Purpose

This advisory bulletin (AB) communicates to Fannie Mae and Freddie Mac (collectively, the Enterprises)[1] Federal Housing Finance Agency's (FHFA) supervisory guidance for managing insider trading risk and related conflicts of interest to support a safe and sound operating environment. Insider trading risk management is a key component of an Enterprise's compliance risk management program.

Background

Insider trading risk is the risk of legal or regulatory sanctions, damage to current or projected financial condition, damage to business resilience,[2] or damage to reputation resulting from nonconformance with U.S. Securities and Exchange Commission (SEC) insider trading laws and disclosure requirements,[3] rules, prescribed practices, internal policies and procedures, and ethical and related conflict-of-interest standards (insider trading obligations).

The phrase “insider trading" may refer to legal and illegal conduct. Insider trading is legal when an investor trades a security[4] but does not have material nonpublic information (MNPI) or when the trade is made pursuant to a Rule 10b5-1 passive investment plan.[5]

Illegal insider trading occurs when a person or entity in possession of MNPI, obtained through their employment or other involvement with a company, purchases, sells or otherwise trades their own company's securities or non-company securities based on MNPI, or when a person or entity improperly discloses MNPI to a third party[6] (collectively, illegal insider trading activity).

Section 10(b) of the Securities Exchange Act of 1934 (Exchange Act),[7] other securities laws,[8] and common law obligations broadly prohibit fraudulent activities of any kind in connection with the offer, purchase, or sale of securities.[9] SEC regulations[10] do not define the terms "material" and "nonpublic" but rely on definitions established in case law. Material information can be positive or negative and can relate to virtually any aspect of the Enterprise's business or to a type of security. Information is material if "there is a substantial likelihood that a reasonable shareholder would consider it important" in making an investment decision[11] or if there is a substantial likelihood that it would be viewed “by the reasonable investor as having significantly altered the 'total mix' of information made available."[12] Information is nonpublic if it has not been made generally available to investors.[13]

Insider trading risks include exposure to private civil actions or civil, criminal, and administrative actions by regulators, law enforcement, or other government agencies, such as:

• The SEC's enforcement of Sections 10(b), 16, and 20(a) of the Exchange Act[14​] and Rule 10b-5;​[15]
• The U.S. Department of Justice's (DOJ) criminal prosecution of individuals and corporations related to insider trading and securities fraud under Section 807 of the Sarbanes-Oxley Act of 2002;^[16]
• FHFA's enforcement of fraud reporting requirements related to insider trading activity pursuant to the Federal Housing Enterprises Financial Safety and Soundness Act of 1992, as amended by the Housing and Economic Recovery Act of 2008 (Safety and Soundness Act);^[17]
• FHFA's enforcement of applicable laws, regulations, orders, or adverse examination findings and communications;[18]
• Enforcement of applicable state laws and regulations addressing insider trading activities that violate corporate fiduciary duties of care and loyalty;^[19] and
• Recourse for misappropriation of MNPI.

​Additionally, effective management of insider trading risk requires compliance with the following FHFA regulations:

• 12 CFR 1239.10 (Code of Conduct and Ethics);
• 12 CFR 1239.11 (Risk Management); and
• 12 CFR 1239.12 (Compliance Program).

Effective insider trading risk management also requires consideration of the guiding principles of sound risk management set forth in the Appendix to 12 CFR Part 1236, Prudential Management and Operations Standards (PMOS). With respect to various risk-management areas, the PMOS articulate guidelines on general responsibilities of the Enterprises' boards and senior management; establishment of policies, standards, and procedures; adequate resources, systems, and controls; and an adequate internal audit function.[20]

Guidance

The Enterprise is expected to establish and maintain an effective compliance program based on enterprise-wide risk assessment processes[21] to manage insider trading activities and the inherent risks of those processes. Through its risk assessments, the Enterprise identifies business areas and roles presenting heightened insider trading risk and identifies effective controls to minimize that risk. To mitigate insider trading risk, the Enterprise should examine the nature of its business and its prior history of insider trading risk events, determine what types of illegal insider trading activities pose the greatest risk, and adopt effective controls to detect and prevent such misconduct.[22] By implementing a well-designed, adequately resourced, and effective compliance program, an Enterprise can make it less likely that covered parties[23] will engage in illegal insider trading activity.[24]

I.          Corporate Governance

A.         Roles and Responsibilities

The Enterprise's board of directors (board) plays a pivotal role in the effective governance of insider trading risk.[25] The Enterprise is responsible for establishing and maintaining a written code of conduct and ethics that is reasonably designed to assure that its directors, officers, and employees discharge their duties and responsibilities in an objective and impartial manner that promotes honest and ethical conduct, compliance with applicable laws, rules, and regulations, accountability for adherence to the code, and prompt internal reporting of violations of the code to appropriate persons identified in the code (Code of Conduct).[26] The Code of Conduct is an invaluable resource helping employees locate relevant governing documents, services, and other resources related to insider trading, ethics, and compliance generally. The Enterprise may also benefit from adopting a separate Code of Conduct for members of the Board of Directors (Director Code). An appropriate Director Code reflects that Directors have higher exposure to insider trading risk given their access to MNPI.

The Code of Conduct and the Director Code should encourage high ethical standards, promote a culture of compliance with insider trading obligations,[27] and discourage unethical behavior or circumvention of compliance obligations.[28] Promoting a culture of compliance with insider trading obligations includes documenting and communicating clear expectations about compliance with insider trading laws; clearly communicating related conflict of interest and business ethics standards and expectations; articulating the principle that employees and management conduct all activities in accordance with both the letter and the spirit of insider trading obligations; and creating an environment where employees are encouraged to raise legal, compliance, and ethics questions and concerns without fear of retaliation.[29]

B.         Insider Trading Governing Documents

Committee charters, delegations of authority, policies, standards, and procedures that address insider trading obligations (insider trading governing documents) are excellent communication tools.[30] The insider trading governing documents should assign clear and consistent roles and responsibilities for managing insider trading risk and for reviewing and resolving related conflicts of interest. An Enterprise's insider trading governing documents should include change management procedures for effectively monitoring and operationalizing new or modified insider trading obligations and for communicating these changes across the three lines of defense.

C.        Illegal Insider Trading Prohibitions

An Enterprise's insider trading governing documents should address statutory and regulatory prohibitions against illegal insider trading activities.[31] An Enterprise's insider trading governing documents should make clear that an Enterprise's exposure to insider trading risk is increased when an Enterprise fails to supervise staff in possession of MNPI, fails to establish adequate policies and procedures for handling MNPI,[32] and fails to report instances of insider trading to the appropriate regulators.[33]

D.        Conflicts of Interest

Misuse of MNPI for personal benefit in securities transactions is a conflict of interest related to insider trading.[34] An Enterprise's insider trading governing documents should establish procedures for reviewing and resolving potential material conflicts of interest related to insider trading; responding to requests for waivers or exceptions to trading prohibitions and addressing any other insider trading obligations or restrictions set forth in the insider trading governing documents. Each Enterprise should maintain written records of all identified material conflicts of interest related to insider trading.

II.        Risk Identification and Assessment

The insider trading governing documents should operationalize insider trading risk-management obligations into the Enterprise's day-to-day business processes, job duties, and responsibilities. The Enterprise's insider trading governing documents should: identify potential MNPI; determine which transactions, disclosures, and personnel are covered by the insider trading obligations; evaluate the quality of risk management; assess residual insider trading risk; and promote independent reviews, escalation, and tracking of identified issues. The insider trading governing documents should also include methods of measuring insider trading risk (e.g., by using key risk indicators) and use such measurements to enhance compliance risk assessments.[35]

A.         Identifying MNPI

Management, with appropriate board oversight, should establish effective information management systems[36] to protect MNPI and other sensitive information. Data security management policies, standards, and procedures should contain specific security requirements established for categories of sensitive data.[37]

B.         Identifying Covered Transactions

Effective insider trading governing documents highlight the broad scope of insider trading obligations and make clear that these obligations apply to the purchase and sale of all securities and not just common stock. Prohibitions against illegal trading apply to the purchase and sale of an Enterprise's stock, hedging Enterprise securities, purchase and sales of Enterprise securities pledged in a margin account or as collateral for a loan, trading debt securities issued by the Enterprise and any other securities issued by the Enterprise. The prohibitions also apply to securities of non-Enterprise companies, including securities of third parties, if a covered party (defined below) learns information in the course of his or her duties that may affect the value of those other non-Enterprise securities. Effective insider trading governing documents and risk assessment procedures may include a list of examples of transactions subject to the insider trading obligations (covered transactions) as well as lists of institutions and securities that are covered or restricted. An Enterprise's insider trading governing documents should also address permissible trading windows, pre-clearance of acceptable transactions, and blackout periods, as applicable, when the Enterprise prohibits trading and the extent to which various covered parties are subject to such terms.

C.        Covered Parties

FHFA expects an Enterprise to make clear that insider trading obligations apply to the Enterprise, its employees, officers, directors, select contingent workers, other third parties with access to MNPI, and individuals receiving “tips" of MNPI, if the person receiving the tip is a family member or has a meaningfully close personal relationship with the party improperly disclosing the MNPI (covered parties). The Enterprise should establish standards and procedures for determining which third parties, counterparties, vendors, business partners, consultants, or advisers are considered covered parties. Such selection standards should include consideration of the relationship with the third party and the extent to which the third party has access to MNPI.[38] Not all elements of the Enterprise's insider trading compliance program are anticipated to apply equally to all covered parties. The insider trading governing documents should also describe procedures for adding and removing covered parties from monitoring requirements based on changes in job responsibilities or access to MNPI.[39]

D.        Evaluating Quality of Risk Management and Assessing Residual Risk

An Enterprise's risk assessment processes should include risk-control self-assessments, key risk indicators, and key performance indicators.[40] An Enterprise's assessment of insider trading risk should include processes that evaluate the likelihood of noncompliance with insider trading obligations. The risk assessment and insider trading governing documents should also include processes for evaluating the effectiveness of controls in place to manage insider trading risk and to protect and prevent improper disclosure of MNPI,[41] and include processes for reviewing whether regulatory, legal, or other related compliance risk categories' residual risk levels align with risk appetite.[42]

III.       Controls

In addition to establishing an effective governance framework, comprehensive insider trading governing documents, and an effective risk identification and assessment system, an Enterprise's robust internal controls should also include identifying, managing, and reporting on insider trading-related controls.[43]

A.         Managing and Protecting MNPI

The insider trading governing documents and associated controls should be designed to ensure that MNPI is properly protected.[44] Covered parties should understand that they are responsible for treating confidential information that may be MNPI in accordance with the expectations in the Enterprise's insider trading governing documents. Covered parties are prohibited from disclosing MNPI to others (including other people within the Enterprise, family members, friends, or employees of a director's member institution, etc.) unless the person has a need to know the information for legitimate Enterprise-related reasons.

The development of information barriers is important to securing MNPI.[45] These barriers may include organizational, technological, and physical workspace separation of people with access to MNPI from people who do not need access.[46] Information barriers may also include processes such as watch lists, restricted lists, accompanying reviews of employee and proprietary trading, written procedures, and documentation of reviews.[47]

B.         Acknowledgments and Nondisclosure Agreements

The Enterprise should establish procedures to determine the need for covered parties to execute annual acknowledgements and nondisclosure agreements based upon the materiality of the relationship with the covered party and the extent to which that party has access to MNPI.

C.        Post-Employment Controls

The Enterprise should implement controls designed to ensure that all MNPI in the possession of a covered party will be returned to the Enterprise or destroyed at the termination of his or her relationship with the Enterprise. Covered parties should understand that if their employment or contract period with the Enterprise terminates at a time when they possess MNPI, they continue to be responsible for protecting that information and continue to be prohibited from disclosing or trading on that information until the information is disclosed to the public or until the information is no longer material. It is the covered party's obligation to determine whether these conditions are met.

D.        Training

Enterprise employees should be held accountable and be aware of their insider risk management roles and responsibilities.[48] An Enterprise should require all employees, board members, and third-party providers with access to MNPI to annually review or be trained on the relevant provisions of the insider trading governing documents and complete annual training covering key insider trading topics including conflicts of interest.

IV.       Internal Surveillance and Monitoring

Insider trading risk should be monitored regularly to identify changes or trends in exposures over time.[49] The insider trading governing documents should include procedures for:

Determining whether a covered party's trading and MNPI protection activities will be monitored, and if so how;

Automating processes for monitoring and scanning covered parties' brokerage accounts;

Ensuring that annual certifications and employment contracts address post-employment, post-contract trading and disclosures and prohibit improper disclosures and improper trading until MNPI is disclosed to the public or until the information is no longer material;

Evaluating whether a covered party's access to MNPI warrants oversight related to personal trade activity or other MNPI related restrictions;

Identifying and assessing business processes with heightened risk for illegal insider activity;

Investigating, tracking, and reporting possible illegal insider activity;

Detecting illegal insider activity if and when it occurs;

Evaluating and responding to illegal insider activity; and

Monitoring and independently testing business lines to determine overall adequacy and effectiveness of insider trading risk management.

V.        Disclosures and Reporting

A.         Internal Reporting

An effective compliance program should generate periodic internal disclosures, notifications, and reporting information on insider trading risk in a form that comports with the insider trading governing documents. The compliance officer's reports to the chief executive officer[50] and to the board[51] must address the adequacy of the Enterprise's compliance policies and procedures, including those related to insider trading.[52] The substance of such reporting should be relevant, accurate, complete, timely, consistent, and comprehensive, and should enable the execution of sound and informed risk management decisions.[53] Such reports should contain sufficient information to ensure effective oversight, escalation and timely resolution of insider trading noncompliance and control deficiencies.[54] These internal reports should be designed to ensure that the board and relevant committees are properly informed of the Enterprise's insider risk management activities[55] and the outcomes of such activities, including significant instances of noncompliance with insider trading obligations.[56]

The Enterprise's insider trading governing documents should address the Enterprise's obligation[57] to submit timely reports to FHFA, Financial Crimes Enforcement Network, SEC, and other applicable regulators when the Enterprise discovers or suspects possible insider trading, or other fraud related to the purchase or sale of any loan or financial instrument.[58]

Enterprise policies, standards and procedures should incorporate the reporting obligations and limitations set forth in Section 16 of the Exchange Act.[59] Section 16 establishes regulatory filing responsibilities of specified reporting insiders, such as Section 16 officers[60] and members of the board of directors.[61]

​Insider trading governing documents should also comply with applicable laws and regulations pertaining to the full and fair disclosure of information to the public.​[62]

Related Guidance and Regulations

12 CFR Part 1236, Appendix, Prudential Management and Operations Standards.

12 CFR Part 1239, Responsibilities of Boards of Directors, Corporate Practices, and Corporate Governance.

Enterprise Risk Management Program, Federal Housing Finance Agency Advisory Bulletin 2020-06, December 11, 2020.

Financial Reporting and Disclosure and External Audit, Federal Housing Finance Agency Advisory Bulletin 2020-04, August 20, 2020.

Compliance Risk Management, Federal Housing Finance Agency Advisory Bulletin 2019-05, October 3, 2019.

Enterprise Fraud Reporting, Federal Housing Finance Agency Advisory Bulletin 2019-04, September 18, 2019.

Business Resiliency Management, Federal Housing Finance Agency Advisory Bulletin 2019-01, May 7, 2019.

Oversight of Third-Party Provider Relationships, Federal Housing Finance Agency Advisory Bulletin 2018-08, September 28, 2018.

Information Security Management, Federal Housing Finance Agency Advisory Bulletin 2017-02, September 28, 2017.

Internal Audit Governance and Function, Federal Housing Finance Agency Advisory Bulletin 2016–05, October 7, 2016.

Data Management and Usage, Federal Housing Finance Agency Advisory Bulletin 2016-04, September 29, 2016.

Fraud Risk Management, Federal Housing Finance Agency Advisory Bulletin 2015-07, September 29, 2015.

Operational Risk Management, Federal Housing Finance Agency Advisory Bulletin 2014-02, February 18, 2014.

FHFA Enforcement Policy, Federal Housing Finance Agency Advisory Bulletin 2013-03, May 31, 2013.

_______________________________

​ [1] Common Securitization Solutions, LLC is an “affiliate" of both Fannie Mae and Freddie Mac, as defined in the Federal Housing Enterprises Financial Safety and Soundness Act of 1992, as amended. 12 U.S.C. § 4502(1), and this AB applies to it.

[2]See FHFA Advisory Bulletin 2019-01, Business Resiliency Management (May 7, 2019).

[3]See 17 CFR 243.100–243.103 (Regulation FD), 17 CFR 240.10b5–1 (Rule 10b5-1), and 17 CFR 240.10b5–2 (Rule 10b5-2).

[4]See 15 U.S.C. § 78c(a)(10) for definition of “security."

[5] Rule 10b5-1 plans are passive investment plans through which companies and corporate insiders relinquish direct control over transactions.

[6]See discussion in Section II.C. below.

[7] 15 U.S.C. § 78a et seq.

[8] Sections 10(b), 16 and 21A(b)(1) of the Exchange Act. See generally U.S. Securities and Exchange Commission: The Laws that Govern the Securities Industry. Retrieved from www.investor.gov/introduction-investing/investing-basics/role-sec/laws-govern-securities-industry.

[9] SEC: Rules and Regulations for the Securities and Exchange Commission and Major Securities Laws. Retrieved from www.sec.gov/about/laws/secrulesregs.htm.

[10]See SEC's Final Rule: Selective Disclosure and Insider Trading, 65 FR 51715, 51721 (August 24, 2000) (hereinafter Final Fair Disclosure Rule). See also 17 CFR 243.100–243.103 (Regulation FD), 17 CFR 240.10b5–1 (Rule 10b5-1), and 17 CFR 240.10b5–2 (Rule 10b5-2).

[11] Final Fair Disclosure Rule, footnote 38.

[12] Id., footnote 39.

[13] Id., footnote 40.

[14] 15 U.S.C. § 78u (identifying civil penalties for insider trading).

[15]See 17 CFR 240.10b-5.

[16] 18 U.S.C § 1348 (Jan. 14, 2019).

[17] 12 U.S.C. § 4642. See also 12 CFR 1233.3(a); FHFA Advisory Bulletin 2019-04: Enterprise Fraud Reporting (Sept. 18, 2019); and FHFA Advisory Bulletin 2015-07: Fraud Risk Management (Sept. 29, 2015).

[18]See FHFA Advisory Bulletin 2013-03, FHFA Enforcement Policy (May 31, 2013). See also FHFA Advisory Bulletin 2017–01, Classifications of Adverse Examination Findings (Mar. 13, 2017).

[19] For Fannie Mae, see Del. Code Ann. § 141(a) (2011). For Freddie Mac, see Va. Code Ann. § 13.1-690(A) (2012).

​[20] For the internal audit function, see also FHFA Advisory Bulletin 2016–05, Internal Audit Governance and Function (Oct. 7, 2016).

[21] PMOS, Standard 1, Principle 8.

[22]See FHFA Advisory Bulletin 2019-05, Compliance Risk Management (Oct. 3, 2019) (AB 2019-05). See also U.S. Department of Justice, Criminal Division, Evaluation of Corporate Compliance Programs (June 1, 2020), https://www.justice.gov/criminal-fraud/page/file/937501/download (DOJ Guidance on Compliance Programs).

​[23]See discussion in Section II.C. below.

[24] 12 CFR 1239.11(a). See also AB 2019-05.

[25] The Enterprise is required to establish and maintain a comprehensive risk management program in accordance with all applicable laws and regulations. See Corporate Governance Rule, 12 CFR Part 1239. See also FHFA Advisory Bulletin 2020-06, Enterprise Risk Management Program (Dec. 11, 2020) (AB 2020-06), AB 2019-05, and PMOS, Responsibilities of the Board of Directors and Senior Management: Principles 1, 4 – 7 and Standard 8, Principles 1 and 3.

[26] 12 CFR 1239.10.

[27] PMOS, Responsibilities of the Board of Directors and Senior Management: Principle 9. See also PMOS, Standard 1, Principles 3, 4, and 16.

[28]See Section 1, AB 2019-05, and AB 2020-06.

[29]See AB 2019-05. Additionally, the Sarbanes-Oxley Act protects corporate whistleblowers for providing information about insider trading, securities fraud, shareholder fraud, bank fraud, a violation of any SEC rule or regulation, mail fraud, or wire fraud. Seehttps://www.sec.gov/whistleblower/retaliation.

[30]See PMOS, Standard 1, Principles 2 and 16. See AB 2019-05, page 5.

[31]See 12 CFR 1239.3(a) and 12 CFR 1239.11(a)(3)(ii).

[32]See DOJ Guidance on Compliance Programs. The document is designed to assist “prosecutors in making informed decisions as to whether, and to what extent, the corporation's compliance program was effective at the time of the offense, and is effective at the time of a charging decision or resolution, for purposes of determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations)."

[33]See Sections 20(a) and 21A(b)(1) of the Exchange Act. See alsoGraham v. SEC, 222 F.3d 994, 1000 (D.C. Cir. 2000) (reviewing the elements of aiding and abetting liability).

[34] This AB addresses conflicts of interest arising from misuse of MNPI for personal benefit in securities transactions. This AB does not address supervisory expectations related to managing risks associated with other types of conflicts of interest, such as outside activities, political activities, and business courtesies.

[35]See AB 2019-05, Section 2, page 5.

[36]See FHFA Advisory Bulletin 2016-04, Data Management and Usage (Sept. 29, 2016) (AB 2016-04), page 1.

[37]See AB 2016-04, page 4. See also FHFA Advisory Bulletin 2017-02, Information Security Management (Sept. 28, 2017) (AB 2017-02), page 10.

[38]See FHFA Advisory Bulletin 2018-08, Oversight of Third-Party Provider Relationships (Sept. 28, 2018).

[39]See 15 U.S.C. § 78u-1(a)(1)(B).

[40]See FHFA Advisory Bulletin 2014-02, Operational Risk Management (Feb. 18, 2014) (ORM AB), page 3.

[41] PMOS, Standard 1, Principles 4 and 5. See also ORM AB, page 3.

[42] AB 2020-06, Sections I.A, B, and C.

[43] PMOS, Standard 1, Principle 10.

[44]See AB 2017-02.

[45] SEC defines “information barriers" as written policies and procedures reasonably designed to prevent misuse of MNPI in violation of the securities laws. See discussion in Section III.A. below. See generally SEC, Staff of the Office of Compliance Inspections and Examinations, Staff Summary Report on Examinations of Information Barriers (Sept. 27, 2012) (Information Barrier Summary Report), located at https://www.sec.gov/about/offices/ocie/informationbarriers.pdf.

[46] AB 2017-02.

[47] Information Barrier Summary Report, page 7.

[48]See 12 CFR 1239.11(a)(3) and PMOS, Standard 8.

[49] AB 2020-06, Section III.

[50] 12 CFR 1239.12.

[51] Ibid.

[52] Ibid. See also AB 2019-05.

[53]See 12 CFR 1239.11(c)(3)(ii) and AB 2016-04.

[54] ORM AB, page 5. See also AB 2016-04.

[55]See AB 2020-06 (“Systems and processes supporting risk and control reporting should align under a common data architecture to facilitate and support the Enterprise's risk aggregation and enterprise-wide reporting.")

[56] 12 CFR 1239.11(b), 12 CFR 1239.11(c)(3)(iv), and 1239.12.

[57] 12 U.S.C. § 4642.

[58]See 12 CFR 1233.3(a) and the guidelines in FHFA Advisory Bulletin 2019-04: Enterprise Fraud Reporting (Sept. 18, 2019). See also FHFA Advisory Bulletin 2020-04, Financial Reporting and Disclosure and External Audit (Aug. 20, 2020).

[59] Section 16 of the Securities and Exchange Act of 1934, specifies mandatory disclosure requirements for “[e]very person who is directly or indirectly the beneficial owner of more than 10 percent of any class of any equity security (other than an exempted security) which is registered pursuant to 12, or who is a director or an officer of the issuer of such security." Exchange Act. See also 17 CFR 240.16a-2 (Persons and transactions subject to Section 16 of the Exchange Act).

[60] Section 16 officers refers to officers of the Enterprise as defined by Rule 16a-1(f) under the Exchange Act.

[61]See SEC: Investor Bulletin Insider Transactions and Forms 3, 4, and 5. Retrieved at www.sec.gov/files/forms-3-4-5.pdf.

[62]See Final Fair Disclosure Rule.​