">[6]</a>The principal sources of funding for the FHLBanks are the global capital markets, into which the FHLBanks issue their consolidated obligations (COs), on which they are all jointly and severally liable.  Because the FHLBanks are government-sponsored enterprises (GSEs), they can issue debt at lower interest rates (controlling for tenor) than can their members.  Though the FHLBanks have that funding advantage over their members, their GSE status makes them ineligible to borrow from the Federal Reserve Bank’s discount window, nor do they have daylight overdraft privileges at a Federal Reserve Bank, both of which funding sources are generally available to depository institution members.  Consequently, during periods of disruption or duress in the capital markets, systemic or otherwise, or in the FHLBanks' operating environment, it is essential that the FHLBanks have established adequate reserves of liquidity to ensure their ability to continue funding advances and letters of credit for their members, as provided in Standard 5 of the PMOS.  This AB is intended to provide guidance to assist the FHLBanks in maintaining a level of liquid assets that is consistent with the expectations of Standard 5. Guidance This AB sets out FHFA’s supervisory expectations with respect to what may constitute an adequate amount of liquidity for purposes of meeting the PMOS.  A FHLBank maintaining a liquidity position at or above the levels described in this bulletin will be presumed to be operating with “adequate reserves of liquid assets” as that term is used in the PMOS.<a href="#7">[7]</a>  Notwithstanding that presumption, FHFA will assess the adequacy of each FHLBank’s liquid assets and its liquidity risk management program as part of each annual examination, and will take any appropriate supervisory or enforcement action if it determines that a particular FHLBank’s liquidity reserves or risk management program are deficient in any material respect.The guidance below is intended to provide some reasonable assurance that the FHLBanks will be able to conduct their normal business operations – providing advances and standby letters of credit (SLOCs) to their members – for a specified period of time without access to the capital markets.  As is the case with guidance adopted by other banking regulators, this AB addresses the level of on-balance sheet liquid assets and funding imbalances, as described in the provisions below relating to base case liquidity and funding gap limits, respectively.  As part of the base case liquidity measure, the guidance also includes a separate provision to address liquidity risk associated with a FHLBank’s off-balance sheet commitments arising from its issuance of SLOCs. I.  Base Case Liquidity Cash Flow Measurement Positive cash flow is important to maintaining an adequate liquidity position, as having sufficient positive cash flow will better enable a FHLBank to withstand a sustained capital markets disruption that impedes or limits its ability to issue COs.  DBR believes each FHLBank should be able to maintain a positive cash balance during a projected period of time (measurement period) without access to the capital markets for COs or other unsecured funding sources.<a href="#8">[8]</a> Under the 2009 Liquidity Supervisory Letter, the FHLBanks assume a 5-day period without access to the capital markets, but they also assume that certain large members would not renew their advances during that period.  The federal banking regulators; however, allow those large depository institutions to assume that they will renew 75 percent of their FHLBank advances.<a href="#9">[9]</a>   This suggests that the assumptions underlying the 2009 Liquidity Supervisory Letter may not be sufficient to cover the FHLBanks’ actual liquidity risk associated with those large members’ advances.  Furthermore, a FHLBank is expected to be a liquidity provider by offering to make advances to all members, even in times of market disruption.<a href="#10">[10]</a>To address those additional risks, FHFA believes that the FHLBanks should maintain larger liquidity positions to allow them to meet their operational needs over a longer period of time without access to the capital markets.  Such liquidity reserves are especially important for the FHLBanks because they do not have access to any material off-balance sheet liquidity sources on which they could rely during market disruptions, such as the Federal Reserve Discount Window or the Government Sponsored Credit Facility that expired in December 2009.<a href="#11">[11]</a> FHFA believes that a reasonable measurement period of days without access to the capital markets generally would be between 10 and 30 calendar days, depending on market conditions.  As noted previously, DBR is issuing a supervisory letter to the FHLBanks identifying the number of days for the initial measurement period. FHFA believes that a prudent measure for assessing the adequacy of a FHLBank’s liquidity position is whether it has sufficient positive cash balances to cover its expected funding needs over the specified number of days in the measurement period.  Determining the positive cash balances is largely a function of a FHLBank’s cash inflows and outflows.  In order to ensure that there is consistency in how each FHLBank calculates its cash balance liquidity positions, FHFA has developed a series of assumptions regarding cash inflows and cash outflows that each FHLBank should use in establishing its Base Case liquidity position.  The initial cash flow assumptions are also described in the supervisory letter that DBR is providing to the FHLBanks.  Accordingly, each FHLBank, on a daily basis, should project forward (for the duration of the measurement period) and maintain positive cash balances net of cumulative daily cash flows, assuming the renewal of all maturing advances, according to the following formula:<a href="#12">[12]</a> <img src="/SupervisionRegulation/AdvisoryBulletins/PublishingImages/Pages/Federal-Home-Loan-Bank-Liquidity-Guidance/Formula-1.PNG" alt="Formula-1.PNG" style="margin:5px;width:700px;height:102px;" />  Standby Letters of Credit Measurement The FHLBanks have experienced significant growth in SLOCs, which they issue at the request of their members for the benefit of third parties.  Beneficiaries can draw against the SLOC by presenting a demand to the FHLBank.  SLOCs totaled $149.4 billion at year-end 2017, up materially from $29.2 billion at year-end 2007.  Much of the growth in SLOCs has occurred over the past five years as depository institution members have used the product to optimize their liquidity.<a href="#13">[13]</a> The substantial growth in this off-balance sheet product has created a greater risk to the FHLBanks.  Specifically, there is now greater possibility that beneficiaries will demand more payments under their SLOCs in a short period of time, which creates a potential liquidity exposure for the FHLBanks.  Consequently, any measure of an adequate level of liquidity should include some amount to cover that potential exposure.  To ensure that a FHLBank will have adequate funds available to support its SLOC commitments, FHFA believes that it should maintain a liquidity reserve of between 1 percent and 20 percent of its outstanding SLOC commitments.<a href="#14">[14]</a> The supervisory letter that DBR is providing to the FHLBanks also identifies the initial percentage that FHFA believes would provide adequate liquidity for these instruments in light of current market conditions. II.  Funding Gaps Funding gap metrics measure the difference between a FHLBank’s assets and liabilities that are scheduled to mature during a specified period, and are typically expressed as a percentage of the FHLBank’s total assets.<a href="#15">[15]</a> Operating within appropriate funding gap limits reduces large structural imbalances, which provides for more stable asset and liability balance sheet structures.  Furthermore, maintaining appropriate funding gap limits reduces the amount of liquidity transformation and pro-cyclical funding behavior.  By maintaining prudent funding gap limits for three-month and one-year time horizons, the FHLBanks may reduce the liquidity risks associated with a mismatch in their contractual asset and liability maturities, including an undue reliance on short-term debt funding, which increases their debt rollover risk.  Depending on conditions in the financial markets, FHFA believes that maintaining funding gap limits within the range of negative 10 percent to negative 20 percent for the three-month horizon, and negative 25 percent to negative 35 percent for the one-year horizon, would provide reasonable assurance that a FHLBank would have adequate liquidity to address the risks associated with possible asset and liability maturity mismatches.  The supervisory letter that DBR is providing to the FHLBanks also identifies the initial percentages within those ranges that FHFA believes would be appropriate in light of current market conditions. In order to ensure that there is consistency in the way in which the FHLBanks calculate their funding gap ratios for FHFA’s supervisory purposes, FHFA has developed a formula, set out below, that each FHLBank should use to calculate its funding gap ratios.  When measuring their funding gaps, the FHLBanks should do so as of calendar month-end, using the average ratio for the most recent three month-ends.<a href="#16">[16]</a> <img src="/SupervisionRegulation/AdvisoryBulletins/PublishingImages/Pages/Federal-Home-Loan-Bank-Liquidity-Guidance/Formula-2.PNG" alt="Formula-2.PNG" style="margin:5px;width:700px;height:97px;" /> III.  Counter-Cyclical Liquidity Supervisory Approach The financial crisis demonstrated that financial intermediaries should maintain prudent levels of liquidity to protect against unexpected disruptions in funding.  During periods of prolonged market stress, a FHLBank may need to use the liquidity that it established during a non-stress period.  To that end, the DBR Deputy Director may, based on ongoing monitoring of market conditions, reduce the measurement period under the base case liquidity provision or increase the negative funding gap thresholds through a supervisory letter to the FHLBanks.  Any such actions will be guided by what is necessary to preserve the safety and soundness of the FHLBanks, even if that entails allowing the FHLBanks to maintain liquidity positions outside of the ranges described herein.  In addition, if a FHLBank experiences a prolonged funding event, it promptly should inform the Deputy Director of its need to reduce its liquidity holdings or increase its negative funding gaps.  At a minimum, any such notice should describe the source of the funding stress, the expected duration of event, and how and when the FHLBank expects to restore its liquidity positions. FHFA recognizes that a FHLBank infrequently may need to draw upon its liquid assets to function as a liquidity provider for its members during short-term market disruptions or other short-term events that impair access to funding.<a href="#17">[17]</a> Accordingly, this Advisory Bulletin does not preclude a FHLBank from temporarily decreasing its liquidity position, in a safe and sound manner, below the levels described herein, as necessary for providing unanticipated extensions of advances to members or draws on letters of credit to beneficiaries.<a href="#18">[18]</a>  In such instances, the FHLBank should notify its examiner-in-charge of the cause of any temporary liquidity shortfall, anticipated duration of the temporary shortfall, and when and how a FHLBank expects to restore its liquidity back to the identified level set forth in FHFA’s separate supervisory letter.  DBR will evaluate any such temporary liquidity shortfall as part of the FHLBank’s annual examination. IV.  Liquidity Stress Testing Liquidity stress testing allows the assessment of vulnerabilities to FHLBank-specific, entity-specific, and market-wide exposures across a range of time horizons.  Stress test results may identify sources of potential liquidity strain that can be mitigated by appropriate liquidity risk management strategies.  A FHLBank may use results of stress tests to adjust its liquidity management policies and procedures, positions and practices, and to develop effective contingency plans.  The PMOS states that regulated entities should conduct stress tests on a regular basis and use the results to keep their liquidity risk exposures within the bounds of their established risk tolerances, as well as to adjust the elements of their risk management programs.  To allow FHFA to assess each FHLBank’s alignment with this provision of the PMOS, the FHLBanks should report the results of this stress test to the FHFA annually, using financial data as of June 30 of each year.  FHLBanks that conduct liquidity stress tests more frequently than annually should continue to do so, but need not report those additional results to FHFA.  FHFA will review results of all stress tests as part of the liquidity framework assessment during examinations. V.  Contingency Funding Plan  The PMOS provide that a regulated entity should have a formal CFP that establishes strategies for addressing liquidity shortfalls in emergencies, and that is tested periodically.  The CFP should represent management’s best estimate of balance sheet changes that may result from a liquidity event based on stress testing and scenario analysis and should be integrated into a FHLBank’s overall liquidity risk management.  A CFP should establish plans, courses of action, clear lines of responsibility, and escalation procedures to ensure liquidity sources are sufficient to fund normal operations during potential temporary, intermediate-term, and long-term liquidity disruptions. FHFA expects an effective CFP to clearly specify the roles and responsibilities, including the authority to invoke the CFP, identify alternates for key roles, and include realistic action plans to execute the various elements of the plan for given levels of stress.  A CFP should establish more frequent and more detailed internal liquidity risk reporting as the stress situation intensifies.  The CFP should recognize the need to coordinate actions and information flows with other FHLBanks and the Office of Finance and address scenarios where debt issuance is constrained.  A CFP should be regularly updated to reflect changes in market or business conditions. FHFA expects each FHLBank to test periodically its CFP to assess its reliability and operational soundness under stress conditions.  Testing should evaluate whether roles and responsibilities are up-to-date and appropriate; whether legal and operational documents are up-to-date and appropriate; whether the FHLBank can transfer cash and collateral where and when needed; and whether the FHLBank can draw on contingent liquidity lines when needed.   VI.  Core Mission Adjustments FHFA previously issued an AB that provides guidance about how it will assess each FHLBank’s core mission achievement.  That bulletin uses a ratio of a FHLBank’s “primary mission assets” to its outstanding consolidated obligations as the measure of its mission achievement.<a href="#19">[19]</a>  To prevent a FHLBank that has invested in high quality U.S. Treasury securities for liquidity purposes from being penalized under the core mission achievement guidance for having made those investments, FHFA has determined that it would be appropriate to exclude those securities when measuring a FHLBank’s core mission achievement.  Accordingly, a FHLBank may adjust its core mission achievement measure, as defined in AB 2015-05, by deducting from the denominator of the Primary Core Mission Asset ratio the annual average par value of its U.S. Treasury Securities that are held in a Trading account or Available-for-Sale account, as reported in FHFA’s Call Report System. VII.  Transition Period and DatesThe Deputy Director is issuing a supervisory letter to accompany this AB that sets out the initial measures for each of the liquidity metrics described in the AB, along with the dates as of which FHFA will begin assessing the adequacy of each FHLBank’s liquidity position in the manner described in the AB.  The supervisory letter includes phased-in measures for the cash flow component of the Base Case Liquidity provisions.  Absent a market event that requires a countercyclical use of liquidity, the initial measurement period will begin on March 31, 2019, and full measurement period will begin on December 31, 2019.  For the SLOC component of the Base Case Liquidity provisions, the date is March 31, 2019.  For funding gap measures, FHFA will begin using those measures on December 31, 2018. VIII.  Reporting DBR will develop new reporting requirements for each of the liquidity measures described in this AB well in advance of the above dates.<a href="#20">[20]</a>  DBR intends to monitor each FHLBank’s liquidity position through their submission of periodic reports, as well as through the examination process.IX.  Reservation of Authority Nothing in this Advisory Bulletin limits the authority of FHFA under any other provision of law or regulation to take supervisory or enforcement action, including action to address unsafe or unsound practices or conditions, deficient liquidity levels, or violations of law. Related Regulations and Advisory Bulletins 12 USC § 1431(g) – Reserve Requirement for Member Deposits  12 CFR Part 1236 – Prudential Management and Operations Standards12 CFR Part 1266.5 – Terms and Conditions for Advances12 CFR Part 1270.2 – Authorized Liabilities12 CFR Part 1270.3(b) – Investment Coverage of Member Deposits12 CFR Part 1270.10(b) – Liquidity CertificationAdvisory Bulletin – AB 2015-AB-05, FHLBank Core Mission Achievement, July 15, 2015 <hr /> <a name="1">[1]</a> For purposes of this bulletin, ”liquidity” includes non-advance cash inflows during the measurement period plus certain high quality liquid assets (Treasury securities with remaining maturities of 10 years or less held in the Trading Account or Available-for-Sale accounting categories, and that are uncommitted and unencumbered). <a name="2">[2]</a> The regulatory provisions addressing FHLBank liquidity are located at 12 CFR 1236, Appendix, Standard 5 (Liquidity and Reserves) and 12 CFR 1270.3 (reserves for deposits from members). <a name="3">[3]</a> 12 CFR part 1236, Appendix, Standard 5 <a name="4">[4]</a> 12 USC 4513b, 12 CFR 1236.4.5 <a name="5">[5]</a> 12 CFR 1236.3(d) <a name="6">[6]</a> 12 CFR 1239.11(a) (requirement for a board-approved risk management program). <a name="7">[7]</a> 12 CFR part 1236, Appendix, Standard 5. <a name="8">[8]</a> Other unsecured borrowing sources would be limited to member deposits and federal funds purchased. See 12 CFR 1270.2 (authorized Bank liabilities). <a name="9">[9]</a> 12 CFR 249.32(j)(1)(iii). Under these Liquidity Coverage Ratio risk measurement standards (LCR), depository members subject to LCR are only required to provide liquidity coverage of 25 percent of their secured borrowings from U.S. government-sponsored entities that are assigned a risk weight of 20 percent, such as FHLBank advances. <a name="10">[10]</a> FHFA regulations require that the FHLBanks offer to provide advances to all members with maturities of up to ten years, and allow them to make advances with longer maturities, in both cases consistent with the safe and sound operation of the FHLBank. 12 CFR 1266.5(a). Both the statute and regulations recognize a FHLBank’s right to decline to make an advance to a particular member for reasons of safety and soundness. 12 USC 1429; 12 CFR 1266.4(a). <a name="11">[11]</a> The U.S. Treasury Department established the Government Sponsored Enterprise Credit Facility on September 7, 2008 as a back-up credit line for emergency use by Fannie Mae, Freddie Mac, or the FHLBanks. A fact sheet describing the facility can be located at <a href="https://www.treasury.gov/press-center/press-releases/Documents/gsecf_factsheet_090708.pdf">https://www.treasury.gov/press-center/press-releases/Documents/gsecf_factsheet_090708.pdf</a>. <a name="12">[12]</a> Renewing advances is a simplifying assumption for the advances book of business given that the maturities of most advances are short-term and advances have steadily grown since 2012 (after contracting for several years after the financial crisis). The assumption is based on the premise that FHLBanks should continue to provide advances during a period of impeded CO market access. <a name="13">[13]</a> A frequent use of SLOCs by depository members is to secure public unit deposits, which then allows the members to use their highly-rated securities to meet their own liquidity requirements rather than pledge them as collateral for the public unit deposits. <a name="14">[14]</a> For a variable balance letter of credit, the gross commitment should be used as the notional amount outstanding. <a name="15">[15]</a> A FHLBank may include estimates for expected cash inflows, including anticipated prepayments, from mortgage assets as part of assets in the funding gap ratio numerator. Mortgage cash flow estimates should be consistent with estimates the FHLBank uses for its market risk measures. For purposes of calculating funding gap measures, Banks may include U.S. Treasury Securities meeting the definition of HQLA held in a Trading account as short-term (T+1) assets. All other U.S. Treasury Securities should be reported in funding gap measures at their maturity. <a name="16">[16]</a> For example, Funding Gap = [Funding Gap current month-end (T0) + Funding Gap month-end (T-1) + Funding Gap month-end (T-2)] divided by 3. <a name="17">[17]</a> The use of liquidity also is anticipated during operational events such as natural disasters, cyber disruptions, etc. <a name="18">[18]</a> Force majeure events may also cause a temporary decrease in a FHLBank’s liquidity position. <a name="19">[19]</a> Advisory Bulletin – AB 2015-AB-05, FHLBank Core Mission Achievement, July 15, 2015. <a name="20">[20]</a> Currently FHLBanks provide liquidity data as specified in SDR-2008-03, which will be revised or rescinded when the new reporting requirements are established.  <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. Contact <a href="mailto:SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a> if you have questions. </td></tr></tbody></table>

8/27/2018 4:00:14 PM

Home / Supervision & Regulation / Advisory Bulletins / Federal Home Loan Bank Liquidity Guidance Advisory Bulletin This advisory bulletin (AB) communicates the Federal Housing

11650

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Liquidity Risk Management

25675

Fannie Mae & Freddie Mac

8/22/2018 4:00:00 AM

AB 2018-06

<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"> ADVISORY BULLETIN AB 2018-06 LIQUIDITY RISK MANAGEMENT </td></tr></tbody></table> Purpose This advisory bulletin (AB) communicates to Fannie Mae and Freddie Mac (the Enterprises) the Federal Housing Finance Agency’s (FHFA) guidance for the management of liquidity risk. Strong liquidity risk management supports safe and sound operations by enabling the Enterprises to meet their financial obligations when they come due without incurring unacceptable losses. This advisory bulletin summarizes the principles of sound liquidity risk management, and, where appropriate, aligns with the regulation of other financial intermediaries. FHFA expects the Enterprises to use liquidity metrics that are commensurate with their funds management strategies and provide a comprehensive view of their liquidity risk to ensure that sufficient funds are available at a reasonable cost to meet potential demands. This AB supersedes AB 2014-01 (Liquidity Risk Management).  Background Liquidity risk is the risk that an Enterprise will be unable to meet its financial obligations as they come due without incurring unacceptable losses. Strong liquidity risk management enables an Enterprise to be financially sound to perform its public mission and to limit and control shortfalls in cash. The guidance emphasizes the importance of cashflow projections, diversified funding sources, stress testing, a cushion of liquid assets, and a formal, well-developed contingency funding plan as primary tools for measuring and managing liquidity risk. The standards for safe and sound operations for the Enterprises are set forth in the Prudential Management and Operations Standards (PMOS) at 12 CFR part 1236. Standard 5 (Adequacy and Maintenance of Liquidity and Reserves) states that each Enterprise should establish a liquidity management framework, articulate liquidity risk tolerances; and establish a process for identifying, measuring, monitoring, controlling, and reporting its liquidity position and liquidity risk exposures. In addition, Standard 5 includes guidelines for conducting stress tests to identify sources of potential liquidity strain and guidelines for establishing contingency funding plans. Standard 8 (Overall Risk Management Processes) states the expectation for the Enterprises to establish risk management practices that measure, monitor, and control liquidity risk. The PMOS describe responsibilities of boards of directors and management for all Standards. Guidance Each Enterprise is expected to be able to identify, measure, monitor, control, and report its liquidity exposures by accurately identifying both existing and emerging risks, and quantifying the primary sources of liquidity risk. Effective liquidity risk management should include: <ul><li>Adequate board of directors (board) and senior management oversight;  </li><li>Appropriate liquidity management policies, procedures, and limits;  </li><li>Appropriate risk measurement methodology, monitoring, and reporting systems; and  </li><li>An effective contingency funding plan.  </li></ul>The Enterprise should address risks unique to it with regard to liquidity, such as access to debt markets and the ability to sell or repurchase securities during a crisis.  Board of Directors and Senior Management Oversight An Enterprise’s board is ultimately responsible for the liquidity risk assumed by the Enterprise and for guiding the strategic direction of liquidity risk management. The board, or a committee thereof, should establish and approve appropriate liquidity risk tolerances and limits, and oversee management’s establishment and approval of liquidity management strategies, policies, and procedures. The board should review these at least annually. In addition, the board is expected to have an understanding of the Enterprise’s business activities and associated liquidity risk. The board should understand the cash inflows and outflows that dictate an Enterprise’s liquidity needs (e.g., trust remittance cycle, guarantee fee, cash window, and mortgage purchase commitments). The board is expected to ensure that senior management has the necessary expertise to effectively manage liquidity risk. <a href="#1">[1]</a> Senior management oversees the daily and long-term management of liquidity risk. As part of an effective liquidity risk management program, senior management:  <ul><li>Develops liquidity risk management strategies, policies, and practices for approval by the board;  </li><li>Implements sound internal controls for managing liquidity risk;  </li><li>Establishes effective information systems and contingency funding plans; and  </li><li>Establishes reporting systems that produce timely and accurate information on the Enterprise’s liquidity position and sources of risk exposure, including concentration risk, and provides regular reports to the board.  </li></ul>These responsibilities may be delegated to a board-approved management committee.  The Enterprise’s organizational structure should clearly assign responsibility, authority, and relationships for managing liquidity risk and management should ensure that personnel are competent and appropriately trained with regard to the Enterprise’s established systems, policies and tolerances. FHFA expects a Treasury unit to be responsible for the ownership and management of the liquidity risk limits. The unit should also be responsible for the identification, assessment, mitigation, control, monitoring, and reporting of liquidity risk, and for the Enterprise’s adherence to risk policies, standards, and limits. A risk management unit should be responsible for the independent oversight and monitoring of liquidity risk. The risk management unit’s responsibilities would normally include: <ul><li>Ensuring that risk limits for liquidity risk are meaningful, assessing liquidity risk against key risk indicators;  </li><li>Independently reporting on liquidity risk issues;  </li><li>Escalating liquidity risk breaches;  </li><li>Stress testing liquidity risk limits;  </li><li>Providing senior management and the board with reports on liquidity risk management and gaps between supervisory guidance, industry sound practices, and practices at the Enterprise; and  </li><li>Ensuring that the Treasury unit has an effective process in place to identify, assess, monitor, and report on key liquidity risks.  </li></ul>Appropriate Liquidity Management Policies, Procedures, and Limits  A robust set of liquidity risk management policies would appropriately include: <ul><li>Standards regarding day-to-day operational liquidity needs;  </li><li>Plans for dealing with contingent liquidity needs, including potential temporary, intermediate-term, and long-term liquidity disruptions;  </li><li>Board-established liquidity risk tolerances, and procedures establish steps to manage the risk exposures within those limits. </li><li>Methodology for determining the Enterprise’s operational and contingency liquidity needs;  </li><li>Characteristics of investments that can be held for liquidity purposes;  </li><li>Identification of investments that can be liquidated with minimal loss during times of stress;  </li><li>Provisions for documenting and periodically reviewing assumptions used in liquidity projections;  </li><li>Contingency funding plan for the Enterprise’s ability to access capital markets during periods of market stress; and  </li><li>The nature and frequency of liquidity risk reporting for management and the board.  </li></ul>Liquidity risk tolerances or limits should be appropriate for the complexity and liquidity risk profile of the Enterprise and should employ quantitative targets. These limits, tolerances, and guidelines will be most effective if they include items such as:  <ul><li>Discrete or cumulative cashflow mismatches or gaps (sources and uses of funds) over specified future short- and long-term time horizons under both expected and adverse business conditions. These may be expressed as cashflow coverage ratios or as specific aggregate amounts;  </li><li>Target amounts of unpledged, high-quality liquid asset reserves expressed as aggregate amounts or as ratios;  </li><li>Asset concentrations, especially with respect to more complex exposures that are illiquid or difficult to value, e.g. the size of the position relative to the depth of the market;  </li><li>Funding concentrations that address diversification issues, such as dependency on a few sources of borrowed funds; and  </li><li>Contingent liability metrics, such as amounts of unfunded commitments and lines of credit relative to available funding.  </li></ul>Appropriate Risk Measurement Methodology, Monitoring, and Reporting Systems  FHFA expects an Enterprise’s measurement of liquidity to include metrics for intraday liquidity, short-term cash needs (e.g., 30 days), access to collateral to manage cash needs over the medium term (e.g., 365 days), and a general congruence between the maturity profiles of the assets and liabilities. An Enterprise should also consider common industry practices and regulatory standards. <a href="#2">[2]</a> FHFA expects that an Enterprise’s measurement systems should reasonably measure liquidity exposures, identify potential liquidity shortfalls, and simulate various market scenarios, including stress scenarios. Measurement systems should include robust models for projecting cashflows and an Enterprise’s liquidity needs over appropriate time horizons, ranging from intraday to longer-term liquidity needs of one year or more. These systems are expected (i) to measure tenor, liquidation costs, time to liquidate assets, and liquidity provider concentrations to ensure that reliance on certain funding structures or sources of funds is appropriately identified and controlled, and (ii) to capture all significant on- and off-balance sheet items and be adjusted as products or risks change.  <blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;">A. Cashflow Modeling </blockquote>Since an Enterprise’s cashflows depend on choices mortgage borrowers make to prepay or extend their obligations, managing liquidity risk will be facilitated by the Enterprises’ use of pro forma cashflow statements. Pro forma cashflow analysis can be used to project sources and uses of funds under various liquidity scenarios to identify potential funding gaps. In determining potential liquidity needs and risk management strategies, the possibility of losses and deterioration in valuations from potential credit and market events should be considered. The Enterprise should account for this in assessing the feasibility and impact of asset sales on its liquidity position during stress events. Stress events should include national and regional events and cases where the catastrophic events occur simultaneously. The Enterprise should be able to calculate all of its collateral positions in a timely manner, including the value of assets currently pledged relative to the amount of security required and unencumbered assets available to be pledged. The Enterprise should be aware of the operational and timing requirements associated with accessing collateral given its physical location (i.e., the custodian entity or securities settlement system with which collateral is held). The Enterprise should also fully address the potential demand for additional collateral arising from various types of contractual contingencies during periods of both market-wide and Enterprise idiosyncratic stress.  To capture a variety of stresses, management's pro forma cashflow analysis should incorporate multiple scenarios that consider the general and unique risks faced by the Enterprise. Assumptions used in pro forma cashflow projections should be reasonable and appropriate, adequately documented, and periodically reviewed by the appropriate risk management unit and the model oversight group at the Enterprises. Assumptions should consider a wide range of potential outcomes with regard to the stability of borrowings and securitization. Sensitivity tests should be performed to measure the effects that material changes to assumptions would have on related accounts. <blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;">B. Management Reporting </blockquote>To effectively fulfill senior management’s responsibilities with respect to liquidity risk management, it is necessary that senior management receive sufficient reports on Enterprise’s liquidity risk management. An Enterprise should generate such reports at least monthly, including the level and trend of the Enterprise’s liquidity risk; and to report to the board, or a board committee, quarterly. If liquidity risk is high, or if it is moderate and increasing, more frequent reports are likely to be called for. Reportable items may include:  <ul><li>Cashflow gaps;  </li><li>Asset and funding concentrations;  </li><li>Critical assumptions used in cashflow projections;  </li><li>Key early warning or risk indicators;  </li><li>Funding availability;  </li><li>Status of contingent funding sources; and  </li><li>Collateral usage.  </li></ul>Contingency Funding Plan (CFP)  Funding decisions can be influenced by unplanned events. Such events include the inability to fund asset growth; difficulty renewing or replacing funding as it matures;<a href="#3">[3]</a> the exercise of options by customers to prepay or to draw down lines of credit; legal or operational risks; the demise of a business line; and market disruptions. Funding and investment strategies that are concentrated in one or two business lines or relationships, such as the Enterprises’ strategies, typically are at greater risk of being disrupted by adverse events. An Enterprise should examine contracts and arrangements associated with major lines of business and funding sources to identify low-probability/high-impact events that could adversely affect liquidity. Contingency plans that incorporate practical solutions that can be adopted quickly to address such contingencies as they arise will minimize exposure to such events. An Enterprise’s CFP should be customized to the liquidity risk profile of the Enterprise, and should identify the types of stress events which may be faced. The overall impact of a given stress event should be considered, including both direct and indirect effects. To be effective in mitigating foreseeable stress events, the CFP should: <ul><li>Define responsibilities and decision-making authority so that all personnel understand their role during a problem-funding situation;  </li><li>Include an assessment of the possible liquidity events that an Enterprise might encounter;  </li><li>Detail how management will monitor for liquidity events, typically through stress testing of various scenarios in a pro forma cashflow format; and  </li><li>Identify and assess the adequacy of contingency funding sources. The plan should identify any back-up facilities (lines of credit), the conditions and limitations to their use, and the circumstances where the Enterprise might use such facilities. Management should understand the various legal, financial, and logistical constraints, such as notice periods, collateral requirements, or net worth covenants, that could affect the Enterprise’s ability to use back-up facilities. They should test back-up facilities annually.  </li></ul>CFPs are particularly important in institutions such as the Enterprises that rely on securitization. This is because an Enterprise’s income is generated from its volume of business. The Enterprises have contracts to purchase fixed volumes of loans from mortgage originators, and they are dependent on the To Be Announced (TBA) market to generate corresponding cash inflows. CFPs are expected to address scenarios where securitization or asset sales become rapidly unavailable. The Enterprise should have plans in place to address disruptions in the capital markets that would result in delayed sales of loans as well as required increases in retained interests and other credit enhancements. <div> </div> Related Guidance 12 CFR part 1720 Safety and Soundness Standards, August 30, 2002. 12 CFR part 1236 Prudential Management and Operations Standards, Appendix. 12 CFR Part 249 Liquidity Coverage Ratio: Liquidity Risk Measurement Standards, October 10, 2014. 12 CFR part 1239 Responsibilities of Boards of Directors, Corporate Practices, and Corporate Governance, December 21, 2015.  Proposed Rule on Net Stable Funding Ratio: Liquidity Risk Measurement Standards and Disclosure Requirements, 81 FR 35124 through 35183, June 1, 2016. Model Risk Management Guidance, Federal Housing Finance Agency Advisory Bulletin 2013-07, November 20, 2013. Liquidity Risk Management, Federal Housing Finance Agency Advisory Bulletin 2014-01, February 18, 2014 (superseded). <hr /> <a name="1">[1]</a> Liquidity risk management policies and procedures should establish the roles and responsibilities of groups involved in liquidity risk management, and have clear escalation procedures in the event of a breach of the liquidity limits. This would include board-level risk limits and action plans in the event of a breach of risk limits. The standards for board governance in 12 CFR part 1239, FHFA’s Corporate Governance Rule, were issued November 2015. Section 1239.11 addresses risk management. <a name="2">[2]</a> On October 10, 2014, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation collectively issued a final rule that implemented a quantitative liquidity requirement, the Liquidity Coverage Ratio (LCR). 12 CFR part 50 (OCC); 12 CFR part 249  (Regulation WW) (Federal Reserve Board); 12 CFR part 329 (FDIC). On June 1, 2016, the FFIEC interagency rule for the <a href="https://www.occ.gov/news-issuances/federal-register/81fr35124.pdf">Net Stable Funding Ratio: Liquidity Risk Measurement Standards and Disclosure Requirements</a> (NSFR) was proposed. 81 FR 35124 through 35183 (June 1, 2016). These sources address issues of short term liquidity (e.g., the adequacy of high quality assets holdings) and scale of mismatch of cashflows over the intermediate term. As of this date, the Net Stable Funding Ratio has not been adopted, but the proposal remains a useful reference point.  <a name="3">[3]</a> Critical rollover needs can be identified using funding ladders. <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. Questions about this advisory bulletin should be directed to: <a href="mailto:SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>. </td></tr></tbody></table>

8/22/2018 9:23:35 PM

Home / Supervision & Regulation / Advisory Bulletins / Liquidity Risk Management Advisory Bulletin This advisory bulletin (AB) communicates to Fannie Mae and Freddie Mac (the

7444

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Oversight of Multifamily Seller/Servicer Relationships

25577

Fannie Mae & Freddie Mac

8/15/2018 4:00:00 AM

AB 2018-05

<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"> ADVISORY BULLETIN AB 2018-05 OVERSIGHT OF MULTIFAMILY SELLER/SERVICER RELATIONSHIPS </td></tr></tbody></table> Purpose This advisory bulletin communicates to Fannie Mae and Freddie Mac (the Enterprises) the Federal Housing Finance Agency’s (FHFA) supervisory expectations to maintain the safety and soundness of their operations by effectively managing multifamily Seller/Servicer relationships. FHFA expects each Enterprise to assess financial, operational, legal, compliance, and reputational risks associated with its multifamily Seller/Servicer counterparties and take appropriate action to mitigate those risks or reduce Enterprise exposures. Counterparty risk management, as part of a board-approved risk management framework, should include an Enterprise’s multifamily Seller/Servicer business operations. <div>This advisory bulletin is applicable to the counterparty risk management of third-party relationships managed by an Enterprise’s multifamily business unit. FHFA expects the Enterprises to institute proper controls and perform monitoring to identify and manage risks associated with any multifamily counterparty. BackgroundEach Enterprise uses a limited network of Seller/Servicers that originate and service multifamily loans. These loans can be retained in an Enterprise’s portfolio or used as the underlying collateral for securitizations usually sold to investors. Multifamily loans are generally larger than residential loans and have more complicated servicing requirements. Multifamily servicing requirements include performing periodic property inspections and collecting rent roll reports that are used to evaluate the value and stability of the underlying multifamily property. Multifamily loan servicing also presents risk factors such as determining net operating cash flow derived from a subject property, as well as calculating economic metrics (e.g., occupancy and vacancy rates, average monthly rents, and regional unemployment rates). Multifamily underwriting criteria include maximum loan-to-value and minimum debt service coverage ratios as the basis for approval. The term Seller/Servicer, as used in this advisory bulletin, includes approved bank or nonbank entities with a contractual relationship with an Enterprise that originate and service multifamily loans. With Enterprise approval, a designated multifamily servicer can use a subservicer (a servicer that performs servicing on behalf of the servicer) to perform the servicing administration of a loan for a fee. Multifamily Seller/Servicers routinely engage in all aspects of a loan’s lifecycle. Nonbank multifamily Seller/Servicers include publicly traded or privately owned commercial real estate companies. GuidanceOversight of multifamily Seller/Servicer relationships should be part of a risk management framework that includes periodic evaluation of counterparty financial performance; operational risk factors; and legal, compliance, and reputational risks. That information is used in the approval and ongoing monitoring of multifamily Seller/Servicers to ensure compliance with Enterprise guidelines. An effective risk management framework helps management achieve an Enterprise’s performance and profitability targets and prevent financial loss. It also should promote appropriate reporting and compliance with laws and regulations and help to avoid damage to the Enterprise’s reputation and associated consequences.  Risk Management FrameworkA risk management framework is an important element of corporate governance. Further, an effective risk management framework includes policies that support risk-related decision making. As outlined in Standard 8 of the Prudential Management and Operations Standards (PMOS), prudent risk management processes address the general responsibilities of the board of directors and senior management. The board is responsible for establishing and overseeing a robust risk management governance structure whereas management is responsible for the development, implementation, and maintenance of the risk management framework. A risk management framework considers each multifamily Seller/Servicer’s lifecycle to include selection of Seller/Servicers; (due diligence including eligibility validation); ongoing monitoring (performance, compliance reviews, and training schedules); and corrective action (remediation, suspension, or termination). Policies and procedures should be tailored to the oversight of multifamily Seller/Servicers to enable an Enterprise to consistently identify, measure, monitor, and control aggregate and emerging risks. Established policies should outline the role and responsibilities of the first line business units and the second line, enterprise risk management (ERM), which oversees risk management and assesses risk independent of the first line units. The responsibilities for risk ownership, management, control, oversight, and assurance should be clearly understood by both the first line business unit and the ERM group. Policies and procedures should also address the frequency of reporting, escalation, and tracking of policy exceptions or waivers by the Enterprise’s senior management team to the board of directors or committee thereof, depending on the issue and risk exposure to the Enterprise. In addition, policies should address the remediation of deficiencies or weaknesses identified in performance standards or in particular risk areas, as appropriate. The policies should also set standards for taking timely corrective action against a multifamily Seller/Servicer depending on the level and seriousness of the findings.  Selection of Multifamily Seller/ServicersDue diligence, including research and analysis of a multifamily Seller/Servicer’s financial condition, operational capabilities, and reputation, is expected before approving a multifamily Seller/Servicer. The Enterprise should evaluate the factors referenced below in the due diligence process, in addition to compliance with eligibility requirements, to assess the strength of the Seller/Servicer.  Financial Risk FactorsFinancial risk can result from a weak or deteriorating financial performance or condition, adverse market conditions, or extraordinary events. Effective counterparty risk management includes evaluation of a potential Seller/Servicer’s financial condition to assess its ability to continue operations based on components of its capital base, sources of revenue, profit margins, liquidity sources, and cash flow. These factors should be evaluated periodically or as warranted through ongoing monitoring to determine whether a Seller/Servicer has the capacity to meet its financial obligations. The Enterprises should consider the following in assessing potential risks to an Enterprise from each multifamily Seller/Servicer’s financial condition, as appropriate: <ul><li>The Seller/Servicer’s ability to perform through various market conditions;  </li><li>Ability of the Seller/Servicer to meet loss sharing obligations, if applicable;  </li><li>Capability of the Seller/Servicer’s management;  </li><li>Internal risk management structure of the Seller/Servicer;  </li><li>Industry reputation, product mix, geographic diversity, and estimated loan production volumes;  </li><li>The Seller/Servicer’s corporate structure, ownership, and any special financial arrangements; </li><li>Quality of the loan portfolio, when the underwriting function is delegated, or servicing performance; and  </li><li>Adequacy of the Seller/Servicer’s fidelity bond and errors and omissions insurance coverage that protects the Enterprises from losses resulting from dishonest or fraudulent acts committed by the lender’s employed personnel or outside parties that provide services to the lender.  </li></ul> Operational Risk FactorsWeak operations or controls can result in exposures to loss resulting from inadequate or failed processes, people, systems, or external events. Noncompliance with the selling and servicing agreements and guide requirements can also create operational risk exposures. Operational risk events may prevent a Seller/Servicer from fulfilling its obligations to an Enterprise pursuant to contractual terms. The Enterprises should consider the following, as appropriate, in assessing each multifamily Seller/Servicer’s operational risk: <ul><li>Ability of the servicing operations to absorb future growth in terms of staffing, facilities, and system infrastructure;  </li><li>Overall servicing performance by the servicer or subservicers, including routine property inspections and collection of rent roll reports;  </li><li>Adequacy of the Seller/Servicer’s information technology management program, including information security practices;  </li><li>The Seller/Servicer’s business continuity, disaster recovery, and contingency planning to minimize any potential service disruptions;  </li><li>The Seller/Servicer’s risk management program, including internal controls in conjunction with periodic reviews as well as post-closing loan reviews;  </li><li>The Seller/Servicer’s management team’s experience level, tenure, and any possible influence by controlling shareholders; and  </li><li>The Seller/Servicer’s oversight of its third-party service providers such as subservicers, information technology providers, brokers, and appraisers.  </li></ul> Legal, Compliance, and Reputation Risk FactorsLegal, compliance, and reputation risks can exist as a result of, among other factors, noncompliance with laws or regulations or from non-adherence to sound industry practices or Enterprise selling and servicing agreements and guides. The Enterprises should consider the following in assessing the legal, compliance, and reputation risks associated with each multifamily Seller/Servicer, as appropriate: <ul><li>Maintenance of appropriate federal and state charters or licenses required for, or relevant to, operating its business in the approved jurisdictions;  </li><li>Scope of federal and state regulatory oversight and the Seller/Servicer’s compliance program for all applicable laws and regulations;  </li><li>Record of compliance from publicly available information sources including past and pending legal actions; and  </li><li>Information known or reasonably available to an Enterprise about any civil, criminal, or regulatory issues affecting the Seller/Servicer.  </li></ul> Ongoing MonitoringMonitoring of multifamily Seller/Servicers is an essential component of managing the risks they pose to an Enterprise. Ongoing monitoring by an Enterprise should be guided by risk-based procedures that outline periodic reviews of critical information to assess a Seller/Servicer’s performance. The Enterprise’s risk-based process should be designed to ensure that the direction, depth, and frequency of reviews is commensurate with each multifamily Seller/Servicer’s risk profile. The review should be available for evaluation by staff performing oversight duties (ERM) and should take into account factors assessed during the approval process, as well as the following additional factors, as appropriate: <ul><li>The number and volume of multifamily loans sold to and serviced for an Enterprise and the mix of various product types;  </li><li>The quality of the servicing that is performed on behalf of an Enterprise;  </li><li>The terms of any risk sharing arrangements in place, periodic review of accounts maintained by third parties, and reconciliation between risk sharing obligations and account balances; </li><li>Whether the Enterprises have the ability to collect loan data from the Seller/Servicer, such as exception and waiver statistics, including documented justifications for waivers and results of ongoing performance reviews of those loans;  </li><li>Verification of eligibility standards and other terms of business throughout the relationship;  </li><li>Results of onsite reviews to validate compliance with the servicing guide, internal controls, and other contract provisions;  </li><li>Accuracy, timeliness, and completeness of loan recordkeeping, including loan data systems and loan documentation, throughout the life of the loan; and  </li><li>Changes in a Seller/Servicer’s senior management, business model, strategies, or practices.  </li></ul> Corrective ActionThe Enterprises have a range of remedies when dealing with a Seller/Servicer that fails to meet its contractual obligations. Clear communication between an Enterprise and a Seller/Servicer is critical in resolving areas that are not in compliance with issues outlined in the respective Seller/Servicer guide requirements. Each Enterprise should have established policies that include a process for taking timely remedial action to exercise contractual rights for termination, suspension, or restriction of activities with a Seller/Servicer. Enterprise policies should include standards for taking appropriate action against a Seller/Servicer that fails to meet an Enterprise’s standards of performance or that poses reputation risk because of noncompliance with applicable laws and regulations or unsound business practices. Related Guidance12 CFR Part 1236 Prudential Management and Operations Standards, Appendix.  Contingency Planning for High-Risk or High-Volume Counterparties, Federal Housing Finance Agency Advisory Bulletin 2013-01, April 1, 2013.  Oversight of Single-Family Seller/Servicer Relationships, Federal Housing Finance Agency Advisory Bulletin 2014-07, December 1, 2014. </div><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. Questions about this advisory bulletin should be directed to: <a href="mailto:SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>. </td></tr></tbody></table>

8/15/2018 5:55:06 PM

Home / Supervision & Regulation / Advisory Bulletins / Oversight of Multifamily Seller/Servicer Relationships Advisory Bulletin This advisory bulletin communicates to Fannie

5602

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Cloud Computing Risk Management

25572

All

8/15/2018 4:00:00 AM

AB 2018-04

<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"> ADVISORY BULLETIN AB 2018-04 CLOUD COMPUTING RISK MANAGEMENT </td></tr></tbody></table> Purpose This advisory bulletin provides Federal Housing Finance Agency (FHFA) guidance to Fannie Mae, Freddie Mac, the Federal Home Loan Banks (FHLBanks), and the Office of Finance (OF) (collectively, the regulated entities)  on assessing and managing risks associated with third-party cloud providers.  Effective risk management of cloud providers is critical to safe and sound operations.  Each regulated entity should use a risk-based approach across key areas listed below to meet FHFA supervisory expectations: <blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;">I. Governance</blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;">A. Responsibilities of the Board and Senior Management</blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;">B. Strategies, Policies, Procedures, and Internal Standards</blockquote></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;">II. Third-Party Cloud Provider Management</blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;">A. Due Diligence Assessment</blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;">B. Service Agreements</blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;">C. Oversight and Ongoing Monitoring</blockquote></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;">III. Information Security</blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;">A. Shared Responsibility for Security</blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;">B. Data Classification and Systems Security</blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;">C. Access Management</blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;">D. Incident Notification, Planning, and Response</blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;">E. Development and Testing Environments </blockquote></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;">IV. Business Continuity Cloud Provider Management </blockquote>BackgroundCloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.  This model is composed of five essential characteristics (on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service), three service models (Software as a Service or SaaS, Platform as a Service or PaaS, and Infrastructure as a Service or IaaS), and four deployment models (private cloud, community cloud, public cloud, and hybrid cloud).Relationships between cloud customers and their cloud providers are complex.  Critical information and resource controls may shift from in-house operations to a third party, meaning the regulated entity and cloud provider share responsibility for safeguarding organizational information and systems.  Additionally, cloud providers may have privileged access to organizational systems and information.  Because of this shared responsibility, a regulated entity engaging with a cloud provider should take appropriate steps to manage associated third-party risks and revise the information security program to address risks specific to cloud computing.  A regulated entity should also prepare for outages and failures that may hinder access to organizational information and systems that rely on cloud providers. FHFA’s general standards for safe and sound operations are set forth in the Prudential Management and Operations Standards (PMOS) at 12 CFR Part 1236 Appendix.  Three relevant PMOS articulate guidelines for a regulated entity’s board of directors and management to evaluate when establishing internal controls and information systems (Standard 1), overall risk management processes (Standard 8), and maintenance of adequate records (Standard 10). GuidanceFHFA expects each regulated entity to appropriately manage its cloud computing risks as part of its enterprise-wide risk management program,  and in accordance with all relevant FHFA guidance.  Application of this guidance by the regulated entity should correspond to the level of risk presented.  The regulated entity’s evaluation of the level of risk should include the classification of the data hosted at the cloud provider, the criticality of the service(s) provided, service and deployment models used, and other risks associated with engaging a third-party cloud provider.The regulated entity may establish a standalone cloud computing risk management program or subsume the governance and functions of cloud computing risk management under another established program.  The complexity of and level of risk associated with the regulated entity’s cloud usage should inform the decision on whether the cloud computing risk management program should exist as a standalone program or is subsumed into other program(s).  Because cloud computing affects several different areas of operations, those responsible for managing related risks should coordinate across different divisions to manage the third-party provider, information security, and business continuity risks. I. GovernanceThe governance of the cloud computing risk management program should consist of the cloud strategy, policies, procedures, and internal standards.  If the regulated entity subsumes the governance of the cloud computing risk management program into other programs, the regulated entity should clearly communicate which strategies, policies, procedures, and internal standards apply.  The complexity of and level of risk associated with the regulated entity’s cloud usage should inform whether the board or senior management approves the cloud computing strategy, policies, procedures, and internal standards.<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;">A. Responsibilities of the Board and Senior Management</blockquote>The board of directors or a committee thereof (board) should provide oversight to the cloud computing risk management program.  As part of that oversight, the board should understand the risks involved in the regulated entity’s use of cloud computing.  The board should ensure that senior management fully understands the effects of shifting to a cloud computing environment and has appropriate expertise on managing those effects prior to engaging a cloud provider.  The board should review the strategy or strategic plan that covers cloud computing and major policies relating to associated risks.Senior management should develop and periodically update policies, procedures, and internal standards and implement the cloud computing risk management program.  Senior management should also periodically report to the board about the nature of the regulated entity’s cloud computing risk, which may change significantly over time.<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;">B. Strategies, Policies, Procedures, and Internal Standards</blockquote>Each regulated entity should establish and periodically update its cloud computing strategy, and evaluate its appetite for associated risks.  The regulated entity’s current and planned cloud usage, including the extent and purpose, the classification of data stored on the cloud, and the choice of cloud service and delivery model, should inform the development of individual policies, procedures, and internal standards.  Policies should describe appropriate uses for cloud computing.  The regulated entity should evaluate and update policies, procedures, and internal standards so they are consistent with the cloud strategy and the regulated entity’s risk appetite.The regulated entity should develop or update internal standards as a basis for managing and monitoring risks at levels consistent with the regulated entity’s risk appetite.  The internal standards should establish the technical and operational criteria the regulated entity uses to evaluate cloud provider service agreements and controls, including criteria on performance and reliability in terms of availability, security, business continuity, and compliance.  Where possible, internal standards should include metrics.  The regulated entity should consider industry standards as well as its needs, capabilities, and risk appetite to inform the development of its internal standards. II. Third-Party Cloud Provider ManagementThe regulated entities should take steps to mitigate the third-party risks arising from their use of cloud providers.  The shared responsibility framework, heightened administrative privileges, standardized service model, and potential for vendor lock-in of cloud providers, result in new risks and complications to existing risks. <blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;">A. Due Diligence Assessment</blockquote>In addition to an evaluation of financial, operational, legal, compliance, and reputational risks of engaging the cloud provider, the regulated entity should evaluate whether and how shifting to a cloud computing environment affects risk.  If warranted under the circumstances, the assessment should include a comparison with other cloud providers that offer comparable services.  The results of due diligence assessments should frame service agreement negotiations and the regulated entity’s procedures and operations for managing provider-specific cloud computing risks.The on-demand self-service and rapid elasticity of cloud service have the potential to result in substantial changes to the risks associated with a specific cloud provider when the service agreement has not changed.  Consequently, due diligence assessments should occur for every cloud provider at contract inception and prior to any modifications in the level or type of services obtained that could result in significant increases to the regulated entity’s risk exposure.  Policies on the frequency of due diligence assessments should also consider the rapid evolution in the market for cloud services.<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;">B. Service Agreements</blockquote>Recognizing that each cloud computing use, complexity, and risk is unique, the details of the service agreement provisions may vary.  Because cloud providers often use a standardized service model, the regulated entity may not be able to negotiate changes to the selected cloud provider’s standard service agreement.  In cases where there are differences between the chosen cloud provider’s service agreement and the regulated entity’s policies and internal standards, the regulated entity should first consider alternative providers.  If a regulated entity determines that no alternatives exist that meet the business need, the regulated entity should develop plans to mitigate or transfer any risks emanating from the differences to reduce the risk to an acceptable level.Service agreements with a cloud provider should define roles and responsibilities of the cloud provider and regulated entity.  Service agreements should not restrict information technology, information security, and business continuity teams from effectively performing their responsibilities in the cloud environment, including monitoring and evaluating performance, protecting against and responding to security incidents, and supporting ongoing risk and compliance management. Prior to executing a cloud computing service agreement, legal and information security experts who are knowledgeable about cloud computing should review the agreement to determine if the agreement exposes the regulated entity to unacceptable levels of risk.  The review should include an assessment of significant contractual risk points for cloud computing, such as the dispute resolution process, confidentiality provisions, privacy policy, data residency, and any limitations on liability, indemnities, termination rights, and suspension rights.  Additionally, the review should include a determination of whether and how the cloud provider may use regulated entity data for its own purposes.  In accordance with a regulated entity’s policies and procedures, the regulated entity should re-evaluate service agreements periodically to determine whether they need to be updated.<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;">C. Oversight and Ongoing Monitoring</blockquote>The regulated entity should implement and oversee ongoing monitoring to ensure compliance with the service agreement(s) and to evaluate the performance of the cloud provider.  The regulated entity should track all cloud providers used, the approved cloud services, and usage of those services.  Each entity should assess each cloud provider’s quality and performance in providing information security to protect data at rest and in transit and evaluate the timeliness and completeness of the provider’s communications.If the regulated entity relies on monitoring and oversight provided by third parties, such as third party audit reports, the regulated entity should evaluate whether its contracted cloud services match the services evaluated in the outsourced monitoring and oversight. III. Information SecurityMigrating operations to the cloud may result in both new information security risks, such as from multi-tenancy risks, and complications to existing information security risks, such as risks stemming from privileged user access.  The regulated entity should evaluate and revise its information security program to reflect its cloud computing environments, and it should, to the extent possible, extend information security governance, engineering, architecture, and operations to cloud computing environments and providers.<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;">A. Shared Responsibility for Security</blockquote>The regulated entity and the cloud provider share responsibility for protecting data stored in the cloud.  The regulated entity should understand its cloud security responsibilities, which may vary based on the provider and service model.  In addition to any descriptions of the roles and responsibilities in the service agreement, the terms of the cloud provider’s information security standards and controls should inform the regulated entity of its responsibilities for protecting its cloud environment(s).  The regulated entity should understand and mitigate, accept, or transfer the risks from any identified gaps in the cloud provider’s information security program.<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;">B. Data Classification and Systems Security</blockquote>The data classification and the regulated entity’s risk appetite should inform the security requirements of specific data in the cloud.  Prior to placing data in a cloud environment, the regulated entity should evaluate the appropriateness of its protections, such as encryption, and geographic location of data at rest and in transit.  The regulated entity should assess compliance with its security policies through regular tests of key controls, systems, and procedures it uses for its cloud environment(s).The regulated entity should comply with laws and other requirements that may restrict where data are stored and establish appropriate data storage controls designed to maintain data in the appropriate physical location.  Additionally, there are substantial legal and security risks to storing data outside the United States.  The regulated entity should evaluate its risk appetite, the applicable jurisdiction’s laws, and the regulated entity’s expertise in and ability to effectively mitigate the security and legal risks prior to permitting hosting data in a jurisdiction outside of the United States. The service and deployment model may also inform decisions about security requirements.  For example, some cloud environments share physical components and resources among disparate tenants using logical separation of data.  To protect against multi-tenancy risks, the regulated entity should ensure that it and the cloud provider take steps such as using information technology services and systems to monitor applicable activity within the cloud environment. <blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;">C. Access Management</blockquote>Cloud computing environments may differ in access management configurations, so each regulated entity should take steps to ensure that identity and access management functions are configured properly.  The regulated entity should evaluate the effectiveness of policies, procedures, and internal standards on identity and access management functions to protect against unauthorized or malicious use by the cloud provider.The regulated entity should protect and secure cloud credentials.  When encrypting data in the cloud, the regulated entity should protect and secure encryption keys in a manner consistent with the classification of the data they protect. <blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;">D. Incident Notification, Planning, and Response</blockquote>The regulated entity should update its incident response plan(s) to include incidents that could arise from using cloud providers.  Responding to incidents that occur in the cloud environment often requires coordination with the cloud provider.  Notification requirements in the service agreement should define the criticality of the incidents the cloud provider should report and require the cloud provider to deliver timely notification of such incidents with sufficient detail to allow the regulated entity to take steps to prevent the expansion of an incident, mitigate its effects, or eradicate the incident in accordance with its incident response plan.<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;">E. Development and Testing Environments</blockquote>Regulated entities that isolate testing and development environments may maintain less rigorous controls over these environments to increase flexibility for developers and testers.  The regulated entity should revisit and, as appropriate, update policies, procedures, and internal standards for development and testing on the cloud to assess whether it has sufficient controls to maintain security at all phases of the development life cycle.IV. Business Continuity Cloud Provider ManagementCloud computing services may experience outages and performance slowdowns.  The regulated entity should configure its cloud usage for a level of availability and reliability appropriate for its intended use.  Using a cloud provider for disaster recovery does not relieve the regulated entity of its business continuity responsibilities.  Business continuity scenarios and associated plans should evaluate a variety of scenarios, including permanent cloud provider failure, as well as a range of short- to long-term disruptions.  The regulated entity should test, using an appropriate testing method, its business continuity plan both prior to, and while relying on, the cloud provider(s) for operations.Each regulated entity should consider the risk of using the same cloud provider for multiple critical services.  If an FHLBank plans to rely on another FHLBank (e.g., Buddy Bank) for business continuity and both use the same cloud provider, these arrangements should be re-evaluated for the possibility of a simultaneous disruption. Related GuidanceInformation Security Management, Federal Housing Finance Agency Advisory Bulletin 2017-02, September 28, 2017.Internal Audit Governance and Function, Federal Housing Finance Agency Advisory Bulletin 2016-05, October 7, 2016. Data Management and Usage, Federal Housing Finance Agency Advisory Bulletin 2016-04, September 29, 2016. Information Technology Investment Management, Federal Housing Finance Agency Advisory Bulletin 2015-06, September 21, 2015. Model Risk Management, Federal Housing Finance Agency Advisory Bulletin 2013-07, November 19, 2013. Operational Risk Management, Federal Housing Finance Agency Advisory Bulletin 2014-02, February 18, 2014. 12 CFR Part 1236 Prudential Management and Operations Standards, Appendix. 12 CFR Part 1239.11(a)(risk management program). <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance.  Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance.  Questions about this advisory bulletin should be directed to: <a href="mailto:SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>. </td></tr></tbody></table>

8/15/2018 3:30:01 PM

Home / Supervision & Regulation / Advisory Bulletins / Cloud Computing Risk Management Advisory Bulletin This advisory bulletin provides Federal Housing Finance Agency (FHFA

10487

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Advances Pricing

25522

FHL Banks

8/6/2018 4:00:00 AM

AB 2018-03

PurposeThis Advisory Bulletin provides Federal Housing Finance Agency (FHFA) guidance to the Federal Home Loan Banks (FHLBanks or Banks) on the methods a FHLBank may use to demonstrate and document its compliance with the minimum advance pricing requirements set forth in FHFA's regulations.  The methods described in this Advisory Bulletin are not exclusive and Banks may choose other methods to demonstrate and document compliance.  BackgroundSection 1266.5(b)(1) of FHFA's regulation on Bank advances states:“A Bank shall not price its advances to members below:<ol><li>The marginal cost to the Bank of raising matching term and maturity funds in the marketplace, including embedded options; and</li><li>The administrative and operating costs associated with making such advances to members."<a href="file:///C:/Users/greenleer/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/81T8S0BH/AB%202018-03%20Advisory%20Bulletin%20on%20Advances%20Pricing.docx">[1]</a>  </li></ol>The above requirement establishes the minimum price a Bank must charge on an advance.<a href="file:///C:/Users/greenleer/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/81T8S0BH/AB%202018-03%20Advisory%20Bulletin%20on%20Advances%20Pricing.docx">[2]</a>  The minimum price of an advance must be no lower than the sum of the following two components:  (1) the cost to issue debt with matching terms and conditions (marginal cost), and (2) the administrative and operating costs associated with making the advance (administrative and operating costs). Marginal Cost – The FHLBanks have introduced advance products tailored to meet changing member needs.  In cases where the structure of an advance is more complex, a Bank may find it more difficult to identify Bank-issued debt in the marketplace with terms and conditions matching those of the advance.<a href="file:///C:/Users/greenleer/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/81T8S0BH/AB%202018-03%20Advisory%20Bulletin%20on%20Advances%20Pricing.docx">[3]</a>  While a FHLBank may choose not to match-fund the advance, the advance pricing must reflect a fully matched position to comply with the regulation.<a href="file:///C:/Users/greenleer/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/81T8S0BH/AB%202018-03%20Advisory%20Bulletin%20on%20Advances%20Pricing.docx">[4]</a>  This Advisory Bulletin describes several methods a Bank may use to demonstrate and document its compliance with the minimum pricing requirement of the advances regulation when a Bank-issued debt equivalent is not available in the marketplace.Administrative and Operating Costs – In addition to the marginal cost component, the minimum price of an advance must cover the administrative and operating costs associated with making the advance.  This Advisory Bulletin provides general guidance for allocating the administrative and operating costs associated with making an advance.GuidanceBefore setting the price of an advance, a FHLBank must determine that the proposed price complies with the minimum pricing requirements of FHFA's advances regulation.  FHFA expects each Bank to create and retain documentation supporting those determinations.  When documenting compliance, a Bank should explain how the particular features of the advance affect the Bank's marginal, administrative, and operating costs of issuing that advance.  Such features may include options and interest rate caps and floors that are embedded in the advance terms, and other components, as appropriate.  In making its determinations, the Bank should ensure the timeliness of all data used to establish the cost of the advance and chosen price relative to the anticipated issuance date of the advance.  Periodically, examiners will review each Bank's determinations regarding its compliance with the regulatory pricing requirements, including the Bank's documentation for establishing the cost of advances.  Documenting the Marginal Cost ComponentFor simple advances with no special features, such as prepayment or extension options, or interest rate caps or floors, documenting the cost of the advance would require identifying the marginal cost of issuing debt with the same contractual maturity.<a href="file:///C:/Users/greenleer/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/81T8S0BH/AB%202018-03%20Advisory%20Bulletin%20on%20Advances%20Pricing.docx">[5]</a>   For a fixed-rate advance, the marginal cost to the FHLBank of issuing that advance would be the marginal cost of issuing fixed-rate debt of the same tenor as the advance being offered.  Thus, the Bank's marginal cost of issuing additional debt with the same contractual tenor as the advance being offered would form the basis for the Bank's “marginal cost of the advance."  Similarly, for a simple floating-rate advance with no other special features, the marginal cost of that advance would reflect the marginal cost of issuing floating-rate debt of the same tenor as the advance being offered.  FHFA recognizes that, in the case of Office of Finance (OF) indications, the matching tenor debt may not be issued contemporaneously or issued at all.  In such circumstances, the FHLBank may use the OF's consolidated obligation indicative curves, which currently include:  Cost of Funds Curve, Callable Indications, and Discount Note Indications.  FHFA expects the FHLBanks to document that the System can issue debt near the indicative prices through backtesting and other model risk oversight found in Advisory Bulletin 2013-07, Model Risk Management.  If the OF maintains such documentation, a FHLBank may reference such OF documentation, to the extent it meets the expectations set in the Advisory Bulletin, and provided the Bank has assured itself of the adequacy of that documentation.The price of either synthetically created fixed- or floating-rate advances should reflect the Bank's constructed cost of the underlying debt plus the constructed costs associated with creating the synthetic feature (i.e., either the floating or fixed rate) of the advance. Determining and documenting compliance with the marginal cost component of the minimum pricing requirement is more challenging when no matching FHLBank-issued debt exists with the tenor and unique features offered by the Bank for its advance.  FHLBanks may use the following pricing frameworks to establish the marginal costs associated with an advance when information on matching FHLBank-issued debt is not readily ascertainable from the marketplace.<a href="file:///C:/Users/greenleer/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/81T8S0BH/AB%202018-03%20Advisory%20Bulletin%20on%20Advances%20Pricing.docx">[6]</a>  A Bank should use the alternative or combination of alternatives that is most likely to reflect the actual costs it would incur in the marketplace and provide support for this choice in its documentation.Capital Markets Proxy – A FHLBank may identify and use a capital markets proxy, consisting of a single debt security with a liquid market that has been issued by an entity other than the Office of Finance, with tenors and features similar to those of the advance, to demonstrate appropriate pricing.  Appropriate documentation to support pricing would include adjustments to the proxy's price based on differences in features such as settlement date, term, rate structure, and credit risk, among others.  Several such securities can be used as individual proxies to reduce uncertainty for complex advances or in cases that require many adjustments to the proxies.Synthetic Security – A FHLBank may demonstrate compliance through a derivatives pricing or replicating portfolio framework by pricing a synthetic security that captures the underlying maturity, rate structure, and any other features of the advance.  For example, the Bank could replicate the contractual cash flows of the advance through a synthetic portfolio of actual consolidated obligations and derivative instruments used to support the underlying structure of the advance.  In this case, the FHLBank may use models to generate and value cash flows that match the contractual cash flows from the advance to demonstrate compliance with the regulation.  When matching the advance's contractual cash flows, the Bank should make conservative assumptions, unless there is clear and convincing market-derived information about the assumptions that market participants would likely use to price similar obligations.  Price Indication – When a capital markets proxy is unavailable and a FHLBank is unable to reference a synthetic security, it may obtain pricing indications on the same debt from reliable sources, preferably dealers that are market makers in these types of financial instruments and that take account of all appropriate terms required to support the advance's structure.  A Bank using a price indication approach should obtain an appropriate number of indications to provide a range of estimates.  If possible, the debt indications should have sufficient documentation to support the price quotes, ideally including any theory, assumptions, and observable market prices, among other factors.  The Bank should support in documentation its reasoning for choosing whatever indication it ultimately uses as a representation for the cost of debt supporting the advance.In its pricing evaluation, to the extent a FHLBank uses models, the Bank should provide in its documentation a sufficient discussion of model theory, assumptions, data inputs, and monitoring to allow an independent reviewer to replicate and evaluate the Bank's chosen method.  When reviewing documentation that supports the marginal cost component of the advance to determine compliance with the regulatory requirements on advance pricing, examiners will apply AB 2013-07, Model Risk Management Guidance, to these pricing models in determining whether a Bank's rationale and documentation for its advance pricing are sufficient.  Documenting Administrative and Operating CostsIn addition to the marginal cost component, the advances regulation requires FHLBanks to include the administrative and operating cost (AOC) associated with making advances in setting the advance price.  Charging only for the marginal AOC does not account for the appropriate allocation of fixed AOC.  To demonstrate compliance with the AOC component of the regulation, the Banks should document the allocation of total Bank operational expenses across all business lines no less than annually.  The allocation should be specific enough for an outside party to evaluate whether the advance price includes an appropriate charge for expenses related to making the advance.  The allocation should reflect each Bank's business model and supportable considerations.Advances with Accompanying DerivativesThe regulation requires a FHLBank to consider embedded options in advances when establishing advances pricing.  However, the underlying principle of Bank advance pricing reflecting the marginal cost to the Bank of creating the product extends to other aspects of the advance and accompanying derivatives the Bank may offer the member.  For example, if the Bank offers the member a cap on the rate of an advance, the Bank should document and incorporate in the advance price the cost of obtaining that cap offered to the member for the advance.  A Bank should ensure that its advances pricing incorporates the cost of derivatives when they are associated with advances offerings.  Effective DateThe FHLBanks should apply the guidance in this Advisory Bulletin, where possible and as appropriate, by January 1, 2019.  FHFA understands that adjustments to systems and processes and model validations may, in some cases, take additional time.  Notwithstanding, FHFA will continue to assess compliance with applicable regulatory requirements through ongoing supervision and examination processes.<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">Advisory bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, the Office of Finance, Fannie Mae, and Freddie Mac.  Questions may be directed to <a href="mailto:SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>. </td></tr></tbody></table>…<a href="file:///C:/Users/greenleer/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/81T8S0BH/AB%202018-03%20Advisory%20Bulletin%20on%20Advances%20Pricing.docx">[1]</a> 12 CFR 1266.5(b)(1).  The advance pricing minimum does not apply to a Bank's CICA programs or any other advances programs that are volume limited and specifically approved by the Bank's board of directors.  Volume limited programs are generally associated with disaster relief efforts.  12 CFR § 1266.5(3).<a href="file:///C:/Users/greenleer/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/81T8S0BH/AB%202018-03%20Advisory%20Bulletin%20on%20Advances%20Pricing.docx">[2]</a> These pricing requirements apply to advances to housing associates, as well as to members.  12 CFR § 1266.17(c)(2).  <a href="file:///C:/Users/greenleer/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/81T8S0BH/AB%202018-03%20Advisory%20Bulletin%20on%20Advances%20Pricing.docx">[3]</a> In this Advisory Bulletin, “FHLBank-issued debt" is defined as debt actually issued by the FHLBanks, swapped versions thereof, and pricing indications for FHLBank debt provided by the Office of Finance.<a href="file:///C:/Users/greenleer/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/81T8S0BH/AB%202018-03%20Advisory%20Bulletin%20on%20Advances%20Pricing.docx">[4]</a> Examiners will assess the safety and soundness of the FHLBank's funding and hedging strategy separately.<a href="file:///C:/Users/greenleer/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/81T8S0BH/AB%202018-03%20Advisory%20Bulletin%20on%20Advances%20Pricing.docx">[5]</a> Note that the regulation requires reference to the marketplace for the cost of issuing debt with terms that mirror those of the advance, but does not require consideration of actual funding choices or the actual use of other sources of funds such as capital.<a href="file:///C:/Users/greenleer/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/81T8S0BH/AB%202018-03%20Advisory%20Bulletin%20on%20Advances%20Pricing.docx">[6]</a> The regulation requires that a FHLBank price advances above the cost of funds, as determined by the price of matching debt.  However, the regulation does not prohibit a FHLBank from using a more expensive cost of funds to determine prices.  The spread above the more expensive cost of funds will necessarily exceed the required cost of funds.  The Bank may choose a more expensive cost of funds in the case where it is more easily measured than the required cost of funds.

8/6/2018 8:17:27 PM

Home / Supervision & Regulation / Advisory Bulletins / Advances Pricing Advisory Bulletin This Advisory Bulletin provides Federal Housing Finance Agency (FHFA) guidance to the

5150

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

FHLBank Use of Models and Methodologies for Internal Assessments for Mortgage Asset Credit Risk

19302

FHL Banks

4/26/2018 4:00:00 AM

AB 2018-02

<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"> ADVISORY BULLETIN AB 2018-02 FEDERAL HOME LOAN BANK USE OF MODELS AND METHODOLOGIES FOR INTERNAL ASSESSMENTS OF MORTGAGE ASSET CREDIT RISK </td></tr></tbody></table> PurposeThis Advisory Bulletin provides Federal Housing Finance Agency (FHFA) guidance for Federal Home Loan Bank (Bank) use of models and methodologies to assess credit risk associated with mortgage assets, including Acquired Member Asset (AMA) mortgage pools, mortgage-backed securities (MBS), and collateralized mortgage obligations (CMOs), as required by FHFA regulations.  This guidance supplements more general guidance issued by FHFA on model risk management by describing minimally acceptable criteria in selecting a mortgage asset credit risk model and the associated input of a macroeconomic stress scenario to be used in assessing mortgage asset credit risk.<a href="#footnote1">[1]</a> As applied to Bank acquisitions of AMA, the guidance provides criteria that a Bank should consider when selecting a mortgage asset credit risk model to use to document its compliance with the requirement imposed by 12 CFR § 1268.5(f).  The AMA rule requires that a Bank shall use an appropriate model and methodology for estimating the amount of credit enhancement for an asset or pool.     As applied to Bank investments in MBS and CMOs, the guidance provides criteria a Bank should consider when selecting and using a mortgage asset credit risk model and stress test to document its determination that the credit risk associated with such assets is consistent with those assets being deemed to be of "investment quality," as is required by 12 CFR §§ 1267.1 and 1267.3(a)(3).     Effective DateEffective, January 1, 2019, FHFA will consider a Bank's use of models and methodology for internal assessments of mortgage asset credit risk to be satisfactory if the Bank's use of models and methodology meets the criteria described in this Advisory Bulletin. Background AMA Model and Methodology RequirementIn July 2000, the Federal Housing Finance Board (Finance Board) adopted a regulation governing the Banks' mortgage acquisitions – the AMA rule.  The rule established that for each AMA product, the Banks shall have a credit risk-sharing (enhancement) structure with the member participating financial institution to enhance the credit quality of the pool of loans to at least that of a Nationally Recognized Statistically Ratings Organization (NRSRO) equivalent of investment grade, i.e., triple-B or better.<a href="/SupervisionRegulation/AdvisoryBulletins/Pages/FHLBank-Use-of-Models-and-Methodologies-for-Internal-Assessments-for-Mortgage-Asset-Credit-Risk.aspx">[2]</a>  The AMA rule also required that Banks determine the amount of the member-provided credit enhancement by using a methodology that is confirmed in writing by an NRSRO to be equivalent to one that an NRSRO would use in rating a comparable pool of assets.<a href="#footnote3">[3]</a>  In December 2016, FHFA amended the AMA rule primarily to remove references to NRSROs.<a href="#footnote4">[4]</a>  Consequently, FHFA replaced the requirement that the methodology to determine the credit enhancement be equivalent to that used by an NRSRO with a more general requirement that the Bank use a model and methodology that it determines to be appropriate.  The amount of the credit enhancement determined by the Bank's model and methodology, however, must result in the pool or asset being at least "AMA investment grade."  12 CFR § 1268.5(a), (b).  For an item to be AMA investment grade, the Bank must have determined, based on a documented analysis, that it has a high degree of confidence "that it will be paid principal and interest in all material respects, even under reasonably likely adverse changes to expected economic conditions."  Id. at § 1268.1.  The regulations further require a Bank, upon request, to provide FHFA information about its model and methodology, and reserved to FHFA the right to direct a Bank to make changes to its model and methodology.  Id. at § 1268.5(f).  Mortgage-related SecuritiesBanks are separately authorized to acquire other types of investments, including MBS and CMOs.  Until 2014, the regulations had required that such acquisitions have an NRSRO credit rating of investment grade, i.e., triple-B or better.  FHFA amended the regulation to remove all references to NRSROs and NRSRO credit ratings, and to require instead that such instruments be of "investment quality."  12 CFR § 1267.3(a)(3).  The term "investment quality" refers to a determination by a Bank, based on a documented analysis, that full and timely payment of principal and interest is expected, and that adverse changes in economic and financial conditions during the projected life of the instruments will only cause minimal risk of such payments not occurring.  Id. at 1267.1.  Although the investment regulations do not specifically set any requirements as to the model or methodology a Bank should use to make that determination, FHFA expects that Banks will use their models and methodologies in a similar manner when assessing the credit quality of both AMA and mortgage-related securities.  Due Diligence in Acquiring Mortgage AssetsBeyond those specific regulatory requirements, Banks also should assess the market and credit risks associated with any asset they may acquire, for prudential reasons.<a href="#footnote5">[5]</a>  With respect to the credit risk of mortgage assets, including MBS and CMOs, FHFA expects that a Bank would make those assessments based on its own analyses, rather than by relying solely on a credit rating provided by an NRSRO or other third party vendor.  The accepted practice within the mortgage industry for making such an assessment of credit risk is to use a mortgage asset credit risk model and any other models that might be necessary to account for credit enhancements, such as those provided through a CMO subordination structure.   ScopeThe Advisory Bulletin applies to Banks that acquire AMA loans or any other single-family residential mortgage assets, MBS, or CMOs.  Mortgage-related assets that are guaranteed as to the payment of principal and interest by the United States government or by an entity that is operating with capital support or other form of direct assistance from the United States government, currently including Fannie Mae and Freddie Mac, are considered by FHFA to present zero credit risk and, therefore, are excluded from the scope of this Advisory Bulletin.  Certain legacy mortgage-related assets for which a Bank can demonstrate a de minimis credit risk also are excluded from the scope of this Advisory Bulletin.  The criteria for excluding such assets are described below. GuidanceIn order to be reasonably assured that they can accurately assess the credit risk associated with their mortgage-related investments, the Banks should use a mortgage asset credit risk model that is sufficiently robust to produce meaningful loss estimates.  Mortgage asset credit models are commonly used to assess credit risk at the loan level.  Such models account for a wide variety of risk factors, including both underwriting information and macroeconomic scenarios.  The underwriting information generally includes borrower information (e.g., credit score, owner or investor, debt-to-income ratio) and loan specific information (e.g., interest rate, loan-to-value ratio, loan size, loan age).  The macroeconomic scenarios generally include house price and interest rate scenarios extending out for the life of the loans.  Credit enhancements, such as insurance, recourse structures, or subordination, are typically accounted for through a separate model or exercise applied to the initial estimates of credit loss.  FHFA would consider a mortgage asset credit model that meets the criteria described below as able to produce results that could satisfy the regulatory requirements. Selecting a Mortgage Asset Credit Risk ModelA Bank should select a credit risk model that is capable of producing loan-level estimates of potential credit loss, and that can accept as an input user-defined macroeconomic stress scenarios disaggregated to at least the state level.  Such models are made available by third-party vendors and are commonly used by mortgage market participants.  Available vendor-supplied credit models, however, may differ in model structure and, importantly, in the historical data sets used to estimate the model coefficients, all of which can result in differences in estimates of prepayment speeds and credit loss for an identical pool of loans.  Consequently, the Bank should consider, for example, selecting a model constructed using data from loans generally similar to those typically acquired by the Bank, such as conforming loans.  Alternatively, a Bank, or consortium of Banks, could develop and administer a similarly capable, credit risk model.<a href="#footnote6">[6]</a>  Macroeconomic ScenariosA Bank should ensure that its model includes appropriate macroeconomic stress scenarios.  The scenarios incorporated into a mortgage asset credit risk model should include several key factors that will affect the borrowers' prepayment decisions and their ability to make timely payment of principal and interest, as such factors will affect the probability of default.  At a minimum, the key factors should include projected paths of house price levels and interest rates.<a href="#footnote7">[7]</a>  The most important factor affecting credit loss estimates is the level of house prices because a change in the value of the property that secures a mortgage loan will not only affect the probability of default, but also, and more importantly, is the principal risk factor affecting estimates of the loss-given-default on mortgage loans.  If a borrower defaults on the loan when the market value of the property that secures it is greater than the remaining amount of the loan (plus transaction costs), then typically the property can be sold to repay the loan at little or no loss to the mortgage holder.  Consequently, credit loss (loss-given-default) on a mortgage loan will generally occur only in locations where, subsequent to origination, house price levels have fallen in nominal terms.  The model's scenarios also should allow for different house price paths by geographic location because house price appreciation and depreciation can vary, and historically have varied, significantly across geographic regions, including at the state and MSA levels.  For example, a defaulted loan in a location where house price levels have fallen may result in significant credit loss while an otherwise identical defaulted loan, at the same moment in time but in a different location where house price levels have been stable, may not generate a loss.  So, while a credit model should identify loans that, because of borrower or loan risk factors, are at a high risk of default, whether those defaults would result in credit losses will depend on the movement in house prices. Macroeconomic scenarios used in credit risk models are typically either baseline or stress scenarios.  A baseline scenario can be used when estimating expected losses.  Estimates of expected loss are used for purposes of mortgage asset pricing, and for determining the member's risk-sharing obligations, as required in AMA programs.<a href="#footnote8">[8]</a>  In generating a baseline scenario, common practice is to project house price and interest rate paths that revert to anticipated long-run trend levels and growth rates, and either cycle about or remain at such trends for the duration of the loans.  Historical data typically are used to generate such trends.  The house price component of the baseline scenario, as represented by a house price index (HPI), should be disaggregated to at least the state level, and not at the national level.  The interest rate component can be determined at the national level. A stress scenario is used when estimating stress losses.  A Bank can use stress-loss estimates to determine an appropriate level of economic capital that should accompany any asset purchase.<a href="#footnote9">[9]</a>  A Bank should establish an appropriate level of economic capital when determining whether a particular investment is permissible.  It also should do so when conducting its due diligence in connection with any asset acquisition.  As with the baseline scenario, the HPI component of the stress scenario should be disaggregated to at least the state level, and not at the national level.  The interest rate component can be determined at the national level.  Determining a Stress ScenarioDetermining the HPI path for a stress scenario is particularly challenging because the scenario should anticipate the degree to which HPI could fall from its current levels, which is not always bounded by historical precedent.  For example, as observed during the prior financial crisis, HPI in certain states fell from its peak by a greater percentage than had occurred previously, based on all available HPI data.  In seeking to address that possibility, FHFA has developed an approach that demonstrates how economic fundamentals can be used to support a rules-based methodology for determining stress scenarios that dynamically adjust the severity of the HPI shock to current market conditions, and that, as unprecedented current conditions might one day warrant, could result in HPI shocks more severe than any observed historically.  FHFA makes its stress scenarios publicly available on a quarterly basis.<a href="#footnote10">[10]</a>  The FHFA stress scenarios meet all of the following criteria:  <ul><li>The methodology to determine the HPI path is rules-based or objectively determined, not discretionary, which ensures that it will be consistently applied across time and region.  </li><li>The HPI downward shock is determined on a regional (state or MSA) basis.</li><li>The HPI downward shock is based on economic fundamentals that are reflective of current market conditions relative to long-term trend, such that it results in stress-loss estimates applicable to new acquisitions that are increasing as HPI rises further above its long-term trend, and decreasing as HPI falls to or below its trend.</li><li>The downward path of the HPI shock begins on day one of the scenario and reaches its lowest point in real terms no later than three years beyond day one of the scenario.  Such a pattern should ensure that the Bank would know the potential stress losses, or the full amount of economic capital the mortgage asset should ever require, as of the day the Bank acquires it.</li><li>The depth of the HPI shock shall extend to a proportion below long-run trend that at least equals the lowest such proportion observed for that geographic region during the prior 40 years.</li><li>The interest rate shock reflects Federal Reserve Board policy as applied during the prior financial crisis, and applied at the national level.  In effect, rates decline over a short period to very low levels and then remain at the lower level for a number of years. </li></ul>For purposes of determining an appropriate amount of economic capital, and to adhere to Advisory Bulletin 2013-07, a Bank may elect to use the FHFA methodology or stress scenarios in assessing the credit risk associated with its mortgage-related assets.  Alternatively, a Bank may develop its own methodology and stress scenarios.  If a Bank does so, however, FHFA expects the Bank's methodology to be consistent with that described herein, and that the shocks used would be no less severe at the state level than under the FHFA scenarios.  A Bank that develops its own methodology also should be able to demonstrate that the loss estimates for its current book of mortgage-related assets produced by the Bank's own stress tests are at least as severe on a state-by-state basis as those produced using the FHFA stress scenarios. Credit EnhancementsMortgage assets of all types can be credit-enhanced through a variety of means, including insurance, recourse arrangements, and subordination as it may be structured in a CMO.  Such credit enhancements serve to reduce the Bank's exposure to credit risk.  Consequently, a Bank should subtract from its estimates of expected and stress credit losses any amounts that the Bank can reasonably expect to receive as compensation for such credit losses from its various credit enhancement arrangements.  In assessing what amounts of credit enhancements a Bank may reasonably expect to receive, the Bank should take into consideration the creditworthiness of any counterparty providing the credit enhancement, the extent to which the credit enhancement may be secured, and the waterfall of payment priorities embedded in the credit enhancement arrangement, such as in a subordination structure.  Exclusion of Certain Legacy Private Label MBS  Certain of the Banks continue to own small portfolios of privately issued mortgage-backed securities (Private Label MBS), most of which were acquired prior to 2008.  For those Banks, the costs associated with modeling those assets in accordance with this Advisory Bulletin may outweigh the benefits likely to result from doing so.  For that reason, this Advisory Bulletin allows a Bank to exclude its Private Label MBS from the scope of this guidance if the Bank can demonstrate that the stress loss estimates for the portfolio would be de minimis.  FHFA will regard stress loss estimates as de minimis by reference to either of two thresholds.  First, the stress loss estimates for a Bank's Private Label MBS portfolio may be de minimis if the current unpaid principal balance of that portfolio is less than 10 percent of the Bank's current permanent capital.  Second, the stress loss estimates may be de minimis if the Bank, using the methodology described in this bulletin, has estimated that the stress losses associated with the Private Label MBS portfolio are less than two percent of the Bank's current permanent capital.  A Bank that can demonstrate either measure is below the corresponding threshold may reasonably assume a zero credit risk exposure, and thus a zero economic capital charge for that portfolio.  For purposes of this paragraph, the term Private Label MBS includes only those instruments owned by a Bank as of the date of this Advisory Bulletin.  Determining Estimated Losses for Securities that Cannot Be ModeledIf a Bank owns a mortgage-related security for which the underlying loan-level data needed to model the stress losses in accordance with this Advisory Bulletin is either insufficient or unavailable, the Bank may use a proxy to estimate the credit losses associated with that security.  One approach to estimating those losses would be to determine whether the mortgage loans underlying the security and the structure of the security are similar to any other mortgage-related securities that the Bank owns and for which sufficient loan-level data is available to model.  In that case, a Bank could model the estimated loss percentage (of unpaid principal balance at origination) for each of those other similar securities and then use an average of those estimated loss percentages as a proxy for the security for which sufficient data is lacking, even if doing so resulted in an estimate of zero credit losses for the security.  If, however, a Bank does not own any mortgage-related securities with loan pools and security structures that are similar to the data-deficient security, it could use any other mortgage-related securities that it owns and for which sufficient loan-level data is available to develop an alternative proxy.  In that case, a Bank could calculate the average of all of the non-zero estimated credit loss percentages for those other securities and use that average as a reasonable estimate of the credit loss percentage associated with the data-deficient security.  ______________________________________ <a name="footnote1">[1]</a> See FHFA <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/AB-2013-07-Model-Risk-Management-Guidance.aspx">Advisory Bulletin 2013-07</a>, "Model Risk Management Guidance". <a name="footnote2">[2]</a> 65 Fed. Reg. 43969 (July 17, 2000).  <a name="footnote3">[3]</a> 12 CFR 955.3(a) (2001).  <a name="footnote4">[4]</a> 81 Fed. Reg. 91674 (Dec. 19, 2016).  FHFA amended the AMA rule to comply with Section 939A of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, which requires federal agencies to remove from regulations all references to, or requirements based on, ratings issued by NRSROs. <a name="footnote5">[5]</a> Specifically, like any financial institution, each Bank should assign and provide for sufficient economic capital to ensure solvency of the Bank aside from regulatory capital requirements. <a name="footnote6">[6]</a> As an example, see "FHFA Mortgage Analytics Platform," a white paper released by FHFA on July 10 2014, located at:   <a href="/PolicyProgramsResearch/Research/PaperDocuments/FHFA_MortgageAnalyticsPlatform_Whitepaper.pdf">https://www.fhfa.gov/PolicyProgramsResearch/Research/PaperDocuments/FHFA_MortgageAnalyticsPlatform_Whitepaper.pdf</a>  <a name="footnote7">[7]</a> Some mortgage asset credit risk models also accommodate including projections of GDP and/or unemployment in the macroeconomic scenario.  FHFA research has found that, as long as HPI paths are included, also including projections of GDP and unemployment will add little to the stress loss estimates, and therefore is not necessary.   <a name="footnote8">[8]</a> AMA participating financial institutions must bear the direct economic consequences of actual credit losses for AMA assets sold to the Banks from the first dollar of loss up to the amount of expected losses, or immediately following expected losses in an amount equal to or exceeding expected losses. See 12 CFR § 1268.5 (c)(1)(i). <a name="footnote9">[9]</a> Economic capital is calculated internally by the entity and is the amount of risk capital needed to ensure the survival of the firm in a stress or worst-case scenario.  It is meant to be the firm's own view of a realistic measure of risk, and could be greater or less than regulatory risk-based capital requirements.<a name="footnote10">[10]</a> The scenarios and working papers that describe the economic-based methodology used to derive the scenarios are available at:  <a href="/DataTools/Downloads/Pages/Countercyclical-Stress-Paths.aspx">https://www.fhfa.gov/DataTools/Downloads/Pages/Countercyclical-Stress-Paths.aspx</a> <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">Advisory bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks. Questions may be directed to<a href="mailto:SupervisionPolicy@fhfa.gov"> SupervisionPolicy@fhfa.gov</a>. </td></tr></tbody></table>

4/26/2018 7:00:27 PM

Home / Supervision & Regulation / Advisory Bulletins / FHLBank Use of Models and Methodologies for Internal Assessments for Mortgage Asset Credit Risk Advisory Bulletin

5200

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Scenario Determination for Market Risk Models Used for Risk-Based Capital

19313

FHL Banks

2/7/2018 5:00:00 AM

AB 2018-01

<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">ADVISORY BULLETINAB 2018-01 SCENARIO DETERMINATION FOR MARKET RISK MODELS USED FOR RISK-BASED CAPITAL </td></tr></tbody></table> Purpose This Advisory Bulletin (AB) provides Federal Housing Finance Agency (FHFA) guidance for Federal Home Loan Bank (Bank) determinations of market risk scenarios that are incorporated into the Banks’ internal market risk models, as required under the market risk capital requirement of the risk-based capital regulation.<a href="#footnote1">[1]</a> This guidance supersedes both Advisory Bulletin 03-10, Guidance on Value-at-Risk Modeling, October 06, 2003 (as modified on July 22, 2016), and Revised Technical Guidance for Calculation of Market Risk Capital Requirement, April 25, 2013, both of which are hereby rescinded, effective as of November 1, 2018. The capital regulation requires that a Bank’s internal model use market risk scenarios that meet certain minimum requirements. Such scenarios must be satisfactory to FHFA, be historically-based, and represent changes in market environments observed over 120 business-day periods that are drawn from the period that starts at the end of the previous month and that goes back to 1978. The shocks are to be applied to the current market environment. Prior guidance has authorized the Banks to apply the historically observed changes in market environments as either proportional (percentage) shocks or “haircut” shocks (as described in AB 03-10), and to exclude scenarios that draw upon pre-1992 data (as described in the Revised Technical Guidance).In light of recent methodological developments by FHFA for determining market risk scenarios, FHFA has determined that the continued use of either proportional shocks or haircut shocks to the Banks’ internal market risk models will no longer be deemed to be satisfactory to FHFA, as required by the regulation. Instead, FHFA will now consider as satisfactory the application of absolute shocks that are subject to appropriate constraints that are designed to ensure the plausibility of the scenarios. As described below, a Bank may choose from any of the following three options: (1) use the scenarios provided by FHFA that already incorporate such constraints; (2) use the methodology developed by FHFA to implement such constraints; or (3) develop and apply a Bank version of a methodology and constraints, which must be subject to FHFA review. Given that the scenarios must be representative of periods of the greatest market stress, and that the 2008 financial crisis represents those periods, the guidance also allows Banks to exclude scenarios that draw upon pre-1998 data. Background Overview In January 2001, the Federal Housing Finance Board (Finance Board), adopted a regulation governing the Banks’ risk-based capital requirements, which included a market risk requirement. The rule established criteria to which a Bank must adhere in generating historically-based market risk scenarios to incorporate into the Bank’s internal market risk model.The rule requires the Banks to generate scenarios that represent changes in market interest rates, interest rate volatility (volatility), and the shape of the yield curve equivalent to those observed over 120 business-day periods of market stress going back to 1978. To do so, the Banks must measure historical changes in rates (including volatility and curve shape), and apply them as shocks to the current rate environment. There are two basic approaches for doing this: either by converting the historical rate changes to proportional changes (shocks) and then imposing the proportional shocks on the current rates; or by applying the absolute measure of changes in historical rates as shocks to the current rates.One advantage of the proportional shock approach is that it cannot result in scenarios with implausible negative rates, whereas absolute shocks could do so when current rates are lower than the scenario historical rates. Under those same circumstances, however, converting a historical shock to a proportional shock may mute the shock to an extent that it is not very stressful, and hence not meaningful in assessing risk. In a similar fashion, should current interest rates well exceed the scenario historical rates, converting the shock to a proportional shock may effectively amplify the shock to be unreasonably stressful. Scenarios based on historical absolute rate changes are not amplified or muted. Thus, absolute shocks are not a concern in a high current rate environment. Finance Board Permissions In 2001, the Finance Board lacked a robust method to address the disadvantages of both the proportional and absolute shock approaches. Because interest rates in 2001 were not excessively high or low by historical standards, the Finance Board allowed that the disadvantages of using proportional shocks would be minimal for some time and, therefore, permitted the Banks to apply that approach. In 2002, the Finance Board developed the haircut method, intending to address potential disadvantages of both the proportional and absolute shock approaches, and permitted the Banks to apply that approach as an alternative to the proportional shock approach.Recent developments have given FHFA reason to revisit its previous determinations that the use of the proportional and haircut shock approaches would be satisfactory means of generating the scenarios that are needed to comply with the market risk regulation. Specifically, the extended period of very low current interest rates has made more apparent the disadvantages of using the proportional shock approach. Also, FHFA has reviewed updated estimates of the statistical relationships that underlie the haircut method, and found them to be only weakly significant at best, suggesting that the haircut shock approach also may be deficient. Contemporaneously with these developments, FHFA has devised a new approach, based on parsimonious factorization (PF), to address the potential disadvantages, and hence the viability, of using the absolute shock approach. FHFA staff working papers on the PF approach are available on the FHFA website and published in peer reviewed professional journals, and provide the reasoned basis for the approach FHFA is taking in this guidance.<a href="#footnote2">[2]</a> ScopeThis Advisory Bulletin applies only to the Banks. Guidance Interest Rate and Market Price Scenario ConstructionFHFA is rescinding AB 03-10 and will no longer deem the use of proportional or haircut measures of historical interest rate shocks to be satisfactory methods of generating the scenarios needed to comply with the market risk capital requirement. Subsequent to November 1, 2018, FHFA will consider interest rate and market price scenarios that a Bank incorporates into its internal market risk model to be satisfactory if they meet the following criteria: (1) the scenarios are based on historical absolute interest rate changes, as applied to current interest rates; (2) the historical shocks represent changes in interest rates and market conditions observed over 120 business-day periods, and the methodology to apply those shocks to current interest rates incorporates the constraints described herein; (3) the scenarios encompass shocks to interest rate volatility that reflect the historical relationship between interest rates and volatility; and (4) for assets backed by residential mortgage loans,<a href="#footnote3">[3]</a> the scenarios include shocks to option-adjusted spreads (OAS).Each calendar quarter, FHFA will generate scenarios using the PF method and will make those scenarios available to the Banks. In addition, FHFA will provide the associated computer code to any Bank upon request. Thus, a Bank may either use the FHFA generated scenarios, or may use the FHFA code to generate its own scenarios for its market risk model. Alternatively, a Bank may develop its own methodology to generate the scenarios, provided that the Bank first demonstrates to FHFA that its approach also is based on absolute measures of historical shocks and includes appropriate constraints to ensure that the resulting scenarios are plausible and maintain the integrity of the historical shock in a manner that is similar to shocks produced using the PF method, and are therefore reasonable ways to implement the requirements of the regulation. <div> Constraints to Ensure Scenario PlausibilityStress test scenarios must represent plausible market conditions if they are to be used to estimate meaningful risk-based capital requirements. Because any method used to generate absolute shocks could produce scenarios with implausible characteristics, such as negative nominal rates, negative forward rates, and unlikely spreads between government and non-government rates, such methods must include appropriate constraints on the generation of the absolute shocks to eliminate such implausible outcomes. Such constraints, however, also should be designed in such a manner that they do not undermine the integrity of the historical representation of the interest rate shock. The PF method achieves both of those objectives because it accommodates the imposition of such constraints with only minimal effects on the integrity of the historical representation of the shock. The PF method achieves this outcome because it embeds the constraints to be considered simultaneously to the generation of the shock, rather than imposing the constraints as follow-on corrections to the shock. Relevant Historical ObservationsThe current capital regulation provides that “the relevant historical observations should be drawn” from a period that begins in 1978. In 2001, when the rule was written, it was necessary to go back that far to ensure that the periods of the greatest potential market stress were included in the market risk scenarios. In 2013, FHFA permitted the Banks to use historical observations that began in 1992, reasoning that, since the 2008 financial crisis, scenarios drawing from market events of the 1980s no longer represented periods of the greatest market stress. That action was consistent with the requirement in the capital regulation that both the number of historical observations and the specific observations shall be satisfactory to FHFA. More recently, FHFA has concluded that historical data prior to 1998 lacks some of the key elements currently used to generate stress scenarios. For example, information pertaining to interest rate caps and floors, which currently is used in calculating volatility shocks, is not widely available for time periods prior to 1998. Moreover, FHFA has determined that post-1997 data is sufficient to produce appropriately robust scenarios. Consequently, FHFA will consider as satisfactory any historical observations drawn from the period that starts at the end of the month preceding the calculation date and goes back to the beginning of 1998. Scenario SamplingFHFA is mindful of the operational burdens that may be associated with incorporating all of the scenarios from the relevant historical period into the market risk models, and believes that it would be possible for a Bank to use an appropriately selected sample of those scenarios without compromising the quality of the model’s results. Accordingly, this bulletin will allow the Banks the option of using a sampling of scenarios to be identified by FHFA in lieu of using all of the scenarios from the relevant historical period. Periodically, FHFA will identify at least 100 historical scenarios that FHFA believes represent the most stressful shocks to market conditions, and will provide that information by letter to the Banks. FHFA will consider any market risk model that incorporates all of those historical scenarios to be satisfactory, for purposes of the market risk capital regulation. A Bank also may include scenarios of its choosing in addition to those identified by FHFA. <div> One Percent Probability of LossThe current regulation states that the market risk capital requirement shall equal the estimate of the market value of the Bank’s portfolio at risk, such that the probability of a loss occurring that would be greater than the estimated loss shall be no more than one percent.<a href="#footnote4">[4]</a> The Finance Board recognized that because the scenarios are historically based, the distribution of outcomes cannot be known with certainty, and thus there is no way for a Bank to mathematically identify a number representing any given percentile of the distribution. Consequently, the Finance Board allowed the Banks to use the outcome that was associated with the scenario that was closest to the 99th percent worst scenario, in terms of rank order, as a proxy for the one percent requirement. That approach, however, would become problematic if used in connection with scenario sampling, as described above. That approach also effectively ignores information on market risk that would be contained in the tail of the distribution of outcomes. To address those shortcomings, FHFA is replacing the existing method of calculating the proxy for the one percent requirement with a method that is based on an average of worst outcomes. Accordingly, FHFA will deem a Bank’s stress scenarios to be satisfactory if a Bank sets its proxy requirement based on an average of the five worst (tail) outcomes, and will not consider the previous rank-order proxy approach to be a reasonable implementation of the regulation. Periodically, FHFA will inform the Banks by letter whether and what weights are reasonable to apply to the tail outcomes in determining the average. Stability of Implementation ConsiderationsA Bank’s market risk management is informed not only by estimates of potential losses, but also by the trend or movement in those estimates over time. Discerning such trends is made more difficult if key aspects of the methodology are adjusted frequently or significantly over time. Such key aspects of the methodology would include, for example, the size or composition of the sample scenarios to be identified by FHFA and the method used to set the one percent probability of loss requirement based on the scenario outcomes. Consequently, FHFA will endeavor to make such adjustments only infrequently and will notify the Banks at least one full calendar quarter prior to implementing any such adjustments, unless supervisory considerations require FHFA to implement the adjustments on shorter notice. </div></div><hr width="25%" align="left" /><a name="footnote1">[1]</a> See 12 CFR § 932.5 (b)(4). FHFA has issued a proposed rule which, if adopted as a final rule, would revise and relocate the market risk capital regulations to 12 CFR § 1277.5(b)(4). <a name="footnote2">[2]</a> See, Bogin, Alexander N. and Doerner, William M. "Generating Historically-Based Stress Scenarios Using Parsimonious Factorization." Journal of Risk Finance, 15(5), 591-611, 2014. Originally published as FHFA Working Paper 13-02. <a href="http://www.emeraldinsight.com/doi/abs/10.1108/JRF-03-2014-0036">http://www.emeraldinsight.com/doi/abs/10.1108/JRF-03-2014-0036</a> . See also, Bogin, Alexander N., Doerner, William M., and Polkovnichenko, Nataliya, "Overlooked Market Risk Shocks: Prepayment Uncertainty and Option-Adjusted Spreads." Journal of Fixed Income, 26(2), 5-15, 2016. Originally published as FHFA Working Paper 15-03. <a href="http://www.iijournals.com/doi/abs/10.3905/jfi.2016.26.2.005">http://www.iijournals.com/doi/abs/10.3905/jfi.2016.26.2.005</a> . <a name="footnote3">[3]</a> For these purposes, the term “residential mortgage loans” includes those secured by both single-family and multi-family properties. Mortgage related assets that should be subject to the OAS shocks include: (1) repos, if backed by TBAs, (2) AMA mortgage loans, (3) agency securities backed by MBS, CMO, DUS, and HECM loans, (4) State Housing Agency Bonds, and (5) private label mortgage-backed securities. The only other assets that should be subject to the OAS shocks are asset-backed securities representing interests in federally guaranteed student loans. <a name="footnote4">[4]</a> The estimated market value loss with a one percent probability is necessarily associated with a future time horizon over which the loss is expected to occur. Because the market risk shocks to be applied by the Banks are based on six-month changes in historical rates, six months is the appropriate time horizon for the Banks to use in the model validation process, especially back-testing. Back-testing value at risk models involves comparing estimated losses with the actual losses realized at the end of the specified time horizon. This comparison identifies periods where the model overestimates value at risk or where actual losses are greater than projected levels. <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">Advisory bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters. For this Advisory Bulletin, contact your respective Examiner-in-Charge if you have questions or comments. </td></tr></tbody></table>

2/14/2018 3:33:24 PM

Home / Supervision & Regulation / Advisory Bulletins / Scenario Determination for Market Risk Models Used for Risk-Based Capital Advisory Bulletin The shocks are to be applied

5066

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Acquired Member Asset Price Risk Governance

19344

FHL Banks

11/21/2017 5:00:00 AM

AB 2017-03

11/21/2017 10:03:37 PM

Home / Supervision & Regulation / Advisory Bulletins / Acquired Member Asset Price Risk Governance Advisory Bulletin This Advisory Bulletin provides Federal Housing Finance

4083

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Information Security Management

19305

All

9/28/2017 4:00:00 AM

AB 2017-02

<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">ADVISORY BULLETINAB 2017-02 INFORMATION SECURITY MANAGEMENT </td></tr></tbody></table> Purpose This advisory bulletin (AB) provides Federal Housing Finance Agency (FHFA) guidance on information security management for supporting a safe and sound operational environment and promoting the resilience of Fannie Mae, Freddie Mac, the Federal Home Loan Banks, and the Office of Finance (OF) (collectively, the regulated entities <a href="#ref1">[1]</a>). The guidance in this AB is applicable to the regulated entities and is based on current regulatory and industry standards. It does not prescribe specific standards or technology solutions, but describes three main components of an information security program (program). Each regulated entity should use a risk-based approach across key areas listed below to meet FHFA supervisory expectations: I. Governance <blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;">A. Roles and ResponsibilitiesB. Risk AssessmentsC. Industry StandardsD. Cyber-Insurance</blockquote>II. Engineering and Architecture<blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;">A. Network SecurityB. Software SecurityC. Endpoints</blockquote>III. Operations<blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;">A. Continuous MonitoringB. Vulnerability ManagementC. Baseline ConfigurationD. Asset Life CycleE. Awareness and TrainingF. Incident Response and RecoveryG. User Access ManagementH. Data Classification and ProtectionI. Third-Party OversightJ. Threat Intelligence Sharing</blockquote><div> </div>This AB on information security management supersedes AB 2014-05 (Cyber Risk Management Guidance) and the Office of Federal Housing Enterprise Oversight Policy Guidance PG-01-002 (Safety and Soundness Standards for Information). Background Effective information security management protects the availability, integrity, and confidentiality of information in both electronic and physical form.  Information security management encompasses the management of cyber risk, which focuses on protecting systems, operating locations, and risk related to cyber threats.   The frequency and sophistication of information security threats to the financial services industry increases the importance of information security management.  Information security incidents can compromise sensitive, confidential, or personally identifiable information.  Such incidents can affect the integrity and availability of business critical information and systems and expose an institution to risk.  Each regulated entity’s risk appetite, policies, operational and technological practices, third-party relationships, governance structure, and the level of involvement of the board of directors (board) and senior management should support effective information security management.  FHFA’s guidelines for safe and sound operations are set forth in the Prudential Management and Operations Standards (PMOS) at 12 CFR Appendix to Part 1236.  Three relevant PMOS articulate guidelines for the board and management when establishing internal controls and information systems (Standard 1), overall risk management processes (Standard 8), and maintenance of adequate records (Standard 10). Guidance FHFA expects the regulated entities to protect their information technology (IT) environments using a risk-based approach to determine the appropriate activities to include in a comprehensive program.  The regulated entities may use third parties to perform information security activities, but that does not diminish their information security responsibilities.  Although information security risks cannot be eliminated, they can be managed safely and soundly. I. Governance Management at each regulated entity should align the program with the regulated entity’s enterprise risk management framework.  The program should be comprehensive, involve board participation, and include repeatable and executable processes for managing information security risks and incidents.  Each regulated entity should periodically evaluate its approach and appropriately document its program, ensuring that documentation is updated regularly to reflect changes to the program. <blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;">A. Roles and Responsibilities</blockquote>The board is responsible for maintaining and prioritizing a strong information security culture, providing oversight of senior management’s information security risk management activities, and reviewing and approving the information security risk appetite and program.  Delegation of any of these activities to a board-level committee does not relieve all board members of their responsibility to remain informed about how their entity’s information security management practices appropriately address potential risks, consistent with the established risk appetite.  Senior management is responsible for establishing and implementing a program consistent with the regulated entity’s risk appetite, developing and implementing policies, and supporting the board’s oversight responsibilities.  The program should include procedures, guidelines, and periodic self-assessment activities, and should be proportional to the information security risks at institutional, business, and operational levels.  Senior management should periodically evaluate and update the program, particularly when new risks or program weaknesses are identified.  Furthermore, senior management should establish and maintain information security policies that prioritize information security management efforts in alignment with risk appetite, strategies, goals and objectives, escalation and security incident management procedures, and processes for how to assess and respond to information security risks and incidents. Senior management should report to the board at least annually on the overall status of the program; any significant issues with their entity’s adherence and exceptions to applicable requirements and guidance; and significant emerging risks, strategies, and other information to ensure that information security management practices appropriately address potential risks.  Management reports should address issues such as risk assessments, risk management and control decisions, third-party relationships, results of testing, security breaches or violations and management’s responses, and recommendations for changes in the program.  A Chief Information Security Officer or equivalent (CISO) should head the program at each regulated entity.  The CISO is responsible for overseeing and reporting on the management and mitigation of information security risks.  The CISO should have appropriate independence, authority, and resources to carry out the responsibilities of the position. <blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;">B. Risk Assessments</blockquote>Each of the regulated entities should conduct periodic risk assessments of its program to identify, understand, and prioritize information security risks relevant to business operations, including assessments of third parties and IT architecture.  Enterprise-wide risk assessments should identify internal and external threats that, alone or in tandem, could result in unauthorized access and subsequent loss, alteration, or exploitation of sensitive, confidential, or personally identifiable information.  The risk assessment should identify the likelihood and potential impact of these threats as well as the residual risk of impact after considering controls and mitigating factors.   As part of risk assessments, each of the regulated entities should identify and prioritize which risks to avoid, accept, mitigate, or transfer.  Periodic information security gap analyses should be conducted and reported to the board with steps to promptly remediate gaps.  Management should also establish and maintain a waiver process that includes risk identification and compensating controls for remediation activities that do not comply with policy. <blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;">C. Industry Standards</blockquote>Each regulated entity’s program should align with appropriate industry standards (e.g., standards promulgated by National Institute of Standards and Technology and International Organization for Standardization) commensurate with the complexity and risk profile of the entity.  Each regulated entity should periodically review its program to verify that it reflects industry standards.  Management should identify and address any gaps between the program and chosen industry standard(s) and should document the rationale for accepted risks. <blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;">D. Cyber-Insurance</blockquote>If the regulated entity uses an insurance policy to transfer part of the financial exposure of an information security incident, management should understand the extent of coverage, conditions of coverage, and requirements governing the reimbursement of claims and report on them to the board.   II. Engineering and ArchitectureSecurity engineering and architecture address risks to an IT environment by building security into an information system.  Each regulated entity should design its information networks, software, and Internet-capable devices at the network boundary commensurate with identified information security risks and consistent with the entity’s risk appetite.  The designs should include defense in depth, access control, and separate production and non-production IT environments.  <blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;">A. Network Security</blockquote>The regulated entities should design their networks to allow for continuously monitored network systems that provide a view into operational controls and include the ability to provide timely remediation.  The design of the network should include network segmentation, proxy hosts, firewalls, demilitarized zones, intrusion detection and prevention systems, security zones, and virtual private networks.  FHFA expects the regulated entities to place log generating devices and sensors throughout their respective networks and feed security logs to a security information and event management device for continuous monitoring. <blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;">B. Software Security</blockquote>Effective software security requires selecting, implementing, and monitoring appropriate controls to restrict end users’ ability to install and modify software.  Each of the regulated entities should integrate application code reviews, security testing, and secure deployment to its development processes.  Each of the regulated entities should also consider other activities such as threat modeling and static code analysis for high-risk, custom application development.  Policies and device and network controls should ensure that users download software only from approved sites.  Each regulated entity should assess and protect against the risks of using open source software (OSS) solutions, including an evaluation of the reliability of the source of the OSS solution.  Such an assessment is particularly important when using OSS without strong support communities.  Each regulated entity should also address user-developed technologies with end-user development policies that include inventory, classification, and testing policies and enforce change and access control.<blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;">C. Endpoints</blockquote>The program should have requirements to secure any organization-owned endpoint using private networks, access control, intrusion detection and prevention, vulnerability scanning, virus protection, and data encryption.  Use of personal devices such as laptops, tablets, and smart phones present security risks that each regulated entity’s program should fully address.  FHFA expects management to establish and maintain policies for all devices with network access, including employee-, contractor-, and guest-owned devices, and to engineer network and software solutions to manage risks associated with these devices.  The programs should require all users of endpoints connected to regulated entity systems to follow such policies and maintain an information security culture.  Restrictions on resources and applications, segregation of personal data from the regulated entity’s data, and real-time monitoring, such as endpoint detection and response capabilities should be incorporated into the program.Each regulated entity’s program should include policies addressing the use of all configurable media and hardware that have access to the regulated entity’s information.  This may include any removable media, personal devices, laptops, printers, and scanners.  The policy should restrict transfers of information to and from removable media to prevent unwanted disclosure of the regulated entities’ information and to protect the IT environment.  III. OperationsSecurity operations provide essential protection of information systems by monitoring, assessing, and defending such systems from threats and harm, and security solutions should be engineered into information systems.  Each regulated entity’s program should apply a defense in depth approach to operational security practices on an ongoing basis, including system monitoring, vulnerability management, baseline maintenance, asset life cycle procedures, staff training, incident response and recovery, access management, data protection, third-party oversight, and threat intelligence sharing.  Additionally, the regulated entities should monitor their physical facilities, including monitoring for exposure to environmental threats. <blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;">A. Continuous Monitoring</blockquote>An effective program should include continuous monitoring of systems to detect anomalies as well as successful and attempted attacks, including unauthorized activity on or intrusion into information systems.  The program should define monitoring procedures, roles, and responsibilities, and a process for evaluating the effectiveness of identified controls.  Operational security monitoring includes network, physical event, and user activity monitoring.  The regulated entities should use operational security monitoring to mitigate the risks of insider threats.   <blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;">B. Vulnerability Management</blockquote>Vulnerability management is an essential component of the program and should include both regular vulnerability assessments and the timely remediation of vulnerabilities that exceed the risk appetite.  Unsupported or out-of-date systems, assets, and applications should be identified, monitored, and addressed within a vulnerability management process.  Patches should be reviewed through a testing and approval process prior to deploying fixes.  Procedures should require management’s approval, impact analysis, and justification for any accepted vulnerabilities or vendor-provided upgrades or patches not implemented internally.  Identified vulnerabilities that present considerable risk require prompt analysis and timely approval and remediation.The regulated entity should regularly test the effectiveness of key controls, systems, and procedures used to protect against information security risks through vulnerability scanning, internal and external audits, and penetration testing.  Management should develop and maintain risk-based policies that define the scope and frequency of regular tests.  The policies should also define triggers, such as significant changes to technologies or a security incident that will result in tests of key controls, systems, and procedures.  Independent parties may conduct and review such tests.  Procedures should be in place to track and independently validate the remediation of identified vulnerabilities.  Results from these tests should inform updates to the program.   <blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;">C. Baseline Configuration</blockquote>The program should include maintenance of accurate and complete inventories of IT assets and systems as well as baseline configurations of assets and systems.  The program should include a formal change management process for baseline configuration adjustments to address such changes.  The regulated entities should establish and maintain security standards for technology platforms and use tools to automatically compare such standards to the actual configuration of deployed assets and notify appropriate person(s) responsible for security operations of any unapproved changes.   <blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;">D. Asset Life Cycle</blockquote>The program should include procedures to define, inventory, maintain, protect, and retire systems and technologies to support continued operations and normal business processes.  Additionally, all systems should have life cycle plans that provide details on procurement, inventory maintenance, ownership, retirement, and disposal.  The program should include procedures requiring documentation of maintenance schedules and repairs on assets in accordance with manufacturer or vendor specifications and internal requirements.  The policies on asset maintenance should also define roles and responsibilities for approving removal of, or changes to, an IT asset, recovery of all information prior to maintenance, and verifying all security controls function after maintenance.   <blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;">E. Awareness and Training</blockquote>Consistent with a strong information security culture, the program should include enterprise-wide information security awareness and training processes appropriate to each of the regulated entities’ systems, size, and complexity.  The program should provide that personnel, including third parties with access to the regulated entities’ IT systems, receive general and role-based training on the policies and procedures governing the use of information systems, potential security threats (e.g., phishing), and how management enforces information security policies.  The board should receive training appropriate with its oversight role.  The program should address the expected frequency of awareness and training events, and role-based training qualifications.  All employees and contractors are responsible for maintaining an information security culture involving the protection of the regulated entities’ information and systems. <blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;">F. Incident Response and Recovery</blockquote>The program should include an incident response plan that documents the triggers, procedures, roles and responsibilities, and resources for eradicating and/or limiting the expansion of an information security incident and minimizing its effects.  Incident response plans should address both physical and cyber events that could affect the availability, confidentiality, and integrity of information.  Repeatable and executable procedures to respond to information security incidents should be proportional to the characteristics of the identified exposures.  These procedures should prioritize and establish resiliency requirements for critical services and dependencies, be rehearsed and tested, identify criteria for escalation and reporting, and define scenarios that would result in the execution of the business continuity program.The incident response plan should include an incident recovery plan that identifies person(s) responsible for initiating the recovery plan, defines criteria that must be met to return compromised services and technology to the network, and explains how to document the decisions and actions taken for future reference.  Recovery operations should reflect mission and business priorities, recovery point/time and reconstitution objectives, and established organizational metrics.  The incident response plan should address how to coordinate communication with internal and external stakeholders about response and restoration activities.  Additionally, incident response and recovery activities should have sufficient follow-up analyses to determine whether procedures were followed and the actions taken were adequate.  These analyses should include investigating detection system notifications, understanding the impact of incidents, performing forensics, and classifying the incidents.  These analyses should use indicators to appropriately quantify the impact of the incident and feed into remediation plans and risk management reporting.  Follow up analyses should identify areas of improvement for future updates to incident response plans.  An independent party (e.g., internal audit or an outside consultant) should periodically validate the implementation and effectiveness of incident response and recovery activities. <blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;">G. User Access Management</blockquote>The program should define policies and procedures to grant, revoke, monitor, and regularly review appropriate access for all users.  Access should be based on the minimum rights required for the identified business purpose, or least privilege.  The program should establish and maintain a process governing access control of and documenting reasons for using shared accounts.  Terminated or transferred users with different role requirements should be removed promptly.  The program should include maintenance of access logs to effectively monitor user activity.User access security controls should include logical and physical access controls, password safeguards, monitoring for unauthorized changes to IT systems or applications, and network encryption as appropriate.  Each regulated entity should consider whether to adopt additional solutions, including segregation of duties, configuration management, change management, identification and authentication management, and background investigation checks.  Operating locations should be physically secured and designed to deny unauthorized access to facilities, equipment, data, and resources.Logical access controls, including remote access management, should restrict remote access usage to that defined in and allowed by relevant policies.  Monitoring of remote access should include the identification of remote access devices that attach to systems.  Furthermore, logical access controls should have security features with an appropriate level of sophistication to authenticate users that connect to the network.  <blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;">H. Data Classification and Protection</blockquote>Each of the regulated entities possesses sensitive, confidential, or personally identifiable information that it needs to protect from loss, alteration, or exploitation.  Classification of such information based on importance and sensitivity should guide their determination of the appropriate level of protection.  Management should establish and maintain policies that address where sensitive, confidential, or personally identifiable information may reside; how to manage and use that information; and how to transmit, transport, protect, and dispose of that information.Each of the regulated entities may protect information through a variety of means, such as using front and back end controls on user access, encryption, verification tools to detect unauthorized changes to data, and data loss prevention measures.  Each of the regulated entities should evaluate the effectiveness of protection and preventative measures regularly. <blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;">I. Third-Party Oversight</blockquote>FHFA expects the regulated entities to understand and manage the risks of third-party access to or maintenance of institutional information.  The information security policies and level of sensitivity and access to information should inform third party security responsibilities.  Each regulated entity’s program should include policies and procedures, contractual assurance for security responsibilities, controls, reporting, nondisclosure of data, and incident notification requirements.  Each regulated entity should define when information security incidents should result in substituting or replacing services provided by third parties, if feasible.When using a technology service provider (TSP), such as a cloud computing or technology solutions provider, each of the regulated entities should review the TSP’s information security programs and select a TSP that is consistent with established risk tolerances.  In its selection, each regulated entity should consider the TSP’s abilities to identify and mitigate cyber threats to data and operational infrastructure, effectively carry out incident response procedures to cyberattacks, and perform adequate business continuity resilience. <blockquote style="margin:0px 0px 0px 40px;padding:0px;border:currentcolor;">J. Threat Intelligence Sharing</blockquote>The Cybersecurity Information Sharing Act of 2015 encourages information sharing between the federal government and other recognized organizations.  Sharing and receiving technical information, such as threat indicators and emerging risks, promotes financial sector resiliency and provides the regulated entity additional situational awareness to remain current in their defenses.  Each of the regulated entities should participate in and incorporate information from external coordination efforts relevant to their respective operations. Related Guidance <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Data-Management-and-Usage.aspx">Data Management and Usage</a>, Federal Housing Finance Agency Advisory Bulletin AB-2016-04, September 29, 2016. <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Information-Technology-Investment-Management.aspx">Information Technology Investment Management</a>, Federal Housing Finance Agency Advisory Bulletin AB-2015-06, September 21, 2015. Cyber Risk Management Guidance, Federal Housing Finance Agency Advisory Bulletin AB-2014-05, May 19, 2014 (superseded). <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/AB-2014-02-OPERATIONAL-RISK-MANAGEMENT.aspx">Operational Risk Management</a>, Federal Housing Finance Agency Advisory Bulletin AB-2014-02, February 18, 2014.  <a href="https://www.ecfr.gov/cgi-bin/text-idx?SID=4789529b5c4a4e95899da27516cdc49e&mc=true&node=pt12.10.1233&rgn=div5">12 CFR Part 1233 Reporting of Fraudulent Financial Instruments</a>, February 11, 2013. <a href="https://www.ecfr.gov/cgi-bin/text-idx?SID=7d165130b500cae028042a9b47b757aa&mc=true&node=pt12.10.1236&rgn=div5">12 CFR Part 1236 Prudential Management and Operations Standards</a>, June 8, 2012. Safety and Soundness Standards for Information, Office of Federal Housing Enterprise Oversight Policy Guidance PG-01-002, December 19, 2001 (superseded). <hr /> <a name="ref1">[1]</a> The OF is not a “regulated entity” as the term is defined in the Federal Housing Enterprises Financial Safety and Soundness Act as amended. See <a href="https://www.gpo.gov/fdsys/pkg/USCODE-2010-title12/html/USCODE-2010-title12-chap46-sec4502.htm">12 U.S.C. 4502(20)</a>. However, for convenience, references to the “regulated entities” in this AB should be read to also apply to the OF. <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"> Advisory bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, the Office of Finance, Fannie Mae, and Freddie Mac.  This advisory bulletin is effective immediately upon issuance.  For the FHLBanks, contact Amy Bogdon, Associate Director for Regulatory Policy and Programs, Division of FHLBank Regulation, at <a href="mailto:Amy.Bogdon@fhfa.gov">Amy.Bogdon@fhfa.gov</a>.  For Fannie Mae and Freddie Mac, contact Annie Golden, Supervisory Risk Analyst, Office of Governance, Compliance, and Operational Risk at <a href="mailto:Annie.Golden@fhfa.gov">Annie.Golden@fhfa.gov</a> or Brian Schwartz, Senior Risk Analyst, Office of Governance, Compliance, and Operational Risk at <a href="mailto:Brian.Schwartz@fhfa.gov">Brian.Schwartz@fhfa.gov</a>.</td></tr></tbody></table>

8/4/2018 4:23:53 AM

Home / Supervision & Regulation / Advisory Bulletins / Information Security Management Advisory Bulletin This advisory bulletin (AB) provides Federal Housing Finance Agency

10164

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Classifications of Adverse Examination Findings

19348

All

3/13/2017 4:00:00 AM

AB 2017-01

<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">ADVISORY BULLETINAB 2017-01CLASSIFICATIONS OF ADVERSE EXAMINATION FINDINGS</td></tr></tbody></table> PurposeThis advisory bulletin establishes classifications of adverse examination findings at Fannie Mae, Freddie Mac, the Federal Home Loan Banks (the regulated entities) and the Office of Finance. Adverse examination findings are typically risk management deficiencies, increases in risk exposures, or violations of laws, regulations, or orders that affect the performance or condition of a regulated entity or the Office of Finance. This advisory bulletin establishes classifications of examination findings that identify priorities for remediation by the regulated entities and the Office of Finance and guide FHFA in the development of supervisory strategies. This advisory bulletin supersedes and rescinds Advisory Bulletin 2012-01, Categories of Examination Findings (April 2, 2012). Communication of Adverse Examination FindingsFHFA staff communicates examination findings to a regulated entity or the Office of Finance through the examination process. Reports of examination and other formal written communications summarize examination findings, assessments, and conclusions. FHFA provides a report of examination to the board of directors of the regulated entity or the Office of Finance. The board’s awareness of significant supervisory issues is critical because it is ultimately responsible for the organization’s safety and soundness. Adverse Examination Findings Classifications:When communicating adverse examination findings to the regulated entities and Office of Finance, examination staff will use the following classifications:<div><ol><li>Matters Requiring Attention (MRAs) fall into one of the following categories:</li><ul><li>Critical supervisory matters (the highest priority) which pose substantial risk to the safety and soundness of the regulated entity or the Office of Finance. They may involve instances of noncompliance with laws or regulations of a serious nature or may be repeat criticisms that have escalated in importance because of insufficient attention or action by the regulated entity or Office of Finance.</li><li>Deficiencies which are supervisory concerns that FHFA believes could, if not corrected,escalate and potentially negatively affect the condition, financial performance, risk profile, operations, or reputation of the regulated entity or the Office of Finance.</li><li>The distinction between critical supervisory matters and deficiencies is the nature and severity of the issues requiring corrective action. Corrective action for an MRA must be articulated in written remediation plans and timeframes that reflect the significance of the findings.</li></ul><li>Recommendations are advisory in nature and suggest changes to a policy, procedure, practice, or control that supervision staff believes would improve, or prevent deterioration in, condition, operations, or performance. Implementation is discretionary, although FHFA expects the regulated entity or Office of Finance to implement recommendations unless the regulated entity or Office of Finance can demonstrate through a reasoned assessment that the recommended action is unwarranted or is likely to be detrimental to condition, operations, or performance.</li><li>Violations are matters in which an examination discloses noncompliance with laws, regulations, or orders. Violations require action by the regulated entity or Office of Finance to correct, if possible, the past noncompliance with requirements and to change a program or practice to prevent recurrence. The expected remediation timeframe depends on the seriousness of the actual or potential consequences of the violation and the time required for the regulated entity to implement required corrective action. A violation that may negatively affect the condition or practices of the regulated entity may also be identified as an MRA.</li> </ol><div>Effective DateThe adverse examination findings classifications defined in this Advisory Bulletin are effective for the 2017 examination cycle for Fannie Mae and Freddie Mac. The adverse examination findings classifications are effective upon issuance of this Advisory Bulletin for all Federal Home Loan Bank and Office of Finance examinations not yet started. <table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">Advisory bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, the Office of Finance, Fannie Mae, and Freddie Mac. Contact Louis Scalza, Associate Director, Division of Bank Regulation at <a href="mailto:Louis.Scalza@fhfa.gov">Louis.Scalza@fhfa.gov</a> or Jim Griffin, Associate Director, Division of Enterprise Regulation at <a href="mailto:James.GriffinJr@fhfa.gov">James.GriffinJr@fhfa.gov</a>, with comments or questions pertaining to this bulletin.</td></tr></tbody></table> </div> </div>

3/13/2017 6:54:21 PM

Home / Supervision & Regulation / Advisory Bulletins / Classifications of Adverse Examination Findings Advisory Bulletin This advisory bulletin establishes classifications of

5406

https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspx

html

False

aspx

Internal Audit Governance and Function

19308

All

10/7/2016 4:00:00 AM

AB 2016-05

<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">ADVISORY BULLETINAB 2016-05INTERNAL AUDIT GOVERNANCE AND FUNCTION</td></tr></tbody></table> PurposeThis Advisory Bulletin (AB) applies to Fannie Mae and Freddie Mac (the Enterprises), the Federal Home Loan Banks (FHLBanks) (collectively, the regulated entities), and the FHLBanks' Office of Finance (OF).  References to the regulated entities<a href="#1">[1]</a> in this AB equally apply to the OF.  This AB rescinds and replaces the following guidance:<ul><li>2002-AB-05:  Risk Assessment – Internal Auditor Independence;</li><li>1999-AB-10:  Internal Audit Department External Reviews; and</li><li>1996-AB-01:  Examination Reviews of Audit Independence, Audit Committee Oversight of Selection, Compensation and Performance Evaluation of the Audit Director.   The Federal Housing Finance Agency (FHFA) requires the regulated entities to establish independent Internal Audit (IA) functions and expects those IA functions to provide timely feedback to management and assurance to audit committees on the effectiveness of regulated entities' internal controls, risk management, and governance.  Timely and reliable information about elevated risks and internal control systems are important so that management can make prompt corrections.  This AB sets forth FHFA guidance and supervisory expectations regarding:</li></ul><ol><li>Audit Committee Oversight of the IA Function;  </li><li>IA Independence and Objectivity; and</li><li>IA Attributes and Operations - including IA's role in reporting to the audit committee on the regulated entity's identification of significant risks and the existence and effectiveness of related internal controls. A regulated entity's risk management framework generally comprises:  </li></ol><ul><li>Units engaged in business operations, which take and manage risks and report directly to management;<a href="#2">[2]</a></li><li>Independent risk management (including enterprise risk management, compliance, and other risk control functions), which monitors risk-taking activities, assesses risks and issues independent of business operations units, and is separate from first-line operating management but still under the direction and control of senior management; and</li><li>IA, which reports independently to the audit committee on risks, risk management, and the effectiveness of the regulated entity's system of internal controls.  </li></ul>This structure is commonly known as the "three lines of defense," and together these elements should form a strong and effective risk management framework.  The guidance in this AB is consistent with the three lines of defense framework and sets forth FHFA's expectation that IA, as the third line of defense, is independent, objective, and effective at identifying and informing management and the audit committee about the regulated entity's risks and related controls.FHFA expects Chief Audit Executives (CAEs)<a href="#3">[3]</a> to establish and audit committees to oversee IA functions that:  <ul><li>Are independent and objective;</li><li>Continuously monitor key activities and associated risks;  </li><li>Adapt audit approaches and activities to address changes; and</li><li>Identify and communicate internal control deficiencies and emerging, previously unidentified, or undervalued risks (i.e., risks that have become more significant) to the audit committee and management.     FHFA further expects audit committees, through their direction to and oversight of CAEs and IA functions, to validate that staffing and resource decisions take appropriate account of the risks at the regulated entity.  FHFA expects that these decisions consider the entity's size, scale, complexity of operations, pace of innovation, and financial standing.</li></ul> BackgroundFHFA recently published a revised rule, 12 CFR Parts 1236 and 1239, Responsibilities of Boards of Directors, Corporate Practices, and Corporate Governance Matters, that in part addresses regulated entities' audit committees' oversight of IA functions at the FHLBanks and the Enterprises.  In addition, FHFA's standards for the FHLBanks and Enterprises specifically related to their audit committees and IA functions are in Standard 2 of the FHFA Prudential Management and Operations Standards (PMOS) (12 CFR Part 1236, Appendix).  FHFA requirements relating to the OF's audit committee are set forth at 12 CFR 1273.9.For the FHLBanks, the regulations prescribe specific details about the composition of the audit committee, the independence of its members, the content of the audit committee charter, and the duties and responsibilities of the audit committee, including its oversight responsibilities with re

Get Started Here:

Performance and Accountability Report

FHFA Values​

Annual Report to Congress

We Want to Hear From You

Conservatorship of Fannie Mae and Freddie Mac​​

Conservatorship ​Performance Goals​

Downloadable Data ​& Data Reports​​

House Price Index Rele​ase Dates​​​

Advisory Bulletins List

​Advisory Bulletins List

Performance and
Accountability Report

FHFA Values

Conservatorship of Fannie Mae
and Freddie Mac

Conservatorship
Performance Goals

Downloadable Data
& Data Reports

House Price Index Release Dates

Advisory Bulletins List