This advisory bulletin (AB) provides Federal Housing Finance Agency (FHFA) guidance for interest rate risk management at the Federal Home Loan Banks (Banks), Fannie Mae, and Freddie Mac (the Enterprises), collectively known as the regulated entities.  This guidance supersedes the Federal Housing Finance Board's advisory bulletin, Interest Rate Risk Management (AB 2004-05).  Interest rate risk management is a key component in the management of market risk.  These guidelines describe principles the regulated entities should follow to identify, measure, monitor, and control interest rate risk.  The AB is organized as follows:

I.   Governance

A. Responsibilities of the Board

B. Responsibilities of Senior Management

C. Risk Management Roles and Responsibilities

D. Policies and Procedures

II.   Interest Rate Risk Strategy, Limits, Mitigation, and Internal Controls

A. Limits

B. Interest Rate Risk Mitigation

C. Internal Controls

III. Risk Measurement System, Monitoring, and Reporting

A. Interest Rate Risk Measurement System

B. Scenario Analysis and Stress Testing

C. Monitoring and Reporting

Background

Interest rate risk is the risk that changes in interest rates may adversely affect financial condition and performance.  More specifically, interest rate risk is the sensitivity of cash flows, reported earnings, and economic value to changes in interest rates.  As interest rates change, expected cash flows to and from a regulated entity change.  The regulated entities may be exposed to changes in:  the level of interest rates; the slope and curvature of the yield curve; the volatilities of interest rates; and the spread relationships between assets, liabilities, and derivatives.  Interest rate risk may include repricing risk, basis risk, option risk, option-adjusted spread (OAS) risk, prepayment risk, and model risk.  Excessive interest rate risk can threaten liquidity, earnings, capital, and solvency. 

The regulated entities can manage interest rate risk with respect to economic value of equity, earnings, or both.  These approaches are complementary because they provide different types of relevant information, but each has limitations.  The economic value of equity represents the underlying net market value (or net present value) of a regulated entity's assets and liabilities, including any off-balance sheet items.  A common risk management objective is to keep the market value of equity from falling below pre-specified limits over a range of interest rate scenarios.  One limitation of this approach is that market value measures do not identify when future earnings problems may occur.  When the focus is on earnings, the risk management objective is to maintain earnings within an acceptable range over specified time horizons, which are generally short-term, ranging from one year to five years.  If the objective is to ensure that net income will remain within certain parameters during the given time period over a range of interest rate scenarios, management overlooks risks that exist beyond the forecast horizon.

FHFA's general standards for safe and sound operations are set forth in the Prudential Management and Operations Standards (PMOS) at 12 CFR Appendix to Part 1236, four of which are relevant to managing interest rate risk.  Standard 3 (Management of Market Risk Exposure) highlights the expectation for each regulated entity to have a clearly defined and well-documented strategy for managing market risk and establishes responsibilities for the board of directors or delegated board committee (board) and senior management.  Standard 4 (Management of Market Risk – Measurement Systems, Risk Limits, Stress Testing, and Monitoring and Reporting) includes guidelines for market risk management in these areas.  Standard 2 (Independence and Adequacy of Internal Audit Systems) and Standard 8 (Overall Risk Management Processes) include responsibilities for internal audit, the board, and senior management along with an independent risk management function.

Guidance

Each regulated entity's risk management practices should enable it to identify, measure, monitor, and control its interest rate risk exposures.  An effective interest rate risk management function includes appropriate management of risk exposure, policies and procedures, risk limits, internal controls, risk measurement systems, monitoring, and reporting.  A regulated entity should periodically review industry standards with regard to interest rate risk management.

I.       Governance

The board and senior management should ensure that the regulated entity has in place appropriate policies, procedures, and internal controls for managing and controlling the regulated entity's exposure to interest rate risk.  The board should oversee the adequacy of senior management's actions.  Senior management should also ensure the regulated entity's risk measurement, monitoring, and reporting systems are reliable and effective. 

A.     Responsibilities of the Board

The board should oversee the adequacy of actions taken by senior management to identify, measure, manage, control, and report on interest rate risk exposures.  The board should establish the regulated entity's tolerance for interest rate risk, approve major interest rate risk limits, and provide management with clear guidance regarding the level of acceptable interest rate risk.  The board should approve major strategies and policies relating to the management of interest rate risk.  The board should ensure such major strategies and policies are consistent with the regulated entity's overall business plan.

The board should review interest rate risk exposures on a periodic basis.  Reports provided to the board should include appropriate details to allow the board to remain sufficiently informed about the nature and level of the regulated entity's interest rate risk exposures in light of current market conditions, established risk limits, operating performance, and other relevant factors.  As a group, the board should have the requisite knowledge and background to assess the information provided and recommend further actions.

At least annually, or more frequently if there are significant changes in market or financial conditions, the board should review the interest rate risk management framework and major policies, limits, and internal controls.  The regulated entity's risk tolerance; management's compliance with risk limits; results of stress tests; the level of the regulated entity's capital; and the effectiveness of the risk management framework, measurement systems, and reporting systems should inform the board's review of the risk limits.  The board should document any changes to board-approved interest rate risk limits in its minutes.  The board should also ensure that management takes appropriate corrective measures when interest rate risk limit breaches occur.   

B.     Responsibilities of Senior Management

Senior management implements board-approved strategies and policies relating to the management of interest rate risk.  Senior management should ensure interest rate risk policies and procedures are clearly written, sufficiently detailed, adhered to, periodically reviewed, and should recommend updates for board approval, as appropriate.  Senior management should ensure adequate organizational structure, systems, and resources are available to manage and control interest rate risk, and that personnel are appropriately trained and competent.

Senior management should periodically review and discuss with the board information regarding the nature and level of the regulated entity's interest rate risk exposures.  Senior management should inform the board of how changing market conditions could affect interest rate risk exposure.  The discussions should be sufficient in detail and timeliness to permit the board to understand and assess the management and control of the regulated entity's interest rate risk exposures.  Senior management should report interest rate risk limit breaches to the board and identify appropriate remedial actions.  Senior management should make the board aware of the advantages and disadvantages of the regulated entity's chosen interest rate risk management strategy and alternative strategies. 

C.     Risk Management Roles and Responsibilities

Policies and procedures should delineate the roles and responsibilities of persons assigned to measure, manage and control interest rate risk so they operate with sufficient independence from the business units, as applicable.   

Business units encounter interest rate risk on a daily basis and should follow policies and procedures when taking steps to manage and maintain interest rate risk within approved limits.  Senior management, through an asset and liability management (or similar) committee, is responsible for managing and controlling interest rate risk.

The risk management function, or unit, is responsible for interest rate risk measurement, risk monitoring, and independent oversight, including the establishment and enforcement of board-approved interest rate risk limits.  It should also be responsible for ensuring that the business units have effective processes in place to identify, assess, monitor, and report on key interest rate risks. The chief risk officer must report regularly to the risk committee and to the chief executive officer.[1])

Internal audit should conduct periodic evaluations of internal controls around interest rate risk management.  Internal audit should conduct risk-based audits of the regulated entity's interest rate risk management and determine whether management promptly addresses findings or weaknesses regarding interest rate risk management.  Internal audit should review adherence to interest rate risk management policies and procedures.

D.    Policies and Procedures

A regulated entity should have interest rate risk management policies and procedures appropriate for its risk profile.  This includes being clearly written, sufficiently detailed, formally approved at the appropriate level, and, as applicable, periodically reviewed by the board and senior management.  Approved policies and procedures should include defined interest rate risk limits and assign lines of authority and responsibility for managing interest rate risk.  Procedures should exist for monitoring compliance with limits and to follow up on instances of noncompliance or breaches.    

Management should ensure that policies and procedures to identify and manage inherent risks are sufficient before undertaking new products, offerings, or activities. 

The regulated entity should also have policies and procedures for any management, ad hoc, or “on top" adjustments to model-generated interest rate risk metrics, and provide clear instructions on needed approvals and documentation requirements.  The documentation should explain the adjustment and the reason it is necessary as well as how long it will be required.  The regulated entity's enterprise risk management or another authorized management risk committee should be made aware of, and approve, any major management, ad hoc, or “on top" adjustments to interest rate risk metrics.

II.       Interest Rate Risk Strategy, Limits, Mitigation, and Internal Controls

A regulated entity should have a clearly defined and well-documented strategy for managing and mitigating interest rate risk, consistent with its overall business plan.  The regulated entity should identify, manage, monitor, and control interest rate risk exposures on a business unit and an enterprise-wide basis.

It is incumbent on the regulated entity to understand the adopted strategy's impact on financial condition, whether the objective is to control risk to economic value of equity, earnings, some other target, or a combination thereof.  Overemphasis on one approach may not be optimal and may lead to problems over time.  For example, meaningful declines in the market value of equity to the book value of equity ratio, prospective earnings, or related indicators may signal interest rate risk management weaknesses, even if these declines occur within the context of low reported risk and compliance with approved policies and limits.

A.     Limits

A regulated entity should establish an interest rate risk framework that includes interest rate risk metrics, a comprehensive set of board-approved interest rate risk limits, and management threshold levels, set below board limits, to serve as warning triggers and initiate discussion regarding risk levels.  The risk limits should be consistent with the regulated entity's risk profile, profitability objectives, and liquidity and capital needs.  Limits should not be set so far above actual risk exposures that they are meaningless or have no effect on risk taking behavior.  The regulated entity should also maintain a record of all limit breaches.

Different metrics used for setting interest rate risk limits may include, as applicable:  duration of equity, convexity of equity, volatility duration, market value sensitivity to yield curve parallel moves and twists, key-rate duration, maturity gap of assets and liabilities, prepayment duration, spread duration, market value of equity to par value of capital stock, market value of equity to book value of equity, retained earnings, net interest income sensitivity, and Value at Risk.  A regulated entity should understand the advantages and disadvantages of the interest rate risk limits framework it has chosen to utilize.

B.     Interest Rate Risk Mitigation

A regulated entity should mitigate interest rate risk to keep risks within approved levels and should be able to identify problems that occur even when risks are within approved levels.  For example, a regulated entity should be able to recognize significant accumulating losses from interest rate risk, explain the causes of losses, and manage risk exposure at some point even if the regulated entity is in compliance with approved strategy, policies, and limits. 

A regulated entity can mitigate interest rate risk through a variety of strategies including: matched funding, funding with debt having embedded options, hedging using derivatives, and building retained earnings.  Matched funding allows a regulated entity to match the maturity of its assets and liabilities.  Funding with debt having embedded options could allow regulated entities to mitigate exposures of assets with explicit and implicit options such as mortgages.  Hedging using derivatives allows the regulated entity to mitigate interest rate risk by changing its cash flows and economic exposure stemming from certain changes in interest rates.  Building retained earnings allows the regulated entity to have a larger capital base to absorb the impact of an adverse interest rate change.  Having a robust net interest income stream also allows a regulated entity to absorb the effects of adverse interest rate movements.

C.     Internal Controls

A regulated entity should have sufficient internal controls around interest rate risk management.  The internal control process should aim to ensure effective and efficient management of interest rate risk; reliable measurement of interest rate risk; reliable reporting and communication of interest rate risk; and compliance with applicable statutes, regulations, and policies governing interest rate risk.  Additionally, internal controls should support periodic reviews and evaluations of policies and procedures as well as the accuracy and reliability of risk measurement systems.

A regulated entity should monitor the adequacy and effectiveness of its internal controls and information systems on an ongoing basis through a formal self-assessment process.  Business units, enterprise risk management, and internal audit should conduct periodic evaluations of internal controls for interest rate risk management.  

III.       Risk Measurement System, Monitoring, and Reporting

The regulated entities should choose which method(s) to use to measure interest rate risk.  Methods may include: Duration Analysis, Earnings Simulation Analysis, Earnings at Risk, Capital at Risk, Value at Risk, Economic Value of Equity, or other methods.  Generally, a regulated entity would measure interest rate risk by valuing its assets, liabilities, derivatives, and off-balance sheet exposures in different interest rate environments.  A regulated entity should understand the advantages and disadvantages of its chosen interest rate risk measurement method(s).

A.     Interest Rate Risk Measurement System

A regulated entity should have an interest rate risk measurement system (i.e., a model or set of models) that captures all material sources of interest rate risk, including repricing risk, yield curve risk, basis risk, prepayment risk, and option risk.  The sophistication of the risk measurement system should be commensurate with the complexity of the financial instruments held by the regulated entity.  The risk measurement system should also provide meaningful and timely measures of the regulated entity's risk exposures and use generally accepted financial concepts, valuation methodologies, and risk measurement techniques.  

The risk measurement system should be capable of valuing all of the regulated entity's assets and liabilities, including off-balance sheet positions and derivatives, and estimating the effect of changes in interest rates and other key risk factors on the regulated entity's earnings and market value of equity over a range of scenarios.  A regulated entity should properly document and bring to management's attention instances where the risk measurement system cannot reliably value an instrument or requires a model workaround.  Any management, ad hoc, or “on top" adjustments to model output should be made according to approved procedures.  The measurement system should use directly or indirectly observed market prices for its estimates of market values where feasible.  A regulated entity should test new products to verify the risk measurement system can properly measure the exposure of the new product. 

Periodically, enterprise risk management or another authorized management risk committee should review the interest rate risk measurement system for accuracy and reliability, including comparison to actual portfolio behaviors when feasible.  Management should ensure the integrity and timeliness of the data inputs used to measure interest rate risk exposures and that assumptions and parameters are reasonable and properly documented.  Management should also understand strengths and weaknesses of the model(s) used, including sensitivity to changes in key assumptions.  

B.     Scenario Analysis and Stress Testing

A regulated entity should routinely conduct scenario analysis as a part of interest rate risk management as it relates to market value measures and net income measures.  Scenarios should include increasing and decreasing parallel and nonparallel interest rate shocks of varying magnitudes as well as an instantaneous and gradual steepening and flattening of the yield curve.  The regulated entity should also consider changes in prepayment speeds for mortgage-related instruments, volatility for securities impacted by interest rate volatility, and relevant interest rate spreads for different securities.  The scenarios should identify the main exposures within a regulated entity's interest rate risk profile.  A regulated entity could perform analysis to identify which assumptions or inputs cause the largest impact.

A regulated entity should perform periodic stress testing of interest rate risk management positions.  The stress scenarios should include interest rate shocks and shifts in the economic environment that are of a magnitude such that it tests the effectiveness of the interest rate risk management of the regulated entity.  These stress scenarios should vary over time.  The regulated entity should include scenarios conducted for its annual strategic business plan or annual stress testing as applicable.

The regulated entity should give special consideration to financial instruments or markets where it has significant concentrations, financial instruments in which a regulated entity's position may be more difficult to unwind or hedge during periods of market stress, and complex financial instruments with embedded options that may be more difficult to evaluate in stressful scenarios.

If management or the board finds the results from the scenario analysis or stress testing unacceptable, management should determine a course of action and may need to modify, rebalance, or hedge so that performance would be acceptable under the identified scenarios.  The board and senior management should periodically review the design of the stress tests to ensure that they capture conditions where the regulated entity is most vulnerable.

C.     Monitoring and Reporting

A regulated entity should routinely monitor and report interest rate risk exposures using scenario analysis to business unit managers, senior management, and the board at a level appropriate for each.  The interest rate risk reports should be accurate, informative, and timely.  The reports should show adherence to approved interest rate risk policies and limits and any exceptions or breaches of limits and policies. The reports should identify and explain limit breaches.

The interest rate risk reports should reflect and show trends in measures used to evaluate interest rate risk management objectives.  Reports should show the market value of the regulated entity's assets, liabilities, and off-balance sheet exposures, including derivatives, under a range of scenarios.  With respect to earnings, reports should show net income over a specified time horizon under various scenarios.  Reports should also include backtesting results to compare past forecasts, or risk estimates, with actual results.   

Interest rate risk reports should identify any changes to risk models and model assumptions, describe the rationale for the changes, and analyze their impact on risk measures and risk limits.  Interest rate risk reports should also note any management, ad hoc, or “on top" adjustments to interest rate risk models, the reason for the adjustment, and the start and expected end date for the use of the adjustment. 

Related Guidance

Model Risk Management Guidance, Federal Housing Finance Agency, Advisory Bulletin AB-2013-07, November 20, 2013.

Internal Audit Governance and Function, Federal Housing Finance Agency, Advisory Bulletin AB-2016-05, October 7, 2016.

Appendix to 12 CFR Part 1236 - Prudential Management and Operating Standards. 

12 CFR Part 1239 – Responsibilities of Board of Directors, Corporate Practices, and Corporate Governance. 

________________________

[1] 12 CFR 1239.11(c)(5)