Federal Housing Finance Agency Print

Get Started Here:

Advisory Bulletins

 Advisory Bulletins

 

 

AB 2023-06: FHLBank Framework for Pilot and Voluntary Programs44435FHL Banks11/9/2023 5:00:00 AMAB 2023-06<table width="100%" class="ms-rteTable-default" cellspacing="0" style="margin&#58;0px;padding&#58;0px;line-height&#58;inherit;font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;vertical-align&#58;baseline;table-layout&#58;fixed;border-spacing&#58;0px;font-stretch&#58;inherit;background-color&#58;#ffffff;"><tbody style="font&#58;inherit;margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;vertical-align&#58;baseline;"><tr style="font&#58;inherit;margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;vertical-align&#58;baseline;"><td class="ms-rteTable-default" style="font&#58;inherit;margin&#58;0px;width&#58;776px;"><p style="padding&#58;0px;border&#58;0px currentcolor;line-height&#58;22px;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;color&#58;#404040 !important;"> <span style="margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;line-height&#58;inherit;font-family&#58;inherit;font-size&#58;inherit;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;font-weight&#58;700 !important;">​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​ADVISORY BULLETIN​</span></p><p style="padding&#58;0px;border&#58;0px currentcolor;line-height&#58;22px;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;color&#58;#404040 !important;"> <span style="margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;line-height&#58;inherit;font-family&#58;inherit;font-size&#58;inherit;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;font-weight&#58;700 !important;">AB 2023-06​&#58;&#160; FHLBank Framework for Pilot and Voluntary Programs</span></p><p style="padding&#58;0px;border&#58;0px currentcolor;line-height&#58;22px;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;color&#58;#404040 !important;"> <span style="margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;line-height&#58;inherit;font-family&#58;inherit;font-size&#58;inherit;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;font-weight&#58;700 !important;"><a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/AB-2023-06_FHLBank-Framework-for-Pilot-and-Voluntary-Programs.pdf">[view&#160;PDF of Advisory&#160;Bulletin 2023-06​]</a>&#160; &#160;</span>​<br></p></td></tr></tbody></table> ​ <h1 style="padding-top&#58;0px;"> <span style="text-decoration&#58;underline;"><em><strong>Purpose</strong></em></span></h1><p style="padding-top&#58;8px !important;">​This Advisory Bulletin (AB) provides Federal Housing Finance Agency (FHFA) guidance to the Federal Home Loan Banks (FHLBanks) about FHFA’s expectation that each FHLBank’s board of directors establish a framework that sets specific prudential parameters and operational standards for the FHLBank’s development and implementation of, and reporting on, pilot programs and voluntary programs. Each FHLBank’s board should adopt its pilot and voluntary program framework as soon as practicable, but no later than March 29, 2024.</p><h1> <span style="text-decoration&#58;underline;"> <em> <strong>Backgr​ound</strong></em></span></h1><p style="padding-top&#58;8px !important;">During the public input phases of the “FHLBank System at 100&#58; Focusing on the Future” initiative, FHFA heard from stakeholders and other interested parties that the FHLBanks are effectively achieving one component of their mission by providing their members and housing associates a source of stable and reliable liquidity. FHFA also heard from stakeholders that the FHLBanks should do more to support the affordable housing and community development components of their mission, especially in addressing needs of underserved or financially vulnerable populations.</p><p>Based on this input, FHFA believes that the FHLBanks should develop innovative pilot programs, and offer voluntary programs, to increase prudently their support for affordable housing, equity advancement, and community development for underserved and financially vulnerable populations in their districts and other initiatives, including through the FHLBanks’ core business activities. Pilot programs or voluntary programs could be designed, for example, to support increases in the supply of affordable single-family and multifamily housing, help close racial homeownership gaps, address residential climate resiliency improvements, or address other needs.</p><p>A pilot program or voluntary program must be permissible under applicable statutory, regulatory, or other legal authorities, and may not be used to circumvent existing statutory or regulatory requirements or FHFA guidance. Pilot programs generally would be new FHLBank business activities implemented with a small size and defined time frame and with the expectation that, after a given period, careful analysis of the benefits and drawbacks will be conducted and considered. One intent of a pilot program is to “test and learn,” with some pilot programs being converted to more permanent and larger scale implementation, and others ending because they did not meet their objectives, or because the FHLBank identified alternative means of meeting the same objectives. Products, programs, and services implemented under established FHFA statutory and regulatory authorities<a href="#Ftn1" class="super-script">1</a> would not be considered pilot programs.</p><p>Voluntary programs generally serve to supplement the FHLBanks’ statutory and regulatory programs, and have included grants, down payment assistance programs, and special purpose credit programs.</p><h1> <span style="text-decoration&#58;underline;"><em><strong>Guidanc​​e​</strong></em></span></h1><p style="text-decoration&#58;underline;padding-top&#58;6px !important;font-size&#58;14px !important;">Framework</p><p>FHFA expects each FHLBank’s board of directors to establish a framework that sets specific prudential parameters and operational standards for the FHLBank’s development and implementation of, and reporting on, pilot programs and voluntary programs. The framework should be adopted as soon as practicable, but no later than March 29, 2024. The framework will apply prospectively to new pilot programs and voluntary programs offered after adoption of the framework. The framework should, at a minimum, include the following&#58;</p><p> <em>Needs Assessment.</em>&#160;&#160;An FHLBank should identify the needs that could be addressed through a pilot program or voluntary program, for example, specific unmet affordable housing, equity, and/or community development needs of underserved or financially vulnerable populations in its district. The FHLBank should leverage the needs assessment conducted in preparing its Targeted Community Lending Plan<a href="#Ftn2" class="super-script">2</a>​ in identifying unmet affordable housing, equity, and community development needs, and other planning activities in identifying other unmet needs.</p><p> <em>Board-established Prudential Parameters.</em>&#160;&#160;Safe and sound operations are of paramount importance when FHLBanks consider the structural approach to developing, implementing, and reporting on new pilot and voluntary programs, products, or services. Therefore, when establishing a program framework, an FHLBank’s board should establish specific internal prudential parameters for the FHLBank’s development and implementation of, and reporting on, the programs. Prudential parameters to limit the FHLBank’s risk exposure to a pilot program should include, but are not limited to, the establishment of a (1) small dollar volume cap, and (2) specific sunset date. When establishing a prudential limit for a voluntary program, the FHLBank’s board should consider, at a minimum, a dollar volume cap.</p><p> <em>Board-established Operating Standards.</em>&#160;&#160;An FHLBank’s board should set specific internal operating standards, including directing FHLBank management to&#58; </p><ul class="FHFA-List"><li>Obtain a w​ritten legal opinion of counsel that a pilot program or voluntary program is permissible under applicable statutory, regulatory, or other legal authorities.<br></li><li>Identify the goals of the pilot program or voluntary program and how the FHLBank will assess outcomes. Evaluate and document the FHLBank’s potential risk exposure from the program. Identify what factors, if any, may trigger early termination of a pilot program or voluntary program.</li><li>Evaluate FHLBank resource needs for implementing a pilot program or voluntary program, including staff, technology, marketing, and outreach.</li><li>Receive approval from the board prior to the FHLBank offering a pilot program or voluntary program. Provide the board with periodic or milestone reviews and updates on a program, including a discussion of the prudential parameters and related risks. For pilot programs, as the sunset date approaches, management should provide the board with a written management assessment, recommendations for any next steps, and the rationale for those recommendations (including whether management believes converting a pilot program to a permanent program requires the submission of a notice to FHFA under the New Business Activity regulation).</li><li>Develop a policy addressing the types of information that will be posted on the FHLBank’s public website regarding a pilot program or voluntary program, such as the goals and a description of the offered program.</li></ul>​ <p>This AB does not apply to routine charitable contributions and sponsorships below a reasonable threshold established by the FHLBank’s board.​​​</p><p style="text-decoration&#58;underline;font-size&#58;14px !important;padding-top&#58;12px !important;">FHFA​ Supervision of Pilot Pr​ograms and Voluntary Programs</p><p> <em>Submission of Adopted Framework to FHFA&#58;</em>&#160;&#160;Each FHLBank’s board should submit its framework to FHFA’s Deputy Director of the Division of FHLBank Regulation (DBR) within 30 days of approval by the board. An FHLBank need not await FHFA approval or non-objection before implementing the framework.</p><p> <em>Notification to FHFA Prior to Offering Program&#58;</em>&#160;&#160;An FHLBank should notify the DBR Deputy Director in writing prior to offering a pilot program or voluntary program. For Special Purpose Credit Programs, an FHLBank should notify the DHMG Deputy Director concurrently with the notification to the DBR Deputy Director. The notification should include, at a minimum, a description of the program, the goal(s) of the program, its dollar volume, its sunset date (if a pilot), confirmation of board approval of the implementation of the program, and a copy of the written legal opinion of counsel. An FHLBank need not await FHFA approval or non-objection before offering the pilot program or voluntary program.</p><p> <em>Notification to FHFA at Conclusion of Pilot Program&#58;</em>&#160; An FHLBank should also notify the DBR Deputy Director in writing at the conclusion of a pilot program. At the conclusion of Special Purpose Credit Programs, an FHLBank should notify the DHMG Deputy Director concurrently with the notification to the DBR Deputy Director. The notification should include, at a minimum&#58; the written management assessment of the effectiveness of the pilot program that addresses the extent to which the pilot program met its goals; and management’s recommendations for any next steps and the rationale for those recommendations (including whether converting a pilot program to a permanent program requires the submission of a notice to FHFA under the New Business Activity regulation).</p><p>​ <em>Assessment of Frameworks and Programs&#58;</em>&#160; As part of its regular supervisory process, FHFA will assess FHLBank pilot and voluntary program frameworks and individual pilot programs and voluntary programs in the context of risk management and safety and soundness principles, including governance practices.</p><p style="text-decoration&#58;underline;font-size&#58;14px !important;padding-top&#58;12px !important;">New Busine​ss Activit​y Regulation</p><p style="margin-bottom&#58;10px !important;">FHFA’s New Business Activity Regulation defines a new business activity as “any business activity undertaken, transacted, conducted, or engaged in by [an FHLBank] that entails material risk not previously managed by the [FHLBank].”<a href="#Ftn3" class="super-script">3</a> The preamble to the New Business Activity Regulation states, “[w]ith respect to new activities that the [FHLBanks] commence after determining that they do not present new material risks, FHFA will assess the risks associated with those activities as part of its regulatory supervisory process, including examinations.”<a href="#Ftn4" class="super-script">4</a> Pilot programs and voluntary programs typically should not present a material risk to an FHLBank. However, there may be cases where specific pilot programs or voluntary programs may present material risks, in which case they would be subject to the requirements of the New Business Activity Regulation. An FHLBank should not use pilot programs or voluntary programs to circumvent the requirements for activities that would be subject to FHFA review pursuant to the New Business Activities Regulation.</p> ​​<hr />​​ <p class="Footnote"> <a name="Ftn1" class="super-script">1</a> For example, AHP programs under 12 CFR part 1291, CICA programs under 12 CFR part 1292, and advance products under 12 CFR part 1266.</p><p class="Footnote"> <a name="Ftn2" class="super-script">2&#160;</a><em>See</em> 12 CFR 1290.6(a)(5).</p><p class="Footnote"> <a name="Ftn3" class="super-script">3&#160;</a><em>See</em> 12 CFR 1272.1.</p><p class="Footnote"> <a name="Ftn4" class="super-script">4&#160;</a><em>See</em> 81 Fed. Reg. 91693 (Dec. 19, 2016).</p><div class="BulletinBox"> FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory Bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. Questions about this Advisory Bulletin should be directed to <a href="mailto&#58;SupervisionPolicy@FHFA.gov">SupervisionPolicy@FHFA.gov​</a>.​</div> <br>​<br>11/9/2023 4:00:30 PMHome / Supervision & Regulation / Advisory Bulletins / AB 2023-06: FHLBank Framework for Pilot and Voluntary Programs Advisory Bulletin [view PDF of Advisory Bulletin 2023-06 3936https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
AB 2023-03: FHLBank Changes to Internal Market Risk Models39756FHL Banks4/17/2023 4:00:00 AMAB 2023-03<table width="100%" class="ms-rteTable-default" cellspacing="0" style="margin&#58;0px;padding&#58;0px;line-height&#58;inherit;font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;vertical-align&#58;baseline;table-layout&#58;fixed;border-spacing&#58;0px;font-stretch&#58;inherit;background-color&#58;#ffffff;"><tbody style="font&#58;inherit;margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;vertical-align&#58;baseline;"><tr style="font&#58;inherit;margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;vertical-align&#58;baseline;"><td class="ms-rteTable-default" style="font&#58;inherit;margin&#58;0px;width&#58;776px;"><p style="padding&#58;0px;border&#58;0px currentcolor;line-height&#58;22px;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;color&#58;#404040 !important;"> <span style="margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;line-height&#58;inherit;font-family&#58;inherit;font-size&#58;inherit;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;font-weight&#58;700 !important;">​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​ADVISORY BULLETIN​</span></p><p style="padding&#58;0px;border&#58;0px currentcolor;line-height&#58;22px;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;color&#58;#404040 !important;"> <span style="margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;line-height&#58;inherit;font-family&#58;inherit;font-size&#58;inherit;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;font-weight&#58;700 !important;">AB 2023-03&#58;&#160; FHLBank Changes to Internal Market Risk Models​​</span></p><p style="padding&#58;0px;border&#58;0px currentcolor;line-height&#58;22px;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;color&#58;#404040 !important;"> <span style="margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;line-height&#58;inherit;font-family&#58;inherit;font-size&#58;inherit;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;font-weight&#58;700 !important;"> <a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/AB-2023-03_FHLBank-Changes-to-Internal-Market-Risk-Models.pdf">[view&#160;PDF of Advisory&#160;Bulletin 2023-03]</a>&#160; &#160;</span>​<br></p></td></tr></tbody></table><p style="padding-bottom&#58;0px;margin-bottom&#58;0px;padding-top&#58;12px !important;"> <strong>This Advisory Bulletin (AB-2023-03) applies only to the Federal Home Loan Banks.​</strong></p><h1 style="padding-top&#58;0px;"> <span style="text-decoration&#58;underline;"> <em> <strong>Purpose</strong></em></span></h1><p>This Advisory Bulletin updates previous guidance on how a Federal Home Loan Bank (FHLBank) should obtain approval to implement significant changes to a previously approved internal market risk model after proper notification to the Federal Housing Finance Agency (FHFA).<a href="#Ftn1" class="super-script">1</a> This Advisory Bulletin describes the procedures and documentation for the notification process.</p><p>This Advisory Bulletin rescinds AB 2016-02, <em>FHLBank Changes to Internal Market Risk Models</em>.<a href="#Ftn2" class="super-script">2</a><br></p><h1> <span style="text-decoration&#58;underline;"> <em> <strong>Background</strong></em></span></h1><p style="padding-top&#58;8px !important;"> Each FHLBank received approval of an internal market risk model used to calculate the market risk component of risk-based capital prior to implementing its capital plan pursuant to the predecessor provision to current 12 CFR 1277.5.<a href="#Ftn3" class="super-script">3</a>&#160;&#160;Further, 12 CFR 1277.5(d) states&#58; </p><p style="padding-bottom&#58;0px;margin-bottom&#58;0px;padding-left&#58;40px !important;">Each Bank shall obtain FHFA approval of an internal market risk model …, including subsequent material adjustments to the model made by the Bank, prior to use of any model. Each Bank shall make such adjustments to its model as may be directed by FHFA.</p> ​ <p style="margin-top&#58;0px;padding-top&#58;0px !important;">This provision does not establish a specific process to follow for obtaining approval of “subsequent material adjustments.” In the absence of specific procedures in a regulation for obtaining a required approval, 12 CFR 1211.3 establishes a general approval process for the FHLBanks and FHFA to follow. Section 1211.3 authorizes the Deputy Director for Federal Home Loan Bank Regulation (DBR) or his/her designee to grant approvals for any matters requiring approval under FHFA regulations, and specifically authorizes the Deputy Director, or his/her designee, to “prescribe additional or alternative procedures for any application for approval of any transaction, activity, or item.” Section 1211.3, including the authority to prescribe additional or alternative procedures for seeking approval, is substantially similar to a Federal Housing Finance Board (Finance Board) rule which FHFA adopted as its own subject to certain conforming modifications in 2014.<a href="#Ftn4" class="super-script">4</a></p><p>In 2004, the Finance Board issued Regulatory Interpretation 2004-RI-01, which addressed the predecessor provision to the current FHFA rule. Because the prior rule had allowed the Finance Board to prescribe alternate processes for a required approval, the Regulatory Interpretation permitted an FHLBank to implement reported changes to its internal market risk model immediately after filing a notice with the Finance Board, absent a Finance Board objection. In particular, the Regulatory Interpretation noted that the process did not affect the Finance Board’s authority under the predecessor provision to 12 CFR 1277.5(d) to direct an FHLBank to reverse any change made to the model or to make other changes to the model. As a result, the Regulatory Interpretation stated that using a notification process to fulfill the prior approval requirements set forth in that regulatory provision represented “a change in process rather than a change in the substance of . . . supervisory oversight.” Given that Regulatory Interpretation 2004-RI-01 addressed a provision that FHFA substantively carried over from the Finance Board rules into section 1211.3, these conclusions also apply to FHFA’s authority under current rules.</p><p>The specific procedures described in Regulatory Interpretation 2004-RI-01 as later modified by Advisory Bulletin AB 2016-02 govern the process under which FHLBanks fulfill the regulatory requirement that they obtain approval of significant changes to a previously approved internal market risk model. This Advisory Bulletin retains the substance of AB 2016-02, but includes updated regulatory references and some minor clarifications.<a href="#Ftn5" class="super-script">5</a>&#160; It does not represent a change in FHFA’s supervisory oversight. FHFA staff will continue to review an FHLBank’s internal risk model during regularly scheduled examinations and may undertake a special review if circumstances warrant. FHFA also retains the authority to require model changes under 12 CFR 1277.5(d) if it deems such changes necessary.</p><h1> <span style="text-decoration&#58;underline;"> <em> <strong>Guidance</strong></em></span></h1><p style="padding-top&#58;6px !important;">An FHLBank may implement a significant model change to a previously approved internal market risk model after proper notification to FHFA.<a href="#Ftn6" class="super-script">6</a>&#160;&#160;All model change notifications should be signed by an FHLBank officer and sent to the Manager, Market Risk Modeling Branch, FHFA Division of Bank Regulation, copying the Examiner-in-Charge (EIC). An FHLBank may choose one of two options described below when notifying FHFA of a significant model change.​<br></p><p>​Under the first option, an FHLBank may implement a significant model change that does not involve replacing its existing market risk model, absent a specific objection from FHFA, immediately upon notification to FHFA, provided that the FHLBank meets each of the following conditions&#58;</p><ol><li style="padding-left&#58;7px;line-height&#58;1.4;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif !important;">The FHLBank’s most recent Report of Examination (ROE) composite and Sensitivity to Market Risk ratings were a 1 or 2;</li><li style="padding-left&#58;7px;line-height&#58;1.4;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif !important;">The FHLBank’s most recent examination resulted in no Matters Requiring Attention (MRA) or violations pertaining to the FHLBank’s market risk modeling;</li><li style="padding-left&#58;7px;line-height&#58;1.4;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif !important;">The proposed model change does not decrease the FHLBank’s estimated market risk capital requirement<a href="#Ftn7" class="super-script">7</a> by more than 10 percent relative to the existing approved model; and</li><li style="padding-left&#58;7px;line-height&#58;1.4;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif !important;">The FHLBank provides appropriate documentation described below&#58; <ul style="list-style-type&#58;lower-alpha;"><li style="padding-left&#58;7px;padding-bottom&#58;0px;margin-bottom&#58;0px;line-height&#58;1.4;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif !important;">Assumption Template (see <a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/Modeling%20Assumptions%20Template.xls">Modeling Assumptions Template</a> attachment);</li><li style="padding-left&#58;7px;padding-top&#58;0px;margin-top&#58;0px;padding-bottom&#58;0px;margin-bottom&#58;0px;line-height&#58;1.4;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif !important;">Writte​n description of the model change indicating why the model change is an improvement over the current production model, and its effect on the FHLBank’s market risk metrics, including but not limited to market value sensitivity to parallel and nonparallel interest rate shocks, duration of equity, convexity, key rate duration, constant prepayment rate (CPR), and market risk capital requirement for at least two time periods no less frequently than monthly; and</li><li style="padding-left&#58;7px;padding-top&#58;0px;margin-top&#58;0px;padding-bottom&#58;0px;margin-bottom&#58;0px;line-height&#58;1.4;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif !important;">​​​Certification that the proposed model change meets the FHLBank’s Information Technology signoff requirements (e.g., change control procedures) and copies of other required signoff approvals.</li></ul></li></ol>​ <p>FHFA will acknowledge receipt of an FHLBank’s proposed model change notification. If FHFA objects to a specific model change or does not believe the FHLBank meets the conditions described above, it will inform the FHLBank of the reasons for its objection or for believing the FHLBank does not qualify to implement the model change immediately upon notification.</p><p>Under the second option, an FHLBank seeking to replace its existing market risk model, or an FHLBank not meeting the conditions to implement a model change immediately upon notification, must obtain FHFA approval prior to implementing any material change to its market risk model. Under the second option, an FHLBank should provide the following documentation as part of its submission to FHFA&#58;</p><ol><li style="padding-left&#58;7px;line-height&#58;1.4;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif !important;">Assumptions Template (see <a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/Modeling%20Assumptions%20Template.xls">Modeling Assumptions Template</a>​ attachment);</li><li style="padding-left&#58;7px;line-height&#58;1.4;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif !important;">Written description of the model change indicating why the model change is an improvement over the current production model, and its effect on the FHLBank’s market risk metrics, including, but not limited to, market value sensitivity to parallel and nonparallel interest rate shocks, duration of equity, convexity, key rate duration, CPR, and market risk capital requirement; </li><li style="padding-left&#58;7px;line-height&#58;1.4;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif !important;">Detailed instrument and sub-portfolio level results of parallel model runs and any other relevant testing the FHLBank performed. The FHLBank should submit parallel testing for at least two time periods no less frequently than monthly along with any internal analysis;</li><li style="padding-left&#58;7px;line-height&#58;1.4;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif !important;">Any spreadsheets used to prepare input data for the model if these are affected by the proposed model change; and</li><li style="padding-left&#58;7px;line-height&#58;1.4;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif !important;">​Certification that the proposed model change meets the FHLBank’s Information Technology signoff requirements (e.g., change control procedures) and copies of other required signoff approvals.</li></ol><p>Upon receipt of the notification, FHFA will determine whether an FHLBank’s submitted documentation is complete within 30 calendar days and will advise the FHLBank in writing whether additional documentation is needed. Once documentation is complete, FHFA will provide an approval or objection to the model change within 30 calendar days.<a href="#Ftn8" class="super-script">8</a> ​<br></p><hr />​​ <p style="font-size&#58;0.9em !important;line-height&#58;1.3em !important;"> <a name="Ftn1" class="super-script">[1]</a> ​An FHLBank that follows the guidance described in this Advisory Bulletin will satisfy the regulatory requirement of prior FHFA approval of material adjustments to a market risk model set forth in 12 CFR 1277.5(d).</p><p style="font-size&#58;0.9em !important;line-height&#58;1.3em !important;"> <a name="Ftn2" class="super-script">[2]</a> AB 2016-02 rescinded an earlier Advisory Bulletin, 2005-AB-06 <em>Changes to Internal Market Risk Models</em>; that recission remains effective.</p><p style="font-size&#58;0.9em !important;line-height&#58;1.3em !important;"> <a name="Ftn3" class="super-script">[3]</a> Prior to 2019, the regulations governing FHLBank capital requirements, including those governing internal market risk models, were located at 12 CFR part 932 (part of the regulations of the former Federal Housing Finance Board). Those regulations were moved, with some revisions, to subpart B of 12 CFR part 1277 in 2019. See <a href="https&#58;//www.federalregister.gov/citation/84-FR-5326" class="external-link">84 Fed. Reg. 5326</a> (Feb. 20, 2019).</p><p style="font-size&#58;0.9em !important;line-height&#58;1.3em !important;"> <a name="Ftn4" class="super-script">[​4]</a><em>See,</em> Final Rule, Procedures and General Definitions, 79 Fed. Reg. 64661 (Oct. 31, 2014). <em>See also,</em> 12 CFR 907.3 (2008) (the predecessor provision replaced by the 2014 final rule). </p><p style="font-size&#58;0.9em !important;line-height&#58;1.3em !important;"> ​<a name="Ftn5" class="super-script">[5]</a> Therefore, FHLBanks should rely on the process described in this Advisory Bulletin for fulfilling the approval requirements of 12 CFR 1277.5(d).</p><p style="font-size&#58;0.9em !important;line-height&#58;1.3em !important;"> <a name="Ftn6" class="super-script">[6]</a> What constitutes a significant model change depends on qualitative and quantitative factors determined by the FHLBank. The following modifications would constitute a significant model change regardless of any change in model output metrics&#58; replacing, adding, or eliminating model input sources; replacing, adding, or eliminating model parameters and assumptions; changing a software product’s processing components or computer code; or changing an application of the model.</p><p style="font-size&#58;0.9em !important;line-height&#58;1.3em !important;"> <a name="Ftn7" class="super-script">[7]</a> Section 1277.5(a)(1) states&#58; “Each Bank's market risk capital requirement shall equal the market value of the Bank's portfolio at risk from movements in interest rates, foreign exchange rates, commodity prices, and equity prices that could occur during periods of market stress, where the market value of the Bank's portfolio at risk is determined using an internal market-risk model ….” Under AB 2016-02, use of the first option required that the proposed model change not decrease the Bank’s estimated Value-at-Risk by more than 10 percent. Value-at-Risk is a statistic that quantifies the extent of possible losses within a portfolio over a specific time frame. Section 1277.5(a)(2) states&#58; “a Bank may substitute an internal cash flow model to derive a market risk capital requirement….” This AB clarifies that this condition applies to the FHLBank’s market risk-based capital requirement, as opposed to Value-at-Risk—a statistic that meets the requirements of 12 CFR 1277.5(a)(1), but can also be computed for other risk management purposes.</p><p style="font-size&#58;0.9em !important;line-height&#58;1.3em !important;padding-bottom&#58;20px !important;">​ <a name="Ftn8" class="super-script">[8]</a> Thus, if an FHLBank submits appropriate documentation with the model change notification, the FHLBank could expect to receive an approval to the model change from FHFA within 30 calendar days.<br></p><div><div><table width="100%" class="ms-rteTable-default" cellspacing="0" style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;font-style&#58;normal;font-weight&#58;400;"><tbody><tr><td class="ms-rteTable-default" style="width&#58;776px;"><p>​FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. Questions about this advisory bulletin should be directed to&#58; <a href="mailto&#58;SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>. &#160;&#160;<br></p></td></tr></tbody></table> ​ ​​ ​​ <div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read aceac580-8e6d-4216-953b-34770626b79f" id="div_aceac580-8e6d-4216-953b-34770626b79f" unselectable="on"></div><div id="vid_aceac580-8e6d-4216-953b-34770626b79f" unselectable="on" style="display&#58;none;"></div></div>​​ <br> <br></div></div>4/17/2023 6:00:35 PMHome / Supervision & Regulation / Advisory Bulletins / AB 2023-03: FHLBank Changes to Internal Market Risk Models Advisory Bulletin [view PDF of Advisory Bulletin 2023-03 6286https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Supplemental Guidance to Advisory Bulletin 2017-02 - Information Security Management39067All1/13/2023 5:00:00 AMAB 2023-02<tbody><tr><td><p> <span>​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​ADVISORY BULLETIN</span></p><p> <span>AB 2023-02&#58;&#160; Supplemental Guidance to Advisory Bulletin 2017-02 - Information Security Management​</span></p><p> <span> <a>[view&#160;PDF of Advisory&#160;Bulletin 2023-02]</a>&#160; &#160;</span>​<br></p></td></tr></tbody></table><h1> <span> <em> <strong>Purpose</strong></em></span></h1><p>The Federal Housing Finance Agency (FHFA) is issuing this Advisory Bulletin (AB) as supplemental guidance to FHFA AB 2017-02&#58; <em>Information Security Management</em>, published on September 28, 2017.<a>[1]</a> This AB is applicable to Freddie Mac, Fannie Mae,<a>[2]</a> the Federal Home Loan Banks, and the Office of Finance (OF) (collectively, the regulated entities<a>[3]</a>) and clarifies FHFA’s existing guidance and provides insight on industry trends.</p><h1> <span> <em> <strong>Background</strong></em></span></h1><p>Since the publication of AB 2017-02&#58; <em>Information Security Management</em>, new cybersecurity threats have emerged, and existing threats have evolved. As the cyber landscape continues to change, FHFA expects the policies, procedures, and practices that the regulated entities use to ensure safe and sound information security risk management to evolve accordingly. The regulated entities’ information security management program should be commensurate with the level of risk and complexity of its threats and should be periodically reviewed to verify that it reflects industry standards. This AB elaborates on and clarifies elements of AB 2017-02&#58; <em>Information Security Management</em>, and FHFA expects each regulated entity to individually assess the risks associated with protecting the confidentiality, integrity, and availability of its information. FHFA expects the regulated entities to protect their information technology (IT) environments using a risk-based approach to determine the appropriate activities to include in a comprehensive program. </p><h1> <span> <em> <strong>Guidance</strong></em></span></h1><p>This AB’s guidance is organized by illustrative questions that a reader may have when considering the emergence of new cybersecurity threats and the evolution of existing threats since the publication of AB 2017-02&#58; Information Security Management. Each regulated entity’s program should consider adopting appropriate industry standards commensurate with the complexity and risk profile of the entity, such as those promulgated by the National Institute of Standards and Technology (NIST).<a>[4]</a> </p><p> <strong>1.&#160;&#160;How does cyber resiliency factor into AB 2017-02&#58; <em>Information Security Management?</em></strong></p><p>Cyber resiliency can be defined as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”<a>[5]</a> The regulated entities should secure their IT systems in order to continually deliver business operations during cyber events and incidents and/or breaches; remain prepared to detect and respond to compromises to mission critical functions from potential threats; and minimize disruption from an event, incident, or breach.<a>[6]</a></p><p>The confidentiality, integrity, and availability of key regulated entity systems and data should inform information security management at the regulated entities. Incidents affecting the confidentiality, integrity, and availability of systems can significantly impair the operations of the regulated entities. For these reasons, the regulated entities should consider adopting cyber resiliency standards such as those outlined in NIST publications,<a>[7]</a> such as planned redundancy, network segmentation, and strategic contingency planning with third parties to maximize the continuity of business operations.</p><p> <strong>2.&#160;&#160;How can the regulated entities manage the risk from current information security threats?</strong></p><p>The regulated entities should be able to react to and consider the threats outlined below, among others, that expand on the concepts outlined in AB 2017-02&#58; <em>Information Security Management</em>. The regulated entities should also remain familiar with emerging risks and mitigants within the industry by participating in financial sector information sharing workstreams (e.g., FSSCC, FS-ISAC).<a>[8]</a> FHFA expects a continual practice of cyber hygiene such as scanning for and timely patching of vulnerabilities and conducting penetration tests.</p><p>​<span>Social Engineering</span></p><p>Social engineering exploits weaknesses in people rather than in technology. Often, social engineering attackers gather information to support the beginning stages of a sophisticated attack. By improving awareness and implementing technical measures, the regulated entities reduce the chance of social engineering leading to a successful cyberattack.</p><p>Phishing, or similar business email compromise (BEC) attacks, continues to be a commonly used social engineering tactic. Cyber attackers can be innovative and adopt new and creative social engineering tactics to trick company employees into disclosing their credentials or other non-public information. Email and web gateway servers can help defend against BEC attacks through URL filtering. The regulated entities should ensure that these defenses are frequently updated. Additionally, the regulated entities should, as a matter of routine, ensure they update security awareness trainings regularly, conduct social engineering testing (e.g., phishing simulations), and review network device configurations to ensure only legitimate traffic is allowed.</p><p> <span>Malware &amp; Ransomware</span></p><p>While the regulated entities may not be able to prevent being the target of malware and ransomware attacks, having appropriate operational resiliency measures can reduce the effect of these incidents on business operations. Each regulated entity should maintain a communications plan with response and notification procedures for a ransomware incident within its broader incident response plan. The procedures and plans should be tested regularly. All critical information should be regularly backed up as immutable data. Each regulated entity should test the ability to resume critical business processes using backups in a timely manner. The regulated entities should enable spam filters to prevent phishing emails from reaching end users, authenticate inbound email, and use behavior-based malware protection on servers and endpoints. Furthermore, the regulated entities should analyze the need to financially insure against ransomware.</p><p> <span>Accounts</span></p><p>The regulated entities should have individually attributable accounts for accessing IT assets and prohibit the sharing of user accounts. The use of shared accounts increases the risk of sharing passwords and typically will not allow for an attributable audit trail of activity. Furthermore, the regulated entities should enforce security controls over individual and privileged accounts, such as multi-factor authentication. Privileged accounts should be managed centrally and more stringently than non-privileged user accounts. Privileged accounts should be limited to only those who require elevated privileges for specific actions. For example, a privileged account should only be used for approved business purposes. </p> ​ <p><span>Cybersecurity Supply Chain Risk Management&#160;</span><a>[9]</a><br></p><p>The regulated entities increasingly rely on suppliers to support critical functions, which potentially exposes the regulated entities to additional cybersecurity risk. These suppliers have their own suppliers, creating extended supply chains. Complex supply chains and cyber threat actors targeting supplier and acquirer networks increase the importance of supply chain resilience, business continuity, and disaster recovery planning. The regulated entities should consider the following supply chain risk mitigation activities to enhance their third-party risk and business resiliency management programs.<a>[10]</a></p><p>The regulated entities should manage risk from unexpected interruptions to the supply chain to ensure business continuity. Examples of potential disruptions include suppliers ceasing support for hardware and software, merger, acquisition, or change in leadership.<a>[11]</a> The regulated entities should proactively identify risks arising from potential disruptions and mitigate the risks accordingly. The regulated entities will benefit from including contractual provisions to modify or terminate a contract if the supplier is no longer able to meet regulated entity’s requirements. Furthermore, the regulated entities should consider incorporating lessons learned from prior supply chain incidents into planning, response, and recovery processes, and sharing such lessons learned with appropriate parties within the regulated entity.</p><p>The regulated entities should consider strengthening their supplier management programs to monitor for potential security and privacy risks. This includes ensuring that suppliers are meeting regulated entity cybersecurity requirements and remediating any identified issues per agreed-upon timelines. The regulated entities should assess significant suppliers on a regular basis to identify potential changes to the suppliers’ risk profile. </p><p> <strong>3.&#160;&#160;How do third-party provider relationships introduce user access management risks?</strong></p><p>To elaborate on the security risks identified in AB 2018-08&#58; <em>Oversight of Third-Party Provider Relationships</em>, the regulated entities’ engagement with third-party providers can increase user access management risks if external users access the regulated entity’s network and data. If the third-party provider’s contract does not outline specific user access requirements, third-party users may not be subject to sufficiently stringent access controls, and the regulated entities may have insufficient transparency and visibility into the third party’s controls over their users. Finally, poor user access management within third-party providers’ own networks can increase the risk of disclosure of non-public information. As a result, the regulated entities should consider the cyber posture of a third party prior to engagement with the third party. The regulated entities should incorporate the access management guidance provided in this AB into the third-party risk management program, as well as the policies and procedures that implement the guidance detailed in AB 2016-04&#58; <em>Data Management and Usage</em>.<a>[12]</a> </p><p> <strong>4.&#160;&#160;How can information security be addressed at third-party providers?</strong></p><p>Information security risks should be addressed as early as possible during the third-party provider risk management life cycle. The degree of due diligence performed on the third-party providers’ information security program should be commensurate with the risk to the regulated entity’s confidentiality, integrity, and availability of systems and information. The regulated entity should determine if the third party has cybersecurity insurance and the extent and provisions of its coverage. If the third party uses subcontractors,<a>[13]</a> the regulated entity should understand the third party’s ability to control the subcontractors’ access. The regulated entity should approve subcontractor access to its IT systems or data based on the potential risk to the regulated entity. If applicable, the third party should fully disclose the extent of the subcontractors’ access to regulated entity data. Furthermore, if a third party loses or otherwise compromises regulated entity data, the third party should be contractually obligated to notify the affected regulated entity within an agreed-upon timeframe. The third party should have policies, procedures, certifications, and/or accreditations describing its information security program. Information security related expectations for the third party should be explicitly outlined in the contract.</p><p>In addition to performing due diligence and contract negotiation, the regulated entities should conduct ongoing monitoring (and where necessary, on-site reviews) of a third-party provider’s information security program. Periodically, third-party providers should be required to attest that they meet contractually agreed-upon information security requirements, including robust risk management over their own third parties. The regulated entities should also review independent reports on a third-party provider’s security program, such as ISO 27001 certification, and PCI compliance and control reports (e.g., Service Organization Control). As part of ongoing monitoring of the third-party provider, the regulated entities should regularly monitor news, social media, and intelligence feeds for issues that may raise concerns regarding a third-party provider’s information security posture. In scenarios that warrant heightened risk monitoring, the regulated entities may use external third-party providers that specialize in supply chain cyber risk assessments to perform ongoing monitoring over the extended supply chain. </p><p> <strong>5.&#160;&#160;What are examples of appropriate password safeguards?</strong></p><p>To address common attacks, industry best practices recommend a defense-in-depth strategy.<a>[14]</a> Multi-factor authentication is a strong preventative measure against most password attacks. To elaborate on AB 2017-02&#58; <em>Information Security Management</em>, each regulated entity’s program should align with appropriate industry standards on multi-factor authentication, such as those promulgated by NIST, commensurate with the complexity and risk profile of the entity.<a>[15]</a> The regulated entities should also use detective measures such as logging and monitoring failed authentication attempts. Because industry best practices, such as password composition recommendations, adapt frequently to the changing threat landscape, the regulated entities should also review authentication protocols and rules at least annually.</p><p>Additionally, employees and/or contractors should be given the least privilege necessary to perform their job duties. The regulated entity should identify an appropriate party to review privileges regularly, commensurate with the asset’s risk profile. Actions taken using elevated privileges should be monitored. Logs of elevated privilege actions should be parsed into a security information and event management (SIEM) tool.</p><p>To elaborate on the guidance on remote access management set forth in AB 2017-02&#58; <em>Information Security Management</em>, the regulated entities should account for “non-traditional” device<a>[16]</a> access to the network and adapt password security policies, procedures, and standards accordingly. The regulated entity’s management and monitoring of all mobile devices connected to its network through an established mobile device or application management program is critical to promoting sound endpoint security.</p><p>As part of a strong information security culture, training users on security awareness and strong password management techniques can help employees mitigate user access risks. In addition to requiring training on regulated entity policies, procedures, and standards, regulated entities should periodically educate employees on both common and novel password security threats.​</p><p> <strong>6.&#160;&#160;How can the regulated entities address user access management risk given the new threat environment?</strong></p><p>The regulated entities’ information security programs should address risks associated with user access management. In recent years, cyber attackers accessed more entry points (e.g., off-premises “non-traditional” devices, traditional on-premises systems, and the Internet of Things<a>[17]</a>) and used more sophisticated methods of targeting users. Cyber attackers have targeted users with network access to escalate their own privileges and pivot within the network. Thus, the regulated entities should monitor user access, conduct user access reviews, and remove user access when no longer needed. Furthermore, the regulated entity should identify the access necessary for a user to perform job duties before granting access.</p><p> <strong>7.&#160;&#160;What measures can be taken to mitigate the risk of unauthorized privilege escalation?</strong></p><p>Measures taken to mitigate the risk of privilege escalation may be incorporated into multiple layers of the regulated entity’s defense-in-depth posture. Security researchers note that efforts should start with defending against intrusions early in the chain of activities leading to privilege escalation. </p><p>The regulated entities should disable unnecessary or unused services, block unnecessary or unused ports, and use automated command-shell tools (e.g., PowerShell) with discretion. Additionally, the regulated entities should harden defenses at endpoints by appropriately configuring applications such as email and web browsers and limiting executables. </p><p>Attacks using remote desktop protocol and software have increased as more employees work remotely. Unauthorized parties may remotely access a network and escalate privileges to conduct an attack. The regulated entities should avoid the use of default passwords and reliance on default settings for remote desktop technology. The regulated entities may further secure remote access by enforcing strong controls such as requiring multi-factor authentication, patching, and updating software, and restricting access using firewalls. </p><p>Additionally, unauthorized privileged escalation risk may be mitigated by applying principles such as “Zero Trust”<a>[18]</a> from industry best practices of granular and specific access permissions&#58; </p><ul><li>The regulated entities may consider continuously reauthenticating a user rather than granting static authentication at the beginning of a user’s session.</li><li>Regularly review users with administrative or otherwise privileged access and deprovision access once the user no longer needs it.<a>[19]</a></li></ul><p> <strong>8.&#160;&#160;How can the regulated entities mitigate risks presented by incorporating new technology into existing infrastructure?</strong></p><p>New technology may require a learning curve before it is managed effectively. Therefore, it is beneficial for the regulated entities to have reliable and proven processes in place for designing and maintaining a secure and resilient enterprise IT architecture before introducing new technologies. Systems should be evaluated in a test environment before they are incorporated into the production environment. </p><p>The regulated entities may consider developing a risk-based security strategy integrated with the business strategy that defines its appetite for risks posed by new technology. Furthermore, the regulated entities should establish appropriate governance processes for new technology, including risk assessment, and ensure relevant controls are in place prior to the new technology’s implementation. Once the new technology is in use, the regulated entity should continue to monitor and evaluate its risks. If new technology is replacing old technology, the regulated entities should ensure that they properly secure and retire any legacy infrastructure. The regulated entities should have a process in place to train users on any system migrating into production. This can be either formal training or a transfer of knowledge from users of a system in the test environment.</p><p> <strong>9.&#160;&#160;How does information security management of cloud environments differ from information security management of on-premises environments?</strong></p><p>Whereas AB 2018-04&#58; <em>Cloud Computing Risk Management</em>,<a>[20]</a> covers differences between the cloud environment and the on-premises environment and details third-party cloud provider management and information security, the sections below provide additional detail to the cloud information security operations topics parallel to Section III&#58; Operations in AB 2017-02&#58; <em>Information Security Management</em>.</p><p> <span>Continuous Monitoring</span></p><p>The regulated entity should integrate any cloud monitoring and logging tools into an existing SIEM platform for centralized threat detection and management. Most leading cloud service providers (CSP) offer built-in monitoring and logging tools, but the customers are responsible for configuring these tools. If a regulated entity chooses to use a CSP tool, the regulated entity should understand the tool’s capabilities. </p><p> <span>Vulnerability Management</span></p><p>The vulnerability management concepts outlined in AB 2017-02&#58; <em>Information Security Management</em> apply to the cloud environment. Vulnerability management of cloud infrastructure is typically managed by the CSP; however, in a platform-as-a-service and infrastructure-as-a-service model, the customer is responsible for vulnerability management in the cloud. The regulated entities should prioritize vulnerability management for cloud applications at the start of the cloud build processes rather than as an afterthought at the end.</p><p> <span>Baseline Configuration</span></p><p>Regulated entities should include cloud-based IT assets in the IT inventories referenced in AB 2017-02&#58; <em>Information Security Management</em>. The process for baselining and monitoring IT asset configurations should be the same for both on-premises and cloud-hosted assets. Baseline configurations are especially important for virtual servers that are decommissioned and then recommissioned using established baselines. Secure baseline configurations should be established based on manufacturer or industry best practice. Additionally, leading CSPs provide security configuration guidelines for foundational services used for establishing connectivity, authentication, data access, and encryption settings. The regulated entities should identify and adopt appropriate baseline configuration standards that ensure a comprehensive view of potential security configuration gaps within all its cloud-based services and provide assurance that the cloud-based IT environment is configured to maintain the expected level of protection against threats to data.</p><p> <span>Asset Lifecycle</span></p><p>With more critical processes moving to cloud environments, some asset management responsibilities could shift to the CSP. The regulated entities should continue to maintain an asset lifecycle program as detailed in AB 2017-02&#58; <em>Information Security Management</em>. While the regulated entities may have fewer physical infrastructure assets such as servers, the regulated entities may need to enhance asset lifecycle policies and procedures to reflect trends such as BYOD (bring your own device) and increased teleworking. The regulated entities should consider how “nontraditional” devices fit into their asset lifecycle.</p><p> <span>Incident Response and Recovery</span></p><p>The regulated entities should evaluate the design and operating effectiveness of the CSP’s incident response controls. Each Enterprise is expected to meet the provisions of AB 2020-05&#58; <em>Enterprise Cybersecurity Incident Reporting</em>, in the event of a cybersecurity incident at a CSP that compromises the confidentiality, integrity, or availability of an Enterprise asset.<a>[21]</a> Similarly, each Federal Home Loan Bank is expected to meet data reporting provisions established by FHFA’s Division of Federal Home Loan Bank Regulation.</p><p> <span>Awareness and Training</span></p><p>The regulated entities should consider how using cloud technology affects the existing information security culture. Existing policies and procedures may need to be modified or supplemented to provide personnel with adequate information on securely developing and using cloud-based applications. As needed, the regulated entities should administer cloud-specific training to provide personnel with a baseline understanding of cloud systems. The regulated entities should administer role-based training to users with access to cloud systems, with more rigorous training required for those with privileged access.</p><p> <span>User Access Management</span></p><p>When virtually connecting to a CSP, the regulated entities should extend existing user identity and access management policies such as federation<a>[22]</a> to the cloud. The regulated entities should tie identities to a centralized internal identity and consider the use of identity brokers where appropriate.</p><p> <span>Threat Intelligence Sharing</span></p><p>Most cloud industry leaders offer built-in threat intelligence services and publish whitepapers on using these services. Cloud customers are responsible for enabling and configuring these services. CSPs, federal agencies such as the Cybersecurity and Infrastructure Security Agency, and third-party security providers also produce alerts. The regulated entities’ existing SIEM framework should incorporate these alerts. The regulated entities should continue to participate in private and public threat intelligence coordination. As a small number of CSPs are heavily used within the financial sector, information exchange on threats affecting these platforms promotes financial sector security and resiliency. </p><p> <span>Encryption</span></p><p>In addition to the guidance provided in Section III of AB 2017-02&#58; <em>Information Security Management</em>, the regulated entities should also incorporate cloud encryption and key management concepts into policies and procedures. The regulated entities should define what data need to be encrypted and where the data are stored and then implement encryption and key management accordingly. For certain types of data that have specific regulatory or statutory requirements, each regulated entity should carefully evaluate whether the encryption of such data and the location in which such data are stored within a cloud environment comply with these requirements. Regulated entity information security personnel should work with their organization’s compliance and legal staff to clearly understand all applicable encryption-related laws and regulation and to ensure ongoing compliance. Many CSPs offer key management services; therefore, the regulated entities and their CSPs should agree upon roles and responsibilities for key storage and management services and document them in their service contracts. The regulated entities should adopt NIST standards to implement encryption and key management appropriately.<a>[23]</a> </p><p> <strong>10.&#160;&#160;How should the information security program adapt to changing privacy laws?</strong></p><p>As many privacy laws are enacted at the state rather than the federal level, the regulated entities should continuously monitor the applicability of and their compliance with new and changing state privacy laws, as well as any relevant federal laws. These laws may require changes to the regulated entity’s information security program, as privacy laws may have implications on how and where certain data can be stored, the level of security needed to protect that data, and specific data retention and deletion requirements. For example, some state-specific privacy laws stipulate the level and type of encryption needed for certain kinds of data, the circumstances under which certain information can be shared with a third-party provider, notification requirements for data breaches, and the deletion of certain kinds of information on request. Data encryption should be balanced with data transparency to ensure that the relevant data can be easily located and removed when the law requires it to be deleted. Privacy laws underscore the necessity for the regulated entities to understand what data they own, where it is housed, who has access and for what purposes, and how the data is protected. The regulated entities should maintain a comprehensive and current inventory of all data they own, where data is located, with which third parties their data was shared, and for what purpose. Additionally, because laws may have different requirements and applicability depending on the location of the consumer and the kinds of data involved, regulated entity information security personnel should work with the regulated entity’s privacy, compliance, and legal offices to clearly understand the applicable requirements, best practices, and to ensure ongoing compliance with privacy laws. To effectively anticipate and address the implications of any new activity on privacy compliance and information security, the regulated entities should perform a privacy assessment prior to approving any new activities (including pilot initiatives and the commencement of any new third-party service provider relationship). </p><p> <strong>11.&#160;&#160;What are avenues for discovering vulnerabilities?</strong></p><p> <span>Penetration Testing</span></p><p>The regulated entities should engage third parties to perform independent penetration testing,<a>[24]</a> as well as perform internal penetration testing as necessary. Though penetration testing may proactively identify potential vulnerabilities during the development lifecycle, it generally is used to test a deployed system at any specific point in time and should not be used as a substitute for secure development practices. The regulated entities should conduct penetration tests on systems periodically post-deployment.</p><p> <span>Threat Modeling</span></p><p>The regulated entities may also use established frameworks to perform threat modeling<a>[25]</a> on their systems.​ The regulated entities should embed security protections into information systems by creating a feedback loop of identifying, mitigating, and reassessing threats. Rather than finding vulnerabilities in pre-deployed or deployed systems, the regulated entities may find them during the development process if security is prioritized in the design of the system. Additionally, both technical and non-technical vulnerabilities can be highlighted if threat modeling is performed by both the technical and functional stakeholders throughout the software development lifecycle. The regulated entities may incorporate threat modeling into the ongoing management and monitoring of high-risk systems. </p><p> <span>Vulnerability Disclosure Program</span></p><p>A Vulnerability Disclosure Program (VDP) may enable the regulated entity to learn of vulnerabilities through external parties, such as IT and information security researchers, ethical hackers, etc. The discovery and shared disclosure of previously unknown vulnerabilities enables faster identification and remediation. Additionally, a VDP may potentially mitigate reputational risk if the regulated entities are informed of vulnerabilities through a non-public communication channel rather than through exploitation or publication of the vulnerability on public channels.</p><h1> <span> <em> <strong>Related Guidance​</strong></em></span></h1><p> <em>Enterprise Risk Management Program,</em> FHFA AB 2020-06, December 11, 2020.</p><p> <em>Business Resiliency Management,</em> FHFA AB 2019-01, May 7, 2019.</p><p> <em>Oversight of Third-Party Provider Relationships,</em> FHFA AB 2018-08, September 28, 2018.</p><p> <em>Cloud Computing Risk Management,</em> FHFA AB 2018-04, August 14, 2018.</p><p> <em>Information Security Management,</em> FHFA AB 2017-02, September 28, 2017.</p><p> <em>Internal Audit Governance and Function,</em> FHFA AB 2016-05, October 7, 2016.</p><p> <em>Data Management and Usage,</em> FHFA AB 2016-04, September 29, 2016.</p><p> <em>Operational Risk Management,</em> FHFA AB 2014-02, February 18, 2014.</p>​ <hr />​​ <p> <a>[1]</a><a>AB 2017-02&#58; <em>Information Security Management</em>, September 2017</a>.</p><p> <a>[2]</a> Common Securitization Solutions, LLC (CSS) is an “affiliate” of both Fannie Mae and Freddie Mac, as defined in the Federal Housing Enterprises Financial Safety and Soundness Act of 1992, as amended. 12 U.S.C. 4502(1), and this AB applies to it. </p><p> <a>[3]</a> The OF is not a “regulated entity” as the term is defined in the Federal Housing Enterprises Financial Safety and Soundness Act as amended. See 12 U.S.C. 4502(20). However, for convenience, references to the “regulated entities” in this AB should be read to also apply to the OF. </p><p> <a>[​4]</a> If a regulated entity chooses not to adopt or adhere to the NIST standards, the regulated entity could nevertheless meet FHFA’s supervisory expectations by demonstrating to the examiner’s satisfaction that adoption and adherence to a comparable set of current industry standards is safe and sound information security management.</p><p> <a>[5]</a> Defined in NIST SP 800-160 Vol. 2 Rev. 1, December 2021.</p><p> <a>[6]</a> Refer to <a>AB 2019-01&#58; <em>Business Resiliency Management</em></a>, for more information related to an entity’s ability to minimize disruptions and maintain business operations at predefined levels.</p><p> <a>[7]</a><em>See footnote 4.</em></p><p> <a>[8]</a><em>E.g.</em>, The Financial Services Sector Coordinating Council and Financial Services Information Sharing and Analysis Center.</p><p> <a>[9]</a> Defined in NIST SP 800-161r1, May 2022.</p><p> <a>[10]</a> Refer to <a>AB 2018-08&#58; <em>Oversight of Third-Party Provider Relationships</em></a>, for expectations related to the regulated entities’ risk management of third-party suppliers.</p><p> <a>[11]</a><em>See</em> NIST IR 8276, Key Practices in Cyber Supply Chain Risk Management&#58; Observations from Industry.</p><p> <a>[12]</a><a>AB 2016-04&#58; <em>Data Management and Usage</em>, September 2016</a>.</p><p> <a>[13]</a> Subcontractors are also referred to as fourth parties.</p><p> <a>[14]</a> Defined in NIST SP 800-53 Rev. 5, September 2020.</p><p> <a>[15]</a><em>See footnote 4.</em></p><p> <a>[16]</a><em>E.g.,</em> smartphones, tablets, wearable technology.</p><p> <a>[17]</a> Defined in NIST SP 800-172, February 2020.</p><p> <a>[18]</a> Defined in NIST SP 800-207, August 2020. </p><p> <a>[19]</a> For more information on “Zero Trust” principles, see <a>NIST Special Publication 800-207&#58; Zero Trust Architecture</a> (2020). </p><p> <a>[20]</a><a>AB 2018-04&#58; <em>Cloud Computing Risk Management</em>, August 2018</a>.</p><p> <a>[21]</a><em>See</em><a>AB 2020-05&#58; <em>Enterprise Cybersecurity Incident Reporting</em></a>, for FHFA’s definition of a “reportable cybersecurity incident.”</p><p> <a>[22]</a> Defined in NIST SP 800-63 Rev. 3, June 2017.</p><p> <a>[23]</a><em>See footnote 4.</em></p><p> <a>[24]</a> Defined in NIST SP 800-95, August 2007.</p><p> <a>[25]</a> Defined in NIST SP 800-53 Rev. 5, September 2020.​<br></p><div><div><table><tbody><tr><td><p>​FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. Questions about this advisory bulletin should be directed to&#58; <a>SupervisionPolicy@fhfa.gov</a>. &#160;&#160;<br></p></td></tr></tbody></table> ​ ​​ <div><div></div><div></div></div>​​ <br></div></div>1/14/2023 4:17:39 PMHome / Supervision & Regulation / Advisory Bulletins / Supplemental Guidance to Advisory Bulletin 2017-02 - Information Security Management Advisory Bulletin 8664https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Model Risk Management Guidance38732All12/21/2022 5:00:00 AMAB 2022-03<table width="100%" class="ms-rteTable-default" cellspacing="0" style="margin&#58;0px;padding&#58;0px;line-height&#58;inherit;font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;vertical-align&#58;baseline;table-layout&#58;fixed;border-spacing&#58;0px;font-stretch&#58;inherit;background-color&#58;#ffffff;"><tbody style="font&#58;inherit;margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;vertical-align&#58;baseline;"><tr style="font&#58;inherit;margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;vertical-align&#58;baseline;"><td class="ms-rteTable-default" style="font&#58;inherit;margin&#58;0px;width&#58;776px;"><p style="line-height&#58;22px;padding&#58;0px;border&#58;0px currentcolor;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;color&#58;#404040 !important;"> <span style="margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;line-height&#58;inherit;font-family&#58;inherit;font-size&#58;inherit;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;font-weight&#58;700 !important;">​​​​​​​​​​​​​​​​​​​​​​​​ADVISORY BULLETIN</span></p><p style="line-height&#58;22px;padding&#58;0px;border&#58;0px currentcolor;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;color&#58;#404040 !important;"> <span style="margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;line-height&#58;inherit;font-family&#58;inherit;font-size&#58;inherit;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;font-weight&#58;700 !important;">AB 2022-03&#58;&#160; ​Supplemental Guidance to Advisory Bulletin 2013-07 - Model Risk Management Guidance​</span></p><p style="line-height&#58;22px;padding&#58;0px;border&#58;0px currentcolor;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;color&#58;#404040 !important;"> <span style="margin&#58;0px;padding&#58;0px;border&#58;0px currentcolor;line-height&#58;inherit;font-family&#58;inherit;font-size&#58;inherit;font-style&#58;inherit;font-variant&#58;inherit;vertical-align&#58;baseline;font-stretch&#58;inherit;font-weight&#58;700 !important;"> <a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/AB-2022-03_Supplemental-Guidance-to-AB-2013-07-Model-Risk-Management-Guidance.pdf">[view&#160;PDF of Advisory&#160;Bulletin 2022-03]</a></span><br></p></td></tr></tbody></table><h1> <span style="text-decoration&#58;underline;"><em><strong>PURPOSE</strong></em></span></h1><p>The Federal Housing Finance Agency (FHFA) is issuing this Advisory Bulletin (AB) as supplemental guidance to FHFA AB 2013-07&#58; Model Risk Management Guidance<em>,</em> published on November 20, 2013.&#160;This AB is applicable to Freddie Mac, Fannie Mae,<a href="#footnote1" class="super-script">[1]</a>​&#160;the Federal Home Loan Banks (FHLBanks), and the Office of Finance (OF) (collectively, the regulated entities<a href="#footnote2" class="super-script">[2]</a>) and clarifies and expounds on various topics covered in FHFA's existing guidance.&#160; &#160;</p><p style="text-align&#58;justify;">The intent of this AB's guidance, formatted as Frequently Asked Questions (FAQs), is to provide supplemental guidelines that will address some of the gaps in AB 2013-07 prompted by changes in model-related technologies and questions generated from the expanded use of complex models by the FHLBanks. The supplemental guidance also addresses model documentation, the communication of model limitations, model performance tracking, on-top adjustments, challenger models, model consistency, and internal stress testing.&#160; </p><p style="text-align&#58;justify;"> <span style="text-decoration&#58;underline;"> <strong> </strong></span></p><h1> <span style="text-decoration-line&#58;underline;"> <em> <strong>BACKGROUND</strong></em></span></h1><p style="text-align&#58;justify;">Since the publication of AB 2013-07, we have observed changes in model-related technologies which have prompted changes in&#160;guidance and generated questions regarding existing guidance. The advent of cloud technology and artificial intelligence/machine learning techniques have led to FHFA's issuance of specific guidance on these topics.<a href="#footnote3" class="super-script">[3]</a>&#160;However, the issuance of that guidance has created gaps in AB 2013-07.&#160; </p><p style="text-align&#58;justify;">In addition, the FHLBanks have increased the use of models, employing internally developed models as well as complex vendor models. Since the issuance of AB 2013-07, FHFA has also amended the regulation addressing FHLBank capital requirements<a href="#footnote4" class="super-script">[4]</a> and issued related FHLBank guidance on modeling. Specifically, FHFA issued additional guidance on market risk models (AB 2016-02; AB 2018-01) and mortgage credit risk models (AB 2018-02).<a href="#footnote5" class="super-script">[5]</a>&#160;The FHLBanks' expanded model use as well as recent FHFA regulations and guidance applicable to the FHLBanks have also created the need for expanded clarification of AB 2013-07.<a href="#footnote6" class="super-script">[6]</a>&#160; &#160;&#160;</p><p style="text-align&#58;justify;"> <span style="text-decoration&#58;underline;"> <strong> </strong></span></p><h1> <span style="text-decoration-line&#58;underline;"> <em> <strong>GUIDANCE​</strong></em></span></h1><p> <strong>1.&#160;&#160;</strong><strong>Model Risk Management Framework</strong></p><p> <strong>1(a).&#160;&#160;</strong><strong>How should “less complex&quot; entities address expectations in AB 2013-07? </strong> <br>Model risk management should be commensurate with a regulated entity's model use and risk exposure. AB 2013-07 provides a distinction between “complex&quot; (Fannie Mae and Freddie Mac) and “less complex&quot; (FHLBanks and OF) entities. Over time, the FHLBanks have expanded the scope, scale, and complexity of their modeling activities. Thus, the FHLBanks and OF should be attentive to changes in the complexity, impact, and scope of their modeling environments and modify their model risk management practices accordingly. Pointedly, the distinction between “complex&quot; and “less complex&quot; does not exempt “less complex&quot; regulated entities from the expectations in AB 2013-07, but it could affect the frequency and rigor of certain model risk management practices. </p><p style="text-align&#58;justify;"> <strong>1(b).&#160;&#160;</strong><strong>Does the existing definition of “model use&quot; in AB 2013-07 encompass all potential model applications considering recent changes to model uses? </strong> <br>AB 2013-07 defines model use “as using a model's output as a key basis for informing business decision-making, managing risk, or developing financial reports.&quot;&#160;The adoption of artificial intelligence and machine learning techniques has expanded the definition of model use beyond business decision-making, risk management, and the development of financial reports. The regulated entities employ artificial intelligence and machine learning for various business processes (<em>e.g</em>., productivity tools such as facial recognition for access management and document digitization).&#160; </p><p style="text-align&#58;justify;">Although FHFA has articulated expectations for risk management of artificial intelligence and machine learning in AB 2022-02&#58; <em>Artificial Intelligence/Machine Learning Risk Management </em>(Feb. 10, 2022), the governance for models used for business decision-making, risk management, and financial reporting should still adhere to the expectations outlined in AB 2013-07.&#160;Models not directly used for those purposes should follow a governance framework commensurate to the risk, consistent with AB 2013-07. For example, if a model is used for scanning and digitizing documents, controls appropriate to the process should be developed to manage the risk. In addition to AB 2013-07, other appropriate FHFA guidance should be considered and applied in those instances.<a href="#footnote7" class="super-script">[7]</a></p><p style="text-align&#58;justify;"> <strong>1(c).&#160;&#160;</strong><strong>​</strong><strong>What are the expectations for mapping of key dependencies on external model-related data, software, storage, and technology?</strong><br>Since the publication of AB 2013-07, FHFA has observed a wider adoption of technologies in the mortgage industry.&#160;Many of these technologies reside externally to the regulated entities and are largely outside of the regulated entities' control. Examples of such technologies are cloud servers, vendor models, and external data used by the regulated entities as inputs for their models. Although FHFA has published guidance related to externally sourced technologies such as AB 2018-04&#58; <em>Cloud Computing Risk Management</em> (Aug. 14, 2018) and AB 2018-08&#58; <em>Oversight of Third-Party Provider Relationships</em> (Sept. 28, 2018), FHFA expects the regulated entities to take a macro-prudential view of the risks posed by externally sourced data and technologies. The regulated entities should map their external dependencies to significant internal systems and processes to determine their systemic dependencies and interconnections. In particular, the regulated entities should have an inventory of key dependencies on externally sourced models, data, software, and cloud providers. This inventory should be regularly updated and reviewed by senior management and presented to the board of directors, as deemed appropriate.<br> </p><p style="text-align&#58;justify;"> ​ <strong>1(d).&#160;&#160;</strong><strong style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;">How should a regulated entity treat processes or components of modeling processes that incorporate qualitative elements or judgements?</strong><strong style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;">&#160;</strong></p><p style="text-align&#58;justify;">AB 2013-07, in its definition of models, covers quantitative approaches whose inputs are partially or wholly qualitative or based on expert judgment, provided that the output is quantitative in nature.&#160; <br></p><p style="text-align&#58;justify;"> <strong>2.&#160;&#160;</strong><strong>Model Documentation</strong></p><p style="text-align&#58;justify;"> ​ <strong>2(a).&#160;&#160;</strong><strong>What elements should the regulated entities' model use policies and procedures include to ensure that model documentation is sufficient? </strong> <br>For all model uses, a regulated entity should have policies and procedures in place to ensure model owners compile and maintain comprehensive model documentation that is sufficiently detailed to enable a qualified third party to independently operate and maintain a model for each model use. A regulated entity's processes should be designed and operated reliably to maintain comprehensive model documentation that is complete prior to the independent model validation for a specific use. A regulated entity should have processes in place for revising or augmenting the documentation based on the results of the model validation prior to model implementation. Procedures and policies that require updates to model documentation are important to memorialize all model components correctly and comprehensively for each model use.&#160; </p><p style="text-align&#58;justify;"> <strong>2(b).&#160;&#160;</strong><strong>How should a regulated entity address and mitigate the risks associated with model limitations across the model lifecycle? </strong> <br>The regulated entities should clearly document significant model limitations within the model documentation, along with any root causes and mitigation strategies where appropriate. A regulated entity should document and clearly communicate to the model user community model limitations identified during model development and model validation. Model limitations do not only arise from technical limitations. Limitations arise in part from weaknesses in the model because of its various shortcomings, approximations, and uncertainties. Limitations are also a consequence of assumptions underlying a model that may restrict the scope of appropriate use to a limited set of specific circumstances and situations. Decision makers need to understand the limitations of a model to avoid using it in ways that are not consistent with the original intent. <br> </p><p style="text-align&#58;justify;"> <strong>3.&#160;&#160;</strong><strong>Model Validation Program </strong></p><p style="text-align&#58;justify;"> <strong>3(a).&#160;&#160;</strong><strong>Should a regulated entity's internal model validation guidelines provide specific standards for an independent validation?</strong><br>A regulated entity's internal model validation guidelines and practices should align with AB 2013-07's specific standards to ensure independent review and challenge to model assumptions, mathematical formulae, and inputs. The internal guidelines should include a sufficient level of detail to ensure that qualified experts perform the review at a sufficient breadth and depth.&#160;Further, the model validation report should include thorough descriptions of these reviews and relevant outcomes.&#160;An independent model validation should extend beyond an affirmation of the model's correctness and reasonableness.&#160; </p><p></p><p style="text-align&#58;justify;"> <strong>3(b).&#160;&#160;</strong><strong>How should the regulated entities evaluate third-party model validations? </strong> <br>When using an external vendor to complete an independent model validation, the regulated entity's model validation group is accountable for the quality, recommendations, and opinions of any third-party review. When evaluating a third-party model validation, a regulated entity should implement model risk management policies and practices that align the vendor-completed specific standards for an independent validation with the specific standards included in AB 2013-07.&#160; <br></p><p style="text-align&#58;justify;"> ​ <strong>3(c).&#160;&#160;</strong><strong>How should model validation findings and other model risk issues be monitored and reported?</strong><br>A regulated entity should establish processes for monitoring the remediation status of identified model validation findings and other model risk issues and for providing reports to senior management and management-level committees.&#160;Findings and issues with production models that are significant in nature should be governed in accordance with the regulated entity's issues management program.&#160;&#160; <br> </p><p style="text-align&#58;justify;"> <strong>3(d).&#160;&#160;</strong><strong>What are acceptable practices for effective challenge? </strong> <br>Model risk management policies, as AB 2013-07 notes, should include acceptable practices for “effective challenge&quot; of models.&#160;Effective challenge involves critical analysis by independent, informed parties who can identify model limitations, evaluate assumptions, and recommend appropriate changes. The efficacy of effective challenge depends on a combination of incentives, competence, and influence.&#160;For example, effective challenge requires that the regulated entities invest human capital resources in qualified personnel and ensure the distinct separation of the model challenge process from the model development process.&#160;In addition, the regulated entity should foster a corporate culture where senior levels of management give those responsible for effective challenge processes explicit authority, support, and stature within the organization.&#160; </p><p></p><p style="text-align&#58;justify;"> ​ <strong>3(e).&#160;&#160;</strong><strong>Do challenger or benchmark models play a role in the effective challenge of models?</strong><br>The regulated entities should have a well-developed effective challenge process in place to assess the effectiveness of models and the reasonableness of key assumptions. This may include a champion-challenger framework in which challenger models give an alternative perspective to a primary, or champion model, and provide a point of comparison allowing for analysis of model results and sensitivity of the output.&#160;It is desirable that potential challenger models are well vetted, and employ alternative approaches to estimation, which may include theoretical or methodological differences from the primary model.&#160;Effective challenge should be in place at all levels of estimation where model or estimation risk is affected – this includes overall loss estimates, component level estimates, assumptions, and component level inputs.&#160;The regulated entities should document the effective challenge process as well as any changes that result from it and the rationale for their decisions. </p><p style="text-align&#58;justify;">Although benchmark models may never be considered to be replacements for the primary model, they provide a point of comparison for understanding how the primary model results differ from other widely-referenced available models used in industry.&#160;Benchmark models may also aid in understanding the primary model.&#160; &#160;<br> </p><p style="text-align&#58;justify;"> ​ <strong>3(f).&#160;&#160;</strong><strong>What should a regulated entity consider when deciding if an end-user computing tool (EUC) or calculator should be subject to the guidance set forth in AB 2013-07?</strong><br>The increase in the complexity and reliance on EUCs and calculators to carry out critical financial operations has also fostered the requirement for enhanced EUC/calculator risk mitigation. &#160;For example, a regulated entity should classify a significant or important EUC, calculator, or other data generating process as a model if the EUC, calculator, or process (1) feeds into or out of a model; (2) makes assumptions; and/or (3) incorporates thresholds or quantitative methodologies. Additionally, EUCs and calculators may be integrated into broader modeling processes. When applicable, a regulated entity should also treat integrated EUCs and calculators as models and subject the EUCs, calculators, or processes to model validations and governance in accordance with the frequency and rigor outlined in the regulated entity's model risk management policies and procedures.&#160;A regulated entity that includes EUCs and calculators as part of the broader modeling process is likely already subjecting those EUCs and calculators to the guidance set forth in AB 2013-07.</p><p> <strong>4.&#160;&#160;</strong><strong>Model Control Framework</strong></p><p style="text-align&#58;justify;"> <strong>4(a).&#160;&#160;</strong><strong>How is model performance tracking integral to the model control framework? </strong> <br>A regulated entity should have policies and procedures in place for ongoing model performance tracking (MPT) for each significant model use prior to model production implementation.&#160;Performance tracking preemptively ensures model integrity through the business cycle. Properly designed model performance tracking metrics, thresholds, and alerts provide the model diagnostics necessary to identify and measure sources of model error.&#160;Model diagnostics are intended to capture model performance degradation timely and facilitate the appropriate corrective action. </p><p style="text-align&#58;justify;">MPT metrics and thresholds should be tied to both downstream use effects and a model's integrity as measured by the accuracy of the key outputs.&#160;Model owners are expected to involve model users and model risk management teams to ensure MPT metrics are appropriate, and thresholds are set below the risk tolerance of the business unit. </p><p style="text-align&#58;justify;"> <strong>4(b).&#160;&#160;</strong><strong>What should a regulated entity consider when establishing thresholds for model performance tracking?</strong><br>Ongoing model performance tracking should include well-supported and documented thresholds and procedures for responding to outputs outside these thresholds.&#160;A regulated entity should select, fully document, and reevaluate, on an ongoing basis, thresholds for each significant model use.&#160;As models alone do not drive these business decisions and risk management, model performance thresholds and alerts should be set at a level below the point where model error approximates or equals management risk limits or risk appetite.</p><p style="text-align&#58;justify;"> <strong>4(c).&#160;&#160;</strong><strong>Should model performance tracking include an evaluation of model adjustments? </strong> <strong>&#160;</strong><br>Ongoing model performance tracking should also include monitoring and analysis of any model overrides, on-top adjustments, recalibration, and use of (or changes to) tuning parameters.&#160;This monitoring should include documented, ongoing analysis establishing that any adjustments are appropriate for the model uses to which they are applied.</p><p style="text-align&#58;justify;"> <strong>4(d).&#160;&#160;</strong><strong>How should a regulated entity use model performance tracking metrics and reports? </strong> <br>MPT results show the model's reasonableness, robustness, and range with respect to its historical performance.&#160; Backward-looking performance metrics provide a useful measure of error due to the model.&#160;In both normal and stressed economic environments, model performance reports can help identify a model's fundamental flaws or weaknesses.&#160;Model performance reports should include aggregate model errors that directly affect business decisions and risk management.&#160;Upstream models errors can propagate to downstream models which could amplify the errors.</p><p style="text-align&#58;justify;"> <strong>4(e).&#160; S</strong><strong>hould regulated entities document support for on-top adjustments that align model predictions to actual results? </strong> <br>Periodically, model outputs will require on-top adjustments to produce more accurate results.&#160;These adjustments can occur at the component level or be applied to the overall result depending on the need for the adjustment.&#160;The regulated entities should develop and document a clear and transparent process for determining (1) when on-top adjustments to models are needed; (2) how the adjustment will be applied; and (3) the length of time for having these adjustments in place before finding a permanent solution.<br> </p><p style="text-align&#58;justify;"> ​ <strong>4(f).&#160;&#160;</strong><strong>Is it sufficient to state that assumptions or on-top adjustments are conservative?</strong><br>Simply indicating that model assumptions or on-top adjustments are “conservative&quot; is a qualitative assessment and does not provide sufficient support for a quantitative assumption or adjustment. A&#160;regulated entity should provide documentation to support significant modeling assumptions or on-top adjustments whether they are “conservative&quot; or not.<br></p><p style="text-align&#58;justify;"> <strong>4(g).&#160;&#160;</strong><strong>What role does effective challenge play in establishing on-top adjustments? </strong> <br>When on-top adjustments are applied, the regulated entities should document the justification for the on-top adjustment, articulate the effect of the adjustment, and state for how long it will be applied.&#160;On-top adjustments should also be subjected to effective challenge.&#160;Model risk management should also track and review on-top adjustments to get a broad view that may reveal an enterprise-wide issue.​<br></p><p style="text-align&#58;justify;"> <strong>4(h).&#160;&#160;</strong><strong>How should a regulated entity manage the recurrent use of on-top adjustments? </strong> <br>The use of on-top adjustments should initiate a review process to determine the reason for the on-top adjustment. The recurrent use of on-top adjustments in model estimates can be an indicator of an insufficient model or process robustness and should trigger a review. This review should assess whether the causes leading to use of the on-top adjustment are temporary. If the on-top adjustment is deemed to be recurrent rather than temporary, then the model or forecast process may require updating. If updates are necessary, the regulated entities should have in place a feedback process that engages with the relevant committees, business units, or individuals in a manner that allows model owners to promptly execute any necessary updates to the models. With the continued use of on-top adjustments, a regulated entity's documentation of the need to maintain the adjustments during the next validation cycle is an important feature of any review process. Full documentation of the findings of the review process, and the rationale for any decision and outcome, is another important element concluding the review process.</p><p> <strong>4(i).&#160;&#160;</strong><strong>Is a regulated entity expected to incorporate model</strong><strong>ing</strong><strong> assumption</strong><strong>s</strong><strong> and inputs in the same manner </strong> <strong>across various</strong><strong> model uses? </strong> <br>The regulated entities' policies and procedures should ensure that models, assumptions, and inputs, such as housing price appreciation or macroeconomic factors, are used in a consistent manner across the various financial and business practices where applicable. However, model flexibility is desirable to address circumstances in which models and assumptions cannot be used consistently. For example, if accounting rules prescribe a specific use, then the regulated entity would need a process to address that use and to evaluate and assess the effect of the inconsistency. The regulated entity should document the occurrence, the reason for the differences, and if it has a material effect, determine what steps may be needed to mitigate the effect.&#160; <br></p><p style="text-align&#58;justify;"> ​ <strong>4(j).&#160;&#160;</strong><strong>What are model implementation risks and how can these be mitigated?</strong><br>Errors can occur at any point from design through implementation, thus model risk management should include disciplined and knowledgeable development, testing and implementation processes. Data and other model inputs used to generate model results often rely on EUCs, upstream&#160;models, or other supplemental data generating processes that can be subject to human error or operational errors. A regulated entity should regularly evaluate and confirm that data or other input generating processes align with the documented model theory and have not been subject to human error.&#160; </p><p> <strong>5.&#160;&#160;</strong><strong>Internal Scenario and Sensitivity Analysis and Stress Testing</strong></p><p style="text-align&#58;justify;"> <strong>5(a).&#160;&#160;</strong><strong>What are FHFA's model expectations for scenario analysis?</strong><br>A regulated entity should use scenario analyses to assess the reliability, effectiveness, and stability of forecasts the models produce in a variety of situations and to identify potential issues with the models that can lead to inaccurate results.&#160;Scenario analysis should be distinguished from stress testing as both can be applied enterprise-wide and will often employ the regulated entities' most significant models. Internal scenario analysis and stress testing should be conducted on a recurring basis but should also be conducted as needed.<br> </p><p style="text-align&#58;justify;"> ​ <strong>5(b).&#160;&#160;</strong><strong>What are FHFA's model expectations for sensitivity analyses?</strong><br>Sensitivity analysis can be conducted to assess the effect of many model-related factors (<em>e.g</em>., variables, model specification, key assumptions, constraints on intermediate outputs such as a loss severity floor). Because models are highly influenced by underlying assumptions in forecasted values, the regulated entity should assess how different assumptions and processes can affect the estimates. The regulated entity should use realistic expectations and an approach that makes intuitive sense when stressing key variables. Sensitivity analyses should be completed for each significant component model as well as the overall model or forecast. A regulated entity should vet thresholds or criteria they use for sensitivity analysis to ensure they are meaningful and realistic.</p><p style="text-align&#58;justify;"> <strong>5(c).&#160;&#160;</strong><strong>What are FHFA's model expectations for internal stress testing?</strong><br>Stress testing is a critical tool for a regulated entity's risk management because it alerts senior management to unexpected adverse outcomes for a range of potential risks. Stress testing also may enable the regulated entity to better understand its models' expected losses by exposing model behavior or risk factor behavior that may not be otherwise realized. This may lead to reconsideration of existing model formulations that improve performance or enhance the usefulness of the model.&#160;Stress test scenarios should be designed to capture risks relevant to model predictions for each model use. Stress test scenarios should be developed using reasonable, potential scenarios and incorporate historical events and hypothetical future events, or those not observed historically, (<em>e.g</em>., scenarios without government intervention). Stress test scenarios should also consider potential systematic issues that may adversely affect the model's forecasts.&#160; </p><p style="text-align&#58;justify;">A stress test is designed to simulate the effect of one or more shocks or prolonged downturns on the entire regulated entity. A “shock&quot; is a large, sudden, adverse change in the state of the external world or the internal state of a regulated entity. A shock appears suddenly, and its effects are felt immediately. A “prolonged downturn&quot; is a large, adverse change in the state of the world that emerges and becomes apparent slowly over time. Stress scenarios should be designed to ensure that, in the aggregate, the scenario is sufficiently stressful to challenge the risk management processes, capital, and earnings positions of the regulated entity. Scenario severity should consider countercyclical scenario design principles (<em>i.e</em>., a more pronounced economic downturn when current conditions are stronger and a less pronounced economic downturn when current conditions are weak).<br></p><p style="text-align&#58;justify;">Each scenario variable follows a predetermined path over time.&#160;For computational ease, a stress test can assume that the regulated entity has “exact foresight,&quot; a more deterministic approach where at each point in time within the planning horizon the regulated entity knows the exact path that a variable will follow. Alternatively, a stress test can assume that a regulated entity has only “incomplete foresight&quot; – that at each point in time the regulated entity can only imperfectly forecast a variable's future path. To ensure that stress tests are realistic regarding what can be known <em>ex ante</em> about the future, stress tests should include incomplete foresight when feasible. Incomplete foresight incorporates a more stochastic approach to scenario generation of variables where outcomes are random or uncertain. In addition, stress tests should provide a range of potential losses in addition to point estimates, and these results should be regularly reported to senior management so that they are aware of the output uncertainties associated with models.<br></p><p style="text-align&#58;justify;"> <span style="text-decoration&#58;underline;"> <strong> </strong></span></p> ​ <h1> <span style="text-decoration&#58;underline;"> <em> <strong>RELATED GUIDANCE AND REGULATIONS​</strong></em></span></h1><p style="text-align&#58;left;padding-top&#58;8px !important;"> <em>​Model Risk Management Guidance</em>, FHFA AB 2013-07 (Nov. 20, 2013).</p><p style="text-align&#58;justify;"> <em>Operational Risk Management</em>, FHFA AB 2014-02 (Feb. 18, 2014). </p><p style="text-align&#58;justify;"> <em>FHLBanks Changes to Internal Market Risk Models</em>, FHFA AB 2016-02 (Apr. 21, 2016).</p><p style="text-align&#58;justify;"> <em>Data Management and Usage</em>, FHFA AB 2016-04 (Sept. 29, 2016).</p><p style="text-align&#58;justify;"> <em>Information Security Management</em>, FHFA AB 2017-02 (Sept. 28, 2017).</p><p style="text-align&#58;justify;"> <em>Scenario Determination for Market Risk Models Used for Risk-Based Capital</em>, FHFA AB 2018-01 (Feb. 7, 2018).</p><p style="text-align&#58;justify;"> <em>FHLBank Use of Models and Methodologies for Internal Assessments for Mortgage Asset Credit Risk</em>, FHFA AB 2018-02 (Apr. 26, 2018).</p><p style="text-align&#58;justify;"> <em>Cloud Computing Risk Management</em>, FHFA AB 2018-04 (Aug. 14, 2018).</p><p style="text-align&#58;justify;"> <em>Oversight of Third-Party Provider Relationships</em>, FHFA AB 2018-08 (Sept. 28, 2018).</p><p style="text-align&#58;justify;"> <em>Business Resiliency Management</em>, FHFA AB 2019-01 (May 7, 2019).</p><p style="text-align&#58;justify;">​ <em>Compliance Risk Management</em>, FHFA AB 2019-05 (Oct. 3, 2019).</p><p style="text-align&#58;justify;">​ <em>Enterprise Risk Management Program</em>, ​FHFA AB 2020-06 (Dec. 11, 2020).</p><p style="text-align&#58;justify;"> <em>Artificial Intelligence/Machine Learning Risk Management</em>, FHFA AB 2022-02 (Feb. 10, 2022).<br></p><p>12 CFR part 1236, Appendix, Prudential Management and Operations Standards<br></p><p style="text-align&#58;justify;">12 CFR part 1277, Federal Home Loan Bank Capital Requirements, Capital Stock and Capital Plans.<br></p><hr />​ <p> <a name="footnote1" class="super-script">[1]</a>​ Common Securitization Solutions, LLC (CSS) is an “affiliate&quot; of both Fannie Mae and Freddie Mac, as defined in</p><p>the Federal Housing Enterprises Financial Safety and Soundness Act of 1992, as amended.&#160; 12 U.S.C. 4502(1), and this AB applies to it.</p><p> <a name="footnote2" class="super-script">[2​]</a>​ The OF is not a “regulated entity&quot; as the term is defined in the Federal Housing Enterprises Financial</p><p>Safety and Soundness Act as amended.&#160; <em>See</em> 12 U.S.C. 4502(20).&#160; However, for convenience, references to the “regulated entities&quot; in this AB should be read to also apply to the OF.</p><p style="text-align&#58;justify;"> <a name="footnote3" class="super-script">[3]</a>​ <em>Cloud Computing Risk Management</em>, FHFA AB 2018-04 (Aug. 14, 2018).&#160; <em>Artificial Intelligence/Machine Learning Risk Management</em>, FHFA AB 2022-02 (Feb. 10, 2022).</p><p style="text-align&#58;justify;"> <a name="footnote4" class="super-script">[4]</a>​ 12 CFR part 1277—Federal Home Loan Bank Capital Requirements, Capital Stock and Capital Plans; <em>see </em>84 Fed. Reg. 5426 (Feb. 20, 2019) (amending FHFA's regulation on FHLBank capital requirements).</p><p style="text-align&#58;justify;"> <a name="footnote5" class="super-script">[5]</a>​ <em>FHLBank Changes to Internal Market Risk Models</em>, FHFA AB 2016-02 (Apr. 21, 2016); <em>Scenario Determination for Market Risk Models Used for Risk-Based Capital</em>, FHFA AB 2018-01 (Feb. 7, 2018); <em>FHLBank Use of Models and Methodologies for Internal Assessments for Mortgage Asset Credit Risk</em>, FHFA AB 2018-02 (Apr. 26, 2018).</p><p style="text-align&#58;justify;"> <a name="footnote6" class="super-script">[6]</a>​ The capital rule (12 CFR part 1277—Federal Home Loan Bank Capital Requirements, Capital Stock and Capital Plans) requires the FHLBanks to use models for credit risk (as opposed to their previous reliance on credit ratings). FHFA's Division of Bank Regulation (DBR) can direct an FHLBank to revise its credit risk methodology or model to address any deficiencies identified by FHFA.​<br></p><p style="text-align&#58;justify;">DBR's capital rule also requires that the FHLBanks seek approval for changes to their market risk models​.&#160;A Bank making a change to a market risk model should follow the process outlined in AB 2016-02.&#160;</p><p style="text-align&#58;justify;"> <a name="footnote7" class="super-script">[7​]</a>​ Other appropriate FHFA guidance includes, for example&#58; &#160;<em>Artificial Intelligence/Machine Learning Risk Management</em>, FHFA AB 2022-02 (Feb. 10, 2022); <em>Enterprise Risk Management Program</em><em>, </em>FHFA AB 2020-06 (Dec. 11, 2020); <em>Compliance Risk Management</em>, FHFA AB 2019-05 (Oct. 3, 2019); <em>Business Resiliency Management</em>, FHFA AB 2019-01 (May 7, 2019); <em>Oversight of Third-Party Provider Relationships</em>, FHFA AB 2018-08 (Sept. 28, 2018); <em>Information Security Management</em>, FHFA AB 2017-02 (Sept. 28, 2017); <em>Data Management and Usage</em>, FHFA AB 2016-04 (Sept. 29, 2016); <em>Operational Risk Management</em>, FHFA AB 2014-02 (Feb. 18, 2014). </p><p>​&#160;<br></p><p></p><div><table width="100%" class="ms-rteTable-default" cellspacing="0" style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;font-style&#58;normal;font-weight&#58;400;"><tbody><tr><td class="ms-rteTable-default" style="width&#58;776px;"><p>​FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. Questions about this advisory bulletin should be directed to&#58; <a href="mailto&#58;SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>. &#160;&#160;<br></p></td></tr></tbody></table> ​ ​​ <br></div> ​<br>​<br>1/17/2023 10:42:17 PMHome / Supervision & Regulation / Advisory Bulletins / Model Risk Management Guidance Advisory Bulletin AB 2022-03:  ​Supplemental Guidance to Advisory Bulletin 2013-07 11128https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Supervisory Letter on FHLBank Membership Issues - September 202135450FHL Banks9/9/2021 4:00:00 AM<p>​A number of issues relating to Federal Home Loan Bank (FHLBank or Bank) membership eligibility have arisen recently both through the examination process and as a result of inquiries to the Federal Housing Finance Agency (FHFA). FHFA has issued this supervisory letter to ensure that all FHLBanks are aware of these issues and to provide uniform guidance in the event other Banks encounter similar circumstances.<br></p>9/9/2021 4:30:40 PMHome / Supervision & Regulation / Advisory Bulletins / Supervisory Letter on FHLBank Membership Issues - September 2021 Advisory Bulletin A number of issues relating to 9532https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Framework for Adversely Classifying Loans, Other Real Estate Owned, and Other Assets and Listing Assets for Special Mention34027FHLB & Fannie Mae & Freddie Mac8/25/2021 4:00:00 AMAB 2021-03​​​​​​​​​​<br> <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>​ADVISORY BULLETIN</strong></p><p> <strong>AB 2021-03&#58;&#160;&#160;FRAMEWORK FOR ADVERSELY CLASSIFYING LOANS, OTHER REAL ESTATE OWNED, AND OTHER ASSETS AND LISTING ASSETS FOR SPECIAL MENTION</strong></p></td></tr></tbody></table><p> <em style="text-decoration&#58;underline;"> <em> <strong></strong></em></em></p><p style="text-align&#58;justify;"> <span style="text-decoration&#58;underline;"><strong><em></em></strong></span></p><p> <em style="text-decoration&#58;underline;"><strong>Purpose</strong></em><br></p><p>​This Advisory Bulletin (Advisory Bulletin, or guidance) establishes guidelines for adverse and non-adverse classification of assets (assets refer to on-balance sheet or off-balance sheet credit exposures) at Fannie Mae and Freddie Mac (Enterprises) and the Federal Home Loan Banks (FHLB​anks) (collectively, the regulated entities).&#160; These guidelines describe sound practices for managing credit risk at the regulated entities.&#160; This guidance does not apply to investment securities.<a href="#footnote1">[1]</a>&#160; ​This Advisory Bulletin rescinds and replaces <em>Framework for Adversely Classifying Loans, Other Real Estate Owned, and Other Assets and Listing Assets For Special Mention</em> (AB 2012-02), and rescinds <em>Clarification of Implementation for Advisory Bulletin 20</em><em>12-02, Framework for Adversely Classifying Loans, Other Real Estate Owned, and Other Assets and Listing Assets for Special Mention</em>&#160;(AB 2013-02).<br></p><p>FHFA examiners will evaluate how the regulated entities apply this guidance to their classification practices.</p><p style="text-decoration&#58;underline;"> <strong> <em>Background</em></strong></p><p>The purpose of this Advisory Bulletin is to establish a standard and uniform methodology for classifying regulated entity assets based on their credit quality, as well as to affirm the basis for writing off loans classified as Loss.&#160; Asset classification is a critical element in evaluating the risk profile of the regulated entities.&#160; Asset classification also provides a mechanism to validate the regulated entity's internal risk identification processes and establishes a common set of classification definitions to serve as the basis for asset quality metrics.&#160; In addition, this Advisory Bulletin describes procedures for listing assets for Special Mention, which can be an effective method to identify and rectify weaknesses in credit management practices before deterioration occurs.&#160; This guidance considers and is generally consistent with the <em>Uniform Retail Credit Classification and Account Management Policy&#160;&#160;</em>issued by the Federal Financial Institutions Examination Council (FFIEC) in June 2000, which established specific procedures for the adverse classification of residential mortgage loans and other retail loans.<br></p><p>This Advisory Bulletin is intended to be consistent with applicable statutes, regulations, and Generally Accepted Accounting Principles (GAAP).&#160; It does not relieve or diminish the responsibility of a regulated entity's board of directors or management to follow applicable laws, rules, and regulations and to conform to applicable accounting standards, <em>i.e.,</em>&#160;GAAP.&#160; Any conflicts should be resolved to comply with applicable laws and regulations, and to conform to applicable accounting standards.&#160;&#160;<br></p><p style="text-decoration&#58;underline;"> <strong> <em>Guidance</em></strong></p><p> <strong>I. Definitions</strong></p><p>The following definitions apply when considering the adverse classification of assets at the regulated entities.<br></p><p>An asset classified <strong> <em>Substandard </em></strong>is protected inadequately by the current net worth and paying capacity of the obligor, or by the collateral pledged, if any.&#160; Assets so classified must have a well-defined weakness or weaknesses that jeopardize the liquidation of the debt.&#160;&#160;They are characterized by the distinct possibility that the institution will sustain some loss if the deficiencies are not corrected.<br></p><p>An asset classified <strong> <em>Doubtful</em></strong> has all the weaknesses inherent in one classified <strong> <em>Substandard </em></strong>with the added characteristic that the weaknesses make collection or liquidation in full, on the basis of currently existing facts, conditions, and values, highly questionable and improbable.<br></p><p>An asset, or portion thereof, classified <strong> <em>Loss </em></strong>is considered uncollectible, and of such little value that its continuance on the books is not warranted.&#160; This classification does not mean that the asset has absolutely no recovery or salvage value; rather, it is not practical or desirable to defer writing off an essentially worthless asset (or portion thereof), even though partial recovery may occur in the future.<br></p><p></p><p> <strong>II. Adverse Classification of Assets</strong></p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p> <em>A. Single-Family Residential Mortgage Loans</em></p></blockquote><p> <strong></strong></p><p> <span style="color&#58;#444444;">Single-family residential mortgage loans, including FHLBank Acquired Member Assets (AMA),</span><a href="#footnote2" style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;">[2]</a><span style="color&#58;#444444;">&#160;​consist of first mortgages secured by one-to-four family residential real estate.&#160;&#160;Given their size, general homogeneity, and the volume of residential mortgage loans at the Enterprises and the FHLBanks, it may be impractical to individually review specific loans to determine credit quality.&#160; Such loans should be classified using the following guidelines&#58;</span></p><ul><li> <span style="color&#58;#444444;">​Single-family residential real estate loans that are delinquent 90 days or more with loan-to-value ratios greater than 60 percent, should be classified Substandard.</span></li><li> <span style="color&#58;#444444;">A current assessment of value should be made before a single-family residential mortgage loan with a loan-to-value ratio greater than 60 percent is more than 180 days past due.&#160; Any outstanding loan balance in excess of the sum of (i) current fair value of the collateral, less costs to sell, and (ii) any expected proceeds from non-freestanding</span><a href="#footnote3" style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;">[3]</a><span style="color&#58;#444444;">&#160;​credit enhancements should be classified Loss not later than when the loan is 180 days delinquent.&#160; Properly secured residential real estate loans with loan-to-value ratios equal to or less than 60 percent are generally not classified based solely on delinquency status.</span></li><li> <span style="color&#58;#444444;">When a borrower is in bankruptcy, a portion of the loan should be classified as Loss and written down to the fair value of the collateral, less costs to sell, within 60 days of receipt of the notification of filing from the bankruptcy court or within the delinquency time frames specified in this policy, whichever is shorter, unless it can be clearly demonstrated and documented that repayment is likely to occur.&#160; Any loan balance remaining after write-off should be classified Substandard until the borrower demonstrates the ability and willingness to repay for a period of at least six consecutive months.</span></li><li> <span style="color&#58;#444444;">Fraudulent loans, if not covered by any existing representations and warranties in the loan purchase agreement, should be classified as Loss and written off within 90 days of discovery of the fraud, or within the delinquency time frames specified in this adverse classification policy, whichever is shorter.</span></li></ul><p>Regulated entities should write off the portion of the asset adversely classified as Loss except in certain limited circumstances.<a href="#footnote4">[4]</a>&#160; ​A write-off should result in the balance of the asset being reduced by the amount of the loss.&#160; The write-off associated with any Loss classification should be taken by the end of the month in which the applicable time period elapses.<br></p><p>If the regulated entity can clearly document that the delinquent loan is well-secured and in the process of collection, such that collection will occur regardless of delinquency status, then the loan need not be adversely classified.&#160; A well-secured loan is collateralized by a perfected security interest in real property with an estimated fair value, less costs to sell, sufficient to recover the loan balance.&#160; &quot;In the process of collection&quot; means that either a collection effort or legal action is proceeding and is reasonably expected to result in recovery of the loan balance or restoration of the loan to a current status, generally within the next 90 days.&#160; Other exceptions to this adverse classification policy might be for loans that are supported by valid insurance claims, such as federal loan guarantee programs.</p><p>In determining a single-family mortgage loan's delinquency status, the regulated entity should use one of two methods to recognize partial payments.&#160; A payment equivalent to 90 percent or more of the contractual payment may be considered a full payment in computing delinquency.&#160; Alternatively, the regulated entity may aggregate payments and give credit for any partial payment received.&#160; For example, if a regular payment is $300 and the borrower makes payments of only $150 per month for a six-month period, the loan would be $900, or three full months delinquent.&#160; A regulated entity may use either or both methods for loans in its portfolio but may not use both methods simultaneously with a single loan.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p> <em>B. Multifamily Residential Mortgage Loans</em><br></p></blockquote><p>Multifamily residential mortgage loans consist of first mortgages secured by multifamily (5 units or more) residential real estate.&#160; Multifamily real estate loans should not be adversely classified if they are current and are adequately protected by the underlying collateral value and debt service capacity of the property, or a guarantor with demonstrated ability and willingness to perform on the loan.&#160; The following applies to the adverse classification of multifamily residential mortgage loans.</p><p>To determine the appropriate adverse classification, examiners will evaluate the prospects that the loan will be repaid in the normal course of business considering all relevant information.&#160; This includes information on the borrower's creditworthiness and payment record, the nature and degree of protection provided by the cash flow and value of the underlying collateral, and any support provided by financially responsible guarantors.&#160; As a general principle, a performing multifamily real estate loan should not automatically be adversely classified or written off solely because the value of the underlying collateral has declined to an amount that is less than the loan balance.&#160; Similarly, loans to sound borrowers that are refinanced or renewed in accordance with prudent underwriting standards and have not been formally restructured due to troubled condition should not be adversely classified unless well-defined weaknesses exist that jeopardize repayment in the normal course of business.&#160; However, it would be appropriate to adversely classify a performing loan when well-defined weaknesses exist that jeopardize repayment – such as the lack of credible support from reliable sources – using the definitions of Substandard, Doubtful, and Loss set forth above.<br></p><p>Multifamily loans with well-defined weaknesses that subject the regulated entity to the possibility of loss, even if the loan is not seriously delinquent (90 days or more), should be classified Substandard.&#160; For a multifamily loan where there are no available and reliable sources of repayment other than the sale of the underlying real estate collateral, any portion of the loan balance that exceeds the sum of&#160;(i) current fair value of the collateral, less costs to sell, and (ii) any expected proceeds from non-freestanding credit enhancements, should be classified Loss and written off.&#160; The remaining portion of the loan balance that is adequately secured should generally be classified no worse than Substandard.&#160; The amount of the loan balance in excess of the value of the collateral, or portions thereof, should be classified Doubtful, and not Loss, only when the potential for loss may be mitigated by the outcome of certain near-term (generally, within 90 days) pending events.&#160; The Doubtful classification is seldom used and is reserved for situations like those described here.<br></p><p>Regulated entities should write off the portion of the asset adversely classified as Loss except in certain limited circumstances.<a href="#footnote5">[5]</a>&#160;&#160;A write-off should result in the balance of the asset being reduced by the amount of the loss.&#160; The write-off associated with any Loss classification should be taken by the end of the month in which the applicable time period elapses.<br></p><p>When analyzing a formally restructured multifamily loan, the examiner will focus on the borrower's ability to repay the loan in accordance with its modified terms.&#160; Adversely classifying a formally restructured loan would be appropriate, if, after the restructuring, well-defined weaknesses continue to exist that jeopardize the repayment of the loan in accordance with the modified terms.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p> <em>C. Other Real Estate Owned</em></p></blockquote><p>Other Real Estate Owned (REO) should be evaluated for possible adverse classification of Substandard, Doubtful or Loss.&#160; The regulated entity should make periodic (at least annual) reappraisals of the value of the REO.&#160;&#160;In cases when a reliable appraisal is not available, or the appraisal on file is outdated, there are other acceptable methods the regulated entity can use for determining and documenting the value of the REO.&#160; For purposes of classification, any portion of the balance of the REO in excess of fair value, less costs to sell, should be classified Loss.&#160; However, the portion of the held-for-sale REO classified as Loss should not be written off.&#160; Examiners will review all relevant factors in evaluating the regulated entity's adverse classification of the remaining book value of the REO.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p> <em style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;font-weight&#58;400;">D. Other Assets (including Off-Balance Sheet Credit Exposures)</em></p></blockquote><p>Although not specifically enumerated, the regulated entities may have other assets such as accrued interest receivables, property tax and insurance advance receivables, reverse repurchase (repo) receivables, and insurance benefit receivables that warrant adverse classification.&#160; Similarly, off-balance sheet credit exposures such as standby letters of credit and financial guarantees may also warrant adverse classification.&#160; Examiners will review all relevant factors in evaluating the regulated entity's adverse classification of the assets and off-balance sheet credit exposures.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p> <em>E. FHLBank Advances</em></p></blockquote><p>Advances made by the FHLBanks to their members and housing associates generally pose minimal credit risk.&#160; Advances must be fully secured by eligible collateral and, in the case of member advances, are further secured by the borrowing members'&#160;FHLBank capital stock.&#160; In addition, the Federal Home Loan Bank Act grants each FHLBank a priority lien over the liens of other similarly-situated creditors on assets securing member advances.<a href="#footnote6">[6]</a> &#160;However, there may be instances in which collateral adequacy may be uncertain and/or the priority lien may not be relied upon, such as in the case of advances to&#160; housing associates, or where another creditor has a superior lien under applicable law (for example, where the other creditor's lien is perfected, but the FHLBank's lien is not).&#160; In such cases, examiners will evaluate the facts and circumstances to determine whether it is appropriate to adversely classify the advance.</p><p> <strong>III. Non-Adverse Classification of Assets – Special Mention</strong><br></p><p>In some instances, it may be appropriate to list an asset for Special Mention.&#160; The following definition should be used for listing an asset for Special Mention&#58;<br></p><p>A <strong> <em>Special Mention </em></strong>asset has potential weaknesses that deserve management's close attention.&#160; If left uncorrected, these potential weaknesses may result in deterioration of the assets'&#160;repayment prospects or may cause deterioration in the regulated entity's credit position at some future date.&#160; <strong> <em>Special Mention</em></strong> assets are not adversely classified and do not expose a regulated entity to sufficient risk to warrant adverse classification.<br></p><p>Ordinarily, assets listed for Special Mention have deficiencies in the administration of those assets which corrective management action might remedy, for example, weak loan origination and/or weak servicing policies.&#160; While inadequate policies and practices could ultimately result in deterioration of the asset and adverse classification, an asset should not be adversely classified unless it also meets one or more of the adverse classification indicators.&#160; The Special Mention classification serves as an indicator of the quality of the asset portfolio and should be used to provide direction to management on corrective measures that might be taken to strengthen an asset to avoid potential deterioration in the asset's quality.<br></p><p>Mortgages held by the regulated entities that are in loss mitigation, or have been modified and are performing according to the terms of the modification, should be listed as Special Mention but not adversely classified.&#160; The loan no longer needs to be listed as Special Mention after performance according to the terms of the modification has occurred for a period of six consecutive months.&#160; If the loan becomes delinquent after modification, adverse classification could apply according to the previously described criteria.<br></p><p>The level of adversely classified assets or assets listed for Special Mention is an indicator of the regulated entity's asset quality and overall risk profile, and may indicate whether risk management practices regarding underwriting and loan administration are effective.&#160; At a minimum, management and boards of directors of the regulated entities should evaluate risk management and other asset-specific policies and procedures annually to ensure that appropriate risk controls have been implemented.<a href="#footnote7">[7]</a>&#160;&#160;If the level of adversely classified assets suggests deterioration in any asset category, more frequent evaluations of the related policies and procedures are appropriate.&#160; Risk management and other policies will be reviewed by FHFA as part of its supervision program.<br></p><p> <strong> <em>Related Guidance and Regulations</em></strong><br></p><p>FASB ASC 326-20, Financial Instruments - Credit Losses – Measured at Amortized Cost<br></p><p>Uniform Retail Credit Classification and Account Management Policy, FFIEC<br></p><div><p> <a name="footnote1">[1]</a>&#160;Investment securities refer to securities subject to the guidance of the Financial Accounting Standards Board (FASB)'s Accounting Standards Codification (ASC), Topic 320, Investments – Debt Securities, and Subtopic 325-40, Investments – Other - Beneficial Interests in Securitized Financial Assets.<br></p><p> <a name="footnote2">[2]</a>&#160;The AMA regulation (12 CFR part 1268) authorizes FHLBanks to acquire certain assets (principally, conforming residential mortgage loans) from their members and housing associates and prescribes the parameters within which each FHLBank may do so.&#160;<br></p><p> <a name="footnote3">[3]</a>&#160;Examples of non-freestanding credit enhancements include, but are not limited to, private mortgage insurance, the Federal Housing Administration's (FHA) insurance, the Department of Veteran Affairs'&#160;(VA) guarantee, and for the FHLBanks'&#160;Acquired Member Assets (AMA) program, the various types of permissible agreements to share credit losses in purchased loans with the selling members.</p><p> <a name="footnote4">[4]</a>&#160;1) As required to maintain compliance with GAAP.&#160; 2) For loans classified as Held For Sale (HFS) and loans which a regulated entity has elected to account for under the Fair Value Option (FVO), no portion classified as Loss would be written off.<br></p><p> <a name="footnote5">[5]</a>&#160;1) As required to maintain compliance with&#160; GAAP. 2) For loans classified as Held For Sale (HFS) and loans which a regulated entity has elected to account for under the Fair Value Option (FVO), no portion classified as Loss would be written off.<br></p><p> <a name="footnote6">[6]&#160;</a><em>See </em>12 U.S.C. §&#160;1430(e).&#160; Although this provision grants FHLBank liens priority over those of similarly-situated creditors, it does not grant FHLBank liens priority over those of creditors with liens entitled to priority under otherwise applicable law.<br></p><p> <a name="footnote7">[7]</a>&#160;<em>See </em>12 CFR part 1236, Appendix (Prudential Management and Operations Standards).​&#160;&#160;<br></p></div><div> <br> </div><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance.&#160; Advisory&#160;bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance.&#160;&#160;Questions about this advisory bulletin should be directed to&#58;&#160; <a href="mailto&#58;SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>. </p></td></tr></tbody></table> <br>8/25/2021 2:00:32 PMHome / Supervision & Regulation / Advisory Bulletins / Framework for Adversely Classifying Loans, Other Real Estate Owned, and Other Assets and Listing Assets for Special 10356https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Agency Commercial Mortgage-Backed Securities Risk Management35784FHL Banks8/16/2021 4:00:00 AMAB 2021-02<p> <br> </p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>​ADVISORY BULLETIN</strong></p><p> <strong>AB 2021-02&#58; AGENCY COMMERCIAL MORTGAGE-BACKED SECURITIES RISK MANAGEMENT</strong></p></td></tr></tbody></table><p> <em style="text-decoration&#58;underline;"><em><strong></strong></em></em></p><p style="text-align&#58;justify;"> <span style="text-decoration&#58;underline;"><strong><em>Purpose</em></strong></span><br>This Advisory Bulletin (AB) provides Federal Housing Finance Agency (FHFA) guidance regarding Federal Home Loan Banks' (individually Bank, or collectively Banks) investments in Agency Commercial Mortgage-Backed Securities (CMBS) issued and guaranteed by either the U.S. Government (Ginnie Mae) or by one of the Government-Sponsored Enterprises (Fannie Mae and Freddie Mac, or collectively the Enterprises).&#160;The guidance recommends risk management practices, including the establishment of certain limits, to address the risks associated with unexpected prepayments of Agency CMBS investments.&#160; FHFA encourages early adherence to this AB.&#160; However, by December 31, 2021, all Banks should have appropriate Agency CMBS concentration risk limits in place.&#160; <br></p><p style="text-align&#58;justify;"> <span style="text-decoration&#58;underline;"><strong><em>Background</em></strong></span><br>The Banks have exposures to Agency CMBS within their investment portfolios.<a href="#footnote1">[1]</a>&#160; Agency CMBS include prepayment protection clauses that are not offered on Agency Residential Mortgage-Backed Securities (RMBS).&#160; Prepayment (i.e., call) protection features included on the underlying loans within Agency CMBS are designed to discourage borrower prepayments and protect investors through the payment of fees if voluntary prepayments occur.&#160; The additional prepayment protection offered by Agency CMBS makes these investments attractive alternatives to Agency RMBS.&#160; <br></p><p style="text-align&#58;justify;">The loans included in Agency CMBS may include varying call protection features such as lockout periods, yield maintenance, point penalties, and defeasance.&#160; In addition, these loans may have complex structures, including amortization schedules beyond thirty years and floating interest rates.&#160; The variability of call protection features combined with the complexity of loan structures make estimating Agency CMBS prepayments difficult, leaving investors at risk when prepayments occur unexpectedly.&#160; <br></p><p style="text-align&#58;justify;">Voluntary prepayments may occur when borrowers determine that the benefits associated with prepayment exceed the cost of any resulting penalties.&#160; For example&#58;&#160; </p><ul><li>When short term interest rates rise and the interest rate curve flattens, borrowers with floating-rate loans may refinance into fixed-rate products.&#160; </li><li>When interest rates decrease, borrowers with fixed-rate loans may refinance into lower fixed- or floating-rate loans.</li><li>Borrowers with loans secured by properties with significant appreciation may leverage the equity through cash-out refinances or more favorable loan terms and/or rates.</li><li>Certain loans are structured so that the penalties decline over their lives.&#160; Borrowers may be more likely to prepay these loans when they become more seasoned.<br></li></ul><p style="text-align&#58;justify;">Additionally, Agency CMBS may include floating-rate loans where borrowers are assessed only partial or no penalties for early prepayments, provided the loans are refinanced with specified loan products.<a href="#footnote2">[2]</a>​&#160; When this occurs, Agency CMBS investors receive minimal or no compensation for voluntary prepayments.&#160; <br></p><p style="text-align&#58;justify;">Furthermore, involuntary prepayments, or defaults, may occur.&#160; Involuntary prepayments are more likely to occur in periods of economic downturn generally driven by weakened real estate market fundamentals, such as declining property values, rising vacancies, breaches of lender representations and warranties, and possibly rising interest rates for adjustable rate borrowers.&#160; Although Ginnie Mae and the Enterprises guarantee timely principal payments to bondholders upon default, investors do not receive any prepayment fees under these involuntary prepayment scenarios.&#160; <br></p><p style="text-align&#58;justify;">In summary, unexpected prepayments may force Banks to reinvest in lower yielding assets, write off any premiums when valued above par, and incur the costs of associated debt overhang and transactions to unwind hedges.&#160; Depending on the nature of Agency CMBS and prepayment, a Bank may receive limited or no penalty fees to cover these costs.&#160; <br></p><p style="text-align&#58;justify;"> <span style="text-decoration&#58;underline;"><strong><em>Guidance</em></strong></span></p><p style="text-align&#58;justify;">As described above, prepayments on Agency CMBS investments expose Banks to potential losses.&#160; Agency CMBS investments with a relatively high premium to par value increase Banks' exposure to prepayment risk and the resulting losses.&#160; To minimize the risk of losses from Agency CMBS investments, Banks should consider incorporating the following risk management practices into their existing market and model risk management programs.<br></p><p style="text-align&#58;justify;"> <span style="text-decoration&#58;underline;">Pre-purchase Analytics</span><br>Banks should analyze each Agency CMBS prior to purchase.&#160; The analysis should include a careful assessment of the security's structure, including prepayment protection features, price variability, and prepayment history for a comparable benchmark Agency CMBS.&#160; Most importantly, the pre-purchase analysis should include stress scenarios to compare the amount of call protection premiums or fees the Bank will receive versus any loss of income resulting from the reinvestment of the prepayment proceeds under various stressed interest rate scenarios.&#160; In addition, a Bank's pre-purchase analysis should ensure that the security the Bank is considering for purchase conforms to the Bank's investment strategy and is consistent with the Bank's board-approved strategic plans and risk appetite.<br></p><p style="text-align&#58;justify;"> <span style="text-decoration&#58;underline;">Minimum Risk-Adjusted Spread Requirement</span></p><p style="text-align&#58;justify;">Each Bank should establish a minimum acceptable risk-adjusted spread requirement for Agency CMBS investments.&#160; Banks should consider factors such as their risk appetite when establishing the required minimum.<a href="#footnote3">[3​]</a>&#160; Regardless of the approach, Banks should make certain each Agency CMBS purchase meets the established minimum risk-adjusted spread requirement.<br></p><p style="text-align&#58;justify;"> <span style="text-decoration&#58;underline;">Concentration Limits</span></p><p style="text-align&#58;justify;">To limit exposure to both voluntary and involuntary prepayments, Banks should diversify their Agency CMBS investments to prevent concentrations of loans with shared characteristics.&#160; To accomplish this, Banks should establish appropriate limits based on the characteristics of the underlying loans within Agency CMBS investments.&#160; For example, Banks should consider individual loan size limits within a securitization, especially for single loan pool CMBS.&#160; In addition, Banks should consider implementing limits for loans, as a percentage of all Agency CMBS loans, for the following&#58;</p><ul><li>Floating-rate securities versus fixed-rate securities;</li><li>Geographic location of collateral such as region, state, city, zip code, or Metropolitan Statistical Area (MSA);</li><li>Collateral types – multifamily, student housing, senior living;</li><li>Loan products with minimal or no prepayment penalties under certain conditions of refinance, as available and determined by the Bank at acquisition; and</li><li>Loan originators.</li></ul><p style="text-align&#58;justify;"> <span style="text-decoration&#58;underline;">Reporting</span><br>Banks should monitor and report on Agency CMBS investments as a separate investment segment.&#160; A Bank's Asset-Liability Committee (ALCO) and a responsible board committee should receive quarterly reporting on Agency CMBS investments.&#160; At a minimum, quarterly reporting should include the following&#58;</p><ol><li> <em>Minimum Risk-adjusted Spread</em> – Current minimum acceptable risk-adjusted spread requirement and monthly conformance with this minimum.</li><li> <em>Concentration Limits</em> – Current limits for Agency CMBS loans with specific characteristics and monthly conformance with these limits.</li><li> <em>E​arnings - </em>Income or loss associated with Agency CMBS investments.</li><li> <em>Strategy </em>– Any planned changes to the existing funding and hedging strategies for purchases and portfolio rebalancing.</li></ol><p style="text-align&#58;justify;"> <span style="text-decoration&#58;underline;">Prepayment Projections</span><br>Currently, Banks use static prepayment assumptions and/or vendor supplied multifamily prepayment models for Agency CMBS valuations.&#160; To support and improve the accuracy of Agency prepayment projections, Banks may use Bank-derived curves or vendor models which meet the principles outlined in FHFA AB 2013-07, and should further consider the following&#58;</p><ol><li>Developing research-based prepayment curves for fixed- and floating-rate Agency CMBS.&#160; Once developed, Banks should perform periodic reevaluations of the constructed curves by comparing them to appropriate third-party curves (if using static prepayment assumptions). </li><li>Performing prepayment back-testing at appropriate levels to provide meaningful assessments of the Agency CMBS portfolio's performance.</li><li>When relying on a prepayment model, benchmarking the model's performance against third-party prepayment projections as appropriate.&#160; </li><li>Based on portfolio composition, periodically assessing and stress-testing the key drivers of prepayment performance, for example, stressful interest rate levels, yield curve shape changes, and spread widening scenarios. </li><li>Establishing appropriate analytical threshold(s) for prepayment differences ascertained during prepayment back-testing and benchmarking analyses that would trigger investigations into the causes of differences in prepayment behavior and changes to prepayment modeling assumptions.</li></ol><p style="text-align&#58;justify;">While the above actions will improve upon current prepayment estimations, a Bank may need a vendor-provided prepayment model in concert with a stochastic interest rate model to more accurately estimate the prepayment behavior of Agency CMBS.&#160; Each Bank should carefully evaluate the available modeling alternatives and determine if any single model, or a combination of multiple models, is suitable to meet its Agency CMBS portfolio's analytical needs.&#160; In acquiring the model(s), Banks should make certain that the model's estimation process fully and accurately incorporates the prepayment penalties charged to borrowers and passed on to the investors.&#160; Any mitigating risk factors such as tranche priority in sequential pay structures should be documented.<br><span style="text-decoration&#58;underline;"><strong><em>&#160;</em></strong></span><br><span style="text-decoration&#58;underline;"><strong><em>Related Guidance and Regulations</em></strong></span><br>The following provides a summary of some of FHFA's regulation and guidance for governance and investments&#58;<br></p><ul><li> <em>Responsibilities of Boards of Directors, Corporate Practices, and Corporate Governance Regulation. </em> <em>&#160;</em>This regulation provides that the management of each regulated entity shall be by or under the direction of its board of directors.<a href="#footnote4">[4]</a> &#160;It states, “while a board of directors may delegate the execution of operational functions to officers and employees of the regulated entity, the ultimate responsibility of each entity's board of directors for that entity's oversight is non-delegable.&quot;<a href="#footnote5">[5]</a>&#160;Included in the responsibilities of each Bank's board of directors is the establishment of a risk management program that aligns with the Bank's risk appetite and that each of the Bank's business lines has appropriate risk limitations.<a href="#footnote6">[6]</a><br></li></ul><ul><li> <em>Prudential Management and Operating Standards (PMOS). </em> <em>&#160;</em>FHFA addresses limits on investments and management of assets in guidelines set out in the appendix to its PMOS regulation, including the following&#58;<a href="#footnote7">[7]</a><br></li></ul><ul><ul><li>Standard 3 (Management of Market Risk Exposure) which highlights the expectation that each regulated entity has a clearly defined and well documented strategy for managing market risk and establishes responsibilities for the board and senior management;</li><li>Standard 4 (Management of Market Risk – Measurement Systems, Risk Limits, Stress Testing, and Monitoring and Reporting) includes guidelines for market risk management in these areas;</li><li>Standard 6 (Management of Asset and Investment Portfolio Growth);</li><li>Standard 7 (Investments and Acquisitions of Assets);</li><li>Standard 8 (Overall Risk Management Processes) includes responsibilities for internal audit, the board, and senior management along with an independent risk management function; and</li><li>Standard 9 (Management of Credit and Counterparty Risk).</li></ul></ul>The failure to meet any of the PMOS may constitute an unsafe or unsound practice for purposes of FHFA's administrative enforcement authority<a href="#footnote8">[8]</a>&#160; If FHFA determines that a Bank has failed to meet a standard, it also may require the Bank to submit a corrective plan.<a href="#footnote9">[9]</a><br><br> <p></p><hr />​​ <br> <p></p><p> <a name="footnote1"><span style="text-decoration&#58;underline;">[1]</span></a> The Federal Home Loan Bank Investments regulation permits investments in Agency CMBS.&#160; <em>See</em> 12 CFR part 1267.</p><p> <a name="footnote2"> <span style="text-decoration&#58;underline;">[2]</span></a> For example, Fannie Mae's Structured Adjustable-Rate Mortgages (SARM) allow borrowers to convert their floating-rate loans to one of Fannie Mae's fixed-rate loan programs by paying a one percent premium which is not passed on to investors.</p><p> <a name="footnote3"> <span style="text-decoration&#58;underline;">[3]</span></a> If a Bank cannot use an option-adjusted spread approach to determine the risk-adjusted spread for each Agency CMBS, then the Bank may choose to apply a purchase price premium, duration, or net interest income spread approach.&#160; </p><p> <a name="footnote4"> <span style="text-decoration&#58;underline;">[4]</span></a> 12 CFR § 1239.4.</p><p> <a name="footnote5"><span style="text-decoration&#58;underline;">[5]</span></a> 12 CFR § 1239.4(a).</p><p> <a name="footnote6"> <span style="text-decoration&#58;underline;">[6]</span></a> 12 CFR § 1239.11(a).</p><p> <a name="footnote7"> <span style="text-decoration&#58;underline;">[7]</span></a> 12 CFR part 1236, Appendix.</p><p style="text-align&#58;left;"> <a name="footnote8"><span style="text-decoration&#58;underline;">[8]</span></a> 12 CFR § 1236.3(d).&#160; FHFA has authority to address unsafe or unsound practices through issuance of an order to cease-and-desist, assessment of civil money penalties, or removal from office.&#160; <em>See</em> 12 U.S.C. §§ 4631(a)(1), 4636(b)(2)(A), 4636a(a)(1), 4636a(a)(2)(A).</p><p> <a name="footnote9" style="text-decoration&#58;underline;"><span style="text-decoration&#58;underline;">[9]</span></a>&#160;12 CFR § 1236.4.<br><br></p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. Questions about this advisory bulletin should be directed to <a href="mailto&#58;SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>. </p></td></tr></tbody></table><p>&#160;​<br></p><p> <br>​<br>​​<br></p>8/18/2021 3:44:30 PMHome / Supervision & Regulation / Advisory Bulletins / Agency Commercial Mortgage-Backed Securities Risk Management Advisory Bulletin FHFA encourages early adherence to this 15395https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Board Diversity Data Collection33110FHLB & Office of Finance3/17/2021 4:00:00 AMAB 2021-01<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>​ADVISORY BULLETIN</strong></p><p> <strong>AB 2021-01&#58; BOARD DIVERSITY DATA COLLECTION</strong></p></td></tr></tbody></table><p> <em style="text-decoration&#58;underline;"><em><strong>​</strong></em></em></p><p> <em style="text-decoration&#58;underline;"> <em> <strong>Purpose</strong></em></em></p><p>This Advisory Bulletin (AB) applies to the Federal Home Loan Banks (Banks) and the Banks’ Office of Finance (OF). The AB provides guidance on standards for data collection relating to the diversity of boards of directors (Boards) of each Bank and the OF. This AB outlines the expectations set by the Federal Housing Finance Agency (FHFA or Agency) Office of Minority and Women Inclusion (OMWI) regarding the content and frequency of data reporting on the demographic makeup of the Boards.</p><p style="text-decoration&#58;underline;"> <strong><em>Background</em></strong></p><p>Section 1116 of the Housing and Economic Recovery Act of 2008 requires the regulated entities to develop and implement standards and procedures to ensure the inclusion and utilization of minorities and women, and minority- and women-owned businesses, in all business and activities of the regulated entity at all levels.<a href="#footnote1">[1]</a> FHFA’s regulations implementing those statutory requirements, located at 12 CFR Part 1223,&#160; include several provisions addressing the diversity of Banks’ boards. The regulations include a provision&#160; encouraging the consideration of diversity in nominating or soliciting nominees for positions on the Boards of each regulated entity, see 12 CFR 1223.21(b)(7), and require each Bank and the OF to report annually the numbers of individuals who comprise their Boards by minority and gender classification, see 12 CFR 1223.23(b)(10)(i).</p> <a> <p>Among other things, the regulation also requires the regulated entities to adopt strategic plans to promote and ensure the inclusion of minorities, women, and individuals with disabilities in their workforce at all levels of the organization, as well as minority-, women-, and disabled-owned businesses in their contracting activities and financial activities. See 12 CFR 1223.21(d). Consistent with FHFA’s corporate governance regulation, the Board has ultimate responsibility for its regulated entity’s achievement of the&#160; requirements of the regulation. See 12 CFR 1239.4(a).</p> </a> <p> On July 9, 2020, FHFA issued an AB on Board diversity, <a href="#footnote2">[2]</a> which provides guidance on how each Board should oversee the regulated entity’s diversity and inclusion (D&amp;I) efforts and how the Banks and the OF should routinely assess the skills of Board members to ensure that they are able to meet their obligations to manage the regulated entity’s D&amp;I efforts and initiatives. The 2020 AB also speaks to the importance of Board diversity and notes that a Board’s efforts to develop, maintain, and sustain a diverse Board should be a combination of seeking diverse representation on the Board, as well as looking for individuals possessing the required knowledge, skills, and abilities to contribute to the execution of the Board’s D&amp;I oversight responsibilities.</p><p>In conjunction with AB 2020-02, and to assist the Banks and the OF in thoroughly assessing the results of their D&amp;I efforts, the Banks and the OF should implement diversity data collection standards to evaluate the levels of diversity on their Boards. In furtherance of FHFA’s efforts to ensure that the Banks and the OF are taking appropriate steps to promote D&amp;I within their organizations and on their Boards, and to clarify the steps the regulated entities should take for data collection, FHFA is issuing this AB to illustrate standards all Banks and the OF should adopt for the collection of Board diversity data required to be reported under 12 CFR 1223.23(b)(10)(i).</p><p style="text-decoration&#58;underline;"> <em><strong>Guidance</strong></em></p><p>Collecting Board diversity data in accordance with the standards outlined herein is the responsibility of the full Board at each Bank and the OF, with key support from each Board Chair, Vice Chair, and OMWI Officer. Board diversity data collection and handling requirements should be included in the regulated entity’s policies such as the D&amp;I policy, and Board diversity data collection and handling processes should be defined through documented roles and responsibilities in a procedures document. Data collection standards adopted by a Bank or the OF in accordance with this AB should align with and adhere to other internal Bank and OF D&amp;I program data handling requirements and FHFA OMWI data reporting guidelines, as noted in the FHFA OMWI Data Reporting Manual (DRM). Data collection standards should protect the confidentiality of the demographic information of individual Board members. Data handling practices should adhere to Bank and OF policies on information security and records retention.</p><p> <strong>Board Diversity Data Collection Standards</strong></p><p>The following Board Diversity Data Collection standards are intended to address all aspects of Board diversity data collection, handling, and reporting in accordance with applicable regulations and other requirements as communicated in other forms of supervisory guidance, as well as individual management policies. Each regulated entity is responsible for meeting the criteria within each standard described herein. Furthermore, each Bank and the OF should ensure policies, processes, and procedures are in place to ensure Board diversity data collection and reportingadheres to FHFA OMWI DRM and OMWI Annual Report and quarterly data reporting (QDR) instructions and guidance.</p> <p style="margin-left&#58;10px;">1. Board Diversity Data Collection and Reporting Frequency</p><p>Each regulated entity should, no less than annually, perform a voluntary Board diversity self-identification survey to capture the diversity demographics of the full Board (existing and newly elected). The survey should be provided to all directors (current and newly elected), and each regulated entity should establish a deadline for timely response. Non-responses to surveys should be clearly noted in the Bank and the OF’s OMWI Annual Report and QDR submissions and be captured separately from responses that did not self-identify demographic information.</p><p>In situations where incumbent directors vacate positions mid-term (planned or unplanned), the regulated entity has the option to relaunch the Board diversity self-identification survey to the full Board, capturing all new and existing director responses. This practice supports confidentiality of all director submissions and avoids confidentiality issues that might arise with the collection of only one response from a new director. FHFA recognizes, however, that this practice may become impractical or burdensome in the event a Bank or the OF encounters multiple Board vacancies in a single year. Therefore, at a minimum, the regulated entities should collect the diversity information of all new directors when they onboard. FHFA is not suggesting that the regulated entities conduct a full survey every time a new director onboards if the entities are able to ensure the confidentiality of the data collection process when they have only a single response. Further, the regulated entities are not required to submit a new report to FHFA each time this happens if a report is not otherwise due. To ensure the confidentiality of the data, the regulated entity should adhere to the data reporting schedules in the FHFA OMWI DRM and OMWI Annual Report and QDR guidance.</p><p style="margin-left&#58;10px;">2. Self- Identification Survey Template Attributes</p><p>Each Bank and the OF should develop a Board diversity self-identification survey (survey) template with defined attributes that comply with current FHFA OMWI reporting requirements and guidance. The survey will capture gender, race/ethnicity, and disability data using defined Equal Employment Opportunity Commission categories consistent with FHFA OMWI Board of Directors and Workforce Reporting for QDR submissions. The survey template may be electronic or paper, and handling of the directors’ survey responses should adhere to Bank or OF policies on information security and records retention. The survey template should include the following attributes <a href="#footnote3">[3]</a> in each reporting section&#58;</p><p style="margin-left&#58;10px;"> <span style="text-decoration&#58;underline;">Gender&#58;</span> Male, Female</p><p style="margin-left&#58;10px;"> <span style="text-decoration&#58;underline;">Race/Ethnicity&#58;</span> Hispanic or Latino, White (Not Hispanic or Latino), Black or African American (Not Hispanic or Latino), Native Hawaiian or Pacific Islander (Not Hispanic or Latino), Asian (Not Hispanic or Latino), American Indian or Alaska Native (Not Hispanic or Latino), and Two or More Races </p><p style="margin-left&#58;10px;"> <span style="text-decoration&#58;underline;">Disability&#58;</span> I do not have a disability; I have a disability </p><p>&#160;</p><p style="text-decoration&#58;underline;"> <strong> <em></em></strong>&#160;</p><p style="text-align&#58;left;">Entities may elect to collect other diversity attributes (such as veteran status), or they may choose to add other descriptors within a designated attribute (such as non-binary gender options under the gender reporting section). Additional attributes, however, are not needed for reporting to FHFA OMWI at this time.</p><p style="text-align&#58;left;"> <strong>Survey Administration and Data Handling Practices</strong></p><p>Each Bank and OF’s D&amp;I Policy should require that the regulated entities develop a documented process or procedure for administering the Board diversity self-identification survey. This process or procedure should identify roles and responsibilities that establish and define involvement of the Bank and OF’s OMWI Officer in reviewing the reported data, as well as the subsequent reporting of Board diversity demographics to the FHFA OMWI in both QDR and OMWI Annual Reports. Each Bank and the OF should define the records retention period for the data, consistent with their records retention policies and practices. Survey administration timing may be determined by the Board’s election and incumbent seat lifecycles.</p><p style="text-align&#58;left;"> <strong>Data Reporting/Submissions</strong></p><p>The Banks’ and the OF’s OMWI Officers (or OMWI staff as directed by the OMWI Officer) are responsible for oversight of the Board diversity demographic data collection and reporting in the aggregate. All data reporting should comply with FHFA OMWI data reporting guidelines.</p><p>All data reporting and data reporting frequency should comply with FHFA requirements for reporting under 12 CFR Part 1223.</p><p style="text-align&#58;left;">&#160;</p><hr width="25%" align="left" /><p> <a> </a><a name="footnote1"><span style="text-decoration&#58;underline;">[1]</span></a>&#160;P.L. 110-289, July 30, 2008, codified at 12 U.S.C. § 4520.</p><p> <a name="footnote2"> <span style="text-decoration&#58;underline;">[2]</span></a>&#160;AB 2020-02, Board Diversity, <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Board-Diversity.aspx">https&#58;//www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Board-Diversity.aspx</a>.</p><p> <a name="footnote3"> <span style="text-decoration&#58;underline;">[3]</span></a><em>&#160;</em>The Banks and the OF are permitted to include additional descriptors, including a response option of “Wish to Not Self Identify.” However, any additional information collected beyond the data points listed herein may or may not be collected in the annual or quarterly reports to FHFA.</p><p> <em>&#160; </em></p> <em> <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure that the regulated entities carry out their missions consistently with the provisions and purposes of FHFA's statute and the regulated entities' authorizing statutes. Advisory Bulletins describe supervisory expectations in particular areas and are used in FHFA examinations of the regulated entities. For comments or questions pertaining to this Advisory Bulletin, contact Paul Priest at <a href="mailto&#58;Paul.Priest@fhfa.gov">Paul.Priest@fhfa.gov</a> or (202) 649-3490, or Felicia Bland at <a href="mailto&#58;Felicia.Bland@fhfa.gov">Felicia.Bland@fhfa.gov</a> or (202) 365-7471.</p></td></tr></tbody></table> <p>&#160;</p></em>3/17/2021 6:00:54 PMHome / Supervision & Regulation / Advisory Bulletins / Board Diversity Data Collection Advisory Bulletin AB 2021-01: BOARD DIVERSITY DATA COLLECTION The 2020 AB also speaks to 9001https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Financial Reporting and Disclosure and External Audit28435All8/20/2020 4:00:00 AMAB 2020-04<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>​ADVISORY BULLETIN</strong></p><p> <strong>AB 2020-04&#58; FINANCIAL REPORTING AND DISCLOSURE AND EXTERNAL AUDIT</strong></p></td></tr></tbody></table><p> <em style="text-decoration&#58;underline;"><em><strong>​Purpose</strong></em></em></p><p>This Advisory Bulletin (AB) articulates the Federal Housing Finance Agency's (FHFA) supervisory expectations for oversight and management of financial reporting and disclosures and of the external audit function. </p><p>This AB applies to Fannie Mae and Freddie Mac (the Enterprises), the Federal Home Loan Banks (FHLBanks), and the FHLBanks' Office of Finance (OF) (collectively, the regulated entities) <a href="#footnote1"> <span style="text-decoration&#58;underline;">[1]</span></a> and is effective immediately. &#160;This AB rescinds, and along with AB 2016-05 Internal Audit Governance and Function, replaces FHFA's Examination for Accounting Practices guidance.&#160; </p><p>Transparent financial reporting and disclosures, subject to strong internal control over financial reporting (ICFR) and confirmed by a high-quality external audit, help ensure that published financial information is reliable and free from material misstatements for all stakeholders.&#160; &#160;&#160;Timely, accurate, complete, and meaningful reporting and disclosures regarding financial condition and performance support FHFA's risk-focused supervision of the regulated entities.&#160; For FHFA as a prudential regulator, such reporting facilitates effective risk assessments, off-site monitoring, and examination planning. &#160;Financial condition and performance metrics for capital adequacy, liquidity, earnings adequacy, and asset quality are based on information in these reports.</p><p style="text-decoration&#58;underline;"> <strong><em>Background</em></strong></p><p>The Office of Federal Housing Enterprise Oversight (OFHEO) issued the Examination for Accounting Practices guidance to the Enterprises in 2006. &#160;FHFA revised and updated that guidance in 2009 and expanded its application to the FHLBanks. &#160;With the issuance of this financial reporting and external audit guidance and AB 2016-05 Internal Audit Governance and Function, FHFA has updated and revised the 2009 guidance to reflect our regulatory experience and that of other financial regulators, and to more clearly communicate FHFA's supervisory expectations in these areas to the regulated entities.&#160;</p><p>Regarding financial reporting and external audit, the regulated entities are governed by different, yet generally concordant, FHFA and/or Securities and Exchange Commission (SEC) regulations and auditing standards. <a href="#footnote2"> <span style="text-decoration&#58;underline;">[2]</span></a>&#160; Notably&#58;&#160;</p><ul><li>The Enterprises are SEC registrants. Their external audits are subject to Public Company Accounting Oversight Board (PCAOB) auditing standards.&#160; Under FHFA regulations, the Enterprises are subject to specified New York Stock Exchange (NYSE) requirements.</li><li>The FHLBanks are SEC registrants.&#160; Their external audits are subject to PCAOB auditing standards and under FHFA regulations, are subject to Generally Accepted Auditing Standards (GAAS) and Generally Accepted Government Auditing Standards (GAGAS). <a href="#footnote3"> <span style="text-decoration&#58;underline;">[3]</span></a>&#160; Applicable FHFA rules further detail specific requirements for audit committees regarding external audit and financial reporting oversight.</li><li>The OF is not an SEC registrant.&#160; Under FHFA regulations, FHLBank System combined financial reports are subject to GAAS and GAGAS. <a href="#footnote4"> <span style="text-decoration&#58;underline;">[4]</span></a>&#160; The regulations also address oversight of the external auditor for the combined financial reports. <a href="#footnote5"> <span style="text-decoration&#58;underline;">[5]</span></a></li></ul><p>Each Enterprise and FHLBank is covered by FHFA's Prudential Management and Operations Standards (PMOS) and each regulated entity reports financial information in conformance with U.S. Generally Accepted Accounting Principles (GAAP). <a href="#footnote6"> <span style="text-decoration&#58;underline;">[6]</span></a>&#160; Enterprise and FHLBank management assess the effectiveness of their respective entity's ICFR based on the criteria in the Internal Control-Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).&#160;</p><p>The referenced FHFA, SEC, and NYSE rules and regulations, as applicable, address a wide range of audit committee governance topics including&#58;&#160;</p><ul><li>Committee composition and members' qualifications, including financial literacy and expertise, and independence requirements;</li><li>Committee oversight of the integrity of financial statements and earnings releases and compliance with legal and regulatory requirements;</li><li>Committee charter content and minimum frequency of reviews and re-approval;</li><li>Boards' responsibility to provide the audit committee sufficient funding for payments to the external auditor and to advisors/counsel that the committee retains as it deems necessary to carry out its duties;</li><li>Committee duties and responsibilities regarding external auditor oversight including&#58;</li><ul><li>Responsibility for selecting the auditor, evaluating the auditor's performance, replacing the auditor if needed, and ensuring that the auditor is solely responsible to the committee;</li><li>Ensuring that the external auditor submits a formal written statement regarding relationships and services that may adversely affect independence and discussing any disclosed relationships that may impact objectivity and independence with the external auditor;</li><li>Reviewing the auditor's internal quality control procedures;</li><li>Meeting with, including in executive sessions, auditors and management;</li><li>Reviewing and approving procedures for handling complaints received by the regulated entity regarding accounting, internal accounting controls, or auditing matters; and confidential, anonymous submission by regulated entity staff of concerns regarding questionable accounting or auditing matters; and</li><li>Providing for an annual committee self-evaluation or external review.</li></ul></ul><p>The guidance in this AB is intended to be consistent with applicable statutes, regulations, GAAP, and auditing standards.&#160; In some instances, substantive elements of guidance herein for all regulated entities may be addressed by FHFA regulation, SEC regulation, or applicable accounting or auditing standards for one or more regulated entities.&#160; This guidance does not relieve or diminish the responsibility of a regulated entity's board of directors or management to follow applicable laws, rules, and regulations and to conform to applicable accounting standards.&#160; Any perceived conflicts should be resolved so as to comply with applicable laws and regulations, and in conformance with accounting standards.</p><p style="text-decoration&#58;underline;"> <em><strong>Guidance</strong></em></p><p> <strong>I. Financial Reporting and Disclosure Oversight and Management</strong></p><p>Regulated entities' boards of directors and senior managers are responsible, within their respective roles as described in FHFA's corporate governance regulation and prudential standards, for the institution operating in a safe and sound manner. &#160;Entities should maintain effective accounting and reporting systems and ICFR to produce reliable and accurate financial reports and meaningful disclosures.&#160;</p><p>To address accounting, financial reporting, and disclosure, audit committees should&#58;&#160;</p><ul><li>Review and discuss annual audited financial statements, quarterly SEC filings or equivalent financial statements, and earnings releases;</li><li>Meet regularly with management and external auditors and hold regular executive sessions with the external auditor;</li><li>Oversee that management establishes, implements, and maintains accounting policies and procedures that comply with applicable laws, rules, and regulations and conform to applicable guidance, including GAAP and other relevant reporting and disclosure standards;</li><li>Ensure that the regulated entity has policies in place to notify FHFA of any accounting treatments or policies identified as posing significant legal, reputation, or safety and soundness risk, with a focus on accounting treatments or policies that do not employ GAAP or preferred methods; and</li><li>Direct management to provide the committee with adequate information and reports to carry out its duties and responsibilities and challenge management and auditors where appropriate.&#160;</li></ul><p> <em>A. Assessing Materiality&#160;</em></p><p>An entity's audit committee should review and clearly understand how management and the external auditor assess financial statement materiality. &#160;For public financial disclosures, FHFA's regulated entities should follow materiality guidelines established by the SEC and other U.S. standard-setters and regulators as appropriate.&#160; FHFA is informed by the SEC's statements regarding materiality and generally considers them as part of its ongoing review of regulated entities' accounting practices and controls.&#160;</p><p>A regulated entity's determination that an accounting matter is material or presents a materiality issue may be a factor in FHFA's oversight of a regulated entity. &#160;An item not being deemed to be “material&quot; or not having “materiality&quot; for financial reporting purposes, however, would not necessarily preclude FHFA from having supervisory concerns about the item. &#160;Further, FHLBanks may be required to provide information that is less than material to their individual financial statements to the OF in order to support FHLBank System combined financial filings.&#160;</p><p> <em>B. Accounting Policies and Procedures&#160;</em></p><p>FHFA expects each regulated entity's management, with appropriate audit committee oversight, to establish and maintain&#58;&#160;</p><ul><li>A formal written procedure for developing accounting policies;</li><li>A process for disclosing those policies and the regulated entity's compliance with applicable regulatory requirements and GAAP to the committee;</li><li>Accounting and disclosure policies and procedures that reflect applicable regulatory requirements and GAAP; and</li><li>A complete and current accounting guide that lists all of the regulated entity's accounting policies, including a procedure for documenting the business purpose of all significant types of transactions.&#160;</li></ul><p>Each regulated entity currently submits its accounting guide to FHFA annually, and significant revisions to FHFA quarterly, although the FHFA Chief Accountant may request more frequent submissions.&#160;&#160;&#160;</p><p> <em>C. Internal Control over Financial Reporting</em></p><p>Each regulated entity is responsible for designing, implementing, monitoring, and maintaining its ICFR. <a href="#footnote7"> <span style="text-decoration&#58;underline;">[7]</span></a> &#160;&#160;Each regulated entity should ensure that its ICFR system is designed to minimize the risk of a material financial misstatement, whether due to reporting error, fraud, or other external or company-specific risks.&#160;</p><p>FHFA expects regulated entities to develop, implement, and maintain robust business and accounting systems and processes subject to rigorous quality controls to minimize the possibility of material misstatements.&#160; Regulated entities should remediate identified deficiencies timely and should not allow significant control deficiencies to persist.&#160;&#160;</p><p>ICFR review functions <a href="#footnote8"> <span style="text-decoration&#58;underline;">[8]</span></a> should be structured to ensure that those persons performing and evaluating testing are appropriately independent of the controls being tested. &#160;Each regulated entity should ensure that it has protocols in place for its employees and vendors to comply with the regulated entity's ICFR-related policies and procedures.&#160;</p><p>Each regulated entity should have a system in place to provide reasonable assurance that accounting and disclosure policies and procedures reflect regulatory and GAAP requirements and should have proper procedures and processes in place to evaluate compliance with those requirements.&#160; The ICFR risk assessment process should include assessing new products and business lines, as well as significant growth, shrinkage, and other changes in existing products and business lines. &#160;This should help ensure that key controls are identified and tested so that potential control deficiencies are identified timely and properly addressed.&#160;</p><p>Each regulated entity's management should ensure, and its audit committee should oversee, that the regulated entity establishes, implements, and maintains effective controls over information reported to FHFA through FHFA's Call Report System and in formal data requests.&#160;</p><p> <em>D. Regulated Entity Accounting Staff</em></p><p>Each regulated entity's management should hire sufficient numbers of technically competent accounting staff and that staff should remain professionally competent and current in professional standards. &#160;Accounting departments should implement and maintain quality control procedures to ensure that they follow accounting policies and procedures.&#160; Further, accounting staff should be charged with reporting any non-compliance with GAAP to appropriate management and/or auditors.&#160;</p><p> <em>E. Financial Statements</em></p><p>As SEC registrants, each FHLBank and Enterprise must prepare and timely file with the SEC periodic financial statements and disclosures that comply with applicable SEC regulations. &#160;Each regulated entity also should prepare and timely file financial statements and information as required by FHFA regulations.&#160; FHFA encourages the regulated entities to maximize transparency in their public financial reporting and disclosures, and to establish and implement policies that lead to comparable and consistent accounting and disclosures to the extent practicable. <a href="#footnote9"> <span style="text-decoration&#58;underline;">[9]</span></a></p><p>FHFA expects each FHLBank and Enterprise to submit to FHFA any financial information, disclosures, or other items it submits to the SEC that are not available to FHFA in public filings. &#160;FHFA also expects each regulated entity to provide additional information about the financial information, disclosures, and other items it submits to the SEC when and in the manner requested by FHFA.</p><p> <em>F. Non-GAAP Measures in Financial Statements</em></p><p>Regulated entities should consider risks associated with presenting non-GAAP measures in public financial reports, along with their responsibilities to transparently inform stakeholders about the entity's financial condition and results of operations.&#160; If a regulated entity decides to disclose a non-GAAP measure in its periodic filings, that measure should be subject to rigorous internal controls, should not be presented more prominently than similar GAAP measures, and should otherwise conform to applicable regulations.&#160; Any new proposed non-GAAP measure should be discussed with the audit committee, as appropriate, prior to initial publication.&#160; </p><p> <em>G. Alternate and Preferable GAAP Accounting Treatments</em></p><p>At least quarterly, each regulated entity's audit committee should review management's analyses of significant financial reporting issues and accounting judgments made in preparing the entity's financial statements.&#160; To facilitate this review, management should highlight, and the committee should review, significant new or unusual items arising during the financial quarter, and management's anticipated implementation of significant new or revised GAAP.&#160; These reviews should include effects of alternative GAAP methods.&#160; The audit committee should also review and discuss these areas (and others as described in applicable rules, regulations, and guidance) with the external auditor.&#160;</p><p>FHFA believes that it is prudent for the regulated entities' audit committees to assess the costs and benefits of engaging an independent third party to evaluate one or more accounting policy areas at least every two years.&#160; Committees should report their findings to their board of directors and to FHFA.&#160; Such a review may be appropriate for new or revised GAAP guidance and/or for new types of transactions that the regulated entity expects to become material, especially those for which the accounting may involve significant estimates and/or management judgments.&#160;&#160;&#160;</p><p>If the audit committee determines that the results of any such assessment warrant a targeted evaluation, it should then consider the appropriate form and scope of the engagement.&#160; Given the potential relevance of such assessments to FHFA's supervisory responsibilities, the regulated entity should structure any targeted evaluation engagement so as to make reports and workpapers available for review by FHFA.&#160;</p><p> <strong>II. External Audit Function Oversight</strong></p><p>Rigorous and effective audit committee oversight of external audit functions is critical to secure the benefits of an independent, high-quality audit.&#160; FHFA expects each regulated entity's audit committee to perform this role in accordance with applicable FHFA, SEC, and NYSE requirements.&#160; Further, FHFA expects each audit committee to establish and maintain appropriate charter elements, and well-documented policies where needed, around this oversight role. &#160;Finally, FHFA encourages regulated entities to develop, and audit committees to regularly review and approve for publication, disclosures that provide insight and information to stakeholders about how the committees oversee their external auditors.</p><p>A. Overseeing the External Audit Relationship</p><p>The concepts in this section should be considered when appointing, retaining, or terminating an external auditor.</p><p>1. Monitoring Performance</p><p>Each regulated entity's audit committee should perform and document a comprehensive assessment of the external audit firm's performance at least annually.&#160; As part of the review, the committee should request and review input from audit committee members, management, and internal auditors regarding the performance of the external auditors.&#160; The current external auditor's tenure should be considered as a factor in the assessment.&#160;</p><p>FHFA expects each audit committee to identify and consider Audit Quality Indicators (AQIs) to inform dialogue and discussions with the external auditor. &#160;AQIs are qualitative and quantitative performance metrics to help inform stakeholders, including audit committees, about key conditions or attributes that may contribute to audit quality. &#160;AQIs may be defined at both the auditing firm and the audit engagement team levels.&#160; While there is no regulation or auditing standard requiring firms to report or audit committees to use AQIs, larger auditing firms provide firm-level AQIs and/or similar information to their stakeholders. <a href="#footnote10"> <span style="text-decoration&#58;underline;">[10]</span></a> &#160;FHFA views identifying and assessing AQIs as a best practice in assessing external auditor performance.&#160;</p><p>The audit committee should consider the external auditor's internal quality control procedures, including the auditing firm's processes for performing quality control reviews, when evaluating the external auditor.&#160; The committee should discuss the auditing firm's internal quality control reviews and external PCAOB inspection results with the external auditors as part of their performance assessment. &#160;The committee should pay particular attention to any deficiencies or non-compliance issues identified by the PCAOB or internal reviews that are relevant to their regulated entity's audit.&#160; To aid in this process, the audit committee should request that the external auditor align any PCAOB inspection deficiencies with potential areas of exposure to the audit of the regulated entity.&#160; The audit committee should have a good understanding of how the audit firm is addressing any identified deficiencies, including remediation plans and timetables.</p><p>Auditing firm tenure is not explicitly addressed by FHFA or SEC regulations. &#160;Even if an incumbent auditing firm has performed satisfactorily, FHFA considers it prudent for audit committees to periodically consider, and document their consideration of, the potential costs and benefits of changing or retaining their incumbent auditing firms at least every five years, or more frequently if circumstances warrant. <a href="#footnote11"> <span style="text-decoration&#58;underline;">[11]</span></a> &#160;</p><p>2. Monitoring Independence</p><p>External auditor independence is necessary for a reliable audit. &#160;Therefore, each regulated entity's audit committee should carefully consider regulatory and professional requirements regarding independence in fact and appearance during all phases of the audit engagement. <a href="#footnote12"> <span style="text-decoration&#58;underline;">[12]</span></a>&#160; Independence requirements apply to the external auditing firm, to engagement and concurring partners, and to auditing firm staff and contractors working on the engagement. The audit committee should have a robust process for monitoring and assessing the external auditor's independence, including understanding how the external auditor assesses and monitors independence within the auditing firm.&#160;</p><p>The external auditor's communications to the audit committee regarding independence and the committee's related discussions and decisions regarding the auditor's independence should be appropriately documented.&#160; Arrangements regarding any permissible non-audit services to be provided by the audit firm should be clear and transparent, should not involve contingent compensation other than appropriate arrangements for tax work, and should be pre-approved by the audit committee.&#160; If the committee delegates some of its pre-approval authority to, for example, its Chair, it should subsequently ratify the delegate's approval.&#160;&#160;</p><p>At least annually, the committee should review the nature of all services performed by the external audit firm and assess the relative magnitude of fees and personnel involved.&#160; The committee should then consider establishing safeguards, as needed, to mitigate potential threats to audit independence that may arise as a result of providing these other services.&#160; Further, the audit committee should be informed about and consider business and financial relationships between the auditor and the regulated entity or its officers, directors, or significant shareholders, and about employment of former regulated entity employees by the auditing firm and vice versa, as necessary to identify and address circumstances that could indicate a lack of independence or the appearance thereof.&#160;</p><p> <em>B. Communication with External Auditor and Audit Engagement Letters</em></p><p>Each regulated entity's audit committee and its external auditor should have an open working relationship.&#160; Communications should be frank and robust and should cover the full range of potential topics related to financial reporting and audit risks.&#160; Significant discussions during scheduled audit committee meetings should be clearly documented in committee minutes.&#160; Other relevant substantive discussions should be appropriately documented in audit committee packages or minutes.&#160; Audit committees can promote effective communications by&#58;&#160;</p><ul><li>Maintaining a direct line of communication with the external auditor, including periodic, informal contact by the committee chair and regular executive sessions;</li><li>Requesting periodic involvement of other external audit partners, such as concurring, review, and tax partners at the audit committee meetings; </li><li>Discussing the external auditor's audit risk assessment and audit plan for the regulated entity;</li><li>Discussing with the auditor (and management, as applicable) any new, unusual, or non-standard representations made by management in their management representations letter; and</li><li>Requesting and reviewing insights from audit committee members, management, and internal auditors regarding the performance of the external auditors, at least annually.&#160;</li></ul><p>It is also important for the audit committee to have ongoing communication with the external auditor regarding its audit fees.&#160; One objective of those communications is to provide assurance to the audit committee that negotiations for the fees and the fee arrangements themselves encourage the external auditor to conduct rigorous, high-quality audits and reviews.&#160;</p><p>The engagement letter is the key document defining the relationship between the regulated entity and its external auditor.&#160; FHFA's authority to examine the regulated entities allows it to have access to all regulated entity documents, including accounting records. &#160;FHFA expects regulated entities' external audit engagement letters to be consistent with FHFA's examination authority. &#160;Accordingly, FHFA expects that each regulated entity's engagement letter should&#58;&#160;</p><ul><li>Provide that the external auditor may, upon FHFA's request, provide FHFA with access to the senior audit partners on the engagement and any other personnel whom such partners deem necessary, as well as to the external auditor's working papers prepared in the course of performing the services set forth in the engagement letter, and that such access to the external auditor may be without regulated entity personnel in attendance;</li><li>Not contain any provisions that would be characterized as unsafe and unsound under the “Interagency Advisory on the Unsafe and Unsound Use of Limitation of Liability Provisions in External Audit Engagement Letters&quot;;<a href="#footnote13"><span style="text-decoration&#58;underline;">[13]</span></a> and</li><li>Provide that the external auditor, without the approval of the regulated entity, may meet with FHFA with such frequency and about such matters as determined by FHFA, and may provide reports or other communications arising from the audit engagement directly to FHFA.</li></ul><p> <em>C. Audit Committee Transparency</em></p><p>FHFA regulations and guidelines require that the audit committees for the regulated entities review their charters annually and that the boards of directors reapprove them at least every three years. <a href="#footnote14"> <span style="text-decoration&#58;underline;">[14]</span></a> &#160;&#160;FHFA's regulated entities regularly publish their audit committee charters.&#160; Besides serving as the committee's roadmap to help ensure that it fulfills all of its duties and obligations, a well-drafted charter can provide outside readers with insights on the committee's governance and functions.&#160;</p><p>Under the PCAOB standards, auditor tenure is now a required element of the independent auditor's report.&#160; Also, critical audit matters—which are matters that have been communicated to the audit committee, are related to accounts or disclosures that are material to the financial statements, and involved especially challenging, subjective, or complex auditor judgment—must be reported by the auditor beginning in the next few years. <a href="#footnote15"> <span style="text-decoration&#58;underline;">[15]</span></a>&#160; While this reporting is the responsibility of public companies' external auditors, we believe that these requirements evidence increased demand by financial statement users for information on audits and audit governance.&#160;&#160;</p><p>While effective audit committee oversight of and engagement with the external auditor are keys to obtaining a high-quality audit, there are no formal rules or standards that require those topics to be reported to shareholders. &#160;That said, industry studies confirm an increasing trend among public companies to make enhanced voluntary disclosures about their audit committees' oversight of the external audit function. &#160;Examples include disclosures about the factors that the audit committee considers when appointing or retaining an external auditor, the role of the audit committee in fee negotiations and compensation, the length of time the auditor has been engaged, whether evaluations of the auditing firm are done annually, and audit partner selection and rotation. <a href="#footnote16"> <span style="text-decoration&#58;underline;">[16]</span></a>&#160;</p><p>FHFA encourages each regulated entity's audit committee to consider providing such voluntary disclosures regarding its role in supporting a quality audit. &#160;The audit committee should remain aware of industry trends and developments regarding audit committee transparency and should work to provide the regulated entity's stakeholders with relevant information regarding their activities to the extent practicable.&#160;</p><p> <strong>III. Annual Review by Audit Committee</strong></p><p>At least annually, each regulated entity's audit committee should review, with any appropriate professional assistance, the committee's performance in light of the requirements of laws, rules, and regulations that are applicable to its activities and duties.&#160; The committee should also assess whether it is operating consistent with applicable regulatory guidance.&#160; The audit committee should provide the FHFA Chief Accountant with the materials and procedures employed in such review, as well as the final report. &#160;The review may be done as part of a committee self-assessment, an outside review, or a combination of approaches.&#160;</p><p> <strong>Related Regulations and Guidance</strong></p><p>12 CFR Part 1236 and Appendix – Prudential Management and Operations Standards&#160;</p><p>12 CFR Part 1239 – Responsibilities of Boards of Directors, Corporate Practices and Corporate Governance Matters&#160;</p><p>12 CFR Part 1273 – Office of Finance&#160;</p><p>12 CFR Part 1274 – Financial Statements of the Banks&#160;</p><p>Securities and Exchange Commission Guidance Regarding Management's Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934, 72 Fed. Reg. 35324 (June 27, 2007) (codified at 17 CFR Part 241)</p><p>Securities and Exchange Commission Rule 10A-3&#58; Listing Standards Relating to Audit Committees (National Securities Exchanges), 17 CFR § 240.10A-3</p><p>Securities and Exchange Commission Rule Reg. S-X&#58; Form and Content of and Requirements for Financial Statements, Securities Act of 1933, Securities Exchange Act of 1934, Investment Company Act of 1940, Investment Advisers Act of 1940, and Energy Policy and Conservation Act of 1975 (Qualifications and Reports of Accountants), 17 CFR § 210.2-01 through -07</p><p>Securities and Exchange Commission Rule Reg. S-K&#58; Standard Instructions for Filing Forms under Securities Act of 1933, Securities Exchange Act of 1934 and Energy Policy and Conservation Act of 1975, 17 CFR Part 229</p><p>Public Company Accounting Oversight Board Rule 3526&#58; Auditor Communications with Audit Committees Concerning Independence</p><p>NYSE, Inc., Listed Company Manual, § 303A (Corporate Governance Standards) (2018)</p><p> <br>&#160;</p><hr width="25%" align="left" /><p> <a name="footnote1"><span style="text-decoration&#58;underline;">[1]</span></a>&#160;The OF is not a “regulated entity&quot; as the term is defined by 12 U.S.C. 4502(20), but for convenience, references to the “regulated entities&quot; in this AB should be read to also apply to the OF as regards its roles in issuing combined financial reports and engaging the external auditor for those reports, and to regulated entities' affiliates as regards their roles, if any, in issuing public financial reports and in engaging external auditors.</p><p> <a name="footnote2"><span style="text-decoration&#58;underline;">[2]</span></a>&#160;Duties of FHLBank audit committees are described in 12 CFR 1239.32. Duties of the OF audit committee are described in 12 CFR 1273.9. Part 1239 stipulates that the duties and responsibilities of Enterprise audit committees are set forth under rules issued by the New York Stock Exchange, and further requires that those committees comply with requirements set forth under section 301 of the Sarbanes-Oxley Act, 15 U.S.C.§ 78j-1(f). The Prudential Management and Operations Standards set forth in the Appendix to 12 CFR Part 1236 also include standards applicable to the audit committees of the FHLBanks and Enterprises.</p><p> <a name="footnote3"> <span style="text-decoration&#58;underline;">[3]</span></a><em>&#160;See </em>12 CFR 1274.2(c).</p><p> <a name="footnote4"> <span style="text-decoration&#58;underline;">[4]</span></a><em>&#160;See </em>12 CFR 1274.2(c).</p><p> <a name="footnote5"> <span style="text-decoration&#58;underline;">[5]</span></a><em>&#160;See </em>12 CFR 1274.2(d), (e).</p><p> <a name="footnote6"> <span style="text-decoration&#58;underline;">[6]</span></a><em>&#160;See </em>12 CFR Part 1236, Appendix (Standard 10.1) and 12 CFR 1273.6(b) (2).</p><p> <a name="footnote7"> <span style="text-decoration&#58;underline;">[7]</span></a> SEC Exchange Act Rule 13a-15(f) defines the term “internal control over financial reporting&quot; as&#58; a process designed by, or under the supervision of, the issuer's principal executive and principal financial officers, or persons performing similar functions, and effected by the issuer's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that&#58;</p><ol><li>Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer;</li><li>Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer; and</li><li>Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer's assets that could have a material effect on the financial statements.</li></ol><p> <em>See </em>17 CFR 240.13a-15(f).</p><p> <a name="footnote8"> <span style="text-decoration&#58;underline;">[8]</span></a> For the OF, this refers to the ICFR over the OF's process for producing the FHLBanks' combined financial reports.&#160;</p><p> <a name="footnote9"> <span style="text-decoration&#58;underline;">[9]</span></a> On comparability and consistency, see FASB Statement of Financial Accounting Concepts No. 8 as amended August 2018.</p><p> <a name="footnote10"> <span style="text-decoration&#58;underline;">[10]</span></a> See Center for Audit Quality, “Audit Quality Indicators&#58;&#160; The Journey and Path Ahead,&quot; Jan. 12, 2016.</p><p> <a name="footnote11"> <span style="text-decoration&#58;underline;">[11]</span></a> The FHLBanks and the OF, in light of the FHLBank System's requirement to issue combined financial statements, have historically engaged the same external audit firm.&#160; Therefore, they undertake external auditor performance reviews and decisions on which audit firm to engage jointly.</p><p> <a name="footnote12"> <span style="text-decoration&#58;underline;">[12]</span></a> The external auditor must meet the requirements of independence set forth by the PCAOB Auditing Standard 1005 and in the SEC regulations at 17 CFR § 210.2-01.&#160;</p><p> <a name="footnote13"> <span style="text-decoration&#58;underline;">[13]</span></a> 71 Fed. Reg. 6847 (Feb. 9, 2006).</p><p> <a name="footnote14"> <span style="text-decoration&#58;underline;">[14]</span></a><em>&#160;See </em>12 CFR Part 1236, Appendix (Prudential Management and Operations Standard 2.2) (regulated entity boards); 12 CFR 1239.32(d) (1), (2) (Bank audit committees and boards of directors); 12 CFR 1273.9(c) (1) (i), (ii) (Office of Finance). Enterprise boards of directors must adopt a written charter for each board committee and comply with the committee requirements of the NYSE rules and section 301 of the Sarbanes-Oxley Act, 15 U.S.C. § 78j-1. <em>See </em>12 CFR 1239.5(b). Neither those incorporated provisions nor the regulation itself imposes any requirements with respect to the review or re-approval of committee charters.</p><p> <a name="footnote15"> <span style="text-decoration&#58;underline;">[15]</span></a><em>&#160;See </em>PCAOB Auditing Standard 3101.</p><p> <a name="footnote16"> <span style="text-decoration&#58;underline;">[16]</span></a><em>&#160;See </em>2018 Audit Committee Transparency Barometer prepared by the Center for Audit Quality and by Audit Analytics (November 2018).</p><p> <em>&#160; </em></p> <em> <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities. Questions about this advisory bulletin should be directed to <a href="mailto&#58;SupervisionPolicy@FHFA.gov">SupervisionPolicy@FHFA.gov</a>. </p></td></tr></tbody></table> <p>&#160;</p></em>8/20/2020 5:00:54 PMHome / Supervision & Regulation / Advisory Bulletins / Financial Reporting and Disclosure and External Audit Advisory Bulletin AB 2020-04: FINANCIAL REPORTING AND DISCLOSURE 12280https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Guidance on the Use of Proxies28094FHL Banks7/20/2020 4:00:00 AMAB 2020-03<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>​ADVISORY BULLETIN</strong></p><p> <strong>AB 2020-03&#58; GUIDANCE ON THE USE OF PROXIES FOR DETERMINING THE INCOME OF SUBSEQUENT PURCHASERS OF OWNER-OCCUPIED UNITS SOLD BY AHP-ASSISTED HOUSEHOLDS DURING THE AHP RETENTION PERIOD </strong></p></td></tr></tbody></table><p> <em style="text-decoration&#58;underline;"> <em> <strong>​Purpose</strong></em></em></p><p>This Advisory Bulletin (AB) contains guidance, pursuant to the Affordable Housing Program (AHP) regulation, on the Federal Home Loan Banks’ (FHLBanks) or their designees’ use of proxies for determining whether the subsequent purchaser of an owner-occupied unit sold, transferred, or assigned by an AHP-assisted household during the AHP five-year retention period is low- or moderate-income (LMI). Specifically, the guidance provides for the use of a proxy based on the U.S. Department of Housing and Urban Development’s (HUD) HOME Investment Partnerships Program (HOME) and Housing Trust Fund (HTF) homeownership value limits for existing housing. The AB also discusses the option for FHLBanks to adopt an alternative proxy or proxies that are reliable indicators that the subsequent purchaser is LMI. In addition, the AB provides guidance on documentation requirements as well as content of a FHLBank’s AHP Implementation Plan.</p><p style="text-decoration&#58;underline;"> <strong><em>Background</em></strong></p><p>The Federal Housing Finance Agency’s (FHFA) AHP regulation provides that, for each household that receives AHP subsidy for purchase, for purchase in conjunction with rehabilitation, or for construction of an owner-occupied unit, the unit must be subject to a retention agreement. <a href="#footnote1">[1]</a> The retention agreement must provide that, if the AHP-assisted household sells, transfers, or assigns (hereafter referred to as &quot;sells,&quot; for ease of reading) the unit within five years of closing on the unit, the FHLBank is to be repaid a pro rata portion of the AHP subsidy from any net proceeds realized by the household minus the household’s investment, subject to certain exceptions. <a href="#footnote2">[2]</a> One such exception is when the AHP-assisted household sells the unit to a LMI household, i.e., a household with income at or below 80 percent of the area median income (AMI). <a href="#footnote3">[3]</a> This exception predates the 2018 AHP final rule. <a href="#footnote4">[4]</a> Because subsequent purchasers of units sold by AHP-assisted households are under no obligation to provide income documentation to the FHLBanks or their designees for purposes of determining the AHP-assisted household’s AHP subsidy repayment obligation, it has been difficult for FHLBanks and their designees to determine subsequent purchasers’ actual incomes and, therefore, whether this subsidy repayment exception applies. Accordingly, FHFA requested comments in the 2018 AHP proposed rule preamble on potential geographically-based and person-based proxy approaches for determining subsequent purchaser income. </p><p>After reviewing the comments received on the proposed rule, FHFA determined in the 2018 AHP final rule that the use of proxies for determining subsequent purchaser income would facilitate the FHLBanks’ implementation of the LMI subsequent purchaser exception.<a href="#footnote5"> [5]</a> Accordingly, the final rule revised the regulation to provide for the use of proxies pursuant to guidance to be issued by FHFA for determining a subsequent purchaser’s income. Specifically, the final rule provides that for any sale by an AHP-assisted household of an owner-occupied unit after a date established by FHFA in the guidance, a FHLBank or its designee must determine the subsequent purchaser’s income using one or more proxies that are reliable indicators of the subsequent purchaser’s income, which may be selected by the FHLBank pursuant to the guidance, unless documentation demonstrating the subsequent purchaser’s actual income is available.<a href="#footnote6"> [6]</a> This AB contains the guidance referenced in the final rule on the use of proxies for this purpose. </p><p style="text-decoration&#58;underline;"> <em> <strong>Guidance</strong></em></p><p> <span style="text-decoration&#58;underline;">The Proxy&#58; HUD HOME and HTF Homeownership Value Limits for Existing Housing </span></p><p>FHFA has determined that the sale of an owner-occupied unit by an AHP-assisted household at a price that is at or below the applicable HUD HOME and HTF homeownership value limit for existing housing (hereinafter &quot;value limit&quot;) is a reliable indicator that the subsequent purchaser of the unit is LMI.<a href="#footnote7"> [7]</a> In reaching this conclusion, FHFA analyzed Home Mortgage Disclosure Act (HMDA) data which indicates that, in 2018, approximately 58 percent of national HMDA-reported home sales at or below the applicable value limit were to LMI purchasers. Significantly, in the ten states in which the greatest number of AHP owner-occupied subsidies under the FHLBanks’ competitive application programs and homeownership set-aside programs were awarded in 2018, over 65 percent of such sales were to LMI purchasers. </p><p>FHFA also analyzed the 2018 HMDA income data to determine the percentage of homebuyers who purchased a home above the applicable value limit that were LMI. FHFA found that only 14.6 percent of 2018 HMDA homebuyers who purchased a home above the applicable value limit were LMI, making it relatively unlikely that applying the HOME and HTF price limits as a proxy would be under-inclusive of low-and-moderate income subsequent purchasers. </p><p>Because proxies are approximations, no proxy can definitively determine the income of a subsequent purchaser. FHFA acknowledges this limitation of proxies generally, and the possibility that any proxy based on house sales price might fail to fully account for gentrification of areas in which the home is located, as noted by some commenters on the proposed rule. In rapidly gentrifying areas, a comparatively higher percentage of non-LMI purchasers may purchase homes at or below the value limit than in areas experiencing lower rates of gentrification. </p><p>However, as noted above, the data generally suggest that house sales price at or below the applicable value limit reliably indicates that the subsequent purchaser is LMI. This proxy indicates subsequent purchaser LMI status even more reliably when the review analyzes the ten states with the highest number of AHP owner-occupied subsidies historically. </p><p>In addition, although FHFA’s priority in selecting a proxy is identifying one that reliably indicates subsequent purchaser income, FHFA has selected one that, as applied to AHP-assisted households, weighs in favor of allowing households to retain AHP subsidy and thereby enjoy the full benefits of homeownership. FHFA analyzed data available under the FHLBanks’ homeownership set-aside programs to determine the likelihood that any particular AHP-assisted household would be required to repay AHP subsidy under the value limits proxy. In 2018, only 7.7 percent of AHP-assisted households who received set-aside grants in connection with purchase purchased their homes at a price greater than the applicable value limit, which suggests that the large majority of home sales by AHP-assisted households will qualify for the LMI subsequent purchaser exception under this proxy. <a href="#footnote8">[8]</a> </p><p style="text-decoration&#58;underline;">Implementing the Proxy</p><p>The FHLBanks or their designees may use the value limits, posted on the HUD Exchange, as a proxy for determining whether the exception to the AHP subsidy repayment requirement for sales to subsequent LMI purchasers applies. HUD calculates and posts the value limits annually on the HUD Exchange website. FHFA will also post the value limits on its website and notify the FHLBanks when new annual value limits are available. </p><p>However, if a FHLBank or its designee has documentation demonstrating the subsequent purchaser’s actual income, the FHLBank may not apply the value limits proxy or any other proxy to determine subsequent purchaser income. If neither the FHLBank nor its designee has such documentation, and the FHLBank elects to apply the value limits proxy, the FHLBank or its designee must use the value limits in effect at the time the AHP-assisted household sells its unit during the AHP five-year retention period. The FHLBank or its designee will determine the applicable value limit based on the specific county where the unit is located and the size of the unit (i.e., 1-unit, 2-unit, 3-unit, or 4-unit). The FHLBank or its designee will then compare the price at which the AHP-assisted household sold the unit to that value limit. If the sales price is less than or equal to the value limit, the subsequent purchaser is regarded as LMI under the value limits proxy. If the sales price is more than the applicable value limit, the subsequent purchaser is not regarded as LMI under the value limits proxy. The FHLBank or its designee must document its determinations under the value limits proxy.</p><p style="text-decoration&#58;underline;">Alternative Bank Proxies</p><p>In lieu of or in addition to the value limits proxy, a FHLBank may, in its discretion, adopt an alternative proxy or proxies that are reliable indicators that the subsequent purchaser of an owner-occupied unit sold by an AHP-assisted household is LMI. The FHLBank should retain documentation and data that provide a sufficient basis for the adoption of the alternative proxy or proxies, including an explanation of how the proxy or proxies reliably indicate(s) that the subsequent purchaser is LMI. In addition, as with application of the value limits proxy, the FHLBank should document its determinations under an alternative proxy for each subsequent purchaser’s income. </p><p style="text-decoration&#58;underline;">AHP Implementation Plans</p><p>The FHLBanks must ensure that their AHP Implementation Plans include the specific proxy or proxies they have chosen to adopt pursuant to this AB. <a href="#footnote9">[9]</a> If a FHLBank adopts more than one proxy, its AHP Implementation Plan must include the policies determining which proxy or set of proxies will be applied in any particular circumstance. If these policies provide for the application of more than one proxy per sale, they must specify how conflicting determinations of subsequent purchaser LMI income will be resolved. <a href="#footnote10">[10]</a> </p><p style="text-decoration&#58;underline;">Effective Date</p><p>This AB is effective for any sale of an owner-occupied unit by an AHP-assisted household that occurs on or after January 1, 2021 and is during the unit’s AHP five-year retention period. However, FHFA strongly encourages the FHLBanks to implement this AB before that date as practicable. </p><p>&#160;</p><hr width="25%" align="left" /><p> <a name="footnote1"> <span style="text-decoration&#58;underline;">[1]</span></a> 12 CFR 1291.23(d)(1); 1291.42(e); 1291.15(a)(7); <em>see also Questions and Answers on the November 28, 2018 Final Rule--Part I (July 2019)</em>, available at fhfa.gov. </p><p> <a name="footnote2"> <span style="text-decoration&#58;underline;">[2]</span></a> 12 CFR 1291.15(a)(7)(v); 1291.1 (par. (1) of the definition of &quot;retention period&quot;). </p><p> <a name="footnote3"> <span style="text-decoration&#58;underline;">[3]</span></a> 12 CFR 1291.15(a)(7)(ii)(B); 1291.1 (definition of &quot;low- or moderate-income household&quot;).&#160; </p><p> <a name="footnote4"><span style="text-decoration&#58;underline;">[4]</span></a> 12 CFR 1291.9(a)(7)(ii)(B) (Jan. 1, 2018 edition). </p><p> <a name="footnote5"> <span style="text-decoration&#58;underline;">[5]</span></a> 83 Fed. Reg. 61186, 61204 (Nov. 28, 2018). </p><p> <a name="footnote6"><span style="text-decoration&#58;underline;">[6]</span></a> 12 CFR 1291.15(a)(7)(ii)(B). </p><p> <a name="footnote7"> <span style="text-decoration&#58;underline;">[7]</span></a> For more information on these value limits, how they are derived, and their function in the applicable HUD programs, see the HOME and HTF program pages on the HUD Exchange website at www.hudexchange.info. </p><p> <a name="footnote8"> <span style="text-decoration&#58;underline;">[8]</span></a><em>&#160;</em>FHFA does not collect the prices at which competitive application program subsidy recipients purchase or sell their homes. FHFA also does not collect the prices at which homeownership set-aside program subsidy recipients purchase their homes, unless the subsidy is used in connection with purchase (e.g., down payment assistance). In 2018, 68 percent of all AHP owner-occupied subsidies were awarded through set-aside programs, and 92 percent of set-aside subsidies were used in connection with purchase. </p><p> <a name="footnote9"> <span style="text-decoration&#58;underline;">[9]</span></a> 12 CFR 1291.15(a)(7)(ii)(B). </p><p> <a name="footnote10"> <span style="text-decoration&#58;underline;">[10]</span></a>&#160;12 CFR 1291.13(b)(6).&#160;&#160;&#160;&#160;&#160;&#160;&#160;</p><p> <em>&#160; </em></p> <em> <p>&#160;</p> <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure that the regulated entities carry out their missions consistently with the provisions and purposes of FHFA's statute and the regulated entities' authorizing statutes. Advisory Bulletins describe supervisory expectations in particular areas and are used in FHFA examinations of the regulated entities. For comments or questions pertaining to this Advisory Bulletin, contact Ted Wartell at <a href="mailto&#58;Ted.Wartell@fhfa.gov">Ted.Wartell@fhfa.gov</a> or by phone at 1-202-649-3157; or Tiffani Moore at <a href="mailto&#58;Tiffani.Moore@fhfa.gov">Tiffani.Moore@fhfa.gov</a> or by phone at 1-202-649-3304. </p></td></tr></tbody></table> <p>&#160;</p></em> <p>&#160;</p>7/20/2020 8:58:52 PMHome / Supervision & Regulation / Advisory Bulletins / Guidance on the Use of Proxies Advisory Bulletin AB 2020-03: GUIDANCE ON THE USE OF PROXIES FOR DETERMINING THE INCOME 9018https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
© 2024 Federal Housing Finance Agency
Contact Us Mobile

Want to Subscribe?

© 2024 Federal Housing Finance Agency