Federal Housing Finance Agency

 Advisory Bulletins List

 

 

<p>Enterprise Cybersecurity Incident Reporting | 27878 | Fannie Mae &amp; Freddie Mac | 8/21/2020 4:00:00 AM | AB 2020-05</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>ADVISORY BULLETIN</strong></p><p> <strong>AB 2020-05&#58; ENTERPRISE CYBERSECURITY INCIDENT REPORTING</strong></p></td></tr></tbody></table><p> <em style="text-decoration&#58;underline;"> <em> <strong>Purpose</strong></em></em></p><p>This advisory bulletin (AB) communicates Federal Housing Finance Agency's (FHFA) supervisory expectations for cybersecurity incident reporting to maintain safe and sound operations at Fannie Mae and Freddie Mac (the Enterprises). <a href="#footnote1"> <span style="text-decoration&#58;underline;">[1]</span></a></p><p style="text-decoration&#58;underline;"> <strong> <em>Background</em></strong></p><p>As part of an effective information security management program, the Enterprises need to be able to effectively respond to cybersecurity events that could affect the confidentiality, availability, and integrity of information. &#160;The continuous monitoring of systems to detect anomalies as well as successful and attempted attacks, including unauthorized activity on or intrusion into information systems, is an activity that underlies robust incident response.</p><p>Prioritizing the handling of cybersecurity incidents is a critical factor in the success or failure of an incident response process. 
By prioritizing incidents, Enterprises identify situations that are of greater severity and demand immediate attention.&#160; The Enterprises should communicate to FHFA incidents that affect or have the potential to affect the security of their information.&#160; This AB informs the Enterprises of supervisory expectations for assessing the Enterprise reports on cybersecurity incident data sent to FHFA.</p><p style="text-decoration&#58;underline;"> <em> <strong>Guidance</strong></em></p><p>This guidance explains the need for cybersecurity incident information that is supplemental to what is otherwise regularly, consistently, and systematically collected for use in supervisory oversight.&#160; The information reported in line with this guidance is adjunct to other more formal reports, but it is important for both the Enterprises and FHFA to compile and use the information specifically in evaluating cybersecurity incident responses and readiness to confront cybersecurity threats to safety and soundness.</p><p> <em>Definition of Cybersecurity Incident</em></p><p>For the purpose of the AB, FHFA defines a reportable cybersecurity incident as an occurrence that&#58;</p><ul><li>occurs at the Enterprise or at a third party that actually or potentially jeopardizes the confidentiality, integrity, or availability of an Enterprise system or Enterprise information the system processes, stores, or transmits, or;</li><li>constitutes a violation or imminent threat of violation of the Enterprise's security policies, security procedures, or acceptable use policies. <a href="#footnote2"> <span style="text-decoration&#58;underline;">[2]</span></a></li></ul><p> <em>Incident Severity Scoring</em></p><p>Effective reporting of cybersecurity incidents begins with the Enterprises determining a cybersecurity incident's severity by evaluating the confirmed impacts as well as potential impacts of the incident that they anticipate are likely to occur. 
Outlined below is an Incident Severity Score framework that will be consistent in meaning across both Enterprises and will facilitate the Enterprises' accurately advising FHFA of the seriousness of each incident. <a href="#footnote3"> <span style="text-decoration&#58;underline;">[3]</span></a>&#160; As analysis of a cybersecurity incident progresses, the Enterprises should continuously re-evaluate the severity level for each incident and report to FHFA as described below.</p><p> <strong>Severity 1&#58; Major.</strong>&#160; Cybersecurity incidents that interrupt one or more mission critical functions or result in the inability to achieve one or more mission critical objectives.&#160; Major Incidents are likely to have a substantial negative impact on customers and/or counterparties and may pose reputational risk to the Enterprise.&#160; Cybersecurity incidents that include personally identifiable information may also be considered a Major Incident.&#160; </p><p> <strong>Severity 2&#58; Significant.</strong>&#160; Cybersecurity incidents that interrupt or result in a degradation to one or more mission critical functions or core services.&#160; Significant Incidents may have a negative impact on customers and/or counterparties and may pose reputational risk to the Enterprise.&#160; Cybersecurity incidents that include substantial non-public information may also be considered Significant Incidents.</p><p> <strong>Severity 3&#58; Moderate.</strong>&#160; Cybersecurity incidents that interrupt or result in a degradation to one or more production systems or applications.&#160; Moderate Incidents may have a negative impact on customers and/or counterparties but are unlikely to pose substantial reputational risk to the Enterprise.&#160; Cybersecurity incidents that include a moderate amount of non-public information may also be considered Moderate Incidents.</p><p> <strong>Severity 4&#58; Minor.</strong> &#160;Cybersecurity incidents that result in a degradation to a 
production system or application or an outage of multiple non-production systems or applications.&#160; Minor Incidents are unlikely to have a negative impact on customers and/or counterparties and pose no reputational risk to the Enterprise.&#160; Cybersecurity incidents that include minor amounts of data loss may also be considered Minor Incidents.&#160; Minor Incidents may result in minor amounts of data loss that cannot be retrieved or deleted.</p><p> <strong>Severity 5&#58; Insignificant.</strong>&#160; Cybersecurity incidents that interrupt or result in an outage of a single non-production system or application or the degradation of one or more non-production systems or applications.&#160; Insignificant Incidents may also include a violation of security policies, security procedures, or acceptable use policies that has no impact on systems and applications.&#160; Insignificant Incidents are unlikely to have a negative impact on customers and/or counterparties and pose no reputational risk to the Enterprise.&#160; Cybersecurity incidents that include minor amounts of data loss that can be retrieved may also be considered Insignificant Incidents.</p><p> <em>Timely Reporting&#160;</em></p><p>Timely reporting from each Enterprise is critical to effective supervision.</p><p> <strong>Immediate Notification</strong></p><p>FHFA expects the Enterprises to prioritize responding to, and taking corrective action for, the identified incident or potential threat and to notify and provide a description of any Major Incident as soon as possible to the Examiner-in-Charge (EIC) for the Enterprise.&#160; The notification can occur via email, telephone, or in person so long as the Enterprise confirms receipt of the notification.&#160; In addition to contacting the EIC, the Enterprise should send a report describing the Major Incident to FHFA through secure methods established by FHFA.&#160; The Enterprise should continue to provide updates on any Major Incident throughout the incident response 
and remediation to the EIC or his/her designee.</p><p> <strong>24-hour Notification</strong></p><p>FHFA expects the Enterprises to notify and report a description of any Significant Incident within 24 hours of determination.&#160; The notice and report should be made to the EIC for the Enterprise.&#160; The notification can occur via email, telephone, or in person so long as the Enterprise confirms receipt of the notification.&#160; In addition to contacting the EIC, a report of any Significant Incident should be sent electronically through secure methods established by FHFA.&#160; The Enterprise should continue to provide updates on any Significant Incident throughout the incident response and remediation to the EIC or his/her designee.&#160;</p><p> <strong>Monthly Cybersecurity Incident Report</strong></p><p>Consistency of incident reporting is necessary to assess the effectiveness of each Enterprise's incident response process.&#160; Threats may occur simultaneously, sequentially, or randomly and FHFA needs to be sufficiently informed of incidents to evaluate effective detection and responses across the Enterprises. 
By submitting a monthly cybersecurity incident report to FHFA, the Enterprises and FHFA will be better prepared and aware of security challenges that could compromise safety and soundness.&#160; FHFA will provide a template describing the format as well as the standard content with corresponding definitions and examples that should be included in the monthly cybersecurity incident report.</p><p>Each Enterprise should submit the monthly cybersecurity incident report within fifteen (15) calendar days after the end of each month, even if there are no reportable cybersecurity incidents during the reporting period.&#160; The report should be sent electronically through secure methods established by FHFA.</p><p style="text-decoration&#58;underline;"> <strong><em>Effective Date</em></strong></p><p>This AB becomes effective on October 1, 2020</p><p style="text-decoration&#58;underline;"> <strong><em>Related Guidance</em></strong></p><p style="text-align&#58;left;">12 CFR Part 1236 Prudential Management and Operations Standards, Appendix.&#160;<em>&#160;</em></p><p style="text-align&#58;left;"> <em>Oversight of Third-Party Provider Relationships</em>, Federal Housing Finance Agency Advisory Bulletin 2018-08, September 28, 2018.&#160;</p><p style="text-align&#58;left;"> <em>Cloud Computing Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin 2018-04, August 14, 2018.&#160;</p><p style="text-align&#58;left;"> <em>Information Security Management</em>, Federal Housing Finance Agency Advisory Bulletin 2017-02, September 28, 2017.&#160;</p><p style="text-align&#58;left;"> <em>Internal Audit Governance and Function</em>, Federal Housing Finance Agency Advisory Bulletin 2016-05, October 7, 2016.&#160;</p><p style="text-align&#58;left;"> <em>Data Management and Usage</em>, Federal Housing Finance Agency Advisory Bulletin 2016-04, September 29, 2016.&#160;</p><p style="text-align&#58;left;"> <em>Operational Risk Management</em>, Federal Housing Finance Agency 
Advisory Bulletin 2014-02, February 18, 2014.<br>&#160;</p><hr width="25%" align="left" /><p> <a name="footnote1"> <span style="text-decoration&#58;underline;">[1]</span></a>&#160;Common Securitization Solutions, LLC (CSS) is an “affiliate&quot; of both Fannie Mae and Freddie Mac, as defined in the Federal Housing Enterprises Financial Safety and Soundness Act of 1992, as amended.&#160; 12 USC 4502(1).</p><p> <a name="footnote2"> <span style="text-decoration&#58;underline;">[2]</span></a>&#160;This definition is adapted from the National Institute of Standards and Technology. </p><p> <a name="footnote3"><span style="text-decoration&#58;underline;">[3]</span></a><em>&#160;</em>The Incident Scoring is not meant to replace severity or priority scoring established internally by the Enterprises.</p><p> <em>&#160; </em></p> <em> <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities. Questions about this advisory bulletin should be directed to <a href="mailto&#58;SupervisionPolicy@FHFA.gov">SupervisionPolicy@FHFA.gov</a>. </p></td></tr></tbody></table> <p>&#160;</p></em>
<p>Financial Reporting and Disclosure and External Audit | 28435 | All | 8/20/2020 4:00:00 AM | AB 2020-04</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>ADVISORY BULLETIN</strong></p><p> <strong>AB 2020-04&#58; FINANCIAL REPORTING AND DISCLOSURE AND EXTERNAL AUDIT</strong></p></td></tr></tbody></table><p> <em style="text-decoration&#58;underline;"><em><strong>Purpose</strong></em></em></p><p>This Advisory Bulletin (AB) articulates the Federal Housing Finance Agency's (FHFA) supervisory expectations for oversight and management of financial reporting and disclosures and of the external audit function. </p><p>This AB applies to Fannie Mae and Freddie Mac (the Enterprises), the Federal Home Loan Banks (FHLBanks), and the FHLBanks' Office of Finance (OF) (collectively, the regulated entities) <a href="#footnote1"> <span style="text-decoration&#58;underline;">[1]</span></a> and is effective immediately. &#160;This AB rescinds, and along with AB 2016-05 Internal Audit Governance and Function, replaces FHFA's Examination for Accounting Practices guidance.&#160; </p><p>Transparent financial reporting and disclosures, subject to strong internal control over financial reporting (ICFR) and confirmed by a high-quality external audit, help ensure that published financial information is reliable and free from material misstatements for all stakeholders.&#160; &#160;&#160;Timely, accurate, complete, and meaningful reporting and disclosures regarding financial condition and performance support FHFA's risk-focused supervision of the regulated entities.&#160; For FHFA as a prudential regulator, such reporting facilitates effective risk assessments, off-site monitoring, and examination planning. 
&#160;Financial condition and performance metrics for capital adequacy, liquidity, earnings adequacy, and asset quality are based on information in these reports.</p><p style="text-decoration&#58;underline;"> <strong><em>Background</em></strong></p><p>The Office of Federal Housing Enterprise Oversight (OFHEO) issued the Examination for Accounting Practices guidance to the Enterprises in 2006. &#160;FHFA revised and updated that guidance in 2009 and expanded its application to the FHLBanks. &#160;With the issuance of this financial reporting and external audit guidance and AB 2016-05 Internal Audit Governance and Function, FHFA has updated and revised the 2009 guidance to reflect our regulatory experience and that of other financial regulators, and to more clearly communicate FHFA's supervisory expectations in these areas to the regulated entities.&#160;</p><p>Regarding financial reporting and external audit, the regulated entities are governed by different, yet generally concordant, FHFA and/or Securities and Exchange Commission (SEC) regulations and auditing standards. <a href="#footnote2"> <span style="text-decoration&#58;underline;">[2]</span></a>&#160; Notably&#58;&#160;</p><ul><li>The Enterprises are SEC registrants. Their external audits are subject to Public Company Accounting Oversight Board (PCAOB) auditing standards.&#160; Under FHFA regulations, the Enterprises are subject to specified New York Stock Exchange (NYSE) requirements.</li><li>The FHLBanks are SEC registrants.&#160; Their external audits are subject to PCAOB auditing standards and under FHFA regulations, are subject to Generally Accepted Auditing Standards (GAAS) and Generally Accepted Government Auditing Standards (GAGAS). 
<a href="#footnote3"> <span style="text-decoration&#58;underline;">[3]</span></a>&#160; Applicable FHFA rules further detail specific requirements for audit committees regarding external audit and financial reporting oversight.</li><li>The OF is not an SEC registrant.&#160; Under FHFA regulations, FHLBank System combined financial reports are subject to GAAS and GAGAS. <a href="#footnote4"> <span style="text-decoration&#58;underline;">[4]</span></a>&#160; The regulations also address oversight of the external auditor for the combined financial reports. <a href="#footnote5"> <span style="text-decoration&#58;underline;">[5]</span></a></li></ul><p>Each Enterprise and FHLBank is covered by FHFA's Prudential Management and Operations Standards (PMOS) and each regulated entity reports financial information in conformance with U.S. Generally Accepted Accounting Principles (GAAP). <a href="#footnote6"> <span style="text-decoration&#58;underline;">[6]</span></a>&#160; Enterprise and FHLBank management assess the effectiveness of their respective entity's ICFR based on the criteria in the Internal Control-Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).&#160;</p><p>The referenced FHFA, SEC, and NYSE rules and regulations, as applicable, address a wide range of audit committee governance topics including&#58;&#160;</p><ul><li>Committee composition and members' qualifications, including financial literacy and expertise, and independence requirements;</li><li>Committee oversight of the integrity of financial statements and earnings releases and compliance with legal and regulatory requirements;</li><li>Committee charter content and minimum frequency of reviews and re-approval;</li><li>Boards' responsibility to provide the audit committee sufficient funding for payments to the external auditor and to advisors/counsel that the committee retains as it deems necessary to carry out its duties;</li><li>Committee duties and 
responsibilities regarding external auditor oversight including&#58;</li><ul><li>Responsibility for selecting the auditor, evaluating the auditor's performance, replacing the auditor if needed, and ensuring that the auditor is solely responsible to the committee;</li><li>Ensuring that the external auditor submits a formal written statement regarding relationships and services that may adversely affect independence and discussing any disclosed relationships that may impact objectivity and independence with the external auditor;</li><li>Reviewing the auditor's internal quality control procedures;</li><li>Meeting with, including in executive sessions, auditors and management;</li><li>Reviewing and approving procedures for handling complaints received by the regulated entity regarding accounting, internal accounting controls, or auditing matters; and confidential, anonymous submission by regulated entity staff of concerns regarding questionable accounting or auditing matters; and</li><li>Providing for an annual committee self-evaluation or external review.</li></ul></ul><p>The guidance in this AB is intended to be consistent with applicable statutes, regulations, GAAP, and auditing standards.&#160; In some instances, substantive elements of guidance herein for all regulated entities may be addressed by FHFA regulation, SEC regulation, or applicable accounting or auditing standards for one or more regulated entities.&#160; This guidance does not relieve or diminish the responsibility of a regulated entity's board of directors or management to follow applicable laws, rules, and regulations and to conform to applicable accounting standards.&#160; Any perceived conflicts should be resolved so as to comply with applicable laws and regulations, and in conformance with accounting standards.</p><p style="text-decoration&#58;underline;"> <em><strong>Guidance</strong></em></p><p> <strong>I. 
Financial Reporting and Disclosure Oversight and Management</strong></p><p>Regulated entities' boards of directors and senior managers are responsible, within their respective roles as described in FHFA's corporate governance regulation and prudential standards, for the institution operating in a safe and sound manner. &#160;Entities should maintain effective accounting and reporting systems and ICFR to produce reliable and accurate financial reports and meaningful disclosures.&#160;</p><p>To address accounting, financial reporting, and disclosure, audit committees should&#58;&#160;</p><ul><li>Review and discuss annual audited financial statements, quarterly SEC filings or equivalent financial statements, and earnings releases;</li><li>Meet regularly with management and external auditors and hold regular executive sessions with the external auditor;</li><li>Oversee that management establishes, implements, and maintains accounting policies and procedures that comply with applicable laws, rules, and regulations and conform to applicable guidance, including GAAP and other relevant reporting and disclosure standards;</li><li>Ensure that the regulated entity has policies in place to notify FHFA of any accounting treatments or policies identified as posing significant legal, reputation, or safety and soundness risk, with a focus on accounting treatments or policies that do not employ GAAP or preferred methods; and</li><li>Direct management to provide the committee with adequate information and reports to carry out its duties and responsibilities and challenge management and auditors where appropriate.&#160;</li></ul><p> <em>A. Assessing Materiality&#160;</em></p><p>An entity's audit committee should review and clearly understand how management and the external auditor assess financial statement materiality. &#160;For public financial disclosures, FHFA's regulated entities should follow materiality guidelines established by the SEC and other U.S. 
standard-setters and regulators as appropriate.&#160; FHFA is informed by the SEC's statements regarding materiality and generally considers them as part of its ongoing review of regulated entities' accounting practices and controls.&#160;</p><p>A regulated entity's determination that an accounting matter is material or presents a materiality issue may be a factor in FHFA's oversight of a regulated entity. &#160;An item not being deemed to be “material&quot; or not having “materiality&quot; for financial reporting purposes, however, would not necessarily preclude FHFA from having supervisory concerns about the item. &#160;Further, FHLBanks may be required to provide information that is less than material to their individual financial statements to the OF in order to support FHLBank System combined financial filings.&#160;</p><p> <em>B. Accounting Policies and Procedures&#160;</em></p><p>FHFA expects each regulated entity's management, with appropriate audit committee oversight, to establish and maintain&#58;&#160;</p><ul><li>A formal written procedure for developing accounting policies;</li><li>A process for disclosing those policies and the regulated entity's compliance with applicable regulatory requirements and GAAP to the committee;</li><li>Accounting and disclosure policies and procedures that reflect applicable regulatory requirements and GAAP; and</li><li>A complete and current accounting guide that lists all of the regulated entity's accounting policies, including a procedure for documenting the business purpose of all significant types of transactions.&#160;</li></ul><p>Each regulated entity currently submits its accounting guide to FHFA annually, and significant revisions to FHFA quarterly, although the FHFA Chief Accountant may request more frequent submissions.&#160;&#160;&#160;</p><p> <em>C. Internal Control over Financial Reporting</em></p><p>Each regulated entity is responsible for designing, implementing, monitoring, and maintaining its ICFR. 
<a href="#footnote7"> <span style="text-decoration&#58;underline;">[7]</span></a> &#160;&#160;Each regulated entity should ensure that its ICFR system is designed to minimize the risk of a material financial misstatement, whether due to reporting error, fraud, or other external or company-specific risks.&#160;</p><p>FHFA expects regulated entities to develop, implement, and maintain robust business and accounting systems and processes subject to rigorous quality controls to minimize the possibility of material misstatements.&#160; Regulated entities should remediate identified deficiencies timely and should not allow significant control deficiencies to persist.&#160;&#160;</p><p>ICFR review functions <a href="#footnote8"> <span style="text-decoration&#58;underline;">[8]</span></a> should be structured to ensure that those persons performing and evaluating testing are appropriately independent of the controls being tested. &#160;Each regulated entity should ensure that it has protocols in place for its employees and vendors to comply with the regulated entity's ICFR-related policies and procedures.&#160;</p><p>Each regulated entity should have a system in place to provide reasonable assurance that accounting and disclosure policies and procedures reflect regulatory and GAAP requirements and should have proper procedures and processes in place to evaluate compliance with those requirements.&#160; The ICFR risk assessment process should include assessing new products and business lines, as well as significant growth, shrinkage, and other changes in existing products and business lines. 
&#160;This should help ensure that key controls are identified and tested so that potential control deficiencies are identified timely and properly addressed.&#160;</p><p>Each regulated entity's management should ensure, and its audit committee should oversee, that the regulated entity establishes, implements, and maintains effective controls over information reported to FHFA through FHFA's Call Report System and in formal data requests.&#160;</p><p> <em>D. Regulated Entity Accounting Staff</em></p><p>Each regulated entity's management should hire sufficient numbers of technically competent accounting staff and that staff should remain professionally competent and current in professional standards. &#160;Accounting departments should implement and maintain quality control procedures to ensure that they follow accounting policies and procedures.&#160; Further, accounting staff should be charged with reporting any non-compliance with GAAP to appropriate management and/or auditors.&#160;</p><p> <em>E. Financial Statements</em></p><p>As SEC registrants, each FHLBank and Enterprise must prepare and timely file with the SEC periodic financial statements and disclosures that comply with applicable SEC regulations. &#160;Each regulated entity also should prepare and timely file financial statements and information as required by FHFA regulations.&#160; FHFA encourages the regulated entities to maximize transparency in their public financial reporting and disclosures, and to establish and implement policies that lead to comparable and consistent accounting and disclosures to the extent practicable. <a href="#footnote9"> <span style="text-decoration&#58;underline;">[9]</span></a></p><p>FHFA expects each FHLBank and Enterprise to submit to FHFA any financial information, disclosures, or other items it submits to the SEC that are not available to FHFA in public filings. 
&#160;FHFA also expects each regulated entity to provide additional information about the financial information, disclosures, and other items it submits to the SEC when and in the manner requested by FHFA.</p><p> <em>F. Non-GAAP Measures in Financial Statements</em></p><p>Regulated entities should consider risks associated with presenting non-GAAP measures in public financial reports, along with their responsibilities to transparently inform stakeholders about the entity's financial condition and results of operations.&#160; If a regulated entity decides to disclose a non-GAAP measure in its periodic filings, that measure should be subject to rigorous internal controls, should not be presented more prominently than similar GAAP measures, and should otherwise conform to applicable regulations.&#160; Any new proposed non-GAAP measure should be discussed with the audit committee, as appropriate, prior to initial publication.&#160; </p><p> <em>G. Alternate and Preferable GAAP Accounting Treatments</em></p><p>At least quarterly, each regulated entity's audit committee should review management's analyses of significant financial reporting issues and accounting judgments made in preparing the entity's financial statements.&#160; To facilitate this review, management should highlight, and the committee should review, significant new or unusual items arising during the financial quarter, and management's anticipated implementation of significant new or revised GAAP.&#160; These reviews should include effects of alternative GAAP methods.&#160; The audit committee should also review and discuss these areas (and others as described in applicable rules, regulations, and guidance) with the external auditor.&#160;</p><p>FHFA believes that it is prudent for the regulated entities' audit committees to assess the costs and benefits of engaging an independent third party to evaluate one or more accounting policy areas at least every two years.&#160; Committees should report their 
findings to their board of directors and to FHFA.&#160; Such a review may be appropriate for new or revised GAAP guidance and/or for new types of transactions that the regulated entity expects to become material, especially those for which the accounting may involve significant estimates and/or management judgments.&#160;&#160;&#160;</p><p>If the audit committee determines that the results of any such assessment warrant a targeted evaluation, it should then consider the appropriate form and scope of the engagement.&#160; Given the potential relevance of such assessments to FHFA's supervisory responsibilities, the regulated entity should structure any targeted evaluation engagement so as to make reports and workpapers available for review by FHFA.&#160;</p><p> <strong>II. External Audit Function Oversight</strong></p><p>Rigorous and effective audit committee oversight of external audit functions is critical to secure the benefits of an independent, high-quality audit.&#160; FHFA expects each regulated entity's audit committee to perform this role in accordance with applicable FHFA, SEC, and NYSE requirements.&#160; Further, FHFA expects each audit committee to establish and maintain appropriate charter elements, and well-documented policies where needed, around this oversight role. &#160;Finally, FHFA encourages regulated entities to develop, and audit committees to regularly review and approve for publication, disclosures that provide insight and information to stakeholders about how the committees oversee their external auditors.</p><p>A. Overseeing the External Audit Relationship</p><p>The concepts in this section should be considered when appointing, retaining, or terminating an external auditor.</p><p>1. 
Monitoring Performance</p><p>Each regulated entity's audit committee should perform and document a comprehensive assessment of the external audit firm's performance at least annually.&#160; As part of the review, the committee should request and review input from audit committee members, management, and internal auditors regarding the performance of the external auditors.&#160; The current external auditor's tenure should be considered as a factor in the assessment.&#160;</p><p>FHFA expects each audit committee to identify and consider Audit Quality Indicators (AQIs) to inform dialogue and discussions with the external auditor. &#160;AQIs are qualitative and quantitative performance metrics to help inform stakeholders, including audit committees, about key conditions or attributes that may contribute to audit quality. &#160;AQIs may be defined at both the auditing firm and the audit engagement team levels.&#160; While there is no regulation or auditing standard requiring firms to report or audit committees to use AQIs, larger auditing firms provide firm-level AQIs and/or similar information to their stakeholders. <a href="#footnote10"> <span style="text-decoration&#58;underline;">[10]</span></a> &#160;FHFA views identifying and assessing AQIs as a best practice in assessing external auditor performance.&#160;</p><p>The audit committee should consider the external auditor's internal quality control procedures, including the auditing firm's processes for performing quality control reviews, when evaluating the external auditor.&#160; The committee should discuss the auditing firm's internal quality control reviews and external PCAOB inspection results with the external auditors as part of their performance assessment. 
&#160;The committee should pay particular attention to any deficiencies or non-compliance issues identified by the PCAOB or internal reviews that are relevant to their regulated entity's audit.&#160; To aid in this process, the audit committee should request that the external auditor align any PCAOB inspection deficiencies with potential areas of exposure to the audit of the regulated entity.&#160; The audit committee should have a good understanding of how the audit firm is addressing any identified deficiencies, including remediation plans and timetables.</p><p>Auditing firm tenure is not explicitly addressed by FHFA or SEC regulations. &#160;Even if an incumbent auditing firm has performed satisfactorily, FHFA considers it prudent for audit committees to periodically consider, and document their consideration of, the potential costs and benefits of changing or retaining their incumbent auditing firms at least every five years, or more frequently if circumstances warrant. <a href="#footnote11"> <span style="text-decoration&#58;underline;">[11]</span></a> &#160;</p><p>2. Monitoring Independence</p><p>External auditor independence is necessary for a reliable audit. &#160;Therefore, each regulated entity's audit committee should carefully consider regulatory and professional requirements regarding independence in fact and appearance during all phases of the audit engagement. <a href="#footnote12"> <span style="text-decoration&#58;underline;">[12]</span></a>&#160; Independence requirements apply to the external auditing firm, to engagement and concurring partners, and to auditing firm staff and contractors working on the engagement. 
The audit committee should have a robust process for monitoring and assessing the external auditor's independence, including understanding how the external auditor assesses and monitors independence within the auditing firm.&#160;</p><p>The external auditor's communications to the audit committee regarding independence and the committee's related discussions and decisions regarding the auditor's independence should be appropriately documented.&#160; Arrangements regarding any permissible non-audit services to be provided by the audit firm should be clear and transparent, should not involve contingent compensation other than appropriate arrangements for tax work, and should be pre-approved by the audit committee.&#160; If the committee delegates some of its pre-approval authority to, for example, its Chair, it should subsequently ratify the delegate's approval.&#160;&#160;</p><p>At least annually, the committee should review the nature of all services performed by the external audit firm and assess the relative magnitude of fees and personnel involved.&#160; The committee should then consider establishing safeguards, as needed, to mitigate potential threats to audit independence that may arise as a result of providing these other services.&#160; Further, the audit committee should be informed about and consider business and financial relationships between the auditor and the regulated entity or its officers, directors, or significant shareholders, and about employment of former regulated entity employees by the auditing firm and vice versa, as necessary to identify and address circumstances that could indicate a lack of independence or the appearance thereof.&#160;</p><p> <em>B. 
Communication with External Auditor and Audit Engagement Letters</em></p><p>Each regulated entity's audit committee and its external auditor should have an open working relationship.&#160; Communications should be frank and robust and should cover the full range of potential topics related to financial reporting and audit risks.&#160; Significant discussions during scheduled audit committee meetings should be clearly documented in committee minutes.&#160; Other relevant substantive discussions should be appropriately documented in audit committee packages or minutes.&#160; Audit committees can promote effective communications by&#58;&#160;</p><ul><li>Maintaining a direct line of communication with the external auditor, including periodic, informal contact by the committee chair and regular executive sessions;</li><li>Requesting periodic involvement of other external audit partners, such as concurring, review, and tax partners at the audit committee meetings; </li><li>Discussing the external auditor's audit risk assessment and audit plan for the regulated entity;</li><li>Discussing with the auditor (and management, as applicable) any new, unusual, or non-standard representations made by management in their management representations letter; and</li><li>Requesting and reviewing insights from audit committee members, management, and internal auditors regarding the performance of the external auditors, at least annually.&#160;</li></ul><p>It is also important for the audit committee to have ongoing communication with the external auditor regarding its audit fees.&#160; One objective of those communications is to provide assurance to the audit committee that negotiations for the fees and the fee arrangements themselves encourage the external auditor to conduct rigorous, high-quality audits and reviews.&#160;</p><p>The engagement letter is the key document defining the relationship between the regulated entity and its external auditor.&#160; FHFA's authority to examine 
the regulated entities allows it to have access to all regulated entity documents, including accounting records. &#160;FHFA expects regulated entities' external audit engagement letters to be consistent with FHFA's examination authority. &#160;Accordingly, FHFA expects that each regulated entity's engagement letter should&#58;&#160;</p><ul><li>Provide that the external auditor may, upon FHFA's request, provide FHFA with access to the senior audit partners on the engagement and any other personnel whom such partners deem necessary, as well as to the external auditor's working papers prepared in the course of performing the services set forth in the engagement letter, and that such access to the external auditor may be without regulated entity personnel in attendance;</li><li>Not contain any provisions that would be characterized as unsafe and unsound under the “Interagency Advisory on the Unsafe and Unsound Use of Limitation of Liability Provisions in External Audit Engagement Letters&quot;;<a href="#footnote13"><span style="text-decoration&#58;underline;">[13]</span></a> and</li><li>Provide that the external auditor, without the approval of the regulated entity, may meet with FHFA with such frequency and about such matters as determined by FHFA, and may provide reports or other communications arising from the audit engagement directly to FHFA.</li></ul><p> <em>C. Audit Committee Transparency</em></p><p>FHFA regulations and guidelines require that the audit committees for the regulated entities review their charters annually and that the boards of directors reapprove them at least every three years. 
<a href="#footnote14"> <span style="text-decoration&#58;underline;">[14]</span></a> &#160;&#160;FHFA's regulated entities regularly publish their audit committee charters.&#160; Besides serving as the committee's roadmap to help ensure that it fulfills all of its duties and obligations, a well-drafted charter can provide outside readers with insights on the committee's governance and functions.&#160;</p><p>Under the PCAOB standards, auditor tenure is now a required element of the independent auditor's report.&#160; Also, critical audit matters—which are matters that have been communicated to the audit committee, are related to accounts or disclosures that are material to the financial statements, and involved especially challenging, subjective, or complex auditor judgment—must be reported by the auditor beginning in the next few years. <a href="#footnote15"> <span style="text-decoration&#58;underline;">[15]</span></a>&#160; While this reporting is the responsibility of public companies' external auditors, we believe that these requirements evidence increased demand by financial statement users for information on audits and audit governance.&#160;&#160;</p><p>While effective audit committee oversight of and engagement with the external auditor are keys to obtaining a high-quality audit, there are no formal rules or standards that require those topics to be reported to shareholders. &#160;That said, industry studies confirm an increasing trend among public companies to make enhanced voluntary disclosures about their audit committees' oversight of the external audit function. &#160;Examples include disclosures about the factors that the audit committee considers when appointing or retaining an external auditor, the role of the audit committee in fee negotiations and compensation, the length of time the auditor has been engaged, whether evaluations of the auditing firm are done annually, and audit partner selection and rotation. 
<a href="#footnote16"> <span style="text-decoration&#58;underline;">[16]</span></a>&#160;</p><p>FHFA encourages each regulated entity's audit committee to consider providing such voluntary disclosures regarding its role in supporting a quality audit. &#160;The audit committee should remain aware of industry trends and developments regarding audit committee transparency and should work to provide the regulated entity's stakeholders with relevant information regarding their activities to the extent practicable.&#160;</p><p> <strong>III. Annual Review by Audit Committee</strong></p><p>At least annually, each regulated entity's audit committee should review, with any appropriate professional assistance, the committee's performance in light of the requirements of laws, rules, and regulations that are applicable to its activities and duties.&#160; The committee should also assess whether it is operating consistent with applicable regulatory guidance.&#160; The audit committee should provide the FHFA Chief Accountant with the materials and procedures employed in such review, as well as the final report. &#160;The review may be done as part of a committee self-assessment, an outside review, or a combination of approaches.&#160;</p><p> <strong>Related Regulations and Guidance</strong></p><p>12 CFR Part 1236 and Appendix – Prudential Management and Operations Standards&#160;</p><p>12 CFR Part 1239 – Responsibilities of Boards of Directors, Corporate Practices and Corporate Governance Matters&#160;</p><p>12 CFR Part 1273 – Office of Finance&#160;</p><p>12 CFR Part 1274 – Financial Statements of the Banks&#160;</p><p>Securities and Exchange Commission Guidance Regarding Management's Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934, 72 Fed. Reg. 
35324 (June 27, 2007) (codified at 17 CFR Part 241)</p><p>Securities and Exchange Commission Rule 10A-3&#58; Listing Standards Relating to Audit Committees (National Securities Exchanges), 17 CFR § 240.10A-3</p><p>Securities and Exchange Commission Rule Reg. S-X&#58; Form and Content of and Requirements for Financial Statements, Securities Act of 1933, Securities Exchange Act of 1934, Investment Company Act of 1940, Investment Advisers Act of 1940, and Energy Policy and Conservation Act of 1975 (Qualifications and Reports of Accountants), 17 CFR § 210.2-01 through -07</p><p>Securities and Exchange Commission Rule Reg. S-K&#58; Standard Instructions for Filing Forms under Securities Act of 1933, Securities Exchange Act of 1934 and Energy Policy and Conservation Act of 1975, 17 CFR Part 229</p><p>Public Company Accounting Oversight Board Rule 3526&#58; Auditor Communications with Audit Committees Concerning Independence</p><p>NYSE, Inc., Listed Company Manual, § 303A (Corporate Governance Standards) (2018)</p><p> <br>&#160;</p><hr width="25%" align="left" /><p> <a name="footnote1"><span style="text-decoration&#58;underline;">[1]</span></a>&#160;The OF is not a “regulated entity&quot; as the term is defined by 12 U.S.C. 4502(20), but for convenience, references to the “regulated entities&quot; in this AB should be read to also apply to the OF as regards its roles in issuing combined financial reports and engaging the external auditor for those reports, and to regulated entities' affiliates as regards their roles, if any, in issuing public financial reports and in engaging external auditors.</p><p> <a name="footnote2"><span style="text-decoration&#58;underline;">[2]</span></a>&#160;Duties of FHLBank audit committees are described in 12 CFR 1239.32. Duties of the OF audit committee are described in 12 CFR 1273.9. 
Part 1239 stipulates that the duties and responsibilities of Enterprise audit committees are set forth under rules issued by the New York Stock Exchange, and further requires that those committees comply with requirements set forth under section 301 of the Sarbanes-Oxley Act, 15 U.S.C.§ 78j-1(f). The Prudential Management and Operations Standards set forth in the Appendix to 12 CFR Part 1236 also include standards applicable to the audit committees of the FHLBanks and Enterprises.</p><p> <a name="footnote3"> <span style="text-decoration&#58;underline;">[3]</span></a><em>&#160;See </em>12 CFR 1274.2(c).</p><p> <a name="footnote4"> <span style="text-decoration&#58;underline;">[4]</span></a><em>&#160;See </em>12 CFR 1274.2(c).</p><p> <a name="footnote5"> <span style="text-decoration&#58;underline;">[5]</span></a><em>&#160;See </em>12 CFR 1274.2(d), (e).</p><p> <a name="footnote6"> <span style="text-decoration&#58;underline;">[6]</span></a><em>&#160;See </em>12 CFR Part 1236, Appendix (Standard 10.1) and 12 CFR 1273.6(b) (2).</p><p> <a name="footnote7"> <span style="text-decoration&#58;underline;">[7]</span></a> SEC Exchange Act Rule 13a-15(f) defines the term “internal control over financial reporting&quot; as&#58; a process designed by, or under the supervision of, the issuer's principal executive and principal financial officers, or persons performing similar functions, and effected by the issuer's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that&#58;</p><ol><li>Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer;</li><li>Provide reasonable assurance that transactions are recorded as necessary to permit 
preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer; and</li><li>Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer's assets that could have a material effect on the financial statements.</li></ol><p> <em>See </em>17 CFR 240.13a-15(f).</p><p> <a name="footnote8"> <span style="text-decoration&#58;underline;">[8]</span></a> For the OF, this refers to the ICFR over the OF's process for producing the FHLBanks' combined financial reports.&#160;</p><p> <a name="footnote9"> <span style="text-decoration&#58;underline;">[9]</span></a> On comparability and consistency, see FASB Statement of Financial Accounting Concepts No. 8 as amended August 2018.</p><p> <a name="footnote10"> <span style="text-decoration&#58;underline;">[10]</span></a> See Center for Audit Quality, “Audit Quality Indicators&#58;&#160; The Journey and Path Ahead,&quot; Jan. 12, 2016.</p><p> <a name="footnote11"> <span style="text-decoration&#58;underline;">[11]</span></a> The FHLBanks and the OF, in light of the FHLBank System's requirement to issue combined financial statements, have historically engaged the same external audit firm.&#160; Therefore, they undertake external auditor performance reviews and decisions on which audit firm to engage jointly.</p><p> <a name="footnote12"> <span style="text-decoration&#58;underline;">[12]</span></a> The external auditor must meet the requirements of independence set forth by the PCAOB Auditing Standard 1005 and in the SEC regulations at 17 CFR § 210.2-01.&#160;</p><p> <a name="footnote13"> <span style="text-decoration&#58;underline;">[13]</span></a> 71 Fed. Reg. 6847 (Feb. 
9, 2006).</p><p> <a name="footnote14"> <span style="text-decoration&#58;underline;">[14]</span></a><em>&#160;See </em>12 CFR Part 1236, Appendix (Prudential Management and Operations Standard 2.2) (regulated entity boards); 12 CFR 1239.32(d) (1), (2) (Bank audit committees and boards of directors); 12 CFR 1273.9(c) (1) (i), (ii) (Office of Finance). Enterprise boards of directors must adopt a written charter for each board committee and comply with the committee requirements of the NYSE rules and section 301 of the Sarbanes-Oxley Act, 15 U.S.C. § 78j-1. <em>See </em>12 CFR 1239.5(b). Neither those incorporated provisions nor the regulation itself imposes any requirements with respect to the review or re-approval of committee charters.</p><p> <a name="footnote15"> <span style="text-decoration&#58;underline;">[15]</span></a><em>&#160;See </em>PCAOB Auditing Standard 3101.</p><p> <a name="footnote16"> <span style="text-decoration&#58;underline;">[16]</span></a><em>&#160;See </em>2018 Audit Committee Transparency Barometer prepared by the Center for Audit Quality and by Audit Analytics (November 2018).</p><p> <em>&#160; </em></p> <em> <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities. Questions about this advisory bulletin should be directed to <a href="mailto&#58;SupervisionPolicy@FHFA.gov">SupervisionPolicy@FHFA.gov</a>. 
</p></td></tr></tbody></table> <p>&#160;</p></em>
<p>Guidance on the Use of Proxies | FHL Banks | 7/20/2020 4:00:00 AM | AB 2020-03</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>ADVISORY BULLETIN</strong></p><p> <strong>AB 2020-03&#58; GUIDANCE ON THE USE OF PROXIES FOR DETERMINING THE INCOME OF SUBSEQUENT PURCHASERS OF OWNER-OCCUPIED UNITS SOLD BY AHP-ASSISTED HOUSEHOLDS DURING THE AHP RETENTION PERIOD</strong></p></td></tr></tbody></table><p> <em style="text-decoration&#58;underline;"> <em> <strong>Purpose</strong></em></em></p><p>This Advisory Bulletin (AB) contains guidance, pursuant to the Affordable Housing Program (AHP) regulation, on the Federal Home Loan Banks’ (FHLBanks) or their designees’ use of proxies for determining whether the subsequent purchaser of an owner-occupied unit sold, transferred, or assigned by an AHP-assisted household during the AHP five-year retention period is low- or moderate-income (LMI). Specifically, the guidance provides for the use of a proxy based on the U.S. Department of Housing and Urban Development’s (HUD) HOME Investment Partnerships Program (HOME) and Housing Trust Fund (HTF) homeownership value limits for existing housing. The AB also discusses the option for FHLBanks to adopt an alternative proxy or proxies that are reliable indicators that the subsequent purchaser is LMI. In addition, the AB provides guidance on documentation requirements as well as content of a FHLBank’s AHP Implementation Plan.</p><p style="text-decoration&#58;underline;"> <strong><em>Background</em></strong></p><p>The Federal Housing Finance Agency’s (FHFA) AHP regulation provides that, for each household that receives AHP subsidy for purchase, for purchase in conjunction with rehabilitation, or for construction of an owner-occupied unit, the unit must be subject to a retention agreement. 
<a href="#footnote1">[1]</a> The retention agreement must provide that, if the AHP-assisted household sells, transfers, or assigns (hereafter referred to as &quot;sells,&quot; for ease of reading) the unit within five years of closing on the unit, the FHLBank is to be repaid a pro rata portion of the AHP subsidy from any net proceeds realized by the household minus the household’s investment, subject to certain exceptions. <a href="#footnote2">[2]</a> One such exception is when the AHP-assisted household sells the unit to a LMI household, i.e., a household with income at or below 80 percent of the area median income (AMI). <a href="#footnote3">[3]</a> This exception predates the 2018 AHP final rule. <a href="#footnote4">[4]</a> Because subsequent purchasers of units sold by AHP-assisted households are under no obligation to provide income documentation to the FHLBanks or their designees for purposes of determining the AHP-assisted household’s AHP subsidy repayment obligation, it has been difficult for FHLBanks and their designees to determine subsequent purchasers’ actual incomes and, therefore, whether this subsidy repayment exception applies. Accordingly, FHFA requested comments in the 2018 AHP proposed rule preamble on potential geographically-based and person-based proxy approaches for determining subsequent purchaser income. </p><p>After reviewing the comments received on the proposed rule, FHFA determined in the 2018 AHP final rule that the use of proxies for determining subsequent purchaser income would facilitate the FHLBanks’ implementation of the LMI subsequent purchaser exception.<a href="#footnote5"> [5]</a> Accordingly, the final rule revised the regulation to provide for the use of proxies pursuant to guidance to be issued by FHFA for determining a subsequent purchaser’s income. 
Specifically, the final rule provides that for any sale by an AHP-assisted household of an owner-occupied unit after a date established by FHFA in the guidance, a FHLBank or its designee must determine the subsequent purchaser’s income using one or more proxies that are reliable indicators of the subsequent purchaser’s income, which may be selected by the FHLBank pursuant to the guidance, unless documentation demonstrating the subsequent purchaser’s actual income is available.<a href="#footnote6"> [6]</a> This AB contains the guidance referenced in the final rule on the use of proxies for this purpose. </p><p style="text-decoration&#58;underline;"> <em> <strong>Guidance</strong></em></p><p> <span style="text-decoration&#58;underline;">The Proxy&#58; HUD HOME and HTF Homeownership Value Limits for Existing Housing </span></p><p>FHFA has determined that the sale of an owner-occupied unit by an AHP-assisted household at a price that is at or below the applicable HUD HOME and HTF homeownership value limit for existing housing (hereinafter &quot;value limit&quot;) is a reliable indicator that the subsequent purchaser of the unit is LMI.<a href="#footnote7"> [7]</a> In reaching this conclusion, FHFA analyzed Home Mortgage Disclosure Act (HMDA) data which indicates that, in 2018, approximately 58 percent of national HMDA-reported home sales at or below the applicable value limit were to LMI purchasers. Significantly, in the ten states in which the greatest number of AHP owner-occupied subsidies under the FHLBanks’ competitive application programs and homeownership set-aside programs were awarded in 2018, over 65 percent of such sales were to LMI purchasers. </p><p>FHFA also analyzed the 2018 HMDA income data to determine the percentage of homebuyers who purchased a home above the applicable value limit that were LMI. 
FHFA found that only 14.6 percent of 2018 HMDA homebuyers who purchased a home above the applicable value limit were LMI, making it relatively unlikely that applying the HOME and HTF price limits as a proxy would be under-inclusive of low-and-moderate income subsequent purchasers. </p><p>Because proxies are approximations, no proxy can definitively determine the income of a subsequent purchaser. FHFA acknowledges this limitation of proxies generally, and the possibility that any proxy based on house sales price might fail to fully account for gentrification of areas in which the home is located, as noted by some commenters on the proposed rule. In rapidly gentrifying areas, a comparatively higher percentage of non-LMI purchasers may purchase homes at or below the value limit than in areas experiencing lower rates of gentrification. </p><p>However, as noted above, the data generally suggest that house sales price at or below the applicable value limit reliably indicates that the subsequent purchaser is LMI. This proxy indicates subsequent purchaser LMI status even more reliably when the review analyzes the ten states with the highest number of AHP owner-occupied subsidies historically. </p><p>In addition, although FHFA’s priority in selecting a proxy is identifying one that reliably indicates subsequent purchaser income, FHFA has selected one that, as applied to AHP-assisted households, weighs in favor of allowing households to retain AHP subsidy and thereby enjoy the full benefits of homeownership. FHFA analyzed data available under the FHLBanks’ homeownership set-aside programs to determine the likelihood that any particular AHP-assisted household would be required to repay AHP subsidy under the value limits proxy. 
In 2018, only 7.7 percent of AHP-assisted households who received set-aside grants in connection with purchase purchased their homes at a price greater than the applicable value limit, which suggests that the large majority of home sales by AHP-assisted households will qualify for the LMI subsequent purchaser exception under this proxy. <a href="#footnote8">[8]</a> </p><p style="text-decoration&#58;underline;">Implementing the Proxy</p><p>The FHLBanks or their designees may use the value limits, posted on the HUD Exchange, as a proxy for determining whether the exception to the AHP subsidy repayment requirement for sales to subsequent LMI purchasers applies. HUD calculates and posts the value limits annually on the HUD Exchange website. FHFA will also post the value limits on its website and notify the FHLBanks when new annual value limits are available. </p><p>However, if a FHLBank or its designee has documentation demonstrating the subsequent purchaser’s actual income, the FHLBank may not apply the value limits proxy or any other proxy to determine subsequent purchaser income. If neither the FHLBank nor its designee has such documentation, and the FHLBank elects to apply the value limits proxy, the FHLBank or its designee must use the value limits in effect at the time the AHP-assisted household sells its unit during the AHP five-year retention period. The FHLBank or its designee will determine the applicable value limit based on the specific county where the unit is located and the size of the unit (i.e., 1-unit, 2-unit, 3-unit, or 4-unit). The FHLBank or its designee will then compare the price at which the AHP-assisted household sold the unit to that value limit. If the sales price is less than or equal to the value limit, the subsequent purchaser is regarded as LMI under the value limits proxy. If the sales price is more than the applicable value limit, the subsequent purchaser is not regarded as LMI under the value limits proxy. 
The FHLBank or its designee must document its determinations under the value limits proxy.</p><p style="text-decoration&#58;underline;">Alternative Bank Proxies</p><p>In lieu of or in addition to the value limits proxy, a FHLBank may, in its discretion, adopt an alternative proxy or proxies that are reliable indicators that the subsequent purchaser of an owner-occupied unit sold by an AHP-assisted household is LMI. The FHLBank should retain documentation and data that provide a sufficient basis for the adoption of the alternative proxy or proxies, including an explanation of how the proxy or proxies reliably indicate(s) that the subsequent purchaser is LMI. In addition, as with application of the value limits proxy, the FHLBank should document its determinations under an alternative proxy for each subsequent purchaser’s income. </p><p style="text-decoration&#58;underline;">AHP Implementation Plans</p><p>The FHLBanks must ensure that their AHP Implementation Plans include the specific proxy or proxies they have chosen to adopt pursuant to this AB. <a href="#footnote9">[9]</a> If a FHLBank adopts more than one proxy, its AHP Implementation Plan must include the policies determining which proxy or set of proxies will be applied in any particular circumstance. If these policies provide for the application of more than one proxy per sale, they must specify how conflicting determinations of subsequent purchaser LMI income will be resolved. <a href="#footnote10">[10]</a> </p><p style="text-decoration&#58;underline;">Effective Date</p><p>This AB is effective for any sale of an owner-occupied unit by an AHP-assisted household that occurs on or after January 1, 2021 and is during the unit’s AHP five-year retention period. However, FHFA strongly encourages the FHLBanks to implement this AB before that date as practicable. 
</p><p>&#160;</p><hr width="25%" align="left" /><p> <a name="footnote1"> <span style="text-decoration&#58;underline;">[1]</span></a> 12 CFR 1291.23(d)(1); 1291.42(e); 1291.15(a)(7); <em>see also Questions and Answers on the November 28, 2018 Final Rule--Part I (July 2019)</em>, available at fhfa.gov. </p><p> <a name="footnote2"> <span style="text-decoration&#58;underline;">[2]</span></a> 12 CFR 1291.15(a)(7)(v); 1291.1 (par. (1) of the definition of &quot;retention period&quot;). </p><p> <a name="footnote3"> <span style="text-decoration&#58;underline;">[3]</span></a> 12 CFR 1291.15(a)(7)(ii)(B); 1291.1 (definition of &quot;low- or moderate-income household&quot;).&#160; </p><p> <a name="footnote4"><span style="text-decoration&#58;underline;">[4]</span></a> 12 CFR 1291.9(a)(7)(ii)(B) (Jan. 1, 2018 edition). </p><p> <a name="footnote5"> <span style="text-decoration&#58;underline;">[5]</span></a> 83 Fed. Reg. 61186, 61204 (Nov. 28, 2018). </p><p> <a name="footnote6"><span style="text-decoration&#58;underline;">[6]</span></a> 12 CFR 1291.15(a)(7)(ii)(B). </p><p> <a name="footnote7"> <span style="text-decoration&#58;underline;">[7]</span></a> For more information on these value limits, how they are derived, and their function in the applicable HUD programs, see the HOME and HTF program pages on the HUD Exchange website at www.hudexchange.info. </p><p> <a name="footnote8"> <span style="text-decoration&#58;underline;">[8]</span></a><em>&#160;</em>FHFA does not collect the prices at which competitive application program subsidy recipients purchase or sell their homes. FHFA also does not collect the prices at which homeownership set-aside program subsidy recipients purchase their homes, unless the subsidy is used in connection with purchase (e.g., down payment assistance). In 2018, 68 percent of all AHP owner-occupied subsidies were awarded through set-aside programs, and 92 percent of set-aside subsidies were used in connection with purchase. 
</p><p> <a name="footnote9"> <span style="text-decoration&#58;underline;">[9]</span></a> 12 CFR 1291.15(a)(7)(ii)(B). </p><p> <a name="footnote10"> <span style="text-decoration&#58;underline;">[10]</span></a>&#160;12 CFR 1291.13(b)(6).</p><p> <em>&#160; </em></p> <em> <p>&#160;</p> <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure that the regulated entities carry out their missions consistently with the provisions and purposes of FHFA's statute and the regulated entities' authorizing statutes. Advisory Bulletins describe supervisory expectations in particular areas and are used in FHFA examinations of the regulated entities. For comments or questions pertaining to this Advisory Bulletin, contact Ted Wartell at <a href="mailto&#58;Ted.Wartell@fhfa.gov">Ted.Wartell@fhfa.gov</a> or by phone at 1-202-649-3157; or Tiffani Moore at <a href="mailto&#58;Tiffani.Moore@fhfa.gov">Tiffani.Moore@fhfa.gov</a> or by phone at 1-202-649-3304. </p></td></tr></tbody></table> <p>&#160;</p></em> <p>&#160;</p>
Board Diversity | 27914 | FHL Banks | 7/9/2020 4:00:00 AM | AB 2020-02<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>ADVISORY BULLETIN</strong></p><p> <strong>AB 2020-02&#58; <strong>Board Diversity</strong></strong></p></td></tr></tbody></table><p> <em style="text-decoration&#58;underline;"> <em> <strong>Purpose</strong></em></em></p><p>This Advisory Bulletin (AB) applies to the Federal Home Loan Banks (Banks) and the Banks’ Office of Finance (OF) (collectively, the System). The AB provides guidance on the diversity and inclusion (D&amp;I) program oversight responsibilities of the System’s boards of directors (Board). The AB addresses D&amp;I programs required of the System and for which the Boards should exercise appropriate oversight. To meet oversight obligations, the Board should become familiar with the legal concepts related to D&amp;I, its administration by the System, the role of the Federal Housing Finance Agency (FHFA or Agency) related to statutory and regulatory authorities and expectations related to D&amp;I.</p><p style="text-decoration&#58;underline;"> <strong> <em>Background</em></strong></p><p>Congress adopted provisions regarding D&amp;I for regulated entities and FHFA as section 1116 of the Housing and Economic Recovery Act of 2008. 12 U.S.C. § 4520. The statute required the regulated entities to create an office or designate an office to carry out the section focused on diversity in management, employment, and business activities in accordance with standards and requirements as the Director of FHFA would establish. In December 2010, FHFA adopted a final rule implementing the law, at 12 CFR Part 1223, for its respective regulated entities. 
The regulation included a requirement to encourage the consideration of diversity in nominating or soliciting nominees for positions on the Board of Directors of each regulated entity. 12 CFR 1223.21(b)(7). </p><p>Formal D&amp;I supervision of the regulated entities began after the FHFA Office of Minority and Women Inclusion (OMWI) performed baseline reviews of their D&amp;I programs in 2015 and 2016 <a href="#footnote1">[1]</a>.</p><p>In 2015, the Agency amended the regulation to require each Bank and the OF to report annually on demographic information related to their Boards. 12 CFR 1223.23(b)(10)(i). Subsequently, the Agency developed and implemented a D&amp;I Examination Module that became effective on January 1, 2017 <a href="#footnote2">[2]</a>. In July 2017, FHFA finalized regulation amendments requiring the regulated entities, among other things, to adopt strategic plans to promote and ensure the inclusion of minorities, women, and individuals with disabilities in their workforce at all levels of the organization, as well as minority-, women-, and disabled-owned businesses in their contracting activities and financial activities. 12 CFR 1223.21(d). Consistent with FHFA’s corporate governance regulation, 12 CFR 1239.4(a), the Board has ultimate responsibility for its regulated entity’s achievement of the requirements of the regulation.&#160;</p><p style="text-decoration&#58;underline;"> <em><strong>Guidance</strong></em></p><p> <strong>Board Oversight </strong> </p><p>Each Board of Directors is responsible for oversight of the entity’s respective D&amp;I programs in their entirety, which includes setting the strategic goals and ensuring the appropriate management “tone at the top.” Each Board should oversee the entity’s D&amp;I program through review of its efforts as evidenced in reports provided by management, including the Chief Executive Officer and OMWI Officer. 
Such reports should include information and data on D&amp;I strategic goals; resource adequacy (human, technological, and financial); and integration of contractual parties with the entity’s businesses and activities. <br>To address management activities regarding D&amp;I, directors must have ongoing familiarity with D&amp;I requirements and pay due attention to the entity’s D&amp;I efforts and accomplishments. The Board should seek to assure itself that the entity’s D&amp;I program is conducted in line with statutory and regulatory requirements to promote diversity and ensure inclusion. The Board should expect ongoing reporting regarding the entity’s initiatives as well as D&amp;I accomplishments, progress, or challenges for the entity in areas identified by statute and regulation. </p><p> <strong>Board Directors — Effective Oversight</strong></p><p> In order to facilitate effective oversight of the D&amp;I program, the Board should be provided sufficient information on an ongoing basis on D&amp;I obligations and progress to oversee effectively the entity’s D&amp;I programs. The Board should assure that the reporting by management and the OMWI Officer is in line with law and regulation. If necessary, the Board should seek such external assistance, as it may require, to review, understand, and provide input on the entity’s D&amp;I program. The Board should consider, as well, efforts to enhance diversity among its membership in line with law and regulation.</p><p>With respect to Board skills assessments, FHFA notes the following areas of D&amp;I law, regulation, and programs that should be familiar to directors and be part of routine reporting by the management of each entity in the System&#58; </p><ol><li>Diversity. 
Ability to assess whether the management of each entity in the System seeks to promote D&amp;I based on its experience working with minorities, women, and individuals with disabilities and in seeking the skill sets from a diverse group for employment and contracting.&#160;</li><li>Equal Opportunity Principles. An understanding of fundamental equal employment opportunity and D&amp;I principles.</li><li>Managing Diversity Programs and Initiatives. The Board should be able to assess whether each entity’s management and OMWI Officer have the requisite ability to develop initiatives and to deploy programs that support inclusion of diverse populations in employment and contracting. Such assessment should be founded on reports with usable standards and metrics.&#160;</li><li>Change Management. The Board should be able to assess management and the OMWI Officer leading organizational development and corporate communication and facilitate outreach and new projects with various stakeholders internal or external to the regulated entity.&#160;</li><li>Strategic Leadership. The Board should adopt and communicate D&amp;I objectives.<br></li></ol><p> <strong>Enhancing Board Oversight</strong></p><p>Each Bank and the OF may conduct an annual assessment of skills and experience possessed by the members of its Board as a whole and may determine whether the capabilities of the Board would be enhanced through the addition of individuals with particular skills and experience. Board D&amp;I experience and knowledge should be included in any such Board assessments. The Board or its corporate governance committee should oversee the implementation of recommendations arising from Board self-assessments. As part of its oversight duties, the corporate governance committee also may identify skills and expertise gaps among the members of the Board and may recommend that the Bank or OF indicate that it seeks persons with those skills as nominees for directorship positions. 
In addition, the Board should implement training for existing Board members to develop or enhance their ability to meet their obligations to oversee the entity’s D&amp;I obligations.</p><p style="text-align&#58;left;"> <strong>Board Diversity</strong></p><p>A Board's efforts to develop, maintain, and sustain a diverse Board should be a combination of seeking diverse representation on, and providing support to, the Board to meet its D&amp;I oversight responsibilities. &#160;This requires the Board to articulate its role in performing D&amp;I oversight.&#160; At the same time, promoting diversity of the Board itself should be encouraged by the Board through communication of the Bank or OF's obligations under law and regulation and the value of fostering opportunities for diverse candidates for Board service to assist in this oversight responsibility. </p><p style="text-align&#58;left;">Boards may seek to increase director diversity by requiring the Bank or OF to communicate to members its goals of identifying potential diverse candidates.&#160; Boards may engage search firms for identifying potential independent director nominees, as appropriate, and taking such other steps as may promote diversity.&#160; &#160;</p><p style="text-align&#58;left;">&#160;</p><hr width="25%" align="left" /><p> <a name="footnote1">[1]</a> On December 19, 2012, FHFA issued Advisory Bulletin (AB) 2012-03, which implemented the Agency’s decision to include D&amp;I as a criterion in rating the Management component of CAMELSO.&#160; AB 2012-03 provides&#58;</p><blockquote dir="ltr"><p>MANAGEMENT – When rating a regulated entity's management, examiners determine the capability and willingness of the board of directors and management, in their respective roles, to identify, measure, monitor, and control the risks of the regulated entity's activities and to ensure that the regulated entity's safe, sound and efficient operations are in compliance with applicable laws and regulations. 
When making this determination, examiners assess&#58;</p></blockquote><ul><li><p>the regulated entity's compliance with laws and regulations, including Prudential Management and Operational Standards (PMOS), Office of Minority and Women Inclusion (OMWI) and relevant provisions of the Dodd-Frank Act[.]</p></li></ul><p> <em>See&#58; </em><a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/FHFA_AB_2012-03.pdf">https&#58;//www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/FHFA_AB_2012-03.pdf</a>.&#160; CAMELSO stands for Capital, Asset Quality, Management, Earnings, Liquidity, Sensitivity to Market Risk, and Operational Risk.&#160; </p><p> <a name="footnote2">[2]</a> The manual is available at&#58; <a href="/SupervisionRegulation/ExaminerResources/Documents/062717-OMWI-Exam-Module.pdf">https&#58;//www.fhfa.gov/SupervisionRegulation/ExaminerResources/Documents/062717-OMWI-Exam-Module.pdf</a> &#160;</p> <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"> <p> FHFA has statutory responsibility to ensure that the regulated entities carry out their missions consistently with the provisions and purposes of FHFA's statute and the regulated entities' authorizing statutes.&#160; Advisory Bulletins describe supervisory expectations in particular areas and are used in FHFA examinations of the regulated entities.&#160; For comments or questions pertaining to this Advisory Bulletin, contact Sharron Levine at <a href="mailto&#58;Sharron.Levine@fhfa.gov">Sharron.Levine@fhfa.gov</a>&#160;or James Jordan at <a href="mailto&#58;James.Jordan@fhfa.gov">James.Jordan@fhfa.gov</a>.&#160;</p> </td></tr></tbody></table><p>&#160;</p>7/9/2020 1:54:55 PM
Acquired Member Assets Risk Management | 30323 | FHL Banks | 1/31/2020 5:00:00 AM | AB 2020-01<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>ADVISORY BULLETIN</strong></p><p> <strong>AB 2020-01&#58; ACQUIRED MEMBER ASSETS RISK MANAGEMENT</strong></p></td></tr></tbody></table><p> <em style="text-decoration&#58;underline;"><em><strong>Purpose</strong></em></em></p><p>This Advisory Bulletin (AB) provides Federal Housing Finance Agency (FHFA) guidance regarding a Federal Home Loan Bank's (Bank) risk management of Acquired Member Assets (AMA), including FHFA's expectations that Bank boards of directors establish certain limits. &#160;The Banks should be able to demonstrate their progress toward adherence to this guidance by September 30, 2020 and should have final limits in place by December 31, 2020.&#160; </p><p style="text-decoration&#58;underline;"> <strong> <em>Background</em></strong></p><p>The mission of the Banks is to provide to their members and housing associates financial products and services that assist and enhance such members' and housing associates' financing of housing and community lending.<a href="#footnote1"><span style="text-decoration&#58;underline;">[1]</span></a>&#160; Similar to taking an advance, when a member sells eligible mortgage loans to a Bank, the Bank serves as a funding source for the member's housing finance lending.&#160;&#160;&#160;&#160;&#160; </p><p>FHFA regulations and guidance related to AMA embody the principles that the Banks must acquire AMA safely and soundly and in a manner that is consistent with the Banks' mission.&#160; Sound governance of AMA programs is critical to safety and soundness and should include the establishment of limits to control the risks inherent in owning mortgage loans.&#160; AMA programs should at the same time fulfill the affordable housing mission requirements articulated in the Bank housing goals.&#160; The 
guidance in this Advisory Bulletin highlights FHFA's supervisory expectations with respect to sound risk management practices and how they relate to AMA. </p><p style="text-align&#58;left;"> <span style="text-decoration&#58;underline;">Regulatory Environment</span></p><p style="text-align&#58;left;">The following provides a summary of some of the regulation and guidance for governance and AMA.</p><ul style="list-style-type&#58;disc;"><li> <em>Responsibilities of Boards of Directors, Corporate Practices, and Corporate Governance Regulation.</em><em>&#160; </em>This regulation provides that the management of each regulated entity shall be by or under the direction of its board of directors.&#160; It states, “the ultimate responsibility of each entity's board of directors for that entity's oversight is non-delegable.&quot;<a href="#footnote2"><span style="text-decoration&#58;underline;">[2]</span></a> &#160;Included in the responsibilities of each Bank's board of directors is the establishment of a risk management program that aligns with the Bank's risk appetite and that each of the Bank's business lines has appropriate risk limitations.<a href="#footnote3"><span style="text-decoration&#58;underline;">[3]</span></a></li></ul><ul style="list-style-type&#58;disc;"><li> <em>Prudential Management and Operating Standards (PMOS) Regulation.</em>&#160; FHFA addresses limits on investments and management of assets in its PMOS regulation, the appendix to which establishes eleven standards as guidelines, including Standard 6 (Management of Asset and Investment Portfolio Growth), Standard 7 (Investments and Acquisitions of Assets), and Standard 9 (Management of Credit and Counterparty Risk).<a href="#footnote4"><span style="text-decoration&#58;underline;">[4]</span></a>&#160;&#160; The failure to meet any of the PMOS may constitute an unsafe or unsound practice for purposes of FHFA's administrative enforcement authority.<a href="#footnote5"><span 
style="text-decoration&#58;underline;">[5]</span></a>&#160; If FHFA determines that a Bank has failed to meet a standard, it also may require the Bank to submit a corrective plan.<a href="#footnote6"><span style="text-decoration&#58;underline;">[6]</span></a><br></li><li> <em>AMA Regulation</em>. &#160;FHFA's AMA regulation prescribes the parameters within which the Banks may purchase mortgage loans from members and housing associates (known as participating financial institutions or PFIs).&#160; The core of the AMA rule is a three-part test, the first and second parts of which focus on asset eligibility and member nexus, respectively.&#160; The third part focuses on the transactions through which a Bank acquires AMA – specifically, credit risk-sharing.<a href="#footnote7"><span style="text-decoration&#58;underline;">[7]</span></a>&#160;&#160;&#160; <br></li><li> <em>Core Mission Achievement Advisory Bulletin</em>.&#160; FHFA's Core Mission Achievement Advisory Bulletin describes AMA, along with advances, as “Primary Mission Assets,&quot; which are fundamental to the business of a Bank and most directly contribute to its mission.<a href="#footnote8"><span style="text-decoration&#58;underline;">[8]</span></a>&#160; It states, “[b]ecause a portfolio of residential mortgage loans presents risks not present with advances, FHFA expects that each Bank's board of directors will establish a prudential limit on its maximum holding of AMA, which should be governed by the Bank's ability to manage the risks inherent in holding mortgages.&quot;&#160; FHFA included similar language in the preamble to the final AMA rule<a href="#footnote9"><span style="text-decoration&#58;underline;">[9]</span></a> and in the AMA Price Risk Governance Advisory Bulletin.<a href="#footnote10"><span style="text-decoration&#58;underline;">[10]</span></a>&#160; </li></ul><ul style="list-style-type&#58;disc;"><li> <em>AMA Price Risk Governance Advisory Bulletin.</em>&#160; FHFA's AMA Price Risk 
Governance Advisory Bulletin describes the practices a Bank should employ, through management and controls, to mitigate its exposure to AMA price risk.&#160; AMA price risk, for purposes of the Advisory Bulletin, is the risk that the price the Bank pays for an AMA mortgage loan is too high relative to intrinsic value based on prevailing and forecasted market conditions at the time of acquisition.<a href="#footnote11"><span style="text-decoration&#58;underline;">[11]</span></a><br></li><li> <em>Bank Housing Goals Regulation</em>.&#160; FHFA's Housing Goals regulation establishes housing goals for AMA purchases of loans to low-income borrowers, very low-income borrowers, and borrowers in low-income areas.<a href="#footnote12"><span style="text-decoration&#58;underline;">[12]</span></a>&#160;&#160;</li></ul><p> <em><strong>Guidance</strong></em></p><p style="text-align&#58;left;"> <em>Board-established Limits.</em>&#160; Each Bank's board of directors should establish limits on its AMA portfolios within the context of its risk appetite<a href="#footnote13"><span style="text-decoration&#58;underline;">[13]</span></a> and the unique characteristics of its membership and district. &#160;At the same time, the board should ensure that the Bank serves as a liquidity source for members – particularly smaller members who may not have the same capacity or access to sell loans in the secondary market that larger members may have. 
&#160;For purposes of this Advisory Bulletin, the term “smaller members&quot; includes all Bank members whose total assets are below the community financial institution (CFI) asset cap as defined in section 1263.1 of FHFA's regulations, and includes credit unions, insurance companies, and non-depository community development financial institutions.&#160; </p><p style="text-align&#58;left;"> <em>Management Thresholds.</em><em>&#160; </em>To support the board-established risk limits, management of each Bank should establish thresholds that would serve as monitoring tools to manage AMA-related risk exposure.&#160; Management thresholds typically should be set at levels sufficiently below the risk limits established by the board, so that management would have adequate time to address any relevant developments that might otherwise result in a breach of a board-established limit.&#160; If a Bank's AMA holdings were to breach a management threshold, it should have a formal process in place to assess and manage the resulting AMA-related risks.&#160; The process may require management to conduct a targeted analysis or additional ongoing monitoring, which would also provide the board information useful in fulfilling its governance responsibilities.&#160; Examples of actions management might take to avoid breaching management thresholds, or to avoid exceeding board-established limits if a management threshold is breached, might include&#58;</p><ul style="list-style-type&#58;disc;"><li>Imposing loan acquisition restrictions by loan type, e.g., high-balance loans or third-party loans,</li><li>&#160;Limiting loan purchases from a particular member that accounts for a disproportionate amount of total acquisitions, or</li><li>Participating or selling interests in some of its AMA mortgage loans to other Banks.</li></ul><p> <span style="text-decoration&#58;underline;">Establishing Board Limits</span></p><p style="text-align&#58;left;">FHFA expects each Bank's board of directors to 
approve a strong risk management program, to evaluate AMA-related risks, based on management's proposals, and to establish limits to control those risks.&#160; To accomplish these objectives, each Bank should have staff with a strong understanding of, and insight into, the secondary mortgage market and the risks that affect the acquisition, funding, and servicing of mortgages.&#160; The staff should have a skill set that allows them to evaluate AMA risk beyond the determination of credit enhancement obligations.&#160; Ultimately, the staff should have the necessary expertise to monitor portfolio and market issues before they adversely affect either the mission focus or the safe and sound operation of the Bank.&#160; </p><p style="text-align&#58;left;">FHFA expects that a prudent approach to managing risks associated with a Bank's AMA holdings would include the types of limits described in the paragraphs below.&#160; Boards may adopt other limits to control other AMA-related risks, as identified by Bank staff as being appropriate to the magnitude of the Bank's AMA portfolio.</p><p> <em>AMA Portfolio Limits</em></p><p>Given the risks associated with AMA, which include price, interest rate, operational, credit, model, and liquidity risks, each Bank's board should consider how it can safely and soundly manage its portfolio.&#160; In considering portfolio limits, a Bank should consider, for example, the cost for safely and soundly managing how market risk may evolve in response to fluctuations in the size of the mortgage portfolio,<a href="#footnote14"><span style="text-decoration&#58;underline;">[14]</span></a> and the risk of adverse effects on the Bank's profitability resulting from external factors that may occur in both the short and long term.&#160; Those risks may be magnified by concentrations of loan coupons or vintages.&#160; A board also should consider any risks associated with acquiring a large portion of its AMA mortgages from a single PFI.&#160; When a 
board is setting portfolio limits, FHFA expects a Bank to consider the needs of its smaller members, who may rely on the Bank as a liquidity source to a greater degree than its larger members, who may have alternative access to the secondary mortgage market. The Bank should ensure that its portfolio limits do not result in the Bank's acquisition of mortgages from smaller members being “crowded out&quot; by the acquisition of mortgages from larger members.&#160;&#160; </p><ul style="list-style-type&#58;disc;"><li> <em>Size of Portfolio. </em>Each Bank's board of directors should establish a limit on its maximum holdings of AMA that is consistent with its risk appetite and the long-term safety and soundness of the Bank.&#160; When establishing the limit on the size of its AMA portfolio, the board may develop its own metrics that it deems most appropriate for its business plans and the needs of its members, such as a percentage of assets or consolidated obligations, or as a multiple of capital.&#160; FHFA will assess the portfolio limit and the metrics used to set it as part of its regular supervisory process.&#160; If a board has considered multiple approaches to setting its portfolio limit and can demonstrate that it has used the most conservative of those approaches in establishing the binding board limit, FHFA generally would consider that to be consistent with the safe and sound operation of the Bank.&#160; FHFA also expects that the board of directors would monitor the appropriateness of its chosen metrics in light of changing conditions in the mortgage markets, capital markets, the Bank's financial condition, and the needs of its members, and consider any appropriate revisions to the metrics used to set the existing portfolio limits.&#160;&#160;</li></ul><ul style="list-style-type&#58;disc;"><li> <em>Growth.</em><em>&#160; </em>Each Bank's board of directors should establish a limit on the amount of AMA the Bank could acquire during a defined period of time in 
order to mitigate risks associated with rapid growth. &#160;Reasonable metrics for managing rapid growth could include limits based on gross dollar amount acquired and net growth in AMA holdings in dollars or as percent of balances outstanding.&#160;<br></li><li> <em>Single PFI Acquisition</em>. &#160;Each Bank's board of directors should establish annual limits on the dollar amount of AMA that the Bank may acquire from a PFI.&#160; PFI limits should be appropriate to the particular PFI, should be consistent with the Bank's overall AMA portfolio limit, should avoid undue concentrations of the overall AMA portfolio from particular PFIs, and should provide reasonable assurance that the Bank's smaller members will be able to continue to sell AMA to the Bank during the year, regardless of the amount of AMA purchased from the Bank's larger members.&#160;&#160;&#160;&#160;&#160;&#160;</li></ul><p> <em>Loan Concentration Limits</em>&#160;</p><p> FHFA expects each Bank's board of directors to consider the risks associated with an aggregation of loans that have common characteristics, i.e., concentration risk. &#160;Pools of loans that have common characteristics are sensitive to the same economic developments or downturns.&#160; This sensitivity can cause a pool of loans to perform as if it were a single, large exposure, which potentially exposes the Bank to disproportionately greater credit losses that could negatively affect a Bank's capital.&#160; Concentration risk may be further exacerbated for pools composed of loans that have multiple common characteristics, i.e., risk layering. 
&#160;Each Bank should identify characteristics that, when aggregated in a pool or in the Bank's portfolio, could increase the Bank's risk exposure.&#160; Loan characteristic concentrations each board should consider include&#58;&#160;<br></p><ul style="list-style-type&#58;disc;"><li> <em>Geographic area concentration,</em> which is determined by evaluating the amount or percentage of acquired loans secured by properties within a geographic location.&#160; The geographic areas of AMA loans held by a Bank could be evaluated by, for example, state, county,&#160;or metropolitan statistical area.<a href="#footnote15"><span style="text-decoration&#58;underline;">[15]</span></a> FHFA expects Banks to have specific limits on AMA concentrations in particular housing markets, both in- and out-of-district.&#160; The limits could be relative to a PFI's sales to a Bank, relative to total acquisitions in a given period, or relative to outstanding dollar balances.&#160; <br></li><li> <em>High-balance loan concentration,</em> which is determined by evaluating the amount or percentage of acquired loans that are high-balance loans. 
“High-balance loans&quot; are conforming loans secured by residential properties located in “high-cost areas&quot; with loan amounts exceeding the baseline conforming loan limits.&#160; Such loans may perform differently than loans at the baseline limits.<a href="#footnote16"><span style="text-decoration&#58;underline;">[16]</span></a>&#160;&#160;</li></ul><p> <em>Third-party Loan Origination Limits</em></p><p>The AMA regulation authorizes the Banks to purchase mortgage loans from a member only if the member (or an affiliate) had originated the loan or had acquired it from a third party for a “valid business purpose.&quot;<a href="#footnote17"><span style="text-decoration&#58;underline;">[17]</span></a>&#160; The Federal Housing Finance Board issued a regulatory interpretation that lists some factors that would be sufficient to demonstrate that a loan acquired from a third-party originator meets the valid business purpose requirement.<a href="#footnote18"><span style="text-decoration&#58;underline;">[18]</span></a>&#160; The interpretation also makes clear that a member must have meaningful influence or control over the mortgage assets it acquires or over the process by which it acquires them in order to demonstrate that the member has acquired them for a valid business purpose.&#160; The factors indicating the existence of a valid business purpose include&#58;&#160; (1) whether purchasing loans from third-party originators represents a core business of the member; (2) how long the member has been involved in purchasing such loans; (3) whether the member is familiar with the third-party originators and experienced with the type, quality, and volume of the assets being purchased from the originators; (4) whether the member has a clear opportunity to identify and address the potential for fraud on an operational level; (5) whether the member itself approves and contracts with the originators; and (6) whether the member itself sets the terms of its contractual 
relationship with the third party originators, including asset standards and pricing.&#160;&#160;</p><p>As a legal matter, Banks acquiring mortgage loans that have been originated by nonmember third parties must be able to demonstrate that the member has acquired those loans for a “valid business purpose,&quot; as required by the AMA regulations.&#160; The Banks should have processes in place that actively ensure that the member selling the loans to the Bank is exercising meaningful influence over or control of the assets it is selling, as described above.&#160; A perfunctory assessment of whether a member in fact exercises such influence or control would not demonstrate that a member has acquired mortgage loans from a third-party originator “for a valid business purpose,&quot; which could cause the mortgage loans not to qualify as AMA.&#160;&#160;&#160;&#160;&#160;</p><p>Generally, loans originated by third parties are acquired by a Bank from members that have banking services networks that involve nonmembers.&#160; Such loans can potentially carry greater risk than loans originated by a member.&#160; FHFA expects a Bank's board of directors to establish limits on the amount of loans it acquires that are originated by third parties.&#160; Those limits could be based on any reasonable metrics, such as a portion of the Bank's total AMA acquisitions or a portion of its acquisitions from a single member. &#160;FHFA expects Banks to consider the risks associated with the acquisition of third-party originated loans that are secured by properties located outside of the Bank's district.&#160;&#160;</p><p>In consideration of smaller members who may not have the same ability to sell loans in the secondary market that larger members may have, third-party loan origination limits need not apply to smaller members that do not have their own mortgage origination operations. 
&#160;Nonetheless, such members must still meet the valid business purposes requirements established in the AMA rule and Regulatory Interpretation 2000-RI-25.&#160;</p><p> <em>Pricing Limits</em></p><p>FHFA expects each Bank's board of directors to consider the price risk associated with AMA.&#160; The higher the price a Bank pays for an AMA mortgage loan, the lower its expected earnings will be, all else equal.&#160; If the expected yield on a risk-adjusted basis is too low, a Bank may not earn enough to cover operating costs.&#160; As stated in the AMA Price Risk Governance AB, a Bank “should set mortgage acquisition prices to ensure the resulting expected spread to funding covers its costs and provides adequate compensation for the risk assumed, e.g., option, interest rate, credit, and model risk.&#160; The [Bank's] management committee should provide oversight, which includes approving and periodically reevaluating the minimum expected spread to funding target that guides AMA pricing.&quot;&#160;&#160;</p><p>Each Bank's board of directors should establish a limit on the price at which the Bank will acquire AMA loans.&#160; Mortgages acquired with a relatively high premium to par increase the Bank's exposure to prepayment risk.&#160; The write down of a mortgage premium reduces returns to the Bank and may result in losses.&#160; Each board of directors should establish a price limit on an individual loan basis and a portfolio amortized cost basis as observed at a point in time.&#160; For the latter, a Bank's board should establish a limit on the volume of loans it acquires at a board-determined premium level.&#160; The board should also establish a limit on the percentage of the Bank's total outstanding portfolio that was acquired at the board-determined premium level. 
</p><p style="text-decoration&#58;underline;"> <strong> <em>FHFA Monitoring of AMA Risk Management</em></strong> </p><p>FHFA will consider each Bank's AMA risk management as part of its regular supervisory process, including the limits established by the Bank's board of directors.&#160; As part of its off-site monitoring of Bank safety and soundness, FHFA may request periodically that each Bank submit to FHFA its board-approved AMA risk limits or thresholds.&#160; </p><p> <span style="text-decoration&#58;underline;"> <strong> <em>Supervisory Letter</em></strong></span></p><p>A Bank or the Banks may receive a supervisory letter, as warranted, should FHFA determine adopted board limits are insufficient.&#160; Furthermore, examiners will issue findings during the examination process if a Bank does not have sufficiently safe and sound AMA limits approved by the board of directors.&#160; </p><p style="text-decoration&#58;underline;"> <strong> <em>Related Guidance</em></strong> </p><p>Federal Housing Finance Board Regulatory Interpretation 2000-RI-25, <em>Acquired Member Assets Held for a Valid Business Purpose </em>(Nov. 17, 2000).</p><p> <a name="footnote1"><span style="text-decoration&#58;underline;">[1]</span></a> 12 CFR § 1265.2</p><p> <a name="footnote2"><span style="text-decoration&#58;underline;">[2]</span></a> 12 CFR § 1239.4(a).</p><p> <a name="footnote3"><span style="text-decoration&#58;underline;">[3]</span></a> 12 CFR §§&#160;1239.4(c)(1) and 1239.11(a).&#160; </p><p> <a name="footnote4"> <span style="text-decoration&#58;underline;">[4]</span></a> 12 CFR Part 1236, Appendix.</p><p> <a name="footnote5"><span style="text-decoration&#58;underline;">[5]</span></a> 12 CFR § 1236.3(d).&#160; FHFA has the authority to address unsafe or unsound practices through issuance of an order to cease-and-desist, through assessment of civil money penalties, or removal from office.&#160; 12 U.S.C. 
§§&#160;4631(a)(1), 4636(b)(2)(A), 4636a(a)(2)(A).&#160;&#160; </p><p> <a name="footnote6"> <span style="text-decoration&#58;underline;">[6]</span></a> 12 CFR § 1236.4.</p><p> <a name="footnote7"><span style="text-decoration&#58;underline;">[7]</span></a> 12 CFR §§&#160;1268.3 (asset test), 1268.4 (member nexus), and 1268.5 (credit risk sharing).</p><p> <a name="footnote8"><span style="text-decoration&#58;underline;">[8]</span></a><em>&#160;See </em> <em>FHLBank Core Mission Achievement</em> AB 2015-05, July 14, 2015.</p><p> <a name="footnote9"><span style="text-decoration&#58;underline;">[9]</span></a> 81 FR 91682 (Dec. 19, 2016).</p><p> <a name="footnote10"><span style="text-decoration&#58;underline;">[10]</span></a><em>&#160;See </em> <em>AMA Price Risk Governance</em> AB 2017-03, Nov. 21, 2017.</p><p> <a name="footnote11"><span style="text-decoration&#58;underline;">[11]</span></a><em>&#160;See </em> <em>Acquired Member Asset Price Risk Governance</em> AB 2017-03, Nov. 21, 2017.</p><p> <a name="footnote12"><span style="text-decoration&#58;underline;">[12]</span></a> 12 CFR Part 1281.</p><p> <a name="footnote13"><span style="text-decoration&#58;underline;">[13]</span></a> The <em>Responsibilities of Boards of Directors, Corporate Practices, and Corporate Governance</em> regulation defines “risk appetite&quot; as, “the aggregate level and types of risk the board of directors and management are willing to assume to achieve the regulated entity's strategic objectives and business plan, consistent with applicable capital, liquidity, and other regulatory requirements.&quot;&#160; 12 CFR §&#160;1239.2.&#160; </p><p> <a name="footnote14"> <span style="text-decoration&#58;underline;">[14]</span></a> A mortgage portfolio's prepayment optionality can result in unanticipated funding mismatches that can have a deleterious effect on a Bank's net income, market value of equity, market value of equity to book value of equity ratio, market value of equity to par value of 
capital ratio, and dividend payment capacity.&#160;&#160;&#160; </p><p> <a name="footnote15"> <span style="text-decoration&#58;underline;">[15]</span></a> In general, in-district state level concentrations are acceptable given Banks must serve their district.&#160; However, FHFA expects the Bank to monitor and analyze housing-market level concentrations both within and outside its district.&#160;&#160;&#160; </p><p> <a name="footnote16"> <span style="text-decoration&#58;underline;">[16]</span></a><em> See </em><a href="/DataTools/Downloads/Pages/Conforming-Loan-Limits.aspx">https&#58;//www.fhfa.gov/DataTools/Downloads/Pages/Conforming-Loan-Limits.aspx</a><em>&#160;</em></p><p> <a name="footnote17"><span style="text-decoration&#58;underline;">[17]</span></a> 12 CFR § 1268.4(a)(1)(ii).</p><p> <a name="footnote18"><span style="text-decoration&#58;underline;">[18]</span></a><em>&#160;See </em>Regulatory Interpretation 2000-RI-25, <em>Acquired Member Assets Held for a Valid Business Purpose</em> (Nov. 17, 2000).&#160; </p>&#160;&#160;&#160;&#160;&#160;&#160; <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. &#160;Questions about this advisory bulletin should be directed to&#58;&#160; <a href="mailto&#58;SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>. 
</p></td></tr></tbody></table><p>&#160;</p>
Credit Risk Transfer – Analysis and Reporting | 27606 | Fannie Mae & Freddie Mac | 11/14/2019 5:00:00 AM | AB 2019-06<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>ADVISORY BULLETIN</p><p>AB 2019-06&#58; Credit Risk Transfer – Analysis and Reporting</p></td></tr></tbody></table><p> <strong style="text-decoration&#58;underline;"> <em> <br>Purpose</em></strong></p><p>This advisory bulletin articulates the Federal Housing Finance Agency’s (FHFA) supervisory expectations for the analysis and internal reporting of certain proposed or in-force credit risk transfer (CRT) activities.&#160; This advisory bulletin applies to Fannie Mae and Freddie Mac (Enterprises) and is effective immediately.</p><p>The scope of this advisory bulletin addresses risk analysis and reporting for individual and aggregate CRT activities.&#160; This advisory bulletin excludes primary mortgage insurance, seller indemnification, collateralized lender recourse, and multifamily lender loss sharing.</p><p>Enterprise CRT activities include debt instruments with varying structures and characteristics as well as insurance or reinsurance transactions and senior/subordinate securitizations.&#160; CRT programs are integrated with core single-family and multifamily business activities and affect the Enterprises’ overall credit risk profiles.&#160; </p><p>The comprehensive analysis and internal reporting of CRT activities support Enterprise safety and soundness.&#160; The Enterprises’ CRT programs could pose considerable financial risk exposure if associated risks are not adequately understood and managed.&#160; Robust risk analysis coupled with effective reporting to senior management and, as appropriate, the board of directors could identify potential risk and further support the oversight of the CRT program.&#160; </p><p>The guidance section outlines FHFA’s supervisory expectations regarding analysis and reporting for CRTs.&#160; 
The Enterprises may augment the analyses included in this advisory bulletin with other types of analyses deemed appropriate by management or the board of directors.<br></p><p> <strong style="text-decoration&#58;underline;"><em>Background</em></strong></p><p>The ownership or guarantee of mortgage-related instruments exposes the Enterprises to credit risk.&#160; Credit risk transfers can moderate the risk of credit-related losses and expenses by mitigating the Enterprises’ credit risk exposure.&#160; The Enterprises routinely transfer credit risk to third-party investors through the capital markets, and to insurance and reinsurance companies through negotiated transactions.</p><p>The use of CRT transactions alters the earnings and credit risk profiles of the Enterprises by transferring some portion of estimated credit losses.&#160; Modeling applications estimate these credit losses.&#160; Credit losses transferred to investors or insurers, over the term of the CRT transaction, could differ significantly from the Enterprises’ original estimates of expected credit losses absorbed by investors or insurers.&#160; </p><p>This advisory bulletin discusses approaches designed to provide both an economic view as well as a view into the financial impact of CRT transactions.&#160; <br>Risks associated with CRT transactions, as noted in more detail below, include residual credit risk, financial risk, price risk, model risk, counterparty credit risk, and mark-to-market risk.&#160; Fully understanding the risks and their potential earnings and capital impact is an important step in determining appropriate risk mitigants for those risks that can be controlled and reasonably managed. 
</p><p> <em>Residual Credit Risk</em></p><p>Residual credit risk refers to the credit risk remaining with the Enterprises from the loans in the reference pool.&#160; Typically, only a portion of credit risk is transferred at the origination of the CRT transaction.&#160; Additionally, termination dates for some CRT transactions may be earlier than the contractual maturity of the underlying single-family or multifamily mortgage loans in the reference pool.&#160; If credit loss events on single-family or multifamily loans in the reference pool occur after the maturity of the CRT issuance or insurance transaction, the Enterprises remain exposed to residual credit risk for the lifetime of loans remaining in the original reference pool.</p><p> <em>Financial Risk</em></p><p>Financial risk is the uncertain net earnings and balance sheet impact attributed to the costs and the credit loss protection provided by investors or insurers.&#160; The Enterprises’ cost to purchase credit protection through CRT transactions may be substantial in relation to guarantee fee revenue.&#160; The expected credit risk mitigation provided by investors and insurers is not precisely known at origination and requires complex calculations to estimate.&#160; Financial risk could be significant and could negatively affect corporate profitability and capital levels.</p><p> <em>Price Risk</em></p><p>Price risk refers to the risk that it may not be feasible for an Enterprise to enter into new CRT transactions because of market-driven costs.&#160; An Enterprise’s ability to transfer credit risk on an ongoing and regular basis is dependent on third-party investor or counterparty demand to enter into new transactions, but this demand may significantly weaken or disappear during periods of adverse economic or poor market conditions.&#160; The interest of market participants may vary over housing price cycles and could influence demand for new and existing CRT instruments.&#160; The countercyclical nature 
of some CRT transactions could expose the Enterprises to price risk, as they may incur considerably higher costs by entering into CRT transactions during times of significant economic downturns or severely adverse market disruptions.</p><p> <em>Model Risk</em></p><p>Model risk refers to the earnings and capital exposure from inadequate model results or weaknesses in model governance, processes, or controls.&#160; Enterprise management relies in part on sophisticated quantitative analyses and complex models.&#160; These models estimate Enterprise credit risk, including the financial costs of CRT transactions.&#160; Estimates of mortgage interest rates and house price movements are significant factors in management’s analysis.&#160; Models and analytical processes are sensitive to data inputs, key assumptions, and the complexity of calculation methodologies.&#160; </p><p> <em>Counterparty Credit Risk</em></p><p>Some CRT transactions introduce counterparty credit risk.&#160; While CRT transactions serve to reduce credit risk exposure from individual borrowers, the reduction may be partially offset by added credit risk from corporate counterparties.&#160; Counterparty credit risk is introduced in insurance-related CRT transactions, as the risk that an insurance company will not fulfill its potential obligation is substituted for the risk that individual borrowers will not meet their obligation with respect to the underlying mortgage loan.</p><p> <em>Mark-to-Market Risk</em></p><p>Mark-to-market risk refers to the market price volatility or sensitivity associated with CRT issuances.&#160; The Enterprises are exposed to mark-to-market risk for some CRT transactions.&#160; Changes in fair market values may have a negative financial performance or capital impact.&#160; For example, an Enterprise may issue unsecured debt in the form of a CRT transaction and record fair market gains or losses based on price changes.&#160; Hedging activities may mitigate the underlying 
mark-to-market risk inherent in the CRT transaction.<br></p><p> <strong style="text-decoration&#58;underline;"><em>Guidance</em></strong></p><p>This section outlines FHFA’s supervisory expectations regarding analysis and internal reporting for CRTs.&#160; The analyses described below will allow senior management to understand individual and aggregate CRT transactions and inform corporate business decisions, and the aggregate reporting will inform the board of directors or a designated committee of the board.&#160; These analyses should be completed in a timely manner, and documentation should include an explanation and support for significant management assumptions or estimates, detailed model results, and key analytical factors.&#160;&#160;</p><p style="margin-left&#58;40px;"> <strong>I. Analysis of CRT</strong></p><p>Analyses A, B, and D described below do not depend on economic, regulatory, or imputed capital or capital costs.</p><p style="margin-left&#58;40px;"> <em>A.&#160;Analysis of Expected Revenues and Expected Costs</em></p><p style="margin-left&#58;80px;">1. Transaction-Level Analysis</p><p style="margin-left&#58;80px;">Transaction-level analyses should thoroughly evaluate the financial value of individual CRT transactions, that is, the expected revenues and expected costs that result from CRT transactions.&#160; Revenues and costs include guarantee-fee income, expected default costs, and transaction costs associated with a CRT structure. 
The cashflow analysis should cover the full term of the underlying mortgages in the reference pool.&#160; Management should use stochastic credit risk models to generate forecasts of prepayment, default, and severity using relevant macroeconomic factors.&#160; The macroeconomic factors, at a minimum, include interest rates and house prices.&#160; For a meaningful analysis, a wide range of economic scenarios should be included.</p><p style="margin-left&#58;80px;">Two types of transaction-level analyses should be performed on the reference pool&#58;&#160; (a) transaction analysis without CRT; and (b) transaction analysis with CRT.&#160; Both types of transaction-level analysis should use the methods described above.&#160; </p><p style="margin-left&#58;80px;"> <em>(a) Transaction Analysis without CRT.</em>&#160; This analysis evaluates the estimated cashflows by calculating estimated expected pre-tax revenues (guarantee fees) and associated expected expenses (including credit losses and interest expense) for the reference pool.&#160; Management should calculate the revenues and expenses for each of the simulated paths.&#160; The path-level results should then be aggregated to determine overall expected net revenue.</p><p style="margin-left&#58;80px;"> <em>(b) Transaction Analysis with CRT.</em>&#160; This analysis evaluates the estimated cashflows by calculating estimated expected pre-tax revenues (guarantee fees) and associated expected expenses (including credit losses and interest expense) for the reference pool.&#160; Management should calculate the revenues and expenses for each of the simulated paths with the proposed CRT transaction.&#160; The path-level results should then be aggregated to determine overall expected net revenue.</p><p style="margin-left&#58;80px;">In addition to analyses (a) and (b), management should develop at least one stress test by evaluating revenue and credit losses absorbed by investors or insurers for paths that exceed a specific high 
confidence level (e.g., 90%, 95%, or 99%).&#160;&#160; For CRT transactions with a counterparty credit risk component, transaction analyses should incorporate an assessment of the credit risk associated with the underlying counterparty.</p><p style="margin-left&#58;80px;">2. Consolidated Analysis </p><p style="margin-left&#58;80px;">Consolidated analysis should assess the net financial impact of aggregated CRT transactions on financial performance.&#160; This analysis should calculate the impact of existing CRT transactions incorporating all business segments of corporate revenue and expenses.&#160; The results should provide insight into the aggregate and full impact of CRTs.</p><p style="margin-left&#58;80px;">In order to conduct the consolidated analysis, the stochastic analysis to estimate net revenues and credit losses absorbed by investors or insurers described above should be estimated (ex-post, on a transaction level) and aggregated. </p><p style="margin-left&#58;40px;"> <em>B.&#160;Earnings Forecast Analysis</em></p><p style="margin-left&#58;80px;">Earnings forecast analysis should assess the annual forecasted generally accepted accounting principles (GAAP) impact for aggregate CRT activities.&#160; This analysis should be designed to calculate the impact of existing CRT transactions on future corporate revenue and expenses.&#160; The analysis should cover each year of the duration of all CRT transactions existing at the time of the analysis.</p><p style="margin-left&#58;80px;">The methodology used for this earnings forecast analysis should be comparable to the transaction-level financial analysis (described above) to allow for meaningful benchmarking analysis.&#160; Specifically, individual transactions should be modeled stochastically before results are consolidated.&#160; Key model methodology, assumptions, and inputs should be transparent and well supported.&#160; Stress testing should also be a component of the earnings forecast analysis to add a 
meaningful dimension.&#160; The earnings forecast analysis should include sufficient time period intervals to allow Enterprise management to assess significant timing differences between CRT expenses or costs and the absorption of credit losses by investors or insurers that may occur well after the initial CRT transaction.</p><p style="margin-left&#58;40px;"> <em>C.&#160;Price Risk Analysis </em></p><p style="margin-left&#58;80px;">The price risk analysis should measure the strength and health of the CRT market in order to assess the economic sensibility of entering into new CRT transactions.&#160; The cost to transfer credit risk may vary depending on the position of the economy in the economic cycle.&#160; It may be more expensive for the Enterprises to transfer credit risk during periods of economic instability or uncertainty.&#160; Enterprise management should develop measures to analyze CRT price risk.&#160; </p><p style="margin-left&#58;80px;">Enterprise secondary market purchases or sales of previously issued CRT securities should include consideration of the potential impact on corporate CRT strategies and overall CRT effectiveness.&#160; These transactions could reduce the amount of credit risk that has previously been transferred through a CRT transaction.&#160; For this reason, an analysis of the potential impact to CRT effectiveness should be performed prior to secondary market transactions.</p><p style="margin-left&#58;40px;"> <em>D.&#160;Industry Analyses </em></p><p style="margin-left&#58;80px;">Credit rating agencies and other industry participants play a role in the Enterprise CRT market.&#160; Industry participants may conduct analytical assessments for individual CRT instruments using proprietary models and evaluation techniques.&#160; Management should review and understand the analytical approach and results of analyses performed by rating agencies or other industry participants and identify significant differences from internal Enterprise 
analyses.</p><p style="margin-left&#58;40px;"> <strong>II.&#160;Management and Board of Directors Reporting</strong><br></p><p style="margin-left&#58;40px;">The management and board of directors reporting described in this section may be presented as independent, standalone reports, or incorporated into existing reporting processes.&#160; If incorporated into existing reporting processes, management should ensure that CRT analysis results are given attention commensurate with the significance of the analytical results and findings.&#160; Whether standalone or incorporated into an existing reporting process, the CRT reports should contain sufficient detail to adequately inform the intended audience and sufficiently support related business decisions.</p><p style="margin-left&#58;40px;"> <em>A.&#160;Analysis of Expected Revenues and Expected Costs</em></p><p style="margin-left&#58;80px;">1. Transaction-Level Analysis</p><p style="margin-left&#58;80px;">The results of the transaction-level analyses for individual single-family CRT transactions should be included in transaction-level, pre-transaction analysis reported to business line management.&#160; For multifamily CRT transactions, results may be aggregated and reported to business line management on a quarterly basis.&#160; Senior management should also review a summary of transaction reports.</p><p style="margin-left&#58;80px;">2. 
Consolidated Analysis</p><p style="margin-left&#58;80px;">The CRT consolidated analysis should be prepared on at least an annual basis with detailed results reported to senior management.&#160; The board of directors or designated board committee should review a summary of the consolidated analysis.</p><p style="margin-left&#58;40px;"> <em>B.&#160;Earnings Forecast Analysis </em></p><p style="margin-left&#58;40px;">The CRT earnings forecast analysis should be prepared on at least an annual basis with detailed results reported to senior management.&#160; The board of directors or designated board committee should review a summary of the earnings forecast analysis.</p><p style="margin-left&#58;40px;"> <em>C.&#160;Price Risk Analysis </em></p><p style="margin-left&#58;40px;">Price risk analysis results should be incorporated into senior management reporting.</p><p style="margin-left&#58;40px;"> <em>D.&#160;Industry Analyses </em></p><p style="margin-left&#58;40px;">Internal evaluations of industry CRT analyses should be reported to business line management at least annually, with more frequent reporting or reporting to Enterprise management and, the board of directors, or designated board committee, as appropriate, if interim analyses indicate significant findings.</p><p> <br> <em><strong style="text-decoration&#58;underline;">Related Guidance and Regulations</strong></em></p><p>12 CFR Part 1236, Appendix, Prudential Management and Operations Standards. 
</p><p>12 CFR Part 1239, Responsibilities of Boards of Directors, Corporate Practices, and Corporate Governance.</p><p> <em> <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Interest-Rate-Risk-Management_2018-09.aspx">Interest Rate Risk Management</a></em>, Federal Housing Finance Agency, Advisory Bulletin AB-2018-09, September 28, 2018.</p><p> <em> <a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/AB_2013-07_Model_Risk_Management_Guidance.pdf">Model Risk Management Guidance</a></em>, Federal Housing Finance Agency, Advisory Bulletin AB-2013-07, November 20, 2013.<br></p>&#160;&#160;&#160;&#160;&#160;&#160; <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. &#160;Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. &#160;Questions about this advisory bulletin should be directed to&#58;&#160; <a href="mailto&#58;SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>. </p></td></tr></tbody></table>
Compliance Risk Management | 27499 | Fannie Mae & Freddie Mac | 10/3/2019 4:00:00 AM | AB 2019-05<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>ADVISORY BULLETIN</p><p>AB 2019-05&#58; Compliance Risk Management</p></td></tr></tbody></table><p> <strong style="text-decoration&#58;underline;"><em><br>Purpose</em></strong><br><br>This advisory bulletin (AB) communicates to Fannie Mae and Freddie Mac (the Enterprises) the Federal Housing Finance Agency’s (FHFA) supervisory expectations for a compliance risk management program (compliance program) <span class="ms-rteStyle-References"> </span> <a href="#footnote1"> <span class="ms-rteStyle-References"><span style="text-decoration&#58;underline;">[1]</span></span></a>&#160; to maintain the safety and soundness of the Enterprises’ operations.&#160; The sophistication of the compliance program should be proportionate to each Enterprise’s size, complexity, and risk profile.&#160; The compliance program should be designed to promote compliance with applicable laws, regulations, rules, prescribed practices, internal policies and procedures, and ethical and conflict-of-interest standards (compliance obligations).&#160;</p><p> <strong style="text-decoration&#58;underline;"><em>Background</em></strong></p><p>Compliance risk is the risk of legal or regulatory sanctions, damage to the current or projected financial condition, damage to business resilience, or damage to reputation resulting from nonconformance with compliance obligations.<a href="#footnote2"><span class="ms-rteStyle-References" style="text-decoration&#58;underline;">[2]</span></a>&#160; In addition, an Enterprise may be exposed to compliance, reputational, or other risks as a result of a third-party provider's failure to comply with the Enterprise's expectations and operating standards and to meet all relevant legal and contractual requirements.&#160; An effective compliance program supports 
safe and sound operations through policies and procedures designed to enable oversight of compliance risk management by the board of directors, or appropriate board-level committee (board). </p><p>Effective management of compliance risk requires the Enterprises to address numerous complex compliance obligations and the Enterprises' high volume of transactions.&#160; The guiding principles of sound risk management are set forth in FHFA's regulation at 12 CFR Part 1239, Responsibilities of Boards of Directors, Corporate Practices and Corporate Governance (Corporate Governance Rule), and in the Appendix to 12 CFR Part 1236, Prudential Management and Operations Standards (PMOS).&#160; </p><p>FHFA's general standards for safe and sound operations are set forth in the PMOS. &#160;Three relevant PMOS articulate guidelines for an Enterprise's board of directors and senior management to evaluate when establishing internal controls and information systems (Standard 1), overall risk management processes (Standard 8), and maintenance of adequate records (Standard 10). 
&#160;While the guiding principles of sound risk management in the Corporate Governance Rule and the PMOS are the same for compliance risk as for other types of risk, the management of compliance risk presents certain unique challenges.&#160; For example, compliance risk appetite and metrics may be difficult to establish and measure and compliance obligations must be addressed on an Enterprise-wide basis.<a href="#footnote3"><span style="text-decoration&#58;underline;">[3]</span></a>&#160; In addition, while compliance risks associated with third-party providers may be difficult to monitor based on information gathered in the normal course of business, the Enterprises should anticipate and manage exposures associated with third-party provider relationships across the Enterprises' full range of operations.<a href="#footnote4"><span style="text-decoration&#58;underline;">[4]</span></a></p><p> <strong style="text-decoration&#58;underline;"><em>Guidance</em></strong></p><p>FHFA expects each Enterprise to have a comprehensive, risk-based compliance program aligned with its enterprise-wide risk management program<a href="#footnote5"><span style="text-decoration&#58;underline;">[5]</span></a> and in accordance with all relevant FHFA guidance.&#160; An Enterprise's compliance program should include policies and procedures designed to manage compliance risk across its entire organization, both within and across business lines and the three lines of defense.&#160; The compliance program should include the following components&#58;</p><ol><li>Compliance Governance</li><li>Compliance Policies and Procedures</li><li>Compliance Staffing and Compensation</li><li>Compliance Monitoring, Testing, and Remediation</li><li>Compliance Communication and Training&#160;<br>&#160;</li></ol><p><strong>1)&#160;&#160;&#160;&#160;&#160; Compliance Governance</strong></p><p>The board should have an appropriate understanding of the types of compliance risks to which the Enterprise is exposed.<a 
href="#footnote6"><span style="text-decoration&#58;underline;">[6]</span></a>&#160; The board is responsible for exercising reasonable oversight to ensure that the compliance program is designed, implemented, reviewed, and revised in an effective manner.<a href="#footnote7"><span style="text-decoration&#58;underline;">[7]</span></a> &#160;The compliance program must be headed by a compliance officer<a href="#footnote8"><span style="text-decoration&#58;underline;">[8]</span></a> with the appropriate qualifications, experience, authority, accountability, and independence.<a href="#footnote9"><span style="text-decoration&#58;underline;">[9]</span></a>&#160; It should also be aligned with the enterprise-wide risk management program and board-approved risk appetites, including limits restricting exposures to third-party providers.<a href="#footnote10"><span style="text-decoration&#58;underline;">[10]</span></a>&#160; The board and senior management<a href="#footnote11"><span style="text-decoration&#58;underline;">[11]</span></a> should ensure that the compliance officer and the compliance program have adequate resources, including well-trained and capable staff.<a href="#footnote12"><span style="text-decoration&#58;underline;">[12]</span></a> &#160;</p><p>The board and senior management must discharge their duties and responsibilities in accordance with the Enterprise's code of conduct and ethics, and conduct themselves in a manner that promotes high ethical standards and a culture of compliance throughout the organization.<a href="#footnote13"><span style="text-decoration&#58;underline;">[13]</span></a>&#160; Promoting a culture of compliance includes documenting and communicating clear expectations about compliance both within the Enterprise and to third-party providers including sellers and servicers.&#160; The following activities are also part of an effective compliance culture&#58; clearly communicating the Enterprise's compliance, integrity, and business ethics 
standards and expectations; articulating the principle that employees and management conduct all activities in accordance with both the letter and the spirit of compliance obligations; and creating an environment where employees are encouraged to raise legal, compliance, and ethics questions and concerns without fear of retaliation.</p><p>The compliance officer must report directly to the chief executive officer<a href="#footnote14"><span style="text-decoration&#58;underline;">[14]</span></a> and should have sufficient resources and qualified staff to implement the compliance program.&#160; The compliance officer must also report regularly to the board.<a href="#footnote15"><span style="text-decoration&#58;underline;">[15]</span></a>&#160; At a minimum, these reports must address the adequacy of the Enterprise's compliance policies and procedures, including the entity's compliance with them.&#160; The compliance officer must recommend any revisions to such policies and procedures that he or she considers necessary or appropriate.<a href="#footnote16"><span style="text-decoration&#58;underline;">[16]</span></a> </p><p>First-line business functions own and manage compliance risks and implement corrective actions to address process and control deficiencies.&#160; The second line performs various risk control and compliance oversight functions.&#160; The scope and breadth of the activities of the compliance program should be subject to periodic review by the internal audit function.<a href="#footnote17"><span style="text-decoration&#58;underline;">[17]</span></a>&#160; The internal audit function's assessment of the effectiveness of the compliance program should be separate from the compliance function's monitoring and testing activities to ensure that the activities of the compliance function are subject to independent review.<a href="#footnote18"><span style="text-decoration&#58;underline;">[18]</span></a></p><p><strong>2)&#160;&#160;&#160;&#160;&#160; Compliance 
Policies and Procedures</strong></p><p>The processes and systems for managing compliance risk across the Enterprise should be documented in policies and procedures.&#160; The policies and procedures should also address compliance training throughout the organization.&#160; </p><p>Compliance policies should clearly articulate the roles and responsibilities of the various committees, functions, and staff with compliance responsibilities as well as the oversight role and responsibilities of the compliance officer and the board.&#160; These policies should describe the responsibilities of the compliance officer for managing and directing the implementation of the compliance program and the compliance officer's role in controlling compliance risks that transcend business lines.&#160; The policies should also address the scope of internal reporting of compliance matters to the board and senior management and the adequacy of the Enterprise's compliance policies and procedures, including the Enterprise's compliance with them.<a href="#footnote19"><span style="text-decoration&#58;underline;">[19]</span></a> </p><p style="text-align&#58;left;">The Enterprises should have policies and procedures in place to create an inventory of compliance obligations, identify new and revised compliance obligations, evaluate the impact to the business units, map obligations to internal controls, communicate changes with impacted parties and business units, promote independent reviews and escalation as necessary, and address compliance obligations in a practical and efficient way.&#160; </p><p style="text-align&#58;left;">Each Enterprise's compliance program should include compliance risk and control assessment policies and procedures designed to evaluate compliance risks associated with the Enterprise's business activities, including the development of new products and business practices.&#160; The compliance program's compliance risk assessment policies and procedures should include 
methods of measuring compliance risk (e.g. by using performance indicators) and use such measurements to enhance compliance risk assessments.</p><p style="text-align&#58;left;">Each Enterprise should have policies and procedures to file with FHFA any reports that may be required.<a href="#footnote20"><span style="text-decoration&#58;underline;">[20]</span></a><sup> </sup>&#160;&#160;These external reporting compliance policies and procedures should address conditions imposed in writing or written agreements between FHFA and the Enterprise.<a href="#footnote21"><span style="text-decoration&#58;underline;">[21]</span></a>&#160; </p><p style="text-align&#58;left;">The Enterprises should have first-line policies and procedures that are designed to implement enterprise-wide compliance policies and to integrate or “operationalize&quot; compliance obligations into day-to-day business processes, job duties, and responsibilities.&#160; First-line compliance policies and procedures should also promote independent reviews, identification of compliance issues, and escalation and tracking of identified issues.&#160; </p><p style="text-align&#58;left;">Procedures should describe the second-line compliance function's role in determining how business line compliance matters are addressed. 
&#160;Procedures for resolving disputes between the corporate compliance function and business line management regarding compliance matters should ensure that such disputes are resolved objectively.&#160; Under such procedures, the final decision-making authority should rest either with the corporate compliance function, or with a committee of senior management, including the compliance officer, that has no business line responsibilities.</p><p><strong>3)&#160;&#160;&#160;&#160;&#160; Compliance Staffing and Compensation</strong></p><p>The compliance officer should have appropriate qualifications, experience, authority, accountability, and independence.&#160; The compliance officer should have the necessary resources to implement the compliance function effectively.&#160; The compliance officer's compensation should include incentives tied to actions and outcomes within his or her control and influence and not include incentives that could impair or appear to impair the compliance program's independence.&#160; The compensation should also comply with 12 CFR Part 1230<a href="#footnote22"><span style="text-decoration&#58;underline;">[22]</span></a> as well as conform to the Enterprise's policies on compensation and performance management.</p><p>The Enterprise should have a sufficient number of staff assigned to the compliance function with requisite knowledge of business activities and compliance obligations to assess compliance risk and the effectiveness of risk controls.&#160; The compliance function may be centrally organized with dedicated staff or structured as a hybrid with first-line staff having both business and compliance responsibilities. 
&#160;In a hybrid approach, responsibilities for compliance activities may be delegated within the Enterprise, but oversight and ultimate responsibility for fostering an enterprise-wide compliance approach are borne centrally by the corporate compliance function.&#160; If a hybrid structure is used, compliance staff in the first line should have the ability and willingness to effectively challenge business operations regarding risk arising from the Enterprise's activities.&#160; The Enterprise should implement appropriate controls and enhanced second-line oversight to identify and address issues that may arise from conflicts of interest affecting compliance staff within the business lines. &#160;For example, in these circumstances, the Enterprise should adopt enhanced processes for the second-line compliance function's oversight of monitoring and testing activities performed by compliance staff within the business lines.&#160; In a hybrid structure, the second-line compliance function should also play a role in personnel actions and compensation decisions affecting first-line staff with compliance responsibilities.&#160; Compensation and incentive programs should avoid undermining the independence and objectivity of first-line compliance activity.&#160; </p><p><strong>4)&#160;&#160;&#160;&#160;&#160; Compliance Monitoring, Testing, and Remediation</strong></p><p>Compliance monitoring, testing, and remediation efforts should be risk-based, reflect the results of compliance risk assessments, and evaluate the adequacy and effectiveness of compliance activities across the organization.&#160; Testing and monitoring activities should provide information to compliance staff and senior executives about the operation of compliance controls across the organization, provide evidence to support an assessment of the operating effectiveness of the compliance program, and identify actual and potential instances of noncompliance.&#160; </p><p>Monitoring activities should identify 
control weaknesses that may fail to prevent or fail to identify noncompliance and should be designed to identify potential issues before a problem develops into noncompliance.&#160; These activities may include pre-activity approvals, transaction reviews, in-process quality checks, and outcome data reviews.&#160; The Enterprises' compliance programs should also include monitoring of third-party provider relationships to assess compliance with consumer protection-related laws and regulations and oversight of third-party providers' consumer compliance-related policies, procedures, internal controls, and training.<a href="#footnote23"><span style="text-decoration&#58;underline;">[23]</span></a>&#160; </p><p>Testing should assess the reliability of key assumptions, data sources, and procedures used in measuring and monitoring compliance risk.&#160; Controls should be tested on a periodic basis to ensure they are working as intended.&#160; If compliance controls are embedded in automated tools or business unit procedures, qualified compliance staff should review these tools and processes for consistency with entity-wide compliance policies and procedures.&#160; </p><p>The results of monitoring and testing activities should drive timely remediation of identified weaknesses. &#160;Corrective actions should be tracked and escalated as appropriate.&#160; Monitoring and testing protocols should include procedures for remedying undue delay in management response or ineffectual remediation efforts.</p><p><strong>5)&#160;&#160;&#160;&#160;&#160; Compliance Communication and Training </strong></p><p>The Enterprises should have lines of communication for employees to seek guidance and report concerns about compliance obligations.&#160; All Enterprise staff should receive specific, comprehensive compliance training appropriate to each individual's job responsibilities. 
&#160;Training should reinforce the Enterprise's written compliance risk management policies and procedures.&#160; When compliance policies are adopted or changed, the Enterprise should assess what, if any, training is appropriate.&#160; The Enterprise should determine whether the training should be conducted on an entity-wide or business unit level, who should be trained, and when the training should occur.</p><p> <br> <em><strong style="text-decoration&#58;underline;">Related Guidance and Regulations</strong></em></p><p>12 CFR Part 1230, Executive Compensation.</p><p>12 CFR Part 1236, Appendix, Prudential Management and Operations Standards.</p><p>12 CFR Part 1239, Responsibilities of Boards of Directors, Corporate Practices, and Corporate Governance.</p><p> <em><a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Oversight-of-Third-Party-Provider-Relationships.aspx">Oversight of Third-Party Provider Relationships</a></em>, Federal Housing Finance Agency Advisory Bulletin 2018-08, September 28, 2018.</p><p> <em><a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Oversight-of-Multifamily-SellerServicer-Relationships.aspx">Oversight of Multifamily Seller/Servicer Relationships</a></em>, Federal Housing Finance Agency Advisory Bulletin 2018-05, August 14, 2018.</p><p> <em><a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Internal-Audit-Governance-and-Function.aspx">Internal Audit Governance and Function</a></em>, Federal Housing Finance Agency Advisory Bulletin 2016–05, October 7, 2016.</p><p> <em><a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Fraud-Risk-Management.aspx">Fraud Risk Management</a></em>, Federal Housing Finance Agency Advisory Bulletin 2015-07, September 29, 2015.</p><p> <em><a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Oversight-of-Single-Family-SellerServicer-Relationships.aspx">Oversight of Single-Family Seller/Servicer Relationships</a></em>, Federal Housing Finance Agency Advisory Bulletin 2014-07, December 1, 
2014.</p><p> <em><a href="/SupervisionRegulation/AdvisoryBulletins/Pages/AB-2014-02-OPERATIONAL-RISK-MANAGEMENT.aspx">Operational Risk Management</a></em>, Federal Housing Finance Agency Advisory Bulletin 2014-02, February 18, 2014.</p><p> <em><a href="/SupervisionRegulation/AdvisoryBulletins/Pages/AB-2013-01-CONTINGENCY-PLANNING-FOR-HIGH-RISK-OR-HIGH-VOLUME-COUNTERPARTIES.aspx">Contingency Planning for High-Risk or High-Volume Counterparties</a></em>, Federal Housing Finance Agency Advisory Bulletin 2013-01, April 1, 2013.</p>&#160;&#160;&#160;&#160;&#160;&#160; <p>&#160;</p><hr width="25%" align="left" /><p> <a name="footnote1"><font color="#0066cc">[1]</font></a>&#160; 12 CFR 1239.12.</p><p> <a name="footnote2"> <font color="#0066cc">[2]</font></a>&#160; The regulation requires that the compliance program manage compliance with “applicable laws, rules, regulations, and internal controls,&quot; 12 CFR 1239.12.</p><p> <a name="footnote3"><font color="#0066cc">[3]</font></a>&#160; 12 CFR 1239.11(b), 1239.11(b)(2)(i), and 1239.11(c)(2).</p><p> <a name="footnote4"><font color="#0066cc">[4]</font></a>&#160; See <em>Oversight of Third-Party Provider Relationships, </em>AB 2018-08.&#160; See also PMOS, Standard 9&#58; Principles 4, 5, and 10.</p><p> <a name="footnote5"><font color="#0066cc">[5]</font></a>&#160; 12 CFR 1239.11(a).</p><p> <a name="footnote6"><font color="#0066cc">[6]</font></a>&#160; See generally PMOS, <em>Responsibilities of the Board of Directors&#58;</em> Principle 4.</p><p> <a name="footnote7"> <font color="#0066cc">[7]</font></a>&#160; Ibid.</p><p> <a name="footnote8"><font color="#0066cc">[8]</font></a>&#160; 12 CFR 1239.12.</p><p> <a name="footnote9"><font color="#0066cc">[9]</font></a>&#160;&#160; PMOS, Standard 1&#58; Principle 2 and Standard 8&#58; Principles 1 and 3.</p><p> <a name="footnote10"> <font color="#0066cc">[10]</font></a>&#160; See <em>Oversight of Third-Party Provider Relationships, </em>AB 2018-08.</p><p> <a name="footnote11"> 
<font color="#0066cc">[11]</font></a>&#160; Ibid.&#160; The term “senior management&quot; refers to those employees who plan, direct, and formulate policies, and provide the overall direction of the Enterprise for the development and delivery of products or services, within the parameters approved by the board.&#160; </p><p> <a name="footnote12"> <font color="#0066cc">[12]</font></a>&#160; PMOS, <em>General Responsibilities of the Board of Directors and Senior Management</em>&#58; Principle 6 and Standard 8&#58; Principle 6.</p><p> <a name="footnote13"> <font color="#0066cc">[13]</font></a>&#160; 12 CFR 1239.10(a).&#160; See also PMOS, Standard 1&#58; Principle 3. </p><p> <a name="footnote14"> <font color="#0066cc">[14]</font></a>&#160; 12 CFR 1239.12.</p><p> <a name="footnote15"> <font color="#0066cc">[15]</font></a>&#160; Ibid.</p><p> <a name="footnote16"><font color="#0066cc">[16]</font></a>&#160; Ibid.</p><p> <a name="footnote17"> <font color="#0066cc">[17]</font></a>&#160; See <em>Internal Audit Governance and Function, </em>AB 2016-05. 
&#160;See also PMOS, Standard 1&#58; Principle 14.</p><p> <a name="footnote18"> <font color="#0066cc">[18]</font></a>&#160; See generally PMOS, Standard 2.</p><p> <a name="footnote19"><font color="#0066cc">[19]</font></a>&#160; 12 CFR 1239.12.</p><p> <a name="footnote20"><font color="#0066cc">[20]</font></a>&#160; 12 CFR 1239.13.</p><p> <a name="footnote21"><font color="#0066cc">[21]</font></a>&#160; Ibid.</p><p> <a name="footnote22"><font color="#0066cc">[22]</font></a>&#160; As senior vice presidents, the Enterprises' compliance officers fit within the regulatory definition of executive officer.&#160; See 12 CFR 1230.2.</p><p> <a name="footnote23"><font color="#0066cc">[23]</font></a>&#160; PMOS, Standard 9&#58; Principles 4, 5, and 10.&#160; See also <em>Oversight of Third-Party Provider Relationships, </em>AB 2018-08.</p><p> <br>&#160;&#160;</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. &#160;Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. &#160;Questions about this advisory bulletin should be directed to&#58;&#160; <a>SupervisionPolicy@fhfa.gov</a>. </p></td></tr></tbody></table>
Enterprise Fraud Reporting | 27298 | Fannie Mae & Freddie Mac | 9/18/2019 4:00:00 AM | AB 2019-04<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>ADVISORY BULLETIN</strong></p><p> <strong>AB 2019-04&#58;&#160; ENTERPRISE FRAUD REPORTING</strong></p></td></tr></tbody></table><p> <span style="text-decoration&#58;underline;"><strong><em>Purpose</em></strong></span></p><p>This advisory bulletin communicates to Fannie Mae and Freddie Mac (the Enterprises) the Federal Housing Finance Agency's (FHFA) fraud reporting requirements pursuant to 12 CFR Part 1233 (FHFA Regulation).</p><p>This advisory bulletin rescinds and replaces FHFA's Advisory Bulletin AB 2015-02&#58;&#160; <em>Enterprise Fraud Reporting</em>, dated March 26, 2015.</p><p style="text-decoration&#58;underline;"> <strong><em>Background</em></strong></p><p style="text-align&#58;left;">The Housing and Economic Recovery Act of 2008 (HERA) subjects the Enterprises to fraud reporting (12 U.S.C. 
Section 4642) and requires an Enterprise to submit to FHFA a “timely&quot; report upon discovery that it has purchased or sold a fraudulent loan or financial instrument, or when it suspects a possible fraud related to the purchase or sale of any loan or financial instrument.&#160; </p><p style="text-align&#58;left;">The FHFA Regulation implements the timely reporting requirement of HERA (12 CFR Section 1233.3(a)(1)) and requires immediate notification to the Director of FHFA upon the discovery of any situation that would have a significant impact on an Enterprise (12 CFR Section 1233.3(a)(2)).&#160; The FHFA Regulation grants the Director authority to determine procedures by which the Enterprises will submit such reports (12 CFR Section 1233.3(b)).</p><p style="text-decoration&#58;underline;"> <strong><em>Guidance</em></strong></p><p>The Enterprises should adhere to the guidelines in this advisory bulletin for reporting fraud or possible fraud to FHFA in compliance with the FHFA Regulation and for supervisory oversight purposes.&#160; &#160;</p><p> <em>Immediate Notification</em></p><p>To comply with the immediate notification requirement in the FHFA Regulation, an Enterprise should notify the Director's designee(s) electronically, through secure methods established by FHFA, within one calendar day from when an Enterprise becomes aware of fraud or possible fraud as defined in the FHFA Regulation that may have a significant impact on the Enterprise.&#160; Fraud or possible fraud is considered to have a significant impact if it may create substantial financial or operational risk for the Enterprise, whether from a single event/incident or because it is systemic.&#160; Fraud or possible fraud is also considered significant if it involves a member of the board of directors, officer, employee, or a contractor temporarily engaged to fill a position or perform a particular function at an Enterprise or other individual similarly engaged by an Enterprise.&#160; </p><p>The 
Enterprise should provide periodic updates to its board of directors, or a committee thereof, of all fraud or possible fraud requiring immediate notification.</p><p> <em>Timely Reporting</em></p><p>To comply with the timely reporting requirement in the FHFA Regulation, an Enterprise should adhere to the following two reporting requirements. </p><p> <span style="text-decoration&#58;underline;">Monthly Fraud Status Report</span></p><p>The Enterprises should submit a monthly fraud status report to FHFA. &#160;The monthly fraud status report shall contain requested information for each occurrence during the month in which the Enterprise has&#58;</p><ol><li>Filed a suspicious activity report (SAR) with the U.S. Department of the Treasury, Financial Crimes Enforcement Network (FinCEN) or</li><li>Discovered that it has purchased or sold a fraudulent loan or financial instrument, or when it suspects a possible fraud related to the purchase or sale of any loan or financial instrument, and the Enterprise has not filed a SAR.<br>&#160;</li></ol><p>FHFA will provide a template that describes the format of the monthly fraud status report and defines the information to be included.</p><p>Each Enterprise should provide the Director's designee(s) with the monthly fraud status report within thirty (30) calendar days after the end of each month, regardless of whether the Enterprise has a reportable event during the period covered by the report.&#160; The report should be sent electronically through secure methods established by FHFA.&#160; </p><p> <span style="text-decoration&#58;underline;">Quarterly Fraud Status Report</span></p><p>On a quarterly basis, the Enterprises should also report to FHFA summary information concerning their fraud risk management environments.&#160; </p><p>FHFA will provide a template that describes the format of the quarterly fraud status report and defines the information to be included.</p><p>Each Enterprise should provide the Director's designee(s) with 
the quarterly fraud status report within thirty (30) calendar days after the end of each calendar quarter.&#160; The report should be sent electronically through secure methods established by FHFA. &#160;<br></p><p> <span style="text-decoration&#58;underline;"><strong><em>Effective Date</em></strong></span></p><p style="text-align&#58;left;">This advisory bulletin becomes effective on January 1, 2020.&#160;<br><br></p><p style="text-decoration&#58;underline;"> <strong style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;"><em>Related Guidance</em></strong><br></p><p> <em><a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/AB2015-07_Fraud-Risk-Management.pdf">Fraud Risk Management</a></em>, Federal Housing Finance Agency Advisory Bulletin 2015-07, September 29, 2015.</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance.&#160; Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. &#160;Questions about this advisory bulletin should be directed to&#58; <a href="mailto&#58;SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>.</p></td></tr></tbody></table>
Capital Stock Management | 27088 | FHL Banks | 8/15/2019 4:00:00 AM | AB 2019-03<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>ADVISORY BULLETIN</p><p>AB 2019-03<br></p><p>CAPITAL STOCK MANAGEMENT<br></p></td></tr></tbody></table><p> &#160;&#160; <br></p><p> <strong style="text-decoration&#58;underline;"> <em>Purpose</em></strong><br></p><p>This Advisory Bulletin (AB)&#160;provides Federal Housing Finance Agency (FHFA) guidance for each Federal Home Loan Bank (Bank) regarding the manner in which it manages its capital accounts.&#160; This guidance augments existing statutory and regulatory capital requirements.&#160; </p><p>This guidance describes FHFA’s supervisory expectations regarding an appropriate level of capital stock that each Bank should maintain, expressed as a percentage of assets, in order to help preserve the cooperative nature of the Banks.&#160; Recent developments have resulted in the Banks responding to growth in their retained earnings, in part, by lowering their levels of capital stock, where both are measured as a proportion of total assets.&#160; Holding a higher proportion of total capital as retained earnings supports the maintenance of the par value of Bank capital stock, but also results in a declining proportion of capital stock which could, at some point, undermine the cooperative nature of the Banks by minimizing their members’ ownership interest in them.<br>&#160;</p><p> <strong style="text-decoration&#58;underline;"> <em>Background</em></strong></p><p> <span style="text-decoration&#58;underline;">Capital Composition</span><br></p><p>Bank regulatory capital is comprised of member paid-in Bank capital stock (capital stock) and retained earnings.<a href="#footnote1">[1]</a>&#160;&#160;&#160; Each Bank has a variety of means to manage the composition of its capital accounts between those two items.&#160; For example, a Bank can increase or decrease the proportion 
of capital attributable to capital stock by increasing or decreasing stock purchase requirements that an institution must make for membership or for conducting certain activities, primarily member advance borrowings.&#160; The Bank also can issue stock dividends, which converts retained earnings into capital stock.<br></p><p> <span style="text-decoration&#58;underline;">Cooperative Nature of the Bank System</span><br></p><p>Congress established the Banks as cooperative business organizations, meaning that the Banks are to be owned and managed by their members for the purpose of providing services to those members.&#160; Specifically, only members may own capital stock in the Banks or vote to elect persons to the boards of directors, a majority of which must be officers or directors of those member institutions.&#160; The members of the Banks also own the retained earnings of the Banks, in proportion to the amount of Class B capital stock that each member owns.&#160; Only members and certain eligible associates may receive an advance, which is the primary service provided by the Banks, or may sell qualifying mortgage loans to their Bank.<a href="#footnote2">[2]</a>&#160;&#160; </p><p>A fundamental aspect of the cooperative structure is that the members have a financial incentive to be fully engaged in the oversight and business of the Bank.&#160; Being so engaged helps to preserve the value of the members’ investment in the capital stock of the Bank, and to maintain the availability of Bank services that benefit members.&#160; As both owners and customers of the Bank, members also are financially motivated to ensure that the Bank operates in a safe and sound manner.&#160; As a practical matter, however, the members’ financial motivation to properly oversee the operations of the Bank will likely be positively correlated with the members’ tangible investment in the Bank.&#160; </p><p>In recent years, the Banks have achieved significant growth in retained earnings as a 
proportion of total assets.&#160; Consequently, the Banks have also managed a gradual decline in capital stock as a proportion of assets.&#160; FHFA believes that it is important for a Bank to maintain a minimum capital stock-to-assets ratio in order to help preserve the cooperative structure incentives that encourage members to remain fully engaged in the oversight of their investment in the Bank.&#160; Determining an amount of capital stock that would provide some reasonable assurance that the members would continue to have a financial incentive to remain engaged in the oversight and use of the cooperative is not a matter that readily lends itself to precise calculation.&#160; Nonetheless, FHFA believes that the members of a Bank that maintains a ratio of at least two percent of capital stock to assets will continue to have adequate financial incentive to remain engaged in the cooperative, and encourages each Bank to maintain its capital stock at or above that ratio.&#160;&#160;&#160; </p><p>A factor suggesting that maintaining at least a two percent capital stock-to-assets ratio may align with sufficient member incentive to remain engaged in the cooperative is that this measure is related to the risk of capital stock impairment.&#160; Specifically, the risk of impairment is heightened as the Bank’s total capital declines to near the level of two percent of assets.&#160; This is the threshold at which the prompt corrective action regulation specifies that the Director of FHFA may appoint a conservator or receiver.<a href="#footnote3">[3]</a>&#160;&#160; Either of those actions would significantly increase the likelihood of impairment for the remaining amounts of capital stock.&#160; If a Bank that was approaching the two percent capital level were to be capitalized principally with retained earnings, its members would have little investment at risk if the Bank’s capital levels were to continue to decline, and thus less motivation to engage in actions to revive 
the safe and profitable operation of the Bank.&#160; Clearly, the motivation of the members to actively support the Bank would increase in step with the proportion of that capital that is capital stock and would be maximized when needed most in the circumstance of a Bank that has only about two percent of capital to assets, and all of that capital is capital stock.<br><br></p><p style="text-decoration&#58;underline;"> <strong> <em>Scope</em></strong></p><p>This Advisory Bulletin applies only to the Banks.<br>&#160;</p><p> <strong style="text-decoration&#58;underline;"> <em>Guidance</em></strong></p><p>Maintaining the level of capital stock in an amount that is equal to or greater than two percent of a Bank’s assets is consistent with helping preserve the cooperative nature of the Bank System. Beginning six months following the date of this Advisory Bulletin, FHFA will consider the proportion of capital stock, as measured on a daily average basis at month end, when assessing each Bank’s capital management practices.&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;</p><p>&#160;</p><hr width="25%" align="left" /><p> <a name="footnote1">[1]</a> For purposes of this Advisory Bulletin, capital stock includes all member paid-in Bank capital stock, including mandatorily redeemable stock.<br></p><p> <a name="footnote2">[2]</a> Most recently, in the amended Acquired Member Asset rule, FHFA stated that the objective of the member nexus requirement in that rule is to align the mortgage purchase programs with the cooperative structure of the Bank System. 81 Fed. Reg. 91674, 91676 (Dec. 19, 2016).<br></p><p> <a name="footnote3">[3]</a> <em>See</em> 12 CFR 1229.1, 1229.10(a). This threshold is also well known from commercial banking regulation, where the Federal Deposit Insurance Act requires that a bank’s “critical capital” be not less than two percent of total assets. 
12 USC 1831o(c)(3)(B).<br></p><p> <br> &#160;</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. Questions about this advisory bulletin should be directed to&#58; <a href="mailto&#58;SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a><br></p></td></tr></tbody></table>
Implementation of Streamlined Monitoring Requirements for Affordable Housing Program Projects Funded by Certain Other Federal Government Rental Housing Programs | 26200 | FHL Banks | 5/9/2019 4:00:00 AM | AB 2019-02
<div> <strong>DIVISION OF HOUSING MISSION AND GOALS</strong><br> <div> <br> <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p style="text-align&#58;left;"> <strong>ADVISORY BULLETIN</strong><strong>&#160; </strong></p><p style="text-align&#58;left;"> <strong>AB 2019-02</strong><strong>&#160;&#160;</strong>&#160;<br></p><p style="text-align&#58;left;"> <strong>IMPLEMENTATION OF STREAMLINED MONITORING REQUIREMENTS FOR AFFORDABLE HOUSING PROGRAM PROJECTS FUNDED BY CERTAIN OTHER FEDERAL GOVERNMENT RENTAL HOUSING PROGRAMS</strong><br></p><p style="text-align&#58;left;"><strong>May 9, 2019</strong><br></p></td></tr></tbody></table><p style="text-decoration&#58;underline;"> <br> <strong> <em>Purpose</em></strong></p><p>The Federal Housing Finance Agency's (FHFA) Affordable Housing Program (AHP) regulation authorizes streamlined monitoring for AHP-subsidized projects that are also funded by certain other government housing programs and identified by FHFA in separate guidance.&#160; This Advisory Bulletin (AB) identifies those programs.</p><p style="text-decoration&#58;underline;"> <strong><em>Background</em></strong></p><p>FHFA published a final rule in the <em>Federal Register</em> on November 28, 2018 amending the AHP regulation, one component of which permits the Federal Home Loan Banks (Banks) to implement streamlined monitoring for AHP projects funded by certain other government housing programs that FHFA specifies in separate guidance.&#160; Specifically, the amended regulation requires that at initial monitoring of AHP projects funded by such other programs, the Banks review rent rolls (in the case of rental projects) and project sponsor certifications, and any other documentation to 
verify that the projects meet the requirements in 12 C.F.R. § 1291.50(a)(2), but not any other back-up documentation on household incomes or rents.&#160;<a href="#1">[1]</a>&#160;<span style="font-style&#58;normal;">&#160;</span>For long-term monitoring of AHP rental projects funded by such other programs, the regulation requires that the Banks review annual project sponsor certifications on household incomes and rents and information on the ongoing financial viability of the projects, but not any other back-up documentation on incomes and rents, including rent rolls.&#160;<a href="#2">[2]</a>&#160;<br></p><p style="text-align&#58;left;text-decoration&#58;underline;"> <strong> <em>Guidance</em></strong></p><p>As discussed in the proposed&#160;<a href="#3">[3]</a>&#160;and final&#160;<a href="#4">[4]</a>&#160;AHP rules, FHFA has analyzed the monitoring standards and practices of several federal government housing programs to identify programs with substantially equivalent rent, income, and retention requirements to the AHP, as well as very low noncompliance rates.&#160; FHFA's analysis also focused on each monitoring entity's demonstrated ability to monitor the program effectively.&#160; </p><p>FHFA found that the following four housing programs meet the criteria identified above&#58;<br></p><ul><li>HUD Section 202 Program for the Elderly;<br></li><li>HUD Section 811 Program for Housing the Disabled;</li><li>USDA Section 515 Rural Multifamily Program; and</li><li>USDA Section 514 Farmworker Multifamily Program.<br></li></ul><p> <span style="color&#58;#444444;font-style&#58;normal;">Accordingly, the Banks may implement the streamlined monitoring described above for AHP projects funded by any of these four programs.</span><span style="font-style&#58;normal;color&#58;#444444;">&#160;</span><br></p><p>Although the final AHP rule became effective on December 28, 2018, the compliance date for implementing the streamlined monitoring practices is January 1, 2021.&#160; 
However, Banks may implement the streamlined monitoring before this compliance date.&#160; Banks that opt to do so should provide notice to FHFA pursuant to the email of December 26, 2018, to the Banks from the Deputy Director of the Division of Bank Regulation at <a href="mailto&#58;DeputyDirector-FHLBanks@FHFA.gov">DeputyDirector-FHLBanks@fhfa.gov​</a>.&#160; Banks must also ensure that their AHP Implementation Plans set forth their requirements for monitoring.&#160;<a href="#5">[5​]</a>&#160;<br></p><p>Should a Bank identify potential noncompliance with AHP household income or rent requirements in a project that is subject to streamlined monitoring, it should evaluate whether an expansion of its review to include the back-up documentation, including rent rolls, is warranted to verify compliance with AHP requirements.&#160;</p><p style="font-style&#58;normal;">____________________________________<br></p><p style="font-style&#58;normal;text-decoration-line&#58;underline;"> <span style="font-size&#58;inherit;font-family&#58;inherit;font-weight&#58;700 !important;"> <em></em></span></p><p style="font-style&#58;normal;"> <a name="1">[1]</a>&#160;<em style="font-weight&#58;400;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;">See</em><span style="font-style&#58;normal;">&#160;12 C.F.R. § 1291.50(a)(2), (a)(3).</span><br></p><p style="font-style&#58;normal;"> <a name="2">[2]</a>&#160;<em style="font-weight&#58;400;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;">See</em><span style="font-style&#58;normal;">&#160;12 C.F.R. § 1291.50(c)(1)(i), (ii).</span>​</p><p> <a name="3">[3]</a>&#160;Affordable Housing Program Amendments, 83 Fed. Reg. 11344, 11365-11366 (Mar. 14, 2018).​<br></p><p> <a name="4">[4]</a>&#160;Affordable Housing Program Amendments, 83 Fed. Reg. 61186, 61126-61127 (Nov. 28, 2018).<br></p><p> <a name="5">[5]</a>&#160;See&#160;12 C.F.R. 
§ 1291.13(b)(11).&#160;</p><p style="text-align&#58;left;">FHFA will continue to assess the monitoring standards and practices of other government housing programs and may make modifications to this guidance in a subsequent AB as appropriate.<br style="text-decoration&#58;underline;"></p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p style="text-align&#58;left;">FHFA has statutory responsibility to ensure that the regulated entities carry out their missions consistently with the provisions and purposes of FHFA's statute and the regulated entities' authorizing statutes.&#160; Advisory Bulletins describe supervisory expectations in particular areas and are used in FHFA examinations of the regulated entities.&#160; For comments or questions pertaining to this AB, contact Ted Wartell at <a href="mailto&#58;Ted.Wartell@fhfa.gov">Ted.Wartell@fhfa.gov</a> or by phone at 1-202-649-3157; or Marcea Barringer at <a href="mailto&#58;Marcea.Barringer@fhfa.govl">Marcea.Barringer@fhfa.gov</a> or by phone at 1-202-649-3275.&#160;<br></p></td></tr></tbody></table> <br> </div></div>
Business Resiliency Management | 26708 | All | 5/7/2019 4:00:00 AM | AB 2019-01
<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p style="text-align&#58;left;"> <strong>&#160;</strong><strong>ADVISORY BULLETIN</strong><strong>&#160; </strong></p><p style="text-align&#58;left;"> <strong>AB 2019-01&#58;</strong><strong>&#160; </strong><strong>BUSINESS RESILIENCY MANAGEMENT</strong></p></td></tr></tbody></table><p style="text-decoration&#58;underline;"> <br> <strong> <em>Purpose</em></strong></p><p>This advisory bulletin (AB) provides Federal Housing Finance Agency (FHFA) guidance on business resiliency management at Fannie Mae, Freddie Mac, the Federal Home Loan Banks (FHLBanks), and the Office of Finance (OF) (collectively, the regulated entities).<a href="#1">[1]</a>&#160; This AB rescinds and replaces Federal Housing Finance Board Advisory Bulletin 02-3 Disaster Recovery Planning, February 13, 2002.&#160; </p><p>For purposes of this AB, business resiliency management refers to the regulated entity's ability to minimize the impact of disruptions and maintain business operations at predefined levels. 
&#160;Disruptions can expose the regulated entities to operational, financial, legal, compliance, and reputational risks.&#160; An effective business resiliency management program (program) helps to ensure safe and sound operations at each regulated entity.&#160; </p><p style="text-decoration&#58;underline;"> <strong><em>Background</em></strong></p><p style="text-align&#58;left;">Uncontrolled events, such as natural disasters, pandemics, and cyberattacks, can threaten the regulated entities' ability to perform mission critical operations, such as providing liquidity and access to credit in the mortgage market.&#160; Disruptions in service can expose the regulated entities to a variety of risks and potentially lead to adverse economic consequences in the financial sector.&#160; A program establishes documented strategic processes and procedures that a regulated entity should follow to mitigate and respond to risks in order to continue its business operations. </p><p style="text-align&#58;left;">The core components of a program include the business continuity plan (BCP), disaster recovery plan (DRP) and crisis management plan (CMP) (collectively, plans).&#160; The BCP is the written set of procedures a regulated entity follows to recover, resume, and maintain business functions and their underlying processes at acceptable predefined levels following a disruption.&#160; The BCP accounts for disruptions affecting personnel, equipment, facilities, data, third-party providers, and the technical assets associated with business functions and processes.&#160; The DRP is the documented process to recover and resume the regulated entity's IT infrastructure, business applications, and data services in the event of a major disruption.&#160; The CMP provides documented, coordinated responses to enterprise-wide disruptions, including overseeing the activation of the DRP and BCPs. 
&#160;</p><p style="text-align&#58;left;">FHFA's general standards for safe and sound operations are set forth in the Prudential Management and Operations Standards (PMOS) at 12 CFR Part 1236 Appendix.&#160; Three relevant PMOS articulate guidelines for a regulated entity's board of directors and senior management to evaluate when establishing internal controls and information systems (Standard 1), overall risk management processes (Standard 8, especially Standard 8.11), and maintenance of adequate records (Standard 10). &#160;A business resiliency program that is aligned with this AB will meet FHFA's supervisory expectations on the points that the AB addresses, with respect to those standards.&#160; A business resiliency program that is not aligned with this AB may not meet those standards and may not be safe and sound.<a href="#2">[2]</a></p><p style="text-align&#58;left;text-decoration&#58;underline;"> <strong> <em>Guidance</em></strong></p><p>FHFA expects the regulated entities to establish and maintain a program that includes the following&#58;</p><ol style="list-style-type&#58;upper-roman;"><li>Governance</li><li>Business Resiliency Cycle</li><ol style="list-style-type&#58;upper-alpha;"><li>Risk Assessment and Business Impact Analysis</li><li>Risk Mitigation and Plan Development</li><li>Testing and Analysis</li><li>Risk Monitoring and Program Sustainability</li></ol></ol><p>Each regulated entity should establish its program in alignment with its enterprise-wide risk management program,<a href="#3">[3]</a> and in accordance with all relevant FHFA guidance.&#160; The regulated entity should develop strategies, policies, procedures, and internal standards that apply to the program.&#160; The program should guide the regulated entity to respond appropriately to disruptions affecting business operations, personnel, equipment, facilities, IT systems, and information assets.&#160; In order to remain current and effective, the program should adopt a cyclical, 
process-oriented approach that incorporates the following steps&#58; (1) risk assessment and business impact analysis, (2) risk mitigation and plan development, (3) testing and analysis, and (4) risk monitoring and program sustainability. &#160;</p><p> <strong>I.&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Governance</strong></p><p>The board of directors or a committee thereof (board) is responsible for maintaining a strong business resiliency culture and overseeing the program.&#160; The board provides oversight of senior management's implementation of the program and maintenance of plans that reflect the regulated entity's current operating environment and risk appetite.&#160; The board should review and approve the enterprise-wide business resiliency strategic objectives of the program on an annual basis.&#160; &#160;</p><p>As delegated by the board, senior management<a href="#4">[4]</a> is responsible for executing the program.&#160; Senior management ensures that&#58;</p><ul style="list-style-type&#58;disc;"><li>Each step of the program is carried out by assigned personnel with clear roles and responsibilities;</li><li>There are designated resources and qualified personnel from across the regulated entity's business units and operations to develop and implement plans;&#160; </li><li>Employees are adequately trained and participate in testing exercises, as necessary, to demonstrate understanding of their role when plans are activated in the event of a disruption; </li><li>There is sufficient communication and coordination to properly execute plans and maintain enterprise-wide business resiliency;&#160; </li><li>Effective reporting and metric requirements are in place, such as reviewing internal audit reports and providing reports to the board;&#160; </li><li>The review and approval of plans involving critical business functions are conducted on an annual basis or when there are material changes in the operating environment that affect critical business 
functions; and</li><li>The board is informed of significant issues involving the strategies, plans, or testing of critical business functions. </li></ul><p> <strong>II.&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Business Resiliency Cycle</strong></p><p> <em>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; A.&#160; Risk Assessment and Business Impact Analysis</em></p><p>Developing an effective plan begins with a risk assessment that determines the potential threats to a regulated entity's business operations.&#160; A risk assessment considers the full spectrum of scenarios that could affect operations, ranging from low impact, high probability occurrences (such as power or telecommunication disruptions) to low probability, high impact occurrences (such as pandemics or natural disasters).&#160; As part of the risk assessment process, the regulated entity should take into account disruptions involving information services, equipment, personnel, facilities, and services by third-party providers.&#160; The regulated entities should also consider their proximity to infrastructure in conjunction with their susceptibility to threats.&#160; </p><p>The business impact analysis (BIA) assesses and prioritizes those business functions and processes, including their associated technical assets, that must be recovered after a disruption.&#160; The BIA should identify the potential impact of uncontrolled events on the regulated entity's ability to execute its business functions and processes.&#160; The regulated entity should also consider the impact of disruptions on its ability to perform its role in the financial marketplace, satisfy legal and regulatory requirements, follow safe and sound practices, maintain public confidence, and achieve its strategic goals.&#160; </p><p>Conducting a thorough and accurate BIA is the basis for developing effective plans and a comprehensive program for the regulated entity.&#160; As part of the BIA, the 
regulated entities should identify business functions and processes, evaluate and compare business function requirements, and identify interdependencies between critical systems, departments, personnel, and services that may be compromised during a disruption.&#160; The BIA should be risk-focused, taking into consideration the priority of certain business functions and processes. &#160;The BIA should be conducted at least annually.&#160; </p><p>Recovery point objectives (RPOs) and recovery time objectives (RTOs) are calculated results informed by the BIA.&#160; An RPO defines the maximum level of data loss (in terms of time) that can be afforded during a failure.&#160; An RTO estimates the maximum allowable downtime for business processes and associated technical assets that should be recovered after a disruption.&#160; The regulated entity should additionally consider how RTOs and RPOs affect data recovery and reconciliation, especially when business and IT interdependencies are involved.&#160; RTOs inform the regulated entity on how it should categorize and group business processes and technical assets from the most critical functions to the least critical.</p><p> <em>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; B.&#160; Risk Mitigation and Plan Development</em></p><p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;<span style="text-decoration&#58;underline;">Risk Mitigation</span></p><p>The regulated entity should use the results from the risk assessment and BIA to determine appropriate recovery solutions that mitigate the risk of a disruption to a level that is acceptable for its business functions and processes.&#160; The recovery solutions may include data synchronization, redundant vendor support, alternative power sources, high-availability technologies for critical business functions, fire detection and suppression systems, and additional reserves of critical equipment 
and supplies.&#160; The regulated entity should also consider the appropriate insurance coverage for its business, taking into consideration the BIA findings and its risk profile.</p><p>Some business functions have high availability requirements where even minimal downtime presents risk. &#160;The regulated entities should have an alternate, geographically distinct data center as an enterprise-wide disaster recovery solution that maintains availability within pre-determined RTOs and RPOs.&#160; Alternatively, the regulated entity can rely on its cloud service provider.<a href="#5">[5]</a>&#160; A geographically distinct data center should be at an appropriate distance from the regulated entity's primary operations and should not be subject to the same inherent risks as the primary site during a disaster.&#160; Pursuant to the DRP, the alternate site would be activated to recover, by priority, the technical assets of the primary location.&#160; The facility should be capable of operating at the regulated entity's normal volume and be available for use until the regulated entity achieves full recovery from the disaster. &#160;For any FHLBank, partnering with another FHLBank is a useful strategy for short-term resumption of certain business processes, but by itself should not be considered an adequate disaster recovery solution.&#160; </p><p>If a third-party provider is used to mitigate business resiliency risk, the regulated entity should evaluate, according to the risk assessment or BIA, whether its business resiliency objectives are met within its third-party provider risk management framework.<a href="#6">[6]</a>&#160; Commensurate with the risk involved, the regulated entity should consider the strength of a third-party provider's business resiliency program. 
</p><p>The regulated entities should also consider risk mitigation strategies in addition to those addressing RPOs and RTOs.&#160; For instance, a senior management-approved response plan to handle media inquiries can reduce the risk of reputational harm after a disruptive event.&#160; FHFA also encourages the regulated entities to contact federal, state, and local authorities as needed to determine specific risks or exposures for their geographic location and requirements for accessing emergency zones.&#160; The regulated entities should consider taking advantage of government-sponsored emergency programs and coordinating with agencies, emergency personnel, and service providers during the recovery and resumption of operations.</p><p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; <span style="text-decoration&#58;underline;">Plan Development</span></p><p>The regulated entity should document how to implement the risk mitigation strategies and recovery solutions in its plans.&#160; Plans should include short-term and long-term recovery operations with steps to transition back to normal business based on the criticality of the business functions and processes affected.&#160; Plans should also account for internal and external dependencies in the event that third-party providers,<a href="#7">[7]</a>&#160;personnel, or certain equipment are unavailable or inefficient.&#160; Plans should avoid single points of failure as the strength of a plan can be diminished by weak components. 
&#160;If the regulated entity outsources the development of its plans, it is responsible for choosing a service provider that has the requisite expertise appropriate for the entity's size, complexity, and risk environment.&#160;&#160; </p><p>The regulated entity's plans should include the following&#58;</p><ul style="list-style-type&#58;disc;"><li>The assumptions used to develop each plan, understanding that certain assumptions may not be met when a plan is activated;</li><li>Criteria to trigger activation of the plan and escalate incidents, if appropriate;</li><li>Assigned roles and responsibilities for personnel to activate and execute the plans;</li><li>Contingency plans for technical assets, where appropriate;</li><li>Incident response measures to protect the availability, confidentiality, and integrity of information;</li><li>Current contact information for employees, customers, service providers, municipal authorities, and emergency response personnel that is readily accessible at off-site locations; </li><li>Internal and external communication protocols, including notifying FHFA, the board, and customers, and call trees and employee notification procedures;</li><li>Relocation strategies to other facilities and remote access policies and standards if personnel are working from a remote location in the event of a disaster; and</li><li>References to emergency response measures to prevent loss of life and minimize injury and property damage.</li></ul><p>The regulated entity should prioritize the recovery of its business functions and processes according to the RTOs and RPOs as stated in each plan. &#160;Each business function, process, and associated technical asset should map to a BCP.&#160; Technical assets should also be accounted for in the DRP as they relate to the prioritized recovery and protection of the regulated entity's IT infrastructure, business applications, and data. 
&#160;The regulated entity should determine the enterprise-wide risk thresholds that trigger activating the CMP and the corresponding steps to respond to such incidents at an enterprise level.&#160; The regulated entity should consider the operational, legal, compliance, financial, and reputational risks involved when determining the thresholds to trigger the CMP.&#160; The CMP should include the coordinated responses to implement the DRP and BCPs, handle media inquiries, and oversee emergency response measures.</p><p> <em>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; C.&#160; Testing and Analysis</em></p><p>Testing demonstrates how well each plan achieves the business resiliency objectives defined by the regulated entity.&#160; Each regulated entity should develop a testing program that includes policies, standards, and procedures that address test planning, execution, reporting of test results, and test revisions, as necessary.&#160;&#160;&#160; </p><p>Senior management should designate personnel to oversee the testing of plans and allocate adequate time and resources for test exercises.&#160; Senior management is also responsible for ensuring that employees are aware of their roles (i.e., administrator or participant) in executing tests regularly.&#160; Test plans should periodically rotate employee roles, as appropriate, to reduce reliance on specific individuals who may not be available during a disruptive event.&#160; Testing of plans involving critical business functions should be completed at least annually, and when material changes occur to the business operating environment.&#160; The frequency of testing should be consistent with the criticality of the business function, but should not jeopardize normal business operations.</p><p>Prior to each test, management should validate the testing methods to identify potential problems.&#160; Test plans or exercises should be evaluated to assess whether test objectives are feasible and 
whether assumptions used in developing the test strategy are reasonable.&#160; Testing of plans should align with the risk assessments and the BIAs to validate pre-determined RPOs and RTOs.&#160; Additionally, priority-based testing should&#58;</p><ul style="list-style-type&#58;disc;"><li>Incorporate a variety of threats, event types, and crisis management scenarios that range from isolated system failures to full-scale disruptions;</li><li>Evaluate identified internal and external interdependencies, including the testing of primary and alternate facilities with key third-party providers; </li><li>Progressively increase in scope and complexity, functions, physical locations, and participants; testing should ultimately process at least a full day's work at the regulated entity's normal levels;</li><li>Include a full-scale DRP test to confirm the entity's ability to conduct and sustain normal business in an alternate data center and the ability to return to pre-defined levels of operations in the primary data center; and</li><li>Over time, adapt to changes in the regulated entity's business activities and risk profile.&#160; </li></ul><p>Internal audit or a qualified independent third party should review the testing program and conduct an independent assessment of selected tests, including the underlying assumptions and methodology.&#160; Management should have oversight of key tests that are observed, verified, and evaluated by the independent party in order to validate the testing process and accuracy of test results.&#160; Test results, deviations from test plans, problems identified during testing, and any specified remediation steps should be properly documented. 
</p><p>Test results should be periodically analyzed to determine if problems identified during testing can be traced to a common source, remediated, and resolved through revisions to the testing program.&#160; Problems encountered during testing should be corrected and retested in a timely manner.&#160; Test participants or test owners can also provide suggestions to the test scenarios, plans or scripts to improve the test program.&#160; Once tests are completed and assessed, the test program should be updated to address any gaps identified during tests and retested, as necessary, for robustness and effective remediation within a reasonable timeframe.&#160; </p><p> <em>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; D.&#160; Risk Monitoring and Program Sustainability</em></p><p>The regulated entity should also implement risk monitoring to track how changes to the business operating environment, including personnel, technologies, equipment, or third-party providers, may affect business resiliency strategies and plans.&#160;&#160; </p><p>Regular reports of test results and risk monitoring inform senior management of the effectiveness of the regulated entity's program.&#160; Senior management should use this information to determine if gaps exist between the risk assessment or BIA and the existing plans in place.&#160; Based on this gap analysis, RPOs and RTOs may need to be reassessed and risk mitigation strategies may need to be evaluated for particular plans.&#160; Management or plan administrators should revise plans based on test results or when material changes occur to the current business operating environment—including changes to personnel and internal and external dependencies, such as reliance on other business units or outsourced activities.&#160; Relevant business line managers and stakeholders should also be informed of test results so they can address material business resiliency problems identified during testing.&#160; The 
test and/or audit reports of third-party providers, lessons learned from an actual event, and any emerging risks identified should also be used in a gap analysis for each step of the program.&#160; Updates to plans should be completed in a timely manner and revised plans should be communicated and made available to appropriate managers and employees. </p><blockquote dir="ltr" style="margin-right&#58;0px;"> <strong> <em> <br>Related Guidance</em></strong></blockquote><blockquote dir="ltr" style="margin-right&#58;0px;"><blockquote dir="ltr" style="text-align&#58;left;margin-right&#58;0px;"><blockquote style="margin-right&#58;0px;"><p>12 CFR Part 1236 Prudential Management and Operations Standards, Appendix.<br><br><em>Oversight of Third-Party Provider Relationships</em>, Federal Housing Finance Agency Advisory Bulletin 2018-08, September 28, 2018.<br><br><em>Cloud Computing Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin 2018-04, August 14, 2018.<br><br><em>Information Security Management</em>, Federal Housing Finance Agency Advisory Bulletin 2017-02, September 28, 2017.<br><br><em>Internal Audit Governance and Function</em>, Federal Housing Finance Agency Advisory Bulletin 2016-05, October 7, 2016.<br><br><em>Data Management and Usage</em>, Federal Housing Finance Agency Advisory Bulletin 2016-04, September 29, 2016.<br><br><em>Operational Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin 2014-02, February 18, 2014. <br><br><em>Contingency Planning for High-Risk or High-Volume Counterparties</em>, Federal Housing Finance Agency Advisory Bulletin 2013-01, April 1, 2013. 
<br><br><em>Business Continuation Contingency Planning</em>, Federal Housing Finance Board Advisory Bulletin 03-2, February 10, 2003.<br><br><em>Disaster Recovery Planning</em>, Federal Housing Finance Board Advisory Bulletin 02-3, February 13, 2002 (rescinded by this advisory bulletin).&#160;<br><br></p></blockquote></blockquote></blockquote><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p style="text-align&#58;left;">FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance.&#160; Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance.&#160; <br>Questions about this advisory bulletin should be directed to&#58;&#160; <a href="mailto&#58;SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>. </p></td></tr></tbody></table> <p> <u></u>&#160;</p><p> <a name="1">[1]</a>&#160;The OF is not a “regulated entity&quot; as the term is defined by statute (<em>see</em> 12 U.S.C. 
4502(20)).&#160; However, for convenience, references to the “regulated entities&quot; in this AB should be read to also apply to the OF.&#160; </p><p> <a name="2">[2]</a>&#160;12 CFR 1236.4</p><p> <a name="3">[3]</a>&#160;12 CFR 1239.11(a).</p><p> <a name="4">[4]</a>&#160;The term “senior management&quot; refers to those employees who plan, direct, and formulate policies, and provide the overall direction of the regulated entity for the development and delivery of products or services, within the parameters approved by the board.</p><p> <a name="5">[5]</a>&#160;<em>See Cloud Computing Risk Management</em>, AB 2018-04.</p><p> <a name="6">[6]</a>&#160;<em>See Oversight of Third-Party Provider Relationships</em>, AB 2018-08.</p><p> <a name="7">[7]</a>&#160;Ibid.</p>5/7/2019 7:00:50 PM
Interest Rate Risk Management25813FHLB & Fannie Mae & Freddie Mac9/28/2018 4:00:00 AMAB 2018-09<div class="custom-contentTypeContent"><div aria-labelledby="ctl00_PlaceHolderMain_ctl04_label" style="display&#58;inline;"><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>​​​ADVISORY BULLETIN</strong></p><p> <strong>AB 2018-09&#58; INTEREST RATE RISK MANAGEMENT</strong></p></td></tr></tbody></table><p style="text-decoration&#58;underline;"> <strong><em><br>Purpose</em></strong></p></div></div><p>This advisory bulletin (AB) provides Federal Housing Finance Agency (FHFA) guidance for interest rate risk management at the Federal Home Loan Banks (Banks), Fannie Mae, and Freddie Mac (the Enterprises), collectively known as the regulated entities. &#160;This guidance supersedes the Federal Housing Finance Board's advisory bulletin, <em>Interest Rate Risk Management</em> (AB 2004-05).&#160; Interest rate risk management is a key component in the management of market risk.&#160; These guidelines describe principles the regulated entities should follow to identify, measure, monitor, and control interest rate risk. &#160;The AB is organized as follows&#58;</p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p>I.&#160;&#160;&#160;Governance</p></blockquote><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> A. Responsibilities of the Board</p><p> B. Responsibilities of Senior Management</p><p>C. Risk Management Roles and Responsibilities</p><p>D. Policies and Procedures</p></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> II.&#160;&#160; Interest Rate Risk Strategy, Limits, Mitigation, and Internal Controls</p></blockquote><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p>A. Limits</p><p>B. 
Interest Rate Risk Mitigation</p><p>C. Internal Controls</p></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p>III.&#160;Risk Measurement System, Monitoring, and Reporting</p></blockquote><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p>A. Interest Rate Risk Measurement System</p><p>B. Scenario Analysis and Stress Testing</p><p>C. Monitoring and Reporting</p></blockquote><p> <span style="text-decoration&#58;underline;"> <strong> <em>Background</em></strong></span></p><p>Interest rate risk is the risk that changes in interest rates may adversely affect financial condition and performance.&#160; More specifically, interest rate risk is the sensitivity of cash flows, reported earnings, and economic value to changes in interest rates.&#160; As interest rates change, expected cash flows to and from a regulated entity change.&#160; The regulated entities may be exposed to changes in&#58;&#160; the level of interest rates; the slope and curvature of the yield curve; the volatilities of interest rates; and the spread relationships between assets, liabilities, and derivatives.&#160; Interest rate risk may include repricing risk, basis risk, option risk, option-adjusted spread (OAS) risk, prepayment risk, and model risk.&#160; Excessive interest rate risk can threaten liquidity, earnings, capital, and solvency.&#160; </p><p>The regulated entities can manage interest rate risk with respect to economic value of equity, earnings, or both. 
&#160;These approaches are complementary because they provide different types of relevant information, but each has limitations.&#160; The economic value of equity represents the underlying net market value (or net present value) of a regulated entity's assets and liabilities, including any off-balance sheet items.&#160; A common risk management objective is to keep the market value of equity from falling below pre-specified limits over a range of interest rate scenarios.&#160; One limitation of this approach is that market value measures do not identify when future earnings problems may occur.&#160; When the focus is on earnings, the risk management objective is to maintain earnings within an acceptable range over specified time horizons, which are generally short-term, ranging from one year to five years. &#160;If the objective is to ensure that net income will remain within certain parameters during the given time period over a range of interest rate scenarios, management overlooks risks that exist beyond the forecast horizon.</p><p>FHFA's general standards for safe and sound operations are set forth in the Prudential Management and Operations Standards (PMOS) at 12 CFR Appendix to Part 1236, four of which are relevant to managing interest rate risk.&#160; Standard 3 (Management of Market Risk Exposure) highlights the expectation for each regulated entity to have a clearly defined and well-documented strategy for managing market risk and establishes responsibilities for the board of directors or delegated board committee (board) and senior management.&#160; Standard 4 (Management of Market Risk – Measurement Systems, Risk Limits, Stress Testing, and Monitoring and Reporting) includes guidelines for market risk management in these areas.&#160; Standard 2 (Independence and Adequacy of Internal Audit Systems) and Standard 8 (Overall Risk Management Processes) include responsibilities for internal audit, the board, and senior management along with an independent 
risk management function. </p><p style="text-decoration&#58;underline;"> <strong><em>Guidance</em></strong></p><p>Each regulated entity's risk management practices should enable it to identify, measure, monitor, and control its interest rate risk exposures. &#160;An effective interest rate risk management function includes appropriate management of risk exposure, policies and procedures, risk limits, internal controls, risk measurement systems, monitoring, and reporting.&#160; A regulated entity should periodically review industry standards with regard to interest rate risk management.</p><h2><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <strong>I.&#160;&#160;&#160;&#160;&#160;&#160; Governance</strong></p></blockquote></h2><p>The board and senior management should ensure that the regulated entity has in place appropriate policies, procedures, and internal controls for managing and controlling the regulated entity's exposure to interest rate risk.&#160; The board should oversee the adequacy of senior management's actions.&#160; Senior management should also ensure the regulated entity's risk measurement, monitoring, and reporting systems are reliable and effective.&#160; </p><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> <em>A.&#160;&#160;&#160;&#160; Responsibilities of the Board </em></p></blockquote><p>The board should oversee the adequacy of actions taken by senior management to identify, measure, manage, control, and report on interest rate risk exposures. &#160;The board should establish the regulated entity's tolerance for interest rate risk, approve major interest rate risk limits, and provide management with clear guidance regarding the level of acceptable interest rate risk.&#160; The board should approve major strategies and policies relating to the management of interest rate risk. 
&#160;The board should ensure such major strategies and policies are consistent with the regulated entity's overall business plan. </p><p>The board should review interest rate risk exposures on a periodic basis. &#160;Reports provided to the board should include appropriate details to allow the board to remain sufficiently informed about the nature and level of the regulated entity's interest rate risk exposures in light of current market conditions, established risk limits, operating performance, and other relevant factors.&#160; As a group, the board should have the requisite knowledge and background to assess the information provided and recommend further actions. </p><p>At least annually, or more frequently if there are significant changes in market or financial conditions, the board should review the interest rate risk management framework and major policies, limits, and internal controls. &#160;The regulated entity's risk tolerance; management's compliance with risk limits; results of stress tests; the level of the regulated entity's capital; and the effectiveness of the risk management framework, measurement systems, and reporting systems should inform the board's review of the risk limits.&#160; The board should document any changes to board-approved interest rate risk limits in its minutes.&#160; The board should also ensure that management takes appropriate corrective measures when interest rate risk limit breaches occur.&#160;&#160;&#160; </p><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> <em>B.&#160;&#160;&#160;&#160; Responsibilities of Senior Management</em></p></blockquote><p>Senior management implements board-approved strategies and policies relating to the management of interest rate risk.&#160; Senior management should ensure interest rate risk policies and procedures are clearly written, sufficiently detailed, adhered to, periodically reviewed, and should recommend updates for board approval, as 
appropriate.&#160; Senior management should ensure adequate organizational structure, systems, and resources are available to manage and control interest rate risk, and that personnel are appropriately trained and competent.</p><p>Senior management should periodically review and discuss with the board information regarding the nature and level of the regulated entity's interest rate risk exposures. &#160;Senior management should inform the board of how changing market conditions could affect interest rate risk exposure.&#160; The discussions should be sufficient in detail and timeliness to permit the board to understand and assess the management and control of the regulated entity's interest rate risk exposures.&#160; Senior management should report interest rate risk limit breaches to the board and identify appropriate remedial actions. &#160;Senior management should make the board aware of the advantages and disadvantages of the regulated entity's chosen interest rate risk management strategy and alternative strategies.&#160; </p><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> <em>C.&#160;&#160;&#160;&#160; Risk Management Roles and Responsibilities</em></p></blockquote><p>Policies and procedures should delineate the roles and responsibilities of persons assigned to measure, manage and control interest rate risk so they operate with sufficient independence from the business units, as applicable. &#160;&#160;</p><p>Business units encounter interest rate risk on a daily basis and should follow policies and procedures when taking steps to manage and maintain interest rate risk within approved limits.&#160; Senior management, through an asset and liability management (or similar) committee, is responsible for managing and controlling interest rate risk. 
</p><p>The risk management function, or unit, is responsible for interest rate risk measurement, risk monitoring, and independent oversight, including the establishment and enforcement of board-approved interest rate risk limits.&#160; It should also be responsible for ensuring that the business units have effective processes in place to identify, assess, monitor, and report on key interest rate risks. The chief risk officer must report regularly to the risk committee and to the chief executive officer.<a href="#1">[1]</a></p><p>Internal audit should conduct periodic evaluations of internal controls around interest rate risk management. &#160;Internal audit should conduct risk-based audits of the regulated entity's interest rate risk management and determine whether management promptly addresses findings or weaknesses regarding interest rate risk management.&#160; Internal audit should review adherence to interest rate risk management policies and procedures. </p><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> <em>D.&#160;&#160;&#160; Policies and Procedures</em></p></blockquote><p>A regulated entity should have interest rate risk management policies and procedures appropriate for its risk profile.&#160; This includes being clearly written, sufficiently detailed, formally approved at the appropriate level, and, as applicable, periodically reviewed by the board and senior management.&#160; Approved policies and procedures should include defined interest rate risk limits and assign lines of authority and responsibility for managing interest rate risk. 
&#160;Procedures should exist for monitoring compliance with limits and to follow up on instances of noncompliance or breaches.&#160; &#160;&#160;</p><p>Management should ensure that policies and procedures to identify and manage inherent risks are sufficient before undertaking new products, offerings, or activities.&#160; </p><p>The regulated entity should also have policies and procedures for any management, ad hoc, or “on top&quot; adjustments to model-generated interest rate risk metrics, and provide clear instructions on needed approvals and documentation requirements.&#160; The documentation should explain the adjustment and the reason it is necessary as well as how long it will be required.&#160; The regulated entity's enterprise risk management or another authorized management risk committee should be made aware of, and approve, any major management, ad hoc, or “on top&quot; adjustments to interest rate risk metrics.</p><h2><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <strong>II.&#160;&#160;&#160;&#160;&#160;&#160; Interest Rate Risk Strategy, Limits, Mitigation, and Internal Controls</strong></p></blockquote></h2><p>A regulated entity should have a clearly defined and well-documented strategy for managing and mitigating interest rate risk, consistent with its overall business plan.&#160; The regulated entity should identify, manage, monitor, and control interest rate risk exposures on a business unit and an enterprise-wide basis.</p><p>It is incumbent on the regulated entity to understand the adopted strategy's impact on financial condition, whether the objective is to control risk to economic value of equity, earnings, some other target, or a combination thereof.&#160; Overemphasis on one approach may not be optimal and may lead to problems over time.&#160; For example, meaningful declines in the market value of equity to the book value of equity ratio, prospective earnings, or related indicators may signal 
interest rate risk management weaknesses, even if these declines occur within the context of low reported risk and compliance with approved policies and limits.</p><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> <em>A.&#160;&#160;&#160;&#160; Limits</em></p></blockquote><p>A regulated entity should establish an interest rate risk framework that includes interest rate risk metrics, a comprehensive set of board-approved interest rate risk limits, and management threshold levels, set below board limits, to serve as warning triggers and initiate discussion regarding risk levels. &#160;The risk limits should be consistent with the regulated entity's risk profile, profitability objectives, and liquidity and capital needs.&#160; Limits should not be set so far above actual risk exposures that they are meaningless or have no effect on risk taking behavior. &#160;The regulated entity should also maintain a record of all limit breaches.</p><p>Different metrics used for setting interest rate risk limits may include, as applicable&#58; &#160;duration of equity, convexity of equity, volatility duration, market value sensitivity to yield curve parallel moves and twists, key-rate duration, maturity gap of assets and liabilities, prepayment duration, spread duration, market value of equity to par value of capital stock, market value of equity to book value of equity, retained earnings, net interest income sensitivity, and Value at Risk.&#160; A regulated entity should understand the advantages and disadvantages of the interest rate risk limits framework it has chosen to utilize.</p><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> <em>B.&#160;&#160;&#160;&#160; Interest Rate Risk Mitigation</em></p></blockquote><p>A regulated entity should mitigate interest rate risk to keep risks within approved levels and should be able to identify problems that occur even when risks are within approved 
levels.&#160; For example, a regulated entity should be able to recognize significant accumulating losses from interest rate risk, explain the causes of losses, and manage risk exposure at some point even if the regulated entity is in compliance with approved strategy, policies, and limits.&#160; </p><p>A regulated entity can mitigate interest rate risk through a variety of strategies including&#58; matched funding, funding with debt having embedded options, hedging using derivatives, and building retained earnings. &#160;Matched funding allows a regulated entity to match the maturity of its assets and liabilities. &#160;Funding with debt having embedded options could allow regulated entities to mitigate exposures of assets with explicit and implicit options such as mortgages.&#160; Hedging using derivatives allows the regulated entity to mitigate interest rate risk by changing its cash flows and economic exposure stemming from certain changes in interest rates. &#160;Building retained earnings allows the regulated entity to have a larger capital base to absorb the impact of an adverse interest rate change.&#160; Having a robust net interest income stream also allows a regulated entity to absorb the effects of adverse interest rate movements. 
</p><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> <em>C.&#160;&#160;&#160;&#160; Internal Controls </em></p></blockquote><p style="text-align&#58;left;">A regulated entity should have sufficient internal controls around interest rate risk management.&#160; The internal control process should aim to ensure effective and efficient management of interest rate risk; reliable measurement of interest rate risk; reliable reporting and communication of interest rate risk; and compliance with applicable statutes, regulations, and policies governing interest rate risk.&#160; Additionally, internal controls should support periodic reviews and evaluations of policies and procedures as well as the accuracy and reliability of risk measurement systems.</p><p style="text-align&#58;left;">A regulated entity should monitor the adequacy and effectiveness of its internal controls and information systems on an ongoing basis through a formal self-assessment process.&#160; Business units, enterprise risk management, and internal audit should conduct periodic evaluations of internal controls for interest rate risk management. &#160;</p><h2><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <strong>III.&#160;&#160;&#160;&#160;&#160;&#160; Risk Measurement System, Monitoring, and Reporting</strong></p></blockquote></h2><p>The regulated entities should choose which method(s) to use to measure interest rate risk. &#160;Methods may include&#58; Duration Analysis, Earnings Simulation Analysis, Earnings at Risk, Capital at Risk, Value at Risk, Economic Value of Equity, or other methods. &#160;Generally, a regulated entity would measure interest rate risk by valuing its assets, liabilities, derivatives, and off-balance sheet exposures in different interest rate environments.&#160; A regulated entity should understand the advantages and disadvantages of its chosen interest rate risk measurement method(s). 
</p><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> <em>A.&#160;&#160;&#160;&#160; Interest Rate Risk Measurement System </em></p></blockquote><p>A regulated entity should have an interest rate risk measurement system (<em>i.e.</em>, a model or set of models) that captures all material sources of interest rate risk, including repricing risk, yield curve risk, basis risk, prepayment risk, and option risk. &#160;The sophistication of the risk measurement system should be commensurate with the complexity of the financial instruments held by the regulated entity.&#160; The risk measurement system should also provide meaningful and timely measures of the regulated entity's risk exposures and use generally accepted financial concepts, valuation methodologies, and risk measurement techniques. &#160;</p><p>The risk measurement system should be capable of valuing all of the regulated entity's assets and liabilities, including off-balance sheet positions and derivatives, and estimating the effect of changes in interest rates and other key risk factors on the regulated entity's earnings and market value of equity over a range of scenarios.&#160; A regulated entity should properly document and bring to management's attention instances where the risk measurement system cannot reliably value an instrument or requires a model workaround.&#160; Any management, ad hoc, or “on top&quot; adjustments to model output should be made according to approved procedures.&#160; The measurement system should use directly or indirectly observed market prices for its estimates of market values where feasible.&#160; A regulated entity should test new products to verify the risk measurement system can properly measure the exposure of the new product.&#160; </p><p>Periodically, enterprise risk management or another authorized management risk committee should review the interest rate risk measurement system for accuracy and reliability, including 
comparison to actual portfolio behaviors when feasible.&#160; Management should ensure the integrity and timeliness of the data inputs used to measure interest rate risk exposures and that assumptions and parameters are reasonable and properly documented.&#160; Management should also understand strengths and weaknesses of the model(s) used, including sensitivity to changes in key assumptions. &#160;</p><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> <em>B.&#160;&#160;&#160;&#160; Scenario Analysis and Stress Testing</em></p></blockquote><p style="text-align&#58;left;">A regulated entity should routinely conduct scenario analysis as a part of interest rate risk management as it relates to market value measures and net income measures.&#160; Scenarios should include increasing and decreasing parallel and nonparallel interest rate shocks of varying magnitudes as well as an instantaneous and gradual steepening and flattening of the yield curve.&#160; The regulated entity should also consider changes in prepayment speeds for mortgage-related instruments, volatility for securities impacted by interest rate volatility, and relevant interest rate spreads for different securities.&#160; The scenarios should identify the main exposures within a regulated entity's interest rate risk profile.&#160; A regulated entity could perform analysis to identify which assumptions or inputs cause the largest impact. </p><p>A regulated entity should perform periodic stress testing of interest rate risk management positions. &#160;The stress scenarios should include interest rate shocks and shifts in the economic environment that are of a magnitude such that it tests the effectiveness of the interest rate risk management of the regulated entity.&#160; These stress scenarios should vary over time.&#160; The regulated entity should include scenarios conducted for its annual strategic business plan or annual stress testing as applicable. 
</p><p style="text-align&#58;left;">The regulated entity should give special consideration to financial instruments or markets where it has significant concentrations, financial instruments in which a regulated entity's position may be more difficult to unwind or hedge during periods of market stress, and complex financial instruments with embedded options that may be more difficult to evaluate in stressful scenarios.</p><p style="text-align&#58;left;">If management or the board finds the results from the scenario analysis or stress testing unacceptable, management should determine a course of action and may need to modify, rebalance, or hedge so that performance would be acceptable under the identified scenarios.&#160; The board and senior management should periodically review the design of the stress tests to ensure that they capture conditions where the regulated entity is most vulnerable.</p><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> <em>C.&#160;&#160;&#160;&#160; Monitoring and Reporting</em></p></blockquote><p>A regulated entity should routinely monitor and report interest rate risk exposures using scenario analysis to business unit managers, senior management, and the board at a level appropriate for each.&#160; The interest rate risk reports should be accurate, informative, and timely.&#160; The reports should show adherence to approved interest rate risk policies and limits and any exceptions or breaches of limits and policies. The reports should identify and explain limit breaches. </p><p>The interest rate risk reports should reflect and show trends in measures used to evaluate interest rate risk management objectives.&#160; Reports should show the market value of the regulated entity's assets, liabilities, and off-balance sheet exposures, including derivatives, under a range of scenarios.&#160; With respect to earnings, reports should show net income over a specified time horizon under various scenarios. 
&#160;Reports should also include backtesting results to compare past forecasts, or risk estimates, with actual results. &#160;&#160;</p><p>Interest rate risk reports should identify any changes to risk models and model assumptions, describe the rationale for the changes, and analyze their impact on risk measures and risk limits.&#160; Interest rate risk reports should also note any management, ad hoc, or “on top&quot; adjustments to interest rate risk models, the reason for the adjustment, and the start and expected end date for the use of the adjustment.&#160; </p><p style="text-decoration&#58;underline;"> <strong><em>Related Guidance</em></strong></p><p> <em>Model Risk Management Guidance, </em>Federal Housing Finance Agency, Advisory Bulletin AB-2013-07, November 20, 2013.</p><p> <em>Internal Audit Governance and Function</em>, Federal Housing Finance Agency, Advisory Bulletin AB-2016-05, October 7, 2016.</p><p>Appendix to 12 CFR Part 1236 - Prudential Management and Operating Standards.&#160; </p><p>12 CFR Part 1239 – Responsibilities of Board of Directors, Corporate Practices, and Corporate Governance.&#160; </p><p>________________________<br></p><p> <a name="1">[1]</a> 12 CFR 1239.11(c)(5)&#160;&#160; </p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. 
Questions about this advisory bulletin should be directed to&#58;&#160;<a href="mailto&#58;SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>.</p></td></tr></tbody></table><br> 9/28/2018 6:35:25 PM
Oversight of Third-Party Provider Relationships25812All9/28/2018 4:00:00 AMAB 2018-08<div class="custom-contentTypeContent"><div aria-labelledby="ctl00_PlaceHolderMain_ctl04_label" style="display&#58;inline;"><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>​​​ADVISORY BULLETIN</strong></p><p> <strong>AB 2018-08&#58;&#160; OVERSIGHT OF THIRD-PARTY PROVIDER RELATIONSHIPS</strong></p></td></tr></tbody></table><p style="text-decoration&#58;underline;"> <strong><em><br>Purpose</em></strong></p></div></div><p>This advisory bulletin (AB) provides Federal Housing Finance Agency (FHFA) guidance to Fannie Mae<strong> </strong>and<strong> </strong>Freddie Mac, the Federal Home Loan Banks (FHLBanks), and the Office of Finance (OF) (collectively, the regulated entities<a href="#1">[1]</a>) on assessing and managing risks associated with third-party provider relationships.&#160; For the purposes of this AB, a third-party provider relationship is a business arrangement between a regulated entity and another entity that provides a product or a service.<a href="#2">[2]</a>&#160; When entering into third-party provider relationships, the regulated entities can be exposed to financial, operational, legal, compliance, and reputational risk.&#160; Effective risk management of third-party provider relationships is essential to the safe and sound operations of the regulated entities.&#160;</p><p style="text-decoration&#58;underline;"> <em><strong>Guidance</strong></em></p><p>FHFA expects each regulated entity to establish and maintain a third-party provider risk management program (program) that includes the following&#58;</p><ol style="list-style-type&#58;upper-roman;"><li>Governance</li><ol style="list-style-type&#58;upper-alpha;"><li>Responsibilities of the Board and Senior Management</li><li>Policies, Procedures, and Internal Standards</li><li>Reporting</li></ol><li>Third-Party Provider 
Risk Management Life Cycle Phases</li></ol><ol style="list-style-type&#58;upper-roman;"><ol style="list-style-type&#58;upper-alpha;"><li>Risk Assessment</li><li>Due Diligence in Third-Party Provider Selection</li><li>Contract Negotiation </li><li>Ongoing Monitoring</li><li>Termination</li></ol></ol><p style="text-align&#58;left;">A regulated entity's program should enable oversight of third-party provider relationships in accordance with the level of risk presented, the nature of the relationship, the scale of the outsourced product or service, and the risk inherent in the relationship.&#160; Because of this risk-based approach, aspects of this AB may not apply to every third-party provider relationship.&#160; The regulated entities should ensure that the quality and extent of third-party provider risk management corresponds with the level of risk and the complexity of these relationships.&#160; </p><p style="text-align&#58;left;">FHFA's general standards for safe and sound operations are set forth in the Prudential Management and Operations Standards (PMOS) at 12 CFR Part 1236 Appendix.&#160; Three relevant PMOS articulate guidelines for a regulated entity's board of directors and management to evaluate when establishing internal controls and information systems (Standard 1), overall risk management processes (Standard 8), and maintenance of adequate records (Standard 10).&#160; In addition, each regulated entity should manage its program as part of its enterprise-wide risk management program and in accordance with all relevant FHFA guidance.<a href="#3">[3]</a>&#160; </p><blockquote dir="ltr"><blockquote dir="ltr"><blockquote dir="ltr"><blockquote dir="ltr"><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><h4> &#160;I.&#160;&#160;&#160;&#160;&#160;&#160; Governance </h4><p> <em>A.&#160;&#160;&#160;&#160; Responsibilities of the Board and Senior Management</em></p></blockquote></blockquote><p style="text-align&#58;left;">The 
board of directors or board committee (board) should approve a policy establishing the program.&#160; The board-level policy (or management-level policies, as appropriate) should establish criteria for the acceptance and monitoring of risks related to third-party provider engagements and include enterprise-wide risk management processes that reflect the complexity of the regulated entity.&#160; Policies should assign clear roles and responsibilities to entity personnel, establish requirements for documenting decisions concerning third-party providers, and identify internal stakeholders throughout the third-party provider relationship.&#160; Internal audit, or an independent third party if specialized expertise is required, should audit the program periodically, including review of third-party assessments.</p><p>The regulated entity's board is responsible for oversight of the program, while senior management is responsible for executing the regulated entity's program and applicable policies on behalf of the board, consistent with established delegations.&#160; Each regulated entity's board should ensure that senior management has effective processes in place to manage risks related to third-party provider relationships, consistent with the regulated entity's strategic goals, organizational objectives, and risk appetite.&#160; </p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <em>B.&#160;&#160;&#160;&#160; Policies, Procedures, and Internal Standards</em></p></blockquote><p style="text-align&#58;left;">The regulated entities should establish and implement risk management processes in their policies that clearly define risk categories for the oversight of third-party provider relationships.&#160; Risk categories should consider the type and degree of risk inherent in the relationship, the scope and breadth of the third-party provider relationship, the nature of the product or service provided, and the ability to find an 
acceptable replacement for the third-party provider. &#160;In addition to categorizing these relationships, the regulated entity should document and consistently update its inventory of third-party providers.&#160; The regulated entity's program should articulate governance standards for risk-based due diligence, monitoring, and oversight that reflect the defined risk categories.&#160; The more risk a third-party provider relationship poses to the regulated entity, the more rigorously the regulated entity should perform these activities.&#160; Documentation requirements should correspond to the risk category or the nature of the third-party provider relationship.&#160; Other factors considered in establishing a risk-based approach include third-party provider relationships that could&#58; </p><ul style="list-style-type&#58;disc;"><li>Cause a regulated entity to face significant business, operational, legal, compliance, or reputational risk if the third-party provider fails to meet its obligations;</li><li>Require significant resources and costs to implement and manage the risk (such as a third-party provider that has an integral role in the regulated entity's operations or a financial technology firm that leverages emerging technologies); or</li><li>Have a major effect on the regulated entity's operations if it needs to procure an alternate third-party provider or has to perform the service in house.</li></ul><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <em>C.&#160;&#160;&#160;&#160; Reporting</em> </p></blockquote><p> The regulated entity should implement a reporting system that provides management sufficient information to adjust the program, including policy, resources, expertise, and controls.&#160; Management should receive periodic reports from program stakeholders about commencing new third-party provider relationships, continuing existing ones, or terminating arrangements that do not meet expectations or no 
longer align with the goals of the regulated entity.&#160; Regular reports to management could incorporate the documentation of phases of the third-party provider relationship, such as analysis of costs, or reputational risks found during ongoing monitoring.&#160; Reports should contain sufficient detail to adequately inform the intended audience and sufficiently support related business decisions.</p><p> To assist the board in oversight of the program, management should provide the board with regular enterprise-wide reports on the regulated entity's management of risks associated with third-party providers.&#160; Management should also notify the board of significant third-party risks, such as business interruptions and terminations for cause, or third-party provider relationships that approach the regulated entity's risk appetite limits.&#160;&#160;</p><p>&#160;</p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><h4>II.&#160;&#160;&#160;&#160;&#160;&#160;&#160; Third-Party Provider Risk Management Life Cycle Phases</h4></blockquote><p style="text-align&#58;left;">An effective program should include policies and procedures that cover all phases of the regulated entity's third-party provider relationship life cycle&#58; &#160;Risk Assessment, Due Diligence in Third-Party Provider Selection, Contract Negotiation, Ongoing Monitoring, and Termination.&#160; The scope and duration of each phase should be consistent with the program's policy, and multiple phases may be addressed simultaneously.&#160; The documentation for each phase is also dependent on whether the phase applies and the extent to which it applies. 
&#160;The life cycle phases are discussed in more detail below.</p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <em>A.&#160;&#160;&#160;&#160; Phase 1 – Risk Assessment </em></p></blockquote><p style="text-align&#58;left;">Each regulated entity's program should include processes to assess the risks associated with engaging a third-party provider to supply a product or service.&#160; These risks may include&#58;</p><ul style="list-style-type&#58;disc;"><li>The operational, compliance, legal, and reputational risks associated with having a third-party provider supply the product or service and the risk that expected benefits do not outweigh the costs;</li><li>The breadth of the products or services that would be delivered by a third-party provider;</li><li>Whether the regulated entity has adequate resources and expertise to monitor the third-party provider relationship;</li><li>The complexity of the arrangement, volume of activity, potential for a third-party provider's use of subcontractors, and the technology required; and</li><li>Potential information security risks associated with giving a third-party provider access to the regulated entity's operating location, information systems, or proprietary or personally identifiable information.</li></ul><p style="text-align&#58;left;">If the regulated entity establishes a third-party provider relationship, the program should provide for management of the associated risks.&#160; As necessary, the risk assessment should include a strategy for the regulated entity to procure adequate resources or expertise to mitigate the risks or justify acceptance of the identified risks.&#160; The regulated entity should review and update its risk assessment and revise risk mitigation strategies when appropriate.&#160; When documenting its risk assessment analysis, the regulated entity 
should indicate any risk assessment tools used in the process.</p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <em>B.&#160;&#160;&#160;&#160; Phase 2 – Due Diligence in Third-Party Provider Selection</em></p></blockquote><p style="text-align&#58;left;">Each regulated entity should conduct due diligence on a third-party provider before entering into a contract.&#160; The degree of due diligence should be commensurate with the level of risk of the outsourced activity and the complexity of the third-party provider relationship.&#160; A regulated entity should not rely solely on its prior experience or knowledge of the third-party provider as a substitute for an objective risk assessment of the third-party provider's ability to supply a product or service in a safe and sound manner.&#160; A regulated entity may refer to a third-party provider's independent audit, Service Organization Control (SOC) report, or recognized certifications to assess certain aspects of the third-party provider's internal risk management controls.&#160; Due diligence review should align with the severity of the risk.&#160; Due diligence results, findings, and recommendations should be documented.</p><p style="text-align&#58;left;">Due diligence prior to entering into a third-party provider relationship should include an evaluation of financial, operational, legal, compliance, and reputational risks of engaging the proposed third-party provider.&#160; As part of the due diligence review, the regulated entity should consider&#58; </p><ul style="list-style-type&#58;disc;"><li>Whether the proposed third-party provider can offer the product or service in compliance with applicable laws and regulations, as well as the regulated entity's internal policies, procedures, and other requirements;</li><li>The third-party provider's overall business model and how current and proposed business activities may affect the risks presented by the third-party 
provider; </li><li>The third-party provider's business background, experience, and reputation; </li><li>The financial performance, resources, and condition of the proposed third-party provider;</li><li>The third-party provider's insurance coverage;</li><li>The third-party provider's operational and internal controls, including information security, incident reporting and management, and business continuity programs; </li><li>Concentration risks that may arise from relying on a third-party provider for multiple products or services or from a third-party provider's reliance on subcontractors; </li><li>The extent to which the third-party provider relies on subcontractors to perform its obligations, the controls the subcontractor has in place, and the third-party provider's processes to oversee subcontractors that would be directly involved in the outsourced product or service; </li></ul><ul style="list-style-type&#58;disc;"><li>Any potential conflicts of interest with the directors, officers, or employees of the regulated entity concerning potential third-party providers;<a href="#4">[4]</a> and</li><li>Whether there are third-party fee structures that involve potential risks, such as incentives for inappropriate risk-taking, that could arise as a result of such fee structures.&#160; </li></ul><p style="text-align&#58;left;">Each regulated entity's third-party provider selection process should also be designed to ensure, to the extent possible and consistent with safety and soundness, the inclusion of&#160;minority-, women-, and disabled-owned businesses.<a href="#5">[5]</a></p><p style="text-align&#58;left;">Management should review the due diligence results to determine whether the third-party provider is able to adequately provide the product or service at a level of risk acceptable to the regulated entity.&#160; If the third-party provider cannot meet the regulated entity's requirements, management should consider whether to seek an alternate provider, supply the 
product or service itself, or mitigate the identified risks to the extent practicable. </p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <em>C.&#160;&#160;&#160;&#160;&#160;&#160; &#160;Phase 3 – Contract Negotiation </em></p></blockquote><p style="text-align&#58;left;">Each contract with a third-party provider should clearly specify the rights and responsibilities of each party.&#160; Consistent with the risk category involved, the regulated entity should consider what level of legal review is necessary for contracts with third-party providers and should ensure that the attorneys conducting the review for a particular contract have the appropriate subject matter expertise or work in conjunction with appropriate subject matter experts. &#160;Copies of executed contracts should be retained for reference and record-keeping purposes.</p><p style="text-align&#58;left;">The regulated entity should consider the following when negotiating contractual provisions with third-party providers&#58;</p><ul style="list-style-type&#58;disc;"><li>The nature and scope of service; </li><li>Duration of service; </li><li>Performance standards and service levels; </li><li>Experience requirements of third-party providers and their contractors;</li><li>Cost and compensation, including the timing and procedures for payment and expense reimbursement;</li><li>Confidentiality, use, location, and security of information; </li><li>Business continuity and contingency plans and test results;</li><li>Intellectual property ownership, rights, and responsibilities; </li><li>Timely disclosure of conflicts of interest or potential conflicts of interest from the third-party provider;</li><li>Incident reporting and management;</li><li>Dispute resolution process (<em>e.g.</em> arbitration, mediation), termination, and remedies; and</li><li>Internal controls and audit reports.</li></ul><p>The regulated entity should address what constitutes nonperformance and 
the conditions under which the contract may be terminated by either party.&#160; The contract should also stipulate the circumstances for and responsibilities when termination occurs.&#160; If the regulated entity could no longer legally engage a third-party provider,<a href="#6">[6]</a> the contract should include a provision that enables the regulated entity to terminate the contract for regulatory noncompliance.&#160; </p><p style="text-align&#58;left;">The regulated entity should also ensure that contracts address compliance with the specific laws, regulations, and guidance applicable to the regulated entity, including the regulated entity's right to obtain necessary information to conduct ongoing risk assessments, as well as monitor performance and ensure contract compliance.&#160; Contracts should also address whether the regulated entity has the right to conduct periodic on-site reviews to verify compliance.&#160; If contracts allow for subcontracting, the regulated entity generally should seek to ensure that the primary third-party provider remains responsible for the performance of its subcontractors in accordance with the terms of the primary contract, and be notified of the identity of any material subcontractors, when appropriate. 
</p><p style="text-align&#58;left;">Contracts for third-party providers should address, as appropriate, the provider's responsibility for continuation of the product or service in the event of an operational failure, such as man-made and natural disasters.&#160; Contracts should address requirements for third-party providers to back up information and maintain disaster recovery and contingency plans with sufficiently detailed operating procedures.&#160; </p><p style="text-align&#58;left;">Other issues such as the maintenance of adequate insurance, ownership of data or licenses, privacy, and liability limitations should be considered, as applicable.&#160; For example, the regulated entity should consider potential legal and security risks to cross-border data storage, transmission, and processing.&#160;&#160;&#160;</p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <em>D.&#160;&#160;&#160; Phase 4 – Ongoing Monitoring</em></p></blockquote><p style="text-align&#58;left;">The nature and extent of monitoring of the performance of third-party provider relationships should be commensurate with the level of risk.&#160; Management should also ensure that the regulated entity retains sufficient staff with the necessary expertise, authority, and accountability to oversee and monitor the third-party provider relationship.&#160; The approach (<em>e.g.</em>, on-site versus off-site review), depth, scope, and frequency of the monitoring and oversight activities should correspond to the risk category involved.&#160; If the regulated entity outsources any part of its monitoring and oversight, management is responsible for choosing a service provider appropriate for the entity's size, complexity, and risk environment.&#160; </p><p style="text-align&#58;left;">Ongoing monitoring should include the due diligence activities referenced in Phase 2 that apply to the particular third-party provider relationship.&#160; Management of the 
regulated entity should also consider whether the third-party provider is&#58;</p><ul style="list-style-type&#58;disc;"><li>Meeting service-level agreements, performance metrics, and other contractual terms; </li><li>Monitoring and evaluating subcontractor controls that are relevant to the contract work being performed;</li><li>Engaged in agreements with other entities that may pose a conflict of interest or present risks; </li><li>Performing periodic background checks; and</li><li>Complying with applicable legal and regulatory requirements, including documenting such compliance when necessary.</li></ul><p style="text-align&#58;left;">Because both the level and types of risks may change over the lifetime of a third-party provider relationship, a regulated entity should ensure that its ongoing monitoring adapts accordingly.&#160; Periodic assessments should be conducted to determine whether the product or service remains necessary or relevant to the regulated entity's mission or operations.&#160; Each regulated entity should also periodically assess existing third-party provider relationships to determine whether the nature of the product or service provided has changed, resulting in the need for re-designation to a new risk category. &#160;Management should review existing third-party provider contracts to determine whether the terms and conditions address current risks associated with having the product or service supplied by the third-party provider.&#160; Where concerns are identified, the regulated entity should consider addressing those concerns by negotiating an amendment to the contract where appropriate, or revising the contract prior to a renewal. 
&#160;</p><p style="text-align&#58;left;">When a regulated entity identifies concerns through ongoing monitoring, it should seek to resolve the issues at the earliest opportunity.&#160; Management should ensure procedures exist to escalate issues such as service agreement performance, material weaknesses and repeat audit findings, deterioration in financial condition, security breaches, data loss, or compliance lapses.&#160; Additionally, management should ensure that the regulated entity's controls for managing these risks from third-party provider relationships are tested regularly.&#160; Weaknesses identified that substantively increase the risk to the regulated entity should be reported to the board based on an assessment of the level of associated risk.</p><p style="text-align&#58;left;">Any assessments and analyses performed during this phase should be documented, as well as any regular risk management and performance reports received from the third-party provider (<em>e.g.</em>, audit reports, security reviews, and reports about compliance with service-level agreements).</p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <em>E.&#160;&#160;&#160;&#160; Phase 5 – Termination</em></p></blockquote><p style="text-align&#58;left;">The terms of each contract will govern how a regulated entity or a third-party provider may terminate the contractual relationship.&#160; A regulated entity may wish to terminate a third-party provider relationship for various reasons, including&#58;&#160;</p><ul style="list-style-type&#58;disc;"><li>Expiration, completion, or satisfaction of the contract;</li><li>Breach of contract;</li><li>To engage an alternate third-party provider;</li><li>To discontinue the product or service; </li><li>To bring the product or service in house; or</li><li>To comply with an FHFA order directing suspension of the third-party provider relationship. 
</li></ul><p style="text-align&#58;left;">Each regulated entity should have strategies and contingency plans in place to terminate third-party provider relationships in an efficient manner that minimizes risk to the regulated entity, whether the outsourced product or service is transitioned to another third-party provider, brought in house, or discontinued. The regulated entity should consider&#58;</p><ul style="list-style-type&#58;disc;"><li>The capabilities, resources, and time frames required to transition the product or service while still managing legal, regulatory, and other risks;</li><li>Risks associated with data retention and destruction, information system connections and access control issues, or other control concerns that require additional risk management and monitoring during and after the end of the third-party provider relationship;</li><li>Intellectual property ownership, rights, and responsibilities, as well as the handling of any joint intellectual property developed during the course of the arrangement; </li><li>The return of any regulated entity's information in the third-party provider's possession after voluntary or involuntary termination of the contract;</li><li>Reputational risks to the regulated entity if the termination results from the third-party provider's inability to meet expectations; and</li><li>Roles and assistance with transfer or wind down of the outsourced product or service upon termination.</li></ul><p style="text-decoration&#58;underline;"> <strong> <em>Related Guidance</em></strong></p><p>12 CFR Part 1236 Prudential Management and Operations Standards, Appendix. 
</p><p> <em>Cloud Computing Risk Management, </em>Federal Housing Finance Agency Advisory Bulletin 2018-04, August 14, 2018.</p><p> <em>Oversight of Multifamily Seller/Servicer Relationships</em>, Federal Housing Finance Agency Advisory Bulletin 2018-05, August 14, 2018.</p><p> <em>Information Security Management</em>, Federal Housing Finance Agency Advisory Bulletin 2017-02, September 28, 2017.</p><p> <em>Internal Audit Governance and Function</em>, Federal Housing Finance Agency Advisory Bulletin 2016-05, October 7, 2016.</p><p> <em>Data Management and Usage,</em> Federal Housing Finance Agency Advisory Bulletin 2016-04, September 29, 2016.</p><p> <em>Information Technology Investment Management,</em> Federal Housing Finance Agency Advisory Bulletin 2015-06, September 21, 2015.</p><p> <em>Oversight of Single-Family Seller/Servicer Relationships, </em>Federal Housing Finance Agency Advisory Bulletin 2014-07, December 1, 2014.</p><p> <em>Operational Risk Management,</em> Federal Housing Finance Agency Advisory Bulletin 2014-02, February 18, 2014. </p><p> <em>Model Risk Management, </em>Federal Housing Finance Agency Advisory Bulletin 2013-07, November 20, 2013.</p><p> <em>Contingency Planning for High-Risk or High-Volume Counterparties</em>, Federal Housing Finance Agency Advisory Bulletin 2013-01, April 1, 2013.</p><p>___________________________________________<br></p><p> <a name="1">[1]</a> The OF is not a “regulated entity” as the term is defined by statute (<em>see </em>12 U.S.C. 
4502(20)).&#160; However, for convenience, references to the “regulated entities” in this AB should be read to also apply to the OF.&#160; </p><p> <a name="2">[2]</a> This AB does not apply to business arrangements through which a FHLBank provides products or services to its members or housing associates, or to a FHLBank's business arrangements with sponsors participating in its Affordable Housing Program.&#160; &#160;</p><p> <a name="3">[3]</a> 12 CFR 1239.11(a).</p><p> <a name="4">[4]</a> 12 CFR 1239.10(a).</p><p> <a name="5">[5]</a> 12 CFR 1223.2, 1223.21.</p><p> <a name="6">[6]</a><em>See, e.g.</em>, 12 CFR Part 1227.</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. Questions about this advisory bulletin should be directed to&#58;&#160;<a href="mailto&#58;SupervisionPolicy@fhfa.gov.f">SupervisionPolicy@fhfa.gov</a>.</p></td></tr></tbody></table><br></blockquote></blockquote></blockquote>
Federal Home Loan Bank Liquidity Guidance | 25695 | FHL Banks | 8/27/2018 4:00:00 AM | AB 2018-07
<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>ADVISORY BULLETIN</strong></p><p> <strong>AB 2018-07</strong><br></p><p> <strong>FEDERAL HOME LOAN BANK LIQUIDITY GUIDANCE</strong><br></p></td></tr></tbody></table><p style="text-decoration&#58;underline;"> <strong><em><br>Purpose</em></strong></p><p>This advisory bulletin (AB) communicates the Federal Housing Finance Agency’s (FHFA) guidance for maintaining sufficient amounts of liquidity<a href="#1">[1]</a> that will enable Federal Home Loan Banks (FHLBanks) to provide advances and fund letters of credit for members during a sustained capital markets disruption.&#160; Although this guidance sets expectations for how FHLBanks may best measure and maintain sufficient liquidity, the FHLBanks should also use liquidity metrics that are commensurate with their funds management strategies and that provide a comprehensive assessment of their liquidity risk to ensure that sufficient funds are available at a reasonable cost to meet potential demands.<br></p><p>Contemporaneously with the issuance of this AB, the Division of Federal Home Loan Bank Regulation (DBR) is issuing a supervisory letter to the FHLBanks that identifies the initial thresholds for the various measures of liquidity described herein.&#160; DBR will periodically assess conditions in the financial markets to determine whether they warrant revisions to those thresholds.&#160; DBR will issue supervisory letters to notify the FHLBanks of any subsequent revisions that it believes to be appropriate in light of any material changes in market conditions, and will provide an appropriate notice period for the FHLBanks to make appropriate adjustments to their liquidity management practices.<br></p><p>This guidance rescinds the March 6, 2009 Liquidity Supervisory Letter as of March 31, 
2019, but does not supplant existing regulations that pertain to liquidity at the FHLBanks.<a href="#2">[2]</a></p><p> <br> </p><p> <strong style="text-decoration&#58;underline;"> <em>Background</em></strong><br></p><p>Liquidity risk is the risk that a financial institution will be unable to meet its financial obligations in a timely and cost-efficient manner.&#160; Strong liquidity risk management enables a FHLBank to be financially sound, so that it may continue to perform its mission, while limiting and controlling shortfalls in cash.&#160; This AB describes key elements of a strong liquidity management program, including cash flow measurement, funding gaps, stress testing, and a contingency funding plan (CFP).<br></p><p>FHFA has adopted a series of prudential management and operations standards (PMOS) for the FHLBanks and the Enterprises, one of which addresses the adequacy of an entity’s liquidity and reserves.<a href="#3">[3]</a> A FHLBank’s failure to meet any of the prudential standards may invoke the remediation provisions of the PMOS statute,<a href="#4">[4]</a> and may also constitute an unsafe and unsound practice that would provide grounds for FHFA to invoke its other administrative enforcement powers.<a href="#5">[5]</a> This AB complements the provisions of Standard 5, which describes the FHFA’s general expectations for an effective liquidity risk management framework.&#160; More specifically, Standard 5 provides that a FHLBank should articulate an appropriate liquidity risk tolerance; establish a process for identifying, measuring, and controlling its liquidity position and liquidity risk exposures; and develop a funding strategy that includes diverse sources of funding.&#160; In addition, Standard 5 states that FHLBanks should conduct regular stress tests to identify sources of potential liquidity strain, and should establish a CFP.&#160; Of most relevance to this AB, Standard 5 states that a regulated entity should maintain adequate reserves of 
liquid assets, including marketable securities that can be liquidated to meet unexpected needs.&#160; The management of liquidity risk is also an element of an entity’s overall risk management process that is addressed by Standard 8 of the PMOS, which describes the responsibilities of boards of directors and senior management and the need for the FHLBanks to establish risk management practices that measure, monitor, and control liquidity, market, credit, and operational risks.&#160; Management of liquidity risk should also be addressed as an element of a regulated entity’s enterprise-wide risk management program that is required by FHFA regulations.<a href="#6">[6]</a></p><p>The principal sources of funding for the FHLBanks are the global capital markets, into which the FHLBanks issue their consolidated obligations (COs), on which they are all jointly and severally liable.&#160; Because the FHLBanks are government-sponsored enterprises (GSEs), they can issue debt at lower interest rates (controlling for tenor) than can their members.&#160; Though the FHLBanks have that funding advantage over their members, their GSE status makes them ineligible to borrow from the Federal Reserve Bank’s discount window, nor do they have daylight overdraft privileges at a Federal Reserve Bank, both of which funding sources are generally available to depository institution members.&#160; Consequently, during periods of disruption or duress in the capital markets, systemic or otherwise, or in the FHLBanks' operating environment, it is essential that the FHLBanks have established adequate reserves of liquidity to ensure their ability to continue funding advances and letters of credit for their members, as provided in Standard 5 of the PMOS.&#160; This AB is intended to provide guidance to assist the FHLBanks in maintaining a level of liquid assets that is consistent with the expectations of Standard 5.<br></p><p> <br> </p><p> <strong style="text-decoration&#58;underline;"> 
<em>Guidance</em></strong><br></p><p>This AB sets out FHFA’s supervisory expectations with respect to what may constitute an adequate amount of liquidity for purposes of meeting the PMOS.&#160; A FHLBank maintaining a liquidity position at or above the levels described in this bulletin will be presumed to be operating with “adequate reserves of liquid assets” as that term is used in the PMOS.<a href="#7">[7]</a>&#160; Notwithstanding that presumption, FHFA will assess the adequacy of each FHLBank’s liquid assets and its liquidity risk management program as part of each annual examination, and will take any appropriate supervisory or enforcement action if it determines that a particular FHLBank’s liquidity reserves or risk management program are deficient in any material respect.</p><p>The guidance below is intended to provide some reasonable assurance that the FHLBanks will be able to conduct their normal business operations – providing advances and standby letters of credit (SLOCs) to their members – for a specified period of time without access to the capital markets.&#160; As is the case with guidance adopted by other banking regulators, this AB addresses the level of on-balance sheet liquid assets and funding imbalances, as described in the provisions below relating to base case liquidity and funding gap limits, respectively.&#160; As part of the base case liquidity measure, the guidance also includes a separate provision to address liquidity risk associated with a FHLBank’s off-balance sheet commitments arising from its issuance of SLOCs.<br></p><p>I.&#160; <em>Base Case Liquidity</em><br></p><p> <em>Cash Flow Measurement</em><br></p><p>Positive cash flow is important to maintaining an adequate liquidity position, as having sufficient positive cash flow will better enable a FHLBank to withstand a sustained capital markets disruption that impedes or limits its ability to issue COs.&#160; DBR believes each FHLBank should be able to maintain a positive cash 
balance during a projected period of time (measurement period) without access to the capital markets for COs or other unsecured funding sources.<a href="#8">[8]</a> Under the 2009 Liquidity Supervisory Letter, the FHLBanks assume a 5-day period without access to the capital markets, but they also assume that certain large members would not renew their advances during that period.&#160; The federal banking regulators, however, allow those large depository institutions to assume that they will renew 75 percent of their FHLBank advances.<a href="#9">[9]</a>&#160; This suggests that the assumptions underlying the 2009 Liquidity Supervisory Letter may not be sufficient to cover the FHLBanks’ actual liquidity risk associated with those large members’ advances.&#160; Furthermore, a FHLBank is expected to be a liquidity provider by offering to make advances to all members, even in times of market disruption.<a href="#10">[10]</a></p><p>To address those additional risks, FHFA believes that the FHLBanks should maintain larger liquidity positions to allow them to meet their operational needs over a longer period of time without access to the capital markets.&#160; Such liquidity reserves are especially important for the FHLBanks because they do not have access to any material off-balance sheet liquidity sources on which they could rely during market disruptions, such as the Federal Reserve Discount Window or the Government Sponsored Credit Facility that expired in December 2009.<a href="#11">[11]</a> FHFA believes that a reasonable measurement period of days without access to the capital markets generally would be between 10 and 30 calendar days, depending on market conditions.&#160; As noted previously, DBR is issuing a supervisory letter to the FHLBanks identifying the number of days for the initial measurement period.<br></p><p>FHFA believes that a prudent measure for assessing the adequacy of a FHLBank’s liquidity position is whether it has sufficient positive cash 
balances to cover its expected funding needs over the specified number of days in the measurement period.&#160; Determining the positive cash balances is largely a function of a FHLBank’s cash inflows and outflows.&#160; In order to ensure that there is consistency in how each FHLBank calculates its cash balance liquidity positions, FHFA has developed a series of assumptions regarding cash inflows and cash outflows that each FHLBank should use in establishing its Base Case liquidity position.&#160; The initial cash flow assumptions are also described in the supervisory letter that DBR is providing to the FHLBanks.&#160; Accordingly, each FHLBank, on a daily basis, should project forward (for the duration of the measurement period) and maintain positive cash balances net of cumulative daily cash flows, assuming the renewal of all maturing advances, according to the following formula&#58;<a href="#12">[12]</a></p><p style="text-align&#58;center;"> <img src="/SupervisionRegulation/AdvisoryBulletins/PublishingImages/Pages/Federal-Home-Loan-Bank-Liquidity-Guidance/Formula-1.PNG" alt="Formula-1.PNG" style="margin&#58;5px;width&#58;700px;height&#58;102px;" />&#160;</p><p> <em>Standby Letters of Credit Measurement&#160;</em></p><p>The FHLBanks have experienced significant growth in SLOCs, which they issue at the request of their members for the benefit of third parties.&#160; Beneficiaries can draw against the SLOC by presenting a demand to the FHLBank.&#160; SLOCs totaled $149.4 billion at year-end 2017, up materially from $29.2 billion at year-end 2007.&#160; Much of the growth in SLOCs has occurred over the past five years as depository institution members have used the product to optimize their liquidity.<a href="#13">[13]</a> The substantial growth in this off-balance sheet product has created a greater risk to the FHLBanks.&#160; Specifically, there is now greater possibility that beneficiaries will demand more payments under their SLOCs in a short period of time, 
which creates a potential liquidity exposure for the FHLBanks.&#160; Consequently, any measure of an adequate level of liquidity should include some amount to cover that potential exposure.&#160; To ensure that a FHLBank will have adequate funds available to support its SLOC commitments, FHFA believes that it should maintain a liquidity reserve of between 1 percent and 20 percent of its outstanding SLOC commitments.<a href="#14">[14]</a> The supervisory letter that DBR is providing to the FHLBanks also identifies the initial percentage that FHFA believes would provide adequate liquidity for these instruments in light of current market conditions.<br><br>II.&#160; <em>Funding Gaps</em><br></p><p>Funding gap metrics measure the difference between a FHLBank’s assets and liabilities that are scheduled to mature during a specified period, and are typically expressed as a percentage of the FHLBank’s total assets.<a href="#15">[15]</a> Operating within appropriate funding gap limits reduces large structural imbalances, which provides for more stable asset and liability balance sheet structures.&#160; Furthermore, maintaining appropriate funding gap limits reduces the amount of liquidity transformation and pro-cyclical funding behavior.&#160; By maintaining prudent funding gap limits for three-month and one-year time horizons, the FHLBanks may reduce the liquidity risks associated with a mismatch in their contractual asset and liability maturities, including an undue reliance on short-term debt funding, which increases their debt rollover risk.&#160; Depending on conditions in the financial markets, FHFA believes that maintaining funding gap limits within the range of negative 10 percent to negative 20 percent for the three-month horizon, and negative 25 percent to negative 35 percent for the one-year horizon, would provide reasonable assurance that a FHLBank would have adequate liquidity to address the risks associated with possible asset and liability maturity 
mismatches.&#160; The supervisory letter that DBR is providing to the FHLBanks also identifies the initial percentages within those ranges that FHFA believes would be appropriate in light of current market conditions.<br></p><p>In order to ensure that there is consistency in the way in which the FHLBanks calculate their funding gap ratios for FHFA’s supervisory purposes, FHFA has developed a formula, set out below, that each FHLBank should use to calculate its funding gap ratios.&#160; When measuring their funding gaps, the FHLBanks should do so as of calendar month-end, using the average ratio for the most recent three month-ends.<a href="#16">[16]</a></p><p style="text-align&#58;center;"> <img src="/SupervisionRegulation/AdvisoryBulletins/PublishingImages/Pages/Federal-Home-Loan-Bank-Liquidity-Guidance/Formula-2.PNG" alt="Formula-2.PNG" style="margin&#58;5px;width&#58;700px;height&#58;97px;" />&#160;</p><p>III.&#160; <em>Counter-Cyclical Liquidity Supervisory Approach</em><br></p><p>The financial crisis demonstrated that financial intermediaries should maintain prudent levels of liquidity to protect against unexpected disruptions in funding.&#160; During periods of prolonged market stress, a FHLBank may need to use the liquidity that it established during a non-stress period.&#160; To that end, the DBR Deputy Director may, based on ongoing monitoring of market conditions, reduce the measurement period under the base case liquidity provision or increase the negative funding gap thresholds through a supervisory letter to the FHLBanks.&#160; Any such actions will be guided by what is necessary to preserve the safety and soundness of the FHLBanks, even if that entails allowing the FHLBanks to maintain liquidity positions outside of the ranges described herein.&#160; In addition, if a FHLBank experiences a prolonged funding event, it promptly should inform the Deputy Director of its need to reduce its liquidity holdings or increase its negative funding gaps.&#160; At 
a minimum, any such notice should describe the source of the funding stress, the expected duration of the event, and how and when the FHLBank expects to restore its liquidity positions.<br></p><p>FHFA recognizes that a FHLBank infrequently may need to draw upon its liquid assets to function as a liquidity provider for its members during short-term market disruptions or other short-term events that impair access to funding.<a href="#17">[17]</a> Accordingly, this Advisory Bulletin does not preclude a FHLBank from temporarily decreasing its liquidity position, in a safe and sound manner, below the levels described herein, as necessary for providing unanticipated extensions of advances to members or draws on letters of credit to beneficiaries.<a href="#18">[18]</a>&#160; In such instances, the FHLBank should notify its examiner-in-charge of the cause of any temporary liquidity shortfall, the anticipated duration of the temporary shortfall, and when and how the FHLBank expects to restore its liquidity to the identified level set forth in FHFA’s separate supervisory letter.&#160; DBR will evaluate any such temporary liquidity shortfall as part of the FHLBank’s annual examination.<br></p><p>IV.&#160; <em>Liquidity Stress Testing</em><br></p><p>Liquidity stress testing allows the assessment of vulnerabilities to FHLBank-specific, entity-specific, and market-wide exposures across a range of time horizons.&#160; Stress test results may identify sources of potential liquidity strain that can be mitigated by appropriate liquidity risk management strategies.&#160; A FHLBank may use results of stress tests to adjust its liquidity management policies and procedures, positions and practices, and to develop effective contingency plans.&#160; The PMOS states that regulated entities should conduct stress tests on a regular basis and use the results to keep their liquidity risk exposures within the bounds of their established risk tolerances, as well as to adjust the elements of their 
risk management programs.&#160; To allow FHFA to assess each FHLBank’s alignment with this provision of the PMOS, the FHLBanks should report the results of this stress test to the FHFA annually, using financial data as of June 30 of each year.&#160; FHLBanks that conduct liquidity stress tests more frequently than annually should continue to do so, but need not report those additional results to FHFA.&#160; FHFA will review results of all stress tests as part of the liquidity framework assessment during examinations.<br></p><p>V.&#160; <em>Contingency Funding Plan&#160;</em><br></p><p>The PMOS provide that a regulated entity should have a formal CFP that establishes strategies for addressing liquidity shortfalls in emergencies, and that is tested periodically.&#160; The CFP should represent management’s best estimate of balance sheet changes that may result from a liquidity event based on stress testing and scenario analysis and should be integrated into a FHLBank’s overall liquidity risk management.&#160; A CFP should establish plans, courses of action, clear lines of responsibility, and escalation procedures to ensure liquidity sources are sufficient to fund normal operations during potential temporary, intermediate-term, and long-term liquidity disruptions.<br></p><p>FHFA expects an effective CFP to clearly specify the roles and responsibilities, including the authority to invoke the CFP, identify alternates for key roles, and include realistic action plans to execute the various elements of the plan for given levels of stress.&#160; A CFP should establish more frequent and more detailed internal liquidity risk reporting as the stress situation intensifies.&#160; The CFP should recognize the need to coordinate actions and information flows with other FHLBanks and the Office of Finance and address scenarios where debt issuance is constrained.&#160; A CFP should be regularly updated to reflect changes in market or business conditions.<br></p><p>FHFA expects each 
FHLBank to test periodically its CFP to assess its reliability and operational soundness under stress conditions.&#160; Testing should evaluate whether roles and responsibilities are up-to-date and appropriate; whether legal and operational documents are up-to-date and appropriate; whether the FHLBank can transfer cash and collateral where and when needed; and whether the FHLBank can draw on contingent liquidity lines when needed.&#160;&#160;<br></p><p>VI.&#160; <em>Core Mission Adjustments</em><br></p><p>FHFA previously issued an AB that provides guidance about how it will assess each FHLBank’s core mission achievement.&#160; That bulletin uses a ratio of a FHLBank’s “primary mission assets” to its outstanding consolidated obligations as the measure of its mission achievement.<a href="#19">[19]</a>&#160; To prevent a FHLBank that has invested in high quality U.S. Treasury securities for liquidity purposes from being penalized under the core mission achievement guidance for having made those investments, FHFA has determined that it would be appropriate to exclude those securities when measuring a FHLBank’s core mission achievement.&#160; Accordingly, a FHLBank may adjust its core mission achievement measure, as defined in AB 2015-05, by deducting from the denominator of the Primary Core Mission Asset ratio the annual average par value of its U.S. 
Treasury Securities that are held in a Trading account or Available-for-Sale account, as reported in FHFA’s Call Report System.<br></p><p>VII.&#160; <em>Transition Period and Dates</em></p><p>The Deputy Director is issuing a supervisory letter to accompany this AB that sets out the initial measures for each of the liquidity metrics described in the AB, along with the dates as of which FHFA will begin assessing the adequacy of each FHLBank’s liquidity position in the manner described in the AB.&#160; The supervisory letter includes phased-in measures for the cash flow component of the Base Case Liquidity provisions.&#160; Absent a market event that requires a countercyclical use of liquidity, the initial measurement period will begin on March 31, 2019, and the full measurement period will begin on December 31, 2019.&#160; For the SLOC component of the Base Case Liquidity provisions, the date is March 31, 2019.&#160; For funding gap measures, FHFA will begin using those measures on December 31, 2018.<br></p><p>VIII.&#160; <em>Reporting</em><br></p><p>DBR will develop new reporting requirements for each of the liquidity measures described in this AB well in advance of the above dates.<a href="#20">[20]</a>&#160; DBR intends to monitor each FHLBank’s liquidity position through their submission of periodic reports, as well as through the examination process.</p><p>IX.&#160; <em>Reservation of Authority</em><br>Nothing in this Advisory Bulletin limits the authority of FHFA under any other provision of law or regulation to take supervisory or enforcement action, including action to address unsafe or unsound practices or conditions, deficient liquidity levels, or violations of law.<br></p><p> <br> </p><p> <strong>Related Regulations and Advisory Bulletins</strong><br>12 USC § 1431(g) – Reserve Requirement for Member Deposits&#160;<br></p><p>12 CFR Part 1236 – Prudential Management and Operations Standards</p><p>12 CFR Part 1266.5 – Terms and Conditions for Advances</p><p>12 
CFR Part 1270.2 – Authorized Liabilities</p><p>12 CFR Part 1270.3(b) – Investment Coverage of Member Deposits</p><p>12 CFR Part 1270.10(b) – Liquidity Certification</p><p>Advisory Bulletin – AB 2015-AB-05, <em>FHLBank Core Mission Achievement</em>, July 15, 2015<br></p><p><br></p><hr /><p> <a name="1">[1]</a> For purposes of this bulletin, “liquidity” includes non-advance cash inflows during the measurement period plus certain high quality liquid assets (Treasury securities with remaining maturities of 10 years or less held in the Trading Account or Available-for-Sale accounting categories, and that are uncommitted and unencumbered).</p><p> <a name="2">[2]</a> The regulatory provisions addressing FHLBank liquidity are located at 12 CFR 1236, Appendix, Standard 5 (Liquidity and Reserves) and 12 CFR 1270.3 (reserves for deposits from members).</p><p> <a name="3">[3]</a> 12 CFR part 1236, Appendix, Standard 5</p><p> <a name="4">[4]</a> 12 USC 4513b, 12 CFR 1236.4.5</p><p> <a name="5">[5]</a> 12 CFR 1236.3(d)</p><p> <a name="6">[6]</a> 12 CFR 1239.11(a) (requirement for a board-approved risk management program).</p><p> <a name="7">[7]</a> 12 CFR part 1236, Appendix, Standard 5.</p><p> <a name="8">[8]</a> Other unsecured borrowing sources would be limited to member deposits and federal funds purchased. See 12 CFR 1270.2 (authorized Bank liabilities).</p><p> <a name="9">[9]</a> 12 CFR 249.32(j)(1)(iii). Under these Liquidity Coverage Ratio risk measurement standards (LCR), depository members subject to LCR are only required to provide liquidity coverage of 25 percent of their secured borrowings from U.S. 
government-sponsored entities that are assigned a risk weight of 20 percent, such as FHLBank advances.</p><p> <a name="10">[10]</a> FHFA regulations require that the FHLBanks offer to provide advances to all members with maturities of up to ten years, and allow them to make advances with longer maturities, in both cases consistent with the safe and sound operation of the FHLBank. 12 CFR 1266.5(a). Both the statute and regulations recognize a FHLBank’s right to decline to make an advance to a particular member for reasons of safety and soundness. 12 USC 1429; 12 CFR 1266.4(a).</p><p> <a name="11">[11]</a> The U.S. Treasury Department established the Government Sponsored Enterprise Credit Facility on September 7, 2008 as a back-up credit line for emergency use by Fannie Mae, Freddie Mac, or the FHLBanks. A fact sheet describing the facility can be located at <a href="https&#58;//www.treasury.gov/press-center/press-releases/Documents/gsecf_factsheet_090708.pdf">https&#58;//www.treasury.gov/press-center/press-releases/Documents/gsecf_factsheet_090708.pdf​</a>.</p><p> <a name="12">[12]</a> Renewing advances is a simplifying assumption for the advances book of business given that the maturities of most advances are short-term and advances have steadily grown since 2012 (after contracting for several years after the financial crisis). 
The assumption is based on the premise that FHLBanks should continue to provide advances during a period of impeded CO market access.</p><p> <a name="13">[13]</a> A frequent use of SLOCs by depository members is to secure public unit deposits, which then allows the members to use their highly-rated securities to meet their own liquidity requirements rather than pledge them as collateral for the public unit deposits.</p><p> <a name="14">[14]</a> For a variable balance letter of credit, the gross commitment should be used as the notional amount outstanding.</p><p> <a name="15">[15]</a> A FHLBank may include estimates for expected cash inflows, including anticipated prepayments, from mortgage assets as part of assets in the funding gap ratio numerator. Mortgage cash flow estimates should be consistent with estimates the FHLBank uses for its market risk measures. For purposes of calculating funding gap measures, Banks may include U.S. Treasury Securities meeting the definition of HQLA held in a Trading account as short-term (T+1) assets. All other U.S. 
Treasury Securities should be reported in funding gap measures at their maturity.</p><p> <a name="16">[16]</a> For example, Funding Gap = [Funding Gap current month-end (T<span style="font-size&#58;smaller;vertical-align&#58;sub;">0</span>) + Funding Gap month-end (T<span style="font-size&#58;smaller;vertical-align&#58;sub;">-1</span>) + Funding Gap month-end (T-2)] divided by 3.</p><p> <a name="17">[17]</a> The use of liquidity also is anticipated during operational events such as natural disasters, cyber disruptions, etc.</p><p> <a name="18">[18]</a> Force majeure events may also cause a temporary decrease in a FHLBank’s liquidity position.</p><p> <a name="19">[19]</a> Advisory Bulletin – AB 2015-AB-05, <em>FHLBank Core Mission Achievement</em>, July 15, 2015.</p><p> <a name="20">[20]</a> Currently FHLBanks provide liquidity data as specified in SDR-2008-03, which will be revised or rescinded when the new reporting requirements are established.<br></p><p>&#160;</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. Contact <a href="mailto&#58;SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a> if you have questions.<br></p></td></tr></tbody></table><br>8/27/2018 4:00:14 PM
Liquidity Risk Management25675Fannie Mae & Freddie Mac8/22/2018 4:00:00 AMAB 2018-06<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>​ADVISORY BULLETIN</strong></p><p> <strong>AB 2018-06</strong><br></p><p> <strong>LIQUIDITY RISK MANAGEMENT</strong><br></p></td></tr></tbody></table><p></p> <br> <p> <strong style="text-decoration&#58;underline;"><em></em></strong></p><p style="text-decoration&#58;underline;"><strong><em>Purpose&#160;</em></strong></p><p>This advisory bulletin (AB) communicates to Fannie Mae and Freddie Mac (the Enterprises) the Federal Housing Finance Agency’s (FHFA) guidance for the management of liquidity risk. Strong liquidity risk management supports safe and sound operations by enabling the Enterprises to meet their financial obligations when they come due without incurring unacceptable losses.&#160;</p><p>This advisory bulletin summarizes the principles of sound liquidity risk management, and, where appropriate, aligns with the regulation of other financial intermediaries. FHFA expects the Enterprises to use liquidity metrics that are commensurate with their funds management strategies and provide a comprehensive view of their liquidity risk to ensure that sufficient funds are available at a reasonable cost to meet potential demands.&#160;</p><p>This AB supersedes AB 2014-01 (<em>Liquidity Risk Management</em>).&#160;</p><p> <br> </p><p style="text-decoration&#58;underline;"><strong><em>Background&#160;</em></strong></p><p>Liquidity risk is the risk that an Enterprise will be unable to meet its financial obligations as they come due without incurring unacceptable losses. Strong liquidity risk management enables an Enterprise to be financially sound to perform its public mission and to limit and control shortfalls in cash. 
The guidance emphasizes the importance of cashflow projections, diversified funding sources, stress testing, a cushion of liquid assets, and a formal, well-developed contingency funding plan as primary tools for measuring and managing liquidity risk.&#160;</p><p>The standards for safe and sound operations for the Enterprises are set forth in the Prudential Management and Operations Standards (PMOS) at 12 CFR part 1236. Standard 5 (Adequacy and Maintenance of Liquidity and Reserves) states that each Enterprise should establish a liquidity management framework, articulate liquidity risk tolerances; and establish a process for identifying, measuring, monitoring, controlling, and reporting its liquidity position and liquidity risk exposures. In addition, Standard 5 includes guidelines for conducting stress tests to identify sources of potential liquidity strain and guidelines for establishing contingency funding plans.&#160;</p><p>Standard 8 (Overall Risk Management Processes) states the expectation for the Enterprises to establish risk management practices that measure, monitor, and control liquidity risk. The PMOS describe responsibilities of boards of directors and management for all Standards.</p><p>&#160;</p><p style="text-decoration&#58;underline;"><strong><em>Guidance&#160;</em></strong></p><p>Each Enterprise is expected to be able to identify, measure, monitor, control, and report its liquidity exposures by accurately identifying both existing and emerging risks, and quantifying the primary sources of liquidity risk. 
Effective liquidity risk management should include&#58;&#160;</p><ul><li>Adequate board of directors (board) and senior management oversight;&#160;<br></li><li>Appropriate liquidity management policies, procedures, and limits;&#160;<br></li><li>Appropriate risk measurement methodology, monitoring, and reporting systems; and&#160;<br></li><li>An effective contingency funding plan.&#160;<br></li></ul><p>The Enterprise should address risks unique to it with regard to liquidity, such as access to debt markets and the ability to sell or repurchase securities during a crisis.&#160;<br></p><p><strong>Board of Directors and Senior Management Oversight&#160;</strong></p><p>An Enterprise’s board is ultimately responsible for the liquidity risk assumed by the Enterprise and for guiding the strategic direction of liquidity risk management. The board, or a committee thereof, should establish and approve appropriate liquidity risk tolerances and limits, and oversee management’s establishment and approval of liquidity management strategies, policies, and procedures. The board should review these at least annually. In addition, the board is expected to have an understanding of the Enterprise’s business activities and associated liquidity risk. The board should understand the cash inflows and outflows that dictate an Enterprise’s liquidity needs (e.g., trust remittance cycle, guarantee fee, cash window, and mortgage purchase commitments). The board is expected to ensure that senior management has the necessary expertise to effectively manage liquidity risk. <a href="#1">[1]</a>​&#160;</p><p>Senior management oversees the daily and long-term management of liquidity risk. 
As part of an effective liquidity risk management program, senior management&#58;&#160;<br></p><ul><li>Develops liquidity risk management strategies, policies, and practices for approval by the board;&#160;<br></li><li>Implements sound internal controls for managing liquidity risk;&#160;<br></li><li>Establishes effective information systems and contingency funding plans; and&#160;<br></li><li>Establishes reporting systems that produce timely and accurate information on the Enterprise’s liquidity position and sources of risk exposure, including concentration risk, and provides regular reports to the board.&#160;<br></li></ul><p>These responsibilities may be delegated to a board-approved management committee.&#160;<br></p><p>The Enterprise’s organizational structure should clearly assign responsibility, authority, and relationships for managing liquidity risk and management should ensure that personnel are competent and appropriately trained with regard to the Enterprise’s established systems, policies and tolerances.&#160;</p><p>FHFA expects a Treasury unit to be responsible for the ownership and management of the liquidity risk limits. The unit should also be responsible for the identification, assessment, mitigation, control, monitoring, and reporting of liquidity risk, and for the Enterprise’s adherence to risk policies, standards, and limits.&#160;</p><p>A risk management unit should be responsible for the independent oversight and monitoring of liquidity risk. 
The risk management unit’s responsibilities would normally include&#58;&#160;</p><ul><li>Ensuring that risk limits for liquidity risk are meaningful, assessing liquidity risk against key risk indicators;&#160;<br></li><li>Independently reporting on liquidity risk issues;&#160;<br></li><li>Escalating liquidity risk breaches;&#160;<br></li><li>Stress testing liquidity risk limits;&#160;<br></li><li>Providing senior management and the board with reports on liquidity risk management and gaps between supervisory guidance, industry sound practices, and practices at the Enterprise; and&#160;<br></li><li>Ensuring that the Treasury unit has an effective process in place to identify, assess, monitor, and report on key liquidity risks.&#160;<br></li></ul><p><strong>Appropriate Liquidity Management Policies, Procedures, and Limits&#160;</strong><br></p><p>A robust set of liquidity risk management policies would appropriately include&#58;&#160;</p><ul><li>Standards regarding day-to-day operational liquidity needs;&#160;<br></li><li>Plans for dealing with contingent liquidity needs, including potential temporary, intermediate-term, and long-term liquidity disruptions;&#160;<br></li><li>Board-established liquidity risk tolerances, and procedures that establish steps to manage the risk exposures within those limits;<br></li><li>Methodology for determining the Enterprise’s operational and contingency liquidity needs;&#160;<br></li><li>Characteristics of investments that can be held for liquidity purposes;&#160;<br></li><li>Identification of investments that can be liquidated with minimal loss during times of stress;&#160;<br></li><li>Provisions for documenting and periodically reviewing assumptions used in liquidity projections;&#160;<br></li><li>Contingency funding plan for the Enterprise’s ability to access capital markets during periods of market stress; and&#160;<br></li><li>The nature and frequency of liquidity risk reporting for management and the 
board.&#160;<br></li></ul><p>Liquidity risk tolerances or limits should be appropriate for the complexity and liquidity risk profile of the Enterprise and should employ quantitative targets. These limits, tolerances, and guidelines will be most effective if they include items such as&#58;&#160;<br></p><ul><li>Discrete or cumulative cashflow mismatches or gaps (sources and uses of funds) over specified future short- and long-term time horizons under both expected and adverse business conditions. These may be expressed as cashflow coverage ratios or as specific aggregate amounts;&#160;<br></li><li>Target amounts of unpledged, high-quality liquid asset reserves expressed as aggregate amounts or as ratios;&#160;<br></li><li>Asset concentrations, especially with respect to more complex exposures that are illiquid or difficult to value, e.g. the size of the position relative to the depth of the market;&#160;<br></li><li>Funding concentrations that address diversification issues, such as dependency on a few sources of borrowed funds; and&#160;<br></li><li>Contingent liability metrics, such as amounts of unfunded commitments and lines of credit relative to available funding.&#160;<br></li></ul><p><strong>Appropriate Risk Measurement Methodology, Monitoring, and Reporting Systems</strong>&#160;<br></p><p>FHFA expects an Enterprise’s measurement of liquidity to include metrics for intraday liquidity, short-term cash needs (e.g., 30 days), access to collateral to manage cash needs over the medium term (e.g., 365 days), and a general congruence between the maturity profiles of the assets and liabilities. An Enterprise should also consider common industry practices and regulatory standards. <a href="#2">[2]</a>&#160;</p><p>FHFA expects that an Enterprise’s measurement systems should reasonably measure liquidity exposures, identify potential liquidity shortfalls, and simulate various market scenarios, including stress scenarios. 
Measurement systems should include robust models for projecting cashflows and an Enterprise’s liquidity needs over appropriate time horizons, ranging from intraday to longer-term liquidity needs of one year or more. These systems are expected (i) to measure tenor, liquidation costs, time to liquidate assets, and liquidity provider concentrations to ensure that reliance on certain funding structures or sources of funds is appropriately identified and controlled, and (ii) to capture all significant on- and off-balance sheet items and be adjusted as products or risks change.&#160;<br></p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p><em>A. Cashflow Modeling&#160;</em></p></blockquote><p>Since an Enterprise’s cashflows depend on choices mortgage borrowers make to prepay or extend their obligations, managing liquidity risk will be facilitated by the Enterprises’ use of pro forma cashflow statements. Pro forma cashflow analysis can be used to project sources and uses of funds under various liquidity scenarios to identify potential funding gaps. In determining potential liquidity needs and risk management strategies, the possibility of losses and deterioration in valuations from potential credit and market events should be considered. The Enterprise should account for this in assessing the feasibility and impact of asset sales on its liquidity position during stress events. Stress events should include national and regional events and cases where the catastrophic events occur simultaneously. The Enterprise should be able to calculate all of its collateral positions in a timely manner, including the value of assets currently pledged relative to the amount of security required and unencumbered assets available to be pledged. 
The Enterprise should be aware of the operational and timing requirements associated with accessing collateral given its physical location (i.e., the custodian entity or securities settlement system with which collateral is held). The Enterprise should also fully address the potential demand for additional collateral arising from various types of contractual contingencies during periods of both market-wide and Enterprise idiosyncratic stress.&#160;<br></p><p>To capture a variety of stresses, management's pro forma cashflow analysis should incorporate multiple scenarios that consider the general and unique risks faced by the Enterprise.&#160;</p><p>Assumptions used in pro forma cashflow projections should be reasonable and appropriate, adequately documented, and periodically reviewed by the appropriate risk management unit and the model oversight group at the Enterprises. Assumptions should consider a wide range of potential outcomes with regard to the stability of borrowings and securitization. Sensitivity tests should be performed to measure the effects that material changes to assumptions would have on related accounts.&#160;</p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p><em>B. Management Reporting&#160;</em></p></blockquote><p>To effectively fulfill senior management’s responsibilities with respect to liquidity risk management, it is necessary that senior management receive sufficient reports on the Enterprise’s liquidity risk management. An Enterprise should generate such reports, including the level and trend of the Enterprise’s liquidity risk, at least monthly, and should report to the board, or a board committee, quarterly. If liquidity risk is high, or if it is moderate and increasing, more frequent reports are likely to be called for. 
Reportable items may include&#58;&#160;<br></p><ul><li>Cashflow gaps;&#160;<br></li><li>Asset and funding concentrations;&#160;<br></li><li>Critical assumptions used in cashflow projections;&#160;<br></li><li>Key early warning or risk indicators;&#160;<br></li><li>Funding availability;&#160;<br></li><li>Status of contingent funding sources; and&#160;<br></li><li>Collateral usage.&#160;<br></li></ul><p><strong>Contingency Funding Plan (CFP)&#160;</strong><br></p><p>Funding decisions can be influenced by unplanned events. Such events include the inability to fund asset growth; difficulty renewing or replacing funding as it matures;<a href="#3">[3]</a>​ the exercise of options by customers to prepay or to draw down lines of credit; legal or operational risks; the demise of a business line; and market disruptions. Funding and investment strategies that are concentrated in one or two business lines or relationships, such as the Enterprises’ strategies, typically are at greater risk of being disrupted by adverse events.&#160;</p><p>An Enterprise should examine contracts and arrangements associated with major lines of business and funding sources to identify low-probability/high-impact events that could adversely affect liquidity. Contingency plans that incorporate practical solutions that can be adopted quickly to address such contingencies as they arise will minimize exposure to such events.&#160;</p><p>An Enterprise’s CFP should be customized to the liquidity risk profile of the Enterprise, and should identify the types of stress events which may be faced. The overall impact of a given stress event should be considered, including both direct and indirect effects. 
To be effective in mitigating foreseeable stress events, the CFP should&#58;&#160;</p><ul><li>Define responsibilities and decision-making authority so that all personnel understand their role during a problem-funding situation;&#160;<br></li><li>Include an assessment of the possible liquidity events that an Enterprise might encounter;&#160;<br></li><li>Detail how management will monitor for liquidity events, typically through stress testing of various scenarios in a pro forma cashflow format; and&#160;<br></li><li>Identify and assess the adequacy of contingency funding sources. The plan should identify any back-up facilities (lines of credit), the conditions and limitations to their use, and the circumstances where the Enterprise might use such facilities. Management should understand the various legal, financial, and logistical constraints, such as notice periods, collateral requirements, or net worth covenants, that could affect the Enterprise’s ability to use back-up facilities. They should test back-up facilities annually.&#160;<br></li></ul><p>CFPs are particularly important in institutions such as the Enterprises that rely on securitization. This is because an Enterprise’s income is generated from its volume of business. The Enterprises have contracts to purchase fixed volumes of loans from mortgage originators, and they are dependent on the To Be Announced (TBA) market to generate corresponding cash inflows. CFPs are expected to address scenarios where securitization or asset sales become rapidly unavailable. 
The Enterprise should have plans in place to address disruptions in the capital markets that would result in delayed sales of loans as well as required increases in retained interests and other credit enhancements.&#160;</p><div>​<br></div><p></p><p style="text-decoration&#58;underline;"> <strong><em>Related Guidance&#160;</em></strong></p><p>12 CFR part 1720 Safety and Soundness Standards, August 30, 2002.&#160;</p><p>12 CFR part 1236 Prudential Management and Operations Standards, Appendix.&#160;</p><p>12 CFR Part 249 Liquidity Coverage Ratio&#58; Liquidity Risk Measurement Standards, October 10, 2014.&#160;</p><p>12 CFR part 1239 Responsibilities of Boards of Directors, Corporate Practices, and Corporate Governance, December 21, 2015.&#160;<br></p><p>Proposed Rule on Net Stable Funding Ratio&#58; Liquidity Risk Measurement Standards and Disclosure Requirements, 81 FR 35124 through 35183, June 1, 2016.&#160;</p><p><em>Model Risk Management Guidance</em>, Federal Housing Finance Agency Advisory Bulletin 2013-07, November 20, 2013.&#160;</p><p><em>Liquidity Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin 2014-01, February 18, 2014 (superseded).<br></p><p> <br> </p><hr /> <br> <p> <a name="1">[1]</a> Liquidity risk management policies and procedures should establish the roles and responsibilities of groups involved in liquidity risk management, and have clear escalation procedures in the event of a breach of the liquidity limits. This would include board-level risk limits and action plans in the event of a breach of risk limits. The standards for board governance in 12 CFR part 1239, FHFA’s Corporate Governance Rule, were issued November 2015. 
Section 1239.11 addresses risk management.</p><p></p><p> <a name="2">[2]</a> On October 10, 2014, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation collectively issued a final rule that implemented a quantitative liquidity requirement, the Liquidity Coverage Ratio (LCR). 12 CFR part 50 (OCC); 12 CFR part 249&#160; (Regulation WW) (Federal Reserve Board); 12 CFR part 329 (FDIC). On June 1, 2016, the FFIEC interagency rule for the <a href="https&#58;//www.occ.gov/news-issuances/federal-register/81fr35124.pdf">Net Stable Funding Ratio&#58; Liquidity Risk Measurement Standards and Disclosure Requirements​</a> (NSFR) was proposed. 81 FR 35124 through 35183 (June 1, 2016). These sources address issues of short term liquidity (e.g., the adequacy of high quality assets holdings) and scale of mismatch of cashflows over the intermediate term. As of this date, the Net Stable Funding Ratio has not been adopted, but the proposal remains a useful reference point.&#160;</p><p> <a name="3">[3]</a> Critical rollover needs can be identified using funding ladders.<br></p><p> <br> </p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. 
Questions about this advisory bulletin should be directed to&#58; <a href="mailto&#58;SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>.<br></p></td></tr></tbody></table><br><br>8/22/2018 9:23:35 PM
Oversight of Multifamily Seller/Servicer Relationships | 25577 | Fannie Mae & Freddie Mac | 8/15/2018 4:00:00 AM | AB 2018-05<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>ADVISORY BULLETIN</strong></p><p> <strong>AB 2018-05</strong><br></p><p> <strong>OVERSIGHT OF MULTIFAMILY SELLER/SERVICER RELATIONSHIPS</strong><br></p></td></tr></tbody></table><br> <p></p> <p> <span style="text-decoration&#58;underline;"> </span> <strong style="text-decoration&#58;underline;"> <em>Purpose&#160;</em></strong></p><p>This advisory bulletin communicates to Fannie Mae and Freddie Mac (the Enterprises) the Federal Housing Finance Agency’s (FHFA) supervisory expectations to maintain the safety and soundness of their operations by effectively managing multifamily Seller/Servicer relationships.</p><p> <span style="font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;color&#58;#444444;">FHFA expects each Enterprise to assess financial, operational, legal, compliance, and reputational risks associated with its multifamily Seller/Servicer counterparties and take appropriate action to mitigate those risks or reduce Enterprise exposures. Counterparty risk management, as part of a board-approved risk management framework, should include an Enterprise’s multifamily Seller/Servicer business operations.&#160;</span></p><div><p>This advisory bulletin is applicable to the counterparty risk management of third-party relationships managed by an Enterprise’s multifamily business unit. FHFA expects the Enterprises to institute proper controls and perform monitoring to identify and manage risks associated with any multifamily counterparty.<br><br></p><p> <span style="text-decoration&#58;underline;"></span><em style="text-decoration&#58;underline;"><strong>Background</strong></em></p><p>Each Enterprise uses a limited network of Seller/Servicers that originate and service multifamily loans. 
These loans can be retained in an Enterprise’s portfolio or used as the underlying collateral for securitizations usually sold to investors. Multifamily loans are generally larger than residential loans and have more complicated servicing requirements. Multifamily servicing requirements include performing periodic property inspections and collecting rent roll reports that are used to evaluate the value and stability of the underlying multifamily property. Multifamily loan servicing also presents risk factors such as determining net operating cash flow derived from a subject property, as well as calculating economic metrics (e.g., occupancy and vacancy rates, average monthly rents, and regional unemployment rates). Multifamily underwriting criteria include maximum loan-to-value and minimum debt service coverage ratios as the basis for approval.&#160;</p><p>The term Seller/Servicer, as used in this advisory bulletin, includes approved bank or nonbank entities with a contractual relationship with an Enterprise that originate and service multifamily loans. With Enterprise approval, a designated multifamily servicer can use a subservicer (a servicer that performs servicing on behalf of the servicer) to perform the servicing administration of a loan for a fee. Multifamily Seller/Servicers routinely engage in all aspects of a loan’s lifecycle. Nonbank multifamily Seller/Servicers include publicly traded or privately owned commercial real estate companies.<br><br></p><p> <span style="text-decoration&#58;underline;"> </span> <strong style="text-decoration&#58;underline;"> <em>​Guidance</em></strong></p><p><strong style="text-decoration&#58;underline;"><em></em></strong>Oversight of multifamily Seller/Servicer relationships should be part of a risk management framework that includes periodic evaluation of counterparty financial performance; operational risk factors; and legal, compliance, and reputational risks. 
That information is used in the approval and ongoing monitoring of multifamily Seller/Servicers to ensure compliance with Enterprise guidelines. An effective risk management framework helps management achieve an Enterprise’s performance and profitability targets and prevent financial loss. It also should promote appropriate reporting and compliance with laws and regulations and help to avoid damage to the Enterprise’s reputation and associated consequences.&#160;</p><p> <strong>Risk Management Framework</strong></p><p>A risk management framework is an important element of corporate governance. Further, an effective risk management framework includes policies that support risk-related decision making. As outlined in Standard 8 of the Prudential Management and Operations Standards (PMOS), prudent risk management processes address the general responsibilities of the board of directors and senior management. The board is responsible for establishing and overseeing a robust risk management governance structure whereas management is responsible for the development, implementation, and maintenance of the risk management framework.&#160;</p><p>A risk management framework considers each multifamily Seller/Servicer’s lifecycle to include selection of Seller/Servicers (due diligence including eligibility validation); ongoing monitoring (performance, compliance reviews, and training schedules); and corrective action (remediation, suspension, or termination).&#160;</p><p>Policies and procedures should be tailored to the oversight of multifamily Seller/Servicers to enable an Enterprise to consistently identify, measure, monitor, and control aggregate and emerging risks. Established policies should outline the role and responsibilities of the first line business units and the second line, enterprise risk management (ERM), which oversees risk management and assesses risk independent of the first line units. 
The responsibilities for risk&#160;ownership, management, control, oversight, and assurance should be clearly understood by both the first line business unit and the ERM group. Policies and procedures should also address the frequency of reporting, escalation, and tracking of policy exceptions or waivers by the Enterprise’s senior management team to the board of directors or committee thereof, depending on the issue and risk exposure to the Enterprise.&#160;</p><p>In addition, policies should address the remediation of deficiencies or weaknesses identified in performance standards or in particular risk areas, as appropriate. The policies should also set standards for taking timely corrective action against a multifamily Seller/Servicer depending on the level and seriousness of the findings.&#160;</p><p> <strong>Selection of Multifamily Seller/Servicers</strong></p><p>Due diligence, including research and analysis of a multifamily Seller/Servicer’s financial condition, operational capabilities, and reputation, is expected before approving a multifamily Seller/Servicer. The Enterprise should evaluate the factors referenced below in the due diligence process, in addition to compliance with eligibility requirements, to assess the strength of the Seller/Servicer.&#160;</p><p> <em>Financial Risk Factors</em></p><p>Financial risk can result from a weak or deteriorating financial performance or condition, adverse market conditions, or extraordinary events. Effective counterparty risk management includes evaluation of a potential Seller/Servicer’s financial condition to assess its ability to continue operations based on components of its capital base, sources of revenue, profit margins, liquidity sources, and cash flow. These factors should be evaluated periodically or as warranted through ongoing monitoring to determine whether a Seller/Servicer has the capacity to meet its financial obligations. 
The Enterprises should consider the following in assessing potential risks to an Enterprise from each multifamily Seller/Servicer’s financial condition, as appropriate&#58;&#160;</p><ul><li>The Seller/Servicer’s ability to perform through various market conditions;&#160;<br></li><li>Ability of the Seller/Servicer to meet loss sharing obligations, if applicable;&#160;<br></li><li>Capability of the Seller/Servicer’s management;&#160;<br></li><li>Internal risk management structure of the Seller/Servicer;&#160;<br></li><li>Industry reputation, product mix, geographic diversity, and estimated loan production volumes;&#160;<br></li><li>The Seller/Servicer’s corporate structure, ownership, and any special financial arrangements;<br></li><li>​Quality of the loan portfolio, when the underwriting function is delegated, or servicing performance; and&#160;<br></li><li>Adequacy of the Seller/Servicer’s fidelity bond and errors and omissions insurance coverage that protects the Enterprises from losses resulting from dishonest or fraudulent acts committed by the lender’s employed personnel or outside parties that provide services to the lender.&#160;<br></li></ul><p> <em>​Operational Risk Factors</em></p><p>Weak operations or controls can result in exposures to loss resulting from inadequate or failed processes, people, systems, or external events. Noncompliance with the selling and servicing agreements and guide requirements can also create operational risk exposures. 
Operational risk events may prevent a Seller/Servicer from fulfilling its obligations to an Enterprise pursuant to contractual terms.&#160;</p><p>The Enterprises should consider the following, as appropriate, in assessing each multifamily Seller/Servicer’s operational risk&#58;&#160;</p><ul><li>Ability of the servicing operations to absorb future growth in terms of staffing, facilities, and system infrastructure;&#160;<br></li><li>Overall servicing performance by the servicer or subservicers, including routine property inspections and collection of rent roll reports;&#160;<br></li><li>Adequacy of the Seller/Servicer’s information technology management program, including information security practices;&#160;<br></li><li>The Seller/Servicer’s business continuity, disaster recovery, and contingency planning to minimize any potential service disruptions;&#160;<br></li><li>The Seller/Servicer’s risk management program, including internal controls in conjunction with periodic reviews as well as post-closing loan reviews;&#160;<br></li><li>The Seller/Servicer’s management team’s experience level, tenure, and any possible influence by controlling shareholders; and&#160;<br></li><li>The Seller/Servicer’s oversight of its third-party service providers such as subservicers, information technology providers, brokers, and appraisers.&#160;<br></li></ul><p> <em>​Legal, Compliance, and Reputation Risk Factors</em></p><p>Legal, compliance, and reputation risks can exist as a result of, among other factors, noncompliance with laws or regulations or from non-adherence to sound industry practices or Enterprise selling and servicing agreements and guides. 
The Enterprises should consider the following in assessing the legal, compliance, and reputation risks associated with each multifamily Seller/Servicer, as appropriate&#58;&#160;</p><ul><li>Maintenance of appropriate federal and state charters or licenses required for, or relevant to, operating its business in the approved jurisdictions;&#160;<br></li><li>Scope of federal and state regulatory oversight and the Seller/Servicer’s compliance program for all applicable laws and regulations;&#160;<br></li><li>Record of compliance from publicly available information sources including past and pending legal actions; and&#160;<br></li><li>Information known or reasonably available to an Enterprise about any civil, criminal, or regulatory issues affecting the Seller/Servicer.&#160;<br></li></ul><p> <strong>Ongoing Monitoring</strong></p><p>Monitoring of multifamily Seller/Servicers is an essential component of managing the risks they pose to an Enterprise. Ongoing monitoring by an Enterprise should be guided by risk-based procedures that outline periodic reviews of critical information to assess a Seller/Servicer’s performance. 
The Enterprise’s risk-based process should be designed to ensure that the direction, depth​, and frequency of reviews is commensurate with each multifamily Seller/Servicer’s risk profile.&#160;</p><p>The review should be available for evaluation by staff performing oversight duties (ERM) and should take into account factors assessed during the approval process, as well as the following additional factors, as appropriate&#58;&#160;</p><ul><li>The number and volume of multifamily loans sold to and serviced for an Enterprise and the mix of various product types;&#160;<br></li><li>The quality of the servicing that is performed on behalf of an Enterprise;&#160;<br></li><li>The terms of any risk sharing arrangements in place, periodic review of accounts maintained by third parties, and reconciliation between risk sharing obligations and account balances;​<br></li><li>Whether the Enterprises have the ability to collect loan data from the Seller/Servicer, such as exception and waiver statistics, including documented justifications for waivers and results of ongoing performance reviews of those loans;&#160;<br></li><li>Verification of eligibility standards and other terms of business throughout the relationship;&#160;<br></li><li>Results of onsite reviews to validate compliance with the servicing guide, internal controls, and other contract provisions;&#160;<br></li><li>Accuracy, timeliness, and completeness of loan recordkeeping, including loan data systems and loan documentation, throughout the life of the loan; and&#160;<br></li><li>Changes in a Seller/Servicer’s senior management, business model, strategies, or practices.&#160;<br></li></ul><p> <strong>​Corrective Action</strong></p><p>The Enterprises have a range of remedies when dealing with a Seller/Servicer that fails to meet its contractual obligations. 
Clear communication between an Enterprise and a Seller/Servicer is critical in resolving areas that are not in compliance with issues outlined in the respective Seller/Servicer guide requirements. Each Enterprise should have established policies that include a process for taking timely remedial action to exercise contractual rights for termination, suspension, or restriction of activities with a Seller/Servicer. Enterprise policies should include standards for taking appropriate action against a Seller/Servicer that fails to meet an Enterprise’s standards of performance or that poses reputation risk because of noncompliance with applicable laws and regulations or unsound business practices.<br><br></p><p> <span style="text-decoration&#58;underline;"> </span> <strong style="text-decoration&#58;underline;"> <em>​Related Guidance</em></strong></p><p>12 CFR Part 1236 Prudential Management and Operations Standards, Appendix.&#160;</p><p> <em>Contingency Planning for High-Risk or High-Volume Counterparties</em>, Federal Housing Finance Agency Advisory Bulletin 2013-01, April 1, 2013.&#160;<br></p><p> <em>Oversight of Single-Family Seller/Servicer Relationships</em>, Federal Housing Finance Agency Advisory Bulletin 2014-07, December 1, 2014.<br><br></p></div><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. 
Questions about this advisory bulletin should be directed to&#58; <a href="mailto&#58;SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>.<br></p></td></tr></tbody></table> <br>8/15/2018 5:55:06 PM
Cloud Computing Risk Management | 25572 | All | 8/15/2018 4:00:00 AM | AB 2018-04<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>ADVISORY BULLETIN</strong></p><p> <strong>AB 2018-04</strong><br></p><p> <strong>CLOUD COMPUTING RISK MANAGEMENT</strong><br></p></td></tr></tbody></table><br> <p></p><p><strong style="text-decoration&#58;underline;"><em>Purpose</em></strong><br></p><p>This advisory bulletin provides Federal Housing Finance Agency (FHFA) guidance to Fannie Mae, Freddie Mac, the Federal Home Loan Banks (FHLBanks), and the Office of Finance (OF) (collectively, the regulated entities) on assessing and managing risks associated with third-party cloud providers.&#160; Effective risk management of cloud providers is critical to safe and sound operations.&#160; Each regulated entity should use a risk-based approach across key areas listed below to meet FHFA supervisory expectations&#58;<br></p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p>I.&#160;Governance</p></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p>A. Responsibilities of the Board and Senior Management</p></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p>B. Strategies, Policies, Procedures, and Internal Standards</p></blockquote></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p>II. Third-Party Cloud Provider Management</p></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p>A. Due Diligence Assessment</p></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p>B. 
Service Agreements</p></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p>C. Oversight and Ongoing Monitoring</p></blockquote></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p>III. Information Security</p></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p>A. Shared Responsibility for Security</p></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p>B. Data Classification and Systems Security</p></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p>C. Access Management</p></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p>D. Incident Notification, Planning, and Response</p></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p>E. Development and Testing Environments&#160;</p></blockquote></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p>IV. 
Business Continuity Cloud Provider Management<br></p><p><br></p></blockquote><p><strong style="text-decoration&#58;underline;"><em>Background</em></strong></p><p><strong style="text-decoration&#58;underline;"><em></em></strong>Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.&#160; This model is composed of five essential characteristics (on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service), three service models (Software as a Service or SaaS, Platform as a Service or PaaS, and Infrastructure as a Service or IaaS), and four deployment models (private cloud, community cloud, public cloud, and hybrid cloud).</p><p>Relationships between cloud customers and their cloud providers are complex.&#160; Critical information and resource controls may shift from in-house operations to a third party, meaning the regulated entity and cloud provider share responsibility for safeguarding organizational information and systems.&#160; Additionally, cloud providers may have privileged access to organizational systems and information.&#160; Because of this shared responsibility, a regulated entity engaging with a cloud provider should take appropriate steps to manage associated third-party risks and revise the information security program to address risks specific to cloud computing.&#160; A regulated entity should also prepare for outages and failures that may hinder access to organizational information and systems that rely on cloud providers.<br></p><p>FHFA’s general standards for safe and sound operations are set forth in the Prudential Management and Operations Standards (PMOS) at 12 CFR Part 1236 Appendix.&#160; Three relevant PMOS articulate guidelines for a regulated 
entity’s board of directors and management to evaluate when establishing internal controls and information systems (Standard 1), overall risk management processes (Standard 8), and maintenance of adequate records (Standard 10).<br><br></p><p><strong style="text-decoration&#58;underline;"><em>Guidance</em></strong></p><p>FHFA expects each regulated entity to appropriately manage its cloud computing risks as part of its enterprise-wide risk management program,&#160; and in accordance with all relevant FHFA guidance.&#160; Application of this guidance by the regulated entity should correspond to the level of risk presented.&#160; The regulated entity’s evaluation of the level of risk should include the classification of the data hosted at the cloud provider, the criticality of the service(s) provided, service and deployment models used, and other risks associated with engaging a third-party cloud provider.</p><p>The regulated entity may establish a standalone cloud computing risk management program or subsume the governance and functions of cloud computing risk management under another established program.&#160; The complexity of and level of risk associated with the regulated entity’s cloud usage should inform the decision on whether the cloud computing risk management program should exist as a standalone program or is subsumed into other program(s).&#160; Because cloud computing affects several different areas of operations, those responsible for managing related risks should coordinate across different divisions to manage the third-party provider, information security, and business continuity risks.​<br></p><p><strong>I. 
Governance</strong></p><p>The governance of the cloud computing risk management program should consist of the cloud strategy, policies, procedures, and internal standards.&#160; If the regulated entity subsumes the governance of the cloud computing risk management program into other programs, the regulated entity should clearly communicate which strategies, policies, procedures, and internal standards apply.&#160; The complexity of and level of risk associated with the regulated entity’s cloud usage should inform whether the board or senior management approves the cloud computing strategy, policies, procedures, and internal standards.</p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p><em>A. Responsibilities of the Board and Senior Management</em></p></blockquote><p>The board of directors or a committee thereof (board) should provide oversight to the cloud computing risk management program.&#160; As part of that oversight, the board should understand the risks involved in the regulated entity’s use of cloud computing.&#160; The board should ensure that senior management fully understands the effects of shifting to a cloud computing environment and has appropriate expertise on managing those effects prior to engaging a cloud provider.&#160; The board should review the strategy or strategic plan that covers cloud computing and major policies relating to associated risks.</p><p>Senior management should develop and periodically update policies, procedures, and internal standards and implement the cloud computing risk management program.&#160; Senior management should also periodically report to the board about the nature of the regulated entity’s cloud computing risk, which may change significantly over time.</p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p><em>B. 
Strategies, Policies, Procedures, and Internal Standards</em></p></blockquote><p>Each regulated entity should establish and periodically update its cloud computing strategy, and evaluate its appetite for associated risks.&#160; The regulated entity’s current and planned cloud usage, including the extent and purpose, the classification of data stored on the cloud, and the choice of cloud service and delivery model, should inform the development of individual policies, procedures, and internal standards.&#160; Policies should describe appropriate uses for cloud computing.&#160; The regulated entity should evaluate and update policies, procedures, and internal standards so they are consistent with the cloud strategy and the regulated entity’s risk appetite.</p><p>The regulated entity should develop or update internal standards as a basis for managing and monitoring risks at levels consistent with the regulated entity’s risk appetite.&#160; The internal standards should establish the technical and operational criteria the regulated entity uses to evaluate cloud provider service agreements and controls, including criteria on performance and reliability in terms of availability, security, business continuity, and compliance.&#160; Where possible, internal standards should include metrics.&#160; The regulated entity should consider industry standards as well as its needs, capabilities, and risk appetite to inform the development of its internal standards.<br></p><p><strong>II. Third-Party Cloud Provider Management</strong></p><p>The regulated entities should take steps to mitigate the third-party risks arising from their use of cloud providers.&#160; The shared responsibility framework, heightened administrative privileges, standardized service model, and potential for vendor lock-in of cloud providers, result in new risks and complications to existing risks.&#160;</p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p><em>A. 
Due Diligence Assessment</em></p></blockquote><p>In addition to an evaluation of financial, operational, legal, compliance, and reputational risks of engaging the cloud provider, the regulated entity should evaluate whether and how shifting to a cloud computing environment affects risk.&#160; If warranted under the circumstances, the assessment should include a comparison with other cloud providers that offer comparable services.&#160; The results of due diligence assessments should frame service agreement negotiations and the regulated entity’s procedures and operations for managing provider-specific cloud computing risks.</p><p>The on-demand self-service and rapid elasticity of cloud service have the potential to result in substantial changes to the risks associated with a specific cloud provider when the service agreement has not changed.&#160; Consequently, due diligence assessments should occur for every cloud provider at contract inception and prior to any modifications in the level or type of services obtained that could result in significant increases to the regulated entity’s risk exposure.&#160; Policies on the frequency of due diligence assessments should also consider the rapid evolution in the market for cloud services.</p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p><em>B. 
Service Agreements</em></p></blockquote><p>Recognizing that each cloud computing use, complexity, and risk is unique, the details of the service agreement provisions may vary.&#160; Because cloud providers often use a standardized service model, the regulated entity may not be able to negotiate changes to the selected cloud provider’s standard service agreement.&#160; In cases where there are differences between the chosen cloud provider’s service agreement and the regulated entity’s policies and internal standards, the regulated entity should first consider alternative providers.&#160; If a regulated entity determines that no alternatives exist that meet the business need, the regulated entity should develop plans to mitigate or transfer any risks emanating from the differences to reduce the risk to an acceptable level.​</p><p>Service agreements with a cloud provider should define roles and responsibilities of the cloud provider and regulated entity.&#160; Service agreements should not restrict information technology, information security, and business continuity teams from effectively performing their responsibilities in the cloud environment, including monitoring and evaluating performance, protecting against and responding to security incidents, and supporting ongoing risk and compliance management.<br></p><p>Prior to executing a cloud computing service agreement, legal and information security experts who are knowledgeable about cloud computing should review the agreement to determine if the agreement exposes the regulated entity to unacceptable levels of risk.&#160; The review should include an assessment of significant contractual risk points for cloud computing, such as the dispute resolution process, confidentiality provisions, privacy policy, data residency, and any limitations on liability, indemnities, termination rights, and suspension rights.&#160; Additionally, the review should include a determination of whether and how the cloud provider may use 
regulated entity data for its own purposes.&#160; In accordance with a regulated entity’s policies and procedures, the regulated entity should re-evaluate service agreements periodically to determine whether they need to be updated.</p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p><em>C. Oversight and Ongoing Monitoring</em></p></blockquote><p>The regulated entity should implement and oversee ongoing monitoring to ensure compliance with the service agreement(s) and to evaluate the performance of the cloud provider.&#160; The regulated entity should track all cloud providers used, the approved cloud services, and usage of those services.&#160; Each entity should assess each cloud provider’s quality and performance in providing information security to protect data at rest and in transit and evaluate the timeliness and completeness of the provider’s communications.</p><p>If the regulated entity relies on monitoring and oversight provided by third parties, such as third party audit reports, the regulated entity should evaluate whether its contracted cloud services match the services evaluated in the outsourced monitoring and oversight.<br></p><p><strong>III. Information Security</strong></p><p>Migrating operations to the cloud may result in both new information security risks, such as from multi-tenancy risks, and complications to existing information security risks, such as risks stemming from privileged user access.&#160; The regulated entity should evaluate and revise its information security program to reflect its cloud computing environments, and it should, to the extent possible, extend information security governance, engineering, architecture, and operations to cloud computing environments and providers.</p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p><em>A. 
Shared Responsibility for Security</em></p></blockquote><p>The regulated entity and the cloud provider share responsibility for protecting data stored in the cloud.&#160; The regulated entity should understand its cloud security responsibilities, which may vary based on the provider and service model.&#160; In addition to any descriptions of the roles and responsibilities in the service agreement, the terms of the cloud provider’s information security standards and controls should inform the regulated entity of its responsibilities for protecting its cloud environment(s).&#160; The regulated entity should understand and mitigate, accept, or transfer the risks from any identified gaps in the cloud provider’s information security program.</p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p><em>B. Data Classification and Systems Security</em></p></blockquote><p>The data classification and the regulated entity’s risk appetite should inform the security requirements of specific data in the cloud.&#160; Prior to placing data in a cloud environment, the regulated entity should evaluate the appropriateness of its protections, such as encryption, and geographic location of data at rest and in transit.&#160; The regulated entity should assess compliance with its security policies through regular tests of key controls, systems, and procedures it uses for its cloud environment(s).</p><p>The regulated entity should comply with laws and other requirements that may restrict where data are stored and establish appropriate data storage controls designed to maintain data in the appropriate physical location.&#160; Additionally, there are substantial legal and security risks to storing data outside the United States.&#160; The regulated entity should evaluate its risk appetite, the applicable jurisdiction’s laws, and the regulated entity’s expertise in and ability to effectively mitigate the security and legal risks prior to permitting hosting data 
in a jurisdiction outside of the United States.<br></p><p>The service and deployment model may also inform decisions about security requirements.&#160; For example, some cloud environments share physical components and resources among disparate tenants using logical separation of data.&#160; To protect against multi-tenancy risks, the regulated entity should ensure that it and the cloud provider take steps such as using information technology services and systems to monitor applicable activity within the cloud environment.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p><em>C. Access Management</em></p></blockquote><p>Cloud computing environments may differ in access management configurations, so each regulated entity should take steps to ensure that identity and access management functions are configured properly.&#160; The regulated entity should evaluate the effectiveness of policies, procedures, and internal standards on identity and access management functions to protect against unauthorized or malicious use by the cloud provider.</p><p>The regulated entity should protect and secure cloud credentials.&#160; When encrypting data in the cloud, the regulated entity should protect and secure encryption keys in a manner consistent with the classification of the data they protect.​<br></p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p><em>D. 
Incident Notification, Planning, and Response</em></p></blockquote><p>The regulated entity should update its incident response plan(s) to include incidents that could arise from using cloud providers.&#160; Responding to incidents that occur in the cloud environment often requires coordination with the cloud provider.&#160; Notification requirements in the service agreement should define the criticality of the incidents the cloud provider should report and require the cloud provider to deliver timely notification of such incidents with sufficient detail to allow the regulated entity to take steps to prevent the expansion of an incident, mitigate its effects, or eradicate the incident in accordance with its incident response plan.</p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p><em>E. Development and Testing Environments</em></p></blockquote><p>Regulated entities that isolate testing and development environments may maintain less rigorous controls over these environments to increase flexibility for developers and testers.&#160; The regulated entity should revisit and, as appropriate, update policies, procedures, and internal standards for development and testing on the cloud to assess whether it has sufficient controls to maintain security at all phases of the development life cycle.</p><p><strong>IV. 
Business Continuity Cloud Provider Management</strong></p><p>Cloud computing services may experience outages and performance slowdowns.&#160; The regulated entity should configure its cloud usage for a level of availability and reliability appropriate for its intended use.&#160; Using a cloud provider for disaster recovery does not relieve the regulated entity of its business continuity responsibilities.&#160; Business continuity scenarios and associated plans should evaluate a variety of scenarios, including permanent cloud provider failure, as well as a range of short- to long-term disruptions.&#160; The regulated entity should test, using an appropriate testing method, its business continuity plan both prior to, and while relying on, the cloud provider(s) for operations.</p><p>Each regulated entity should consider the risk of using the same cloud provider for multiple critical services.&#160; If an FHLBank plans to rely on another FHLBank (e.g., Buddy Bank) for business continuity and both use the same cloud provider, these arrangements should be re-evaluated for the possibility of a simultaneous disruption.<br><br></p><p><em style="text-decoration&#58;underline;"><strong>Related Guidance</strong></em></p><p><em>Information Security Management</em>, Federal Housing Finance Agency Advisory Bulletin 2017-02, September 28, 2017.</p><p><em>Internal Audit Governance and Function</em>, Federal Housing Finance Agency Advisory Bulletin 2016-05, October 7, 2016.<br></p><p><em>Data Management and Usage</em>, Federal Housing Finance Agency Advisory Bulletin 2016-04, September 29, 2016.<br></p><p><em>Information Technology Investment Management</em>, Federal Housing Finance Agency Advisory Bulletin 2015-06, September 21, 2015.<br><em>Model Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin 2013-07, November 19, 2013.<br></p><p><em>Operational Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin&#160;2014-02, February 18, 
2014.&#160;</p><p>12 CFR Part 1236 Prudential Management and Operations Standards, Appendix.<br></p><p>12 CFR Part 1239.11(a)(risk management program).<br></p><p><br></p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance.&#160; Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance.&#160; Questions about this advisory bulletin should be directed to&#58; <a href="mailto&#58;SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>.<br></p></td></tr></tbody></table><br>
<p>Advances Pricing (AB 2018-03), FHL Banks, 8/6/2018</p><p><span style="text-decoration&#58;underline;"><strong><em>Purpose</em></strong></span></p><p>This Advisory Bulletin provides Federal Housing Finance Agency (FHFA) guidance to the Federal Home Loan Banks (FHLBanks or Banks) on the methods a FHLBank may use to demonstrate and document its compliance with the minimum advance pricing requirements set forth in FHFA's regulations.&#160; The methods described in this Advisory Bulletin are not exclusive and Banks may choose other methods to demonstrate and document compliance.&#160; </p><p><span style="text-decoration&#58;underline;"><strong><em>Background</em></strong></span></p><p>Section 1266.5(b)(1) of FHFA's regulation on Bank advances states&#58;</p><p>“A Bank shall not price its advances to members below&#58;</p><ol><li>The marginal cost to the Bank of raising matching term and maturity funds in the marketplace, including embedded options; and</li><li>The administrative and operating costs associated with making such advances to members.&quot;<span style="text-decoration&#58;underline;">[1]</span><br>&#160;</li></ol><p>The above requirement establishes the minimum price a Bank must charge on an advance.<span style="text-decoration&#58;underline;">[2]</span>&#160; The minimum price of an advance must be no lower than the sum of the following two components&#58;&#160; (1) the cost to issue debt with matching terms and conditions (marginal cost), and (2) the administrative and operating costs associated with making the advance (administrative and operating costs). 
</p><p><em>Marginal Cost</em> – The FHLBanks have introduced advance products tailored to meet changing member needs.&#160; In cases where the structure of an advance is more complex, a Bank may find it more difficult to identify Bank-issued debt in the marketplace with terms and conditions matching those of the advance.<span style="text-decoration&#58;underline;">[3]</span>&#160; While a FHLBank may choose not to match-fund the advance, the advance pricing must reflect a fully matched position to comply with the regulation.<span style="text-decoration&#58;underline;">[4]</span>&#160; This Advisory Bulletin describes several methods a Bank may use to demonstrate and document its compliance with the minimum pricing requirement of the advances regulation when a Bank-issued debt equivalent is not available in the marketplace.</p><p><em>Administrative and Operating Costs</em> – In addition to the marginal cost component, the minimum price of an advance must cover the administrative and operating costs associated with making the advance.&#160; This Advisory Bulletin provides general guidance for allocating the administrative and operating costs associated with making an advance.</p><p><span style="text-decoration&#58;underline;"><strong><em>Guidance</em></strong></span></p><p>Before setting the price of an advance, a FHLBank must determine that the proposed price complies with the minimum pricing requirements of FHFA's advances regulation.&#160; FHFA expects each Bank to create and retain documentation supporting those determinations.&#160; When documenting compliance, a Bank should explain how the particular 
features of the advance affect the Bank's marginal, administrative, and operating costs of issuing that advance.&#160; Such features may include options and interest rate caps and floors that are embedded in the advance terms, and other components, as appropriate.&#160; In making its determinations, the Bank should ensure the timeliness of all data used to establish the cost of the advance and chosen price relative to the anticipated issuance date of the advance.&#160; Periodically, examiners will review each Bank's determinations regarding its compliance with the regulatory pricing requirements, including the Bank's documentation for establishing the cost of advances.&#160; </p><p><em>Documenting the Marginal Cost Component</em></p><p style="text-align&#58;justify;">For simple advances with no special features, such as prepayment or extension options, or interest rate caps or floors, documenting the cost of the advance would require identifying the marginal cost of issuing debt with the same contractual maturity.<span style="text-decoration&#58;underline;">[5]</span>&#160;&#160; For a fixed-rate advance, the marginal cost to the FHLBank of issuing that advance would be the marginal cost of issuing fixed-rate debt of the same tenor as the advance being offered.&#160; Thus, the Bank's marginal cost of issuing additional debt with the same contractual tenor as the advance being offered would form the basis for the Bank's “marginal cost of the advance.&quot;&#160; Similarly, for a simple floating-rate advance with no other special features, the marginal cost of that advance would reflect the marginal cost of issuing floating-rate debt of the same tenor as the advance being offered.&#160; </p><p style="text-align&#58;justify;">FHFA recognizes that, in the case of Office of Finance (OF) 
indications, the matching tenor debt may not be issued contemporaneously or issued at all.&#160; In such circumstances, the FHLBank may use the OF's consolidated obligation indicative curves, which currently include&#58;&#160; Cost of Funds Curve, Callable Indications, and Discount Note Indications.&#160; FHFA expects the FHLBanks to document that the System can issue debt near the indicative prices through backtesting and other model risk oversight found in <em>Advisory Bulletin 2013-07, Model Risk Management.</em>&#160; If the OF maintains such documentation, a FHLBank may reference such OF documentation, to the extent it meets the expectations set in the Advisory Bulletin, and provided the Bank has assured itself of the adequacy of that documentation.</p><p style="text-align&#58;justify;">The price of either synthetically created fixed- or floating-rate advances should reflect the Bank's constructed cost of the underlying debt plus the constructed costs associated with creating the synthetic feature (<em>i.e</em>., either the floating or fixed rate) of the advance. </p><p>Determining and documenting compliance with the marginal cost component of the minimum pricing requirement is more challenging when no matching FHLBank-issued debt exists with the tenor and unique features offered by the Bank for its advance. 
&#160;FHLBanks may use the following pricing frameworks to establish the marginal costs associated with an advance when information on matching FHLBank-issued debt is not readily ascertainable from the marketplace.<span style="text-decoration&#58;underline;">[6]</span>&#160; A Bank should use the alternative or combination of alternatives that is most likely to reflect the actual costs it would incur in the marketplace and provide support for this choice in its documentation.</p><p><em>Capital Markets Proxy</em> – A FHLBank may identify and use a capital markets proxy, consisting of a single debt security with a liquid market that has been issued by an entity other than the Office of Finance, with tenors and features similar to those of the advance, to demonstrate appropriate pricing.&#160; Appropriate documentation to support pricing would include adjustments to the proxy's price based on differences in features such as settlement date, term, rate structure, and credit risk, among others.&#160; Several such securities can be used as individual proxies to reduce uncertainty for complex advances or in cases that require many adjustments to the proxies.</p><p style="text-align&#58;justify;"><em>Synthetic Security</em> – A FHLBank may demonstrate compliance through a derivatives pricing or replicating portfolio framework by pricing a synthetic security that captures the underlying maturity, rate structure, and any other features of the advance.&#160; For example, the Bank could replicate the contractual cash flows of the advance through a synthetic portfolio of actual consolidated obligations and derivative instruments used to support the underlying structure of the advance.&#160; In this case, the FHLBank may use models to generate and value cash flows that match the contractual cash 
flows from the advance to demonstrate compliance with the regulation.&#160; When matching the advance's contractual cash flows, the Bank should make conservative assumptions, unless there is clear and convincing market-derived information about the assumptions that market participants would likely use to price similar obligations.&#160; </p><p><em>Price Indication</em> – When a capital markets proxy is unavailable and a FHLBank is unable to reference a synthetic security, it may obtain pricing indications on the same debt from reliable sources, preferably dealers that are market makers in these types of financial instruments and that take account of all appropriate terms required to support the advance's structure.&#160; A Bank using a price indication approach should obtain an appropriate number of indications to provide a range of estimates.&#160; If possible, the debt indications should have sufficient documentation to support the price quotes, ideally including any theory, assumptions, and observable market prices, among other factors.&#160; The Bank should support in documentation its reasoning for choosing whatever indication it ultimately uses as a representation for the cost of debt supporting the advance.</p><p>In its pricing evaluation, to the extent a FHLBank uses models, the Bank should provide in its documentation a sufficient discussion of model theory, assumptions, data inputs, and monitoring to allow an independent reviewer to replicate and evaluate the Bank's chosen method.&#160; When reviewing documentation that supports the marginal cost component of the advance to determine compliance with the regulatory requirements on advance pricing, examiners will apply AB 2013-07, <em>Model Risk Management Guidance,</em> to these pricing models in determining whether a Bank's rationale and documentation for its advance pricing are sufficient.&#160; </p><p><em>Documenting Administrative and Operating Costs</em></p><p>In addition to the marginal cost 
component, the advances regulation requires FHLBanks to include the administrative and operating cost (AOC) associated with making advances in setting the advance price.&#160; Charging only for the marginal AOC does not account for the appropriate allocation of fixed AOC.&#160; To demonstrate compliance with the AOC component of the regulation, the Banks should document the allocation of total Bank operational expenses across all business lines no less than annually.&#160; The allocation should be specific enough for an outside party to evaluate whether the advance price includes an appropriate charge for expenses related to making the advance.&#160; The allocation should reflect each Bank's business model and supportable considerations.</p><p><em>Advances with Accompanying Derivatives</em></p><p>The regulation requires a FHLBank to consider <em>embedded options</em> in advances when establishing advances pricing.&#160; However, the underlying principle of Bank advance pricing reflecting the marginal cost to the Bank of creating the product extends to other aspects of the advance and accompanying derivatives the Bank may offer the member.&#160; For example, if the Bank offers the member a cap on the rate of an advance, the Bank should document and incorporate in the advance price the cost of obtaining that cap offered to the member for the advance.&#160; A Bank should ensure that its advances pricing incorporates the cost of derivatives when they are associated with advances offerings.&#160; </p><p><span style="text-decoration&#58;underline;"><strong><em>Effective Date</em></strong></span></p><p>The FHLBanks should apply the guidance in this Advisory Bulletin, where possible and as appropriate, by January 1, 2019.&#160; FHFA understands that adjustments to systems and processes and model validations may, in some cases, take additional time.&#160; Notwithstanding, FHFA will continue to assess compliance with applicable regulatory requirements through ongoing 
supervision and examination processes.</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;">Advisory bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, the Office of Finance, Fannie Mae, and Freddie Mac.&#160; Questions may be directed to <a href="mailto&#58;SupervisionPolicy@fhfa.gov"><span style="text-decoration&#58;underline;">SupervisionPolicy@fhfa.gov</span></a>. </td></tr></tbody></table><p style="text-align&#58;justify;">…</p><p style="text-align&#58;justify;"><span style="text-decoration&#58;underline;">[1]</span> 12 CFR 1266.5(b)(1).&#160; The advance pricing minimum does not apply to a Bank's CICA programs or any other advances programs that are volume limited and specifically approved by the Bank's board of directors.&#160; Volume limited programs are generally associated with disaster relief efforts.&#160; 12 CFR §&#160;1266.5(3).</p><p style="text-align&#58;justify;"><span style="text-decoration&#58;underline;">[2]</span> These pricing requirements apply to advances to housing associates, as well as to members.&#160; 12 CFR §&#160;1266.17(c)(2).&#160; </p><p style="text-align&#58;justify;"><span style="text-decoration&#58;underline;">[3]</span> In this Advisory Bulletin, “FHLBank-issued debt&quot; is defined as debt actually issued 
by the FHLBanks, swapped versions thereof, and pricing indications for FHLBank debt provided by the Office of Finance.</p><p><a href="file&#58;///C&#58;/Users/greenleer/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/81T8S0BH/AB%202018-03%20Advisory%20Bulletin%20on%20Advances%20Pricing.docx"><span style="text-decoration&#58;underline;">[4]</span></a> Examiners will assess the safety and soundness of the FHLBank's funding and hedging strategy separately.</p><p style="text-align&#58;justify;"><a href="file&#58;///C&#58;/Users/greenleer/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/81T8S0BH/AB%202018-03%20Advisory%20Bulletin%20on%20Advances%20Pricing.docx"><span style="text-decoration&#58;underline;">[5]</span></a> Note that the regulation requires reference to the marketplace for the cost of issuing debt with terms that mirror those of the advance, but does not require consideration of actual funding choices or the actual use of other sources of funds such as capital.</p><p style="text-align&#58;justify;"><a href="file&#58;///C&#58;/Users/greenleer/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/81T8S0BH/AB%202018-03%20Advisory%20Bulletin%20on%20Advances%20Pricing.docx"><span style="text-decoration&#58;underline;">[6]</span></a> The regulation requires that a FHLBank price advances above the cost of funds, as determined by the price of matching debt.&#160; However, the regulation does not prohibit a FHLBank from using a more expensive cost of funds to determine prices.&#160; The spread above the more expensive cost of funds will necessarily exceed the required cost of funds.&#160; The Bank may choose a more expensive cost of funds in the case where it is more easily measured than the required cost of funds.</p>
FHLBank Use of Models and Methodologies for Internal Assessments for Mortgage Asset Credit Risk | 19302 | FHL Banks | 4/26/2018 4:00:00 AM | AB 2018-02
<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>ADVISORY BULLETIN</strong></p><p> <strong>AB 2018-02</strong><br></p><p> <strong>FEDERAL HOME LOAN BANK USE OF MODELS AND METHODOLOGIES FOR INTERNAL ASSESSMENTS OF MORTGAGE ASSET CREDIT RISK</strong><br></p></td></tr></tbody></table><p> <br> </p><p> <span style="text-decoration&#58;underline;"> <strong> <em>Purpose</em></strong></span></p><p>This Advisory Bulletin provides Federal Housing Finance Agency (FHFA) guidance for Federal Home Loan Bank (Bank) use of models and methodologies to assess credit risk associated with mortgage assets, including Acquired Member Asset (AMA) mortgage pools, mortgage-backed securities (MBS), and collateralized mortgage obligations (CMOs), as required by FHFA regulations.&#160; This guidance supplements more general guidance issued by FHFA on model risk management by describing minimally acceptable criteria in selecting a mortgage asset credit risk model and the associated input of a macroeconomic stress scenario to be used in assessing mortgage asset credit risk.<a href="#footnote1">[1]</a><br></p><p>As applied to Bank acquisitions of AMA, the guidance provides criteria that a Bank should consider when selecting a mortgage asset credit risk model to use to document its compliance with the requirement imposed by 12 CFR §&#160;1268.5(f).&#160; The AMA rule requires that a Bank shall use an appropriate model and methodology for estimating the amount of credit enhancement for an asset or pool.&#160; &#160;&#160;<br></p><p>As applied to Bank investments in MBS and CMOs, the guidance provides criteria a Bank should consider when selecting and using a mortgage asset credit risk model and stress test to document its determination that the credit risk associated
with such assets is consistent with those assets being deemed to be of &quot;investment quality,&quot; as is required by 12 CFR §§&#160;1267.1 and 1267.3(a)(3).&#160; &#160;&#160;<br></p><p> <span style="text-decoration&#58;underline;"> <strong> <em>Effective Date</em></strong></span></p><p>Effective January 1, 2019, FHFA will consider a Bank's use of models and methodology for internal assessments of mortgage asset credit risk to be satisfactory if the Bank's use of models and methodology meets the criteria described in this Advisory Bulletin.</p><p> <br> </p><p> <span style="text-decoration&#58;underline;"> <strong> <em>Background</em></strong></span></p><p> <span style="text-decoration&#58;underline;">AMA Model and Methodology Requirement</span></p><p>In July 2000, the Federal Housing Finance Board (Finance Board) adopted a regulation governing the Banks' mortgage acquisitions – the AMA rule.&#160; The rule established that for each AMA product, the Banks shall have a credit risk-sharing (enhancement) structure with the member participating financial institution to enhance the credit quality of the pool of loans to at least that of a Nationally Recognized Statistical Rating Organization (NRSRO) equivalent of investment grade, <em>i.e.,</em> triple-B or better.<a href="/SupervisionRegulation/AdvisoryBulletins/Pages/FHLBank-Use-of-Models-and-Methodologies-for-Internal-Assessments-for-Mortgage-Asset-Credit-Risk.aspx">[2]</a>&#160; The AMA rule also required that Banks determine the amount of the member-provided credit enhancement by using a methodology that is confirmed in writing by an NRSRO to be equivalent to one that an NRSRO would use in rating a comparable pool of assets.<a href="#footnote3">[3]</a>&#160; In December 2016, FHFA amended the AMA rule primarily to remove references to NRSROs.<a href="#footnote4">[4]</a>&#160; Consequently, FHFA replaced the requirement that the methodology to determine the credit enhancement be equivalent to that used by an
NRSRO with a more general requirement that the Bank use a model and methodology that it determines to be appropriate.&#160; The amount of the credit enhancement determined by the Bank's model and methodology, however, must result in the pool or asset being at least &quot;AMA investment grade.&quot;&#160; 12 CFR §&#160;1268.5(a), (b).&#160; For an item to be AMA investment grade, the Bank must have determined, based on a documented analysis, that it has a high degree of confidence &quot;that it will be paid principal and interest in all material respects, even under reasonably likely adverse changes to expected economic conditions.&quot;&#160; <em>Id.</em> at §&#160;1268.1.&#160; The regulations further require a Bank, upon request, to provide FHFA information about its model and methodology, and reserved to FHFA the right to direct a Bank to make changes to its model and methodology. &#160;<em>Id. </em>at §&#160;1268.5(f).&#160; <br></p><p> <span style="text-decoration&#58;underline;">Mortgage-related Securities</span></p><p>Banks are separately authorized to acquire other types of investments, including MBS and CMOs.&#160; Until 2014, the regulations had required that such acquisitions have an NRSRO credit rating of investment grade, <em>i.e.,</em> triple-B or better.&#160; FHFA amended the regulation to remove all references to NRSROs and NRSRO credit ratings, and to require instead that such instruments be of &quot;investment quality.&quot;&#160; 12 CFR §&#160;1267.3(a)(3).&#160; The term &quot;investment quality&quot; refers to a determination by a Bank, based on a documented analysis, that full and timely payment of principal and interest is expected, and that adverse changes in economic and financial conditions during the projected life of the instruments will only cause minimal risk of such payments not occurring.&#160; <em>Id.</em> at 1267.1.&#160; Although the investment regulations do not specifically set any requirements as to the model or methodology a 
Bank should use to make that determination, FHFA expects that Banks will use their models and methodologies in a similar manner when assessing the credit quality of both AMA and mortgage-related securities.&#160; </p><p> <span style="text-decoration&#58;underline;">Due Diligence in Acquiring Mortgage Assets</span></p><p>Beyond those specific regulatory requirements, Banks also should assess the market and credit risks associated with any asset they may acquire, for prudential reasons.<a href="#footnote5">[5]</a>&#160; With respect to the credit risk of mortgage assets, including MBS and CMOs, FHFA expects that a Bank would make those assessments based on its own analyses, rather than by relying solely on a credit rating provided by an NRSRO or other third party vendor.&#160; The accepted practice within the mortgage industry for making such an assessment of credit risk is to use a mortgage asset credit risk model and any other models that might be necessary to account for credit enhancements, such as those provided through a CMO subordination structure.&#160;&#160;</p><p style="text-decoration&#58;underline;"> <strong style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;"> <em>Scope</em></strong></p><p>The Advisory Bulletin applies to Banks that acquire AMA loans or any other single-family residential mortgage assets, MBS, or CMOs.&#160; Mortgage-related assets that are guaranteed as to the payment of principal and interest by the United States government or by an entity that is operating with capital support or other form of direct assistance from the United States government, currently including Fannie Mae and Freddie Mac, are considered by FHFA to present zero credit risk and, therefore, are excluded from the scope of this Advisory Bulletin.&#160; Certain legacy mortgage-related assets for which a Bank can demonstrate a <em>de minimis</em> credit risk also are excluded from the scope of this Advisory Bulletin.&#160; The criteria for 
excluding such assets are described below.<br></p><p> <span style="text-decoration&#58;underline;"> <strong> <em>Guidance</em></strong></span></p><p>In order to be reasonably assured that they can accurately assess the credit risk associated with their mortgage-related investments, the Banks should use a mortgage asset credit risk model that is sufficiently robust to produce meaningful loss estimates. &#160;Mortgage asset credit models are commonly used to assess credit risk at the loan level.&#160; Such models account for a wide variety of risk factors, including both underwriting information and macroeconomic scenarios.&#160; The underwriting information generally includes borrower information (<em>e.g.,</em> credit score, owner or investor, debt-to-income ratio) and loan specific information (<em>e.g.,</em> interest rate, loan-to-value ratio, loan size, loan age).&#160; The macroeconomic scenarios generally include house price and interest rate scenarios extending out for the life of the loans.&#160; Credit enhancements, such as insurance, recourse structures, or subordination, are typically accounted for through a separate model or exercise applied to the initial estimates of credit loss.&#160; FHFA would consider a mortgage asset credit model that meets the criteria described below as able to produce results that could satisfy the regulatory requirements. 
<br></p><p> <span style="text-decoration&#58;underline;">Selecting a Mortgage Asset Credit Risk Model</span></p><p>A Bank should select a credit risk model that is capable of producing loan-level estimates of potential credit loss, and that can accept as an input user-defined macroeconomic stress scenarios disaggregated to at least the state level.&#160; Such models are made available by third-party vendors and are commonly used by mortgage market participants.&#160; Available vendor-supplied credit models, however, may differ in model structure and, importantly, in the historical data sets used to estimate the model coefficients, all of which can result in differences in estimates of prepayment speeds and credit loss for an identical pool of loans.&#160; Consequently, the Bank should consider, for example, selecting a model constructed using data from loans generally similar to those typically acquired by the Bank, such as conforming loans.&#160; Alternatively, a Bank, or consortium of Banks, could develop and administer a similarly capable credit risk model.<a href="#footnote6">[6]</a>&#160; <br></p><p> <span style="text-decoration&#58;underline;">Macroeconomic Scenarios</span></p><p>A Bank should ensure that its model includes appropriate macroeconomic stress scenarios.&#160; The scenarios incorporated into a mortgage asset credit risk model should include several key factors that will affect the borrowers' prepayment decisions and their ability to make timely payment of principal and interest, as such factors will affect the probability of default.&#160; At a minimum, the key factors should include projected paths of house price levels and interest rates.<a href="#footnote7">[7]</a>&#160; The most important factor affecting credit loss estimates is the level of house prices because a change in the value of the property that secures a mortgage loan will not only affect the probability of default, but also, and more importantly, is the principal risk factor
affecting estimates of the loss-given-default on mortgage loans.&#160; <br></p><p>If a borrower defaults on the loan when the market value of the property that secures it is greater than the remaining amount of the loan (plus transaction costs), then typically the property can be sold to repay the loan at little or no loss to the mortgage holder.&#160; Consequently, credit loss (loss-given-default) on a mortgage loan will generally occur only in locations where, subsequent to origination, house price levels have fallen in nominal terms.&#160; The model's scenarios also should allow for different house price paths by geographic location because house price appreciation and depreciation can vary, and historically have varied, significantly across geographic regions, including at the state and MSA levels.&#160; For example, a defaulted loan in a location where house price levels have fallen may result in significant credit loss while an otherwise identical defaulted loan, at the same moment in time but in a different location where house price levels have been stable, may not generate a loss.&#160; So, while a credit model should identify loans that, because of borrower or loan risk factors, are at a high risk of default, whether those defaults would result in credit losses will depend on the movement in house prices.<br></p><p>Macroeconomic scenarios used in credit risk models are typically either baseline or stress scenarios.&#160; A baseline scenario can be used when estimating expected losses.&#160; Estimates of expected loss are used for purposes of mortgage asset pricing, and for determining the member's risk-sharing obligations, as required in AMA programs.<a href="#footnote8">[8]</a> &#160;In generating a baseline scenario, common practice is to project house price and interest rate paths that revert to anticipated long-run trend levels and growth rates, and either cycle about or remain at such trends for the duration of the loans. 
&#160;Historical data typically are used to generate such trends.&#160; The house price component of the baseline scenario, as represented by a house price index (HPI), should be disaggregated to at least the state level, and not at the national level.&#160; The interest rate component can be determined at the national level.<br></p><p>A stress scenario is used when estimating stress losses.&#160; A Bank can use stress-loss estimates to determine an appropriate level of economic capital that should accompany any asset purchase.<a href="#footnote9">[9]</a>&#160; A Bank should establish an appropriate level of economic capital when determining whether a particular investment is permissible.&#160; It also should do so when conducting its due diligence in connection with any asset acquisition.&#160; As with the baseline scenario, the HPI component of the stress scenario should be disaggregated to at least the state level, and not at the national level.&#160; The interest rate component can be determined at the national level.&#160; <br></p><p> <span style="text-decoration&#58;underline;">Determining a Stress Scenario</span></p><p>Determining the HPI path for a stress scenario is particularly challenging because the scenario should anticipate the degree to which HPI could fall from its current levels, which is not always bounded by historical precedent. 
&#160;For example, as observed during the prior financial crisis, HPI in certain states fell from its peak by a greater percentage than had occurred previously, based on all available HPI data.&#160; In seeking to address that possibility, FHFA has developed an approach that demonstrates how economic fundamentals can be used to support a rules-based methodology for determining stress scenarios that dynamically adjust the severity of the HPI shock to current market conditions, and that, as unprecedented current conditions might one day warrant, could result in HPI shocks more severe than any observed historically.&#160; <br></p><p>FHFA makes its stress scenarios publicly available on a quarterly basis.<a href="#footnote10">[10]</a>&#160; The FHFA stress scenarios meet all of the following criteria&#58;&#160; <br></p><ul><li>The methodology to determine the HPI path is rules-based or objectively determined, not discretionary, which ensures that it will be consistently applied across time and region.&#160; </li><li>The HPI downward shock is determined on a regional (state or MSA) basis.</li><li>The HPI downward shock is based on economic fundamentals that are reflective of current market conditions relative to long-term trend, such that it results in stress-loss estimates applicable to new acquisitions that are increasing as HPI rises further above its long-term trend, and decreasing as HPI falls to or below its trend.</li><li>The downward path of the HPI shock begins on day one of the scenario and reaches its lowest point in real terms no later than three years beyond day one of the scenario.&#160; Such a pattern should ensure that the Bank would know the potential stress losses, or the full amount of economic capital the mortgage asset should ever require, as of the day the Bank acquires it.</li><li>The depth of the HPI shock shall extend to a proportion below long-run trend that at least equals the lowest such proportion observed for that geographic region during 
the prior 40 years.</li><li>The interest rate shock reflects Federal Reserve Board policy as applied during the prior financial crisis, and applied at the national level.&#160; In effect, rates decline over a short period to very low levels and then remain at the lower level for a number of years.<br></li></ul><p>For purposes of determining an appropriate amount of economic capital, and to adhere to Advisory Bulletin 2013-07, a Bank may elect to use the FHFA methodology or stress scenarios in assessing the credit risk associated with its mortgage-related assets.&#160; Alternatively, a Bank may develop its own methodology and stress scenarios.&#160; If a Bank does so, however, FHFA expects the Bank's methodology to be consistent with that described herein, and that the shocks used would be no less severe at the state level than under the FHFA scenarios.&#160; A Bank that develops its own methodology also should be able to demonstrate that the loss estimates for its current book of mortgage-related assets produced by the Bank's own stress tests are at least as severe on a state-by-state basis as those produced using the FHFA stress scenarios.<br></p><p> <span style="text-decoration&#58;underline;">Credit Enhancements</span></p><p>Mortgage assets of all types can be credit-enhanced through a variety of means, including insurance, recourse arrangements, and subordination as it may be structured in a CMO.&#160; Such credit enhancements serve to reduce the Bank's exposure to credit risk.&#160; Consequently, a Bank should subtract from its estimates of expected and stress credit losses any amounts that the Bank can reasonably expect to receive as compensation for such credit losses from its various credit enhancement arrangements.&#160; In assessing what amounts of credit enhancements a Bank may reasonably expect to receive, the Bank should take into consideration the creditworthiness of any counterparty providing the credit enhancement, the extent to which the credit 
enhancement may be secured, and the waterfall of payment priorities embedded in the credit enhancement arrangement, such as in a subordination structure.&#160; <br></p><p> <span style="text-decoration&#58;underline;">Exclusion of Certain Legacy Private Label MBS</span><span style="text-decoration&#58;underline;">&#160; </span></p><p>Certain of the Banks continue to own small portfolios of privately issued mortgage-backed securities (Private Label MBS), most of which were acquired prior to 2008.&#160; For those Banks, the costs associated with modeling those assets in accordance with this Advisory Bulletin may outweigh the benefits likely to result from doing so.&#160; For that reason, this Advisory Bulletin allows a Bank to exclude its Private Label MBS from the scope of this guidance if the Bank can demonstrate that the stress loss estimates for the portfolio would be <em>de minimis.</em> &#160;FHFA will regard stress loss estimates as <em>de minimis</em> by reference to either of two thresholds.&#160; First, the stress loss estimates for a Bank's Private Label MBS portfolio may be <em>de minimis </em>if the current unpaid principal balance of that portfolio is less than 10 percent of the Bank's current permanent capital.&#160; Second, the stress loss estimates may be <em>de minimis</em> if the Bank, using the methodology described in this bulletin, has estimated that the stress losses associated with the Private Label MBS portfolio are less than two percent of the Bank's current permanent capital.&#160; A Bank that can demonstrate either measure is below the corresponding threshold may reasonably assume a zero credit risk exposure, and thus a zero economic capital charge for that portfolio.&#160; For purposes of this paragraph, the term Private Label MBS includes only those instruments owned by a Bank as of the date of this Advisory Bulletin.&#160; <br></p><p> <span style="text-decoration&#58;underline;">Determining Estimated Losses for Securities that Cannot Be 
Modeled</span></p><p>If a Bank owns a mortgage-related security for which the underlying loan-level data needed to model the stress losses in accordance with this Advisory Bulletin is either insufficient or unavailable, the Bank may use a proxy to estimate the credit losses associated with that security.&#160; One approach to estimating those losses would be to determine whether the mortgage loans underlying the security and the structure of the security are similar to any other mortgage-related securities that the Bank owns and for which sufficient loan-level data is available to model.&#160; In that case, a Bank could model the estimated loss percentage (of unpaid principal balance at origination) for each of those other similar securities and then use an average of those estimated loss percentages as a proxy for the security for which sufficient data is lacking, even if doing so resulted in an estimate of zero credit losses for the security.&#160; If, however, a Bank does not own any mortgage-related securities with loan pools and security structures that are similar to the data-deficient security, it could use any other mortgage-related securities that it owns and for which sufficient loan-level data is available to develop an alternative proxy.&#160; In that case, a Bank could calculate the average of all of the non-zero estimated credit loss percentages for those other securities and use that average as a reasonable estimate of the credit loss percentage associated with the data-deficient security.&#160; </p><p>______________________________________<br><a name="footnote1">[1]</a> See FHFA <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/AB-2013-07-Model-Risk-Management-Guidance.aspx">Advisory Bulletin 2013-07</a>, &quot;<em style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;font-weight&#58;400;">Model Risk Management Guidance</em>&quot;.<br></p><p> <a name="footnote2">[2]</a> 65 Fed. Reg. 
43969 (July 17, 2000).&#160; </p><p> <a name="footnote3">[3]</a> 12 CFR 955.3(a) (2001).&#160; </p><p> <a name="footnote4">[4]</a> 81 Fed. Reg. 91674 (Dec. 19, 2016).&#160; FHFA amended the AMA rule to comply with Section 939A of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, which requires federal agencies to remove from regulations all references to, or requirements based on, ratings issued by NRSROs.</p><p> <a name="footnote5">[5]</a> Specifically, like any financial institution, each Bank should assign and provide for sufficient economic capital to ensure solvency of the Bank aside from regulatory capital requirements.</p><p> <a name="footnote6">[6]</a> As an example, see &quot;FHFA Mortgage Analytics Platform,&quot; a white paper released by FHFA on July 10, 2014, located at&#58;&#160;&#160; <a href="/PolicyProgramsResearch/Research/PaperDocuments/FHFA_MortgageAnalyticsPlatform_Whitepaper.pdf">https&#58;//www.fhfa.gov/PolicyProgramsResearch/Research/PaperDocuments/FHFA_MortgageAnalyticsPlatform_Whitepaper.pdf</a>&#160; </p><p> <a name="footnote7">[7]</a> Some mortgage asset credit risk models also accommodate including projections of GDP and/or unemployment in the macroeconomic scenario.&#160; FHFA research has found that, as long as HPI paths are included, also including projections of GDP and unemployment will add little to the stress loss estimates, and therefore is not necessary.&#160;&#160; </p><p> <a name="footnote8">[8]</a> AMA participating financial institutions must bear the direct economic consequences of actual credit losses for AMA assets sold to the Banks from the first dollar of loss up to the amount of expected losses, or immediately following expected losses in an amount equal to or exceeding expected losses.
See 12 CFR § 1268.5 (c)(1)(i).</p><p> <a name="footnote9">[9]</a> Economic capital is calculated internally by the entity and is the amount of risk capital needed to ensure the survival of the firm in a stress or worst-case scenario.&#160; It is meant to be the firm's own view of a realistic measure of risk, and could be greater or less than regulatory risk-based capital requirements.</p><p><a name="footnote10">[10]</a> The scenarios and working papers that describe the economic-based methodology used to derive the scenarios are available at&#58;&#160; <a href="/DataTools/Downloads/Pages/Countercyclical-Stress-Paths.aspx">https&#58;//www.fhfa.gov/DataTools/Downloads/Pages/Countercyclical-Stress-Paths.aspx</a><br></p> <br> <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>Advisory bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks. Questions may be directed to<a href="mailto&#58;SupervisionPolicy@fhfa.gov"> SupervisionPolicy@fhfa.gov</a>.<br></p></td></tr></tbody></table><br>
Scenario Determination for Market Risk Models Used for Risk-Based Capital | 19313 | FHL Banks | 2/7/2018 5:00:00 AM | AB 2018-01
<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>ADVISORY BULLETIN</p><p>AB 2018-01<br></p><p>SCENARIO DETERMINATION FOR MARKET RISK MODELS USED FOR RISK-BASED CAPITAL<br></p></td></tr></tbody></table><p> <br> </p><p> <strong style="text-decoration&#58;underline;"> <em>Purpose</em></strong><br></p><p>This Advisory Bulletin (AB) provides Federal Housing Finance Agency (FHFA) guidance for Federal Home Loan Bank (Bank) determinations of market risk scenarios that are incorporated into the Banks’ internal market risk models, as required under the market risk capital requirement of the risk-based capital regulation.<a href="#footnote1">[1]</a> This guidance supersedes both Advisory Bulletin 03-10, Guidance on Value-at-Risk Modeling, October 06, 2003 (as modified on July 22, 2016), and Revised Technical Guidance for Calculation of Market Risk Capital Requirement, April 25, 2013, both of which are hereby rescinded, effective as of November 1, 2018.<br></p><p>The capital regulation requires that a Bank’s internal model use market risk scenarios that meet certain minimum requirements. Such scenarios must be satisfactory to FHFA, be historically-based, and represent changes in market environments observed over 120 business-day periods that are drawn from the period that starts at the end of the previous month and that goes back to 1978. The shocks are to be applied to the current market environment.
Prior guidance has authorized the Banks to apply the historically observed changes in market environments as either proportional (percentage) shocks or “haircut” shocks (as described in AB 03-10), and to exclude scenarios that draw upon pre-1992 data (as described in the Revised Technical Guidance).</p><p>In light of recent methodological developments by FHFA for determining market risk scenarios, FHFA has determined that the continued use of either proportional shocks or haircut shocks to the Banks’ internal market risk models will no longer be deemed to be satisfactory to FHFA, as required by the regulation. Instead, FHFA will now consider as satisfactory the application of absolute shocks that are subject to appropriate constraints that are designed to ensure the plausibility of the scenarios. As described below, a Bank may choose from any of the following three options&#58; (1) use the scenarios provided by FHFA that already incorporate such constraints; (2) use the methodology developed by FHFA to implement such constraints; or (3) develop and apply a Bank version of a methodology and constraints, which must be subject to FHFA review. Given that the scenarios must be representative of periods of the greatest market stress, and that&#160;the 2008 financial crisis represents those periods, the guidance also allows Banks to exclude scenarios that draw upon pre-1998 data.<br></p><p> <br> </p><p> <strong style="text-decoration&#58;underline;"><em>Background</em></strong></p><p> <span style="text-decoration&#58;underline;">Overview</span><br></p><p></p><p>In January 2001, the Federal Housing Finance Board (Finance Board) adopted a regulation governing the Banks’ risk-based capital requirements, which included a market risk requirement.
The rule established criteria to which a Bank must adhere in generating historically-based market risk scenarios to incorporate into the Bank’s internal market risk model.</p><p>The rule requires the Banks to generate scenarios that represent changes in market interest rates, interest rate volatility (volatility), and the shape of the yield curve equivalent to those observed over 120 business-day periods of market stress going back to 1978. To do so, the Banks must measure historical changes in rates (including volatility and curve shape), and apply them as shocks to the current rate environment. There are two basic approaches for doing this&#58; either by converting the historical rate changes to proportional changes (shocks) and then imposing the proportional shocks on the current rates; or by applying the absolute measure of changes in historical rates as shocks to the current rates.</p><p>One advantage of the proportional shock approach is that it cannot result in scenarios with implausible negative rates, whereas absolute shocks could do so when current rates are lower than the scenario historical rates. Under those same circumstances, however, converting a historical shock to a proportional shock may mute the shock to an extent that it is not very stressful, and hence not meaningful in assessing risk. In a similar fashion, should current interest rates well exceed the scenario historical rates, converting the shock to a proportional shock may effectively amplify the shock to be unreasonably stressful. Scenarios based on historical absolute rate changes are not amplified or muted. Thus, absolute shocks are not a concern in a high current rate environment.<br></p><p> <span style="text-decoration&#58;underline;">Finance Board Permissions</span><br></p><p></p><p>In 2001, the Finance Board lacked a robust method to address the disadvantages of both the proportional and absolute shock approaches. 
Because interest rates in 2001 were not excessively high or low by historical standards, the Finance Board allowed that the disadvantages of using proportional shocks would be minimal for some time and, therefore, permitted the Banks to apply that approach. In 2002, the Finance Board developed the haircut method, intending to address potential disadvantages of both the proportional and absolute shock approaches, and permitted the Banks to apply that approach as an alternative to the proportional shock approach.</p><p>Recent developments have given FHFA reason to revisit its previous determinations that the use of the proportional and haircut shock approaches would be satisfactory means of generating the scenarios that are needed to comply with the market risk regulation. Specifically, the extended period of very low current interest rates has made more apparent the disadvantages of using the proportional shock approach. Also, FHFA has reviewed updated estimates of the statistical relationships that underlie the haircut method, and found them to be only weakly significant at&#160;best, suggesting that the haircut shock approach also may be deficient. Contemporaneously with these developments, FHFA has devised a new approach, based on parsimonious factorization (PF), to address the potential disadvantages, and hence the viability, of using the absolute shock approach. 
FHFA staff working papers on the PF approach are available on the FHFA website and published in peer reviewed professional journals, and provide the reasoned basis for the approach FHFA is taking in this guidance.<a href="#footnote2">[2]</a><br></p><p> <br> </p><p></p><p style="text-decoration&#58;underline;"> <strong><em>Scope</em></strong></p><p>This Advisory Bulletin applies only to the Banks.<br></p><p> <br> </p><p> <strong style="text-decoration&#58;underline;"><em>Guidance</em></strong></p><p></p><p style="text-decoration&#58;underline;"> Interest Rate and Market Price Scenario Construction</p><p></p><p>FHFA is rescinding AB 03-10 and will no longer deem the use of proportional or haircut measures of historical interest rate shocks to be satisfactory methods of generating the scenarios needed to comply with the market risk capital requirement. Subsequent to November 1, 2018, FHFA will consider interest rate and market price scenarios that a Bank incorporates into its internal market risk model to be satisfactory if they meet the following criteria&#58; (1) the scenarios are based on historical absolute interest rate changes, as applied to current interest rates; (2) the historical shocks represent changes in interest rates and market conditions observed over 120 business-day periods, and the methodology to apply those shocks to current interest rates incorporates the constraints described herein; (3) the scenarios encompass shocks to interest rate volatility that reflect the historical relationship between interest rates and volatility; and (4) for assets backed by residential mortgage loans,<a href="#footnote3">[3]</a> the scenarios include shocks to option-adjusted spreads (OAS).</p><p>Each calendar quarter, FHFA will generate scenarios using the PF method and will make those scenarios available to the Banks. In addition, FHFA will provide the associated computer code to any Bank upon request. 
Thus, a Bank may either use the FHFA generated scenarios, or may use the FHFA code to generate its own scenarios for its market risk model. Alternatively, a Bank may develop its own methodology to generate the scenarios, provided that the Bank first demonstrates to FHFA that its approach also is based on absolute measures of historical shocks and includes appropriate constraints to ensure that the resulting scenarios are plausible and maintain the integrity of the historical shock in a manner that is similar to shocks produced using&#160;the PF method, and are therefore reasonable ways to implement the requirements of the regulation.<br></p><div><p style="text-decoration&#58;underline;"> Constraints to Ensure Scenario Plausibility</p><p>Stress test scenarios must represent plausible market conditions if they are to be used to estimate meaningful risk-based capital requirements. Because any method used to generate absolute shocks could produce scenarios with implausible characteristics, such as negative nominal rates, negative forward rates, and unlikely spreads between government and non-government rates, such methods must include appropriate constraints on the generation of the absolute shocks to eliminate such implausible outcomes. Such constraints, however, also should be designed in such a manner that they do not undermine the integrity of the historical representation of the interest rate shock. The PF method achieves both of those objectives because it accommodates the imposition of such constraints with only minimal effects on the integrity of the historical representation of the shock. 
The PF method achieves this outcome because it embeds the constraints to be considered simultaneously with the generation of the shock, rather than imposing the constraints as follow-on corrections to the shock.<br></p><p style="text-decoration&#58;underline;"> Relevant Historical Observations</p><p>The current capital regulation provides that “the relevant historical observations should be drawn” from a period that begins in 1978. In 2001, when the rule was written, it was necessary to go back that far to ensure that the periods of the greatest potential market stress were included in the market risk scenarios. In 2013, FHFA permitted the Banks to use historical observations that began in 1992, reasoning that, since the 2008 financial crisis, scenarios drawing from market events of the 1980s no longer represented periods of the greatest market stress. That action was consistent with the requirement in the capital regulation that both the number of historical observations and the specific observations shall be satisfactory to FHFA. More recently, FHFA has concluded that historical data prior to 1998 lacks some of the key elements currently used to generate stress scenarios. For example, information pertaining to interest rate caps and floors, which currently is used in calculating volatility shocks, is not widely available for time periods prior to 1998. Moreover, FHFA has determined that post-1997 data is sufficient to produce appropriately robust scenarios. 
Consequently, FHFA will consider as satisfactory any historical observations drawn from the period that starts at the end of the month preceding the calculation date and goes back to the beginning of 1998.<br></p><p style="text-decoration&#58;underline;"> Scenario Sampling</p><p>FHFA is mindful of the operational burdens that may be associated with incorporating all of the scenarios from the relevant historical period into the market risk models, and believes that it would be possible for a Bank to use an appropriately selected sample of those scenarios without compromising the quality of the model’s results. Accordingly, this bulletin will allow the Banks the option of using a sampling of scenarios to be identified by FHFA in lieu of using all of the scenarios from the relevant historical period. Periodically, FHFA will identify at least 100 historical scenarios that FHFA believes represent the most stressful shocks to market conditions, and will provide that information by letter to the Banks. FHFA will consider any market risk&#160;model that incorporates all of those historical scenarios to be satisfactory, for purposes of the market risk capital regulation. A Bank also may include scenarios of its choosing in addition to those identified by FHFA.<br></p><div><p style="text-decoration&#58;underline;"> One Percent Probability of Loss</p><p>The current regulation states that the market risk capital requirement shall equal the estimate of the market value of the Bank’s portfolio at risk, such that the probability of a loss occurring that would be greater than the estimated loss shall be no more than one percent.<a href="#footnote4">[4]</a> The Finance Board recognized that because the scenarios are historically based, the distribution of outcomes cannot be known with certainty, and thus there is no way for a Bank to mathematically identify a number representing any given percentile of the distribution. 
Consequently, the Finance Board allowed the Banks to use the outcome that was associated with the scenario that was closest to the 99th percent worst scenario, in terms of rank order, as a proxy for the one percent requirement. That approach, however, would become problematic if used in connection with scenario sampling, as described above. That approach also effectively ignores information on market risk that would be contained in the tail of the distribution of outcomes. To address those shortcomings, FHFA is replacing the existing method of calculating the proxy for the one percent requirement with a method that is based on an average of worst outcomes. Accordingly, FHFA will deem a Bank’s stress scenarios to be satisfactory if a Bank sets its proxy requirement based on an average of the five worst (tail) outcomes, and will not consider the previous rank-order proxy approach to be a reasonable implementation of the regulation. Periodically, FHFA will inform the Banks by letter whether and what weights are reasonable to apply to the tail outcomes in determining the average.</p><p style="text-decoration&#58;underline;"> Stability of Implementation Considerations</p><p>A Bank’s market risk management is informed not only by estimates of potential losses, but also by the trend or movement in those estimates over time. Discerning such trends is made more difficult if key aspects of the methodology are adjusted frequently or significantly over time. Such key aspects of the methodology would include, for example, the size or composition of the sample scenarios to be identified by FHFA and the method used to set the one percent probability of loss requirement based on the scenario outcomes. 
Consequently, FHFA will endeavor to make such adjustments only infrequently and will notify the Banks at least one full calendar quarter prior to implementing any such adjustments, unless supervisory considerations require FHFA to implement the adjustments on shorter notice.<br></p><p> <br> </p></div></div><p></p><hr width="25%" align="left" /><p><a name="footnote1">[1]</a> See 12 CFR § 932.5 (b)(4). FHFA has issued a proposed rule which, if adopted as a final rule, would revise and relocate the market risk capital regulations to 12 CFR § 1277.5(b)(4).<br></p><p><a name="footnote2">[2]</a> See, Bogin, Alexander N. and Doerner, William M. &quot;Generating Historically-Based Stress Scenarios Using Parsimonious Factorization.&quot; Journal of Risk Finance, 15(5), 591-611, 2014. Originally published as FHFA Working Paper 13-02. <a href="http&#58;//www.emeraldinsight.com/doi/abs/10.1108/JRF-03-2014-0036">http&#58;//www.emeraldinsight.com/doi/abs/10.1108/JRF-03-2014-0036</a> . See also, Bogin, Alexander N., Doerner, William M., and Polkovnichenko, Nataliya, &quot;Overlooked Market Risk Shocks&#58; Prepayment Uncertainty and Option-Adjusted Spreads.&quot; Journal of Fixed Income, 26(2), 5-15, 2016. Originally published as FHFA Working Paper 15-03. <a href="http&#58;//www.iijournals.com/doi/abs/10.3905/jfi.2016.26.2.005">http&#58;//www.iijournals.com/doi/abs/10.3905/jfi.2016.26.2.005</a> .<br></p><p><a name="footnote3">[3]</a> For these purposes, the term “residential mortgage loans” includes those secured by both single-family and multi-family properties. Mortgage related assets that should be subject to the OAS shocks include&#58; (1) repos, if backed by TBAs, (2) AMA mortgage loans, (3) agency securities backed by MBS, CMO, DUS, and HECM loans, (4) State Housing Agency Bonds, and (5) private label mortgage-backed securities. 
The only other assets that should be subject to the OAS shocks are asset-backed securities representing interests in federally guaranteed student loans.<br></p><p><a name="footnote4">[4]</a> The estimated market value loss with a one percent probability is necessarily associated with a future time horizon over which the loss is expected to occur. Because the market risk shocks to be applied by the Banks are based on six-month changes in historical rates, six months is the appropriate time horizon for the Banks to use in the model validation process, especially back-testing. Back-testing value at risk models involves comparing estimated losses with the actual losses realized at the end of the specified time horizon. This comparison identifies periods where the model overestimates value at risk or where actual losses are greater than projected levels.<br></p><p> <br> </p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>Advisory bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters. For this Advisory Bulletin, contact your respective Examiner-in-Charge if you have questions or comments.<br></p></td></tr></tbody></table>2/14/2018 3:33:24 PM
Acquired Member Asset Price Risk Governance19344FHL Banks11/21/2017 5:00:00 AMAB 2017-03<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>ADVISORY BULLETIN</p><p>AB 2017-03<br></p><p>ACQUIRED MEMBER ASSET PRICE RISK GOVERNANCE<br></p></td></tr></tbody></table> <br> <p> <strong style="text-decoration&#58;underline;"> <em>Purpose</em></strong></p><p>This Advisory Bulletin provides Federal Housing Finance Agency (FHFA) guidance for Federal Home Loan Bank (FHLBank) Acquired Member Asset (AMA) price risk governance.<a href="#footnote1">[1]</a>&#160; It sets forth that a FHLBank should&#58; &#160;(1) estimate expected spread to funding; (2) establish minimum expected spreads; (3) adopt total portfolio and acquisition limits; (4) create controls; and (5) conduct board and management committee<a href="#footnote2">[2]</a> education and reporting. &#160;&#160;</p><p> <span style="text-decoration&#58;underline;"> <strong> <em>Background</em></strong></span></p><p> <span style="text-decoration&#58;underline;">Overview of AMA</span></p><p>In July 2000, one of FHFA's predecessor agencies, the Federal Housing Finance Board (Finance Board), adopted a regulation governing the FHLBanks' mortgage acquisitions – the AMA rule.&#160; In December 2016, FHFA amended the AMA rule primarily to remove references to Nationally Recognized Statistical Rating Organizations (NRSROs).<a href="#footnote3">[3]</a>&#160; FHFA made some other changes, clarified certain provisions, and moved the rule from part 955 to part 1268.&#160; At its core, the AMA regulation continues to require that all assets acquired as AMA must meet a three-part test – an asset requirement, a member or housing associate nexus requirement, and a credit risk-sharing requirement.&#160; </p><p>The Finance Board approved two AMA Programs&#58; &#160;the Mortgage Partnership Finance (MPF) program and the Mortgage Purchase Program (MPP).&#160; 
Under each of the approved AMA Programs, FHLBanks offer various AMA Products that allow members to sell mortgage loans to their respective FHLBank.<a href="#footnote4">[4]</a></p><p> <span style="text-decoration&#58;underline;">Description</span><span style="text-decoration&#58;underline;"> of </span><span style="text-decoration&#58;underline;">AMA </span><span style="text-decoration&#58;underline;">Price Risk</span></p><p>For purposes of this Advisory Bulletin, price risk associated with AMA (AMA price risk) is the risk that the <em>price</em> the FHLBank pays for an AMA mortgage loan is too high, i.e., the price is too high relative to its intrinsic value based on prevailing and forecasted market conditions at the time of acquisition.&#160; AMA price risk governance addresses the practices a FHLBank should employ, through management and controls, to mitigate its exposure to this risk.</p><p>The higher the price a FHLBank pays for an AMA asset, the lower its expected earnings will be, all else equal.&#160; If the expected yield net of risks, i.e., the &quot;expected yield on a risk-adjusted basis,&quot; is too low, a FHLBank may not earn enough to cover operating costs.&#160; A FHLBank's inability to cover operating costs may diminish its financial condition, and compromise its ability to generate sufficient earnings to pay dividends or augment retained earnings.&#160; </p><p>Estimating AMA risk-adjusted yields and spreads on mortgage loans is challenging because AMA mortgage loans are long-term assets with embedded prepayment options that make predicting cash flows difficult.&#160; A FHLBank purchasing mortgages must project prepayment speeds, which are a function of interest rates, the general economic climate, and idiosyncratic borrower behavior, all of which are hard to predict over the life of the mortgage.&#160; A FHLBank must also estimate potential disruptions or shortfalls in cash flows caused by credit risk events, taking into consideration the credit 
enhancement structures of each AMA Product. &#160;The consequences of inadequately estimating AMA spreads to funding can be significant given the long expected lives of mortgage assets. &#160;Additionally, as the FHLBank is setting prices, setting prices too high could spur increased volume and create the potential for decreased net earnings over a long period.&#160;&#160;&#160; </p><p> <span style="text-decoration&#58;underline;"><strong><em>Scope</em></strong></span></p><p>The guidance in this Advisory Bulletin applies to all loans newly acquired to be held in portfolio beginning on January 1, 2018.</p><p> <span style="text-decoration&#58;underline;"> <strong> <em>Guidance</em></strong></span></p><p>When managing AMA price risk, a FHLBank should use this Advisory Bulletin as a guide.&#160; This Advisory Bulletin provides guidance to evaluate AMA price risk, including establishing minimum expected spread for AMA pricing.&#160;&#160;<br>&#160;&#160; <span style="text-decoration&#58;underline;"></span></p><p> <span style="text-decoration&#58;underline;">Approaches to Estimate Expected Spread to Funding</span></p><p>Central to the management and governance of AMA price risk is having a sound estimate of expected<a href="#footnote5">[5]</a> net earnings on the mortgage assets, given the prices paid.&#160; FHLBanks use various approaches to estimate spreads when setting AMA prices.&#160; The approaches include&#58;</p><ul style="list-style-type&#58;disc;"><li>Basket of Liabilities.&#160; The simplest process to estimate expected spread to funding is to construct a basket of liabilities that partially offsets the interest rate risk of the AMA, and then to compare the AMA yield to the weighted-average liability yield.&#160; Though simple to construct and easy to interpret, the approach does not generate an accurate estimate of expected spread since the resulting spread is not risk-adjusted.&#160; </li></ul><ul style="list-style-type&#58;disc;"><li>Single-rate 
Scenario.&#160; The process uses a single rate scenario or a small set of static rate shocks, such as -100 bps, base case, +100 bps, and others to estimate spread.&#160; The resulting net spread estimate, however, does not constitute an &quot;expected&quot; spread for the funded asset. &#160;It only estimates the spread in the respective scenarios, and the results may vary significantly depending on the scenarios selected.</li></ul><ul style="list-style-type&#58;disc;"><li>Option-Adjusted Spread (OAS).<a href="#footnote6">[6]</a>&#160; A metric commonly used in the mortgage industry, and that the FHLBanks produce, that largely overcomes the above-mentioned shortcomings.&#160; It is an estimate of the risk-adjusted spread, also known as OAS, to funding.&#160; To capture the effect of the prepayment option embedded in the mortgage, FHLBanks generate a large number of interest rate paths (256 is the minimum number of paths in models commonly used by the FHLBanks).&#160; Generally, the distribution of the paths is a modeling assumption and, for arbitrage free models, is consistent with the market information provided by the current yield curve and option prices.<a href="#footnote7">[7]</a></li></ul><p>FHLBanks might use different methods to generate OAS to funding.&#160; The most straightforward method uses the consolidated obligation (CO) curve as the yield curve input to the model.&#160; Another method is to use a more liquid curve, such as LIBOR or Treasury, and then adjust the underlying curve for differences between the CO curve and the curve used.&#160; A third method is to assemble a risk-matching set of liabilities and to calculate a net OAS as the difference between mortgage OAS and the weighted-average funding OAS. <a href="#footnote8">[8]</a></p><p>FHLBanks should use a metric to assess expected spread to funding that is risk adjusted. 
&#160;The OAS approach appears to be the best available metric to meet this expectation; however, other measurements may be reasonably applied under certain conditions in conjunction with OAS. &#160;The FHLBanks should clearly define the gradation for estimating the expected spread (e.g., entire AMA portfolio, mortgage pool or master commitment, or by individual transaction). &#160;In determining the level of gradation, FHLBanks should consider volume of activity, risk appetite, and transparency.&#160; </p><p> <span style="text-decoration&#58;underline;">Minimum Expected Spreads for Pricing Guidance</span></p><p>A FHLBank should set mortgage acquisition prices to ensure the resulting expected spread to funding covers its costs and provides adequate compensation for the risks assumed, e.g., option, interest rate, credit, and model risks.&#160; The FHLBank's management committee should provide oversight, which includes approving and periodically reevaluating the minimum expected spread to funding target that guides AMA pricing.&#160; Additionally, the methodology employed for risk-adjusted spread estimation and the specific costs and risks associated with the acquisition of AMA should be documented.&#160; </p><p>The FHLBank should include a credit risk component in its AMA pricing, either within or in addition to the minimum spread. 
&#160;Cash flow disruption caused by credit risk events, while historically low for FHLBanks, occurs in all mortgage portfolios.&#160; Differing credit enhancement structures offered by the FHLBanks affect the timing of those disrupted cash flows.&#160; Therefore, the FHLBank should estimate a credit risk component for spread that is sufficient to compensate for credit risk across the array of AMA credit enhancement structures.<a href="#footnote9">[9]</a>&#160; A FHLBank may factor in the credit enhancement obligation (CEO) that participating financial institutions provide when estimating a credit risk component.&#160; In addition, the FHLBank should determine whether different CEO structures result in a different credit risk component.&#160; Finally, a credit risk component may mitigate the absence of loan level price adjustments that Fannie Mae and Freddie Mac employ to compensate for increased credit risk.&#160; </p><p>In addition, the FHLBank should include a model risk component in its AMA pricing, either within or in addition to the minimum spread. 
&#160;Uncertainty in the estimate of the expected risk-adjusted spread of a funded mortgage is unavoidable.&#160; The primary source of uncertainty is mortgage prepayments, as the model must project prepayment rates over a 360-month period.&#160; Another source of uncertainty involves the assumed funding rates.&#160; The illiquidity in the longer-term fixed rate and callable CO markets makes cost estimates of future debt issuance uncertain.&#160; As a result, the expected spread estimated for mortgage investments is likely to be far less accurate than estimated advance spreads.&#160; </p><p>Under certain conditions, a FHLBank may purchase AMA below established minimum expected spreads.&#160; However, the FHLBank should establish in policy&#58; &#160;(1) a framework within which it acquires AMA below the minimum spreads; (2) limits to curtail the negative effect of acquiring AMA below the minimum expected spread on the FHLBank's earnings performance or market value of equity measures; and (3) reporting of the exceptions, and attendant reasons, to the appropriate management committee. 
</p><p> <span style="text-decoration&#58;underline;">Total Portfolio and Acquisition Limits</span></p><p>In light of the unique risk exposures stemming from mortgages, some of which cannot be fully mitigated (e.g., model risk), a FHLBank's board should consider how large an AMA portfolio the FHLBank can safely manage relative to total assets, total capital, and/or retained earnings.&#160; FHFA's AMA regulation does not establish limits on the total amount of AMA a FHLBank may acquire; however, the Supplementary Information to the regulation states, &quot;FHFA expects each Bank's board of directors to establish a prudential limit on its maximum holdings of AMA, which should be governed by the Bank's ability to manage the risks inherent in funding and holding such mortgage loans.&quot;<a href="#footnote10">[10]</a>&#160; The board of directors should have a reasonable basis for setting the prudential limit at a particular level, which should be clearly documented in the board's records.&#160; Similarly, to avoid excessive concentration of coupons or vintages, the board of directors may want to limit the amount of AMA the FHLBank may acquire in a given period (e.g., one year).&#160; </p><p> <span style="text-decoration&#58;underline;">Controls</span></p><p>A FHLBank should have a well-managed, clearly articulated, and well-controlled process to generate the acquisition spread estimates, i.e., these controls should comport with the model risk management expectations set forth in FHFA's AB 2013-07 <em>Model Risk Management</em>.&#160; The model used to generate AMA prices is a mission critical model and requires validation on time schedules specified for a critical model.&#160; Additionally, management should regularly test the accuracy of the model inputs and the validity of the model assumptions. 
&#160;Furthermore, the appropriate management committee should review and approve key assumptions employed.&#160; </p><p> <span style="text-decoration&#58;underline;">Board and Management Committee Education and Reporting</span></p><p>The FHLBank should provide an appropriate overview on the OAS approach, including uncertainties that accompany OAS estimation, to the entire board, appropriate board committee, and to new board members when providing board education on the FHLBank's pricing method for AMA.<a href="#footnote11">[11]</a>&#160; Further, the board or appropriate board committee, and management committee should receive quarterly reporting of acquisition OAS. &#160;When increasing AMA relative to total assets, total capital, or retained earnings, a FHLBank should adjust its reporting and monitoring of AMA price risk accordingly.&#160; </p><p>Regarding the performance of the AMA portfolio, the board or appropriate board committee and management committee should be provided with information explaining that earnings on AMA may differ over time depending on the interest rate environment.&#160; For example, AMA loans purchased in an upward sloping yield curve environment may produce most of their recognized earnings early in their lives, i.e., earnings are &quot;front-loaded.&quot; &#160;Under such circumstances, FHFA would expect management to provide an income simulation analysis and to clearly communicate to the board or board committee and management committee the expected annual earnings on the portfolio over time, including a periodic roll-down analysis. 
</p><p>____________________</p><p><a name="footnote1">[1]</a> Most of the principles discussed within this Advisory Bulletin are also applicable to the price risk stemming from the acquisition of mortgage-backed securities.&#160; However, this guidance focuses on the unique exposure stemming from FHLBanks' activities involving AMA mortgage loan acquisitions.</p><p><a name="footnote2">[2]</a> The AB uses the term &quot;management committee&quot; in a non-specific manner.&#160; The FHLBank should determine the appropriate management committee that will provide oversight of implementation of this guidance.</p><p><a name="footnote3">[3]</a> FHFA amended the AMA rule to comply with Section 939A of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, which requires federal agencies to remove from regulations all references to, or requirements based on, ratings issued by NRSROs.</p><p><a name="footnote4">[4]</a> FHFA defined the terms &quot;AMA Program&quot; and &quot;AMA Product&quot; in its AMA Rule.&#160; <em>See</em> 12 CFR 1268.1.</p><p><a name="footnote5">[5]</a> Throughout the document, the term &quot;expected&quot; is used in its statistical context&#58; as the mean value of a probability distribution.&#160; FHFA realizes the generated spread may not be the actual spread earned over the lifetime of the specific acquisition.&#160; However, over the course of many acquisitions, the &quot;expected&quot; spread should approximate the average spread earned on acquisitions.</p><p><a name="footnote6">[6]</a> OAS of a mortgage-related financial instrument is highly model dependent and is a function of the underlying interest rate process, probability distribution, interest rate volatility, and mortgage rate propagation assumptions.&#160; During the mortgage OAS valuation process, the model generates random interest rate paths (trials) to cover an assumed probability distribution and calculates cash flows (including prepayments) along each path.&#160; 
Along paths with high interest rates, cash flows generally extend as prepayment speeds slow, while along paths with low interest rates, cash flows contract as prepayment speeds increase.&#160; The OAS process calculates present values of these projected cash flows along each random path using discount factors obtained by adding or subtracting a constant spread to/from the interest rates across all the random paths such that the average of these present values will equal the AMA's acquisition price.&#160; </p><p><a name="footnote7">[7]</a> Specifically, the average of the rates projected in each future period (i.e., months 1, 2…360) will equal the corresponding market-implied forward rate for that period, and the dispersion of these rates in each period will correspond to market implied volatility.&#160; When these conditions are met, the rate paths are said to meet &quot;arbitrage-free&quot; conditions. &#160;</p><p><a name="footnote8">[8]</a> If necessary, FHLBanks should supplement OAS analysis with stress testing to estimate the OAS's stability under various stress scenarios (assumptions could be deterministic or even stochastic in both interest rates and volatility).</p><p><a name="footnote9">[9]</a> A FHLBank may use a single amount for the credit risk component for spread estimates; however, the amount should sufficiently cover the expected disruption of cash flows caused by credit events for each AMA product offered.&#160;&#160; </p><p><a name="footnote10">[10]</a> <em>See</em> 81 FR 91682, December 19, 2016</p><p><a name="footnote11">[11]</a> A FHLBank does not have to provide OAS process overview if it is not acquiring mortgage loans for on-balance sheet purposes.&#160; </p><p>&#160;</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <span style="color&#58;#444444;font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;">Advisory Bulletins communicate 
guidance to FHFA supervision staff and the regulated entities on specific supervisory matters.&#160;&#160;For this Advisory Bulletin, contact your respective Examiner-in-Charge if you have questions or comments.</span></p></td></tr></tbody></table><p>&#160;</p><p>&#160;</p>
Information Security Management | 19305 | All | 9/28/2017 4:00:00 AM | AB 2017-02<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>ADVISORY BULLETIN</p><p>AB 2017-02<br></p><p>INFORMATION SECURITY MANAGEMENT<br></p></td></tr></tbody></table> <br> <p> <strong style="text-decoration&#58;underline;"><em>Purpose</em></strong><br></p><p></p><p>This advisory bulletin (AB) provides Federal Housing Finance Agency (FHFA) guidance on information security management for supporting a safe and sound operational environment and promoting the resilience of Fannie Mae, Freddie Mac, the Federal Home Loan Banks, and the Office of Finance (OF) (collectively, the regulated entities&#160;<a href="#ref1">[1]</a>).<br></p><p>The guidance in this AB is applicable to the regulated entities and is based on current regulatory and industry standards. It does not prescribe specific standards or technology solutions, but describes three main components of an information security program (program). Each regulated entity should use a risk-based approach across key areas listed below to meet FHFA supervisory expectations&#58;<br></p><p></p><p>I. Governance<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p>A. Roles and Responsibilities</p><p>B. Risk Assessments</p><p>C. Industry Standards</p><p>D. Cyber-Insurance</p></blockquote><p>II. Engineering and Architecture</p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p>A. Network Security</p><p>B. Software Security</p><p>C. Endpoints</p></blockquote><p>III. Operations</p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p>A. Continuous Monitoring</p><p>B. Vulnerability Management</p><p>C. Baseline Configuration</p><p>D. Asset Life Cycle</p><p>E. Awareness and Training</p><p>F. Incident Response and Recovery</p><p>G. User Access Management</p><p>H. 
Data Classification and Protection</p><p>I. Third-Party Oversight</p><p>J. Threat Intelligence Sharing</p></blockquote><div> <br> </div><p>This AB on information security management supersedes AB 2014-05 (Cyber Risk Management Guidance) and the Office of Federal Housing Enterprise Oversight Policy Guidance PG-01-002 (Safety and Soundness Standards for Information).</p><p> <br> </p><p> <strong style="text-decoration&#58;underline;"> <em>Background</em></strong><br></p><p>Effective information security management protects the availability, integrity, and confidentiality of information in both electronic and physical form.&#160; Information security management encompasses the management of cyber risk, which focuses on protecting systems, operating locations, and risk related to cyber threats.&#160;&#160;<br></p><p>The frequency and sophistication of information security threats to the financial services industry increases the importance of information security management.&#160; Information security incidents can compromise sensitive, confidential, or personally identifiable information.&#160; Such incidents can affect the integrity and availability of business critical information and systems and expose an institution to risk.&#160; Each regulated entity’s risk appetite, policies, operational and technological practices, third-party relationships, governance structure, and the level of involvement of the board of directors (board) and senior management should support effective information security management.&#160; FHFA’s guidelines for safe and sound operations are set forth in the Prudential Management and Operations Standards (PMOS) at 12 CFR Appendix to Part 1236.&#160; Three relevant PMOS articulate guidelines for the board and management when establishing internal controls and information systems (Standard 1), overall risk management processes (Standard 8), and maintenance of adequate records (Standard 10).</p><p> <br> </p><p> <strong 
style="text-decoration&#58;underline;"> <em>Guidance</em></strong><br></p><p>FHFA expects the regulated entities to protect their information technology (IT) environments using a risk-based approach to determine the appropriate activities to include in a comprehensive program.&#160; The regulated entities may use third parties to perform information security activities, but that does not diminish their information security responsibilities.&#160; Although information security risks cannot be eliminated, they can be managed safely and soundly.</p><p> <br> </p><p> <strong>I. Governance</strong><br></p><p>Management at each regulated entity should align the program with the regulated entity’s enterprise risk management framework.&#160; The program should be comprehensive, involve board participation, and include repeatable and executable processes for managing information security risks and incidents.&#160; Each regulated entity should periodically evaluate its approach and appropriately document its program, ensuring that documentation is updated regularly to reflect changes to the program.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">A. 
Roles and Responsibilities</p></blockquote><p>The board is responsible for maintaining and prioritizing a strong information security culture, providing oversight of senior management’s information security risk management activities, and reviewing and approving the information security risk appetite and program.&#160; Delegation of any of these activities to a board-level committee does not relieve all board members of their responsibility to remain informed about how their entity’s information security management practices appropriately address potential risks, consistent with the established risk appetite.&#160;<br></p><p>Senior management is responsible for establishing and implementing a program consistent with the regulated entity’s risk appetite, developing and implementing policies, and supporting the board’s oversight responsibilities.&#160; The program should include procedures, guidelines, and periodic self-assessment activities, and should be proportional to the information security risks at institutional, business, and operational levels.&#160; Senior management should periodically evaluate and update the program, particularly when new risks or program weaknesses are identified.&#160; Furthermore, senior management should establish and maintain information security policies that prioritize information security management efforts in alignment with risk appetite, strategies, goals and objectives, escalation and security incident management procedures, and processes for how to assess and respond to information security risks and incidents.<br></p><p>Senior management should report to the board at least annually on the overall status of the program; any significant issues with their entity’s adherence and exceptions to applicable requirements and guidance; and significant emerging risks, strategies, and other information to ensure that information security management practices appropriately address potential risks.&#160; Management reports should address 
issues such as risk assessments, risk management and control decisions, third-party relationships, results of testing, security breaches or violations and management’s responses, and recommendations for changes in the program.&#160;&#160;</p><p>A Chief Information Security Officer or equivalent (CISO) should head the program at each regulated entity.&#160; The CISO is responsible for overseeing and reporting on the management and mitigation of information security risks.&#160; The CISO should have appropriate independence, authority, and resources to carry out the responsibilities of the position.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">B. Risk Assessments</p></blockquote><p>Each of the regulated entities should conduct periodic risk assessments of its program to identify, understand, and prioritize information security risks relevant to business operations, including assessments of third parties and IT architecture.&#160; Enterprise-wide risk assessments should identify internal and external threats that, alone or in tandem, could result in unauthorized access and subsequent loss, alteration, or exploitation of sensitive, confidential, or personally identifiable information.&#160; The risk assessment should identify the likelihood and potential impact of these threats as well as the residual risk of impact after considering controls and mitigating factors.&#160;&#160;<br></p><p>As part of risk assessments, each of the regulated entities should identify and prioritize which risks to avoid, accept, mitigate, or transfer.&#160; Periodic information security gap analyses should be conducted and reported to the board with steps to promptly remediate gaps.&#160; Management should also establish and maintain a waiver process that includes risk identification and compensating controls for remediation activities that do not comply with policy.<br></p><blockquote 
style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">C. Industry Standards</p></blockquote><p>Each regulated entity’s program should align with appropriate industry standards (e.g., standards promulgated by National Institute of Standards and Technology and International Organization for Standardization) commensurate with the complexity and risk profile of the entity.&#160; Each regulated entity should periodically review its program to verify that it reflects industry standards.&#160; Management should identify and address any gaps between the program and chosen industry standard(s) and should document the rationale for accepted risks.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">D. Cyber-Insurance</p></blockquote><p>If the regulated entity uses an insurance policy to transfer part of the financial exposure of an information security incident, management should understand the extent of coverage, conditions of coverage, and requirements governing the reimbursement of claims and report on them to the board.&#160;&#160;</p><p> <br> </p><p> <strong>II. Engineering and Architecture</strong></p><p>Security engineering and architecture address risks to an IT environment by building security into an information system.&#160; Each regulated entity should design its information networks, software, and Internet-capable devices at the network boundary commensurate with identified information security risks and consistent with the entity’s risk appetite.&#160; The designs should include defense in depth, access control, and separate production and non-production IT environments.&#160;&#160;</p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">A. 
Network Security</p></blockquote><p>The regulated entities should design their networks to allow for continuously monitored network systems that provide a view into operational controls and include the ability to provide timely remediation.&#160; The design of the network should include network segmentation, proxy hosts, firewalls, demilitarized zones, intrusion detection and prevention systems, security zones, and virtual private networks.&#160; FHFA expects the regulated entities to place log generating devices and sensors throughout their respective networks and feed security logs to a security information and event management device for continuous monitoring.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">B. Software Security</p></blockquote><p>Effective software security requires selecting, implementing, and monitoring appropriate controls to restrict end users’ ability to install and modify software.&#160; Each of the regulated entities should integrate application code reviews, security testing, and secure deployment to its development processes.&#160; Each of the regulated entities should also consider other activities such as threat modeling and static code analysis for high-risk, custom application development.&#160; Policies and device and network controls should ensure that users download software only from approved sites.&#160; Each regulated entity should assess and protect against the risks of using open source software (OSS) solutions, including an evaluation of the reliability of the source of the OSS solution.&#160; Such an assessment is particularly important when using OSS without strong support communities.&#160; Each regulated entity should also address user-developed technologies with end-user development policies that include inventory, classification, and testing policies and enforce change and access control.</p><blockquote style="margin&#58;0px 0px 
0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">C. Endpoints</p></blockquote><p>The program should have requirements to secure any organization-owned endpoint using private networks, access control, intrusion detection and prevention, vulnerability scanning, virus protection, and data encryption.&#160; Use of personal devices such as laptops, tablets, and smart phones presents security risks that each regulated entity’s program should fully address.&#160; FHFA expects management to establish and maintain policies for all devices with network access, including employee-, contractor-, and guest-owned devices, and to engineer network and software solutions to manage risks associated with these devices.&#160; The programs should require all users of endpoints connected to regulated entity systems to follow such policies and maintain an information security culture.&#160; Restrictions on resources and applications, segregation of personal data from the regulated entity’s data, and real-time monitoring, such as endpoint detection and response capabilities, should be incorporated into the program.</p><p>Each regulated entity’s program should include policies addressing the use of all configurable media and hardware that have access to the regulated entity’s information.&#160; This may include any removable media, personal devices, laptops, printers, and scanners.&#160; The policy should restrict transfers of information to and from removable media to prevent unwanted disclosure of the regulated entities’ information and to protect the IT environment.</p><p>&#160;<br></p><p> <strong>III. 
Operations</strong></p><p>Security operations provide essential protection of information systems by monitoring, assessing, and defending such systems from threats and harm, and security solutions should be engineered into information systems.&#160; Each regulated entity’s program should apply a defense in depth approach to operational security practices on an ongoing basis, including system monitoring, vulnerability management, baseline maintenance, asset life cycle procedures, staff training, incident response and recovery, access management, data protection, third-party oversight, and threat intelligence sharing.&#160; Additionally, the regulated entities should monitor their physical facilities, including monitoring for exposure to environmental threats.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">A. Continuous Monitoring</p></blockquote><p>An effective program should include continuous monitoring of systems to detect anomalies as well as successful and attempted attacks, including unauthorized activity on or intrusion into information systems.&#160; The program should define monitoring procedures, roles, and responsibilities, and a process for evaluating the effectiveness of identified controls.&#160; Operational security monitoring includes network, physical event, and user activity monitoring.&#160; The regulated entities should use operational security monitoring to mitigate the risks of insider threats.&#160;&#160;<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">B. 
Vulnerability Management</p></blockquote><p>Vulnerability management is an essential component of the program and should include both regular vulnerability assessments and the timely remediation of vulnerabilities that exceed the risk appetite.&#160; Unsupported or out-of-date systems, assets, and applications should be identified, monitored, and addressed within a vulnerability management process.&#160; Patches should be reviewed through a testing and approval process prior to deploying fixes.&#160; Procedures should require management’s approval, impact analysis, and justification for any accepted vulnerabilities or vendor-provided upgrades or patches not implemented internally.&#160; Identified vulnerabilities that present considerable risk require prompt analysis and timely approval and remediation.</p><p>The regulated entity should regularly test the effectiveness of key controls, systems, and procedures used to protect against information security risks through vulnerability scanning, internal and external audits, and penetration testing.&#160; Management should develop and maintain risk-based policies that define the scope and frequency of regular tests.&#160; The policies should also define triggers, such as significant changes to technologies or a security incident that will result in tests of key controls, systems, and procedures.&#160; Independent parties may conduct and review such tests.&#160; Procedures should be in place to track and independently validate the remediation of identified vulnerabilities.&#160; Results from these tests should inform updates to the program.&#160;&#160;<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">C. 
Baseline Configuration</p></blockquote><p>The program should include maintenance of accurate and complete inventories of IT assets and systems as well as baseline configurations of assets and systems.&#160; The program should include a formal change management process for baseline configuration adjustments to address such changes.&#160; The regulated entities should establish and maintain security standards for technology platforms and use tools to automatically compare such standards to the actual configuration of deployed assets and notify appropriate person(s) responsible for security operations of any unapproved changes.&#160;&#160;<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">D. Asset Life Cycle</p></blockquote><p>The program should include procedures to define, inventory, maintain, protect, and retire systems and technologies to support continued operations and normal business processes.&#160; Additionally, all systems should have life cycle plans that provide details on procurement, inventory maintenance, ownership, retirement, and disposal.&#160; The program should include procedures requiring documentation of maintenance schedules and repairs on assets in accordance with manufacturer or vendor specifications and internal requirements.&#160; The policies on asset maintenance should also define roles and responsibilities for approving removal of, or changes to, an IT asset, recovery of all information prior to maintenance, and verifying all security controls function after maintenance.&#160;&#160;<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">E. 
Awareness and Training</p></blockquote><p>Consistent with a strong information security culture, the program should include enterprise-wide information security awareness and training processes appropriate to each of the regulated entities’ systems, size, and complexity.&#160; The program should provide that personnel, including third parties with access to the regulated entities’ IT systems, receive general and role-based training on the policies and procedures governing the use of information systems, potential security threats (e.g., phishing), and how management enforces information security policies.&#160; The board should receive training appropriate to its oversight role.&#160; The program should address the expected frequency of awareness and training events, and role-based training qualifications.&#160; All employees and contractors are responsible for maintaining an information security culture involving the protection of the regulated entities’ information and systems.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">F. 
Incident Response and Recovery</p></blockquote><p>The program should include an incident response plan that documents the triggers, procedures, roles and responsibilities, and resources for eradicating and/or limiting the expansion of an information security incident and minimizing its effects.&#160; Incident response plans should address both physical and cyber events that could affect the availability, confidentiality, and integrity of information.&#160; Repeatable and executable procedures to respond to information security incidents should be proportional to the characteristics of the identified exposures.&#160; These procedures should prioritize and establish resiliency requirements for critical services and dependencies, be rehearsed and tested, identify criteria for escalation and reporting, and define scenarios that would result in the execution of the business continuity program.</p><p>The incident response plan should include an incident recovery plan that identifies person(s) responsible for initiating the recovery plan, defines criteria that must be met to return compromised services and technology to the network, and explains how to document the decisions and actions taken for future reference.&#160; Recovery operations should reflect mission and business priorities, recovery point/time and reconstitution objectives, and established organizational metrics.&#160;&#160;</p><p>The incident response plan should address how to coordinate communication with internal and external stakeholders about response and restoration activities.&#160; Additionally, incident response and recovery activities should have sufficient follow-up analyses to determine whether procedures were followed and the actions taken were adequate.&#160; These analyses should include investigating detection system notifications, understanding the impact of incidents, performing forensics, and classifying the incidents.&#160; These analyses should use indicators to appropriately quantify 
the impact of the incident and feed into remediation plans and risk management reporting.&#160;&#160;</p><p>Follow-up analyses should identify areas of improvement for future updates to incident response plans.&#160; An independent party (e.g., internal audit or an outside consultant) should periodically validate the implementation and effectiveness of incident response and recovery activities.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">G. User Access Management</p></blockquote><p>The program should define policies and procedures to grant, revoke, monitor, and regularly review appropriate access for all users.&#160; Access should be based on the minimum rights required for the identified business purpose, or least privilege.&#160; The program should establish and maintain a process governing access control of and documenting reasons for using shared accounts.&#160; Terminated or transferred users with different role requirements should be removed promptly.&#160; The program should include maintenance of access logs to effectively monitor user activity.</p><p>User access security controls should include logical and physical access controls, password safeguards, monitoring for unauthorized changes to IT systems or applications, and network encryption as appropriate.&#160; Each regulated entity should consider whether to adopt additional solutions, including segregation of duties, configuration management, change management, identification and authentication management, and background investigation checks.&#160; Operating locations should be physically secured and designed to deny unauthorized access to facilities, equipment, data, and resources.</p><p>Logical access controls, including remote access management, should restrict remote access usage to that defined in and allowed by relevant policies.&#160; Monitoring of remote access should include the identification of 
remote access devices that attach to systems.&#160; Furthermore, logical access controls should have security features with an appropriate level of sophistication to authenticate users that connect to the network.&#160;<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">H. Data Classification and Protection</p></blockquote><p>Each of the regulated entities possesses sensitive, confidential, or personally identifiable information that it needs to protect from loss, alteration, or exploitation.&#160; Classification of such information based on importance and sensitivity should guide their determination of the appropriate level of protection.&#160; Management should establish and maintain policies that address where sensitive, confidential, or personally identifiable information may reside; how to manage and use that information; and how to transmit, transport, protect, and dispose of that information.</p><p>Each of the regulated entities may protect information through a variety of means, such as using front and back end controls on user access, encryption, verification tools to detect unauthorized changes to data, and data loss prevention measures.&#160; Each of the regulated entities should evaluate the effectiveness of protection and preventative measures regularly.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">I. 
Third-Party Oversight</p></blockquote><p>FHFA expects the regulated entities to understand and manage the risks of third-party access to or maintenance of institutional information.&#160; The information security policies and level of sensitivity and access to information should inform third party security responsibilities.&#160; Each regulated entity’s program should include policies and procedures, contractual assurance for security responsibilities, controls, reporting, nondisclosure of data, and incident notification requirements.&#160; Each regulated entity should define when information security incidents should result in substituting or replacing services provided by third parties, if feasible.</p><p>When using a technology service provider (TSP), such as a cloud computing or technology solutions provider, each of the regulated entities should review the TSP’s information security programs and select a TSP that is consistent with established risk tolerances.&#160; In its selection, each regulated entity should consider the TSP’s abilities to identify and mitigate cyber threats to data and operational infrastructure, effectively carry out incident response procedures to cyberattacks, and perform adequate business continuity resilience.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">J. 
Threat Intelligence Sharing</p></blockquote><p>The Cybersecurity Information Sharing Act of 2015 encourages information sharing between the federal government and other recognized organizations.&#160; Sharing and receiving technical information, such as threat indicators and emerging risks, promotes financial sector resiliency and provides the regulated entity additional situational awareness to remain current in their defenses.&#160; Each of the regulated entities should participate in and incorporate information from external coordination efforts relevant to their respective operations.<br></p><p> <br> </p><p> <strong style="text-decoration&#58;underline;"> <em>Related Guidance</em></strong><br></p><p> <em> <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Data-Management-and-Usage.aspx">Data Management and Usage</a></em>, Federal Housing Finance Agency Advisory Bulletin AB-2016-04, September 29, 2016.<br></p><p> <em> <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Information-Technology-Investment-Management.aspx">Information Technology Investment Management</a></em>, Federal Housing Finance Agency Advisory Bulletin AB-2015-06, September 21, 2015.</p><p> <em>Cyber Risk Management Guidance</em>, Federal Housing Finance Agency Advisory Bulletin AB-2014-05, May 19, 2014 (superseded).<br></p><p> <em> <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/AB-2014-02-OPERATIONAL-RISK-MANAGEMENT.aspx">Operational Risk Management</a></em>, Federal Housing Finance Agency Advisory Bulletin AB-2014-02, February 18, 2014.&#160;</p><p> <a href="https&#58;//www.ecfr.gov/cgi-bin/text-idx?SID=4789529b5c4a4e95899da27516cdc49e&amp;mc=true&amp;node=pt12.10.1233&amp;rgn=div5">12 CFR Part 1233 Reporting of Fraudulent Financial Instruments</a>, February 11, 2013.<br></p><p> <a href="https&#58;//www.ecfr.gov/cgi-bin/text-idx?SID=7d165130b500cae028042a9b47b757aa&amp;mc=true&amp;node=pt12.10.1236&amp;rgn=div5">12 CFR Part 1236 Prudential Management and Operations 
Standards</a>, June 8, 2012.<br></p><p> <em>Safety and Soundness Standards for Information</em>, Office of Federal Housing Enterprise Oversight Policy Guidance PG-01-002, December 19, 2001 (superseded).<br></p><p> <br> </p><hr /> <p> <a name="ref1">[1]</a> The OF is not a “regulated entity” as the term is defined in the Federal Housing Enterprises Financial Safety and Soundness Act as amended. See <a href="https&#58;//www.gpo.gov/fdsys/pkg/USCODE-2010-title12/html/USCODE-2010-title12-chap46-sec4502.htm">12 U.S.C. 4502(20)</a>. However, for convenience, references to the “regulated entities” in this AB should be read to also apply to the OF.</p><br><br> <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"> <span style="color&#58;#444444;font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;">Advisory bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, the Office of Finance, Fannie Mae, and Freddie Mac.&#160; This advisory bulletin is effective immediately upon issuance.&#160; For the FHLBanks, contact Amy Bogdon, Associate Director for Regulatory Policy and Programs, Division of FHLBank Regulation, at <a href="mailto&#58;Amy.Bogdon@fhfa.gov">Amy.Bogdon@fhfa.gov</a>.&#160; For Fannie Mae and Freddie Mac, contact Annie Golden, Supervisory Risk Analyst, Office of Governance, Compliance, and Operational Risk at <a href="mailto&#58;Annie.Golden@fhfa.gov">Annie.Golden@fhfa.gov</a> or Brian Schwartz, Senior Risk Analyst, Office of Governance, Compliance, and Operational Risk at <a href="mailto&#58;Brian.Schwartz@fhfa.gov">Brian.Schwartz@fhfa.gov</a>.</span></td></tr></tbody></table> <br>8/4/2018 4:23:53 AMHome / Supervision & Regulation / Advisory Bulletins / Information Security Management Advisory Bulletin This advisory bulletin (AB) provides Federal Housing Finance Agency 
Classifications of Adverse Examination Findings19348All3/13/2017 4:00:00 AMAB 2017-01<p></p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>ADVISORY BULLETIN</p><p>AB 2017-01</p><p>CLASSIFICATIONS OF ADVERSE EXAMINATION FINDINGS</p></td></tr></tbody></table><p style="text-decoration&#58;underline;"> <strong style="font-size&#58;15pt;"> <em></em></strong> <br></p><p style="text-decoration&#58;underline;"> <strong style="font-size&#58;15px;"> <em>Purpose</em></strong></p><p>This advisory bulletin establishes classifications of adverse examination findings at Fannie Mae, Freddie Mac, the Federal Home Loan Banks (the regulated entities) and the Office of Finance. Adverse examination findings are typically risk management deficiencies, increases in risk exposures, or violations of laws, regulations, or orders that affect the performance or condition of a regulated entity or the Office of Finance. This advisory bulletin establishes classifications of examination findings that identify priorities for remediation by the regulated entities and the Office of Finance and guide FHFA in the development of supervisory strategies. This advisory bulletin supersedes and rescinds Advisory Bulletin 2012-01, <em>Categories of Examination Findings (April 2, 2012)</em>.</p><p> <br> </p><p style="text-decoration&#58;underline;"><strong><em>Communication of Adverse Examination Findings</em></strong></p><p>FHFA staff communicates examination findings to a regulated entity or the Office of Finance&#160;through the examination process. Reports of examination and other formal written&#160;communications summarize examination findings, assessments, and conclusions. FHFA&#160;provides a report of examination to the board of directors of the regulated entity or the Office of&#160;Finance. 
The board’s awareness of significant supervisory issues is critical because it is&#160;ultimately responsible for the organization’s safety and soundness.</p><p> <br> </p><p style="text-decoration&#58;underline;"><strong><em>Adverse Examination Findings Classifications&#58;</em></strong></p><p>When communicating adverse examination findings to the regulated entities and Office of&#160;Finance, examination staff will use the following classifications&#58;</p><div><ol><li><p><em>Matters Requiring Attention</em> (MRAs) fall into one of the following categories&#58;</p></li><ul><li><p>Critical supervisory matters (the highest priority) which pose substantial risk to the&#160;safety and soundness of the regulated entity or the Office of Finance. They may involve instances of noncompliance with laws or regulations of a serious nature or may be&#160;repeat criticisms that have escalated in importance because of insufficient attention or action by the regulated entity or Office of Finance.</p></li><li><p>Deficiencies which are supervisory concerns that FHFA believes could, if not corrected, escalate and potentially negatively affect the condition, financial performance, risk profile, operations, or reputation of the regulated entity or the Office of Finance.</p></li><li><p>The distinction between critical supervisory matters and deficiencies is the nature and severity of the issues requiring corrective action. Corrective action for an MRA must be articulated in written remediation plans and timeframes that reflect the significance of the findings.</p></li></ul><li><p><em>Recommendations</em> are advisory in nature and suggest changes to a policy, procedure,&#160;practice, or control that supervision staff believes would improve, or prevent deterioration&#160;in, condition, operations, or performance. 
Implementation is discretionary, although FHFA&#160;expects the regulated entity or Office of Finance to implement recommendations unless the&#160;regulated entity or Office of Finance can demonstrate through a reasoned assessment that&#160;the recommended action is unwarranted or is likely to be detrimental to condition,&#160;operations, or performance.</p></li><li><p><em>Violations</em> are matters in which an examination discloses noncompliance with laws, regulations, or&#160;orders. Violations require action by the regulated entity or Office of Finance to correct, if possible,&#160;the past noncompliance with requirements and to change a program or practice to prevent&#160;recurrence. The expected remediation timeframe depends on the seriousness of the actual or&#160;potential consequences of the violation and the time required for the regulated entity to implement&#160;required corrective action. A violation that may negatively affect the condition or practices of the&#160;regulated entity may also be identified as an MRA.</p></li><br><br></ol><div><p style="text-decoration&#58;underline;"><strong><em>Effective Date</em></strong></p><p>The adverse examination findings classifications defined in this Advisory Bulletin are effective for the&#160;2017 examination cycle for Fannie Mae and Freddie Mac. The adverse examination findings&#160;classifications are effective upon issuance of this Advisory Bulletin for all Federal Home Loan Bank&#160;and Office of Finance examinations not yet started.</p><p><br></p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;">Advisory bulletins communicate guidance to FHFA supervision staff and the regulated entities on&#160;specific supervisory matters pertaining to the Federal Home Loan Banks, the Office of Finance, Fannie Mae, and Freddie Mac. 
Contact Louis Scalza, Associ<span style="font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;color&#58;#444444;">ate Director, Division of Bank&#160;</span>Regulation at <a href="mailto&#58;Louis.Scalza@fhfa.gov">Louis.Scalza@fhfa.gov</a> or Jim Griffin, Associate Director, Division of Enterprise R<span style="font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;color&#58;#444444;">egulation at <a href="mailto&#58;James.GriffinJr@fhfa.gov">James.GriffinJr@fhfa.gov</a>, with comments or questions pertaining to this bulletin.</span></td></tr></tbody></table><br></div> </div>
Internal Audit Governance and Function19308All10/7/2016 4:00:00 AMAB 2016-05<p></p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>ADVISORY BULLETIN</p><p>AB 2016-05</p><p>INTERNAL AUDIT GOVERNANCE AND FUNCTION</p></td></tr></tbody></table><p style="text-decoration&#58;underline;"> <strong style="font-size&#58;15pt;"><em></em></strong><br></p><p style="text-decoration&#58;underline;"> <strong style="font-size&#58;15px;"><em>Purpose</em></strong></p><p>This Advisory Bulletin (AB) applies to Fannie Mae and Freddie Mac (the Enterprises), the Federal Home Loan Banks (FHLBanks) (collectively, the regulated entities), and the FHLBanks' Office of Finance (OF).&#160; References to the regulated entities<a href="#1"><span style="text-decoration&#58;underline;">[1]</span></a> in this AB equally apply to the OF.&#160; This AB rescinds and replaces the following guidance&#58;</p><ul><li>2002-AB-05&#58;&#160; <em>Risk Assessment – Internal Auditor Independence;</em></li><li>1999-AB-10&#58;&#160; <em>Internal Audit Department External Reviews; </em>and</li><li>1996-AB-01&#58;&#160; <em>Examination Reviews of Audit Independence, Audit Committee Oversight of Selection, Compensation and Performance Evaluation of the Audit Director</em>.<br>&#160;<br>The Federal Housing Finance Agency (FHFA) requires the regulated entities to establish independent Internal Audit (IA) functions and expects those IA functions to provide timely feedback to management and assurance to audit committees on the effectiveness of regulated entities' internal controls, risk management, and governance.&#160; Timely and reliable information about elevated risks and internal control systems are important so that management can make prompt corrections.&#160; This AB sets forth FHFA guidance and supervisory expectations regarding&#58;</li></ul><ol><li>Audit Committee Oversight of the IA Function; &#160;</li><li>IA Independence 
and Objectivity; and</li><li>IA Attributes and Operations - including IA's role in reporting to the audit committee on the regulated entity's identification of significant risks and the existence and effectiveness of related internal controls.<br><br>A regulated entity's risk management framework generally comprises&#58;<br>&#160;</li></ol><ul><li>Units engaged in business operations, which take and manage risks and report directly to management;<a href="#2"><span style="text-decoration&#58;underline;">[2]</span></a></li><li>Independent risk management (including enterprise risk management, compliance, and other risk control functions), which monitors risk-taking activities, assesses risks and issues independent of business operations units, and is separate from first-line operating management but still under the direction and control of senior management; and</li><li>IA, which reports independently to the audit committee on risks, risk management, and the effectiveness of the regulated entity's system of internal controls.<br>&#160;</li></ul><p>This structure is commonly known as the &quot;three lines of defense,&quot; and together these elements should form a strong and effective risk management framework.&#160; The guidance in this AB is consistent with the three lines of defense framework and sets forth FHFA's expectation that IA, as the third line of defense, is independent, objective, and effective at identifying and informing management and the audit committee about the regulated entity's risks and related controls.</p><p>FHFA expects Chief Audit Executives (CAEs)<a href="#3"><span style="text-decoration&#58;underline;">[3]</span></a> to establish and audit committees to oversee IA functions that&#58;&#160; </p><ul><li>Are independent and objective;</li><li>Continuously monitor key activities and associated risks;&#160; </li><li>Adapt audit approaches and activities to address changes; and</li><li>Identify and communicate internal control deficiencies and 
emerging, previously unidentified, or undervalued risks (<em>i.e.</em>, risks that have become more significant) to the audit committee and management.&#160;&#160;&#160;&#160;<br><br>FHFA further expects audit committees, through their direction to and oversight of CAEs and IA functions, to validate that staffing and resource decisions take appropriate account of the risks at the regulated entity.&#160; FHFA expects that these decisions consider the entity's size, scale, complexity of operations, pace of innovation, and financial standing.</li></ul><p style="text-decoration&#58;underline;"> <strong style="font-size&#58;15px;"><em>Background</em></strong></p><p>FHFA recently published a revised rule, 12 CFR Parts 1236 and 1239, <em>Responsibilities</em><em> of Boards of </em> <em>Directors, Corporate Practices,</em><em> and Corporate</em><em> Governance</em><em> </em> <em>Matters</em>, that in part addresses regulated entities' audit committees' oversight of IA functions at the FHLBanks and the Enterprises.&#160; In addition, FHFA's standards for the FHLBanks and Enterprises specifically related to their audit committees and IA functions are in Standard 2 of the <em>FHFA</em><em> </em> <em>Prudential</em><em> </em> <em>Management</em><em> </em> <em>and Operations Standards</em><em> </em>(PMOS) (12 CFR Part 1236, Appendix).&#160; FHFA requirements relating to the OF's audit committee are set forth at 12 CFR 1273.9.</p><p>For the FHLBanks, the regulations prescribe specific details about the composition of the audit committee, the independence of its members, the content of the audit committee charter, and the duties and responsibilities of the audit committee, including its oversight responsibilities with respect to the IA function.<a href="#4"><span style="text-decoration&#58;underline;">[4]</span></a> </p><p>The OF is the FHLBanks' fiscal agent.&#160; It compiles and publishes the FHLBanks' Combined Financial Reports.&#160; The OF's audit committee composition, 
responsibilities, and charter are addressed in 12 CFR 1273.9 and are similar to those applicable to FHLBanks.&#160; The OF is not a Securities and Exchange Commission registrant.</p><p>For the Enterprises, regulations in 12 CFR 1239.5(b) require that all the board committees comply with requirements established by the New York Stock Exchange (NYSE) and that the audit committees also comply with the requirements of Section 301 of the Sarbanes-Oxley Act of 2002.<a href="#5">[5]</a>&#160; Relevant portions of the NYSE rules address the composition of the audit committee, the independence of its members, the general requirements for its charter, the responsibilities and duties of the audit committee (which include assisting the board in oversight of the IA function), and the need for audit committees to meet separately and periodically with management, CAEs, and independent auditors.<a href="#6">[6]</a>&#160; </p><p>Because the existing regulations and guidelines provide general requirements for oversight of the IA function, FHFA is issuing this AB to provide an additional level of detail on the responsibilities of audit committees in their oversight of the IA function, as well as on the independence and operation of the IA function.&#160; This guidance reflects FHFA's supervisory expectations that the audit committee actively and rigorously oversees the IA function and that the function is independent, objective, and effective.&#160; Further, this guidance is informed by FHFA's understanding of industry best practices for IA governance and operations at larger and more complex financial institutions.</p><p>In addition, the provisions of this AB are consistent with IA guidance issued by the federal banking regulatory agencies.&#160; That guidance includes the <em>Interagency Policy Statement on the Internal Audit Function and its Outsourcing</em> (March 17, 2003) and the Federal Reserve Board's <em>Supplemental Policy Statement on the Internal Audit Function and Its 
Outsourcing</em> (January 23, 2013).&#160; This AB is also consistent with the <em>OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches; </em> <a href="https&#58;//www.federalregister.gov/regulations/1557-AD78/occ-guidelines-establishing-heightened-standards-for-certain-large-national-banks-federal-savings-as"> <span style="text-decoration&#58;underline;"> <em>Integration of 12 CFR Parts 30 and 170</em></span></a> (effective November 10, 2014) and with guidance in the October 27, 2009 FHFA <em>Examination for Accounting Practices</em> document, which remains in effect.&#160; </p><p style="text-decoration&#58;underline;"> <em style="font-size&#58;15px;"> <strong>Guidance</strong></em></p><p>&#160;&#160;&#160;&#160;&#160; <strong>I.</strong>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; <strong>Audit </strong> <strong>Committee Oversight of the </strong> <strong>IA Function</strong></p><p>The board of directors of each regulated entity is required to have an audit committee responsible for overseeing the IA function and an individual responsible for the IA function (referred to in this document as the CAE, regardless of that individual's title).&#160; The audit committee should have regular and open communications with the CAE.</p><p>The audit committee should direct the CAE to structure the IA function so that it is appropriately designed, independent, and objective, and so that it effectively identifies and assesses risks.&#160; The committee should confirm that the regulated entity's IA audit methodology is established and activities are conducted in accordance with appropriate professional standards, such as the Institute of Internal Auditors' <em>International</em><em> </em> <em>Standards for the Professional </em> <em>Practice </em> <em>of Internal Auditing</em><em> </em> <em>(IIA Standards). 
</em>&#160;The CAE should periodically review IA's audit methodology with the committee and the committee should approve the methodology and significant changes thereto.&#160; Further, the audit committee should oversee the process by which issues that are reported by IA are promptly addressed and satisfactorily resolved by management.</p><p>A.&#160;&#160;&#160; <em>Audit </em> <em>Committee</em><em> </em> <em>Charter</em><em> </em> <em>and the </em> <em>Internal</em><em> Audit </em> <em>Function</em></p><p>The audit committee is required to operate pursuant to a written charter,<a href="#7"><span style="text-decoration&#58;underline;">[7]</span></a> which should be reviewed at least annually by the audit committee and full board of directors (board), and be re-approved at least every three years by the board.<a href="#8"><span style="text-decoration&#58;underline;">[8]</span></a> &#160;</p><p>FHFA expects that, at a minimum, the audit committee charter will address the following matters regarding the IA function&#58;<a href="#9"><span style="text-decoration&#58;underline;">[9]</span></a></p><ul><li>CAE selection, evaluation, compensation, and where appropriate, replacement&#58;&#160; The charter should establish that the CAE may be hired or removed only with audit committee approval.</li><li>CAE reporting relationships&#58; &#160;The charter should establish that the CAE reports directly to the audit committee and is ultimately accountable to the audit committee and board of directors in order to maintain independence and objectivity.</li><li>CAE access to the audit committee&#58; &#160;The charter should provide the CAE with unrestricted access to the committee without the need for any prior management knowledge or approval and should establish executive session meetings with the CAE. 
</li><li>Annual review and approval of the Audit Plan&#58; &#160;The committee should confirm that the scope of IA's activities is appropriate and approve the annual Audit Plan and significant changes thereto.</li><li>Annual review and approval of the IA department's budget&#58; &#160;The committee should confirm that IA has sufficient resources to accomplish its objectives and approve the department's budget.<br>&#160;</li></ul><p>B.&#160;&#160;&#160; <em>Audit </em> <em>Committee Communication</em><em> with </em> <em>Internal</em><em> </em> <em>Audit</em></p><p>The audit committee and the CAE, including IA staff, should have unrestricted access to each other without prior management knowledge or approval. &#160;FHFA expects audit committee leadership to discuss audit matters with the CAE between and apart from regular audit committee meetings to stay current on IA operations, emerging risks, and other relevant matters. &#160;If significant issues arise in these discussions, they should be covered timely with the committee. &#160;Regular executive sessions with the CAE are essential to ensure open and complete communications. 
&#160;These executive sessions should be confidential, closed to management, and should be regularly scheduled.</p><p>An important component of effective communications between the CAE and audit committee is the regular written reports to the audit committee prior to each meeting and otherwise as warranted.&#160; Regular written reports from IA to the committee should generally address&#58;</p><ul><li>Audit Findings and Risk Analyses&#58;</li><ul><li>Audit reports focusing on less than satisfactory findings;</li><li>Significant and higher-risk issue follow-up information, including potential impact, aging, past-due status, root-cause analysis, progress towards remediating significant findings, and thematic trends;</li><li>Clear, timely, detailed reporting on open remediation plans, along with associated timetables that were agreed upon by stakeholders for significant open audit issues;</li><li>Information on significant industry and institution trends in risks and controls;&#160; </li><li>An assessment of risk management processes, including whether monitoring processes are appropriate and the effectiveness of management's self-assessment and remediation of identified issues; and</li><li>Aggregate information on the nature of significant trends, if any, in audit findings and observations that have been communicated to management but not detailed in reports to the audit committee.</li></ul><li>Audit Department Performance and Processes&#58;</li><ul><li>Audit coverage and completion versus the Audit Plan;</li><li>Budgeted versus actual audit hours;</li><li>Any updates or amendments to the Audit Plan, including support for changes;</li><li>Results of internal and external quality assurance reviews;</li><li>Updates on the status of IA annual goals and objectives;</li><li>Significant changes in audit staffing levels and the status of required staff training;</li><li>Information on major projects and initiatives; and</li><li>Any significant changes in IA processes, 
including a periodic review of key IA policies and procedures.</li></ul></ul><p>C.&#160;&#160;&#160; <em>Monitoring</em><em> and </em> <em>Performance </em> <em>Assessments</em></p><p>The audit committee should maintain a robust process for monitoring and, at least annually, formally assessing and evaluating CAE performance and the effectiveness of the IA function.&#160; The process should generally incorporate input from senior management and external auditors, from any outside peer reviews or assessments including regulatory examinations, and from the audit committee's own observations of and interactions with the CAE and IA staff.&#160; The audit committee should document its assessments of the CAE's and IA function's performance.</p><p>&#160;&#160;&#160; <strong>II.</strong>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; <strong>IA Independence and Objectivity</strong></p><p>A.&#160;&#160;&#160; <em>Conflicts</em><em> of </em> <em>Interest</em></p><p>Before appointing a CAE, and thereafter at least annually, the audit committee should confirm with the CAE and document whether the CAE has any actual or apparent conflicts of interest and should develop appropriate limits for the CAE's activities accordingly.&#160; If an audit committee considers a candidate for CAE with potential conflicts of interest, the conflicts, and any mitigating considerations, should be disclosed to and discussed by the audit committee and should be clearly documented in audit committee records.</p><p>Similarly, the CAE should regularly assess whether IA staff has actual, potential, or apparent conflicts of interest and appropriately restrict the activities of the staff to avoid those conflicts.&#160; At least annually, the CAE should confirm IA activities' independence to the audit committee.&#160; To help maintain the highest level of objectivity in the IA function, CAEs should consider rotating assignments for lead auditors and audit staff when 
feasible.</p><p>B.&#160;&#160;&#160; <em>Placement</em><em> of</em><em> </em> <em>IA</em><em> </em> <em>in the</em><em> Organization</em></p><p>Properly positioning the CAE and the IA function in a regulated entity's organization helps achieve objectivity and independence of the IA function and minimizes the opportunity for management to unduly influence, override, or limit IA activities or findings. &#160;The most structurally independent organizational arrangement for the IA function would have the CAE report directly to the audit committee regarding both audit issues and administrative matters.&#160; However, the CAE may report administratively to the Chief Executive Officer (CEO) if the audit committee so approves.<a href="#10">[10]</a></p><p>Board and senior management engagement and cooperation with IA are essential to its effectiveness.&#160; Boards and management should give IA full and unconditional access to any records and data, including access to management information systems and records and the minutes of all board and management committee meetings.&#160; FHFA expects IA to have access to management committee meetings and related materials in an ex-officio capacity, and any exceptions should be discussed and reconciled with the audit committee.&#160; Boards and management should also require timely remediation of audit issues.</p><p>C.&#160;&#160;&#160; <em>Scope </em> <em>Limitations</em></p><p>Should management attempt to hinder IA's objectivity and independence, for example, by restricting IA's access to records or personnel, IA staff should disclose to and discuss such attempts with the CAE. 
&#160;If the scope of an audit is affected by management's action, the limitation should be disclosed in the audit report and documented in the associated work papers.&#160; The CAE should report any attempts to hinder IA's objectivity and independence or limit the scope of an audit activity to the audit committee, generally through the chair, immediately for appropriate resolution.</p><p>D.&#160;&#160;&#160; <em>Internal</em><em> </em> <em>Audit </em> <em>Compensation</em><em> </em> <em>Arrangements</em></p><p>CAE compensation, which should be approved by the audit committee, should include an appropriate focus on performing audit activities and should only include incentives tied to actions and outcomes within the CAE's control and influence.&#160; Audit committees should not link CAE incentive compensation to the regulated entity's financial position, results of operations, achieving growth or volume targets, business unit compliance levels, or other measures or metrics that could impair or appear to impair IA independence or objectivity.&#160; CAE compensation should be reasonable and comparable with compensation for employment in other similar businesses (including publicly held financial institutions or major financial services companies) involving similar duties and responsibilities.&#160; To these ends, consulting with and obtaining input from a regulated entity's compensation committee may provide useful insights. 
</p><p style="text-align&#58;justify;">&#160; <strong>III.</strong>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; <strong>IA Attributes and Operations </strong> <br></p><p>A.&#160;&#160;&#160; <em>IA Function Attributes</em><br></p><p>1.&#160;&#160;&#160;&#160; <em>Internal Audit</em><em> </em> <em>Department</em><em> Charter</em></p><p>The IA department should have a written charter, which should be reviewed at least annually and be approved by the audit committee every three years or whenever substantive changes are made.&#160; The charter should define the purposes, authorities, and responsibilities of the IA function.&#160; The charter is the foundational document governing all IA activities.&#160; The charter should generally cover&#58;</p><p>&#160;</p><ul><li>IA Department Structure and Independence</li><ul><li>Indicate the IA function's placement within the regulated entity, the CAE's and IA function's authority, the CAE's functional reporting relationship to the audit committee, and the CAE's administrative reporting to senior management, if any;</li><li>Stipulate that IA has unrestricted access to the audit committee and authorize staff to access all regulated entity records and personnel needed to carry out their function; and</li><li>Require the IA function to maintain its independence and objectivity, particularly if IA provides non-attest services, such as consulting on internal controls design for information technology projects, performing financial reporting internal controls testing under management direction, and/or identifying potential operating inefficiencies for management.</li></ul><li>Applicable Standards and Codes of Ethics</li><ul><li>Identify standards applicable to the IA function and staff, including any professional standards, such as the Institute of Internal Auditors (IIA) Standards; and</li><li>Identify codes of ethics and requirements with which IA staff must comply.&#160; These may include both the regulated entity's own 
written code and one or more professional standard codes, such as the IIA's Code of Ethics.</li></ul><li>Reporting</li><ul><li>Indicate regular reports and items that the IA function is required to provide to the audit committee, including audit plans and annual budget and resource requirements; </li><li>Require timely reporting of significant deviations from approved plans; and</li><li>Require the IA function to monitor and report its activities and management's responses to IA findings, and track, assess, and regularly report on management's remedial actions regarding significant open compliance and regulatory examination issues.</li></ul><li>Performance Assessment and Quality Assurance</li><ul><li>Require the IA function to regularly assess its performance, including its performance relative to the Audit Plan;</li><li>Require the IA function to maintain internal quality assurance processes and programs, and document how weaknesses identified as a result of such processes and programs are addressed; and</li><li>Establish the timeframe for regular external quality reviews (at a minimum every five years) and require the IA function to document how any weaknesses, recommendations, or best practice suggestions identified as a result of such external quality reviews are addressed.</li></ul></ul><p>2.&#160;&#160;&#160;&#160; <em>IA</em><em> Staffing </em> <em>and</em><em> Professional </em> <em>Competence</em></p><p>The IA function needs sufficient staff with the requisite knowledge, skills, professional competence, resources, and stature within the regulated entity to assess the effectiveness of the regulated entity's controls and to credibly challenge management.</p><p>A regulated entity should have policies and procedures designed to reinforce that&#58;</p><ul><li>The IA function hires and maintains sufficient, technically competent staff to provide adequate audit coverage of the regulated entity's risks;</li><li>IA staff are provided appropriate training and 
professional development opportunities to enable them to remain current in both technical matters and professional standards; and</li><li>IA staff understand their duties, including the duty to report instances of non-compliance with laws, regulations, regulatory guidance, generally accepted accounting principles, professional standards, or the regulated entity's own policies to the CAE, management, and/or the audit committee, as appropriate. </li></ul><p>Collectively, IA staff, supplemented as needed by external resources, should have the knowledge and skills, as evidenced by education and audit, industry, and technical experience, to audit the entire regulated entity. &#160;Relevant and current professional certifications and licenses provide evidence of certain technical knowledge and skills.&#160; Generally, IA staff should audit business units or functions related to their areas of expertise.</p><p>At least annually, the CAE is expected to assess and document the knowledge, skills, and abilities of IA staff and compare those with both the Audit Plan and the universe of risks in the regulated entity. &#160;When assessing the knowledge, skills, and abilities of IA staff, the CAE may consider management feedback and internal or external quality assurance assessments.&#160; If the assessment identifies gaps within IA staff knowledge, skill, and abilities, the CAE should identify a means for filling those gaps, which might include staff training, hiring new staff, and/or using co-sourcing or outsourcing arrangements.&#160; The CAE should report the results of the assessment to the audit committee.</p><p>The CAE should confirm that he/she and all IA staff receive ongoing formal training.&#160; CAEs and staff should generally receive a minimum of forty hours of training per year. 
&#160;The IA function should have a process to evaluate and monitor the quality and appropriateness of training.&#160; In addition to formal training, IA staff may benefit from staff rotations, both within the IA department and with business and risk management functions, in order to provide IA staff with broader exposure to those functions and opportunities to develop additional areas of expertise.&#160; We encourage such rotations where they are feasible and can be done without compromising audit coverage and IA independence.</p><ol><li> <em>Co-sourcing</em><em> and</em><em> Outsourcing</em><em> </em> <em>Internal</em><em> </em> <em>Audit</em><em> </em> <em>Activities</em></li></ol><p>The IA function may be staffed using IA employees solely or by supplementing them with co-sourced or outsourced resources.<a href="#11"><span style="text-decoration&#58;underline;">[11]</span></a>&#160; Co-sourcing or outsourcing engagements are generally entered into when a regulated entity has insufficient staff to complete planned audits in a timely manner or needs technical expertise beyond that of the IA staff.&#160; The CAE retains responsibility for managing and providing the audit committee with reports to enable the audit committee to oversee all IA work, whether done by IA staff, co-sourced, or outsourced.</p><p>Co-sourcing is a partnership between IA and an outside vendor (auditor or firm) that works with and often alongside, but does not replace, existing IA staff. &#160;In co-sourcing, IA staff takes an active part in project planning and decision making and may participate in preparing final reports.&#160; Further, IA manages and/or works alongside the specially-skilled partner(s) or vendor(s).&#160; One objective of co-sourcing may be to transfer knowledge from the vendor to IA. 
&#160;In a co-sourcing arrangement, the vendor has a dual reporting relationship to IA and the vendor's own management.&#160; The CAE should require in associated contracts with co-sourced partners that work complies with applicable IA policies and standards and that the workpapers associated with the co-sourced work are retained by IA, not the vendor.&#160; </p><p>Under an outsourcing arrangement, the outside vendor (auditor or firm) is responsible for performing discrete IA engagements.&#160; The CAE maintains ownership of the entire IA function, including outsourced activities.&#160; When outsourcing audit work, the CAE should approve the scope of work and procedures to be performed. &#160;The CAE remains responsible for results of outsourced work, including findings, conclusions, and recommendations.</p><p>Before hiring a vendor to perform IA work, the CAE should confirm that&#58;&#160; the vendor and staff who will work on the engagement have the technical knowledge and ability to perform the work; the engagement will be effectively managed; the vendor's work will be well-documented; that all control weaknesses and other significant findings, including any apparent regulatory violations, will be timely communicated to the CAE and other stakeholders; and that the regulated entity has appropriate contingency plans should a vendor be released or terminated before completing the engagement.</p><p>Co-sourced and outsourced audit work should be completed pursuant to an engagement letter or similar agreement covering all significant aspects of the engagement.&#160; Such engagement letters should generally&#58;</p><ul><li>Describe expectations and responsibilities for the regulated entity and the vendor;</li><li>Define the work to be performed and the amount and timing of fees to be paid;</li><li>Describe the responsibilities for providing and receiving information, including the type and frequency of contract work status reporting to the CAE and the audit 
committee;</li><li>Describe the process for changing engagement terms, such as for expanding work if significant issues are identified;</li><li>Define conditions that would constitute default and remedies including canceling the engagement;</li><li>Establish who bears the cost of damages arising from errors, omissions, and negligence;</li><li>State that the vendor will not perform management functions, make management decisions, or act or appear to act in a capacity equivalent to that of a member of management or an employee and, if applicable, will comply with American Institute of Certified Public Accountants, Securities and Exchange Commission, Public Company Accounting Oversight Board, and other relevant professional standards, and other applicable regulatory guidance; and</li><li>For any engagements where reports or workpapers will be retained by the vendor&#58;</li><ul><li>Establish that reports created by the vendor during the engagement are the property of the regulated entity, that the regulated entity will be provided with any copies of the related workpapers it deems necessary, and that employees authorized by the regulated entity will have reasonable and timely access to the workpapers prepared by the vendor;</li><li>Specify the locations of reports and the related workpapers and the length of time vendors must maintain workpapers;</li><li>State that FHFA examination staff will have full and timely access to vendor-created IA reports and related workpapers. 
</li></ul></ul><p> <strong>&#160;</strong></p><p>B.&#160;&#160;&#160; <em>Internal Audit Operations</em><br></p><p>1.&#160;&#160;&#160;&#160; <em>Internal Audit Risk </em> <em>Assessments</em></p><p>Regulated entities' IA universes (comprising all auditable entities<a href="#12"><span style="text-decoration&#58;underline;">[12]</span></a> that are significant and subject to risks for which controls should be reviewed) should be regularly updated for organizational changes.&#160; Audit plans should be formulated to provide reasonable assurance that a regulated entity's system of controls is well-designed, operates effectively, and manages risks to an acceptable level.&#160; At least annually, IA should perform a risk assessment that includes reviews of its IA universe and Audit Plan to ensure that all auditable entities receive audit coverage over an appropriate period of time commensurate with associated risks.&#160; </p><p>The IA risk assessment should include four basic steps&#58; &#160;1) identify inherent risks to the regulated entity; 2) understand management's controls over those inherent risks; 3) assess residual or remaining risks to establish the frequency with which activities should be audited; and 4) prioritize auditable entities from the audit universe for audit coverage. 
&#160;The IA risk assessment should also consider multiple approaches.&#160; For example, a &quot;top-down&quot; approach could complement a bottom-up approach.&#160; A top-down approach begins with identifying industry, environmental, and other enterprise-wide current or emerging risks.&#160; A bottom-up approach starts with the audit universe, then assesses and aggregates risks attributable to auditable entities within the audit universe.&#160; </p><p>The CAE should perform the risk assessment annually and should document the IA staff's understanding of the entity's significant business activities and the associated risks.&#160; To facilitate risk assessment and audit planning, IA should maintain (or regularly review if such an inventory is maintained by independent risk management) a complete inventory of all of the regulated entity's material processes, product lines, services, and functions, and then assess the risks, including emerging risks, associated with each.&#160; The risk assessment should consider and address risks to the regulated entity from all sources, both internal and external.&#160; These include, but are not limited to, credit, market, operational, governance, reputational, fraud, and compliance risk.&#160; The assessment should also consider thematic control issues and layered or aggregated risks that cross business units or lines of business.&#160; The risk assessment should analyze and prioritize key risks and risk management functions.</p><p>While the risk assessment should reflect IA's independent analysis, IA may consider all available information, for example, input from management self-assessments. 
&#160;While the formal risk assessment is performed annually, IA should update it as needed for major organizational changes, infrastructure changes, or changes in the regulated entity's external business or regulatory environment.</p><p>As underlying technology has advanced, more business entities are using &quot;Continuous Monitoring&quot; (CM) tools to continuously assess and provide management feedback on whether business processes are performing effectively and &quot;Continuous Auditing&quot; (CA) tools, which allow IA to gather and review control-related business process data. &#160;</p><p>FHFA expects IA functions to employ formal CA and/or CM practices.&#160; CA and CM can be conducted by IA staff and/or through technological tools.&#160; In either case, it should be done pursuant to written policies and procedures that support consistent and comparable results.&#160; CA and CM should be documented through business metrics, management reporting, reports to audit committees, and through any related adjustments made to audit risk assessments and plans.&#160; IA should continuously monitor key business metrics and performance indicators. &#160;IA should work to understand changes and their drivers in order to help identify potential audit issues and changes in the business environment and to adjust risk assessments and audit plans, if needed, in a timely manner.</p><p>2.&#160;&#160;&#160;&#160; <em>Internal</em><em> </em> <em>Audit</em><em> </em> <em>Planning</em></p><p>At least annually, IA should review and update the Audit Plan.&#160; The Audit Plan should be based on the risk assessment and should consider key risks and related controls within each significant business and functional activity, the timing and frequency of planned IA work, and a resource budget. &#160;During the planning process, IA should analyze the regulated entity's specific risks, mitigating controls, and level of residual risk. 
&#160;The CAE should have a contingency plan to mitigate any significant disruption to audit coverage, particularly for high-risk areas. &#160;Documentation supporting the Audit Plan should reference the IA program that describes the objectives of the audit work and the audit work expected to be performed during each IA activity.</p><p>The audit planning process should include evaluating management's root cause and lessons learned analyses performed after a significant adverse event.&#160; IA should consider management's analysis of reasons for the adverse event and whether it resulted from a control breakdown or failure.&#160; IA should confirm that management correctly identified the measures needed to prevent a similar event from occurring in the future.&#160; In certain situations, IA should conduct its own lessons learned analysis outlining the remediation procedures necessary to detect, correct, and/or prevent future internal control breakdowns (including improvements in IA processes).</p><p>The audit planning process should also be designed to inform the board's responsibilities for risk oversight to include&#58;&#160; overseeing the regulated entity's operational and risk management; remaining informed about the regulated entity's operations and condition; and remaining informed about the entity's risk exposures and senior management's actions to address them. 
&#160;The Audit Plan should be designed to provide the audit committee with the depth and breadth of IA assurance it needs to inform those responsibilities.</p><p>3.&#160;&#160;&#160;&#160; <em>Internal Audit Coverage of Risk Management and Regulatory Compliance Programs</em></p><p>FHFA regulations require the Enterprises and FHLBanks to appoint a Chief Risk Officer (CRO) to implement and maintain appropriate enterprise-wide risk management practices and a Compliance Officer (CO) to head a compliance program designed to assure that they comply with applicable laws, rules, regulations, and internal controls.&#160; Both officers should regularly report to the board (in addition, the CRO reports to the Risk Committee) and to the CEO.&#160; These functions are part of the regulated entity's second line of defense, its independent risk management function, and are &#160;separate from first-line operating management but still under the direction and control of senior management.</p><p>IA is the regulated entity's third line of defense.&#160; IA should, through its risk assessment and auditing processes, provide the audit committee with independent assurance that enterprise risk management and compliance programs are working effectively, that those programs have identified and reported timely enterprise and compliance risks, and that significant risks are managed to an acceptable level.&#160; </p><p>4.&#160;&#160;&#160;&#160; <em>Internal Audit Frequency</em></p><p>Internal audits should generally cover the entire audit universe over a maximum four year period. 
&#160;High-risk areas should generally be audited annually, and moderate- and low-risk audits should be scheduled every 12 to 48 months (or one to four years) based on a risk assessment and ranking that is regularly reviewed and updated.&#160; FHFA expects that IA will weigh both inherent and residual risk when deciding on how frequently to audit an area and in considering the audit approach, including the nature and extent of testing. &#160;The CAE should confirm that higher level risks, including thematic trends and control issues, are not underreported due to being separately captured in moderate- or low-risk audits.<a href="#13"><span style="text-decoration&#58;underline;">[13]</span></a>&#160; Audit plans should be dynamic and include time to expand audit work when unexpected or higher risks are identified through CM activities, scheduled audits, or otherwise.&#160; The CAE should regularly report significant changes to the audit universe or audit plans to the audit committee, along with an analysis supporting the changes.</p><p>5.&#160;&#160;&#160;&#160; <em>Internal</em><em> </em> <em>Audit</em><em> </em> <em>Reports</em></p><p>IA reports should generally present the purpose, scope, objectives, and results of the audit, including findings, conclusions, observations, and/or recommendations however styled.&#160; Final reports should also document management's response to findings.&#160; IA should maintain work papers that document the work performed and support the audit report.</p><p>IA should establish and implement a documented methodology that employs appropriate criteria to prioritize and rank audit issues.&#160; The criteria should be sufficiently objective to promote consistent application of judgment and appropriate prioritization of audit issue severity.&#160;&#160;&#160;&#160; </p><p>6.&#160;&#160;&#160;&#160; <em>Internal Audit Issues Monitoring and Tracking</em></p><p>Audit committees should regularly receive clear, timely, and detailed reports on 
significant open violations, findings, weaknesses, and other issues, regardless of their original source.&#160; Issues that FHFA requires to be reported to audit committee chairs, whether by FHFA or regulated entities' management, including all FHFA Matters Requiring Attention (MRAs), should be presumed significant.&#160; Issues may originate from IA audits and reviews, external audit, regulatory examinations, management self-identification, outside consultants' work, and other sources.&#160; IA should also verify that significant risks and/or control deficiencies identified by first- and second-line of defense units, external auditors, or other parties are adequately assessed and communicated to management and board stakeholders.&#160; To facilitate the timely and effective remediation of open audit issues, IA and management or the board (as warranted) should agree on a resolution date and on interim milestones, if appropriate.&#160; </p><p>IA should establish standards for performing timely and appropriately rigorous validation work once management asserts that remediation of significant audit issues (to include MRAs) has occurred.&#160; When management or the board indicates that they have performed the required remediation, IA should validate that revised processes and controls are in place, operating, and sustainable before closing the issue.&#160; The level of validation work that IA should perform to close an issue will vary based on the issue's risk, complexity, and associated interdependencies.&#160; For higher-risk issues, IA should verify that sufficient testing is performed over an appropriate period of time to validate that the issue is sustainably resolved. 
</p><p>IA reports should include key information about open remediation plans and associated timetables agreed on by stakeholders.&#160; Reports should highlight significant issues with delayed remediation, including those for which management has made agreed-upon corrective steps and/or control design changes that are pending validation, until testing is complete.&#160; These steps should help to verify that control changes are effective and sustainable and to identify issues for which the planned remediation may need to be amended.</p><p>Regulated entities should establish and implement policies and/or procedures as appropriate for documenting, monitoring, tracking, and reporting on management's acceptance of risks for any management decision not to remediate audit issues, or for time extensions to perform agreed-upon remediation.&#160; If such accepted risks are individually or in aggregate more than insignificant, the CAE should consult with senior management and the audit committee as appropriate.</p><p>7.&#160;&#160;&#160;&#160; <em>Quality</em><em> Assurance </em> <em>Program</em></p><p>An effective IA Quality Assurance Program (QAP) should be implemented to help minimize audit risk, including the risk that an audit reaches inaccurate conclusions.&#160; A QAP should include regular internal processes and reviews, as well as an external Quality Assurance Review (QAR) to be performed at least every five years.&#160; </p><p>The internal QAP review should include rigorous reviews by IA management and/or peer reviews of reports and work papers for clarity, adherence to IA policies and procedures, and consistency with relevant professional standards.&#160; The QAP should help confirm that IA policies, procedures, and processes comply with applicable regulatory and industry guidance; are appropriate for the size, complexity, and risk profile of the regulated entity; are updated to reflect changes to internal and external risk factors, emerging risks, and 
improvements in industry; and are followed consistently.&#160; QAP reviews and self-assessments may be activity driven or ongoing.&#160; Gaps identified should be documented and addressed timely.&#160; The CAE should report the results of the QAP to the audit committee at least annually and results from the QAR and any other external review, as received.</p><p> <a name="1" id="1"><span style="text-decoration&#58;underline;">[1]</span></a> The OF is not a &quot;regulated entity&quot; as the term is defined in the Federal Housing Enterprises Financial Safety and Soundness Act as amended. &#160;However, for convenience, references to the &quot;regulated entities&quot; in this AB should be read to also apply to the OF.</p><p> <a name="2" id="2"><span style="text-decoration&#58;underline;">[2]</span></a> &quot;Management&quot; as the term is used in this guidance generally comprises the CEO and subordinate managers, who engage in business operations.</p><p> <a name="3" id="3"><span style="text-decoration&#58;underline;">[3]</span></a> As used in this guidance, the term &quot;Chief Audit Executive&quot;&#160;means the individual responsible for the internal audit function at a regulated entity.</p><p> <a name="4" id="4"><span style="text-decoration&#58;underline;">[4]</span></a> 12 CFR 1239.32.</p><p> <a name="5" id="5"><span style="text-decoration&#58;underline;">[5]</span></a> Section 301 of the Sarbanes-Oxley Act does not directly address the audit committee's oversight of the IA function.</p><p> <a name="6" id="6"><span style="text-decoration&#58;underline;">[6]</span></a> NYSE Listed Company Manual, Rule 303A.07.</p><p> <a name="7" id="7"><span style="text-decoration&#58;underline;">[7]</span></a> 12 CFR 1239.5(c).</p><p> <a name="8" id="8"><span style="text-decoration&#58;underline;">[8]</span></a> For the FHLBanks, annual review by the committee and the full board, and re-approval by the board at least every three years are required by regulation.&#160; 12 CFR 
1239.32(d).</p><p> <a name="9" id="9"><span style="text-decoration&#58;underline;">[9]</span></a> For the FHLBanks, these items, except audit committee approval of IA department budget approval, are regulatory requirements. &#160;12 CFR 1239.32(d) (3), (e) (3).</p><p> <a name="10" id="10"><span style="text-decoration&#58;underline;">[10]</span></a> 12 CFR Part 1273.9 (b) (5), which relates to the OF only, states &quot;the internal auditor shall report directly to the Audit Committee and administratively to executive management.&quot;</p><p> <a name="11" id="11"><span style="text-decoration&#58;underline;">[11]</span></a> Co-sourced and outsourced audit engagements should be awarded in compliance with the requirements for equal opportunity in employment and contracting under applicable provisions of the Minority and Women Inclusion and Diversity at Regulated Entities and the Office of Finance regulation, 12 CFR 1207.21.</p><p> <a name="12" id="12"><span style="text-decoration&#58;underline;">[12]</span></a> Auditable entities collectively comprise the potential audit universe and may represent business units, departments, processes, general ledger accounts, or other functions at a regulated entity that are suitable for audit.</p><p> <a name="13" id="13"><span style="text-decoration&#58;underline;">[13]</span></a> For example, if a regulated entity relies on user-developed spreadsheets across its operations, and IA has identified high level or thematic control issues regarding such spreadsheets, the incremental spreadsheet control risk in moderate- or low-risk auditable entities should be aggregated, addressed, and reported appropriately.</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;">Advisory bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, the Office of Finance, Fannie 
Mae, and Freddie Mac.&#160; This Advisory Bulletin is effective January 1, 2017. &#160;Contact David R. Poston, Deputy Chief Accountant, Office of Chief Accountant at <a href="mailto&#58;David.Poston@fhfa.gov"> <span style="text-decoration&#58;underline;">David.Poston@fhfa.gov</span></a> or 202-649-3467, or Nicholas J. Satriano, Chief Accountant, at <a href="mailto&#58;Nicholas.Satriano@fhfa.gov"> <span style="text-decoration&#58;underline;">Nicholas.Satriano@fhfa.gov</span></a> or 202-649-3450, with comments or questions pertaining to this bulletin.</td></tr></tbody></table><p>&#160;</p>
Data Management and Usage | 19295 | Fannie Mae & Freddie Mac | 9/29/2016 4:00:00 AM | AB 2016-04
<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p><strong>ADVISORY BULLETIN</strong></p><p> <strong>AB 2016-04</strong></p><p> <strong>DATA MANAGEMENT AND USAGE<span aria-hidden="true"></span></strong></p></td></tr></tbody></table><p style="text-decoration&#58;underline;"><strong><em><br></em></strong></p><p style="text-decoration&#58;underline;"> <strong><em>Purpose</em></strong></p><p>This advisory bulletin communicates to Fannie Mae and Freddie Mac (the Enterprises) the Federal Housing Finance Agency’s (FHFA) supervisory expectations for the management of data, including expectations for data governance, architecture, quality, and security. Strong data management supports safe and sound operations by enabling an Enterprise to provide secure, accurate, and accessible data to meet business needs and for use in risk management and compliance processes.</p><p style="text-decoration&#58;underline;"> <strong><em>Background</em></strong></p><p>Data management is the development, implementation, and enforcement of policies, procedures, and standards throughout the data lifecycle that establish how data are defined, shared, stored, protected, retrieved, and purged. Strong data management enables an Enterprise to reduce its exposure to operational, financial, and reputational risks. Consistent data management methods can reduce the likelihood of operational errors, adverse business decisions, and financial loss.</p><p>FHFA’s general standards for safe and sound operations are set forth in the Prudential Management and Operations Standards (PMOS) at 12 CFR Part 1236. Standard 1 (Internal Controls and Information Systems) articulates the considerations for the board of directors and management to evaluate when establishing internal controls and information systems. 
FHFA expects the Enterprises to provide relevant, accurate, and timely information to decision-makers and personnel in risk management and compliance functions; to establish and test contingency arrangements for information systems storing data; and to communicate policies and procedures to all personnel with regard to their respective duties and responsibilities. Effective data management includes compliance with applicable laws and regulations and adherence to FHFA supervisory guidance.</p><p style="text-decoration&#58;underline;"> <strong><em>Guidance</em></strong></p><p>FHFA expects each Enterprise to have enterprise-wide data management policies, procedures, and standards. Data architecture should be integrated and provide scalable accessibility and effective utilization across the Enterprise as appropriate. Each Enterprise should establish data quality requirements so that data used for decision-making are relevant, accurate, complete, timely, and consistent. Data management practices should allow users to identify and access appropriate data for business, risk management, and compliance activities and functions. FHFA expects the confidentiality, integrity, and availability of data to be consistent with sound business practices and regulatory requirements.</p><p>Fundamental requirements in the following areas are detailed below&#58;</p><ul><li>Data Governance<br></li><li>Data Architecture<br></li><li>Data Quality<br></li><li>Data Security<br></li><li>Data Usage<br></li></ul><p> <em>Data Governance</em></p><p>Data governance provides the necessary framework to control and support data used in decision-making and risk management. Each Enterprise should establish a data strategy that supports organizational goals through data management, and effective policies, procedures, and standards to maintain the confidentiality, integrity, and availability of Enterprise data throughout the data lifecycle. 
Policies, procedures, and standards should cover, at a minimum, data architecture, data quality, data security, and data usage. Policies and procedures should establish data requirements; controls for assessing and monitoring data; assignment and coordination of individuals’ roles and responsibilities, including their authority to manage the data; and&#160;management support and accountability of data-related issues. Policies, procedures, and standards should be reviewed and updated at least annually and aligned with legal and regulatory requirements for records management.</p><p>In order to assure data oversight and accountability, an Enterprise should designate individuals to be responsible for managing data and representing the interests of relevant stakeholders. Defined responsibilities should include, at a minimum, identifying and monitoring controls for processing or storing data; managing content of both structured and unstructured data; and controlling data from internal and external sources. A senior-level management official should be responsible for and report on effective data management practices for each business unit or control function.</p><p>The Enterprises should monitor and enforce data policies, procedures, and standards. Instances of non-compliance should be identified and tracked through to resolution. Metrics to measure and communicate the effectiveness of the Enterprise’s data strategy should be developed and adopted.</p><p> <em>Data Architecture</em></p><p>Data architecture should define and support data requirements and formats, direct the integration of data, and align data investments with the data strategy. An Enterprise should establish data standardization requirements across the organization that are consistent with the data strategy and that reflect the needs of business and risk management functions. Adherence to those requirements should be confirmed throughout the data lifecycle. 
Each Enterprise should deploy data in a way that reduces redundancy and encourages the use of a single-source system of record for each element. Data should be maintained or archived pursuant to business, legal, and risk requirements to allow for recovery or evaluation of historical data outputs, whether stored in an Enterprise’s data center or in a hosted cloud environment. The use of data virtualization should consider appropriate data synchronization and integration.</p><p>Data models define the Enterprise’s technical requirements for data and the structure to support those requirements. Data modeling, in conformance with established standards, can support reliable data quality and reduce disparate data. In order to standardize data and track the flow of data, both business and technical metadata should be used to describe data characteristics for purposes of organization, collection, storage, and usage. Metadata can improve business collaboration, integration, and efficiency by providing organizational understanding of data and the business processes used by the Enterprises.</p><p> <em>Data Quality</em></p><p>An Enterprise should take steps designed to ensure that data are of an acceptable quality to meet business requirements and control function needs. Data should be sufficiently accurate, complete, timely, and consistent to enable the Enterprise to generate reliable results, such as for reporting and risk modeling. 
An Enterprise should have comprehensive data quality management policies and procedures that include outlining roles and responsibilities regarding the collection, dissemination, and maintenance of data, both created and acquired; defining data quality requirements for created data; defining data quality checks for acquired data; and requiring a mechanism for assessing and verifying data quality, data quality metrics, and data conformance requirements.</p><p>Data should be validated at different points in the lifecycle to assure it meets integrity requirements. An Enterprise should have a methodology for identifying and addressing data inconsistencies, problems, and defects. An Enterprise should design and implement controls intended to ensure quality of data in use, at rest, and moving through applications or databases. Data standardization should consider the relationships of data and how to maintain integrity of data from multiple sources. Tools and techniques should be employed to assure conformity to data quality standards. Data used for decision making should have auditable trails to confirm the quality of data.</p><p> <em>Data Security</em></p><p>Data must be protected against unauthorized and inappropriate use, modification, disclosure, and purging. Each Enterprise should have policies and procedures for monitoring and managing data security that are intended to ensure confidentiality, integrity, and appropriate availability of data. This includes the creation and maintenance of data classifications and controls consistent with the internal standards established in data governance, data architecture, and data quality management.</p><p>Data security management should contain specific security requirements established for categories of data, such as personally identifiable information, intellectual property, and non-public information. Data security controls should be commensurate with the security requirements. 
Each Enterprise should have procedures and processes to ensure that the controls are documented, reviewed, and tested related to those requirements. In order to secure data, an Enterprise should maintain a comprehensive inventory of databases and contents to identify and protect their data and dataflow. An Enterprise should identify and implement encryption controls that are consistent with industry standards and supervisory guidance.</p><p> <em>Data Usage</em></p><p>Data management enables relevant data to be used by an Enterprise to meet its business needs; manage business risks; and support risk management and compliance functions. Enterprise data, whether generated internally or acquired, should be available to business and risk functions to provide comprehensive, clear, and useful outputs. Reporting or risk modeling processes should accurately aggregate data and be able to be reconciled and validated. Reliance on manual processes to manipulate data should be limited to reduce the possibility of human error. Each Enterprise should establish procedures intended to ensure that reports conveying the same data are consistent enterprise-wide. 
Sufficient controls should be implemented to appropriately protect the confidentiality of distributed information derived from data.</p><p style="text-decoration&#58;underline;"> <strong><em>Related Guidance</em></strong></p><p> <em>Information Technology Investment Management, </em>Federal Housing Finance Agency Advisory Bulletin AB-2015-06, September 21, 2015.</p><p> <em>Cyber Risk Management Guidance, </em>Federal Housing Finance Agency Advisory Bulletin AB-2014-05, May 19, 2014.</p><p> <em>Operational Risk Management, </em>Federal Housing Finance Agency Advisory Bulletin AB-2014-02, February 18, 2014.</p><p> <em>Model Risk Management Guidance, </em>Federal Housing Finance Agency Advisory Bulletin AB-2013-07, November 20, 2013.</p><p>12 CFR Part 1236 Prudential Management and Operations Standards, June 8, 2012.</p><p> <em>Safety and Soundness Standards for Information, </em>Office of Federal Housing Enterprise Oversight Policy Guidance PG-01-002, December 19, 2001.</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;">Advisory bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, the Office of Finance, Fannie Mae, and Freddie Mac. This advisory bulletin is effective immediately upon issuance. Contact Kari Walter, Senior Associate Director, Office of Governance, Compliance, and Operational Risk at <a href="mailto&#58;Kari.Walter@fhfa.gov">Kari.Walter@fhfa.gov</a> or Annie Golden, Supervisory Risk Analyst, Office of Governance, Compliance, and Operational Risk at <a href="mailto&#58;Annie.Golden@fhfa.gov">Annie.Golden@fhfa.gov</a> with comments or questions pertaining to this bulletin. 
</td></tr></tbody></table>
Affordable Housing Program: Monitoring Of Income Eligibility And Rents For Shelters For The Homeless And Victims of Domestic Violence | 19346 | FHL Banks | 8/29/2016 4:00:00 AM | AB 2016-03<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p><strong>ADVISORY BULLETIN</strong></p><p> <strong>AB 2016-03</strong></p><p> <strong>AFFORDABLE HOUSING PROGRAM&#58; MONITORING OF INCOME ELIGIBILITY AND RENTS FOR SHELTERS FOR THE HOMELESS AND VICTIMS OF DOMESTIC VIOLENCE<span aria-hidden="true"></span></strong></p></td></tr></tbody></table><p> <span style="text-decoration&#58;underline;"><strong><em>Purpose </em></strong></span></p><p style="text-align&#58;justify;">This Advisory Bulletin provides guidance under the Affordable Housing Program (AHP) on how the Federal Home Loan Banks (Banks) may verify AHP household income eligibility and rents in the case of shelters for the homeless and shelters for victims of domestic violence.</p><p style="text-align&#58;justify;"> <span style="text-decoration&#58;underline;"><strong><em>Background</em></strong></span></p><p>For purposes of initial monitoring of AHP rental housing projects, the AHP regulation requires that a Bank have written monitoring policies for determining whether household incomes and rents comply with the income targeting and rent commitments made in the approved AHP application.&#160; The Bank's policies must include requirements for Bank review of compliance with household income eligibility and rents, and back-up project documentation regarding household incomes and rents maintained by the project owner. &#160;12 CFR § 1291.7(a)(1)(i)(C)(<em>2</em>), (ii)(A). 
</p><p>In the case of long-term monitoring over the AHP 15-year retention period, a Bank's written monitoring policies must include requirements for Bank review of annual certifications, and back-up documentation submitted to the Bank by project owners, to determine that household incomes and rents are in compliance with the commitments in the approved AHP application. &#160;12 CFR § 1291.7(a)(4)(ii)(A), (B).<a href="#1">[1]</a> </p><p>Under the Federal Home Loan Bank Act (Bank Act) and AHP regulation, at least 20 percent of the units in a rental project must be occupied by and affordable for very low-income households (households with incomes at or below 50 percent of area median income (AMI)).&#160; The AHP projects approved by the Banks have much higher percentages of units targeted to very low- and low- or moderate-income households (incomes at or below 80 percent of AMI), in part, due to the targeting scoring incentives in the AHP regulation.&#160; <span style="text-decoration&#58;underline;">See</span> 12 CFR&#160;&#160;&#160;&#160;&#160; § 1430(j)(2)(B); 1291.5(d)(5)(iii).</p><p>Also, under the Bank Act and AHP regulation, the rent charged to a household for a unit that is to be reserved for occupancy by a household with an income at or below 80 percent of AMI, shall not exceed 30 percent of the income of a household of the maximum income and size expected, under the commitment made in the approved AHP application, to occupy the unit, with adjustment for family size. &#160;<span lang="EN" style="text-decoration&#58;underline;">See</span> 12 CFR § 1430(j)(13)(D); 1291.1 (definition of &quot;affordable&quot;).&#160; </p><p>The Banks have requested that for purposes of meeting the AHP initial and long-term monitoring requirements for shelters for the homeless and shelters for victims of domestic violence, the Banks should not be required to obtain documentation to verify shelter residents' AHP income eligibility. 
</p><p> <span style="text-decoration&#58;underline;"> <strong> <em>Analysis</em></strong></span></p><p>Back-up household income-eligibility and rent documentation available from conventional rental housing projects, such as W-2 forms and rent rolls, is typically not available from shelters.&#160; Instead, the Banks have obtained other back-up documentation such as shelter intake forms that include household self-reporting of income (often zero), or social security income documentation, but such documentation is not always readily obtainable.&#160; Intake processing in most shelters presumes that clients are indigent.&#160; Since the fundamental purpose of shelters for the homeless is to serve persons with no homes and, therefore, likely no employment or very low-paying employment, who may be relying on government assistance, it is reasonable to presume that homeless persons residing in shelters have little or no income and, thus, meet the AHP income-eligibility requirements. &#160;FHFA experience in examining Banks for compliance with the AHP monitoring requirements is consistent with this presumption.&#160; For shelters for victims of domestic violence, research from several sources indicates that the incomes of persons residing in such shelters are likely consistent with the AHP income-eligibility requirements.<a href="#2">[2]</a>&#160; </p><p>Residents in homeless shelters and shelters for victims of domestic violence typically do not pay rent or may pay only a nominal amount.&#160; In those shelters that do charge rent or a nominal amount, that amount does not exceed 30 percent of a household's income and, thus, it is reasonable to presume that those shelters comply with the AHP rent requirements.</p><p> <span style="text-decoration&#58;underline;"><strong><em>Guidance&#58;</em></strong></span></p><p>The intent of the AHP rental monitoring requirements is to assure that AHP income-eligibility and rent requirements are met for the AHP 15-year retention 
period.&#160; In light of the fundamental purpose of shelters for the homeless to serve the most indigent, and the evidence indicating that victims of domestic violence residing in shelters meet the AHP income-eligibility requirements, the likelihood of residents of such shelters not meeting the AHP income-eligibility requirements is very low.&#160; Accordingly, it is reasonable to presume compliance by such shelters with the AHP income-eligibility requirements, and the Banks do not need to obtain back-up documentation from the shelter owners verifying the residents' compliance with the AHP income-eligibility requirements.&#160; Similarly, in light of the fact that shelters charge no rent or only a nominal amount, it is reasonable to presume that the shelter rents meet the AHP rent requirements, and the Banks do not need to obtain back-up documentation from the shelter owners verifying compliance with the AHP rent requirements.&#160; </p><p>The Banks, however, must continue to verify at initial monitoring, such as by receipt of a certification from the shelter owner, that the shelter residents' incomes and the rents comply with the income-targeting and rent commitments made in the approved AHP application.&#160; <span style="text-decoration&#58;underline;">See</span> 12 CFR § 1291.7(a)(1)(i)(C)(<em>2</em>).&#160; During long-term monitoring, the Banks must continue to obtain and review annual certifications by the shelter owners that the shelter residents' incomes and the rents comply with the income-targeting and rent commitments made in the approved AHP application, as required under § 1291.7(a)(4)(ii)(A).&#160; The Banks may rely on certifications by shelter owners to verify compliance with the AHP income-eligibility and rent requirements. 
The guidance in this Advisory Bulletin supersedes any previous contrary regulatory guidance or interpretations concerning the documentation required to be obtained by the Banks to verify AHP household income eligibility and rents in the case of shelters for the homeless and shelters for victims of domestic violence.</p><p> <a name="1" id="1"><span style="text-decoration&#58;underline;">[1]</span></a> For AHP projects receiving Low-Income Housing Tax Credits, a Bank need not obtain reports verifying AHP income eligibility and rents during long-term monitoring, based on a presumption of compliance with the AHP income eligibility and rent requirements over the AHP 15-year retention period. &#160;12 CFR § 1291.7(a)(2). </p><p style="text-align&#58;left;"> <a name="2" id="2"> <span style="text-decoration&#58;underline;">[2]</span></a> <span style="text-decoration&#58;underline;">See</span> <span style="text-decoration&#58;underline;">generally</span> Catalano, Shannon, &quot;Intimate Partner Violence in the United States,&quot; Bureau of Justice Statistics, U.S. Department of Justice, last accessed on June 29, 2016, <a href="http&#58;//www.bjs.gov/content/pub/pdf/ipvus.pdf#page6"> <span style="text-decoration&#58;underline;">http&#58;//www.bjs.gov/content/pub/pdf/ipvus.pdf#page6</span></a><span style="text-decoration&#58;underline;">; </span>Breiding, M.J., Chen, J., &amp; Black, M.C. 
(2014), <span style="text-decoration&#58;underline;">Intimate Partner Violence in the United States — 2010,</span> Atlanta, GA, National Center for Injury Prevention and Control, Centers for Disease Control and Prevention, <a href="http&#58;//www.cdc.gov/violenceprevention/pdf/cdc_nisvs_ipv_report_2013_v17_single_a.pdf"> <span style="text-decoration&#58;underline;">http&#58;//www.cdc.gov/violenceprevention/pdf/cdc_nisvs_ipv_report_2013_v17_single_a.pdf</span></a><span style="text-decoration&#58;underline;">; </span>Renzetti, C.M., &quot;Economic Stress and Domestic Violence,&quot; Harrisburg, PA, <a href="http&#58;//www.vawnet.org/"> <span style="text-decoration&#58;underline;">http&#58;//www.vawnet.org</span></a>.</p><p style="text-align&#58;justify;">&#160;</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;">Advisory Bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, the Office of Finance, Fannie Mae, and Freddie Mac. &#160;This Advisory Bulletin is effective immediately upon issuance.&#160; For comments or questions pertaining to this Advisory Bulletin, contact Sylvia Martinez at <a href="mailto&#58;Sylvia.Martinez@fhfa.gov"> <span style="text-decoration&#58;underline;">Sylvia.Martinez@fhfa.gov</span></a> or 202-649-3301; or Marcea Barringer at <a href="mailto&#58;Marcea.Barringer@fhfa.gov"> <span style="text-decoration&#58;underline;">Marcea.Barringer@fhfa.gov</span></a> or 202-649-3275. </td></tr></tbody></table><p>&#160;</p>
FHLBank Changes to Internal Market Risk Models | 19298 | FHL Banks | 4/21/2016 4:00:00 AM | AB 2016-02<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>ADVISORY BULLETIN</strong></p><p> <strong>AB 2016-02</strong></p><p> <strong>FHLBANK CHANGES TO INTERNAL MARKET RISK MODELS</strong></p></td></tr></tbody></table><p>&#160;</p><p style="text-decoration&#58;underline;"> <strong><em>Purpose</em></strong></p><p>This Advisory Bulletin updates previous guidance on how a Federal Home Loan Bank (Bank) may obtain approval to implement significant changes to a previously approved internal market risk model after proper notification to the Federal Housing Finance Agency (FHFA).<a href="#1">[1]</a>&#160; This Advisory Bulletin describes the procedures and documentation for the notification process.&#160; </p><p>This Advisory Bulletin rescinds 2005-AB-06, <em>Changes to Internal Market Risk Models</em>.</p> <br> <p style="text-decoration&#58;underline;"> <strong><em>Background</em></strong></p><p>Each Bank received approval of an internal market risk model used to calculate the market risk component of risk-based capital prior to implementing its capital plan pursuant to 12 CFR&#160; §&#160;932.1.&#160; Further, 12 CFR § 932.5(d) states&#58;</p><p>Each Bank shall obtain&#160; . . . approval of an internal market risk model …. 
including subsequent material adjustments to the model made by the Bank, prior to use of any model.&#160; Each Bank shall make such adjustments to its model as may be directed by the Finance Board.<a href="#2">[2]</a> </p><p>This section does not establish a specific process to follow for obtaining approval of &quot;subsequent material adjustments.&quot;&#160; In the absence of specific procedures in a regulation for obtaining a required approval, 12 CFR § 1211.3 (Section 1211.3) establishes a general approval process for the Banks and FHFA to follow.&#160; Section 1211.3 authorizes the Deputy Director for Federal Home Loan Bank Regulation or his/her designee to grant approvals for any matters requiring approval under FHFA regulations, and specifically authorizes the Deputy Director, or his/her designee, to &quot;prescribe additional or alternative procedures for any application for approval of any transaction, activity, or item.&quot;&#160; Section 1211.3, including the authority to prescribe additional or alternative procedures for seeking approval, is substantially similar to a Finance Board rule which FHFA adopted as its own subject to certain conforming modifications in 2014.<a href="#3">[3]</a>&#160; </p><p>In 2004, the Finance Board issued Regulatory Interpretation 2004-RI-01, which addressed the predecessor provision to the current FHFA rule.&#160; Because the prior rule had allowed the Finance Board to prescribe alternate processes for a required approval, the Regulatory Interpretation permitted a Bank to implement reported changes to its internal market risk model immediately after filing a notice with the Finance Board, absent a Finance Board objection.&#160; In particular, the Regulatory Interpretation noted that the process did not affect the Finance Board's authority under 12 CFR § 932.5(d) to direct a Bank to reverse any change made to the model or to make other changes to the model.&#160; As a result, the regulatory interpretation stated that using 
a notification process to fulfill the prior approval requirements of 12 CFR § 932.5(d) represented &quot;a change in process rather than a change in the substance of . . . supervisory oversight.&quot;&#160; Given that Regulatory Interpretation 2004-RI-01 addressed a provision that FHFA substantively carried over from the Finance Board rules into Section 1211.3, these conclusions also apply to FHFA's authority under current rules.</p><p>The specific procedures described in Regulatory Interpretation 2004-RI-01 as later modified by Advisory Bulletin 2005-AB-06 currently govern the process under which Banks fulfill the regulatory requirement that they obtain approval of significant changes to a previously approved internal market risk model.&#160; This Advisory Bulletin embodies a further modification to the process.<a href="#4">[4]</a>&#160; It does not represent a change in FHFA's supervisory oversight.&#160; FHFA staff will continue to review a Bank's internal risk model during regularly scheduled examinations and may undertake a special review if circumstances warrant.&#160; FHFA also retains the authority to require model changes under 12 CFR § 932.5(d) if it deems such changes necessary.<br><br></p><p style="text-decoration&#58;underline;"> <strong> <em>Guidance</em></strong></p><p>A Bank may implement a significant model change to a previously approved internal market risk model after proper notification to FHFA.<a href="#5">[5]</a>&#160; All model change notifications should be signed by a Bank officer and sent to the Manager, Risk Modeling Branch, FHFA Division of Bank Regulation.&#160; A Bank may notify FHFA of a significant model change in one of two ways depending on certain conditions.&#160; </p><p>Under the first option, a Bank may implement a significant model change that does not involve replacing its existing market risk model, absent a specific objection from FHFA, immediately upon notification to FHFA, provided that the Bank meets each of the 
following conditions&#58; </p><ol><li>The Bank's most recent Report of Examination (ROE) composite and market risk ratings were a 1 or 2;</li><li>The Bank's most recent ROE contains no Matters Requiring Attention (MRA) or violations pertaining to the Bank's market risk modeling;</li><li>The proposed model change does not decrease the Bank's estimated Value at Risk (VaR) by more than 10 percent relative to the existing approved model; and</li><li>The Bank provides appropriate documentation described below&#58;</li></ol><ol style="list-style-type&#58;decimal;"><ol style="list-style-type&#58;lower-alpha;"><li>Assumption Template (see <a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/Modeling%20Assumptions%20Template.xls">Modeling Assumptions Template</a> attachment);</li><li>Written description of the model change indicating why the model change is an improvement over the current production model, and its effect on the Bank's market risk metrics, including but not limited to market value sensitivity to parallel and nonparallel interest rate shocks, duration of equity, convexity, key rate duration, constant prepayment rate (CPR), and VaR for at least two time periods no less frequently than monthly; and</li><li>Certification that the proposed model change meets the Bank's Information Technology signoff requirements (e.g., change control procedures) and copies of other required signoff approvals. 
</li></ol></ol><p>If FHFA has no objections, it will acknowledge receipt of a Bank's proposed model change notification.&#160; Alternatively, if FHFA objects to a specific model change or does not believe the Bank meets the conditions described above, it will inform the Bank of the reasons for its objection or for believing the Bank does not qualify to implement the model change immediately upon notification.</p><p>Under the second option, a Bank seeking to replace its existing market risk model, or a Bank not meeting the conditions to implement a model change immediately upon notification, must obtain FHFA approval prior to implementing any material change to its market risk model.&#160; Under the second option, a Bank should provide the following documentation as part of its submission to FHFA&#58;</p><ol><li>Assumptions Template (see <a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/Modeling%20Assumptions%20Template.xls">Modeling Assumptions Template</a> attachment);</li><li>Written description of the model change indicating why the model change is an improvement over the current production model, and its effect on the Bank's market risk metrics, including, but not limited to, market value sensitivity to parallel and nonparallel interest rate shocks, duration of equity, convexity, key rate duration, CPR, and VaR;</li><li>Detailed instrument and sub-portfolio level results of parallel model runs and any other relevant testing the Bank performed.&#160; The Bank should submit parallel testing for at least two time periods no less frequently than monthly along with any internal analysis;</li><li>Any spreadsheets used to prepare input data for the model if these are affected by the proposed model change; and</li><li>Certification that the proposed model change meets the Bank's Information Technology signoff requirements (e.g., change control procedures) and copies of other required signoff approvals.</li></ol><p>Upon receipt of the 
notification, FHFA will determine whether a Bank's submitted documentation is complete within 30 calendar days, and will advise the Bank in writing whether additional documentation is needed.&#160; Once documentation is complete, FHFA will provide an approval or objection to the model change within 30 calendar days.<a href="#6">[6]</a></p><p><br></p><p> Footnotes&#58;<br><a name="1" style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;">[1]</a><span style="font-style&#58;normal;">&#160;A Bank that follows the guidance described in this Advisory Bulletin will satisfy the regulatory requirement of prior FHFA approval of material adjustments to a market risk model set forth in 12 CFR § 932.5(d).</span></p><p> <span style="font-style&#58;normal;"><a name="2">[2]</a></span><span style="font-style&#58;normal;">&#160;This rule was originally adopted by the Federal Housing Finance Board (Finance Board).&#160; All Finance Board rules remain in effect until repealed, amended or re-adopted by FHFA.&#160;&#160;</span><em style="font-weight&#58;normal;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;color&#58;#404040;">See</em><span style="font-style&#58;normal;">&#160;12 U.S.C. § 4511, note.</span><br></p><p> <span style="font-style&#58;normal;"><span style="font-style&#58;normal;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;"><a name="3">[3]</a></span><em style="font-weight&#58;normal;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;color&#58;#404040;"> See</em><span style="font-style&#58;normal;">, Final Rule, Procedures and General Definitions, 79 Fed. Reg. 64661 (Oct. 
31, 2014).&#160;&#160;</span><em style="font-weight&#58;normal;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;color&#58;#404040;">See, also</em><span style="font-style&#58;normal;">, 12 CFR&#160; §&#160;907.3 (20</span><span style="font-style&#58;normal;">08).</span><br></span></p><p> <span style="font-style&#58;normal;"><span style="font-style&#58;normal;"><a name="4">[4]</a></span><span style="font-style&#58;normal;">&#160;Therefore, Banks should rely on the process described in this Advisory Bulletin for fulfilling the approval requirements of 12 CFR § 932.5(d).&#160; While this Advisory Bulletin supersedes the procedures described in Regulatory Interpretation 2004-RI-01, the reasoning and conclusions of that Regulatory Interpretation remain valid.</span><br></span></p><p> <span style="font-style&#58;normal;"> <span style="font-style&#58;normal;"> <a name="5">[5]</a><span style="font-style&#58;normal;">&#160;What constitutes a significant model change depends on qualitative and quantitative factors determined by the Bank.&#160; The following modifications would constitute a significant model change regardless of any change in model output metrics&#58; replacing, adding, or eliminating model input sources; replacing, adding, or eliminating model parameters and assumptions; changing a software product's processing components or computer code; or changing an application of the model.</span><br></span></span></p><p> <span style="font-style&#58;normal;"><span style="font-style&#58;normal;"><span style="font-style&#58;normal;"><a name="6">[6]</a><span style="font-style&#58;normal;">&#160;Thus, if a Bank submits appropriate documentation with the model change notification, the Bank could expect to receive an approval to the model change from FHFA within 30 calendar days.</span><br></span></span></span></p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" 
style="width&#58;100%;"><p>​Advisory bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the FHLBanks, Fannie Mae, and Freddie Mac.&#160; This bulletin is effective immediately upon issuance. &#160;Contact Stefan Szilagyi, Manager, Risk Modeling Branch, FHFA Division of Bank Regulation at <a href="mailto&#58;Stefan.Szilagyi@fhfa.gov">Stefan.Szilagyi@fhfa.gov</a> with comments or questions pertaining to this advisory bulletin. </p></td></tr></tbody></table><p>&#160;</p>10/17/2016 10:37:20 PMHome / Supervision & Regulation / Advisory Bulletins / FHLBank Changes to Internal Market Risk Models Advisory Bulletin This Advisory Bulletin updates previous guidance on how 1000https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Classification of Investment Securities at FHLBanks | 19347 | FHL Banks | 1/21/2016 5:00:00 AM | AB 2016-01<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"> <p> <strong>ADVISORY BULLETIN&#160;</strong><br></p><p> <strong>AB 2016-01</strong><br></p><p><strong>CLASSIFICATION OF INVESTMENT SECURITIES AT FHLBANKS&#160;&#160;</strong></p></td></tr></tbody></table><p><span style="text-decoration&#58;underline;"><strong><em><br></em></strong></span></p><p> <span style="text-decoration&#58;underline;"> <strong> <em>Purpose</em></strong></span></p><p>This advisory bulletin provides Federal Housing Finance Agency (FHFA) guidance on the&#160;classification of investment securities at the Federal Home Loan Banks (FHLBanks). It&#160;incorporates the guidance provided by the Uniform Agreement on the Classification and&#160;Appraisal of Securities Held by Depository Institutions (<a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/Banking_Agency_Guidance_10-29-2013.pdf">Uniform Agreement</a>) issued by the&#160;<span style="line-height&#58;22px;">Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve&#160;</span><span style="line-height&#58;22px;">System, and the Federal Deposit Insurance Corporation (collectively, the Federal Banking&#160;</span><span style="line-height&#58;22px;">Agencies).&#160;</span></p><p><span style="text-decoration&#58;underline;"><strong><em>Background</em></strong></span></p><p></p><p>In 2010, FHFA’s Division of Federal Home Loan Bank Regulation (DBR) adopted as part of its&#160;examination program the Federal Banking Agencies’ then-current 2004 Uniform Agreement,&#160;with additional related guidelines on how to apply it to the classification of private-label&#160;mortgage-backed securities (PLMBS). 
While DBR adopted the 2004 Uniform Agreement and&#160;<span style="line-height&#58;22px;">re</span><span style="line-height&#58;22px;">lated guidelines through a bulletin directed to its examination staff, the staff in turn&#160;communicated the classification approach to the FHLBanks through ongoing examination&#160;communications. In addition, FHFA published DBR’s general framework for classifying&#160;investment securities in FHFA’s examination module on Investment Portfolio Management.</span></p><p>The Federal Banking Agencies revised the Uniform Agreement in October 2013. The 2013&#160;Uniform Agreement replaced references to ratings by the Nationally Recognized Statistical&#160;Rating Agencies (NRSROs) with alternative standards of creditworthiness. Similarly, in&#160;November 2013, FHFA adopted a standard for investment quality through revisions to Part 1276&#160;– Federal Home Loan Bank Investments, to remove references to NRSROs in that rule. Both the&#160;Federal Banking Agencies’ changes to the Uniform Agreement and FHFA’s changes to Part&#160;1276 responded to section 939A of the Dodd-Frank Wall Street Reform and Consumer&#160;Protection Act (Dodd-Frank Act). In keeping with the Dodd-Frank Act and FHFA’s attendant​&#160;obligation to remove references to or requirements based on NRSRO ratings, FHFA is adopting&#160;through this advisory bulletin the 2013 Uniform Agreement for FHLBank supervisory purposes.</p><p><span style="font-style&#58;normal;font-variant&#58;normal;line-height&#58;22px;text-decoration&#58;underline;font-weight&#58;700 !important;"><em>Guidance</em></span></p><p>The classification of assets is one process through which a FHLBank, as well as FHFA,&#160;identifies and communicates the level of credit risk on a FHLBank’s balance sheet. The&#160;FHLBanks should follow the 2013 Uniform Agreement when classifying investment securities. 
<a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Classification-of-Investment-Securities-at-FHLBanks.aspx#1">[1]</a>&#160;The 2013 Uniform Agreement is attached for reference. Where FHFA’s rules and guidance and&#160;the 2013 Uniform Agreement may conflict, FHFA’s rules and guidance apply.</p><p>In applying the 2013 Uniform Agreement, a FHLBank should use sound and conservative&#160;assumptions, particularly when following the guidance in the Uniform Agreement as it pertains&#160;to upgrades. For example, when considering whether to upgrade a classified security to “pass,” a&#160;FHLBank should base its assessment on assumptions that minimize the likelihood that the&#160;FHLBank would need to classify the security again in the future. As a general rule, FHFA&#160;expects FHLBanks not to use assessment approaches that would allow them to move a security&#160;in and out of adverse classification on a recurring basis. Therefore, a FHLBank should only&#160;upgrade a security after evaluating its future performance under economic and other scenarios&#160;that are significantly adverse and incorporating in the FHLBank’s upgrade criteria sufficient&#160;<span style="line-height&#58;22px;">margins for error.</span></p><p>Notably, the 2013 Uniform Agreement provides classification approach examples that, when&#160;taken together, provide boundaries for upgrading classified securities. Among other factors, the&#160;examples indicate that, regardless of whether a FHLBank has actually incurred credit losses, an&#160;analysis supporting the upgrade of a security previously classified Substandard must show that&#160;the FHLBank will receive all future contractual payments. They further indicate that a FHLBank&#160;<span style="line-height&#58;22px;">may only upgrade such a security after a sustained period of performance. 
For a security that a&#160;</span><span style="line-height&#58;22px;">FHLBank had classified Substandard and on which it had incurred actual credit losses, an&#160;</span><span style="line-height&#58;22px;">analysis would have to clearly show no future risk of loss to support an upgrade.&#160;</span></p><p>Examinations of the FHLBanks will evaluate how a FHLBank applies the 2013 Uniform&#160;Agreement and the guidance in this advisory bulletin to its classification practices. When FHFA&#160;examiners classify a FHLBank’s investment securities, they will also follow the <a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/Banking_Agency_Guidance_10-29-2013.pdf" style="font-style&#58;normal;font-variant&#58;normal;font-size&#58;14px;line-height&#58;22px;font-family&#58;'source sans pro', sans-serif;">2013 Uniform Agreement</a>&#160;and the guidance in this advisory bulletin.</p><p><span style="font-style&#58;normal;font-variant&#58;normal;line-height&#58;22px;text-decoration&#58;underline;font-weight&#58;700 !important;"><em>​</em></span><span style="line-height&#58;22px;">________________________________</span></p><p> <a id="1" href="#ref1">[1]</a>&#160;<span style="font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;color&#58;#444444;">For purposes of applying the guidance in this Advisory Bulletin, “investment securities” generally means those&#160;</span><span style="font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;line-height&#58;22px;color&#58;#444444;">investments categorized as securities according to FHFA call report instructions for FHLBank reporting. 
For&#160;</span><span style="font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;line-height&#58;22px;color&#58;#444444;">example, the guidance does not apply to federal funds sold, certificates of deposit, or securities purchased under&#160;</span><span style="font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;line-height&#58;22px;color&#58;#444444;">resale agreements (i.e., reverse repurchase agreements).</span></p><p> </p><br><div><table class="ms-rteTable-default" cellspacing="0" style="width&#58;100%;"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> Advisory Bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the FHLBanks, Fannie Mae, and Freddie Mac. &#160;For the FHLBanks, contact Amy Bogdon, Associate Director for Regulatory Policy and Programs, Division of FHLBank Regulation, at <a href="mailto&#58;Amy.Bogdon@fhfa.gov" target="_blank">Amy.Bogdon@fhfa.gov</a>. &#160;For t<span style="line-height&#58;22px;">his advisory bulletin specifically, contact Louis Scalza, Associate Director, Office of Examinations, Division of FHLBank Regulation, at <a href="mailto&#58;Louis.Scalza@fhfa.gov" target="_blank">Louis.Scalza@fhfa.gov</a>.&#160;</span><span style="line-height&#58;22px;">&#160;&#160;</span></p></td></tr></tbody></table></div>
Fraud Risk Management | 19303 | Fannie Mae & Freddie Mac | 9/29/2015 4:00:00 AM | AB 2015-07<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>ADVISORY BULLETIN&#160;</strong><br></p><p> <strong>AB 2015-07</strong><br></p><p> <strong>FRAUD RISK MANAGEMENT&#160;&#160;</strong></p></td></tr></tbody></table><p> <span style="text-decoration&#58;underline;"><strong><em>Purpose</em></strong></span></p><p>This Advisory Bulletin communicates to Fannie Mae and Freddie Mac (the Enterprises) the Federal Housing Finance Agency's (FHFA) supervisory expectations for fraud risk management, including the establishment and maintenance of internal controls to prevent, deter, and detect fraud or possible fraud.&#160; </p><p> <span style="text-decoration&#58;underline;"> <strong> <em>Background</em></strong></span></p><p>Effective fraud risk management is essential to the safe and sound operations of the Enterprises.&#160; Potential exposure to the risk of fraud exists in Enterprise business operations.&#160; For example, single-family and multifamily mortgage operations have exposure to the risk of fraud associated with activities of borrowers, loan originators, mortgage brokers, loan sellers, attorneys, servicers, appraisers, property managers, and third parties engaged to perform functions relating to loans or the collateral securing the loans.&#160; Capital markets activities may expose an Enterprise to fraud committed by counterparties involved in securitizations.&#160; The Enterprises also have potential exposure to fraud risk resulting from insider malfeasance.<a id="ref1" href="#1"><font color="#0066cc">[1]</font></a></p><p>Fraud may subject an Enterprise to financial, operational, legal, or reputational harm.&#160; For example, mortgage fraud may result in financial losses for an Enterprise if a seller does not have the financial ability and willingness to honor its obligation to repurchase 
fraudulent loans.&#160; Other types of fraud may result in financial losses if the fraud is not fully covered by fidelity bond insurance.&#160; An Enterprise may be exposed to litigation or civil money penalties for failure to comply with fraud-related statutes and regulations.&#160; Further, fraud may cause reputational risk if an Enterprise's operations are used or perceived to be used to perpetrate fraud. &#160;While experience demonstrates that fraud may not be prevented completely, it may be deterred or reduced through appropriate anti-fraud procedures that are maintained and reviewed over time.</p><p> <span style="text-decoration&#58;underline;">Examples of Fraud</span> </p><p>The Enterprises may encounter various types of fraud.&#160; For example, mortgage fraud may occur in mortgage loans purchased for an Enterprise's own portfolios or for securitization.&#160; Fraud may be committed as part of the origination, underwriting, or closing process or in conjunction with the servicing of a loan on behalf of an Enterprise.&#160; </p><p>Mortgage-related fraud may be committed by various participants in the origination, selling, and servicing of mortgage loans.&#160; Borrowers may provide false identification, employment, or income information to obtain approval for a mortgage loan.&#160; Parties involved in loan originations, such as appraisers, attorneys, and title agencies, may engage in misrepresentation of collateral or performance of contracted responsibilities, or through diversion of funds.&#160; Sellers of mortgage loans may misrepresent underwriting standards or deliver a single mortgage loan multiple times.&#160; Servicers may divert custodial or other funds received to accounts used for their own purposes.&#160; </p><p>Mortgage-related fraud may be part of larger schemes that include originating mortgage loans through the use of straw borrowers, illegal property flipping, double-pledging of collateral, and builder bailouts.&#160; Post-origination 
mortgage fraud may target financially distressed borrowers to steal equity in or secure title to a property through fraudulent workout schemes or short sales.&#160; </p><p>Insider fraud (<em>i.e.</em>, fraud involving current or former employees and contractors) may include accounting fraud, payroll fraud, embezzlement, or collaboration with external parties in a fraud against an Enterprise or other financial institution.&#160; </p><p>The wide variation of possible fraudulent activities creates a broad range of fraud risk; therefore, an Enterprise should implement a risk-based approach to fraud risk management that takes into account the scope and potential harm to the Enterprise of possible fraud.</p><p> <span style="text-decoration&#58;underline;"> <strong> <em>Guidance</em></strong></span></p><p>This Advisory Bulletin describes FHFA's expectations for the oversight of fraud risk management, key elements of a risk-based approach to fraud risk management, and the training and independent testing functions that should accompany an Enterprise's fraud risk management approach. 
&#160;As described below, FHFA expects the Enterprises will take steps to manage fraud risk in all business lines and operational functions.<a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Fraud-Risk-Management.aspx#footnote2"><font color="#0066cc">[2]</font></a></p><p> <span style="text-decoration&#58;underline;">Oversight of Fraud Risk Management</span></p><p>Each Enterprise's board of directors has a responsibility to ensure that the Enterprise's management is committed to effective fraud risk management and that the Enterprise has appropriate policies for preventing and detecting fraud or possible fraud.&#160; The Enterprise should have documented processes in place to appropriately inform the board about fraud risk management activities and significant instances of fraud or possible fraud.&#160; Fraud risk should be included in the risk management policies that are approved by the board or a committee thereof, and reviewed on a periodic basis.&#160; </p><p>The policies should establish the Enterprise's standards and reporting processes relating to fraud and possible fraud.&#160; The policies should designate the management official(s) responsible for the oversight of fraud risk management and define specific roles and responsibilities for personnel with fraud risk management responsibilities.&#160; </p><p>Enterprise management should develop and oversee the implementation of business unit policies and procedures to implement and support anti-fraud and regulatory reporting programs and controls consistent with the Enterprise's policies.&#160; Business unit policies should detail the Enterprise's fraud risk management processes, including risk assessments, internal controls, training, independent testing, fraud response protocols, and board and senior management reporting.&#160; </p><p>The Enterprise should provide for appropriate coordination across business lines and functions of fraud risk management activities and resources.&#160; Areas of 
coordination may include risk assessments, oversight of the design and implementation of anti-fraud and regulatory reporting programs and controls, and reporting to senior management and the board or a committee thereof, as appropriate, the results of the Enterprise's fraud risk management efforts.&#160; </p><p> <span style="text-decoration&#58;underline;">Elements of Fraud Risk Management</span></p><p>Effective fraud risk management should include&#58;</p><ul style="list-style-type&#58;disc;"><li>Ongoing risk assessments to determine areas of heightened risk for possible fraud and adequacy of the control environment. </li><li>Risk-based internal controls that are designed to prevent and deter fraud from occurring.</li><li>Risk-based internal controls that are designed to detect fraud when it occurs.</li><li>Processes for responding to and reporting fraud or possible fraud.</li></ul><p> <em>Risk Assessments</em> </p><p>An Enterprise should have an ongoing process for performing risk assessments to identify and assess risk of fraud and to evaluate controls in place to mitigate risk.&#160; Risk assessments should consider factors such as products, services, customers, counterparties, and geographic locations, and should cover business units and operational and control functions.&#160; Fraud risk assessments should provide the basis for internal controls to prevent and deter fraud and to detect fraud or possible fraud.&#160; An Enterprise should have in place a process for periodically updating fraud risk assessments and making associated changes to internal controls.&#160; </p><p> <em>Fraud Prevention and Deterrence</em></p><p>Each Enterprise should maintain effective internal controls designed to prevent and deter fraud.&#160; The type and scale of internal controls will vary depending on the operational area, product type, and fraud risk.&#160; Types of controls include segregation of duties; a system of proper authorizations; physical safeguards to prohibit access 
to assets and records; a system of independent checks; and records to provide an audit trail.&#160; </p><p>Internal controls should be clearly documented and subject to ongoing review to determine whether they are followed, are effective, and reflect current industry sound practices.&#160; With regard to potential insider fraud, policies related to the consequences of committing or concealing fraud should be communicated clearly to all personnel.&#160; </p><p> <em>Fraud Detection </em></p><p>The complexity and extent of the internal controls for detection of different types of potential fraud in different business activities should be based on the fraud risk assessment, in light of the size, structure, risks, complexity, and vulnerability to fraud of the particular activity.&#160; Fraud detection controls and tools may include, but are not limited to, internal and external tip hotlines; whistleblower vehicles; audits; quality control reviews; and analysis of financial, operational, and transaction data.&#160; Detection methods may involve a review of transactions for possible fraud and, where possible, should include a review for red flags that indicate fraud or possible fraud.&#160; Examples of red flags may include patterns of inconsistency in borrower information, loan documentation, servicer records, and significant servicer performance issues, as well as adverse public information. &#160;Additionally, an Enterprise may identify individuals and firms known to have been involved in fraud. 
&#160;Fraud detection procedures should document when findings will warrant the expansion of the scope of review consistent with current risk assessments.</p><p>Each Enterprise should have adequate information systems to timely capture information needed to detect fraud or possible fraud and comply with regulatory reporting requirements.&#160; </p><p> <em>Fraud Response and Reporting</em></p><p>Each Enterprise should have documented processes for evaluating and responding to various types of possible fraud and for complying with regulatory reporting requirements.&#160; An Enterprise should take steps to make its employees and third parties aware of methods by which they may report possible fraud relating to Enterprise operations.&#160; Furthermore, an Enterprise should ensure that its procedures and resources are sufficient to timely investigate possible fraud.&#160; </p><p>An Enterprise's process should address investigation procedures, protocols for gathering evidence, decision-making authority, internal and regulatory reporting, escalation protocols, remedial action, and disclosure.&#160; Individuals assigned to investigations should have the necessary training, authority, and skills to evaluate possible fraud and determine the appropriate course of action.&#160; The process should include a tracking or case management system(s) where allegations of fraud are logged.&#160; As appropriate, an Enterprise's procedures should also include a review of incidents to determine if improvements need to be made to processes or internal control systems to prevent future incidents of possible fraud.&#160; </p><p>Each Enterprise should have effective, risk-based processes to timely investigate potential fraud to minimize and prevent loss.&#160; Procedures should be in place for reporting investigation findings regarding fraud or possible fraud in accordance with regulatory requirements and Enterprise policy.&#160; </p><p> <span 
style="text-decoration&#58;underline;">Training</span></p><p>Each Enterprise should promote fraud awareness by conveying the importance of fraud prevention and penalties for fraud to all employees. &#160;Each Enterprise should provide and document adequate fraud risk management training that is risk-based and commensurate with trainees' roles and specific responsibilities.&#160; Training should include instruction on regulatory requirements and the Enterprise's policies and procedures to comply with those requirements.&#160; Board and senior management training should reflect their oversight role.&#160; Training should be updated as needed to reflect regulatory changes and industry sound practices, as well as changes to the Enterprise's risk assessments and internal controls.&#160; </p><p> <span style="text-decoration&#58;underline;">Independent Testing</span></p><p>Each Enterprise should conduct regular independent testing in all business lines to determine the overall adequacy and effectiveness of the Enterprise's fraud risk management.&#160; Testing scope, procedures performed, and findings should be documented.</p><p> <span style="text-decoration&#58;underline;"> <strong> <em>Related FHFA Guidance</em></strong></span></p><p> <em>Enterprise Fraud Reporting</em>, Federal Housing Finance Agency Advisory Bulletin 2015-02, March 26, 2015, communicates to the Enterprises FHFA's fraud reporting requirements pursuant to 12 CFR Part 1233.</p><p> <em>Oversight of Single-Family Seller/Servicer Relationships</em>, Federal Housing Finance Agency Advisory Bulletin 2014-07, December 1, 2014, communicates to the Enterprises FHFA's supervisory expectations for managing counterparty risk associated with their relationships with single-family Seller/Servicers.</p><p> <em>Suspended Counterparty Program at 12 CFR Part 1227, </em>generally sets forth the requirements by which each regulated entity submits reports to FHFA when it becomes aware that an individual or institution with 
which it has been engaged in a covered transaction (as such term is defined in the regulation) within the previous three years has been convicted, debarred, suspended, or otherwise sanctioned, based on specified financial misconduct. &#160;FHFA may issue suspension orders in appropriate cases, requiring the regulated entities to cease doing business with such individuals or institutions.</p><p>________________________________ </p><p> <a id="1" href="#ref1">[1]</a> For purposes of this Advisory Bulletin, fraud occurs when a person(s), knowingly and willfully (1) falsifies, conceals, or covers up a material fact by any trick, scheme, or device; (2) makes any materially false, fictitious, or fraudulent statement or representation; or (3) makes or uses any false writing or document knowing the same to contain any materially false, fictitious, or fraudulent statement or entry. </p><p> <a id="2" href="#ref2">[2]</a> The risk management guidance in this Advisory Bulletin complements the requirements for reporting fraud and possible fraud found in&#58; (i) 12 C.F.R. Part 1233, Reporting of Fraudulent Financial Instruments; (ii) 31 C.F.R. Parts 1010 and 1030, Anti-Money Laundering Program and Suspicious Activity Report Filing Requirements for Housing Government Sponsored Enterprises; and (iii) Advisory Bulletin 2015-02, Enterprise Fraud Reporting (March 26, 2015).</p><div><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> Advisory Bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, Fannie Mae, and Freddie Mac. &#160;This advisory bulletin is effective immediately upon issuance. 
&#160;Contact&#160;Bobbi Montoya, Associate Director, Examination Standards Branch at&#160;<a href="mailto&#58;Bobbi.Montoya@fhfa.gov">Bobbi.Montoya@fhfa.gov</a>&#160;or&#160;(202)&#160;649-3406, Kathy Beach, Principal Advisor, Office of Supervision Policy at <a href="mailto&#58;Kathy.Beach@fhfa.gov">Kathy.Beach@fhfa.gov</a> or (202) 649-3521, or Ellen Joyce, Principal Risk Analyst, Risk Analysis Branch at <a href="mailto&#58;Ellen.Joyce@fhfa.gov">Ellen.Joyce@fhfa.gov</a> or (202) 649-3409 with comments or questions pertaining to this bulletin. &#160;&#160;</p></td></tr></tbody></table></div>
Information Technology Investment Management | 19306 | Fannie Mae & Freddie Mac | 9/21/2015 4:00:00 AM | AB 2015-06<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>ADVISORY BULLETIN&#160;</strong><br></p><p> <strong>AB 2015-06</strong><br></p><p> <strong>INFORMATION TECHNOLOGY INVESTMENT MANAGEMENT&#160;&#160;</strong></p></td></tr></tbody></table><p> <br> <strong style="text-decoration&#58;underline;"> <em>Purpose</em></strong> </p><p>This advisory bulletin provides Federal Housing Finance Agency (FHFA) guidance on information technology (IT) investment management by Fannie Mae and Freddie Mac (the Enterprises).&#160; FHFA expects that each Enterprise's IT investment management will include sound governance and effective monitoring and reporting that reflect relevant risk assessments of the Enterprise.&#160; &#160;&#160;</p><div><div style="text-decoration&#58;underline;"> <strong><em>Background</em></strong></div><div> <br> &#160;</div><div><p>The Enterprises' investments to maintain and improve their IT environments are critical to the success of business operations and strategic initiatives.&#160; Effective IT investment management contributes to safe and sound operations by enabling an Enterprise to confirm that IT investments are aligned with strategic priorities, support business operations, and deliver expected returns on investment. 
&#160;An effective process for funding IT projects should assist an Enterprise to assess costs and benefits of investments, manage interdependencies among related projects, identify risk exposures to third-party vendors, and plan the funding of multi-year projects over multiple budget cycles.&#160; </p><p>FHFA's standards for safe and sound operations are generally set forth in the Prudential Management and Operations Standards (PMOS) at 12 CFR Part 1236.&#160; In particular, PMOS Standard 1.4 (Internal Controls and Information Systems, Framework) articulates the requirement for an effective system of internal controls, which includes a board-approved organizational structure that clearly assigns responsibility, authority, and reporting relationships, as well as appropriate segregation of duties.&#160;&#160;</p></div><div> <em> <span style="text-decoration&#58;underline;"> <strong>Guidance</strong></span></em></div><div> <br> &#160;</div><div> <span style="line-height&#58;1.6;">FHFA expects that each Enterprise's IT investment management will include sound governance and effective monitoring and reporting that reflect relevant risk assessments of the Enterprise. 
&#160;</span><span style="line-height&#58;1.6;">An Enterprise may develop and refine its IT investment management based on sound industry practices, such as the Control Objectives for Information and Related Technology (COBIT) framework issued by the Information Systems Audit and Control Association (ISACA).</span><span style="line-height&#58;1.6;">&#160;</span> <p></p><p> <em>Governance</em></p><p>Each Enterprise should maintain sound governance over IT investments using a risk-based approach at both the portfolio level and at the project level to confirm that the Enterprise's IT investments are aligned with enterprise strategic priorities and line of business objectives.&#160; Governance should address funding of IT projects and prioritization of project funding based upon risk assessments for proposed investments, cost-benefit analyses, and requirements for diversity and inclusion practices in contracting, <strong> </strong><a id="ref1" href="#1"><strong> </strong><span><strong> </strong><font color="#0066cc"><strong>[1]</strong></font></span></a><strong>&#160;</strong>among other factors.</p><p>The governance over IT investments should clearly define the roles and responsibilities of stakeholders, including the board of directors, business leads, and IT management.&#160; Delegations of authority should be established and subject to periodic review, and exceptions to delegated authority should be documented.&#160; The governance process should confirm that appropriate risk control functions have input into IT funding decisions at both project and portfolio levels. 
&#160;</p><p>Setting IT investment priorities is a key component of governance.&#160; Risk assessments should be performed for IT funding proposals to identify potential risks at the project and portfolio level.&#160; In addition, cost-benefit analyses should be conducted to inform the prioritization of IT investments and funding decisions.&#160; </p><p>Ensuring sustainability of IT investments is essential for mitigating risks such as operational disruptions, security lapses, or system degradation.&#160; Strong governance and oversight of IT investments should be designed to enable an Enterprise to ensure that its IT environment remains current and that IT investments are sustainable.&#160; Budgeting should include long-term IT investments over multiple budget cycles, not only for new projects, but also for ongoing maintenance such as routine service, periodic modification, equipment replacement, enhancement of security features, and patch management.&#160; Effective IT investment governance should also include a regular review function to monitor project management practices against established standards, practices, and internal controls.&#160; </p><p> <em>Monitoring and Reporting</em></p><p>Each Enterprise should maintain a process for tracking IT investments and the performance of funded projects.&#160; Monitoring and reporting are essential tools for management to ensure timely identification of changes to project schedules or budgets and the opportunity to ensure that issues are addressed through appropriate governance mechanisms. 
&#160;Effective monitoring and reporting &#160;for IT investments should assist management in ensuring ongoing alignment of the IT project portfolio with strategic objectives and business operating plans, and in maintaining current information on budgets, timelines, and project interdependencies.&#160; </p><p>IT investment management requires periodic performance reporting that provides senior management and the board of directors with appropriate dashboards or similar reports to capture results for performance objectives.&#160; Such reports should inform decision-makers about the sustainability and viability of both existing and future projects.</p><p style="text-decoration&#58;underline;"> <i> <strong>Related Guidance</strong></i></p><p> <em>Guidance on Cyber Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin AB‑2014-05, May 19, 2014.</p><p> <em>Guidance on the Retirement of the Microsoft Windows XP Operating System</em>, Federal Housing Finance Agency Advisory Bulletin AB-2014-04, March 20, 2014. </p><p> <em>Operational Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin AB‑2014‑02, February 18, 2014. 
</p><p> <em>Safety and Soundness Standards for Information</em>, Office of Federal Housing Enterprise Oversight Policy Guidance PG-01-002, December 19, 2001.&#160;</p><p>​________________________________</p><p></p><p> <a id="1" href="#ref1"> [1]</a> 12 CFR § 1207.21 requires that the Enterprises develop, implement, and maintain policies and procedures to ensure, to the maximum extent possible in balance with financially safe and sound business practices, the inclusion and utilization of minorities, women, individuals with disabilities, and minority-, women-, and disabled-owned businesses in procurement and all types of contracts.</p></div></div><div>​ <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> ​​​​​​Advisory Bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, the Office of Finance,&#160;Fannie Mae, and Freddie Mac. &#160;This advisory bulletin is effective immediately upon issuance. &#160;Contact&#160;Bobbi Montoya, Associate Director, Examination Standards Branch at&#160;<a href="mailto&#58;Bobbi.Montoya@fhfa.gov">Bobbi.Montoya@fhfa.gov</a>&#160;or&#160;(202)&#160;649-3406, John McNicholas, Senior Examiner (Policy), Examination Standards Branch&#160;at <a href="mailto&#58;John.McNicholas@fhfa.gov">John.McNicholas@fhfa.gov</a> or&#160;(202) 649-3525&#160;or&#160;Anne Paulin, Principal Risk Analyst, Risk Analysis Branch at <a href="mailto&#58;Anne.Paulin@FHFA.gov">Anne.Paulin@fhfa.gov</a> or (202) 649-3421 with comments or questions pertaining to this bulletin. 
&#160;&#160;</p></td></tr></tbody></table> </div>
FHLBank Core Mission Achievement | 19299 | FHL Banks | 7/14/2015 4:00:00 AM | AB 2015-05<p> <span style="text-decoration&#58;underline;"> <strong> <em>Purpose</em></strong></span></p><p>This Advisory Bulletin provides Federal Housing Finance Agency (FHFA) guidance on Federal Home Loan Bank (Bank) core mission achievement.&#160; It should be considered in conjunction with FHFA's Advisory Bulletin 2010-AB-02, <em>Strategic Plans</em>.&#160; The Advisory Bulletin also describes how FHFA will assess the Banks' core mission achievement, as well as FHFA's expectations about the content of the strategic plans for Banks with core mission assets below specified levels.&#160;&#160;&#160;&#160;&#160; </p><p> <span style="text-decoration&#58;underline;"><strong><em>Background</em></strong></span></p><p>FHFA currently has in place a core mission activities regulation (12 CFR § 1265.2), which describes the mission of the Banks as follows&#58;</p><p style="text-align&#58;justify;">The mission of the Banks is to provide to their members and housing associates financial products and services, including but not limited to advances, that assist and enhance such members' and housing associates' financing of&#58; (a) housing, including single-family and multi-family housing serving consumers at all income levels; and (b) community lending.</p><p>Further, the regulation defines core mission activities to include&#58;</p><ul><li>All advances,</li><li>All letters of credit, </li><li>All intermediary derivative contracts, </li><li>Most mortgage loans (Acquired Member Assets or AMA), </li><li>Certain debt and equity investments in targeted community development and in small business investment companies (SBICs), </li><li>Investment in certain SBIC securities guaranteed by the Small Business Administration,</li><li>Investment in notes and certificates guaranteed by the Department of Housing and Urban Development under section 108 of the Housing and Community Development Act of 1974, and 
</li><li>Investments and obligations for housing and community development issued or guaranteed under Title VI of the Native American Housing Assistance and Self-Determination Act of 1996. </li></ul><p> <span style="text-decoration&#58;underline;"><strong><em>Guidance</em></strong></span></p><p>When developing its strategic business plan with respect to core mission, FHFA will expect each Bank to consider the guidelines established in this Advisory Bulletin.&#160; FHFA's regulation on strategic business plans requires each Bank's board of directors to adopt, maintain, and periodically review a strategic business plan that &quot;describes how the business activities of the Bank will achieve the mission of the Bank consistent with&quot; the core mission activities provisions.<a id="ref1" href="#1">[1]</a></p><p> <span style="text-decoration&#58;underline;">Components of Core Mission</span></p><p>Core mission assets and activities should be divided into two parts.</p><ul><li> <em>Primary Mission Assets</em> – Advances (inclusive of Community Investment Program (CIP) Advances and Community Investment Cash Advances (CICA)) and AMA are &quot;Primary Mission Assets.&quot; &#160;These two assets are fundamental to the business of a Bank and most directly contribute to the mission of the Banks. &#160;Because a portfolio of residential mortgage loans presents risks not present with advances, FHFA expects that each Bank's board of directors will establish a prudential limit on its maximum holdings of AMA, which should be governed by the Bank's ability to manage the risks inherent in holding mortgages. 
&#160;</li></ul><ul><li> <em>Supplemental Mission Assets and Activities</em> – This category includes other types of assets or activities that also support the Banks' housing finance and community lending mission, though in a less direct way than advances and AMA.&#160; Supplemental Mission Assets and Activities would include, but not be limited to, advance commitments, Housing Finance Agency debt instruments, investment in certain small business investment company securities, certain Small Business Administration government guaranteed investments, standby bond purchase agreements, off-balance sheet mortgages, and letters of credit.</li></ul><p> <span style="text-decoration&#58;underline;">Measuring Core Mission Achievement</span></p><p>FHFA will assess each Bank's core mission achievement by calculating the ratio of its Primary Mission Assets relative to consolidated obligations (COs).&#160; FHFA will make these calculations, starting at year-end 2015, using annual average par values, as reported by the Banks in FHFA's Call Report System (CRS), and will assess each Bank's core mission achievement on an annual basis as part of the examination process.&#160; &#160;&#160;</p><p> <span style="text-decoration&#58;underline;">Consideration of Core Mission Achievement</span></p><p>When considering its core mission achievement, FHFA will expect each Bank to use the following framework.&#160; </p><ul><li> <em>Preferred Advances and AMA Ratio</em> – This term refers to a ratio of advances and AMA to COs of at least 70 percent.&#160; </li></ul><p>For Banks that maintain a &quot;Preferred Advances and AMA Ratio,&quot; FHFA will not undertake a further evaluation regarding its mission achievement.&#160; Nonetheless, a Bank in this category should include as part of its strategic plan an assessment of its prospects for maintaining this level of mission achievement. 
</p><ul><li> <em>Evolving Advances and AMA Ratio</em> – This term refers to a ratio of advances and AMA to COs of less than 70 percent but at least 55 percent.&#160; </li></ul><p>For Banks that have an &quot;Evolving Advances and AMA Ratio,&quot; FHFA will undertake a further evaluation regarding its mission achievement, the nature of which will &#160;depend on the Bank's actual ratio.&#160; For those Banks where the ratio is&#58; </p><ul><li>Closer to 70 percent, FHFA expects the Bank's strategic plan to explain how the Bank will bring the ratio closer to the &quot;Preferred Advances and AMA Ratio.&quot;&#160; If, however, the Bank had significant amounts of Supplemental Mission Assets and Activities or of CIP advances and CICA, FHFA would be less concerned than if the Bank did not.</li></ul><ul><li>Closer to 55 percent, FHFA expects the Bank's strategic plan to include a more detailed description of the actions the Bank plans to take to bring its Primary Mission Assets closer to the &quot;Preferred Advances and AMA Ratio.&quot;&#160; This provision of the strategic plan should explain in some detail the Bank's plans to increase its mission focus, such as by increasing Primary Mission Assets or Supplemental Mission Assets and Activities, or by decreasing its other investments.&#160;&#160;</li></ul><ul><li> <em>Advances and AMA Ratio below 55 percent – </em>This category would include any Bank with a ratio of Advances and AMA to COs below 55 percent. 
</li></ul><p>FHFA will evaluate in detail Banks with Primary Mission Asset ratios below 55 percent.&#160; At a minimum, FHFA will expect the Bank's strategic plan to include a robust explanation describing in detail the circumstances that caused the Primary Mission Asset ratio to fall below 55 percent, as well as a detailed description of its plans to increase its ratio.&#160; </p><p>In assessing the mission achievement of such Banks, FHFA will take into consideration the potential effects of business cycle fluctuations on advance demand and the Banks' ability to influence that demand.&#160; However, FHFA will expect that if a Bank were to have a Primary Mission Assets ratio below 55 percent over the course of several consecutive reviews, then the Bank's board of directors should consider possible strategic alternatives, in addition to the balance sheet actions noted above, as part of its strategic planning.</p><p>_________________</p><p> <a id="1" href="#ref1">[1]</a> The regulation on strategic business plans is currently located at 12 CFR §&#160;917.5, but FHFA has proposed to relocate the provision to 12 CFR § 1239.31&#160;</p>
FHLBank Unsecured Credit Exposure Reporting | FHLB & Office of Finance | 7/1/2015 | AB 2015-04
<p><strong></strong>&#160;</p><p><strong>ADVISORY BULLETIN</strong></p><p><strong>AB 2015-04</strong></p><p><strong>FHLBANK UNSECURED CREDIT EXPOSURE REPORTING </strong></p><p><strong>&#160;</strong></p><p><span style="text-decoration&#58;underline;"><strong><em>Introduction</em></strong></span></p><p>This Advisory Bulletin (AB) applies to the Federal Home Loan Banks (FHLBanks) and the Office of Finance (OF), and describes changes to the manner in which the FHLBanks are to report their unsecured credit exposures.&#160; The AB provides guidance to the FHLBanks in fulfilling the requirements of Section 932.9(e)(1), Section 932.9(e)(2), Section 1273.6(f), and Section 1260.2 of the Federal Housing Finance Agency (FHFA) regulations, which pertain to FHLBank reporting requirements and OF monitoring requirements, as described below.&#160; This AB replaces and supersedes the Federal Housing Finance Board guidance on unsecured credit reporting requirements provided by AB-02-07, dated August 27, 2002.&#160; </p><p><span style="text-decoration&#58;underline;"><strong><em>Background</em></strong></span></p><p>Section 932.9(e)(1) of FHFA regulations provides that each FHLBank must periodically report to the FHFA certain information regarding its unsecured credit exposures.&#160; In recent years, the FHLBanks fulfilled this requirement by reporting their unsecured credit exposures by counterparty to the OF, which compiles the data into a consolidated monthly report and provides that information to FHFA.&#160; Under Section 1273.6(f) of FHFA regulations, OF is required to monitor and compile relevant data on each FHLBank and the FHLBank System's unsecured credit exposures to individual counterparties.&#160; </p><p>Section 932.9(e)(2) separately requires each FHLBank to report similar information on their combined secured and unsecured extensions of credit to individual 
counterparties.&#160; In accordance with AB-02-07, the FHLBanks currently report this information to FHFA through their call reports.&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; </p><p>In addition to the above processes, FHFA has issued a special data request (SDR), SDR-2011-04, pursuant to which it requires the FHLBanks to report certain unsecured credit information on a weekly basis.&#160; Information collected under this SDR is shared with the FHLBanks and OF as set forth in part 1260 of FHFA regulations (Sharing of Information among the Federal Home Loan Banks).&#160; </p><p>In coordination with FHLBank and OF representatives, FHFA has developed a new reporting process whereby the FHLBanks will submit information required under Section 932.9(e)(1) directly to FHFA, instead of reporting it to OF.&#160; Effective June 30, 2015, all FHLBanks should submit information directly to FHFA through the new extranet reporting interface developed to satisfy regulatory reporting requirements related to unsecured credit.&#160; Existing FHFA Call Report System requirements concerning FHLBank combined secured and unsecured exposures to individual counterparties remain in force and unchanged.</p><p><span style="text-decoration&#58;underline;"><strong><em>Guidance</em></strong></span></p><p><strong>Section 932.9(e)(1) Reporting</strong></p><p>Section 932.9(e)(1) of FHFA regulations requires each FHLBank to report monthly the total amount of unsecured credit extensions to any single counterparty that exceeds five percent of the FHLBank's total capital or five percent of the counterparty's Tier 1 capital.&#160; If the FHLBank has extended unsecured credit to affiliated counterparties, it must use the affiliates' combined Tier 1 capital for these calculations.&#160; </p><p>The FHLBanks have been fulfilling these reporting requirements by reporting their unsecured credit exposures by counterparty to the OF, which uses the data to prepare a consolidated monthly report for 
FHFA.&#160; Under the new reporting requirement, information about FHLBank capital and counterparty Tier 1 capital amounts used to evaluate maximum allowable counterparty exposure will now come directly from information that FHFA collects. &#160;</p><p>With implementation of the new reporting process, the FHLBanks should submit monthly reports on unsecured extensions of credit by counterparty to the FHFA through the new extranet reporting portal.&#160; FHLBanks should no longer submit FHFA-required information on unsecured credit exposures to OF.&#160; Information on the FHLBanks' net derivative exposures to particular counterparties will also ultimately be included in the new reporting requirements and submitted through the same portal.&#160; </p><p>With these changes to the FHLBanks' unsecured credit reporting requirements, FHFA has determined that the FHLBanks need not continue to submit the weekly reports of their unsecured credit exposures required by SDR-2011-04.&#160; Although a separate SDR will be forthcoming, the reporting system outlined in this AB will be effective immediately.&#160;&#160;&#160;&#160;&#160; </p><p><strong>Section 932.9(e)(2)</strong><strong>&#160; </strong><strong>Reporting</strong></p><p>FHLBanks should continue to report through the Call Report System the information required by Section 932.9(e)(2) of FHFA regulations regarding total extensions of secured and unsecured credit to any single counterparty or group of affiliated counterparties that exceeds five percent of the FHLBank's total assets.&#160; FHLBank assets should be determined as of the same month-end as the month in which the FHLBanks made the extension of credit.&#160; </p><p><strong>Section 1273.6(f) Monitoring</strong></p><p>Section 1273.6(f) of FHFA regulations requires the OF to monitor and compile relevant data on each FHLBank's and the System's unsecured credit exposures to individual counterparties.&#160; Currently, OF carries out those responsibilities based on 
the unsecured credit exposure data that the FHLBanks submit to OF each month.&#160; With implementation of the new reporting interface, the OF will have access through the FHFA extranet to Bank-reported unsecured credit data and will be able to monitor and compile relevant data on unsecured credit exposures in that manner.&#160; </p><p><strong>Section 1260.2(a) Bank Information to be Shared</strong></p><p>Section 1260.2(a) of FHFA regulations requires FHFA to distribute to the FHLBanks and the OF financial and supervisory information regarding each FHLBank and the System.&#160; FHFA's information sharing notice, which sets forth the categories of information to be distributed to the FHLBanks, states that the information contained in the weekly report on each&#160; FHLBank and the FHLBanks' collective unsecured credit exposures should be shared with all FHLBanks.&#160; Under the new reporting process implemented by this AB, this weekly report will be discontinued and will be replaced by the monthly report to FHFA, as described above.&#160; FHFA, therefore, will share the monthly data on unsecured exposures with the FHLBanks and will make appropriate modifications to the existing information sharing notice through a separate document.&#160;&#160;&#160;&#160;&#160;&#160; </p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;">Advisory bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the FHLBanks, Fannie Mae, and Freddie Mac. &#160;If you have any questions on this AB, please contact the Division of Federal Home Loan Bank Regulation's Principal Examiner Jack Phelps at <a href="mailto&#58;jack.phelps@fhfa.gov"><span style="text-decoration&#58;underline;">jack.phelps@fhfa.gov</span></a> or 202-649-3522 or Associate Director- <em>Safety and Soundness Examinations</em> Gary L. 
Bucher at <a href="mailto&#58;gary.bucher@fhfa.gov"><span style="text-decoration&#58;underline;">gary.bucher@fhfa.gov</span></a> or 202-649-3522.</td></tr></tbody></table>
Rescission of Division of Enterprise Regulation Guidance Documents | Fannie Mae & Freddie Mac | 3/26/2015 | AB 2015-03
<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>ADVISORY BULLETIN&#160;</strong><br></p><p> <strong>AB 2015-03</strong><br></p><p> <strong>RESCISSION OF DIVISION OF ENTERPRISE REGULATION GUIDANCE DOCUMENTS&#160;</strong></p></td></tr></tbody></table><p> <br> <strong style="text-decoration&#58;underline;"> <em>Purpose</em></strong> </p><p>The Federal Housing Finance Agency (FHFA) is issuing this advisory bulletin to rescind five examination guidance documents issued by the Office of Federal Housing Enterprise Oversight (OFHEO).</p><div><div> <br> &#160;</div><div style="text-decoration&#58;underline;"> <strong><em>Background</em></strong></div><div> <br> &#160;</div><p>In an effort to keep guidance related to the examination process current, FHFA regularly reviews outstanding guidance, including guidance issued by its predecessor agencies. &#160;As a result of the most current review, FHFA has determined that five guidance documents issued by OFHEO should be rescinded. &#160;These five guidance documents have been superseded by FHFA guidance, or restate regulations without providing additional guidance, or are no longer relevant or applicable in the current environment. 
&#160;</p><div> <br> &#160;</div><div style="text-decoration&#58;underline;"> <strong><em>Guidance</em></strong></div><div> <br> &#160;</div><div>This Advisory Bulletin rescinds&#58;</div><div>&#160;</div><div><ul><li>PG-00-001&#58; Minimum Safety and Soundness Requirements (12/19/2000)<br></li><li>PG-00-002&#58; Non-Mortgage Liquidity Investments (12/19/2000)<br></li><li>PG-06-001&#58; Examination for Corporate Governance (11/8/2006)<br></li><li>PG-06-003&#58; Examination for Accounting Practices (11/8/2006)<br></li><li>PG-08-002&#58; Standards for Enterprise Use of the Fair Value Option (4/21/2008)<br></li></ul></div></div><div><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> Advisory bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, Fannie Mae, and Freddie Mac. &#160;Contact Bobbi Montoya, Associate Director, Office of Supervision Policy at (202)&#160;649-3406 or <a href="mailto&#58;Bobbi.Montoya@fhfa.gov">Bobbi.Montoya@fhfa.gov</a> or Carol Connelly, Principal Examiner, Examination Standards Branch, at (202) 649-3232 or <a href="mailto&#58;Carol.Connelly@fhfa.gov">Carol.Connelly@fhfa.gov</a>, with comments or questions pertaining to this bulletin.&#160;&#160;</p></td></tr></tbody></table><br></div>
FHLBank Fraud Reporting | FHL Banks | 2/12/2015 | AB 2015-01
<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>ADVISORY BULLETIN&#160;</strong><br></p><p> <strong>AB 2015-01</strong><br></p><p> <strong>FHLBank Fraud Reporting</strong></p></td></tr></tbody></table><p> <br> <strong style="text-decoration&#58;underline;"><em>Purpose</em></strong> </p><p> This advisory bulletin communicates the Federal Housing Finance Agency's (FHFA) guidance on fraud activity reporting for the Federal Home Loan Banks (FHLBanks).&#160;&#160; </p><p style="text-align&#58;justify;">This advisory bulletin rescinds and replaces FHFA's Regulatory Policy Guidance RPG-2011-001, <em>Reporting of Fraudulent Financial Instruments</em> (RPG-2011-001), as the RPG applies to the FHLBanks.&#160; </p><p><strong style="text-decoration&#58;underline;"><em>Background</em></strong><br>The FHLBanks, Federal National Mortgage Association (Fannie Mae) and Federal Home Loan Mortgage Corporation (Freddie Mac) (together, the &quot;Enterprises&quot;) (the FHLBanks and the Enterprises collectively, the &quot;regulated entities&quot;) have certain reporting requirements under the Federal Housing Enterprises Financial Safety and Soundness Act of 1992 (12 U.S.C. Section 4501 <em>et seq</em>.) (Safety and Soundness Act) as implemented by 12 CFR Part 1233 (FHFA Regulation).&#160; The Housing and Economic Recovery Act of 2008 (HERA) amended the Safety and Soundness Act and conferred upon FHFA supervisory and oversight responsibilities for the Enterprises and the FHLBanks.&#160; The Safety and Soundness Act subjects the regulated entities to fraud reporting (12 U.S.C. 
4642) and requires each regulated entity to submit to FHFA a &quot;timely&quot; report upon discovery that it has purchased or sold a fraudulent loan or financial instrument, or when it suspects a possible fraud related to the purchase or sale of any loan or financial instrument (12 U.S.C. 4642).&#160; </p><p>The FHFA Regulation implements the timely reporting requirement of the Safety and Soundness Act (12 U.S.C. 4642) and requires that a regulated entity provide immediate notification to the Director of FHFA either by telephone or electronic communication upon the discovery of any situation that would have a significant impact on the regulated entity, determine the manner in which the regulated entities are to report a fraud or possible fraud to FHFA, as well as develop internal controls, policies, procedures and training as related to the reporting of fraud or possible fraud.&#160; (12 CFR Part 1233).&#160; The FHFA Regulation grants the Director authority to determine procedures by which the regulated entities will submit such reports (12 CFR 1233.3(b)).&#160; </p><p>On February 25, 2014, the Financial Crimes Enforcement Network (FinCEN) published the &quot;Anti-Money Laundering Program and Suspicious Activity Report Filing Requirements for Housing Government Sponsored Enterprises&quot; (31 CFR Parts 1010 and 1030) (79 FR 10365) (FinCEN Regulation), which extends certain provisions of the Bank Secrecy Act to the regulated entities, and delegates examination responsibility to FHFA to determine compliance with the requirements of the FinCEN Regulation.&#160; Generally, the FinCEN Regulation requires that each regulated entity develop an anti-money laundering (AML) program and file suspicious activity reports (SARs), among other requirements.&#160; The FinCEN Regulation became effective on April 28, 2014.&#160; Starting August 25, 2014, the regulated entities were required to comply with the SAR filing requirements.</p><p><span 
style="text-decoration&#58;underline;"><strong><em>Guidance - Reporting</em></strong></span></p><p>The FHLBanks should implement policies and procedures for complying with FinCEN reporting requirements as defined in the FinCEN Regulation.&#160; In addition, this advisory bulletin provides the FHLBanks guidelines for reporting fraud to FHFA in compliance with the FHFA Regulation and for supervisory oversight purposes.&#160; Previous guidance issued under RPG-2011-001 is no longer applicable, including guidance limiting fraud reporting to those instances involving a pattern of fraud of which the transaction is a part.&#160; </p><p>FHFA may request additional information related to fraud or potential fraud from the FHLBanks individually or collectively to accomplish the agency's supervisory objectives.&#160; </p><p><strong><em>1.</em></strong><strong><em>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; </em></strong><strong><em>Definitions</em></strong></p><p>A number of definitions appear in 12 CFR Part 1233, and additional terms used in this advisory bulletin are defined below. 
</p><p>&#160;<strong>Discovery Date</strong> means the date at which an FHLBank becomes aware of a fraud or possible fraudulent activity, including employee misconduct.</p><p><strong>Financial Instrument Fraud Officer (FIFO) </strong>means a designated management official with overall responsibility for overseeing the investigation, reporting and operational training in connection with fraud or possible fraud involving the purchase or sale of loans or other financial instruments.&#160; The FIFO's operational training responsibilities include developing and maintaining a training program designed to ensure that employees and contractors who have fraud detection, investigation and reporting responsibilities conduct their duties efficiently and effectively.&#160; This position does not need to be a stand-alone job function, so long as other responsibilities do not conflict with the FIFO duties.&#160; The FIFO may be the same person as the compliance officer required by the FinCEN Regulation.</p><p><strong>Insider Fraud</strong>, for purposes of this advisory bulletin, means a fraud or possible fraud involving a member of the board of directors, an officer, an employee, or a contractor temporarily engaged to fill a position at an FHLBank or other individual similarly engaged by an FHLBank.&#160; Insider fraud also includes misconduct by an employee that&#58;</p><ol><li>Intentionally falsifies, conceals, or covers up by any trick, scheme, or device a material fact; </li><li>Makes any materially false, fictitious, or fraudulent statement or representation; or </li><li>Makes or uses any false writing or document knowing the same to contain any materially false, fictitious, or fraudulent statement or entry that results in a material personal benefit or causes material harm to the FHLBank.</li></ol><p>The reporting of such employee misconduct is within FHFA's authority under 12 U.S.C. 
4514, which provides the Director the authority to require reports by the regulated entities as the Director considers appropriate. </p><p><strong>Significant, </strong>as used in the context of an immediate notification, means that which may affect the integrity of or public confidence in the FHLBank or the U.S. Government.</p><p><strong><em>2.</em></strong><strong><em>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; </em></strong><strong><em>FHLBank Reporting </em></strong></p><p>The FHLBanks should adhere to the following reporting requirements in order to fulfill their timely reporting responsibilities under 12 CFR 1233.3(a)(1).</p><p><span style="text-decoration&#58;underline;"><strong><em>Control Environment</em></strong></span></p><p>Compliance with the FHFA Regulation and the FinCEN Regulation will be best enabled if each FHLBank maintains a FIFO (as defined above) and the FIFO oversees the following reporting requirements.&#160; </p><p><span style="text-decoration&#58;underline;"><strong><em>Immediate Notification</em></strong></span></p><p>To comply with 12 CFR 1233.3(a)(2), an FHLBank should notify the Director's designee(s) within one calendar day of the Discovery Date by telephone and by electronic communication when a fraud or possible fraud may involve a significant fiscal, financial, or reputational impact on the FHLBank, when a significant fraud or possible fraud involves a vendor, or when a fraud or possible fraud involves insider fraud, including employee misconduct. 
&#160;</p><p><span style="text-decoration&#58;underline;"><strong><em>Suspicious Activity Report Filing Notification</em></strong></span></p><p>FHLBanks should notify the Division of FHLBank Regulation (DBR) by electronic communication that it has filed a SAR with FinCEN on the same day as filing the SAR.&#160; This notification should include the Discovery Date, FinCEN filing date, SAR filing name, the estimated monetary value, a description of the activity reported in the filing, and any other information requested by FHFA.&#160; FHFA will provide a template that an FHLBank may use for such reporting and the name(s) of the Director's designee(s).&#160; </p><p><span style="text-decoration&#58;underline;"><strong><em>Cumulative Quarterly Status Report</em></strong></span></p><p>The FHLBanks should submit a quarterly report to FHFA, referred to as the <em>Cumulative Quarterly Status Report</em>, which should include a summary of all SARs filed with FinCEN during the current year, all open (unresolved) SARs or previously filed Financial Instrument Fraud Reports (FIFRs), and any SARs/FIFRs closed or resolved during the past three years.&#160; FHFA will provide the FHLBanks with a template for the <em>Cumulative Quarterly Status Report</em>. 
</p><p>Each FHLBank should provide the Director's designee(s) with the <em>Cumulative Quarterly Status Report</em> within ten (10) calendar days after the end of each calendar quarter, regardless of whether the FHLBank had a reportable event during the period covered by the report.&#160; The FHLBank should send the report electronically through secure methods or such other process as established by FHFA.&#160; </p><p style="text-align&#58;justify;"><span style="text-decoration&#58;underline;"><strong><em>Annual Conformance Review and Report </em></strong></span></p><p style="text-align&#58;justify;">No less than annually, each FHLBank should review the requirements of the FHFA Regulation, the FHLBank's internal controls, and this advisory bulletin to determine whether its practices are aligned with FHFA's expectations.</p><p>Each FHLBank should submit an <em>Annual Conformance Report</em> to its board of directors describing the results of its annual review.&#160; At a minimum, the <em>Annual Conformance Report </em>should include a summary of the FHLBank's policies, procedures, internal controls, and training for financial instrument fraud and anti-money laundering risk that have been developed, modified, or enhanced; other actions taken by the FHLBank to conform with the provisions of this advisory bulletin; and the status of the FHLBank's efforts to remediate &quot;matters requiring attention&quot; related to the discovery and reporting of fraud or possible fraud identified as part of FHFA examinations.</p><p><span style="text-decoration&#58;underline;"><strong><em>FHLBank Reporting</em></strong></span></p><p>Upon its approval and as documented in meeting minutes, the FHLBank's board of directors should submit the <em>Annual Conformance Report</em> to the Director's designee(s) three months after the close of the reporting cycle.&#160; For the initial reporting cycles under this advisory bulletin, the <em>Annual Conformance Report</em> should cover calendar year 
2014, then the time period of January 1,<sup> </sup>2015 through June 30, 2015.&#160; Thereafter, the <em>Annual Conformance Report</em> should cover the time period of July 1 through June 30 of the following year, with the <em>Annual Conformance Report</em> submitted on or before September 30.&#160; </p><p>&#160;</p> <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> Advisory bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the FHLBanks, Fannie Mae, and Freddie Mac. &#160;For the FHLBanks, contact Amy Bogdon, Associate Director for Regulatory Policy and Programs, Division of FHLBank Regulation at <a href="mailto&#58;Amy.Bogdon@fhfa.gov">Amy.Bogdon@fhfa.gov</a>.&#160; </p></td></tr></tbody></table>
Oversight of Single-Family Seller/Servicer Relationships | Fannie Mae & Freddie Mac | 12/1/2014 | AB 2014-07
<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>ADVISORY BULLETIN&#160;</strong><br><strong></strong></p><p> <strong>AB 2014-07&#160;</strong><br><strong></strong></p><p> <strong>Oversight of Single-Family Seller/Servicer Relationships</strong></p></td></tr></tbody></table><h2> <br> </h2><h2>Purpose</h2><p>This advisory bulletin communicates the Federal Housing Finance Agency’s (FHFA) supervisory expectation that Fannie Mae and Freddie Mac (collectively, the Enterprises) maintain the safety and soundness of their operations by effectively managing counterparty risks. FHFA expects each Enterprise to assess financial, operational, legal, compliance, and reputation risks associated with its single-family Seller/Servicer counterparties and to take appropriate action to mitigate those risks or reduce the Enterprise’s exposure. Toward this end, each Enterprise should implement a board-approved risk management framework that specifically includes risk-based oversight of single-family Seller/Servicers. Enterprise oversight should be performed pursuant to policies and procedures as described in this advisory bulletin.</p><h2>Background</h2><p>The business relationships between the Enterprises and Seller/Servicers are a fundamental component of the Enterprises’ delegated business models. Seller/Servicers engage in business transactions with and on behalf of the Enterprises, principally selling loans and performing servicing functions, under the terms of each Enterprise’s respective selling and servicing guide and other contractual provisions. 
The term “Seller/Servicer” as used in this advisory bulletin includes all entities that sell single-family mortgage loans to the Enterprises or perform single-family mortgage loan servicing for the Enterprises.</p><p>Seller/Servicers may engage in all aspects of a mortgage loan’s lifecycle or specialize in phases of the lifecycle (e.g., servicing delinquent mortgage loans). Individual Seller/Servicers may present unique risks due to their organizational structure and complexity; operational and technological capabilities and capacity; experience; access to financial resources, both funding and capital; and scope of regulatory oversight.</p><h2>Guidance</h2><p> <em>Risk Management Framework</em><br></p><p>The board of directors is responsible for overseeing the Enterprise’s overall risk management. The use of a third party does not relieve the Enterprise’s board of directors and senior management of their respective responsibilities to oversee and manage the risks that arise out of the Enterprise’s Seller/Servicer relationships.</p><p>FHFA expects each Enterprise to have a risk management framework for Seller/Servicers as part of its enterprise-wide risk management program. An effective risk management framework addresses the Seller/Servicer relationship for the duration of its lifecycle, including due diligence and selection, contract negotiation, ongoing monitoring (including performance review and issue resolution), and termination.</p><p>The framework should incorporate a policy for the oversight of Seller/Servicer relationships. The policy should establish standards for identifying, assessing, monitoring, and managing risks associated with Seller/Servicer relationships. The policy should assign clear roles and responsibilities and require that significant decisions with respect to Seller/Servicers be documented and include all appropriate Enterprise stakeholders, including Enterprise risk management. 
The policy should require that significant issues related to a Seller/Servicer or exceptions to the policy be reported to senior management. The policy should identify criteria for when significant issues will be reported to the board of directors (or a committee thereof). The policy should be implemented by business line-level policies and procedures that establish processes and controls.</p><p> <em>Selection of Seller/Servicers&#160;</em></p><p> <em></em> <span style="line-height&#58;22px;">Prior to entering into a contractual relationship with a Seller/Servicer, the Enterprise should perform due diligence and document the results. The due diligence should evaluate relevant risks related to a potential Seller/Servicer and should be informed by the factors below. The framework may provide for due diligence to be conducted using a risk-based approach, pursuant to defined criteria.&#160;</span><br></p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p> ​<span style="text-decoration&#58;underline;">Financial Risk Factors</span>&#160;</p></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p>​​Financial risk is the risk of loss due to the Seller/Servicer’s inability to meet its financial obligations. Financial risk may arise due to deterioration in the Seller/Servicer’s financial condition, significant growth, or an unexpected event that causes financial hardship. 
The Enterprises should consider the following in assessing each potential Seller/Servicer’s financial risk, as appropriate&#58;</p><ul><li> <span style="line-height&#58;22px;">Overall financial strength and financial ratio trends;&#160;</span><br></li><li> <span style="line-height&#58;22px;">B</span><span style="line-height&#58;22px;">usiness plan, expertise, and loan production sources;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Ability to meet selling and servicing guides and other contractual provisions, including representations and warranties, under stable and adverse economic scenarios;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Existing and anticipated sources of income, capital, and liquidity;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Quality of loans;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Projected levels of loans, mortgage servicing rights (MSRs), and other servicing assets (e.g., MSR strips, servicing advances);&#160;</span><br></li><li> <span style="line-height&#58;22px;">Adequacy of fidelity bond and errors and omissions insurance coverage; and&#160;</span><br></li><li> <span style="line-height&#58;22px;">Complexity of the Seller/Servicer’s financial structure, in</span><span style="line-height&#58;22px;">cluding the terms of any financial arrangements with other parties.&#160;</span><br></li></ul><p style="text-decoration&#58;underline;"> Operational Risk Factors</p><p>Operational risk is the exposure to loss from inadequate or failed internal processes, people, and systems, or from external events. Operational risk may arise when a Seller/Servicer cannot effectively perform the duties that it has contracted to perform due to deficiencies in its operations or controls. 
The Enterprises should consider the following in assessing each potential Seller/Servicer’s operational risk, as appropriate&#58;&#160;</p><ul><li> <span style="line-height&#58;22px;">Current and prospective resources and capacity regarding staffing, facilities, technology infrastructure, and any sub-servicing arrangements;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Organizational structure, complexity, and ownership, including affiliates;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Key personnel, principals, and controlling shareholders, including information from background checks, when appropriate;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Reliance on, exposure to, and performance of sub-servicers, location of subservicers, and the Seller/Servicer’s ongoing monitoring program and quality control testing of sub-servicers;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Seller/Servicer oversight of third-party service providers (e.g., mortgage brokers, appraisers) contractually obligated to the Seller/Servicer, not the Enterprise;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Risk management program, internal controls and results of audits or reviews, including independent post-closing loan review process;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Business continuity and contingency planning; and&#160;</span><br></li><li> <span style="line-height&#58;22px;">Information technology management program, including an information security framework.&#160;</span><br></li></ul><p> <span style="text-decoration&#58;underline;">Legal, Compliance, and Reputation Risk Factors</span>&#160;</p><p>Legal, compliance, and reputation risk exists when a Seller/Servicer’s operations are not consistent with laws, regulations, sound practices, or an Enterprise’s selling and servicing guides and other contracts. 
The Enterprises should consider the following in assessing the legal, compliance, and reputation risk associated with potential Seller/Servicers, as appropriate&#58;&#160;</p><ul><li> <span style="line-height&#58;22px;">Maintenance of the appropriate federal and state charters or licenses required for or relevant to operating their business;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Scope of federal and state regulatory oversight, both prudential and consumer protection;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Compliance programs for all applicable laws and regulations, including consumer protection laws;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Record of compliance with applicable laws </span><span style="line-height&#58;22px;">and regulations, based upon publicly available information;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Information known or reasonably available to an Enterprise about loan originators used by the Seller/Servicer and their compliance with consumer protection laws;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Publicly available information about supervisory and legal actions, including criminal and civil actions, taken against the Seller/Servicer, key personnel, principals or controlling shareholders, and affiliates;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Publicly available information about investigations and litigation initiated by federal and state authorities, and agreements reached in conjunction with those actions, including the assessment of fines;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Orders issued under the FHFA Suspended Counterparty Program; and&#160;</span><br></li><li> <span style="line-height&#58;22px;">Significant consumer complaints or a pattern of consumer complaints</span><span style="line-height&#58;22px;">.&#160;</span><br></li></ul></blockquote><blockquote style="margin&#58;0px 
0px 0px 40px;border&#58;none;padding&#58;0px;"> <span style="line-height&#58;22px;">Evaluation of these risk factors should be consistent with, and supportive of, the standards for approving Seller/Servicers articulated in the risk management policy.&#160;</span></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"> <span style="line-height&#58;22px;"><br></span></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p> <em>Ongoing Monitoring</em>&#160;</p><div> <span style="line-height&#58;22px;">​Monitoring of the Seller/Servicer for the duration of the relationship is essential to an Enterprise’s ability to manage Seller</span><span style="line-height&#58;22px;">/Servicer risks. As part of ongoing monitoring, each Enterprise should have risk-based procedures that require updating information obtained during the approval process and performing subsequent analysis to evaluate changes in a Seller/Servicer’s risk. FHFA expects that ongoing monitoring will be risk-based, so it will vary among individual Seller/Servicers and may change over time for a particular Seller/Servicer. 
Enterprise policy regarding the scope and frequency of ongoing monitoring activities should be commensurate with the risk associated with the particular Seller/Servicer.&#160;</span><br></div><div> <span style="line-height&#58;22px;"> <br></span></div><div> <span style="line-height&#58;22px;">The documented analysis should take into account factors assessed during the approval process, as well as the following factors, as appropriate&#58;&#160;</span></div><div><ul><li> <span style="line-height&#58;22px;">Volume of loans sold; MSRs retained, sold, transferred, or pledged; and servicing transfer activity, noting rapid or significant changes;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Outstanding obligations and past performance regarding recoveries of repurchases and compensatory fees;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Adherence to approved terms of business, including capital requirements, sales volume, and product limitations;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Delivery and servicing performance record;&#160;</span></li><li> <span style="line-height&#58;22px;">Contractual ability of the Enterprise to access Seller/Servicer records and conduct onsite visits;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Results of operational reviews performed by the Enterprise;&#160;</span></li><li> <span style="line-height&#58;22px;">Results of the Enterprise’s review of a Seller/Servicer for the Seller/Servicer’s compliance with consumer protection and other laws where the Enterprise may have legal liability as a result of the Seller/Servicer’s noncompliance;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Information about a Seller/Servicer’s compliance with consumer protection laws where the Enterprise may be exposed to significant risk as a result of the Seller/Servicer’s noncompliance;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Record of compliance with 
Seller/Servicer guides and other contractual terms, including compliance with laws and regulations, based on Enterprise compliance and quality control reviews;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Results of fraud and data integrity reviews;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Volume, type, and pattern of Seller/Servicer guide waivers considering documented justification for waivers, and results of ongoing performance reviews of loans with waivers relative to justification and expectations;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Sufficiency and timeliness of performance data to evaluate the quality and effectiveness of Seller/Servicer processes for actual and projected volumes;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Accuracy and completeness of loan recordkeeping, including loan data systems and loan documentation, throughout the life of the loan;&#160;</span><br></li><li> <span style="line-height&#58;22px;">Changes in the Seller/Servicer’s business model, strategies, or practices; and&#160;</span><br></li><li> <span style="line-height&#58;22px;">Operational and system complexity, including after an acquisition or merger involving multiple locations, systems, and processes.&#160;</span><span style="font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;line-height&#58;22px;">&#160;</span></li></ul></div></blockquote><div> <span style="font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;line-height&#58;22px;"> <em>Management</em>&#160;</span></div><div> <span style="font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;line-height&#58;22px;"> <br></span></div><div> <span style="font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;line-height&#58;22px;">The risk management framework should include policies for the escalation to and subsequent tracking of issues by the Enterprise’s senior management or
board of directors (or committee thereof), depending on the type of issue and the risk posed to the Enterprise. In addition, the policies should address the remediation of deficiencies or weaknesses identified in performance criteria or risk areas, as appropriate. The policies should also include standards for taking timely remedial action to exercise contractual rights for termination, suspension, or restriction of activities with a Seller/Servicer, including, for example, against a Seller/Servicer that fails to meet an Enterprise’s standards of performance or that poses reputation risk because of noncompliance with applicable laws and regulations or unso</span><span style="font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;line-height&#58;22px;">und business practices.&#160;</span><br></div><div><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><div> <span style="line-height&#58;22px;"> <br></span></div></blockquote><h2> Related Guidance and Regulations </h2><div> <em style="color&#58;#404040;font-family&#58;'source sans pro', sans-serif;font-size&#58;14px;line-height&#58;22px;">Mortgage Servicing Transfers</em><span style="line-height&#58;22px;">, Federal Housing Finance Agency Advisory Bulletin 2014-06, June 11, 2014, communicates FHFA’s supervisory expectations for risk management practices in conjunction with the sale and transfer of mortgage servicing rights or the transfer of the operational responsibilities for servicing mortgage loans owned or guaranteed by the Enterprises.&#160;</span><br></div><div> <span style="line-height&#58;22px;"> <br></span></div><div> <span style="line-height&#58;22px;"> <em>Contingency Planning for High-Risk or High-Volume Counterparties</em>, Federal Housing Finance Agency Advisory Bulletin 2013-01, April 1, 2013, establishes guidelines for contingency plans for high-risk or high-volume counterparties and describes the criteria the regulated entities should use to develop plans 
for managing counterparty credit risk exposures.&#160;</span></div><div> <span style="line-height&#58;22px;"> <br></span></div><div> <span style="line-height&#58;22px;">12 CFR Part 1227 <em>Suspended Counterparty Program</em> generally sets forth the requirements by which each regulated entity submits reports to FHFA when it becomes aware that an individual or institution with which it has been engaged in a covered transaction (as such term is defined in the regulation) within the previous three years has been convicted, debarred, suspended, or otherwise sanctioned, based on specified financial misconduct. FHFA may issue suspension orders in appropriate cases, requiring the regulated entities to cease doing business with such individuals or institutions.&#160;</span></div><div> <span style="line-height&#58;22px;"> <br></span></div><div> <span style="line-height&#58;22px;">12 CFR Part 1233 <em>Reporting of Fraudulent Financial Instruments </em>requires each regulated entity to make a report to FHFA upon discovery that it has purchased or sold a fraudulent loan or financial instrument or suspects a possible fraud relating to the purchase or sale of any loan or financial instrument.&#160;</span></div><div> <span style="line-height&#58;22px;"> <br></span></div><div> <span style="line-height&#58;22px;">12 CFR Part 1236 <em>Prudential Management and Operations Standards, Standard 9 – Management of Credit and Counterparty Risk </em>provides guidelines on the management of credit and counterparty risk.&#160;</span></div><div> <span style="line-height&#58;22px;"> <br></span></div><div> <span style="line-height&#58;22px;">Department of the Treasury Financial Crimes Enforcement Network 31 CFR Parts 1010 and 1030 <em>Anti-Money Laundering Program and Suspicious Activity Report Filing Requirements for Housing Government Sponsored Enterprises </em>requires each regulated entity to file suspicious activity reports and develop an anti-money laundering program.&#160;</span><br> 
<div> <span style="font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;color&#58;#444444;"></span></div></div></div><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong></strong><span style="font-style&#58;normal;font-variant&#58;normal;line-height&#58;22px;">Advisory Bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, Fannie Mae, and Freddie Mac. This bulletin is effective immediately upon issuance. Contact Kari Walter, Senior Associate Director, Office of Supervision Policy at 202-649-3405 or <a href="mailto&#58;Kari.Walter@fhfa.gov">Kari.Walter@fhfa.gov</a>, or Kathy Beach, Office of Supervision Policy, at 202-649-3521 or <a href="mailto&#58;Kathy.Beach@fhfa.gov">Kathy.Beach@fhfa.gov</a> with comments or questions pertaining to this bulletin<strong>.</strong><em></em></span></p></td></tr></tbody></table>
Mortgage Servicing Transfers | 19309 | Fannie Mae & Freddie Mac | 6/11/2014 4:00:00 AM | AB 2014-06 <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p><strong>ADVISORY BULLETIN&#160;</strong><br><strong></strong></p><p><strong>AB 2014-06&#160;</strong><br><strong></strong></p><p><strong>Mortgage Servicing Transfers&#160;</strong></p></td></tr></tbody></table><h2>Purpose</h2><p>The Federal Housing Finance Agency (FHFA) is issuing this advisory bulletin to communicate supervisory expectations for risk management practices in conjunction with the sale and transfer of mortgage servicing rights (MSRs) or the transfer of the operational responsibilities of servicing mortgage loans owned or guaranteed by Fannie Mae and Freddie Mac (collectively, the Enterprises).</p><h2>Background</h2><p>The sale and transfer of MSRs or the transfer of mortgage servicing has recently increased for a number of reasons. Some servicing transfers are initiated by the Enterprises. An Enterprise may seek to facilitate or require the transfer of&#160;mortgage servicing to a different servicer in an effort to improve mortgage servicing performance. A transfer may also be necessitated by a mortgage servicer’s failure to meet contractual requirements. Servicing transfer requests may also be initiated by the owner of the MSRs or the servicer of the mortgage portfolio. For example, changes in capital regulations or servicing profitability may prompt commercial banks and financial services companies to seek to reduce MSR holdings. Some non-bank mortgage servicing companies have recently increased acquisitions of MSRs and the servicing of mortgage loans.</p><p>There are different variations for structuring transfers to the acquiring entities. Historically, both the ownership of the MSRs and the servicing of the mortgage loans were transferred to the same entity.
However, the MSRs owner and the mortgage servicer may be separate entities, which would necessitate one or more sub-servicer arrangements. For example, the MSRs owner may be established as a limited liability company with the primary purpose of sub-contracting servicing to one or more servicers. In some situations, more than one entity is responsible for the representations and warranties related to the origination, selling, or servicing of a transferred mortgage servicing portfolio. Different types of entities involved in MSR holding structures can impact the financial, operational, and legal risks associated with any given transfer.</p><p>Any sale and transfer of MSRs or transfer of the operational aspect of servicing mortgage loans owned or guaranteed by Fannie Mae or Freddie Mac requires the approval of the applicable Enterprise in accordance with its seller/servicer guide.</p><div><h2>Guidance</h2><p>An&#160;Enterprise&#160;should&#160;only&#160;approve&#160;those&#160;transactions&#160;that&#160;are&#160;consistent&#160;with&#160;sound&#160;business&#160;practice,&#160;aligned&#160;with&#160;the&#160;Enterprise’s board-approved risk appetite, and in compliance with regulatory and&#160;Conservator&#160;requirements.&#160;Certain&#160;bulk servicing transfers also require the approval of FHFA as Conservator for the Enterprises.</p><p>Each Enterprise should have in place policies and procedures within its risk management&#160;program for evaluating risks of proposed sales or transfers of MSRs and transfers of the&#160;servicing of mortgage loans, considering the particular circumstances of the transfers&#160;(e.g., volume and profile of the loans transferred, structure and complexity of&#160;the&#160;transaction, counterparty exposure, servicing concentrations, and/or borrower&#160;experience). The Enterprise’s policies and procedures should identify, assess, and&#160;appropriately mitigate risk.
The policies and procedures should provide for risk-based&#160;periodic reporting to the board of the transfers’ risk effect on the mortgage servicing&#160;portfolio. The Enterprise should maintain documentation of supporting analysis of&#160;transfer approval decisions that is sufficient to enable subsequent supervisory review.</p></div><div><p>​This advisory bulletin sets forth guidance for how each Enterprise should develop&#160;policies and procedures for reviewing and approving the sale and transfer of MSRs or the&#160;transfer of the servicing of mortgage loans. The policies and procedures should enable&#160;the Enterprise to understand its potential counterparty risk exposure resulting from&#160;servicing transfers.</p><p>​Analysis of Mortgage Servicing Transfers</p><p>The Enterprise should analyze and document the terms and conditions of all proposed&#160;transactions. The Enterprise should evaluate the risks and potential benefits of proposed&#160;transfers, taking into account relevant factors regarding the transferee, the transferor, and&#160;the borrower, as well as, the Enterprise’s overall risk management strategy for servicers.&#160;The analysis should incorporate and reflect the views of both risk management and&#160;business line management.</p><p>The analysis should reflect a risk-based approach and consideration of all relevant risks, including (but not limited to) the&#160;following factors&#58;</p><h4>Financial Risk Factors</h4><ul><li><span style="line-height&#58;1.6;">Financial strength of the transferee servicer or the MSRs owner based upon a current analysis;</span><br></li><li><span style="line-height&#58;1.6;">Existing and anticipated sources of capital and liquidity for the transferee servicer or the MSRs owner;</span><br></li><li><span style="line-height&#58;1.6;">Confirmation of the responsible party(ies) for origination and servicing representation and warranty obligations;</span><br></li><li><span style="line-height&#58;1.6;">Ability 
of all relevant participants to meet contractual obligations, including representations and warranties and other&#160;contractual obligations, including during adverse scenarios in which the counterparty may have trouble accessing liquidity and capital;</span><br></li><li><span style="line-height&#58;1.6;">Terms of any financial support arrangements (e.g., letters of credit, net worth or other guarantees, or other investment structures that securitize the servicing income or the advance receivables); and</span><br></li><li><span style="line-height&#58;1.6;">Complexity of the counterparty financial structure, including financial arrangements with other parties.</span><br></li></ul><h4>​Operational Risk Factors</h4><ul><li><span style="line-height&#58;1.6;">The Enterprise’s, the transferee’s, and the transferor’s business objective for the proposed transfer;</span><br></li><li><span style="line-height&#58;1.6;">Transferee servicer’s status as an “approved” servicer by the Enterprise;</span><br></li><li><span style="line-height&#58;1.6;">Transferee servicer’s and any sub-servicer’s delegations and authority to conduct business on behalf of the Enterprise in relation to the servicing portfolio being transferred;</span><br></li><li><span style="line-height&#58;1.6;">Organizational structure, location, management team, and operations of the transferee servicer and any sub-servicers;</span><br></li><li><span style="line-height&#58;1.6;">Transferee servicer’s and any sub-servicer’s expertise and performance record, including the results of recently conducted Enterprise on-site reviews;</span><br></li><li><span style="line-height&#58;1.6;">Servicing fee distribution between the MSRs owner and the transferee servicer to ensure proper alignment of incentives and coverage of costs;</span><br></li><li><span style="line-height&#58;1.6;">Servicer capacity, taking into account staffing, facilities, information technology systems, and any sub-servicing 
arrangements;</span><br></li><li><span style="line-height&#58;1.6;">Outstanding obligations and past performance regarding repurchase recoveries and compensatory fee recoveries;</span><br></li><li><span style="line-height&#58;1.6;">Operational complexity of the transaction;</span><br></li><li><span style="line-height&#58;1.6;">Third party service providers or vendors contractually obligated to the servicer, but not to the Enterprise;</span><br></li><li><span style="line-height&#58;1.6;">Adequacy of the transferee servicer’s business continuity plan, inclusive of any applicable sub-servicers or material vendors;</span><br></li><li><span style="line-height&#58;1.6;">Current and potential effects of the transfer on borrowers, including those associated with in-process workouts, bankruptcies, and litigation; and</span><br></li><li><span style="line-height&#58;1.6;">Overall effect of the transfer on the servicer relationship and any resulting counterparty concentrations for an Enterprise.</span><br></li></ul><h4>Legal and Compliance Risk Factors</h4><ul><li><span style="line-height&#58;1.6;">Potential compliance risk associated with the characteristics of the mortgage loans being serviced;</span><br></li><li><span style="line-height&#58;1.6;">Based upon publicly available information, the transferor servicer’s, transferee servicer’s, and any sub-servicer’s record of compliance with consumer protection laws, including provisions of the Consumer Financial Protection Bureau’s Regulation X, which implements the Real Estate Settlement Procedures Act;</span><br></li><li><span style="line-height&#58;1.6;">Extent to which the transferor servicer, transferee servicer, and any sub-servicer is subject to federal or state regulatory oversight; and</span><br></li><li><span style="line-height&#58;1.6;">Any public regulatory or other enforcement actions relating to safety and soundness, legal, or compliance issues (e.g., consumer compliance, fraud, financial reporting) of the 
servicers or sub-servicers.</span><br></li></ul><p>Policies and procedures should be consistent with prudent counterparty risk management practices and with FHFA&#160;guidance, including risk-based contingency planning in accordance with FHFA Advisory Bulletin AB-2013-01, Contingency Planning for High-Risk or High-Volume Counterparties, as appropriate.</p><div><p><em class="ms-rteFontSize-2">Transfer Execution Monitoring</em></p><p>The Enterprise’s policies and procedures should clearly outline its expectations to facilitate the transfer of data and records. Further, the Enterprise should have a risk-based process to monitor the execution of the transfers so that all servicing transfers occur in a timely manner and in accordance with approved terms, servicing guide requirements, and applicable mortgage servicing transfer-related laws and regulations. The Enterprise should also have a process to update and&#160;maintain its systems to accurately identify all parties involved in the servicing of a particular loan portfolio.</p><p>Monitoring should cover the transfer of loan records, information regarding loans with loss mitigation in process (including loan modifications), compliance with laws and regulations relating to mortgage servicing transfers, compliance with&#160;approved terms including loan product types and status of loans to be transferred, and quality control review results. For loans that are subject to existing loss mitigation agreements or have loan modification agreements in process, the&#160;transfer terms should require the transferee servicer to honor and abide by such agreements or propose options that are no less beneficial to the borrower, and provide for the transferee servicer to obtain all information needed to complete the modification. 
Transfer execution monitoring should encompass consideration of all relevant participants, including the MSRs owners, servicers, sub-servicers, and third party service providers and vendors, as appropriate.</p><p>Policies and procedures for Enterprise approval determinations should incorporate assessments of the effectiveness of any prior transfers. Transfer execution monitoring should continue for a sufficient period of time post-transfer to enable the Enterprise to evaluate the effectiveness of the transfer and incorporate that evaluation in future approval decisions.</p><h2>Related Guidance</h2><p>Contingency Planning for High-Risk or High-Volume Counterparties, Federal Housing Finance Agency Advisory Bulletin 2013-01, April 1, 2013, establishes guidelines for contingency plans for high-risk or high-volume counterparties and describes the criteria the regulated entities should use to develop plans for managing counterparty credit risk exposures.</p><div><br></div></div></div>
Guidance on the Retirement of the Microsoft Windows XP Operating System | 19343 | All | 3/20/2014 4:00:00 AM | AB 2014-04 <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><strong><font face="Times New Roman"><p align="left">ADVISORY BULLETIN </p><p align="left">AB 2014-04 </p><p>Guidance on the Retirement of the Microsoft Windows XP Operating System </p></font></strong></td></tr></tbody></table><p><br>This advisory bulletin is being issued by the Federal Housing Finance Agency (FHFA) to ensure that Fannie Mae, Freddie Mac, the Federal Home Loan Banks (collectively, the Regulated Entities), and the Office of Finance are aware of and responsive to the retirement and ending of support of Windows XP and Office 2003. This advisory bulletin is consistent with guidance issued by other federal financial regulatory agencies.</p><p>The Windows XP operating system and Office 2003 are no longer receiving technical assistance from Microsoft, including updates and patching, after April 8, 2014. While the technology will continue to function, without support it may become more prone to operational breakdowns and security risks.</p><p>The Regulated Entities and the Office of Finance should review the effectiveness of their system and patch management programs to ensure that the risks associated with this retirement are appropriately understood and mitigated. The review should also consider exposures from third party services providers and other vendors that use Windows XP or Office 2003 upon which the Regulated Entity or the Office of Finance has a material reliance.</p>
Rescission of the Federal Home Loan Bank Examination Manual and the Division of Enterprise Regulation Supervision Handbook | All | 3/11/2014 | AB 2014-03<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>ADVISORY BULLETIN </p><p>AB 2014-03 </p><p>Rescission of the Federal Home Loan Bank Examination Manual and the Division of Enterprise Regulation Supervision Handbook </p></td></tr></tbody></table><p><br><strong>PURPOSE </strong></p><p>This advisory bulletin rescinds the Federal Housing Finance Board Federal Home Loan Bank (FHLBank) Examination Manual and Federal Housing Finance Agency (FHFA) Division of Enterprise Regulation Supervision Handbook. </p><p><strong>ISSUE </strong><br>The documents identified have been superseded by the FHFA Examination Manual. </p><p><strong>BACKGROUND </strong></p><p>The FHFA Examination Manual was issued on December 19, 2013. The FHFA Examination Manual represents the result of an agency initiative to implement a common examination program for the examinations of Fannie Mae and Freddie Mac, the FHLBanks, and the Office of Finance. </p><p><strong>RESCINDED SUPERVISION GUIDANCE </strong></p><p>The following documents are rescinded&#58; </p><ul><li>Federal Housing Finance Board FHLBank Examination Manual </li><li>FHFA Division of Enterprise Regulation Supervision Handbook </li></ul><p><strong>EFFECTIVE DATE </strong></p><p>The advisory bulletin is effective immediately. </p>
Operational Risk Management | All | 2/18/2014 | AB 2014–02<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>ADVISORY BULLETIN </p><p>AB 2014 – 02 </p><p>OPERATIONAL RISK MANAGEMENT </p></td></tr></tbody></table><p>&#160;</p><h2>Introduction</h2><p>This advisory bulletin (AB) applies to Fannie Mae and Freddie Mac (the Enterprises), the Federal Home Loan Banks (FHLBanks), and the Office of Finance (for purposes of this AB collectively, the regulated entities). The AB describes the four basic components of a program to manage operational risk effectively&#58; risk identification and assessment; measurement and modeling; reporting; and risk management decision-making. It also addresses governance aspects of operational risk management, i.e., the duties and responsibilities of management and the board of directors.</p><p>For the Enterprises, this AB rescinds and replaces the Office of Federal Housing Enterprise Oversight (OFHEO) Enterprise Guidance on Operational Risk Management PG-08-002, dated September 23, 2008. FHFA will issue additional guidance on collecting data about operational risk events and reporting such events to management and boards of directors of the regulated entities, and to FHFA. Until that guidance is issued, the Enterprises are to continue collecting data and reporting to FHFA pursuant to the August 10, 2007 letters from OFHEO Director Lockhart and the June 25, 2012 operational event data collection instructions.</p><h2>Background</h2><p>In its examination rating system (CAMELSO<sup id="ref1"><a href="#ft1">[1]</a></sup>) and its Prudential Management and Operations Standards (PMOS<sup id="ref2"><a href="#ft2">[2]</a></sup>), FHFA identified matters examiners may assess when evaluating a regulated entity’s management of its operational risk. 
This AB provides further guidance to the regulated entities on the effective management of operational risk and is intended to promote the safety and soundness of the regulated entities by providing specific guidance upon which each regulated entity should manage operational risk. To be effective, a regulated entity’s operational risk policies, procedures and practices should&#58; (1) reflect the complexity, operations, conditions and strategic plans of the regulated entity, as well as the economic and legal environment within which the regulated entity conducts business; and (2) be appropriate for the scale and nature of the regulated entity’s business.<sup id="ref3"><a href="#ft3">[3]</a></sup> FHFA expects that each regulated entity’s operational risk management program will evolve over time, just as industry and supervisory standards such as the work of the Committee of Sponsoring Organizations (COSO) of the Treadway Commission and the Basel Committee on Banking Supervision have evolved.</p><p>Sound management of operational risk includes developing and applying operational risk management policies, procedures and processes consistently across the regulated entity. A regulated entity’s operational risk management program should conform to professional practices, comply with regulatory requirements, and achieve results consistent with the regulated entity’s objectives. 
The scope of the operational risk management program should encompass&#58;</p><ul><li style="padding-bottom&#58;0px;margin&#58;0px;padding-left&#58;0px;padding-right&#58;0px;padding-top&#58;0px;"><p>risk identification – including defining operational risk;</p></li><li style="padding-bottom&#58;0px;margin&#58;0px;padding-left&#58;0px;padding-right&#58;0px;padding-top&#58;0px;"><p>risk assessment – including analysis of the severity and likelihood of operational events given the effectiveness of controls in place;</p></li><li style="padding-bottom&#58;0px;margin&#58;0px;padding-left&#58;0px;padding-right&#58;0px;padding-top&#58;0px;"><p>measurement – including the direction and magnitude of changes in risk profile and may include modeling – including the treatment of diverse loss types in a common and analytical framework;</p></li><li style="padding-bottom&#58;0px;margin&#58;0px;padding-left&#58;0px;padding-right&#58;0px;padding-top&#58;0px;"><p>reporting – including operational event reporting that provides timely and actionable information to management; and</p></li><li style="padding-bottom&#58;0px;margin&#58;0px;padding-left&#58;0px;padding-right&#58;0px;padding-top&#58;0px;"><p>risk management decision-making – including evidence that management decisions about operational risk mitigation strategies are informed by data and information gathered in the other processes of the program.</p></li></ul><p>A regulated entity should establish&#58; (1) an operational risk management culture across the regulated entity to identify and address operational risks; and (2) a measurement system that quantifies operational risk. The regulated entity’s overall risk management program should integrate operational risk management processes. An effective operational risk management program should result in demonstrable benefits to the regulated entity, including managers and staff at the regulated entities identifying and economically managing operational risks.</p><h2>Guidance</h2><h3>A. 
Components of Operational Risk Management</h3><p>Effective operational risk management includes four key components&#58;</p><ol><li>identification and assessment;</li><li>measurement and modeling;</li><li>reporting; and</li><li>risk management decision-making.</li></ol><p>Each of these components is described below.</p><h4>1. Identification and Assessment</h4><p>Before identifying and assessing operational risk, a regulated entity needs to define and effectively communicate across the regulated entity what is meant by “operational risk.” At a minimum, the regulated entity’s definition should consider the definition adopted for purposes of this bulletin; specifically, operational risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events. The regulated entity’s definition should encompass risks related to housing mission-related activities, including activities related to affordable housing programs or goals. The regulated entity should formulate its definition of operational risk to communicate clearly the elements of risk that are and are not included within its definition of operational risk. That definition should fit into the regulated entity’s overall risk management framework so that all significant risks that the entity is exposed to can be appropriately managed. As part of its role in overseeing and assessing management’s efforts to implement a common risk language and a risk awareness culture across the regulated entity, the regulated entity’s board of directors should review and approve the definition of operational risk as part of its approval of the regulated entity’s operational risk management policy.</p><p>The regulated entity should develop processes and mechanisms to assist in identifying operational risks. These should be appropriate for the scale and nature of the regulated entity’s business, operations, and condition. 
According to current best practices of risk management, these processes and mechanisms generally should include risk-control self-assessments (RCSA), key risk indicators (KRIs), and key performance indicators (KPIs).</p><p>The regulated entity’s assessment of operational risk should include processes that evaluate both the severity and likelihood of operational events and give consideration to the quality of controls and infrastructure that are designed to prevent, avoid, or reduce the likelihood of operational events from occurring and their impact should they occur. The regulated entity should have a process for assessing changes in the business environment and its impact on operational risk. This should include assessing the impact of changes in the volume and complexity of the regulated entity’s operations due to developments in the financial, legal, and regulatory environment. The regulated entity should establish a process to identify and assess the level and trends in operational risk and related internal control structures. Assessments should be current and comprehensive (i.e., address the factors listed in the Operational Risk section in AB 2012-03 of CAMELSO, and the standards related to operational risk in PMOS) across the regulated entity. The regulated entity’s process for risk assessments should be sufficiently flexible to accommodate increasing complexity, new activities, and changes in internal control systems.</p><p>Details on FHFA expectations related to the sources for identifying operational risk follow.</p><ol style="list-style-type&#58;lower-alpha;"><li><p><em>Internal Operational Event and Loss Data</em> – A regulated entity’s operational risk measurement system should incorporate event and loss data derived from an operational event tracking system. The database may draw upon multiple sources of information including business-line level databases that report and/or track exceptions and issues. 
Definitions and scope of critical information that feed into the operational event database should be consistently applied across the regulated entity. The database should ultimately include operational event and loss data covering a meaningful time span, normally five or more years. Data, even if deemed ‘stale’ because of implementation of a new control or other management action, should not be discarded since it remains relevant for other uses such as scenario analysis, regulatory compliance reporting, and “lessons learned” materials for management. In addition, operational events are often complex and evolutionary and, thus, events that are apparently unconnected or contained may turn out to have further ramifications or be tied to subsequent events.</p></li><li><p><em>Business Environment Assessment </em>– A regulated entity’s operational risk measurement system should incorporate a process for assessing changes in the business environment and the impact on operational risk. This should include assessing the impact of changes in the volume and complexity of the regulated entity’s operations caused by developments in the financial, legal, and regulatory environment. The regulated entity should establish a process to identify and assess the level and trends in operational risk and related internal control structures. Assessments should be current and comprehensive across the regulated entity. The process should be sufficiently flexible to accommodate increasing complexity, new activities, and changes in internal control systems.</p></li><li><p><em>Internal Risk and Control Environment Assessment </em>– A regulated entity’s operational risk measurement system should have a component that takes into account the condition of the internal control environment. 
The regulated entity may adjust measures of operational risk (including operational risk capital measures) based on measurement tools and indicators that gauge, in a forward-looking manner, improvement or deterioration in an entity’s operational risk exposure and/or control environment. Sources may include internally generated KRIs and performance triggers, internal and external audit reports, examination findings and other periodic reviews such as RCSA.</p></li><li><p><em>External Loss Data and Scenario Analysis</em> – Scenario analysis (identifying events that have not occurred, but could occur at the regulated entity) and external data on industry operational loss events can be important tools of an effective operational risk management program if carefully designed and integrated into the processes and systems for risk measurement and management. The regulated entity’s operational risk measurement system should include a review of external data to gain an understanding of operational loss experience of similarly sized organizations in similar lines of business. External data can complement internal operational event data as an input into a system for measuring the entity’s operational risk exposure or to inform scenario analysis.</p></li><li><p><em>Evaluation </em>– A timely evaluation and update of a regulated entity’s operational risk measurement system is appropriate whenever the entity becomes aware of information that may have a material effect on the estimate of operational risk exposure. 
A complete evaluation of the entity’s operational risk management program should be conducted by a qualified, independent team of experts, staffed either internally or externally, often enough to reflect the possibility of changes in the entity’s risk environment, normally at least annually.</p></li></ol><p>The framework for identifying and assessing risks should be applied across the regulated entity and should be periodically reviewed and independently validated.</p><h4>2. Measurement and Modeling</h4><p>A regulated entity should have effective means of measuring operational risks in order to manage those risks. Management and the board of directors should establish qualitative and quantitative risk measures that indicate the direction and magnitude of the regulated entity’s operational risk profile (and changes in the risk profile). Also, management and the board should have current and complete information about the limitations of those risk measures. The measures should be appropriate for the scale and nature of the regulated entity’s business.</p><p>A regulated entity’s internal operational risk measurement system should be supported by data about the incidence of, and losses (including potential losses) related to, operational events. The operational risk measurement system should take into account the condition of the regulated entity’s internal control environment. The regulated entity may adjust measures of operational risk based on measurement tools and indicators that gauge in a forward-looking manner improvement or deterioration in a regulated entity’s operational risk exposure and/or control environment. 
Sources of such qualitative and quantitative information could include internally gathered key risk indicators and performance triggers, internal and external audit reports, examination findings, and other periodic reviews.</p><p>The regulated entity’s operational risk measurement system should include a review of external data to gain an understanding of operational loss experience at peer institutions and within the industry. External data may serve a number of different purposes in an operational risk measurement system. For example, external data can complement internal loss data as an input into a system for measuring the regulated entity’s operational risk. Even where external loss data are not an explicit input into the measurement system, such data may provide a means to assess the adequacy of the regulated entity’s internal data. External data may also inform scenario analysis, provide additional data for severity distributions, or be used for validating an economic capital model. 
If a regulated entity incorporates scenario analysis into its operational risk measurement system, it should document the process for conducting scenario analysis including the manner in which the scenarios are generated; the frequency with which they are updated; the scope and coverage of operational loss events they are intended to reflect; and the results of the analysis and how these results impact operational risk measurement.</p><p>If a regulated entity determines its risk profile warrants modeling one or more components of its operational risk, the models should connect the real and probabilistic sides of operational risk management, and treat diverse loss types in a common analytical framework.<sup id="ref4"><a href="#ft4">[4]</a></sup> The reasoning for differential incorporation of the risk assessment components in the model should be transparent and consistently applied.</p><p>Regardless of the methodologies the regulated entity uses for measuring and modeling operational risk, the measures and models should&#58;</p><ul><li>be consistent with the regulated entity’s definition of operational risk;</li><li>use valid data acquired from reliable system(s) or process(es);</li><li>be periodically updated to reflect new risks;</li><li>be tested for sensitivity to changes in data, assumptions, and model specifications; and</li><li>be periodically and independently validated (for example, by the internal audit function).</li></ul><h4>3. Risk Reporting</h4><p>In order to carry out their respective responsibilities, senior management and the board of directors should receive regular reports with appropriate and timely information, relevant to their respective roles, related to operational risk events and the regulated entity’s operational risk profile. 
Reports for the board of directors should provide sufficient information for the board to carry out its oversight responsibilities, and reports for management should include actionable information that supports business and risk-management decisions.<br>A regulated entity should have a reporting structure that provides for consistent reporting and escalation procedures across business units and functions. The regulated entity’s operational risk event reporting system should be entity-wide, rely on established reporting thresholds that do not exclude important internal operational event data, and support the assessment of the regulated entity’s operational risk exposure. The particular risk profile of a business line may be considered when establishing risk limits and reporting and escalation thresholds (what is significant in one business line may not be in another), but the establishment of and adjustments to thresholds and limits should be a systematic procedure applied consistently across the regulated entity.<br>While the level of detail in reports to the board of directors and management may vary, reports to both about operational risk would normally be expected to address, at a minimum&#58;</p><ul><li><p>significant operational loss events in the prior quarter, including near misses;</p></li><li><p>significant changes, including to the regulated entity’s business environment that may signal actual or potential increased or decreased risk of future losses;</p></li><li><p>significant changes to the regulated entity’s processes or resources, including comparisons to previous reports and using specific indicators or metrics; and</p></li><li><p>policy and risk tolerance exceptions.</p></li></ul><h4>4. Risk Management Decision-Making</h4><p>Effective operational risk management includes making decisions, when appropriate, based on operational risk identification and assessment, measurement and modeling, and reporting. 
Such decisions may include, for example, deciding to avoid, transfer, or mitigate unwanted risk, and monitor and allocate resources appropriately to operational risks explicitly accepted.</p><p>The link between risk management decision-making and risk identification and assessment, measurement and modeling, and reporting can be demonstrated, for example, by&#58; (1) processes that encourage effective management based on the assessment and reporting of changes in operational risk, and discourage behavior that weakens risk management or the internal control environment; or (2) an internal written communication documenting that management at the regulated entity takes the results of the operational risk measurement and reporting systems into account when making business decisions.</p><p>For example, FHFA expects that the FHLBanks will incorporate the documented results of operational risk assessments and/or models into their retained earnings plans; and that the Enterprises will base the allocations of economic capital, in part, on documented analysis of the other components of the operational risk identification and assessment, measurement and modeling, and reporting. While the Enterprises’ allocations should be consistent with the broader economic capital measurement and allocation systems, operational risk capital allocation should be demonstrably commensurate with the operational risk in a particular area or business and should serve as an incentive mechanism to implement cost-effective controls and active management of operational risk including techniques of avoidance, transfer, mitigation, and appropriate monitoring and resource allocation for explicitly retained risks.</p><p>Consistent application of a decision framework ensures a common marginal risk/return trade-off across the firm’s lines of business, translating into risk mitigation strategies and investments consistent with each other and the entity’s risk policies. 
Choosing among available risk mitigation strategies should involve an appropriate management review informed by one or more decision frameworks such as cost/benefit analysis, estimation of risk-adjusted return on capital (RAROC), expected utility analysis, or other approaches.</p><p>The regulated entity’s operational risk management decision-making should be supported by the periodic review and updating of the other components of the operational risk management program (risk identification and assessment, measurement and modeling and reporting). To facilitate improved risk management decision-making, the regulated entities should regularly and independently validate the components of their operational risk management program against changes in the internal control environment, risk profile, and external business and market developments.</p><h3>B. Governance of Operational Risk Management</h3><p>Five important governance components of operational risk management are&#58; (1) an operational risk policy; (2) board oversight; (3) executive and senior management leadership; (4) operational risk officer implementation; and (5) business unit management and staff commitment.</p><h4>1. Operational Risk Policy</h4><p>A comprehensive operational risk management policy forms the foundation of effective operational risk management. The policy should define operational risk as well as the roles and responsibilities of key stakeholders and of entity-wide operational risk management functions. These roles and responsibilities should support and promote an operational risk management culture across the regulated entity that effectively identifies and economically manages operational risks. 
While the operational risk governance structure will vary depending on the scale and nature of the regulated entity’s business, it should be fully integrated into the regulated entity’s overall risk management governance structure, and should demonstrate the status of operational risk management within the regulated entity.</p><p>The roles and responsibilities should be designed to minimize the potential for conflicts of interest, and should support&#58;</p><ul><li><p>the prudent acceptance of operational risk;</p></li><li><p>the efficient and consistent efforts to manage operational risk; and</p></li><li><p>the effective and timely communication – vertically and horizontally across the entity – about operational risk exposures and management.</p></li></ul><h4>2. Board Oversight</h4><p>The board of directors is responsible for establishing an appropriate “tone at the top” that promotes a strong and effective risk management culture, including operational risk management, at the regulated entity. The board or its risk management committee is responsible for approving the operational risk management program and overseeing that adequate resources are available and allocated to effectively manage operational risk. The board or its risk management committee should maintain awareness and understanding of the sources of operational risk, the strategies employed across the regulated entity to manage operational risk, and the level and direction of operational risk at the regulated entity. The board or its risk management committee is responsible for overseeing management’s efforts to keep the level of operational risk within established limits. 
Specific board or board risk management committee responsibilities related to the governance aspects of operational risk management include&#58;</p><ul><li><p>ensuring the independent operational risk management function is at a sufficiently senior level in the organization to provide the appropriate stature for the position and support a strong risk management culture;</p></li><li><p>setting and/or approving operational risk limits and tolerances;</p></li><li><p>overseeing the periodic review and independent assessment of the processes and methodologies used to identify, assess, measure, and model operational risk;</p></li><li><p>reviewing and analyzing regular reports from the operational risk officer and other sources on the level and composition of operational risk; and</p></li><li><p>holding management accountable for unacceptable results or conditions under its purview.</p></li></ul><h4>3. Executive and Senior Management</h4><p>Executive and senior management are also responsible for fostering a tone that promotes the strong and effective management of operational risk across the regulated entity. These highest levels of management are responsible for implementing board approved strategies and policies, and ensuring that controls are in place to keep operational risk within established limits and tolerances. Executive and senior management are responsible for&#58; (1) ensuring that the operational risk policy and standards are consistently applied across the regulated entity’s business lines, units, and operations; and (2) allocating sufficient resources to operational risk management functions throughout the regulated entity. 
Specific executive and senior management responsibilities related to operational risk management include&#58;</p><ul><li><p>reviewing annually (and updating as appropriate) operational risk-related policies and procedures, and submitting policies to the board for approval;</p></li><li><p>ensuring all staff receive appropriate training and tools to implement the operational risk management program effectively;</p></li><li><p>enforcing board established operational risk limits and tolerances;</p></li><li><p>ensuring the independent assessment of the processes and methodologies used to identify, assess, measure, and model operational risk; and reviewing the results and taking appropriate action in light of the independent assessments; and</p></li><li><p>preparing, reviewing and analyzing accurate and timely regular reports on the level and composition of operational risk for decision-making and oversight, including reports on operational events, risk and control assessments, and the effectiveness of the operational risk management function.</p></li></ul><h4>4. Operational Risk Officer</h4><p>This guidance encompasses risk-management execution responsibilities in the term “operational risk officer.” It may not be necessary that there actually be an officer with that title to effectively implement this guidance. For example, the ORO functions may be carried out by the CRO, or some other configuration of officers.<br><br>The operational risk officer (ORO) is responsible for the day-to-day implementation (including the operation, maintenance and improvement) of the operational risk management program. The ORO is independent of the business lines. The ORO works collaboratively and cooperatively with the regulated entity’s business units and internal audit function. 
The ORO is responsible for developing, recommending and implementing strategies for&#58; identifying, assessing, measuring, monitoring, reporting, avoiding, transferring, mitigating and monitoring operational risk across the regulated entity. The ORO is responsible for developing and implementing policies and procedures for operational risk management; the regulated entity’s operational risk assessment methodology; and the operational event data collection and reporting system. Specific ORO responsibilities would normally include&#58;</p><ul><li><p>maintaining operational risk management policy and procedure documentation that identifies roles and responsibilities of executive and senior management, business unit management, internal audit, and the operational risk management function;</p></li><li><p>developing the regulated entity’s operational risk management strategy;</p></li><li><p>collecting and reporting operational event data that meets internal and FHFA reporting needs and requirements;</p></li><li><p>developing an effective analytic framework that uses operational event data for calculating operational risk exposure; and for the Enterprises, economic capital, and for the FHLBanks, retained earnings and overall capital adequacy;</p></li><li><p>developing and administering the self-assessment of operational risk and internal controls for business units across the regulated entity; and</p></li><li><p>establishing and enforcing criteria (such as content, distribution, frequency) for management reporting of operational risk from the business units through senior and executive management to the board of directors.</p></li></ul><h4>5. Business Unit Management and Staff</h4><p>Business unit management and staff are responsible for demonstrating a commitment to an effective operational risk management and internal control function by implementing operational risk management-related policies and procedures. 
They are responsible for&#58; taking actions that are consistent with the articulated risk appetite; safeguarding resources; producing reliable management reports; complying with applicable laws and regulations; and minimizing the potential for human error and fraud. They are also responsible for using operational risk management tools such as self-assessments, and for reporting the results of such assessments as directed by the ORO.</p><p>FHFA examiners will evaluate the regulated entities’ operational risk management practices as part of the annual examination.<br>Advisory Bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, Fannie Mae, and Freddie Mac. This bulletin is effective immediately upon issuance. Contact Kari Walter, Senior Associate Director, Office of Supervision Policy, or Carol Connelly, Principal Examiner, Examination Standards Branch with comments or questions pertaining to this bulletin. 
This Advisory Bulletin is a Public document.</p><p>&#160;</p><hr width="33%" align="left" /><p><sup id="ft1"><a href="#ref1">[1]</a></sup> AB 2012-03 FHFA Examination Rating System (December 19, 2012).</p><p><sup id="ft2"><a href="#ref2">[2]</a></sup> 12 CFR part 1236, Appendix A.</p><p><sup id="ft3"><a href="#ref3">[3]</a></sup> For example, the limited nature of the business of the Office of Finance will result in operational risk policies, procedures and practices that are significantly different from those of either the FHLBanks or the Enterprises.</p><p><sup id="ft4"><a href="#ref4">[4]</a></sup> FHFA guidance on model risk management may be found in AB 2013-07 Model Risk Management Guidance (November 20, 2013).</p><p>The AB describes the four basic components of a program to manage operational risk effectively: risk identification and assessment; measurement and modeling; reporting; and risk management decision-making.</p>
Liquidity Risk Management | Fannie Mae & Freddie Mac | 2/18/2014 5:00:00 AM | AB 2014–01
<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p align="left">ADVISORY BULLETIN </p><p align="left">AB 2014 – 01 </p><p align="left">LIQUIDITY RISK MANAGEMENT </p></td></tr></tbody></table><font face="Times New Roman"><h2><br>Introduction</h2></font><font face="Times New Roman"><p align="left">This Advisory Bulletin establishes guidelines for liquidity risk management at Fannie Mae and Freddie Mac (the Enterprises). The guidelines describe the principles the Enterprises should follow to identify, measure, monitor, and control liquidity risk. The Division of Enterprise Regulation (DER) will evaluate the Enterprises’ liquidity risk management programs as part of the examinations.</p><p align="left">This guidance does not supplant existing regulations that pertain to risk management at the Enterprises.</p></font><font face="Times New Roman"><h2>Background</h2></font><font face="Times New Roman"><p align="left">Liquidity risk is the risk that an Enterprise is unable to meet its financial obligations as they come due or meet the credit needs of its customers in a timely and cost-efficient manner. The Enterprises must be financially sound to perform their public missions and should have a comprehensive liquidity risk management framework to limit and control liquidity risk exposures.</p><p align="left">Federal Housing Finance Agency (FHFA) Prudential Management and Operations Standards (PMOS) were effective August 7, 2012, and supplement existing FHFA regulations. They address ten separate areas relating to the management and operation of the Enterprises. 
Standard 5 (Adequacy and Maintenance of Liquidity and Reserves) highlights the need for each Enterprise to establish a liquidity management framework, articulate liquidity risk tolerances, and establish a process for identifying, measuring, monitoring, controlling, and reporting its liquidity position and liquidity risk exposures. In addition, Standard 5 includes requirements for conducting stress tests to identify sources of potential liquidity strain and requirements for establishing contingency funding plans (CFP). Standard 8 (Overall Risk Management Processes) establishes the responsibilities of boards of directors and senior management and the need for the Enterprises to establish risk management practices that measure, monitor, and control liquidity risk.</p></font><font face="Times New Roman"><h2>Guidance</h2></font><font face="Times New Roman"><p align="left">Each Enterprise’s risk management processes should enable it to identify, measure, monitor, and control its liquidity exposures. Management should be able to accurately identify and quantify the primary sources of risk to liquidity. To properly identify the sources of risk, management should understand both existing and emerging risks. 
</p><p align="left">Key elements of an effective risk management process include adequate board of directors (board) and senior management oversight; appropriate liquidity management policies, procedures, and limits; appropriate risk measurement methodology, monitoring, and reporting systems; adequate management information systems and internal controls; an effective contingency funding plan; adequate levels of highly liquid assets; a funding strategy that provides appropriate diversification of funding, regularly assesses market access, and identifies alternative sources of funding; and active management of intraday liquidity and collateral.</p></font><font face="Times New Roman"><h3>Adequate board of directors and senior management oversight</h3></font><font face="Times New Roman"><p align="left">The board is ultimately responsible for the liquidity risk assumed by the Enterprise and for guiding the strategic direction of liquidity management. The board, or a committee thereof, should establish and approve appropriate liquidity risk tolerances and limits, and should oversee the establishment and approval of liquidity management strategies, policies, and procedures, and review them at least annually. In addition, the board should have a fundamental understanding of the Enterprise’s business activities and associated liquidity risks and should ensure that senior management has the necessary expertise to effectively manage liquidity.</p><p align="left">Senior management oversees the daily and long-term management of liquidity and is responsible for carrying out the strategic objectives of the board. Senior management should develop liquidity risk management strategies, policies, and practices for approval by the board, implement sound internal controls for managing liquidity risk, and establish effective information systems and contingency funding plans. 
In addition, senior management must also establish reporting systems that produce timely and accurate information on the Enterprise’s liquidity position and sources of risk exposure, and provide regular reports to the board. </p><p align="left">Senior management should also maintain an organizational structure that clearly assigns responsibility, authority, and relationships for managing liquidity risk and ensure that personnel are appropriately trained and competent with regard to the Enterprise’s established policies and tolerances.</p></font><font face="Times New Roman"><h3>Appropriate liquidity management policies, procedures, and limits</h3></font><font face="Times New Roman"><p align="left">Each Enterprise should implement a risk management policy that addresses standards regarding day-to-day operational liquidity needs and plans for dealing with contingent liquidity needs, including potential temporary, intermediate-term, and long-term liquidity disruptions. Policies should specify the Enterprise’s board-established liquidity risk tolerances and procedures for controlling risk exposures within those limits. The policy should be consistent with the Enterprise’s overall business strategy.</p><p align="left">The policy should include&#58; an enumeration of specific types of investments to be held for liquidity purposes, a description of the Enterprise’s ability to access capital markets during periods of market stress, and the methodology to be used for determining the Enterprise’s operational and contingency liquidity needs. Policy guidelines should include both quantitative and qualitative targets and should contain provisions for documenting and periodically reviewing assumptions used in liquidity projections. 
In addition, the policy should specify the nature and frequency of liquidity risk reporting for management and the board, and establish responsibilities and accountability at every level of the management structure, particularly in regard to actions to be taken if limits or positions are breached.</p></font><font face="Times New Roman"><h3>Appropriate risk measurement methodology, monitoring, and reporting systems</h3></font><font face="Times New Roman"><p align="left">Each Enterprise should establish appropriate models to accurately measure its liquidity exposures, identify potential liquidity shortfalls, and simulate various market scenarios. Measurement systems should include robust methods for projecting cash flows and an Enterprise’s liquidity needs over appropriate time horizons, including intraday, day-to-day, short-term weekly and monthly horizons, medium-term horizons of up to one year, and longer-term liquidity needs of one year or more. These systems should also measure tenor and provider concentrations to ensure reliance on certain funding structures or sources of funds is appropriately identified and controlled.</p><p align="left">Cash flow and model assumptions should be reasonable, appropriate, and adequately documented, and should be periodically reviewed by senior management. Measuring and reporting systems should capture all significant on- and off-balance-sheet items and be adjusted as products or risks change.</p><p align="left">Each Enterprise should ensure that assets are properly valued according to relevant financial reporting and supervisory standards. 
In determining potential liquidity needs and risk management strategies, the possibility of losses and deterioration in valuations from potential credit and market events should be considered and the Enterprise should take this into account in assessing the feasibility and impact of asset sales on its liquidity position during stress events.</p></font><font face="Times New Roman"><h4>Stress Testing</h4></font><font face="Times New Roman"><p align="left">Each Enterprise should conduct stress tests on a regular basis for a variety of Enterprise-specific and market-wide stress scenarios across a range of time horizons. Stress test results should be used to identify sources of potential liquidity strain, to ensure that current exposures remain in accordance with established risk tolerances, and to analyze effects on the Enterprise’s cash flows, profitability, and solvency. Management should use results of stress tests to adjust liquidity management policies and positions and to develop effective contingency plans.</p></font><font face="Times New Roman"><h4>Collateral Position Management</h4></font><p align="left">An Enterprise should have the ability to calculate all of its collateral positions in a timely manner, including the value of assets currently pledged relative to the amount of security required and unencumbered assets available to be pledged. An Enterprise should be aware of the operational and timing requirements associated with accessing the collateral given its physical location (i.e., the custodian entity or securities settlement system with which the collateral is held). 
The Enterprises should also fully understand the potential demand for additional collateral arising from various types of contractual contingencies during periods of both market-wide and Enterprise-specific stress.</p><h4>Management Reporting</h4><p align="left">Senior management should receive reports on the adequacy of an Enterprise’s liquidity, including the level and trend of risks to the Enterprise’s liquidity at least monthly; the board, or a committee thereof, should receive reports at least quarterly. If liquidity risk is high or if it is moderate and increasing, the reports should be more frequent. These reports should convey how much risk the Enterprise is assuming, its compliance with risk limits, and whether strategies are consistent with the board’s expressed risk tolerance. Additional reportable items may include cash flow projections, critical assumptions used in cash flow projections, asset and funding concentrations, key early warning or risk indicators, funding availability, status of contingent funding sources, or collateral usage.</p><h3>Adequate management information systems and internal controls</h3><p align="left">Senior management should establish adequate internal controls to ensure board-established liquidity risk policies and objectives will be achieved. Adequate internal controls should address items such as the Enterprise’s compliance with policies, procedures, and regulations, and the effectiveness of risk measurement and reporting.</p><p align="left">Internal audit should regularly review and evaluate the various components of the Enterprise’s liquidity risk management process. These reviews should assess the extent to which the Enterprise’s liquidity risk management practices comply with both supervisory guidance and industry sound practices, and should report instances of noncompliance to management and the board. 
The reviews should ensure that front- and back-office systems capably support current and projected operations.</p><h3>An effective contingency funding plan (CFP)</h3><p align="left">Each Enterprise should have a formal contingency funding plan that clearly sets out strategies for addressing liquidity shortfalls in emergencies. The CFP should represent management’s best estimate of balance sheet changes that may result from a liquidity event based on stress testing and scenario analysis. The CFP should be clearly integrated into the Enterprise’s overall liquidity risk management framework. It should provide plans, courses of action, clear lines of responsibility, and escalation procedures to ensure liquidity sources are sufficient to fund normal operations during potential temporary, intermediate-term, and long-term liquidity disruptions. The CFP should provide a framework with significant flexibility so an Enterprise can respond quickly to a variety of situations.</p><p align="left">Effective contingency funding plans should identify Enterprise-specific and market-wide stress events and scenarios that may have a significant effect on an Enterprise’s liquidity. A CFP should then identify minimum and maximum liquidity needs under various stress events and weigh alternative courses of action designed to meet those needs. The result should be a realistic analysis of cash inflows, outflows, and funds availability at different time intervals during the potential liquidity stress event in order to measure the Enterprise’s ability to fund operations and address intraday liquidity needs. 
A CFP should also identify alternative contingent liquidity resources that can be employed under adverse liquidity circumstances.</p><p align="left">To ensure the Enterprise can make timely and well-informed decisions, the CFP should clearly specify roles and responsibilities, including the authority to invoke the CFP and alternates for key roles, and include realistic action plans to execute the various elements of the plan for given levels of stress. The CFP should provide for more frequent and more detailed liquidity risk reporting as the stress situation intensifies and should establish a plan to deliver timely, clear, consistent, and frequent communication to internal and external parties, as appropriate.</p><p align="left">A CFP should establish a monitoring framework for contingent events, including the use of early-warning indicators and event triggers. Early-warning signals should identify the emergence of increased liquidity risk and may include, but are not limited to, negative publicity concerning an asset class owned by the Enterprise, increased potential for deterioration in the Enterprise’s financial condition, widening debt spreads, growing concentrations in assets or liabilities, difficulty accessing funding, or increasing funding costs.</p><p align="left">Each Enterprise’s CFP should be revised and updated regularly to reflect changes in market or business conditions. In addition, a CFP should be tested to assess its reliability and operational soundness under stress conditions. 
Testing should ensure that roles and responsibilities are up-to-date and appropriate; that legal and operational documents are up-to-date and appropriate; that cash and collateral can be moved where and when needed; and that contingent liquidity lines can be drawn when needed.</p><h3>Adequate levels of highly liquid assets</h3><p align="left">An Enterprise should maintain adequate reserves of highly liquid assets, including adequate reserves of unencumbered, marketable securities that can be liquidated to meet unexpected needs. These assets should have no legal, regulatory, or operational impediments and should be held as insurance against a range of liquidity stress scenarios including those that involve the loss or impairment of typically available unsecured and secured funding sources.</p><p align="left">The quality of unencumbered liquid assets is important as it will ensure accessibility during the time of most need. The size of the liquidity cushion should be supported by estimates of liquidity needs performed under an Enterprise’s stress testing, as well as aligned with the risk tolerance and risk profile of the Enterprise.</p><h3>A funding strategy that provides appropriate diversification of funding, regularly assesses market access, and identifies alternative sources of funding</h3><p align="left">The Enterprises should each establish funding strategies that provide effective diversification of funding. In general, funding concentrations should be avoided. The Enterprises should diversify available funding sources in the short-, medium-, and long-term. Funding strategies should take into account correlations between sources of funds and market conditions.</p><p align="left">An essential component of ensuring funding diversity is maintaining market access. Market access is critical for effective liquidity risk management as it affects both the ability to raise new funds and to liquidate assets. 
Senior management should identify the main factors that affect the Enterprise’s ability to raise funds and monitor those factors and should ensure that market access is being actively managed, monitored, and tested by the appropriate staff.</p><p align="left">An Enterprise should identify alternative sources of funding that strengthen its capacity to withstand a variety of severe Enterprise-specific and market-wide liquidity shocks. Depending upon the nature, severity, and duration of the liquidity disruption, potential sources of funding include, but are not limited to, the following&#58;</p><ul><li style="margin&#58;0px;padding&#58;0px;"><p>Cash and highly liquid US government securities </p></li><li style="margin&#58;0px;padding&#58;0px;"><p>Issuance of unsecured or longer-term debt instruments</p></li><li style="margin&#58;0px;padding&#58;0px;"><p>Asset securitization</p></li><li style="margin&#58;0px;padding&#58;0px;"><p>Sale (either outright or through repurchase agreements) or pledging of liquid assets.</p></li></ul><h3>Active management of intraday liquidity and collateral</h3><p align="left">The Enterprises should actively manage their intraday liquidity and collateral to meet payment and settlement obligations in a timely manner under both normal and stressed conditions. Senior management should establish an intraday liquidity strategy that allows the Enterprise to identify time-specific and other critical obligations, and sequence payments based on priority. 
In addition, the intraday strategy should&#58;</p><ul><li style="margin&#58;0px;padding&#58;0px;"><p>Monitor and measure expected daily gross liquidity inflows and outflows.</p></li><li style="margin&#58;0px;padding&#58;0px;"><p>Manage and mobilize collateral when necessary to obtain intraday credit.</p></li><li style="margin&#58;0px;padding&#58;0px;"><p>Ensure that liquidity planners understand the amounts of collateral and liquidity needed to perform payment-system obligations when assessing the Enterprise’s overall liquidity needs.</p></li></ul><h2>Related Guidance</h2><p align="left">12 CFR Part 1720 Safety and Soundness Standards, which addresses balance sheet growth and management and non-mortgage liquidity investments.</p><p align="left">12 CFR Part 1236 Prudential Management and Operations Standards.</p><p>This Advisory Bulletin establishes guidelines for liquidity risk management at Fannie Mae and Freddie Mac. The guidelines describe the principles the Enterprises should follow to identify, measure, monitor, and control liquidity risk.</p>
Collateralization of Advances and Other Credit Products Perfection and Control of Collateral | FHL Banks | 12/23/2013 5:00:00 AM | AB 2013-10
<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>ADVISORY BULLETIN </p><p>AB 2013-10 </p><p>COLLATERALIZATION OF ADVANCES AND OTHER CREDIT PRODUCTS; PERFECTION AND CONTROL OF COLLATERAL </p></td></tr></tbody></table><p> <br>This Advisory Bulletin (AB-2013-10) applies only to the Federal Home Loan Banks. </p><h2>PURPOSE </h2><p>The Federal Home Loan Bank Act, as amended (the Bank Act), requires that each advance to a member or housing associate from a Federal Home Loan Bank (FHLBank) be fully secured. The regulations of the Federal Housing Finance Agency (FHFA) further require that each FHLBank execute a written security agreement with each borrowing member that, at a minimum, gives the FHLBank a &quot;perfectible&quot; security interest in the pledged collateral and allows an FHLBank to perfect its security interest at any time.<sup id="ref1"><a href="#ft1">[1]</a></sup> These and other provisions of the regulations recognize that each FHLBank generally may determine how and when to perfect its security interest. Depending on the particular circumstances, however, such as the financial condition of the member, the type of member, or the nature of the collateral, safety and soundness considerations may dictate that an FHLBank take steps beyond those minimal steps required by the regulations to ensure that it will have access to the collateral in the case of default. This advisory bulletin communicates FHFA’s expectations on credit risk management practices that ensure FHLBank advances remain &quot;fully secured,&quot; as required by statute, relative to perfection and control of collateral, when accepting particular types of collateral. 
FHFA examiners will consider these practices when assessing how the FHLBanks obtain and perfect their security interests in collateral. </p><h2>ISSUE </h2><h3>Perfection and Control of Security Interests in Collateral </h3><p>The manner in which an FHLBank obtains and perfects its security interest is governed by the Uniform Commercial Code (UCC), as enacted by the laws of the appropriate state. As a matter of practice, most FHLBanks allow members to pledge collateral in three ways&#58; (1) by a blanket lien, in which the security interest attaches to particular categories of a member’s balance sheet assets; (2) by a listing arrangement, in which a member lists specific assets that are pledged to secure its advances; or (3) by delivery, in which the member delivers the collateral to the FHLBank or its custodian. An FHLBank can perfect its security interest in any securities collateral or loan collateral by filing a UCC-1 financing statement in the appropriate jurisdiction, regardless of whether the collateral has been pledged via a blanket lien, listing, or delivery. In most cases, a security interest that has been perfected by filing will be enforceable against third parties who assert a competing interest in the collateral, including a receiver or bankruptcy trustee and other creditors of the failed member. However, for both whole loan collateral and securities collateral, the UCC provides alternative methods of perfection that give a secured creditor a perfected security interest that is superior to the security interests of nearly all other competing creditors, including those who have perfected their security interests through filing. An FHLBank can obtain such a “first-priority” perfected security interest in mortgage loan collateral by obtaining possession of the promissory notes, and in securities collateral by acquiring “control” of securities through one of the methods specified in the UCC. 
In nearly all circumstances, an FHLBank that obtains a first-priority perfected security interest will have placed itself in the most secure possible position with respect to the pledged collateral.</p><h2>BACKGROUND</h2><h3>Mortgage Loan Collateral</h3><p>Under the UCC, a secured lender can perfect its security interest in mortgage loans (including those secured by residential or commercial real estate) either by filing a UCC-1 financing statement that describes the notes that are subject to the security interest or by taking possession of the promissory notes. While either approach would result in the FHLBank being “fully secured” for purposes of the FHFA regulations, taking possession of the notes provides the highest level of protection for an FHLBank. An FHLBank that perfects its security interest through possession generally will have a security interest that is superior to those of all competing creditors, including those who had perfected their security interest in the same notes through filing before the FHLBank took possession of the notes. In most cases, possession of the notes will give an FHLBank a first-priority security interest even if it knows of a prior UCC-1 filing by another creditor for the same collateral. Possession of the promissory notes also protects an FHLBank by preventing a member from selling loans that are pledged to the FHLBank as collateral for advances.</p><h3>Investment Securities Collateral</h3><p>​The UCC provisions regarding security interests in investment securities differ depending on whether the beneficial owner holds the security directly as the owner of record on the books of the issuer or indirectly through a custodian, broker, or other securities intermediary. 
The UCC refers to an investment security that is held directly as a “security,” which may be either “certificated” or “uncertificated.” The UCC refers to an interest in a security that is held indirectly through a securities intermediary as a “security entitlement,” and to the person having the security entitlement as the “entitlement holder.” Most securities collateral pledged by FHLBank members will be in the form of “security entitlements,” rather than in the form of “certificated securities” or “uncertificated securities.”</p><p>A secured party may perfect its security interest in each of these types of securities collateral either by filing a UCC-1 financing statement or by obtaining “control” of the securities collateral through one of the methods specified in the UCC. Either approach would result in an FHLBank being “fully secured” for purposes of the FHFA regulations. However, for safety and soundness purposes, FHLBanks should not rely solely on a UCC-1 filing to be “fully secured.” Instead, the FHLBank should take “control” of the securities collateral, creating a first-priority security interest in the collateral that is senior to those of all competing creditors.</p><p>Generally speaking, an FHLBank may obtain control of a security entitlement by becoming the “entitlement holder” or by entering into a “control agreement” with the member and its securities custodian. An FHLBank can become the entitlement holder of a member’s security entitlements by requiring the member to transfer them to the FHLBank or to the FHLBank’s account with its securities custodian. 
An FHLBank that allows a member to keep the securities collateral with its own securities custodian may obtain control of that collateral by entering into one or more agreements with the member and the member’s securities custodian, under which the member authorizes the FHLBank to direct the custodian to liquidate the collateral without further consent of the member; the member authorizes the custodian to follow the FHLBank’s directions; and the custodian agrees to follow the FHLBank’s directions.</p><p>Because security entitlements are intangible and can be transferred electronically, the main risk to an FHLBank that does not obtain control of such securities collateral is that the member may later sell the collateral or pledge it to another creditor. If a subsequent creditor were to obtain control of the collateral, the FHLBank’s claim would likely be subordinate to that of the other creditor.</p><h3>Priority of Security Interests</h3><p>The UCC includes provisions to determine the respective priorities among the claims of competing creditors to the same collateral. A perfected security interest will always have priority over an unperfected security interest, regardless of the method of perfection. Among security interests that have been perfected in the same manner, priority is determined by the order in which the secured creditors perfected their respective security interests. Among security interests that have been perfected by different methods, a security interest that has been perfected by the means required to obtain a first-priority security interest will have priority over security interests that have been perfected in a different manner. 
Thus, an FHLBank that perfects its security interest in mortgage loan notes through possession, or that perfects its security interest in securities collateral by control, generally will have a security interest that is superior to all unperfected security interests and security interests that have been perfected solely by filing.</p><h2>GUIDANCE</h2><h3>Credit Management Practices for Mortgage Loan Collateral</h3><p>In the case of whole mortgage loan collateral, an FHLBank should obtain and perfect its security interest in the manner that the FHLBank determines to be most appropriate to protect its financial interests, given the financial condition of the borrowing member. If a member’s financial condition deteriorates to a point where an FHLBank believes that the member may soon default or fail, then the FHLBank should consider whether it would be appropriate to obtain possession of the collateral. </p><p>While the securities industry has developed an electronic recordkeeping and transfer system that allows an FHLBank to “control” member securities collateral with relative ease, ownership and transfer of mortgage loans is still evidenced in most cases through a physical promissory note. Because of the large volume of mortgage notes needed to secure FHLBank advances, taking possession of and monitoring a member’s mortgage loan collateral is a cumbersome process. Most FHLBanks, therefore, have concluded that the additional safety provided by the possession of whole loan collateral does not in many cases justify the time and expense involved in obtaining possession of the notes. Indeed, the “lien priority” provision of Section 10(e) of the Bank Act was enacted, in part, to give the FHLBanks the equivalent of an automatic perfected security interest in advances collateral at a time when possession was the only method through which a creditor could perfect its security interest in promissory notes under the UCC. 
That lien provision has been of less benefit to the FHLBanks since 2001, when the UCC was amended to permit a creditor to perfect its security interest in promissory notes through filing. Despite the existence of that statutory priority, most FHLBanks also file a UCC-1 for all pledged whole loan collateral. That is an important practice to resolve any question of priority between an FHLBank and a competing secured creditor who files a subsequent UCC-1.</p><p>FHFA expects each FHLBank to have established procedures and criteria to determine whether it will take physical possession of whole loan collateral, including but not limited to commercial real estate (CRE) loan collateral, in a particular situation. These criteria may include, for example, the financial condition of the member, the extent of advances borrowings, the nature of the member’s collateral, the use of other forms of secured borrowing by the member, whether the FHLBank has a blanket lien on all or most of the member’s assets, the size of the loan, and the extent to which the FHLBank is granting a member borrowing capacity against such collateral. A decision by an FHLBank not to take possession of the underlying CRE loan promissory note for any particular member should be consistent with its credit and collateral risk management policies, procedures, and practices, which should include provisions for managing the risks inherent in high-balance loans, such as CRE loans.</p><h3>Credit Management Practices for Investment Securities Collateral</h3><p>Because of the significant benefit of a first-priority security interest and the relative ease through which an FHLBank can take a first-priority security interest in securities collateral through electronic “control” of the securities, an FHLBank should in all instances obtain “control” of securities collateral when granting a member borrowing capacity against this form of collateral. 
Such action would be further warranted by the fact that securities and “security entitlements” may be more easily transferred or pledged to another creditor than other types of collateral. FHFA examiners will assess the extent to which an FHLBank has obtained a first-priority perfected security interest in securities collateral pledged by its members.</p><p>Examiners will review policies, procedures, and practices when examining the FHLBanks’ collateralization of advances and other credit products. Each FHLBank should maintain documented analysis to support decisions regarding actions to perfect and control collateral.</p><p>&#160;</p><hr width="33%" align="left" /><p> <sup id="ft1"> <a href="#ref1">[1]</a></sup> 12 C.F.R. § 1266.2(b)(3), § 1266.9(a)(3).</p>
Collateralization of Advances and Other Credit Products to Insurance Company Members | FHL Banks | 12/23/2013 | AB 2013-09
<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>ADVISORY BULLETIN </p><p>AB 2013 – 09 </p><p>COLLATERALIZATION OF ADVANCES AND OTHER CREDIT PRODUCTS TO INSURANCE COMPANY MEMBERS </p></td></tr></tbody></table><p>&#160;</p><p>This Advisory Bulletin (AB-2013-09) applies only to the Federal Home Loan Banks (FHLBanks). </p><h2>PURPOSE </h2><p>This Advisory Bulletin provides guidance on credit risk management practices to ensure FHLBank advances remain fully secured when lending to insurance company members. The first line of defense to ensure repayment of an advance or other credit product is the financial health of the member, irrespective of whether the member is a depository institution or an insurance company. The second line of defense is the quality of the collateral and the extent to which the FHLBank has a first-priority security interest in the collateral. </p><h2>ISSUE </h2><p>The FHLBanks face risks lending to insurance companies that differ in certain respects from the risks associated with lending to federally-insured depository institutions. The different risks associated with lending to insurance companies include&#58; </p><ol><li><p>Insurance companies are in a different line of business from depository institutions, and their financial statements may differ from those of depositories because they generally report using Statutory Accounting Principles (SAP) instead of Generally Accepted Accounting Principles in the United States (GAAP). The procedures an FHLBank uses to assess the creditworthiness of insurance companies must reflect the nature of their business. Any differences in reporting must be considered in analyzing an insurance company member;</p></li><li><p>Insurance companies are regulated principally by state authorities. 
While the laws governing insurance companies are generally similar from state to state, there are potentially unique features among the states regarding the regulation of insurance companies. Ultimately, the laws of the domiciliary state will control with respect to the rehabilitation or liquidation of an insurance company. Thus, it is important that each FHLBank be thoroughly familiar with the state insurance laws and regulatory framework for each state in which it has an insurance company member domiciled. The domiciliary state of an insurance company member, however, will not necessarily be within an FHLBank’s district because the location of FHLBank membership is determined by an insurance company’s principal place of business, which may differ from the insurance company’s state of domicile. An FHLBank that has such members must be familiar with the insurance laws of the domiciliary state under whose laws those members are organized and regulated;</p></li><li><p>The lack of judicial consideration of whether, under the McCarran-Ferguson Act, the lien priority provision of section 10(e) of the Federal Home Loan Bank Act, as amended, would apply to security interests granted by insurance company members or would be subordinated to the state laws governing insurance companies;</p></li><li><p>The laws dealing with a failed insured depository institution are well known and uniform across the country; whereas, the laws dealing with the failure of an insurance company are less well known to the FHLBanks and, though similar, may vary somewhat from state to state; and</p></li><li><p>A potentially longer rehabilitation, liquidation, or sale process for a failed insurer, particularly a life insurance company, compared to a failed insured depository.</p></li></ol><h2>GUIDANCE</h2><p>In assessing an FHLBank’s lending to insurance companies and collateral position with insurance company members, the FHFA and its Division of Federal Home Loan Bank Regulation will 
evaluate, as appropriate, the following&#58;</p><ol><li><p>Whether the FHLBank communicates regularly with the state insurance regulator in each state where it has an insurance company member domiciled to establish an understanding of the benefits and costs associated with FHLBank membership and with respect to the prudential operations of insurance company members generally, the regulator’s views on the extent to which its insurance company members may obtain advances from an FHLBank, and an FHLBank’s access to collateral in the event of an insurance company liquidation or rehabilitation.</p></li><li><p>Whether, for each state in which an FHLBank’s insurance company member is domiciled, the FHLBank has a documented, up-to-date legal analysis that addresses the state’s insurance laws with respect to&#58;</p></li><ol style="list-style-type&#58;lower-alpha;"><li><p>The authority of the insurance company to be a member and own FHLBank stock;</p></li><li><p>The authority of the insurance company member to enter into a secured borrowing relationship with the FHLBank;</p></li><li><p>The circumstances in which a judicial or administrative stay may be imposed in the case of a rehabilitation or liquidation of an insurance company, and the extent to which such a stay could apply to a secured creditor and its ability to liquidate an insurance company’s collateral;</p></li><li><p>The circumstances in which a rehabilitator or liquidator for an insurance company may avoid transactions or agreements to which the insurance company is a party, including the length of any voidable preference period, and whether it would be possible to avoid bona fide extensions of secured credit made within the preference period;</p></li><li><p>Any other legal restrictions that might hinder the ability of the FHLBank to achieve “control” of collateral pledged by an insurance company; and</p></li><li><p>If the FHLBank and insurance company use a funding agreement to document an advance, whether the 
insurance company has the authority under applicable state law to enter into the funding agreement and to pledge collateral to support its obligations under the funding agreement, such that the FHLBank would be recognized as a secured creditor and could obtain a first-priority perfected security interest in the pledged collateral.</p></li></ol><li><p>Whether in light of the legal risks described in item 2 above the FHLBank has adopted and implemented appropriate policies and procedures to manage those risks.</p></li><li><p>Whether the FHLBank has an established documented analytical framework and procedures for assessing periodically the creditworthiness of insurance company members using both internal and third-party sources. Whether the FHLBank’s procedures differentiate insurance companies that lay off most of their exposure to a single reinsurance company and, if so, whether the FHLBank looks through to the strength of the reinsurance company.</p></li><li><p>Whether the FHLBank has experienced staff trained to analyze SAP and GAAP financial statements of insurance companies to assess their financial condition and creditworthiness.</p></li><li><p>Whether the FHLBank has evaluated and documented the methodology used to establish and update haircuts for insurance company collateral. In particular, whether the FHLBank has incorporated into its haircut analysis the possibility of being subject to a judicial or administrative stay of its right to liquidate its collateral, or the possibility that certain of its advances or collateral agreements may be voided under the state law voidable preference powers associated with insurance companies in rehabilitation or liquidation. 
An FHLBank should have objective standards to measure credit quality and should be prepared to take further action, if warranted, to protect its interests in the case of default.</p></li><li><p>Whether the FHLBank has a written collateral liquidation policy for insurance company members and has identified resources and developed a contingency plan to liquidate the various types of collateral that it accepts from its insurance company members, if necessary.</p></li><li><p>Whether the FHLBank has established policies related to lending to captive insurance companies that take into account the nature and extent of their insurance activities, the source of the collateral being pledged, and whether they are affiliated with entities that are subject to regimes of “inspection and regulation” comparable to those of insured depositories or non-captive insurance companies.</p></li></ol><p>Examiners will review policies, procedures, and practices when examining the FHLBanks’ collateralization of advances and other credit products. Each FHLBank should maintain documented analysis to support decisions regarding actions to perfect and control collateral.</p><p>&#160;</p>
Guidance on On-Site Monitoring of Projects under the Affordable Housing Competitive Application Program | FHL Banks | 12/13/2013 | AB 2013-08
<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>ADVISORY BULLETIN </p><p>AB 2013-08 </p><p>Guidance on On-Site Monitoring of Projects under the Affordable Housing Competitive Application Program </p></td></tr></tbody></table><p>&#160;</p><h2>Introduction </h2><p>This advisory bulletin (AB) provides guidance to the Federal Home Loan Banks (FHLBanks) on incorporating site visits into their project monitoring policies and procedures for certain projects awarded funds under the competitive application program of the Affordable Housing Program (AHP). This AB does not mandate site visits for AHP projects. Rather, it describes the existing monitoring requirements of the AHP regulation and provides guidance to the FHLBanks on how they may meet those requirements by identifying risks and conditions that may warrant a visit to the project site. </p><h2>Guidance </h2><p>Under the AHP regulation, the FHLBanks are responsible for monitoring AHP projects and are required to adopt written policies for their initial and long-term monitoring. The FHLBanks’ monitoring policies must be included in their AHP Implementation Plans. <span style="text-decoration&#58;underline;">See </span>12 C.F.R. § 1291.7(a). The AHP regulation identifies non-exclusive risk factors for the FHLBanks to consider in developing their monitoring policies. Periodically, the FHLBanks should reevaluate the effectiveness of their monitoring policies to determine whether changes in those risks and other conditions may warrant amending their existing initial and long-term monitoring policies. 
</p><p>Any such reevaluation should include an assessment of facts and circumstances that would result in the need or preference to complement off-site monitoring with project site visits. For 2014, we expect that each FHLBank’s management will conduct such a reevaluation in consultation with its board of directors and Advisory Council early in the year and document the conclusions and associated discussions. As warranted, an FHLBank should revise its monitoring policies and procedures and implement any changes no later than June 30, 2014. </p><p>Off-site monitoring generally provides sufficient information for an FHLBank to evaluate whether projects comply with their AHP application commitments and the AHP regulation. However, when there are issues that cannot be resolved or confirmed off-site, an FHLBank should consider visiting the project when the visit could aid the FHLBank in addressing these issues. </p><p>An FHLBank should design its monitoring policies and procedures to provide the FHLBank with the essential, objective information it needs to adequately monitor its AHP projects and promptly identify projects that may be at risk of noncompliance. Those policies and procedures should allow the FHLBank to take timely action to address any noncompliance or to maximize the effectiveness of the FHLBank’s AHP subsidy recovery efforts. Factors cited in the regulation, which may influence whether to conduct site visits, include&#58; the amount of AHP subsidy in the project; the type, size, or location of the project; project sponsor experience; and any monitoring of the project by other government entities. Additional factors for consideration could include the costs and potential benefits of conducting a site visit, and a project’s risk of AHP noncompliance. 
</p><h3>Initial Monitoring&#58; </h3><p>&#160;The AHP regulation requires each FHLBank to adopt a written policy for the initial monitoring of owner-occupied and rental projects under the competitive application program. <span style="text-decoration&#58;underline;">See </span>12 C.F.R. § 1291.7(a)(1)(i). Under the regulation, an FHLBank’s monitoring policy must require AHP project sponsors or owners to provide the information necessary for the FHLBank to determine whether&#58; the project is progressing satisfactorily towards completion and occupancy by eligible households; the AHP subsidies are used for eligible purposes according to the commitments in the AHP application; the project’s household incomes and rents comply with the income targeting and rent commitments made in the AHP application; the project’s actual costs were reasonable in accordance with the FHLBank’s project cost guidelines and the AHP subsidies were necessary for the completion of the project as currently structured; each AHP-assisted unit of an owner-occupied project and rental project is subject to an AHP retention agreement; and any services and activities committed in the AHP application have been provided. </p><p>An FHLBank’s monitoring policy must also include requirements for&#58; (i) FHLBank review of back-up project documentation on household incomes and rents maintained by the project sponsor or owner; and (ii) maintenance and FHLBank review of other project documentation in the FHLBank’s discretion. An FHLBank may not select projects for initial monitoring using a sampling plan, but may use a reasonable risk-based sampling plan to review the back-up project documentation. <span style="text-decoration&#58;underline;">See </span>12 C.F.R. § 1291.7(a)(1)(ii), (iii). 
</p><p>Generally, the FHLBank may verify these requirements off-site through the review of&#58; certificates of occupancy; project owner certifications of household incomes and rents; and certifications or, as appropriate, executed contracts, for the provision of any services and activities committed to at the project. However, if the documentation is not provided to the FHLBank in a complete or satisfactory manner and the information cannot be obtained off-site, a site visit may be warranted. </p><p>An FHLBank’s initial monitoring policy may identify characteristics and conditions where a site visit might provide a more accurate or complete assessment of the project’s potential for noncompliance than might be identified through off-site monitoring. For example, with some projects the risk of noncompliance could be greater during the construction and initial lease-up phase of the project. A visual inspection could provide valuable information on whether the project is making satisfactory progress. Or, in the absence of adequate documentation, a site visit might be useful to verify that services committed in the AHP application are being provided. &#160;</p><h3>Long-Term Monitoring&#58;&#160; </h3><p>Rental projects must comply with certain requirements specified in the AHP regulation over a required 15-year retention period. The AHP regulation provides for three methods of long-term monitoring of completed rental projects under the competitive application program, depending on the characteristics of the rental project. For completed AHP rental projects where an FHLBank does not rely on monitoring by a federal, state, or local government entity, the FHLBank is required to adopt a written monitoring policy for monitoring such projects commencing in the second year after completion through the 15-year AHP retention period. 
This monitoring determines whether household incomes and rents comply with the income targeting and rent commitments, respectively, made in the approved AHP application. The policy must include requirements for&#58; (i) FHLBank review of annual certifications by project owners that household incomes and rents are in compliance with the commitments made in the approved AHP application; (ii) FHLBank review of back-up project documentation on household incomes and rents maintained by the project owner; and (iii) maintenance and FHLBank review of other project documentation in the FHLBank’s discretion. <span style="text-decoration&#58;underline;">See </span>12 C.F.R. § 1291.7(a)(4)(i), (ii).</p><p>The FHLBanks’ monitoring policies must take into account risk factors such as the amount of AHP subsidy in the project, type of project, size of project, location of project, sponsor experience, and any monitoring of the project provided by a federal, state, or local government entity. An FHLBank may use a reasonable, risk-based plan to select the rental projects to be monitored and to review the annual project owner certifications, back-up, and any other project documentation. <span style="text-decoration&#58;underline;">See </span>12 C.F.R. § 1291.7(a)(4)(iii). </p><p>For completed AHP rental projects that have been allocated federal Low-Income Housing Tax Credits (LIHTC or tax credits), an FHLBank may rely on the monitoring of the state-designated housing credit allocation agency of the income-targeting and rent requirements applicable under the LIHTC Program, and the FHLBank need not obtain and review reports from such agency or otherwise monitor the projects’ long-term AHP compliance. <span style="text-decoration&#58;underline;">See </span>12 C.F.R. 
§ 1291.7(a)(2).<sup id="ref1"><a href="#ft1">[1]</a></sup> </p><p>For completed AHP rental projects that received funds other than tax credits from federal, state, or local government entities, an FHLBank may rely on the monitoring by these entities of the income targeting and rent requirements applicable under their programs, provided that the FHLBank can show that&#58; (i) the compliance profiles regarding income targeting, rent, and retention period requirements of the AHP and the other program are substantively equivalent; (ii) the entity has demonstrated and continues to demonstrate its ability to monitor the project; (iii) the entity agrees to provide reports to the FHLBank on the project’s incomes and rents for the full 15-year AHP retention period; and (iv) the FHLBank reviews the reports from the monitoring entity to confirm that they comply with the FHLBank’s monitoring policies. <span style="text-decoration&#58;underline;">See </span>12 C.F.R. § 1291.7(a)(3). <br> <br>For the vast majority of AHP projects, an FHLBank can successfully conduct long-term monitoring off-site by reviewing the household income targeting and rent documentation submitted by the project sponsors or owners, or by relying on monitoring by federal, state, or local government entities where permitted in the AHP regulation. In some circumstances, site visits may be warranted if information provided to the FHLBank is inadequate to establish compliance, or an FHLBank finds indications of a project’s possible noncompliance with the income targeting and rent commitments, and the issues cannot be resolved off-site. 
For example, an FHLBank may consider visiting a project to follow up with the project sponsor or owner if either party has not responded to FHLBank requests for information in a timely or satisfactory manner.&#160;</p><p>Regardless of whether an FHLBank monitors an AHP project or relies upon the monitoring of a government entity, the FHLBank could be ultimately responsible for recovering the amount of any AHP funds not used in compliance with the project’s AHP application commitments or the AHP regulation. <span style="text-decoration&#58;underline;">See </span>12 C.F.R. § 1291.8(a). If an FHLBank is presented with credible information from a reliable source that the third-party monitoring is insufficient or has ceased, or if the FHLBank has sufficient reason to believe that household incomes and rents for a project do not comply with the income targeting and rent commitments made in the approved application, then the FHLBank should conduct its own monitoring of the project and that might include site visits, as warranted. 
It may be prudent for an FHLBank’s written monitoring policies to include provisions for the frequency and scope of project site visits to address such situations.</p><h3>Additional Examples of Factors for Possible Inclusion in Monitoring Policies&#58;</h3><p>In addition to those factors discussed above that might warrant a project site visit, below are some non-exclusive examples an FHLBank should consider for inclusion in its monitoring policies&#58; </p><ul><li><p>The project is a problem project or has been placed on the FHLBank’s watch list; </p></li><li><p>The FHLBank has become aware of possible problems in the project from such sources as funders, monitoring entities, or interested parties, or through unfavorable attention in the media indicating possible AHP noncompliance; </p></li><li><p>The project is solely or primarily funded with AHP subsidy, the amount of AHP subsidy in the project is substantial, or the project has a large number of AHP units; </p></li><li><p>Changed circumstances or new information call into question the operational capacity of the project sponsor or owner, or the continued operational feasibility of the project; and </p></li><li><p>The FHLBank suspects that the owner, sponsor, managing agent, or other party may have misrepresented factual information or falsified income verifications or altered tenant files. </p></li></ul><p>FHFA examiners will review an FHLBank’s monitoring policies, procedures, and practices to determine whether they identify risks and conditions that may warrant a visit to the project site. </p><p>Effective Date&#58; December 13, 2013 </p><p>&#160;</p><hr width="33%" align="left" /><p> <sup id="ft1"><a href="#ref1">[1]</a></sup><span class="ms-rteFontSize-2"> FHFA’s experience with the LIHTC Program has been that Internal Revenue Service penalties to investors appear to be an effective deterrent to a project’s noncompliance with the household income targeting and rent requirements. 
It is also important to note that under the LIHTC, allocating agencies conduct regular site visits to monitor compliance with habitability standards. <span style="text-decoration&#58;underline;">See </span>26 U.S.C. § 42(m)(1)(B)(iii). </span></p>
Model Risk Management Guidance | All | 11/20/2013 | AB 2013-07
<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"> <font face="Times New Roman"> <p>ADVISORY BULLETIN</p> <p align="left">AB 2013-07</p> <p>Model Risk Management Guidance</p></font></td></tr></tbody></table><h2>Purpose </h2><p>This advisory bulletin replaces Federal Housing Finance Agency Advisory Bulletin 2009-AB-03 (Validation and Documentation of Models and Related Controls on Internal Processes). The earlier advisory bulletin provided guidance on model risk management for the Federal Home Loan Bank (FHLBank) System. This guidance’s scope includes Fannie Mae and Freddie Mac in addition to the FHLBanks and the Office of Finance (collectively, the Regulated Entities).<sup id="ref1"><a href="#ft1">[1]</a></sup> A Regulated Entity’s model risk management framework should reflect the entity’s size, complexity and extent of model use and level of risk exposure. Large, complex entities that develop their own models should have an appropriately rigorous framework in place. Both Fannie Mae and Freddie Mac are considered to be large, complex enterprises for purposes of this bulletin. As less complex entities, based on the current extent and scale of their model development, the FHLBanks should have a framework that is commensurate with their model use and risk exposure.</p><p>This advisory bulletin sets the minimum thresholds, based on the extent and scale of each Regulated Entity’s model development, for the Federal Housing Finance Agency’s supervisory expectations for model risk management by outlining the framework of baseline control and governance requirements. This bulletin is intended to be applied using a risk-based approach to models, model-based applications, modeling processes and significant end-user computing tools that are used to help make key business and financial decisions. 
Regulated Entities should apply the same principles outlined in this advisory bulletin to internally-developed and vendor-provided models, whether used and managed in-house or externally by a vendor.</p><p>This advisory bulletin draws on FHFA’s supervisory experience at the Regulated Entities and is consistent with related guidance issued by other federal financial regulatory agencies.<sup id="ref2"><a href="#ft2">[2]</a></sup></p><h2>Background and Key Points</h2><p>The Regulated Entities use models in a variety of areas including but not limited to financial instrument valuation, compliance, capital reserves measurement, loss allowance, financial reporting, and market and credit risk measurement and control. Although models are often essential, reliance on inaccurate or inappropriate models may lead to poor or costly decisions.</p><p>Effective risk-based model risk management entails a comprehensive approach in identifying risk throughout the model lifecycle. A Regulated Entity should embed a risk management framework in its policies, procedures, roles and responsibilities of model stakeholders, and a well-coordinated committee structure. This framework promotes periodic monitoring and reporting of model risk horizontally and vertically across a Regulated Entity. It envisions the placement of stronger process control where risk arises; an appropriate organizational structure to promote transparency of risk; an independent model risk management group; and clear direction from a Regulated Entity’s compliance units, senior management, and its board of directors (the board). The board’s risk committee sets the model risk appetite at the corporate level. Model stakeholders including model users, developers, owners, and oversight groups should have clear accountabilities to promote compliance with model risk limits and management guidelines.</p><p>This framework incorporates recent trends in model risk management. 
Specifically, it adopts the practice of managing inherent model risk at the source – the assignment of model risk management responsibilities to model developers, owners and users. Also, the framework expands the risk management group’s role from one solely performing validation activities to one that is more proactive in risk identification and measurement. Additionally, the framework recommends that the board and senior management exercise oversight through working groups and committees. Working groups and management committees provide model stakeholders forums in which to discuss model issues and approve mitigating actions. The framework likewise expands the assurance function of internal audit in large, complex enterprises to include continuous monitoring of model controls and an enhanced ability to review the effectiveness of the validation function. For less complex entities, internal audit’s role could be more limited and focus on compliance with relevant policies and procedures.</p><p>Critical to the success of managing model risk is full ownership by model developers, owners and users of the responsibilities of managing risk consistent with the view that model risk is a risk management responsibility rather than a compliance obligation. Model risk is best managed at its source through a structured and disciplined approach in model development, testing, implementation, validation, and use. This is executed through a formalized control framework with a highly specific set of control procedures and standards present through the model lifecycle. Model owners and developers manage risk through proper development and implementation of models in accordance with these guidelines. Similarly, the model user takes guidance from specific control procedures to ensure that the model is used appropriately and all manner of model use is&#160;reported and inventoried. 
Examples of control guidelines include model documentation standards, model performance standards, model change and control procedures, and technical model development standards to guide model implementation.</p><p>An independent model risk management group provides a secondary layer of control by identifying and measuring residual model risk via its model validation, periodic review, and ongoing monitoring activities.</p><p align="left">Senior management and the board perform vital governance and oversight functions through their review and approval of proposed remediation or mitigation approaches. Management committees provide the appropriate forums where corporate model strategies are discussed and management approves short-term model risk mitigation actions and longer-term model risk remediation approaches. At large, complex enterprises, internal audit assesses the design and effectiveness of the overall model risk management framework through its model and business process audits and its assessment of the validation function’s effectiveness.</p><p align="left">In establishing this framework, senior management should ensure that roles and responsibilities are clear and that model risk issues are identified and reported horizontally and vertically across a Regulated Entity. Clear accountability is needed to ensure that model stakeholders have the proper incentives to manage their respective risk areas.</p><p align="left">Senior management should create an appropriate organizational structure to promote effective organizational challenge of models. Key elements of having effective organizational challenge to models include findings management, performance tracking, reporting, and an escalation process. The independent validation group should be adequately staffed and have the requisite skills and experience to assess the conceptual design of the modeling approach. Model risk should be transparent and reported to the board and senior management. 
Remedial actions should be timely and escalation procedures clear. All stakeholders, including modelers, model users and independent validators, should participate actively to influence model development planning and prioritization. The support of senior management and the board is vital in promoting a culture of collaborative model risk awareness across a Regulated Entity.</p><p align="left">Regulated Entities should customize their model risk management framework based on the extent and complexity of model use and their level of risk exposure. Large, complex enterprises that develop their own models should have a more rigorous and extensive framework in place. Less complex and smaller entities should design their framework to ensure minimum supervisory requirements are met in a cost-effective manner.</p><p align="left"> <strong>See Attached for FHFA Model Risk Management Guidance Handbook</strong></p><p align="left">&#160;</p><hr width="33%" align="left" /><p style="text-align&#58;left;"> <sup id="ft1"> <a href="#ref1">[1]</a></sup> Although the Office of Finance is not a “regulated entity” as the term is defined in the Federal Housing Enterprises Financial Safety and Soundness Act of 1992, as amended, for purposes of convenience, this advisory bulletin includes the Office of Finance when referring to the Regulated Entities collectively, unless otherwise noted.</p><p> <sup id="ft2"> <a href="#ref2">[2]</a></sup> Board of Governors of the Federal Reserve System and Office of the Comptroller of the Currency. Supervisory Guidance on Model Risk Management. OCC 2011-12 (April 4, 2011).</p>
Guidance on Scoring Tie-Break Methodologies in the Affordable Housing Competitive Application Program | FHL Banks | 10/8/2013 | AB 2013-06
<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"> <p>DIVISION OF FEDERAL HOME LOAN BANK REGULATION </p><p>ADVISORY BULLETIN </p><p>AB 2013-06 </p><p>Guidance on Scoring Tie-Break Methodologies in the Affordable Housing Competitive Application Program </p></td></tr></tbody></table><h2>&#160; </h2><h2>Introduction </h2><p>This advisory bulletin provides guidance under the Affordable Housing Program (AHP) regulation, 12 C.F.R. part 1291, on how the Federal Home Loan Banks (FHLBanks or Banks) may treat AHP competitive program applications in the event that two or more applications have identical scores in the same funding round and there is insufficient AHP subsidy to approve all of the tied applications. This guidance supersedes any previous guidance to the contrary. </p><h2>Guidance </h2><h3>A. General </h3><p>An FHLBank may minimize the possibility that AHP applications will receive identical scores by designing its method of allocating scoring points to provide sufficient variability in the scoring points awarded to different applications. For example, a Bank might design a particular scoring criterion as a variable rather than a fixed criterion (see §1291.5(d)(3)), which might include carrying individual scores out to multiple decimal places. Unlike a fixed criterion, where an application meeting a specific criterion receives the total amount of points allowable, with a variable point criterion the application is scored on how well it meets the criterion. This approach allows for greater differentiation in scores and decreases the possibility of a tie. </p><p>If two or more AHP applications receive identical numerical scores, an FHLBank may not divide the amount of remaining subsidy equally among the applications with the same scores. 
</p><p>If an AHP application receives a numerical score identical to the score of another application in that funding round, and, if that application requests more subsidy than the amount of AHP funds that remain to be awarded, then the FHLBank shall approve that application as an alternate and exclude it from participation in the tie-breaking event. </p><h3>B. Establishment and Implementation of Scoring Tie-Break Policies </h3><p>An FHLBank may establish a scoring tie-break policy to address the possibility of a tie between or among two or more applications. The FHLBank should consult with its Advisory Council prior to adoption of such policy, and the policy should be adopted in advance of a funding period. </p><p>If an FHLBank adopts a tie-break policy, it should include the methodology used to break a tie in its AHP Implementation Plan (IP). Inclusion of the tie-break methodology in the IP ensures that applicants will receive prior notice of the policy. </p><p>An FHLBank’s scoring tie-break methodology should be reasonable, transparent, verifiable and impartial. The methodology is intended solely to break a scoring tie and should not affect the eligibility of the applications, including financial feasibility, or their scores and resultant rankings. </p><p>If an application does not prevail in breaking the tie, the Bank must approve it as an alternate pursuant to §1291.5(e)(2) and, within one year of approval, the Bank may fund the application if previously committed AHP subsidies become available and the amount of funding is sufficient to fund the alternate application. </p><p>The AHP regulation prohibits adoption of additional scoring criteria not specified or permitted in the regulation. However, an FHLBank electing to adopt a tie-break method may, as one option, draw its tie-breaking principles from the FHLBank’s AHP scoring criteria adopted in its IP pursuant to the AHP regulation at 12 CFR § 1291.5(d). 
</p><p>Each time the tie-break policy is applied to an application, the FHLBank should document its analysis and results in writing. </p><p>The FHLBanks’ scoring tie-break policies and written analyses and results of scoring tie-breaks are subject to review by FHFA’s examiners. </p><h3>C. Illustrative Examples of Scoring Tie-Break Methodologies </h3><p>The following are non-exclusive examples of scoring tie-break methodologies that an FHLBank could adopt. </p><p> <strong>Example 1.</strong> This example entails comparing the tied applications’ scores on three separate scoring criteria. </p><ul><ul style="list-style-type&#58;none;list-style-image&#58;none;"><li><p> <strong>Step 1&#58;</strong> In the event of a scoring tie between two or more applications, the application that scored the highest number of points under the Second District Priority scoring criterion receives the AHP award (§1291.5(d)(5)(vii)). If the applications’ scores are still tied, proceed to Step 2. </p></li><li><p> <strong>Step 2&#58;</strong> Compare the applications’ scores under the First District Priority criterion (§1291.5(d)(5)(vi)). The application that scored the highest number of points under the First District Priority receives the AHP award. If the scores are still tied, proceed to Step 3. </p></li><li><p> <strong>Step 3&#58;</strong> The application with the highest score under the Community Stability criterion receives the AHP award (§1291.5(d)(5)(ix)). </p></li></ul></ul><p> <strong>Example 2.</strong> This example entails comparing the tied applications’ scores on three separate criteria under the Second District Priority scoring criterion. 
Assume the FHLBank has allocated 20 total variable points to its Second District Priority scoring criterion for the following housing priorities&#58; up to 10 points for the preservation of existing affordable units through acquisition or redevelopment that would otherwise be lost as affordable housing stock and/or converted to market-rate units; up to 7 points for the use of properties or units that have been foreclosed upon; and up to 3 points for the extent to which a member or members participate(s) financially in a project, excluding pass-through of the AHP subsidy. </p><ul dir="ltr" style="text-align&#58;left;margin-right&#58;0px;"><ul style="list-style-type&#58;none;list-style-image&#58;none;"><li><p> <strong>Step 1&#58; </strong>Compare the tied applications’ scores under the preservation criterion. The application with the highest score is approved for funding. If the applications’ scores are still tied, proceed to Step 2. </p></li><li><p> <strong>Step 2&#58; </strong>Compare the tied applications’ scores under the foreclosed-upon criterion. The application with the highest score is approved for funding. If the applications’ scores are still tied, proceed to Step 3. </p></li><li><p> <strong>Step 3&#58;</strong> Compare the tied applications’ scores under the member-participation criterion. The application with the highest score is approved for funding. </p></li></ul></ul>
Management of Deficiency Balances | Fannie Mae & Freddie Mac | 9/16/2013 | AB 2013–05
<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>ADVISORY BULLETIN </p><p>AB 2013 – 05 </p><p>MANAGEMENT OF DEFICIENCY BALANCES </p></td></tr></tbody></table><h2><strong>&#160;</strong></h2><h2>Introduction </h2><strong><em><span style="text-decoration&#58;underline;"><font size="3"></font></span></em></strong><p>This advisory bulletin establishes supervisory expectations for deficiency balance management at Fannie Mae and Freddie Mac (the Enterprises). The bulletin describes factors that should be considered when deciding whether to pursue recovery of deficiency balances as part of a deficiency balance management program. The guidance in this bulletin is not intended to require actions to recover deficiency balances from borrowers who have made efforts to cure their default or to participate in a refinance, modification, or other foreclosure avoidance program. </p><h2>Background </h2><strong><em><span style="text-decoration&#58;underline;"><font size="3"></font></span></em></strong><font face="Times New Roman,Times New Roman" size="3"><font face="Times New Roman,Times New Roman" size="3"><p>There is a deficiency balance when the proceeds from a foreclosure sale are insufficient to satisfy the outstanding unpaid principal balance, accrued but unpaid interest, and other expenses associated with a defaulted loan. When permitted under federal law and the laws of the jurisdiction governing the foreclosure, Fannie Mae and Freddie Mac may take action to recover the deficiency balance from the defaulting borrower. Such actions may include obtaining a deficiency judgment and other collection efforts. 
Pursuing recovery of a deficiency balance when economically beneficial to the Enterprise will reduce credit losses, and may act as a deterrent to so-called &quot;strategic defaulters,&quot; that is, borrowers who possess the financial ability to meet their mortgage loan contractual obligations but choose to stop making payments. </p></font></font><h2>Guidance </h2><strong><em><span style="text-decoration&#58;underline;"><font size="3"></font></span></em></strong><font face="Times New Roman,Times New Roman" size="3"><p>The Enterprises should maintain formal policies and procedures for managing and monitoring their deficiency balance collection decisions and processes consistent with prudent practices utilized in the financial services industry. An effective deficiency balance management program requires coordination among all parties involved in recovery activities, including third-party service providers. The Enterprises should establish controls to monitor the activities of these counterparties to ensure that deficiency balance management processes are timely, effective, and efficient, and consider possible remedial actions if they are not.</p><font size="3"><p>The Enterprises’ deficiency balance management programs should identify relevant factors to consider when determining whether to take action to recover a deficiency balance and the appropriate form of action. Those factors should include, but are not limited to, the following&#58; </p><ol><span style="text-decoration&#58;underline;"><font size="3"></font></span><font size="3"><li><p><span style="text-decoration&#58;underline;">Jurisdiction of Foreclosure&#58; </span>The laws governing foreclosure processes and collection of deficiency balances vary by state. Some states prohibit the practice and others place restrictions and timeframes on a lender’s ability to obtain and collect deficiency judgments. 
It is important that each Enterprise and its vendors comply with the applicable statute of limitations in order to preserve the ability to pursue collection. </p></li><span style="text-decoration&#58;underline;"></span><li><p><span style="text-decoration&#58;underline;">Federal and other Law&#58; </span>The Enterprise should consider whether a borrower has filed for bankruptcy or there is other litigation involving the property. </p></li><span style="text-decoration&#58;underline;"></span><li><p><span style="text-decoration&#58;underline;">Mortgage Insurance&#58; </span>For federally insured loans, the Department of Housing and Urban Development or the Department of Veterans Affairs may require the lender to pursue a deficiency judgment. For loans with private mortgage insurance, the terms of the policy that may affect the Enterprise’s ability to pursue a deficiency judgment must be considered. </p></li><span style="text-decoration&#58;underline;"></span><li><p><span style="text-decoration&#58;underline;">Loss Mitigation Efforts&#58; </span>A borrower’s efforts to cure the default or pursue an alternative to foreclosure, such as loan refinance or modification program offered by the Enterprise. An additional factor is the borrower’s participation in the Enterprise’s short sale or deed-in-lieu programs, which provide for a waiver of the Enterprise’s right to pursue deficiency judgments. </p></li><span style="text-decoration&#58;underline;"></span><li><p><span style="text-decoration&#58;underline;">Loan/Borrower-related Factors&#58; </span>An Enterprise should take into account particular characteristics of the loan and borrower that may indicate the likelihood of success of deficiency judgment in a particular case. 
These factors would include, for example, whether the foreclosed property was owner-occupied or purchased for investment purposes; whether the borrower defaulted on more than one mortgage held by the Enterprise; and available information (e.g., in a credit report) about whether the borrower has kept other financial obligations current. </p></li><span style="text-decoration&#58;underline;"></span><li><p><span style="text-decoration&#58;underline;">Elements of Bad Faith&#58;</span> Characteristics of strategic default behavior or possible fraudulent acts, such as loan documents that appear inaccurate or falsified, should be considered. </p></li><span style="text-decoration&#58;underline;"></span><li><p><span style="text-decoration&#58;underline;">Business Judgment&#58;</span> The decision to pursue collection should make economic sense to the Enterprise and reflect that the associated costs are in line with the Enterprise’s loss mitigation strategies. The amount of the deficiency, the reason for the default, the financial condition of the borrower, legal fees, and the availability and cost of qualified collection vendor(s) might all influence the decision to pursue a deficiency balance. </p></li></font></ol><font size="3"></font></font><font size="3"><font size="3"><p align="justify">The Enterprise’s determinations regarding deficiency balances should indicate relative weights of the different factors considered by the Enterprise. The Enterprise’s documented process in place for deficiency balance determinations should include a risk-based process for internal review of decisions as appropriate. </p><p>Examiners will review policies, procedures, and practices when examining Fannie Mae and Freddie Mac’s deficiency balance management programs. Each Enterprise should maintain documented analysis to support decisions regarding actions to recover deficiency balances. 
</p></font></font></font>
Rescission of Division of Bank Regulation Advisory Bulletins | FHLB & Office of Finance | 7/16/2013 | AB 2013-04
<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>ADVISORY BULLETIN </p><p>AB 2013-04 </p><p>Rescission of Division of Bank Regulation Advisory Bulletins </p></td></tr></tbody></table><h2>&#160;</h2><h2>Background </h2><p>In an effort to keep all guidance related to the examination process current, the Federal Housing Finance Agency (FHFA) undertook a review of all outstanding Advisory Bulletins (ABs) issued by the Federal Housing Finance Board (Finance Board) or the FHFA that relate to the examination of the Federal Home Loan Banks (FHLBanks). An AB reflects FHFA’s position on a supervisory matter and the guidance is relied upon by our examination staff as part of the oversight of FHLBanks. </p><p>We reviewed all outstanding ABs issued from 1996 to the present. Criteria for rescission included guidance that related to actions that have been completed, guidance that has been codified in FHFA regulations or superseded by other guidance, and guidance that was deemed no longer relevant or applicable in the current environment. In some cases, the guidance was replaced through the issuance of amended ABs, the issuance of Regulatory Reporting Updates, or inclusion in the FHFA Data Reporting Manual. In other cases, the guidance references former Finance Board regulations that are no longer in existence.</p><h2>Guidance </h2><p>This Advisory Bulletin rescinds 29 ABs issued between 1996 and 2007 by the Finance Board relating to the examination of the FHLBanks. Each rescinded AB, the reason for its rescission, and the guidance that replaced it, if any, are listed in the attachment. Each AB is rescinded for one of the following reasons&#58; </p><ul><li><p><strong>Outdated </strong>– The document is no longer needed. 
</p></li><li><p><strong>Replaced </strong>– The document is superseded by subsequent guidance. </p></li><li><p><strong>Incorporated </strong>– The document conveyed guidance that was incorporated in FHFA regulations. </p></li></ul><p>The rescinded ABs are removed from active public files and placed into an FHFA internal file.&#160;<br></p>
FHFA Enforcement Policy | All | 5/31/2013 | AB 2013-03
<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p><font size="3">ADVISORY BULLETIN </font></p><p><font size="3">AB 2013-03 </font></p><p><font size="3">FHFA ENFORCEMENT POLICY</font></p></td></tr></tbody></table><h2>&#160; </h2><h2>PURPOSE </h2><strong><font size="3"></font></strong><font face="Times New Roman,Times New Roman" size="3"><p>This advisory bulletin disseminates the Federal Housing Finance Agency (FHFA) policy for taking enforcement actions, when determined appropriate, to address compliance with laws, rules, or regulations; supervisory guidance, examination findings, or failure to comply with final agency orders; capital deficiencies; failure to meet prudential standards; and/or unsafe or unsound practices or conditions. </p><p>The enforcement policy provides FHFA guidance for internal agency purposes. FHFA is sharing the policy with the public as a means to promote supervisory transparency. The policy is not intended, does not, and may not be relied upon, to create rights, substantive or procedural, enforceable at law or in any administrative proceeding. </p><h2>SCOPE </h2><strong><font size="3"></font></strong><font face="Times New Roman,Times New Roman" size="3"><font face="Times New Roman,Times New Roman" size="3"></font></font><p>The enforcement policy is applicable to FHFA actions pertaining to the Federal Home Loan Banks, the Office of Finance, Fannie Mae, and Freddie Mac. 
Actions may take the form of informal enforcement actions; formal enforcement actions, such as cease-and-desist proceedings under 12 USC 4631; cease-and-desist orders and civil money penalties under 12 USC 4566(c)(1) and (c)(7), 12 USC 4581 and 4585, and 1430c(d); prompt corrective action directives under 12 USC 4611 et seq.; prudential management and operations standards orders under 12 USC 4513b; prompt supervisory responses under 12 CFR part 1777, subpart A; or some combination thereof. </p><font face="Times New Roman,Times New Roman" size="3"><font face="Times New Roman,Times New Roman" size="3"><p>The enforcement policy rescinds and replaces the FHFA Division of Federal Home Loan Bank Regulation Enforcement Policy (2012-DBR-01) issued in August 2012. The policy does not supersede or limit the applicability of any other FHFA regulation or policy that may provide more explicit guidance and direction, or establish supplemental procedures. The guidance provided in the enforcement policy does not remove or limit FHFA’s discretion and judgment in making decisions about whether to take an enforcement action, or determining which type of enforcement action may be appropriate in a given set of circumstances. </p><font size="3"></font></font></font></font>
Clarification of Implementation for Advisory Bulletin 2012-02 | All | 5/13/2013 | AB 2013-02
<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>ADVISORY BULLETIN </p><p>AB 2013-02 </p><p>Clarification of Implementation for Advisory Bulletin 2012-02, Framework for Adversely Classifying Loans, Other Real Estate Owned, and Other Assets and Listing Assets for Special Mention </p></td></tr></tbody></table><p align="justify">&#160;</p><strong><h2>Background </h2><strong><em><font size="3"></font></em></strong><p>On April 9, 2012, the Federal Housing Finance Agency (FHFA) issued Advisory Bulletin 2012-02, Framework for Adversely Classifying Loans, Other Real Estate Owned, and Other Assets and Listing Assets for Special Mention. That guidance establishes a standard methodology for classifying loans, other real estate owned, and certain other assets, excluding investment securities, and prescribes the timing of asset charge-offs based on these classifications. Advisory Bulletin 2012-02 was effective upon issuance; however, FHFA has subsequently clarified details of the implementation date. </p><font size="3"><h2>Guidance </h2></font><p>Implementation of the asset classification framework may occur in two phases. The asset classification provisions in Advisory Bulletin 2012-02 should be implemented by January 1, 2014. The charge-off provisions have been extended and should be implemented no later than January 1, 2015. </p><font size="3"></font></strong>
Contingency Planning for High-Risk or High-Volume Counterparties | All | 4/1/2013 | AB 2013–01
<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>ADVISORY BULLETIN </p><p>AB 2013 – 01 </p><p>CONTINGENCY PLANNING FOR HIGH-RISK OR HIGH-VOLUME COUNTERPARTIES </p></td></tr></tbody></table><br><br><h2>Introduction </h2><p>This Advisory Bulletin establishes guidelines for contingency plans for high-risk or high-volume counterparties at Fannie Mae and Freddie Mac (the Enterprises), and the Federal Home Loan Banks (FHLBanks) (collectively, the regulated entities). The guidelines describe the criteria the regulated entities should use to develop plans for managing counterparty credit risk exposures.</p><p>This guidance does not supplant existing regulations that pertain to risk management at the regulated entities.</p><h2>Background </h2><p>A regulated entity’s prudent management of counterparty risk includes establishing and maintaining written policies and procedures to prevent excessive exposure to any counterparty in relation to the counterparty’s financial condition, or excessive exposure owing to a high volume or concentration of transactions with a particular counterparty or group of related counterparties. Counterparty risk management practices should measure counterparty risk limits and exposures against policy limits (including ranges and tolerances for each factor being monitored), institute procedures for initial and ongoing monitoring of a counterparty’s condition and total exposure, and establish a framework for internal reporting on counterparty risk exposures and concentrations to boards of directors and senior management. 
Counterparty credit risk management practices should also include contingency plans to respond when internal limits are breached.</p><p>Federal Housing Finance Agency (FHFA) Prudential Management and Operations Standards (PMOS) were effective August 7, 2012, and supplement existing FHFA regulations. They address ten separate areas relating to the management and operation of the FHLBanks and the Enterprises. Standard 8 (Overall Risk Management Processes) and Standard 9 (Management of Credit and Counterparty Risk) highlight the need for the regulated entities to establish risk management practices that measure, monitor, and control credit risk and the need to have appropriate credit risk policies, procedures, controls, and systems.</p><p>This guidance considers and is generally consistent with the Interagency Supervisory Guidance on Counterparty Credit Risk Management issued by the federal banking regulators in June, 2011, which established specific guidance on counterparty credit risk management, including managing concentrated exposures and counterparty terminations.</p><h2>Guidance </h2><p>The regulated entities should establish criteria for identifying high-risk or high-volume counterparties based on internal limits, including ranges and tolerances. The analysis to identify a high-risk or high-volume counterparty should include an assessment of whether the deterioration in the condition of the counterparty or an elimination or reduction in an exposure could result in a material loss or significant disruption to operations. The regulated entities should have written contingency plans for high-risk and high-volume counterparties, including plans for individual counterparties or groups of related counterparties. 
These plans should provide a variety of actions that can be followed in the event internal limits are breached, including steps to reduce counterparty exposure and procedures for an exit strategy.</p><p>FHFA expects each regulated entity’s risk management practices to include&#58;</p><ol><li><p>A process to conduct initial and ongoing monitoring and updating of each counterparty’s or group of related counterparties’ condition and risk profile, and the entity’s overall exposure to each counterparty, groups of related counterparties, and total entity-wide exposures; and to track emerging events that may affect counterparty condition and risk profile, in accordance with Standard 8 (Overall Risk Management Processes) of the PMOS guidelines.</p></li><li><p>A comprehensive set of risk limits and a mechanism for reporting violations and breaches of risk limits to senior management and the board of directors, in accordance with Standard 8 (Overall Risk Management Processes) of the PMOS guidelines.</p></li><li><p>Policies that limit concentrations of credit risk and establish limits on exposures to individual counterparties and groups of related counterparties, in accordance with Standard 9 (Management of Credit and Counterparty Risk) of the PMOS guidelines.</p></li><li><p>Step-by-step procedures and decision-making responsibilities within a written contingency plan, including delegations of authority and a description of circumstances that would require action and escalation of issues.</p></li><li><p>Procedures that provide for orderly reduction of counterparty exposures that exceed internal limits commensurate with the size, type, and volatility of the risk in the exposure. 
Such actions could include, but are not limited to&#58; (1) Transferring any exposure that exceeds internal limits to other counterparties after conducting appropriate reviews of their financial condition; (2) Establishing new reduced limits, or prohibiting additional transactions with the counterparty; and (3) Specifying timeframes to meet targeted reduction goals for different types of exposures, including steps to reduce exposure when a counterparty’s financial condition is deteriorating.</p></li><li><p>A schedule for periodic testing of contingency plans. The tests should recreate a regulated entity’s response when internal limits are breached to test communications and procedures and assess the contingency plan’s effectiveness. Testing should also identify other qualified counterparties and assess whether they could be used in the event a contingency plan is enacted. Testing should be risk-based and conducted at a frequency that is commensurate with the materiality of exposures.</p></li><li><p>Standards to quickly and accurately assess the quantitative impact a counterparty’s failure would have on the regulated entity.</p></li><li><p>Requirements for periodic review and update of contractual terms that relate to counterparty terminations, and confirmation that current agreements specify the definition of events of default and other termination conditions, and the termination process that will be used.</p></li></ol><p>Examiners will review policies, procedures and practices related to credit and counterparty risk management, including an entity’s contingency plans for high-risk and high-volume counterparties.</p><h2>Related Guidance</h2><p>12 CFR 932.9 of the Federal Housing Finance Board’s regulations sets forth limitations on unsecured extensions of credit to a single counterparty or affiliated counterparties. </p><p><em>Rules and Regulations of the Federal Housing Finance Agency</em><em> (12 CFR Part 1236). 
</em>FHFA’s Prudential Management and Operations Standards. </p><p>Monitoring Unsecured Credit Exposures and Concentrations, Federal Housing Finance Board<span style="text-decoration&#58;underline;"> Advisory Bulletin </span>98-10, December 8, 1998. </p><p><em>Risk Management Oversight</em>, Federal Housing Finance Board <span style="text-decoration&#58;underline;">Advisory Bulletin </span>05-05, May 18, 2005. </p>

© 2020 Federal Housing Finance Agency