Federal Housing Finance Agency Print

 Advisory Bulletins

 

 

Financial Reporting and Disclosure and External Audit28435All8/20/2020 4:00:00 AMAB 2020-04<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>​ADVISORY BULLETIN</strong></p><p> <strong>AB 2020-04&#58; FINANCIAL REPORTING AND DISCLOSURE AND EXTERNAL AUDIT</strong></p></td></tr></tbody></table><p> <em style="text-decoration&#58;underline;"><em><strong>​Purpose</strong></em></em></p><p>This Advisory Bulletin (AB) articulates the Federal Housing Finance Agency's (FHFA) supervisory expectations for oversight and management of financial reporting and disclosures and of the external audit function. </p><p>This AB applies to Fannie Mae and Freddie Mac (the Enterprises), the Federal Home Loan Banks (FHLBanks), and the FHLBanks' Office of Finance (OF) (collectively, the regulated entities) <a href="#footnote1"> <span style="text-decoration&#58;underline;">[1]</span></a> and is effective immediately. &#160;This AB rescinds, and along with AB 2016-05 Internal Audit Governance and Function, replaces FHFA's Examination for Accounting Practices guidance.&#160; </p><p>Transparent financial reporting and disclosures, subject to strong internal control over financial reporting (ICFR) and confirmed by a high-quality external audit, help ensure that published financial information is reliable and free from material misstatements for all stakeholders.&#160; &#160;&#160;Timely, accurate, complete, and meaningful reporting and disclosures regarding financial condition and performance support FHFA's risk-focused supervision of the regulated entities.&#160; For FHFA as a prudential regulator, such reporting facilitates effective risk assessments, off-site monitoring, and examination planning. &#160;Financial condition and performance metrics for capital adequacy, liquidity, earnings adequacy, and asset quality are based on information in these reports.</p><p style="text-decoration&#58;underline;"> <strong><em>Background</em></strong></p><p>The Office of Federal Housing Enterprise Oversight (OFHEO) issued the Examination for Accounting Practices guidance to the Enterprises in 2006. &#160;FHFA revised and updated that guidance in 2009 and expanded its application to the FHLBanks. &#160;With the issuance of this financial reporting and external audit guidance and AB 2016-05 Internal Audit Governance and Function, FHFA has updated and revised the 2009 guidance to reflect our regulatory experience and that of other financial regulators, and to more clearly communicate FHFA's supervisory expectations in these areas to the regulated entities.&#160;</p><p>Regarding financial reporting and external audit, the regulated entities are governed by different, yet generally concordant, FHFA and/or Securities and Exchange Commission (SEC) regulations and auditing standards. <a href="#footnote2"> <span style="text-decoration&#58;underline;">[2]</span></a>&#160; Notably&#58;&#160;</p><ul><li>The Enterprises are SEC registrants. Their external audits are subject to Public Company Accounting Oversight Board (PCAOB) auditing standards.&#160; Under FHFA regulations, the Enterprises are subject to specified New York Stock Exchange (NYSE) requirements.</li><li>The FHLBanks are SEC registrants.&#160; Their external audits are subject to PCAOB auditing standards and under FHFA regulations, are subject to Generally Accepted Auditing Standards (GAAS) and Generally Accepted Government Auditing Standards (GAGAS). <a href="#footnote3"> <span style="text-decoration&#58;underline;">[3]</span></a>&#160; Applicable FHFA rules further detail specific requirements for audit committees regarding external audit and financial reporting oversight.</li><li>The OF is not an SEC registrant.&#160; Under FHFA regulations, FHLBank System combined financial reports are subject to GAAS and GAGAS. <a href="#footnote4"> <span style="text-decoration&#58;underline;">[4]</span></a>&#160; The regulations also address oversight of the external auditor for the combined financial reports. <a href="#footnote5"> <span style="text-decoration&#58;underline;">[5]</span></a></li></ul><p>Each Enterprise and FHLBank is covered by FHFA's Prudential Management and Operations Standards (PMOS) and each regulated entity reports financial information in conformance with U.S. Generally Accepted Accounting Principles (GAAP). <a href="#footnote6"> <span style="text-decoration&#58;underline;">[6]</span></a>&#160; Enterprise and FHLBank management assess the effectiveness of their respective entity's ICFR based on the criteria in the Internal Control-Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).&#160;</p><p>The referenced FHFA, SEC, and NYSE rules and regulations, as applicable, address a wide range of audit committee governance topics including&#58;&#160;</p><ul><li>Committee composition and members' qualifications, including financial literacy and expertise, and independence requirements;</li><li>Committee oversight of the integrity of financial statements and earnings releases and compliance with legal and regulatory requirements;</li><li>Committee charter content and minimum frequency of reviews and re-approval;</li><li>Boards' responsibility to provide the audit committee sufficient funding for payments to the external auditor and to advisors/counsel that the committee retains as it deems necessary to carry out its duties;</li><li>Committee duties and responsibilities regarding external auditor oversight including&#58;</li><ul><li>Responsibility for selecting the auditor, evaluating the auditor's performance, replacing the auditor if needed, and ensuring that the auditor is solely responsible to the committee;</li><li>Ensuring that the external auditor submits a formal written statement regarding relationships and services that may adversely affect independence and discussing any disclosed relationships that may impact objectivity and independence with the external auditor;</li><li>Reviewing the auditor's internal quality control procedures;</li><li>Meeting with, including in executive sessions, auditors and management;</li><li>Reviewing and approving procedures for handling complaints received by the regulated entity regarding accounting, internal accounting controls, or auditing matters; and confidential, anonymous submission by regulated entity staff of concerns regarding questionable accounting or auditing matters; and</li><li>Providing for an annual committee self-evaluation or external review.</li></ul></ul><p>The guidance in this AB is intended to be consistent with applicable statutes, regulations, GAAP, and auditing standards.&#160; In some instances, substantive elements of guidance herein for all regulated entities may be addressed by FHFA regulation, SEC regulation, or applicable accounting or auditing standards for one or more regulated entities.&#160; This guidance does not relieve or diminish the responsibility of a regulated entity's board of directors or management to follow applicable laws, rules, and regulations and to conform to applicable accounting standards.&#160; Any perceived conflicts should be resolved so as to comply with applicable laws and regulations, and in conformance with accounting standards.</p><p style="text-decoration&#58;underline;"> <em><strong>Guidance</strong></em></p><p> <strong>I. Financial Reporting and Disclosure Oversight and Management</strong></p><p>Regulated entities' boards of directors and senior managers are responsible, within their respective roles as described in FHFA's corporate governance regulation and prudential standards, for the institution operating in a safe and sound manner. &#160;Entities should maintain effective accounting and reporting systems and ICFR to produce reliable and accurate financial reports and meaningful disclosures.&#160;</p><p>To address accounting, financial reporting, and disclosure, audit committees should&#58;&#160;</p><ul><li>Review and discuss annual audited financial statements, quarterly SEC filings or equivalent financial statements, and earnings releases;</li><li>Meet regularly with management and external auditors and hold regular executive sessions with the external auditor;</li><li>Oversee that management establishes, implements, and maintains accounting policies and procedures that comply with applicable laws, rules, and regulations and conform to applicable guidance, including GAAP and other relevant reporting and disclosure standards;</li><li>Ensure that the regulated entity has policies in place to notify FHFA of any accounting treatments or policies identified as posing significant legal, reputation, or safety and soundness risk, with a focus on accounting treatments or policies that do not employ GAAP or preferred methods; and</li><li>Direct management to provide the committee with adequate information and reports to carry out its duties and responsibilities and challenge management and auditors where appropriate.&#160;</li></ul><p> <em>A. Assessing Materiality&#160;</em></p><p>An entity's audit committee should review and clearly understand how management and the external auditor assess financial statement materiality. &#160;For public financial disclosures, FHFA's regulated entities should follow materiality guidelines established by the SEC and other U.S. standard-setters and regulators as appropriate.&#160; FHFA is informed by the SEC's statements regarding materiality and generally considers them as part of its ongoing review of regulated entities' accounting practices and controls.&#160;</p><p>A regulated entity's determination that an accounting matter is material or presents a materiality issue may be a factor in FHFA's oversight of a regulated entity. &#160;An item not being deemed to be “material&quot; or not having “materiality&quot; for financial reporting purposes, however, would not necessarily preclude FHFA from having supervisory concerns about the item. &#160;Further, FHLBanks may be required to provide information that is less than material to their individual financial statements to the OF in order to support FHLBank System combined financial filings.&#160;</p><p> <em>B. Accounting Policies and Procedures&#160;</em></p><p>FHFA expects each regulated entity's management, with appropriate audit committee oversight, to establish and maintain&#58;&#160;</p><ul><li>A formal written procedure for developing accounting policies;</li><li>A process for disclosing those policies and the regulated entity's compliance with applicable regulatory requirements and GAAP to the committee;</li><li>Accounting and disclosure policies and procedures that reflect applicable regulatory requirements and GAAP; and</li><li>A complete and current accounting guide that lists all of the regulated entity's accounting policies, including a procedure for documenting the business purpose of all significant types of transactions.&#160;</li></ul><p>Each regulated entity currently submits its accounting guide to FHFA annually, and significant revisions to FHFA quarterly, although the FHFA Chief Accountant may request more frequent submissions.&#160;&#160;&#160;</p><p> <em>C. Internal Control over Financial Reporting</em></p><p>Each regulated entity is responsible for designing, implementing, monitoring, and maintaining its ICFR. <a href="#footnote7"> <span style="text-decoration&#58;underline;">[7]</span></a> &#160;&#160;Each regulated entity should ensure that its ICFR system is designed to minimize the risk of a material financial misstatement, whether due to reporting error, fraud, or other external or company-specific risks.&#160;</p><p>FHFA expects regulated entities to develop, implement, and maintain robust business and accounting systems and processes subject to rigorous quality controls to minimize the possibility of material misstatements.&#160; Regulated entities should remediate identified deficiencies timely and should not allow significant control deficiencies to persist.&#160;&#160;</p><p>ICFR review functions <a href="#footnote8"> <span style="text-decoration&#58;underline;">[8]</span></a> should be structured to ensure that those persons performing and evaluating testing are appropriately independent of the controls being tested. &#160;Each regulated entity should ensure that it has protocols in place for its employees and vendors to comply with the regulated entity's ICFR-related policies and procedures.&#160;</p><p>Each regulated entity should have a system in place to provide reasonable assurance that accounting and disclosure policies and procedures reflect regulatory and GAAP requirements and should have proper procedures and processes in place to evaluate compliance with those requirements.&#160; The ICFR risk assessment process should include assessing new products and business lines, as well as significant growth, shrinkage, and other changes in existing products and business lines. &#160;This should help ensure that key controls are identified and tested so that potential control deficiencies are identified timely and properly addressed.&#160;</p><p>Each regulated entity's management should ensure, and its audit committee should oversee, that the regulated entity establishes, implements, and maintains effective controls over information reported to FHFA through FHFA's Call Report System and in formal data requests.&#160;</p><p> <em>D. Regulated Entity Accounting Staff</em></p><p>Each regulated entity's management should hire sufficient numbers of technically competent accounting staff and that staff should remain professionally competent and current in professional standards. &#160;Accounting departments should implement and maintain quality control procedures to ensure that they follow accounting policies and procedures.&#160; Further, accounting staff should be charged with reporting any non-compliance with GAAP to appropriate management and/or auditors.&#160;</p><p> <em>E. Financial Statements</em></p><p>As SEC registrants, each FHLBank and Enterprise must prepare and timely file with the SEC periodic financial statements and disclosures that comply with applicable SEC regulations. &#160;Each regulated entity also should prepare and timely file financial statements and information as required by FHFA regulations.&#160; FHFA encourages the regulated entities to maximize transparency in their public financial reporting and disclosures, and to establish and implement policies that lead to comparable and consistent accounting and disclosures to the extent practicable. <a href="#footnote9"> <span style="text-decoration&#58;underline;">[9]</span></a></p><p>FHFA expects each FHLBank and Enterprise to submit to FHFA any financial information, disclosures, or other items it submits to the SEC that are not available to FHFA in public filings. &#160;FHFA also expects each regulated entity to provide additional information about the financial information, disclosures, and other items it submits to the SEC when and in the manner requested by FHFA.</p><p> <em>F. Non-GAAP Measures in Financial Statements</em></p><p>Regulated entities should consider risks associated with presenting non-GAAP measures in public financial reports, along with their responsibilities to transparently inform stakeholders about the entity's financial condition and results of operations.&#160; If a regulated entity decides to disclose a non-GAAP measure in its periodic filings, that measure should be subject to rigorous internal controls, should not be presented more prominently than similar GAAP measures, and should otherwise conform to applicable regulations.&#160; Any new proposed non-GAAP measure should be discussed with the audit committee, as appropriate, prior to initial publication.&#160; </p><p> <em>G. Alternate and Preferable GAAP Accounting Treatments</em></p><p>At least quarterly, each regulated entity's audit committee should review management's analyses of significant financial reporting issues and accounting judgments made in preparing the entity's financial statements.&#160; To facilitate this review, management should highlight, and the committee should review, significant new or unusual items arising during the financial quarter, and management's anticipated implementation of significant new or revised GAAP.&#160; These reviews should include effects of alternative GAAP methods.&#160; The audit committee should also review and discuss these areas (and others as described in applicable rules, regulations, and guidance) with the external auditor.&#160;</p><p>FHFA believes that it is prudent for the regulated entities' audit committees to assess the costs and benefits of engaging an independent third party to evaluate one or more accounting policy areas at least every two years.&#160; Committees should report their findings to their board of directors and to FHFA.&#160; Such a review may be appropriate for new or revised GAAP guidance and/or for new types of transactions that the regulated entity expects to become material, especially those for which the accounting may involve significant estimates and/or management judgments.&#160;&#160;&#160;</p><p>If the audit committee determines that the results of any such assessment warrant a targeted evaluation, it should then consider the appropriate form and scope of the engagement.&#160; Given the potential relevance of such assessments to FHFA's supervisory responsibilities, the regulated entity should structure any targeted evaluation engagement so as to make reports and workpapers available for review by FHFA.&#160;</p><p> <strong>II. External Audit Function Oversight</strong></p><p>Rigorous and effective audit committee oversight of external audit functions is critical to secure the benefits of an independent, high-quality audit.&#160; FHFA expects each regulated entity's audit committee to perform this role in accordance with applicable FHFA, SEC, and NYSE requirements.&#160; Further, FHFA expects each audit committee to establish and maintain appropriate charter elements, and well-documented policies where needed, around this oversight role. &#160;Finally, FHFA encourages regulated entities to develop, and audit committees to regularly review and approve for publication, disclosures that provide insight and information to stakeholders about how the committees oversee their external auditors.</p><p>A. Overseeing the External Audit Relationship</p><p>The concepts in this section should be considered when appointing, retaining, or terminating an external auditor.</p><p>1. Monitoring Performance</p><p>Each regulated entity's audit committee should perform and document a comprehensive assessment of the external audit firm's performance at least annually.&#160; As part of the review, the committee should request and review input from audit committee members, management, and internal auditors regarding the performance of the external auditors.&#160; The current external auditor's tenure should be considered as a factor in the assessment.&#160;</p><p>FHFA expects each audit committee to identify and consider Audit Quality Indicators (AQIs) to inform dialogue and discussions with the external auditor. &#160;AQIs are qualitative and quantitative performance metrics to help inform stakeholders, including audit committees, about key conditions or attributes that may contribute to audit quality. &#160;AQIs may be defined at both the auditing firm and the audit engagement team levels.&#160; While there is no regulation or auditing standard requiring firms to report or audit committees to use AQIs, larger auditing firms provide firm-level AQIs and/or similar information to their stakeholders. <a href="#footnote10"> <span style="text-decoration&#58;underline;">[10]</span></a> &#160;FHFA views identifying and assessing AQIs as a best practice in assessing external auditor performance.&#160;</p><p>The audit committee should consider the external auditor's internal quality control procedures, including the auditing firm's processes for performing quality control reviews, when evaluating the external auditor.&#160; The committee should discuss the auditing firm's internal quality control reviews and external PCAOB inspection results with the external auditors as part of their performance assessment. &#160;The committee should pay particular attention to any deficiencies or non-compliance issues identified by the PCAOB or internal reviews that are relevant to their regulated entity's audit.&#160; To aid in this process, the audit committee should request that the external auditor align any PCAOB inspection deficiencies with potential areas of exposure to the audit of the regulated entity.&#160; The audit committee should have a good understanding of how the audit firm is addressing any identified deficiencies, including remediation plans and timetables.</p><p>Auditing firm tenure is not explicitly addressed by FHFA or SEC regulations. &#160;Even if an incumbent auditing firm has performed satisfactorily, FHFA considers it prudent for audit committees to periodically consider, and document their consideration of, the potential costs and benefits of changing or retaining their incumbent auditing firms at least every five years, or more frequently if circumstances warrant. <a href="#footnote11"> <span style="text-decoration&#58;underline;">[11]</span></a> &#160;</p><p>2. Monitoring Independence</p><p>External auditor independence is necessary for a reliable audit. &#160;Therefore, each regulated entity's audit committee should carefully consider regulatory and professional requirements regarding independence in fact and appearance during all phases of the audit engagement. <a href="#footnote12"> <span style="text-decoration&#58;underline;">[12]</span></a>&#160; Independence requirements apply to the external auditing firm, to engagement and concurring partners, and to auditing firm staff and contractors working on the engagement. The audit committee should have a robust process for monitoring and assessing the external auditor's independence, including understanding how the external auditor assesses and monitors independence within the auditing firm.&#160;</p><p>The external auditor's communications to the audit committee regarding independence and the committee's related discussions and decisions regarding the auditor's independence should be appropriately documented.&#160; Arrangements regarding any permissible non-audit services to be provided by the audit firm should be clear and transparent, should not involve contingent compensation other than appropriate arrangements for tax work, and should be pre-approved by the audit committee.&#160; If the committee delegates some of its pre-approval authority to, for example, its Chair, it should subsequently ratify the delegate's approval.&#160;&#160;</p><p>At least annually, the committee should review the nature of all services performed by the external audit firm and assess the relative magnitude of fees and personnel involved.&#160; The committee should then consider establishing safeguards, as needed, to mitigate potential threats to audit independence that may arise as a result of providing these other services.&#160; Further, the audit committee should be informed about and consider business and financial relationships between the auditor and the regulated entity or its officers, directors, or significant shareholders, and about employment of former regulated entity employees by the auditing firm and vice versa, as necessary to identify and address circumstances that could indicate a lack of independence or the appearance thereof.&#160;</p><p> <em>B. Communication with External Auditor and Audit Engagement Letters</em></p><p>Each regulated entity's audit committee and its external auditor should have an open working relationship.&#160; Communications should be frank and robust and should cover the full range of potential topics related to financial reporting and audit risks.&#160; Significant discussions during scheduled audit committee meetings should be clearly documented in committee minutes.&#160; Other relevant substantive discussions should be appropriately documented in audit committee packages or minutes.&#160; Audit committees can promote effective communications by&#58;&#160;</p><ul><li>Maintaining a direct line of communication with the external auditor, including periodic, informal contact by the committee chair and regular executive sessions;</li><li>Requesting periodic involvement of other external audit partners, such as concurring, review, and tax partners at the audit committee meetings; </li><li>Discussing the external auditor's audit risk assessment and audit plan for the regulated entity;</li><li>Discussing with the auditor (and management, as applicable) any new, unusual, or non-standard representations made by management in their management representations letter; and</li><li>Requesting and reviewing insights from audit committee members, management, and internal auditors regarding the performance of the external auditors, at least annually.&#160;</li></ul><p>It is also important for the audit committee to have ongoing communication with the external auditor regarding its audit fees.&#160; One objective of those communications is to provide assurance to the audit committee that negotiations for the fees and the fee arrangements themselves encourage the external auditor to conduct rigorous, high-quality audits and reviews.&#160;</p><p>The engagement letter is the key document defining the relationship between the regulated entity and its external auditor.&#160; FHFA's authority to examine the regulated entities allows it to have access to all regulated entity documents, including accounting records. &#160;FHFA expects regulated entities' external audit engagement letters to be consistent with FHFA's examination authority. &#160;Accordingly, FHFA expects that each regulated entity's engagement letter should&#58;&#160;</p><ul><li>Provide that the external auditor may, upon FHFA's request, provide FHFA with access to the senior audit partners on the engagement and any other personnel whom such partners deem necessary, as well as to the external auditor's working papers prepared in the course of performing the services set forth in the engagement letter, and that such access to the external auditor may be without regulated entity personnel in attendance;</li><li>Not contain any provisions that would be characterized as unsafe and unsound under the “Interagency Advisory on the Unsafe and Unsound Use of Limitation of Liability Provisions in External Audit Engagement Letters&quot;;<a href="#footnote13"><span style="text-decoration&#58;underline;">[13]</span></a> and</li><li>Provide that the external auditor, without the approval of the regulated entity, may meet with FHFA with such frequency and about such matters as determined by FHFA, and may provide reports or other communications arising from the audit engagement directly to FHFA.</li></ul><p> <em>C. Audit Committee Transparency</em></p><p>FHFA regulations and guidelines require that the audit committees for the regulated entities review their charters annually and that the boards of directors reapprove them at least every three years. <a href="#footnote14"> <span style="text-decoration&#58;underline;">[14]</span></a> &#160;&#160;FHFA's regulated entities regularly publish their audit committee charters.&#160; Besides serving as the committee's roadmap to help ensure that it fulfills all of its duties and obligations, a well-drafted charter can provide outside readers with insights on the committee's governance and functions.&#160;</p><p>Under the PCAOB standards, auditor tenure is now a required element of the independent auditor's report.&#160; Also, critical audit matters—which are matters that have been communicated to the audit committee, are related to accounts or disclosures that are material to the financial statements, and involved especially challenging, subjective, or complex auditor judgment—must be reported by the auditor beginning in the next few years. <a href="#footnote15"> <span style="text-decoration&#58;underline;">[15]</span></a>&#160; While this reporting is the responsibility of public companies' external auditors, we believe that these requirements evidence increased demand by financial statement users for information on audits and audit governance.&#160;&#160;</p><p>While effective audit committee oversight of and engagement with the external auditor are keys to obtaining a high-quality audit, there are no formal rules or standards that require those topics to be reported to shareholders. &#160;That said, industry studies confirm an increasing trend among public companies to make enhanced voluntary disclosures about their audit committees' oversight of the external audit function. &#160;Examples include disclosures about the factors that the audit committee considers when appointing or retaining an external auditor, the role of the audit committee in fee negotiations and compensation, the length of time the auditor has been engaged, whether evaluations of the auditing firm are done annually, and audit partner selection and rotation. <a href="#footnote16"> <span style="text-decoration&#58;underline;">[16]</span></a>&#160;</p><p>FHFA encourages each regulated entity's audit committee to consider providing such voluntary disclosures regarding its role in supporting a quality audit. &#160;The audit committee should remain aware of industry trends and developments regarding audit committee transparency and should work to provide the regulated entity's stakeholders with relevant information regarding their activities to the extent practicable.&#160;</p><p> <strong>III. Annual Review by Audit Committee</strong></p><p>At least annually, each regulated entity's audit committee should review, with any appropriate professional assistance, the committee's performance in light of the requirements of laws, rules, and regulations that are applicable to its activities and duties.&#160; The committee should also assess whether it is operating consistent with applicable regulatory guidance.&#160; The audit committee should provide the FHFA Chief Accountant with the materials and procedures employed in such review, as well as the final report. &#160;The review may be done as part of a committee self-assessment, an outside review, or a combination of approaches.&#160;</p><p> <strong>Related Regulations and Guidance</strong></p><p>12 CFR Part 1236 and Appendix – Prudential Management and Operations Standards&#160;</p><p>12 CFR Part 1239 – Responsibilities of Boards of Directors, Corporate Practices and Corporate Governance Matters&#160;</p><p>12 CFR Part 1273 – Office of Finance&#160;</p><p>12 CFR Part 1274 – Financial Statements of the Banks&#160;</p><p>Securities and Exchange Commission Guidance Regarding Management's Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934, 72 Fed. Reg. 35324 (June 27, 2007) (codified at 17 CFR Part 241)</p><p>Securities and Exchange Commission Rule 10A-3&#58; Listing Standards Relating to Audit Committees (National Securities Exchanges), 17 CFR § 240.10A-3</p><p>Securities and Exchange Commission Rule Reg. S-X&#58; Form and Content of and Requirements for Financial Statements, Securities Act of 1933, Securities Exchange Act of 1934, Investment Company Act of 1940, Investment Advisers Act of 1940, and Energy Policy and Conservation Act of 1975 (Qualifications and Reports of Accountants), 17 CFR § 210.2-01 through -07</p><p>Securities and Exchange Commission Rule Reg. S-K&#58; Standard Instructions for Filing Forms under Securities Act of 1933, Securities Exchange Act of 1934 and Energy Policy and Conservation Act of 1975, 17 CFR Part 229</p><p>Public Company Accounting Oversight Board Rule 3526&#58; Auditor Communications with Audit Committees Concerning Independence</p><p>NYSE, Inc., Listed Company Manual, § 303A (Corporate Governance Standards) (2018)</p><p> <br>&#160;</p><hr width="25%" align="left" /><p> <a name="footnote1"><span style="text-decoration&#58;underline;">[1]</span></a>&#160;The OF is not a “regulated entity&quot; as the term is defined by 12 U.S.C. 4502(20), but for convenience, references to the “regulated entities&quot; in this AB should be read to also apply to the OF as regards its roles in issuing combined financial reports and engaging the external auditor for those reports, and to regulated entities' affiliates as regards their roles, if any, in issuing public financial reports and in engaging external auditors.</p><p> <a name="footnote2"><span style="text-decoration&#58;underline;">[2]</span></a>&#160;Duties of FHLBank audit committees are described in 12 CFR 1239.32. Duties of the OF audit committee are described in 12 CFR 1273.9. Part 1239 stipulates that the duties and responsibilities of Enterprise audit committees are set forth under rules issued by the New York Stock Exchange, and further requires that those committees comply with requirements set forth under section 301 of the Sarbanes-Oxley Act, 15 U.S.C.§ 78j-1(f). The Prudential Management and Operations Standards set forth in the Appendix to 12 CFR Part 1236 also include standards applicable to the audit committees of the FHLBanks and Enterprises.</p><p> <a name="footnote3"> <span style="text-decoration&#58;underline;">[3]</span></a><em>&#160;See </em>12 CFR 1274.2(c).</p><p> <a name="footnote4"> <span style="text-decoration&#58;underline;">[4]</span></a><em>&#160;See </em>12 CFR 1274.2(c).</p><p> <a name="footnote5"> <span style="text-decoration&#58;underline;">[5]</span></a><em>&#160;See </em>12 CFR 1274.2(d), (e).</p><p> <a name="footnote6"> <span style="text-decoration&#58;underline;">[6]</span></a><em>&#160;See </em>12 CFR Part 1236, Appendix (Standard 10.1) and 12 CFR 1273.6(b) (2).</p><p> <a name="footnote7"> <span style="text-decoration&#58;underline;">[7]</span></a> SEC Exchange Act Rule 13a-15(f) defines the term “internal control over financial reporting&quot; as&#58; a process designed by, or under the supervision of, the issuer's principal executive and principal financial officers, or persons performing similar functions, and effected by the issuer's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that&#58;</p><ol><li>Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer;</li><li>Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer; and</li><li>Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer's assets that could have a material effect on the financial statements.</li></ol><p> <em>See </em>17 CFR 240.13a-15(f).</p><p> <a name="footnote8"> <span style="text-decoration&#58;underline;">[8]</span></a> For the OF, this refers to the ICFR over the OF's process for producing the FHLBanks' combined financial reports.&#160;</p><p> <a name="footnote9"> <span style="text-decoration&#58;underline;">[9]</span></a> On comparability and consistency, see FASB Statement of Financial Accounting Concepts No. 8 as amended August 2018.</p><p> <a name="footnote10"> <span style="text-decoration&#58;underline;">[10]</span></a> See Center for Audit Quality, “Audit Quality Indicators&#58;&#160; The Journey and Path Ahead,&quot; Jan. 12, 2016.</p><p> <a name="footnote11"> <span style="text-decoration&#58;underline;">[11]</span></a> The FHLBanks and the OF, in light of the FHLBank System's requirement to issue combined financial statements, have historically engaged the same external audit firm.&#160; Therefore, they undertake external auditor performance reviews and decisions on which audit firm to engage jointly.</p><p> <a name="footnote12"> <span style="text-decoration&#58;underline;">[12]</span></a> The external auditor must meet the requirements of independence set forth by the PCAOB Auditing Standard 1005 and in the SEC regulations at 17 CFR § 210.2-01.&#160;</p><p> <a name="footnote13"> <span style="text-decoration&#58;underline;">[13]</span></a> 71 Fed. Reg. 6847 (Feb. 9, 2006).</p><p> <a name="footnote14"> <span style="text-decoration&#58;underline;">[14]</span></a><em>&#160;See </em>12 CFR Part 1236, Appendix (Prudential Management and Operations Standard 2.2) (regulated entity boards); 12 CFR 1239.32(d) (1), (2) (Bank audit committees and boards of directors); 12 CFR 1273.9(c) (1) (i), (ii) (Office of Finance). Enterprise boards of directors must adopt a written charter for each board committee and comply with the committee requirements of the NYSE rules and section 301 of the Sarbanes-Oxley Act, 15 U.S.C. § 78j-1. <em>See </em>12 CFR 1239.5(b). Neither those incorporated provisions nor the regulation itself imposes any requirements with respect to the review or re-approval of committee charters.</p><p> <a name="footnote15"> <span style="text-decoration&#58;underline;">[15]</span></a><em>&#160;See </em>PCAOB Auditing Standard 3101.</p><p> <a name="footnote16"> <span style="text-decoration&#58;underline;">[16]</span></a><em>&#160;See </em>2018 Audit Committee Transparency Barometer prepared by the Center for Audit Quality and by Audit Analytics (November 2018).</p><p> <em>&#160; </em></p> <em> <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities. Questions about this advisory bulletin should be directed to <a href="mailto&#58;SupervisionPolicy@FHFA.gov">SupervisionPolicy@FHFA.gov</a>. </p></td></tr></tbody></table> <p>&#160;</p></em>8/20/2020 5:00:54 PMHome / Supervision & Regulation / Advisory Bulletins / Financial Reporting and Disclosure and External Audit Advisory Bulletin AB 2020-04: FINANCIAL REPORTING AND DISCLOSURE 1472https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Guidance on the Use of Proxies28094FHL Banks7/20/2020 4:00:00 AMAB 2020-03<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>​ADVISORY BULLETIN</strong></p><p> <strong>AB 2020-03&#58; GUIDANCE ON THE USE OF PROXIES FOR DETERMINING THE INCOME OF SUBSEQUENT PURCHASERS OF OWNER-OCCUPIED UNITS SOLD BY AHP-ASSISTED HOUSEHOLDS DURING THE AHP RETENTION PERIOD </strong></p></td></tr></tbody></table><p> <em style="text-decoration&#58;underline;"> <em> <strong>​Purpose</strong></em></em></p><p>This Advisory Bulletin (AB) contains guidance, pursuant to the Affordable Housing Program (AHP) regulation, on the Federal Home Loan Banks’ (FHLBanks) or their designees’ use of proxies for determining whether the subsequent purchaser of an owner-occupied unit sold, transferred, or assigned by an AHP-assisted household during the AHP five-year retention period is low- or moderate-income (LMI). Specifically, the guidance provides for the use of a proxy based on the U.S. Department of Housing and Urban Development’s (HUD) HOME Investment Partnerships Program (HOME) and Housing Trust Fund (HTF) homeownership value limits for existing housing. The AB also discusses the option for FHLBanks to adopt an alternative proxy or proxies that are reliable indicators that the subsequent purchaser is LMI. In addition, the AB provides guidance on documentation requirements as well as content of a FHLBank’s AHP Implementation Plan.</p><p style="text-decoration&#58;underline;"> <strong><em>Background</em></strong></p><p>The Federal Housing Finance Agency’s (FHFA) AHP regulation provides that, for each household that receives AHP subsidy for purchase, for purchase in conjunction with rehabilitation, or for construction of an owner-occupied unit, the unit must be subject to a retention agreement. <a href="#footnote1">[1]</a> The retention agreement must provide that, if the AHP-assisted household sells, transfers, or assigns (hereafter referred to as &quot;sells,&quot; for ease of reading) the unit within five years of closing on the unit, the FHLBank is to be repaid a pro rata portion of the AHP subsidy from any net proceeds realized by the household minus the household’s investment, subject to certain exceptions. <a href="#footnote2">[2]</a> One such exception is when the AHP-assisted household sells the unit to a LMI household, i.e., a household with income at or below 80 percent of the area median income (AMI). <a href="#footnote3">[3]</a> This exception predates the 2018 AHP final rule. <a href="#footnote4">[4]</a> Because subsequent purchasers of units sold by AHP-assisted households are under no obligation to provide income documentation to the FHLBanks or their designees for purposes of determining the AHP-assisted household’s AHP subsidy repayment obligation, it has been difficult for FHLBanks and their designees to determine subsequent purchasers’ actual incomes and, therefore, whether this subsidy repayment exception applies. Accordingly, FHFA requested comments in the 2018 AHP proposed rule preamble on potential geographically-based and person-based proxy approaches for determining subsequent purchaser income. </p><p>After reviewing the comments received on the proposed rule, FHFA determined in the 2018 AHP final rule that the use of proxies for determining subsequent purchaser income would facilitate the FHLBanks’ implementation of the LMI subsequent purchaser exception.<a href="#footnote5"> [5]</a> Accordingly, the final rule revised the regulation to provide for the use of proxies pursuant to guidance to be issued by FHFA for determining a subsequent purchaser’s income. Specifically, the final rule provides that for any sale by an AHP-assisted household of an owner-occupied unit after a date established by FHFA in the guidance, a FHLBank or its designee must determine the subsequent purchaser’s income using one or more proxies that are reliable indicators of the subsequent purchaser’s income, which may be selected by the FHLBank pursuant to the guidance, unless documentation demonstrating the subsequent purchaser’s actual income is available.<a href="#footnote6"> [6]</a> This AB contains the guidance referenced in the final rule on the use of proxies for this purpose. </p><p style="text-decoration&#58;underline;"> <em> <strong>Guidance</strong></em></p><p> <span style="text-decoration&#58;underline;">The Proxy&#58; HUD HOME and HTF Homeownership Value Limits for Existing Housing </span></p><p>FHFA has determined that the sale of an owner-occupied unit by an AHP-assisted household at a price that is at or below the applicable HUD HOME and HTF homeownership value limit for existing housing (hereinafter &quot;value limit&quot;) is a reliable indicator that the subsequent purchaser of the unit is LMI.<a href="#footnote7"> [7]</a> In reaching this conclusion, FHFA analyzed Home Mortgage Disclosure Act (HMDA) data which indicates that, in 2018, approximately 58 percent of national HMDA-reported home sales at or below the applicable value limit were to LMI purchasers. Significantly, in the ten states in which the greatest number of AHP owner-occupied subsidies under the FHLBanks’ competitive application programs and homeownership set-aside programs were awarded in 2018, over 65 percent of such sales were to LMI purchasers. </p><p>FHFA also analyzed the 2018 HMDA income data to determine the percentage of homebuyers who purchased a home above the applicable value limit that were LMI. FHFA found that only 14.6 percent of 2018 HMDA homebuyers who purchased a home above the applicable value limit were LMI, making it relatively unlikely that applying the HOME and HTF price limits as a proxy would be under-inclusive of low-and-moderate income subsequent purchasers. </p><p>Because proxies are approximations, no proxy can definitively determine the income of a subsequent purchaser. FHFA acknowledges this limitation of proxies generally, and the possibility that any proxy based on house sales price might fail to fully account for gentrification of areas in which the home is located, as noted by some commenters on the proposed rule. In rapidly gentrifying areas, a comparatively higher percentage of non-LMI purchasers may purchase homes at or below the value limit than in areas experiencing lower rates of gentrification. </p><p>However, as noted above, the data generally suggest that house sales price at or below the applicable value limit reliably indicates that the subsequent purchaser is LMI. This proxy indicates subsequent purchaser LMI status even more reliably when the review analyzes the ten states with the highest number of AHP owner-occupied subsidies historically. </p><p>In addition, although FHFA’s priority in selecting a proxy is identifying one that reliably indicates subsequent purchaser income, FHFA has selected one that, as applied to AHP-assisted households, weighs in favor of allowing households to retain AHP subsidy and thereby enjoy the full benefits of homeownership. FHFA analyzed data available under the FHLBanks’ homeownership set-aside programs to determine the likelihood that any particular AHP-assisted household would be required to repay AHP subsidy under the value limits proxy. In 2018, only 7.7 percent of AHP-assisted households who received set-aside grants in connection with purchase purchased their homes at a price greater than the applicable value limit, which suggests that the large majority of home sales by AHP-assisted households will qualify for the LMI subsequent purchaser exception under this proxy. <a href="#footnote8">[8]</a> </p><p style="text-decoration&#58;underline;">Implementing the Proxy</p><p>The FHLBanks or their designees may use the value limits, posted on the HUD Exchange, as a proxy for determining whether the exception to the AHP subsidy repayment requirement for sales to subsequent LMI purchasers applies. HUD calculates and posts the value limits annually on the HUD Exchange website. FHFA will also post the value limits on its website and notify the FHLBanks when new annual value limits are available. </p><p>However, if a FHLBank or its designee has documentation demonstrating the subsequent purchaser’s actual income, the FHLBank may not apply the value limits proxy or any other proxy to determine subsequent purchaser income. If neither the FHLBank nor its designee has such documentation, and the FHLBank elects to apply the value limits proxy, the FHLBank or its designee must use the value limits in effect at the time the AHP-assisted household sells its unit during the AHP five-year retention period. The FHLBank or its designee will determine the applicable value limit based on the specific county where the unit is located and the size of the unit (i.e., 1-unit, 2-unit, 3-unit, or 4-unit). The FHLBank or its designee will then compare the price at which the AHP-assisted household sold the unit to that value limit. If the sales price is less than or equal to the value limit, the subsequent purchaser is regarded as LMI under the value limits proxy. If the sales price is more than the applicable value limit, the subsequent purchaser is not regarded as LMI under the value limits proxy. The FHLBank or its designee must document its determinations under the value limits proxy.</p><p style="text-decoration&#58;underline;">Alternative Bank Proxies</p><p>In lieu of or in addition to the value limits proxy, a FHLBank may, in its discretion, adopt an alternative proxy or proxies that are reliable indicators that the subsequent purchaser of an owner-occupied unit sold by an AHP-assisted household is LMI. The FHLBank should retain documentation and data that provide a sufficient basis for the adoption of the alternative proxy or proxies, including an explanation of how the proxy or proxies reliably indicate(s) that the subsequent purchaser is LMI. In addition, as with application of the value limits proxy, the FHLBank should document its determinations under an alternative proxy for each subsequent purchaser’s income. </p><p style="text-decoration&#58;underline;">AHP Implementation Plans</p><p>The FHLBanks must ensure that their AHP Implementation Plans include the specific proxy or proxies they have chosen to adopt pursuant to this AB. <a href="#footnote9">[9]</a> If a FHLBank adopts more than one proxy, its AHP Implementation Plan must include the policies determining which proxy or set of proxies will be applied in any particular circumstance. If these policies provide for the application of more than one proxy per sale, they must specify how conflicting determinations of subsequent purchaser LMI income will be resolved. <a href="#footnote10">[10]</a> </p><p style="text-decoration&#58;underline;">Effective Date</p><p>This AB is effective for any sale of an owner-occupied unit by an AHP-assisted household that occurs on or after January 1, 2021 and is during the unit’s AHP five-year retention period. However, FHFA strongly encourages the FHLBanks to implement this AB before that date as practicable. </p><p>&#160;</p><hr width="25%" align="left" /><p> <a name="footnote1"> <span style="text-decoration&#58;underline;">[1]</span></a> 12 CFR 1291.23(d)(1); 1291.42(e); 1291.15(a)(7); <em>see also Questions and Answers on the November 28, 2018 Final Rule--Part I (July 2019)</em>, available at fhfa.gov. </p><p> <a name="footnote2"> <span style="text-decoration&#58;underline;">[2]</span></a> 12 CFR 1291.15(a)(7)(v); 1291.1 (par. (1) of the definition of &quot;retention period&quot;). </p><p> <a name="footnote3"> <span style="text-decoration&#58;underline;">[3]</span></a> 12 CFR 1291.15(a)(7)(ii)(B); 1291.1 (definition of &quot;low- or moderate-income household&quot;).&#160; </p><p> <a name="footnote4"><span style="text-decoration&#58;underline;">[4]</span></a> 12 CFR 1291.9(a)(7)(ii)(B) (Jan. 1, 2018 edition). </p><p> <a name="footnote5"> <span style="text-decoration&#58;underline;">[5]</span></a> 83 Fed. Reg. 61186, 61204 (Nov. 28, 2018). </p><p> <a name="footnote6"><span style="text-decoration&#58;underline;">[6]</span></a> 12 CFR 1291.15(a)(7)(ii)(B). </p><p> <a name="footnote7"> <span style="text-decoration&#58;underline;">[7]</span></a> For more information on these value limits, how they are derived, and their function in the applicable HUD programs, see the HOME and HTF program pages on the HUD Exchange website at www.hudexchange.info. </p><p> <a name="footnote8"> <span style="text-decoration&#58;underline;">[8]</span></a><em>&#160;</em>FHFA does not collect the prices at which competitive application program subsidy recipients purchase or sell their homes. FHFA also does not collect the prices at which homeownership set-aside program subsidy recipients purchase their homes, unless the subsidy is used in connection with purchase (e.g., down payment assistance). In 2018, 68 percent of all AHP owner-occupied subsidies were awarded through set-aside programs, and 92 percent of set-aside subsidies were used in connection with purchase. </p><p> <a name="footnote9"> <span style="text-decoration&#58;underline;">[9]</span></a> 12 CFR 1291.15(a)(7)(ii)(B). </p><p> <a name="footnote10"> <span style="text-decoration&#58;underline;">[10]</span></a>&#160;12 CFR 1291.13(b)(6).&#160;&#160;&#160;&#160;&#160;&#160;&#160;</p><p> <em>&#160; </em></p> <em> <p>&#160;</p> <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure that the regulated entities carry out their missions consistently with the provisions and purposes of FHFA's statute and the regulated entities' authorizing statutes. Advisory Bulletins describe supervisory expectations in particular areas and are used in FHFA examinations of the regulated entities. For comments or questions pertaining to this Advisory Bulletin, contact Ted Wartell at <a href="mailto&#58;Ted.Wartell@fhfa.gov">Ted.Wartell@fhfa.gov</a> or by phone at 1-202-649-3157; or Tiffani Moore at <a href="mailto&#58;Tiffani.Moore@fhfa.gov">Tiffani.Moore@fhfa.gov</a> or by phone at 1-202-649-3304. </p></td></tr></tbody></table> <p>&#160;</p></em> <p>&#160;</p>7/20/2020 8:58:52 PMHome / Supervision & Regulation / Advisory Bulletins / Guidance on the Use of Proxies Advisory Bulletin AB 2020-03: GUIDANCE ON THE USE OF PROXIES FOR DETERMINING THE INCOME 1388https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Board Diversity27914FHL Banks7/9/2020 4:00:00 AMAB 2020-02<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>​ADVISORY BULLETIN</strong></p><p> <strong>AB 2020-02&#58; <strong>Board Diversity</strong></strong></p></td></tr></tbody></table><p> <em style="text-decoration&#58;underline;"><em><strong>​</strong></em></em></p><p> <em style="text-decoration&#58;underline;"> <em> <strong>Purpose</strong></em></em></p><p>This Advisory Bulletin (AB) applies to the Federal Home Loan Banks (Banks) and the Banks’ Office of Finance (OF) (collectively, the System). The AB provides guidance on the diversity and inclusion (D&amp;I) program oversight responsibilities of the System’s boards of directors (Board). The AB addresses D&amp;I programs required of the System and for which the Boards should exercise appropriate oversight. To meet oversight obligations, the Board should become familiar with the legal concepts related to D&amp;I, its administration by the System, the role of the Federal Housing Finance Agency (FHFA or Agency) related to statutory and regulatory authorities and expectations related to D&amp;I.</p><p style="text-decoration&#58;underline;"> <strong> <em>Background</em></strong></p><p>Congress adopted provisions regarding D&amp;I for regulated entities and FHFA as section 1116 of the Housing and Economic Recovery Act of 2008. 12 U.S.C. § 4520. The statute required the regulated entities to create an office or designate an office to carry out the section focused on diversity in management, employment, and business activities in accordance with standards and requirements as the Director of FHFA would establish. In December 2010, FHFA adopted a final rule implementing the law, at 12 CFR Part 1223, for its respective regulated entities. The regulation included a requirement to encourage the consideration of diversity in nominating or soliciting nominees for positions on the Board of Directors of each regulated entity. 12 CFR 1223.21(b)(7). </p><p>Formal D&amp;I supervision of the regulated entities began after the FHFA Office of Minority and Women Inclusion (OMWI) performed baseline reviews of their D&amp;I programs in 2015 and 2016 <a href="#footnote1">[1]</a>.</p><p>In 2015, the Agency amended the regulation to require each Bank and the OF to report annually on demographic information related to their Boards. 12 CFR 1223.23(b)(10)(i). Subsequently, the Agency developed and implemented a D&amp;I Examination Module that became effective on January 1, 2017 <a href="#footnote2">[2]</a>. In July 2017, FHFA finalized regulation amendments requiring the regulated entities, among other things, to adopt strategic plans to promote and ensure the inclusion of minorities, women, and individuals with disabilities in their workforce at all levels of the organization, as well as minority-, women-, and disabled-owned businesses in their contracting activities and financial activities. 12 CFR 1223.21(d). Consistent with FHFA’s corporate governance regulation, 12 CFR 1239.4(a), the Board has ultimate responsibility for its regulated entity’s achievement of the requirements of the regulation.&#160;</p><p style="text-decoration&#58;underline;"> <em><strong>Guidance</strong></em></p><p> <strong>Board Oversight </strong> </p><p>Each Board of Directors is responsible for oversight of the entity’s respective D&amp;I programs in their entirety, which includes setting the strategic goals and ensuring the appropriate management “tone at the top.” Each Board should oversee the entity’s D&amp;I program through review of its efforts as evidenced in reports provided by management, including the Chief Executive Officer and OMWI Officer. Such reports should include information and data on D&amp;I strategic goals; resource adequacy (human, technological, and financial); and integration of contractual parties with the entity’s businesses and activities. <br>To address management activities regarding D&amp;I, directors must have ongoing familiarity with D&amp;I requirements and pay due attention to the entity’s D&amp;I efforts and accomplishments. The Board should seek to assure itself that the entity’s D&amp;I program is conducted in line with statutory and regulatory requirements to promote diversity and ensure inclusion. The Board should expect ongoing reporting regarding the entity’s initiatives as well as D&amp;I accomplishments, progress, or challenges for the entity in areas identified by statute and regulation. </p><p> <strong>Board Directors — Effective Oversight</strong></p><p> In order to facilitate effective oversight of the D&amp;I program, the Board should be provided sufficient information on an ongoing basis on D&amp;I obligations and progress to oversee effectively the entity’s D&amp;I programs. The Board should assure that the reporting by management and the OMWI Officer is in line with law and regulation. If necessary, the Board should seek such external assistance, as it may require, to review, understand, and provide input on the entity’s D&amp;I program. The Board should consider, as well, efforts to enhance diversity among its membership in line with law and regulation.</p><p>With respect to Board skills assessments, FHFA notes the following areas of D&amp;I law, regulation, and programs that should be familiar to directors and be part of routine reporting by the management of each entity in the System&#58; </p><ol><li>Diversity. Ability to assess whether the management of each entity in the System seeks to promote D&amp;I based on its experience working with minorities, women, and individuals with disabilities and in seeking the skill sets from a diverse group for employment and contracting.&#160;</li><li>Equal Opportunity Principles. An understanding of fundamental equal employment opportunity and D&amp;I principles.</li><li>Managing Diversity Programs and Initiatives. The Board should be able to assess whether each entity’s management and OMWI Officer have the requisite ability to develop initiatives and to deploy programs that support inclusion of diverse populations in employment and contracting. Such assessment should be founded on reports with usable standards and metrics.&#160;</li><li>Change Management. The Board should be able to assess management and the OMWI Officer leading organizational development and corporate communication and facilitate outreach and new projects with various stakeholders internal or external to the regulated entity.&#160;</li><li>Strategic Leadership. The Board should adopt and communicate D&amp;I objectives.<br></li></ol><p> <strong>Enhancing Board Oversight</strong></p><p>Each Bank and the OF may conduct an annual assessment of skills and experience possessed by the members of its Board as a whole and may determine whether the capabilities of the Board would be enhanced through the addition of individuals with particular skills and experience. Board D&amp;I experience and knowledge should be included in any such Board assessments. The Board or its corporate governance committee should oversee the implementation of recommendations arising from Board self-assessments. As part of its oversight duties, the corporate governance committee also may identify skills and expertise gaps among the members of the Board and may recommend that the Bank or OF indicate that it seeks persons with those skills as nominees for directorship positions. In addition, the Board should implement training for existing Board members to develop or enhance their ability to meet their obligations to oversee the entity’s D&amp;I obligations.</p><p style="text-align&#58;left;"> <strong>Board Diversity</strong></p><p>A Board's efforts to develop, maintain, and sustain a diverse Board should be a combination of seeking diverse representation on, and providing support to, the Board to meet its D&amp;I oversight responsibilities. &#160;This requires the Board to articulate its role in performing D&amp;I oversight.&#160; At the same time, promoting diversity of the Board itself should be encouraged by the Board through communication of the Bank or OF's obligations under law and regulation and the value of fostering opportunities for diverse candidates for Board service to assist in this oversight responsibility. </p><p style="text-align&#58;left;">Boards may seek to increase director diversity by requiring the Bank or OF to communicate to members its goals of identifying potential diverse candidates.&#160; Boards may engage search firms for identifying potential independent director nominees, as appropriate, and taking such other steps as may promote diversity.&#160; &#160;</p><p style="text-align&#58;left;">&#160;</p><hr width="25%" align="left" /><p> <a name="footnote1">[1]</a> On December 19, 2012, FHFA issued Advisory Bulletin (AB) 2012-03, which implemented the Agency’s decision to include D&amp;I as a criterion in rating the Management component of CAMELSO.&#160; AB 2012-03 provides&#58;</p><blockquote dir="ltr"><p>MANAGEMENT – When rating a regulated entity's management, examiners determine the capability and willingness of the board of directors and management, in their respective roles, to identify, measure, monitor, and control the risks of the regulated entity's activities and to ensure that the regulated entity's safe, sound and efficient operations are in compliance with applicable laws and regulations. When making this determination, examiners assess&#58;</p></blockquote><ul><li><p>the regulated entity's compliance with laws and regulations, including Prudential Management and Operational Standards (PMOS), Office of Minority and Women Inclusion (OMWI) and relevant provisions of the Dodd-Frank Act[.]</p></li></ul><p> <em>See&#58; </em><a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/FHFA_AB_2012-03.pdf">https&#58;//www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/FHFA_AB_2012-03.pdf</a>.&#160; CAMELSO stands for Capital, Asset Quality, Management, Earnings, Liquidity, Sensitivity to Market Risk, and Operational Risk.&#160; </p><p> <a name="footnote2">[2]</a> The manual is available at&#58; <a href="/SupervisionRegulation/ExaminerResources/Documents/062717-OMWI-Exam-Module.pdf">https&#58;//www.fhfa.gov/SupervisionRegulation/ExaminerResources/Documents/062717-OMWI-Exam-Module.pdf</a> &#160;</p>&#160;&#160;&#160;&#160;&#160;&#160; <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"> <font color="#000000" face="Times New Roman" size="3"> </font> <p> FHFA has statutory responsibility to ensure that the regulated entities carry out their missions consistently with the provisions and purposes of FHFA's statute and the regulated entities' authorizing statutes.&#160; Advisory Bulletins describe supervisory expectations in particular areas and are used in FHFA examinations of the regulated entities.&#160; For comments or questions pertaining to this Advisory Bulletin, contact Sharron Levine at <a> </a><a href="mailto&#58;Sharron.Levine@fhfa.gov">Sharron.Levine@fhfa.gov</a>&#160;or James Jordan at <a> </a><a href="mailto&#58;James.Jordan@fhfa.gov">James.Jordan@fhfa.gov</a>.&#160;</p> <font color="#000000" face="Times New Roman" size="3"> </font></td></tr></tbody></table><p>&#160;</p>7/9/2020 1:54:55 PMHome / Supervision & Regulation / Advisory Bulletins / Board Diversity Advisory Bulletin This Advisory Bulletin (AB) applies to the Federal Home Loan Banks (Banks) and the 1510https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Acquired Member Assets Risk Management30323FHL Banks1/31/2020 5:00:00 AMAB 2020-01<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>​ADVISORY BULLETIN</strong></p><p> <strong>AB 2020-01&#58; ACQUIRED MEMBER ASSETS RISK MANAGEMENT</strong></p></td></tr></tbody></table><p> <em style="text-decoration&#58;underline;"><em><strong>​Purpose</strong></em></em></p><p>This Advisory Bulletin (AB) provides Federal Housing Finance Agency (FHFA) guidance regarding a Federal Home Loan Bank's (Bank) risk management of Acquired Member Assets (AMA), including FHFA's expectations that Bank boards of directors establish certain limits. &#160;The Banks should be able to demonstrate their progress toward adherence to this guidance by September 30, 2020 and should have final limits in place by December 31, 2020.&#160; </p><p style="text-decoration&#58;underline;"> <strong> <em>Background</em></strong></p><p>The mission of the Banks is to provide to their members and housing associates financial products and services that assist and enhance such members' and housing associates' financing of housing and community lending.<a href="#footnote1"><span style="text-decoration&#58;underline;">[1]</span></a>&#160; Similar to taking an advance, when a member sells eligible mortgage loans to a Bank, the Bank serves as a funding source for the member's housing finance lending.&#160;&#160;&#160;&#160;&#160; </p><p>FHFA regulations and guidance related to AMA embody the principles that the Banks must acquire AMA safely and soundly and in a manner that is consistent with the Banks' mission.&#160; Sound governance of AMA programs is critical to safety and soundness and should include the establishment of limits to control the risks inherent in owning mortgage loans.&#160; AMA programs should at the same time fulfill the affordable housing mission requirements articulated in the Bank housing goals.&#160; The guidance in this Advisory Bulletin highlights FHFA's supervisory expectations with respect to sound risk management practices and how they relate to AMA. </p><p style="text-align&#58;left;"> <span style="text-decoration&#58;underline;">Regulatory Environment</span></p><p style="text-align&#58;left;">The following provides a summary of some of the regulation and guidance for governance and AMA.</p><ul style="list-style-type&#58;disc;"><li> <em>Responsibilities of Boards of Directors, Corporate Practices, and Corporate Governance Regulation.</em><em>&#160; </em>This regulation provides that the management of each regulated entity shall be by or under the direction of its board directors.&#160; It states, “the ultimate responsibility of each entity's board of directors for that entity's oversight is non-delegable.&quot;<a href="#footnote2"><span style="text-decoration&#58;underline;">[2]</span></a> &#160;Included in the responsibilities of each Bank's board of directors is the establishment of a risk management program that aligns with the Bank's risk appetite and that each of the Bank's business lines has appropriate risk limitations.<a href="#footnote3"><span style="text-decoration&#58;underline;">[3]</span></a><em></em></li></ul><ul style="list-style-type&#58;disc;"><li> <em>Prudential Management and Operating Standards (PMOS) Regulation.</em>&#160; FHFA addresses limits on investments and management of assets in its PMOS regulation, the appendix to which establishes eleven standards as guidelines, including Standard 6 (Management of Asset and Investment Portfolio Growth), Standard 7 (Investments and Acquisitions of Assets), and Standard 9 (Management of Credit and Counterparty Risk).<a href="#footnote4"><span style="text-decoration&#58;underline;">[4]</span></a>&#160;&#160; The failure to meet any of the PMOS may constitute an unsafe or unsound practice for purposes of FHFA's administrative enforcement authority.<a href="#footnote5"><span style="text-decoration&#58;underline;">[5]</span></a>&#160; If FHFA determines that a Bank has failed to meet a standard, it also may require the Bank to submit a corrective plan.<a href="#footnote6"><span style="text-decoration&#58;underline;">[6]</span></a><br></li><li> <em>AMA Regulation</em>. &#160;FHFA's AMA regulation prescribes the parameters within which the Banks may purchase mortgage loans from members and housing associates (known as participating financial institutions or PFIs).&#160; The core of the AMA rule is a three-part test, the first and second parts of which focus on asset eligibility and member nexus, respectively.&#160; The third part focuses on the transactions through which a Bank acquires AMA – specifically, credit risk-sharing.<a href="#footnote7"><span style="text-decoration&#58;underline;">[7]</span></a>&#160;&#160;&#160; <br></li><li> <em>Core Mission Achievement Advisory Bulletin</em>.&#160; FHFA's Core Mission Achievement Advisory Bulletin describes AMA, along with advances, as “Primary Mission Assets,&quot; which are fundamental to the business of a Bank and most directly contribute to its mission.<a href="#footnote8"><span style="text-decoration&#58;underline;">[8]</span></a>&#160; It states, “[b]ecause a portfolio of residential mortgage loans presents risks not present with advances, FHFA expects that each Bank's board of directors will establish a prudential limit on its maximum holding of AMA, which should be governed by the Bank's ability to manage the risks inherent in holding mortgages.&quot;&#160; FHFA included similar language in the preamble to the final AMA rule<a href="#footnote9"><span style="text-decoration&#58;underline;">[9]</span></a> and in the AMA Price Risk Governance Advisory Bulletin.<a href="#footnote10"><span style="text-decoration&#58;underline;">[10]</span></a>&#160; </li></ul><ul style="list-style-type&#58;disc;"><li> <em>AMA Price Risk Governance Advisory Bulletin.</em>&#160; FHFA's AMA Price Risk Governance Advisory Bulletin describes the practices a Bank should employ, through management and controls, to mitigate its exposure to AMA price risk.&#160; AMA price risk, for purposes of the Advisory Bulletin, is the risk that the price the Bank pays for an AMA mortgage loan is too high relative to intrinsic value based on prevailing and forecasted market conditions at the time of acquisition.<a href="#footnote11"><span style="text-decoration&#58;underline;">[11]</span></a><br></li><li> <em>Bank Housing Goals Regulation</em>.&#160; FHFA's Housing Goals regulation establishes housing goals for AMA purchases of loans to low-income borrowers, very low-income borrowers, and borrowers in low-income areas.<a href="#footnote12"><span style="text-decoration&#58;underline;">[12]</span></a>&#160;&#160;</li></ul><p> <em><strong>Guidance</strong></em></p><p style="text-align&#58;left;"> <em>Board-established Limits.</em>&#160; Each Bank's board of directors should establish limits on its AMA portfolios within the context of its risk appetite<a href="#footnote13"><span style="text-decoration&#58;underline;">[13]</span></a> and the unique characteristics of its membership and district. &#160;At the same time, the board should ensure that the Bank serves as a liquidity source for members – particularly smaller members who may not have the same capacity or access to sell loans in the secondary market that larger members may have. &#160;For purposes of this Advisory Bulletin, the term “smaller members&quot; includes all Bank members whose total assets are below the community financial institution (CFI) asset cap as defined in section 1263.1 of FHFA's regulations, and includes credit unions, insurance companies, and non-depository community development financial institutions.&#160; </p><p style="text-align&#58;left;"> <em>Management Thresholds.</em><em>&#160; </em>To support the board-established risk limits, management of each Bank should establish thresholds that would serve as monitoring tools to manage AMA-related risk exposure.&#160; Management thresholds typically should be set at levels sufficiently below the risk limits established by the board, so that management would have adequate time to address any relevant developments that might otherwise result in a breach of a board-established limit.&#160; If a Bank's AMA holdings were to breach a management threshold, it should have a formal process in place to assess and manage the resulting AMA-related risks.&#160; The process may require management to conduct a targeted analysis or additional ongoing monitoring, which would also provide the board information useful in fulfilling its governance responsibilities.&#160; Examples of actions management might take to avoid breaching management thresholds, or to avoid exceeding board-established limits if a management threshold is breached, might include&#58;</p><ul style="list-style-type&#58;disc;"><li>Imposing loan acquisition restrictions by loan type, e.g., high-balance loans or third-party loans,</li><li>&#160;Limiting loan purchases from a particular member that accounts for a disproportionate amount of total acquisitions, or</li><li>Participating or selling interests in some of its AMA mortgage loans to other Banks.</li></ul><p> <span style="text-decoration&#58;underline;">Establishing Board Limits</span></p><p style="text-align&#58;left;">FHFA expects each Bank's board of directors to approve a strong risk management program, to evaluate AMA-related risks, based on management's proposals, and to establish limits to control those risks.&#160; To accomplish these objectives, each Bank should have staff with a strong understanding of, and insight into, the secondary mortgage market and the risks that affect the acquisition, funding, and servicing of mortgages.&#160; The staff should have a skill set that allows them to evaluate AMA risk beyond the determination of credit enhancement obligations.&#160; Ultimately, the staff should have the necessary expertise to monitor portfolio and market issues before they adversely affect either the mission focus or the safe and sound operation of the Bank.&#160; </p><p style="text-align&#58;left;">FHFA expects that a prudent approach to managing risks associated with a Bank's AMA holdings would include the types of limits described in the paragraphs below.&#160; Boards may adopt other limits to control other AMA-related risks, as identified by Bank staff as being appropriate to the magnitude of the Bank's AMA portfolio.</p><p> <em>AMA Portfolio Limits</em></p><p>Given the risks associated with AMA, which include price, interest rate, operational, credit, model, and liquidity risks, each Bank's board should consider how it can safely and soundly manage its portfolio.&#160; In considering portfolio limits, a Bank should consider, for example, the cost for safely and soundly managing how market risk may evolve in response to fluctuations in the size of the mortgage portfolio,<a href="#footnote14"><span style="text-decoration&#58;underline;">[14]</span></a> and the risk of adverse effects on the Bank's profitability resulting from external factors that may occur in both the short and long term.&#160; Those risks may be magnified by concentrations of loan coupons or vintages.&#160; A board also should consider any risks associated with acquiring a large portion of its AMA mortgages from a single PFI.&#160; When a board is setting portfolio limits, FHFA expects a Bank to consider the needs of its smaller members, who may rely on the Bank as a liquidity source to a greater degree than its larger members, who may have alternative access to the secondary mortgage market. The Bank should ensure that its portfolio limits do not result in the Bank's acquisition of mortgages from smaller members being “crowded out&quot; by the acquisition of mortgages from larger members.&#160;&#160; </p><ul style="list-style-type&#58;disc;"><li> <em>Size of Portfolio. </em>Each Bank's board of directors should establish a limit on its maximum holdings of AMA that is consistent with its risk appetite and the long-term safety and soundness of the Bank.&#160; When establishing the limit on the size of its AMA portfolio, the board may develop its own metrics that it deems most appropriate for its business plans and the needs of its members, such as a percentage of assets or consolidated obligations, or as a multiple of capital.&#160; FHFA will assess the portfolio limit and the metrics used to set it as part of its regular supervisory process.&#160; If a board has considered multiple approaches to setting its portfolio limit and can demonstrate that it has used the most conservative of those approaches in establishing the binding board limit, FHFA generally would consider that to be consistent with the safe and sound operation of the Bank.&#160; FHFA also expects that the board of directors would monitor the appropriateness of its chosen metrics in light of changing conditions in the mortgage markets, capital markets, the Bank's financial condition, and the needs of its members, and consider any appropriate revisions to the metrics used to set the existing portfolio limits.&#160;&#160;</li></ul><ul style="list-style-type&#58;disc;"><li> <em>Growth.</em><em>&#160; </em>Each Bank's board of directors should establish a limit on the amount of AMA the Bank could acquire during a defined period of time in order to mitigate risks associated with rapid growth. &#160;Reasonable metrics for managing rapid growth could include limits based on gross dollar amount acquired and net growth in AMA holdings in dollars or as percent of balances outstanding.&#160;<br></li><li> <em>Single PFI Acquisition</em>. &#160;Each Bank's board of directors should establish annual limits on the dollar amount of AMA that the Bank may acquire from a PFI.&#160; PFI limits should be appropriate to the particular PFI, should be consistent with the Bank's overall AMA portfolio limit, should avoid undue concentrations of the overall AMA portfolio from particular PFIs, and should provide reasonable assurance that the Bank's smaller members will be able to continue to sell AMA to the Bank during the year, regardless of the amount of AMA purchased from the Bank's larger members.&#160;&#160;&#160;&#160;&#160;&#160;</li></ul><p> <em>Loan Concentration Limits</em>&#160;</p><p> FHFA expects each Bank's board of directors to consider the risks associated with an aggregation of loans that have common characteristics, i.e., concentration risk. &#160;Pools of loans that have common characteristics are sensitive to the same economic developments or downturns.&#160; This sensitivity can cause a pool of loans to perform as if it were a single, large exposure, which potentially exposes the Bank to disproportionately greater credit losses that could negatively affect a Bank's capital.&#160; Concentration risk may be further exacerbated for pools composed of loans that have multiple common characteristics, i.e., risk layering. &#160;Each Bank should identify characteristics that, when aggregated in a pool or in the Bank's portfolio, could increase the Bank's risk exposure.&#160; Loan characteristic concentrations each board should consider include&#58;&#160;<br></p><ul style="list-style-type&#58;disc;"><li> <em>Geographic area concentration,</em> which is determined by evaluating the amount or percentage of acquired loans secured by properties within a geographic location.&#160; The geographic areas of AMA loans held by a Bank could be evaluated by, for example, state, county,&#160;or metropolitan statistical area.<a href="#footnote15"><span style="text-decoration&#58;underline;">[15]</span></a> FHFA expects Banks to have specific limits on AMA concentrations in particular housing markets, both in- and out-of-district.&#160; The limits could be relative to a PFI's sales to a Bank, relative to total acquisitions in a given period, or relative to outstanding dollar balances.&#160; <br></li><li> <em>High-balance loan concentration,</em> which is determined by evaluating the amount or percentage of acquired loans that are high-balance loans. “High-balance loans&quot; are conforming loans secured by residential properties located in “high-cost areas&quot; with loan amounts exceeding the baseline conforming loan limits.&#160; Such loans may perform differently than loans at the baseline limits.<a href="#footnote16"><span style="text-decoration&#58;underline;">[16]</span></a>&#160;&#160;</li></ul><p> <em>Third-party Loan Origination Limits</em></p><p>The AMA regulation authorizes the Banks to purchase mortgage loans from a member only if the member (or an affiliate) had originated the loan or had acquired it from a third party for a “valid business purpose.&quot;<a href="#footnote17"><span style="text-decoration&#58;underline;">[17]</span></a>&#160; The Federal Housing Finance Board issued a regulatory interpretation that lists some factors that would be sufficient to demonstrate that a loan acquired from a third-party originator meets the valid business purpose requirement.<a href="#footnote18"><span style="text-decoration&#58;underline;">[18]</span></a>&#160; The interpretation also makes clear that a member must have meaningful influence or control over the mortgage assets it acquires or over the process by which it acquires them in order to demonstrate that the member has acquired them for a valid business purpose.&#160; The factors indicating the existence of a valid business purpose include&#58;&#160; (1) whether purchasing loans from third-party originators represents a core business of the member; (2) how long the member has been involved in purchasing such loans; (3) whether the member is familiar with the third-party originators and experienced with the type, quality, and volume of the assets being purchased from the originators; (4) whether the member has a clear opportunity to identify and address the potential for fraud on an operational level; (5) whether the member itself approves and contracts with the originators; and (6) whether the member itself sets the terms of its contractual relationship with the third party originators, including asset standards and pricing.&#160;&#160;</p><p>As a legal matter, Banks acquiring mortgage loans that have been originated by nonmember third parties must be able to demonstrate that the member has acquired those loans for a “valid business purpose,&quot; as required by the AMA regulations.&#160; The Banks should have processes in place that actively ensure that the member selling the loans to the Bank is exercising meaningful influence over or control of the assets it is selling, as described above.&#160; A perfunctory assessment of whether a member in fact exercises such influence or control would not demonstrate that a member has acquired mortgage loans from a third-party originator “for a valid business purpose,&quot; which could cause the mortgage loans not to qualify as AMA.&#160;&#160;&#160;&#160;&#160;</p><p>Generally, loans originated by third parties are acquired by a Bank from members that have banking services networks that involve nonmembers.&#160; Such loans can potentially carry greater risk than loans originated by a member.&#160; FHFA expects a Bank's board of directors to establish limits on the amount of loans it acquires that are originated by third parties.&#160; Those limits could be based on any reasonable metrics, such as a portion of the Bank's total AMA acquisitions or a portion of its acquisitions from a single member. &#160;FHFA expects Banks to consider the risks associated with the acquisition of third-party originated loans that are secured by properties located outside of the Bank's district.&#160;&#160;</p><p>In consideration of smaller members who may not have the same ability to sell loans in the secondary market that larger members may have, third-party loan origination limits need not apply to smaller members that do not have their own mortgage origination operations. &#160;Nonetheless, such members must still meet the valid business purposes requirements established in the AMA rule and Regulatory Interpretation 2000-RI-25.&#160;</p><p> <em>Pricing Limits</em></p><p>FHFA expects each Bank's board of directors to consider the price risk associated with AMA.&#160; The higher the price a Bank pays for an AMA mortgage loan, the lower its expected earnings will be, all else equal.&#160; If the expected yield on a risk-adjusted basis is too low, a Bank may not earn enough to cover operating costs.&#160; As stated in the AMA Price Risk Governance AB, a Bank “should set mortgage acquisition prices to ensure the resulting expected spread to funding covers its costs and provides adequate compensation for the risk assumed, e.g., option, interest rate, credit, and model risk.&#160; The [Bank's] management committee should provide oversight, which includes approving and periodically reevaluating the minimum expected spread to funding target that guides AMA pricing.&quot;&#160;&#160;</p><p>Each Bank's board of directors should establish a limit on the price at which the Bank will acquire AMA loans.&#160; Mortgages acquired with a relatively high premium to par increase the Bank's exposure to prepayment risk.&#160; The write down of a mortgage premium reduces returns to the Bank and may result in losses.&#160; Each board of directors should establish a price limit on an individual loan basis and a portfolio amortized cost basis as observed at a point in time.&#160; For the latter, a Bank's board should establish a limit on the volume of loans it acquires at a board-determined premium level.&#160; The board should also establish a limit on the percentage of the Bank's total outstanding portfolio that was acquired at the board-determined premium level. </p><p style="text-decoration&#58;underline;"> <strong> <em>FHFA Monitoring of AMA Risk Management</em></strong> </p><p>FHFA will consider each Bank's AMA risk management as part of its regular supervisory process, including the limits established by the Bank's board of directors.&#160; As part of its off-site monitoring of Bank safety and soundness, FHFA may request periodically that each Bank submit to FHFA its board-approved AMA risk limits or thresholds.&#160; </p><p> <span style="text-decoration&#58;underline;"> <strong> <em>Supervisory Letter</em></strong></span></p><p>A Bank or the Banks may receive a supervisory letter, as warranted, should FHFA determine adopted board limits are insufficient.&#160; Furthermore, examiners will issue findings during the examination process if a Bank does not have sufficiently safe and sound AMA limits approved by the board of directors.&#160; </p><p style="text-decoration&#58;underline;"> <strong> <em>Related Guidance</em></strong> </p><p>Federal Housing Finance Board Regulatory Interpretation 2000-RI-25, <em>Acquired Member Assets Held for a Valid Business Purpose </em>(Nov. 17, 2000).</p><p> <a name="footnote1"><span style="text-decoration&#58;underline;">[1]</span></a> 12 CFR § 1265.2</p><p> <a name="footnote2"><span style="text-decoration&#58;underline;">[2]</span></a> 12 CFR § 1239.4(a).</p><p> <a name="footnote3"><span style="text-decoration&#58;underline;">[3]</span></a> 12 CFR §§&#160;1239.4(c)(1) and 1239.11(a).&#160; </p><p> <a name="footnote4"> <span style="text-decoration&#58;underline;">[4]</span></a> 12 CFR Part 1236, Appendix.</p><p> <a name="footnote5"><span style="text-decoration&#58;underline;">[5]</span></a> 12 CFR § 1236.3(d).&#160; FHFA has the authority to address unsafe or unsound practices through issuance of an order to cease-and-desist, through assessment of civil money penalties, or removal from office.&#160; 12 U.S.C. §§&#160;4631(a)(1), 4636(b)(2)(A), 4636a(a)(2)(A).&#160;&#160; </p><p> <a name="footnote6"> <span style="text-decoration&#58;underline;">[6]</span></a> 12 CFR § 1236.4.</p><p> <a name="footnote7"><span style="text-decoration&#58;underline;">[7]</span></a> 12 CFR §§&#160;1268.3 (asset test), 1268.4 (member nexus), and 1268.5 (credit risk sharing).</p><p> <a name="footnote8"><span style="text-decoration&#58;underline;">[8]</span></a><em>&#160;See </em> <em>FHLBank Core Mission Achievement</em> AB 2015-05, July 14, 2015.</p><p> <a name="footnote9"><span style="text-decoration&#58;underline;">[9]</span></a> 81 FR 91682 (Dec. 19, 2016).</p><p> <a name="footnote10"><span style="text-decoration&#58;underline;">[10]</span></a><em>&#160;See </em> <em>AMA Price Risk Governance</em> AB 2017-03, Nov. 21, 2017.</p><p> <a name="footnote11"><span style="text-decoration&#58;underline;">[11]</span></a><em>&#160;See </em> <em>Acquired Member Asset Price Risk Governance</em>&quot; AB 2017-03, Nov. 21, 2017.</p><p> <a name="footnote12"><span style="text-decoration&#58;underline;">[12]</span></a> 12 CFR Part 1281.</p><p> <a name="footnote13"><span style="text-decoration&#58;underline;">[13]</span></a> The <em>Responsibilities of Boards of Directors, Corporate Practices, and Corporate Governance</em> regulation defines “risk appetite&quot; as, “the aggregate level and types of risk the board of directors and management are willing to assume to achieve the regulated entity's strategic objectives and business plan, consistent with applicable capital, liquidity, and other regulatory requirements.&quot;&#160; 12 CFR §&#160;1239.2.&#160; </p><p> <a name="footnote14"> <span style="text-decoration&#58;underline;">[14]</span></a> A mortgage portfolio's prepayment optionality can result in unanticipated funding mismatches that can have a deleterious effect on a Bank's net income, market value of equity, market value of equity to book value of equity ratio, market value of equity to par value of capital ratio, and dividend payment capacity.&#160;&#160;&#160; </p><p> <a name="footnote15"> <span style="text-decoration&#58;underline;">[15]</span></a> In general, in-district state level concentrations are acceptable given Banks must serve their district.&#160; However, FHFA expects the Bank to monitor and analyze housing-market level concentrations both within and outside its district.&#160;&#160;&#160; </p><p> <a name="footnote16"> <span style="text-decoration&#58;underline;">[16]</span></a><em> See </em><a href="/DataTools/Downloads/Pages/Conforming-Loan-Limits.aspx">https&#58;//www.fhfa.gov/DataTools/Downloads/Pages/Conforming-Loan-Limits.aspx</a><em>&#160;</em></p><p> <a name="footnote17"><span style="text-decoration&#58;underline;">[17]</span></a> 12 CFR § 1268.4(a)(1)(ii).</p><p> <a name="footnote18"><span style="text-decoration&#58;underline;">[18]</span></a><em>&#160;See </em>Regulatory Interpretation 2000-RI-25, <em>Acquired Member Assets Held for a Valid Business Purpose</em> (Nov. 17, 2000).&#160; </p>&#160;&#160;&#160;&#160;&#160;&#160; <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. &#160;Questions about this advisory bulletin should be directed to&#58;&#160; <a href="mailto&#58;SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>. </p></td></tr></tbody></table><p>&#160;</p>1/31/2020 9:48:42 PMHome / Supervision & Regulation / Advisory Bulletins / Acquired Member Assets Risk Management Advisory Bulletin AB 2020-01: ACQUIRED MEMBER ASSETS RISK MANAGEMENT 2997https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Capital Stock Management27088FHL Banks8/15/2019 4:00:00 AMAB 2019-03<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>ADVISORY BULLETIN</p><p>AB 2019-03<br></p><p>CAPITAL STOCK MANAGEMENT<br></p></td></tr></tbody></table><p> &#160;&#160; <br></p><p> <strong style="text-decoration&#58;underline;"> <em>Purpose</em></strong><br></p><p>This Advisory Bulletin (AB)&#160;provides Federal Housing Finance Agency (FHFA) guidance for each Federal Home Loan Bank (Bank) regarding the manner in which it manages its capital accounts.&#160; This guidance augments existing statutory and regulatory capital requirements.&#160; </p><p>This guidance describes FHFA’s supervisory expectations regarding an appropriate level of capital stock that each Bank should maintain, expressed as a percentage of assets, in order to help preserve the cooperative nature of the Banks.&#160; Recent developments have resulted in the Banks responding to growth in their retained earnings, in part, by lowering their levels of capital stock, where both are measured as a proportion of total assets.&#160; Holding a higher proportion of total capital as retained earnings supports the maintenance of the par value of Bank capital stock, but also results in a declining proportion of capital stock which could, at some point, undermine the cooperative nature of the Banks by minimizing their members’ ownership interest in them.<br>&#160;</p><p> <strong style="text-decoration&#58;underline;"> <em>Background</em></strong></p><p> <span style="text-decoration&#58;underline;">Capital Composition</span><br></p><p>Bank regulatory capital is comprised of member paid-in Bank capital stock (capital stock) and retained earnings.<a href="#footnote1">[1]</a>&#160;&#160;&#160; Each Bank has a variety of means to manage the composition of its capital accounts between those two items.&#160; For example, a Bank can increase or decrease the proportion of capital attributable to capital stock by increasing or decreasing stock purchase requirements that an institution must make for membership or for conducting certain activities, primarily member advance borrowings.&#160; The Bank also can issue stock dividends, which converts retained earnings into capital stock.<br></p><p> <span style="text-decoration&#58;underline;">Cooperative Nature of the Bank System</span><br></p><p>Congress established the Banks as cooperative business organizations, meaning that the Banks are to be owned and managed by their members for the purpose of providing services to those members.&#160; Specifically, only members may own capital stock in the Banks or vote to elect persons to the boards of directors, a majority of which must be officers or directors of those member institutions.&#160; The members of the Banks also own the retained earnings of the Banks, in proportion to the amount of Class B capital stock that each member owns.&#160; Only members and certain eligible associates may receive an advance, which is the primary service provided by the Banks, or may sell qualifying mortgage loans to their Bank.<a href="#footnote2">[2]</a>&#160;&#160; </p><p>A fundamental aspect of the cooperative structure is that the members have a financial incentive to be fully engaged in the oversight and business of the Bank.&#160; Being so engaged helps to preserve the value of the members’ investment in the capital stock of the Bank, and to maintain the availability of Bank services that benefit members.&#160; As both owners and customers of the Bank, members also are financially motivated to ensure that the Bank operates in a safe and sound manner.&#160; As a practical matter, however, the members’ financial motivation to properly oversee the operations of the Bank will likely be positively correlated with the members’ tangible investment in the Bank.&#160; </p><p>In recent years, the Banks have achieved significant growth in retained earnings as a proportion of total assets.&#160; Consequently, the Banks have also managed a gradual decline in capital stock as a proportion of assets.&#160; FHFA believes that it is important for a Bank to maintain a minimum capital stock-to-assets ratio in order to help preserve the cooperative structure incentives that encourage members to remain fully engaged in the oversight of their investment in the Bank.&#160; Determining an amount of capital stock that would provide some reasonable assurance that the members would continue to have a financial incentive to remain engaged in the oversight and use of the cooperative is not a matter that readily lends itself to precise calculation.&#160; Nonetheless, FHFA believes that the members of a Bank that maintains a ratio of at least two percent of capital stock to assets will continue to have adequate financial incentive to remain engaged in the cooperative, and encourages each Bank to maintain its capital stock at or above that ratio.&#160;&#160;&#160; </p><p>A factor suggesting that maintaining at least a two percent capital stock-to-assets ratio may align with sufficient member incentive to remain engaged in the cooperative is that this measure is related to the risk of capital stock impairment.&#160; Specifically, the risk of impairment is heightened as the Bank’s total capital declines to near the level of two percent of assets.&#160; This is the threshold at which the prompt corrective action regulation specifies that the Director of FHFA may appoint a conservator or receiver.<a href="#footnote3">[3]</a>&#160;&#160; Either of those actions would significantly increase the likelihood of impairment for the remaining amounts of capital stock.&#160; If a Bank that was approaching the two percent capital level were to be capitalized principally with retained earnings, its members would have little investment at risk if the Bank’s capital levels were to continue to decline, and thus less motivation to engage in actions to revive the safe and profitable operation of the Bank.&#160; Clearly, the motivation of the members to actively support the Bank would increase in step with the proportion of that capital that is capital stock and would be maximized when needed most in the circumstance of a Bank that has only about two percent of capital to assets, and all of that capital is capital stock.<br><br></p><p style="text-decoration&#58;underline;"> <strong> <em>Scope</em></strong></p><p>This Advisory Bulletin applies only to the Banks.<br>&#160;</p><p> <strong style="text-decoration&#58;underline;"> <em>Guidance</em></strong></p><p>Maintaining the level of capital stock in an amount that is equal to or greater than two percent of a Bank’s assets is consistent with helping preserve the cooperative nature of the Bank System. Beginning six months following the date of this Advisory Bulletin, FHFA will consider the proportion of capital stock, as measured on a daily average basis at month end, when assessing each Bank’s capital management practices.&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;</p><p>&#160;</p><hr width="25%" align="left" /><p> <a name="footnote1">[1]</a> For purposes of this Advisory Bulletin, capital stock includes all member paid-in Bank capital stock, including mandatorily redeemable stock.<br></p><p> <a name="footnote2">[2]</a> Most recently, in the amended Acquired Member Asset rule, FHFA stated that the objective of the member nexus requirement in that rule is to align the mortgage purchase programs with the cooperative structure of the Bank System. 81 Fed. Reg. 91674, 91676 (Dec. 19, 2016).<br></p><p> <a name="footnote3">[3]</a> <em>See</em> 12 CFR 1229.1, 1229.10(a). This threshold is also well known from commercial banking regulation, where the Federal Deposit Insurance Act requires that a bank’s “critical capital” be not less than two percent of total assets. 12 USC 1831o(c)(3)(B).<br></p><p> <br> &#160;</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. Questions about this advisory bulletin should be directed to&#58; <a href="mailto&#58;SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a><br></p></td></tr></tbody></table>8/16/2019 7:22:36 PMHome / Supervision & Regulation / Advisory Bulletins / Capital Stock Management Advisory Bulletin This Advisory Bulletin (AB) provides Federal Housing Finance Agency (FHFA 2447https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Implementation of Streamlined Monitoring Requirements for Affordable Housing Program Projects Funded by Certain Other Federal Government Rental Housing Programs26200FHL Banks5/9/2019 4:00:00 AMAB 2019-02<div> <strong>DIVISION OF HOUSING MISSION AND GOALS</strong><br> <div> <br> <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p style="text-align&#58;left;"> <strong>ADVISORY BULLETIN</strong><strong>&#160; </strong></p><p style="text-align&#58;left;"> <strong>AB 2019-02</strong><strong>&#160;&#160;</strong>&#160;<br></p><p style="text-align&#58;left;"> <strong>IMPLEMENTATION OF STREAMLINED MONITORING REQUIREMENTS FOR AFFORDABLE HOUSING PROGRAM PROJECTS FUNDED BY CERTAIN OTHER FEDERAL GOVERNMENT RENTAL HOUSING PROGRAMS</strong><br></p><p style="text-align&#58;left;"><strong>May 9, 2019</strong><br></p></td></tr></tbody></table><p style="text-decoration&#58;underline;"> <br> <strong> <em>Purpose</em></strong></p><p>The Federal Housing Finance Agency's (FHFA) Affordable Housing Program (AHP) regulation authorizes streamlined monitoring for AHP-subsidized projects that are also funded by certain other government housing programs and identified by FHFA in separate guidance.&#160; This Advisory Bulletin (AB) identifies those programs.</p><p style="text-decoration&#58;underline;"> <strong><em>Background</em></strong></p><p>FHFA published a final rule in the <em>Federal Register</em> on November 28, 2018 amending the AHP regulation, one component of which permits the Federal Home Loan Banks (Banks) to implement streamlined monitoring for AHP projects funded by certain other government housing programs that FHFA specifies in separate guidance.&#160; Specifically, the amended regulation requires that at initial monitoring of AHP projects funded by such other programs, the Banks review rent rolls (in the case of rental projects) and project sponsor certifications, and any other documentation to verify that the projects meet the requirements in 12 C.F.R. § 1291.50(a)(2), but not any other back-up documentation on household incomes or rents.&#160;<a href="#1">[1]</a>&#160;<span style="font-style&#58;normal;">&#160;</span>For long-term monitoring of AHP rental projects funded by such other programs, the regulation requires that the Banks review annual project sponsor certifications on household incomes and rents and information on the ongoing financial viability of the projects, but not any other back-up documentation on incomes and rents, including rent rolls.&#160;<a href="#2">[2]</a>&#160;<br></p><p style="text-align&#58;left;text-decoration&#58;underline;"> <strong> <em>Guidance</em></strong></p><p>As discussed in the proposed&#160;<a href="#3">[3]</a>&#160;and final&#160;<a href="#4">[4]</a>&#160;AHP rules, FHFA has analyzed the monitoring standards and practices of several federal government housing programs to identify programs with substantially equivalent rent, income, and retention requirements to the AHP, as well as very low noncompliance rates.&#160; FHFA's analysis also focused on each monitoring entity's demonstrated ability to monitor the program effectively.&#160; </p><p>FHFA found that the following four housing programs meet the criteria identified above&#58;<br></p><ul><li>HUD Section 202 Program for the Elderly;<br></li><li>HUD Section 811 Program for Housing the Disabled;</li><li>USDA Section 515 Rural Multifamily Program; and</li><li>USDA Section 514 Farmworker Multifamily Program.<br></li></ul><p> <span style="color&#58;#444444;font-style&#58;normal;">Accordingly, the Banks may implement the streamlined monitoring described above for AHP projects funded by any of these four programs.</span><span style="font-style&#58;normal;color&#58;#444444;">&#160;</span><br></p><p>Although the final AHP rule became effective on December 28, 2018, the compliance date for implementing the streamlined monitoring practices is January 1, 2021.&#160; However, Banks may implement the streamlined monitoring before this compliance date.&#160; Banks that opt to do so should provide notice to FHFA pursuant to the email of December 26, 2018, to the Banks from the Deputy Director of the Division of Bank Regulation at <a href="mailto&#58;DeputyDirector-FHLBanks@FHFA.gov">DeputyDirector-FHLBanks@fhfa.gov​</a>.&#160; Banks must also ensure that their AHP Implementation Plans set forth their requirements for monitoring.&#160;<a href="#5">[5​]</a>&#160;<br></p><p>Should a Bank identify potential noncompliance with AHP household income or rent requirements in a project that is subject to streamlined monitoring, it should evaluate whether an expansion of its review to include the back-up documentation, including rent rolls, is warranted to verify compliance with AHP requirements.&#160;</p><p style="font-style&#58;normal;">____________________________________<br></p><p style="font-style&#58;normal;text-decoration-line&#58;underline;"> <span style="font-size&#58;inherit;font-family&#58;inherit;font-weight&#58;700 !important;"> <em></em></span></p><p style="font-style&#58;normal;"> <a name="1">[1]</a>&#160;<em style="font-weight&#58;400;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;">See</em><span style="font-style&#58;normal;">&#160;12 C.F.R. § 1291.50(a)(2), (a)(3).</span><br></p><p style="font-style&#58;normal;"> <a name="2">[2]</a>&#160;<em style="font-weight&#58;400;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;">See</em><span style="font-style&#58;normal;">&#160;12 C.F.R. § 1291.50(c)(1)(i), (ii).</span>​</p><p> <a name="3">[3]</a>&#160;Affordable Housing Program Amendments, 83 Fed. Reg. 11344, 11365-11366 (Mar. 14, 2018).​<br></p><p> <a name="4">[4]</a>&#160;Affordable Housing Program Amendments, 83 Fed. Reg. 61186, 61126-61127 (Nov. 28, 2018).<br></p><p> <a name="5">[5]</a>&#160;See&#160;12 C.F.R. § 1291.13(b)(11).&#160;</p><p style="text-align&#58;left;">FHFA will continue to assess the monitoring standards and practices of other government housing programs and may make modifications to this guidance in a subsequent AB as appropriate.<br style="text-decoration&#58;underline;"></p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p style="text-align&#58;left;">FHFA has statutory responsibility to ensure that the regulated entities carry out their missions consistently with the provisions and purposes of FHFA's statute and the regulated entities' authorizing statutes.&#160; Advisory Bulletins describe supervisory expectations in particular areas and are used in FHFA examinations of the regulated entities.&#160; For comments or questions pertaining to this AB, contact Ted Wartell at <a href="mailto&#58;Ted.Wartell@fhfa.gov">Ted.Wartell@fhfa.gov</a> or by phone at 1-202-649-3157; or Marcea Barringer at <a href="mailto&#58;Marcea.Barringer@fhfa.govl">Marcea.Barringer@fhfa.gov</a> or by phone at 1-202-649-3275.&#160;<br></p></td></tr></tbody></table> <br> </div></div>5/10/2019 7:33:45 PMHome / Supervision & Regulation / Advisory Bulletins / Implementation of Streamlined Monitoring Requirements for Affordable Housing Program Projects Funded by Certain Other 2068https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Business Resiliency Management26708All5/7/2019 4:00:00 AMAB 2019-01<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p style="text-align&#58;left;"> <strong>&#160;</strong><strong>ADVISORY BULLETIN</strong><strong>&#160; </strong></p><p style="text-align&#58;left;"> <strong>AB 2019-01&#58;</strong><strong>&#160; </strong><strong>BUSINESS RESILIENCY MANAGEMENT</strong></p></td></tr></tbody></table><p style="text-decoration&#58;underline;"> <br> <strong> <em>Purpose</em></strong></p><p>This advisory bulletin (AB) provides Federal Housing Finance Agency (FHFA) guidance on business resiliency management at Fannie Mae, Freddie Mac, the Federal Home Loan Banks (FHLBanks), and the Office of Finance (OF) (collectively, the regulated entities).<a href="#1">[1]</a>&#160; This AB rescinds and replaces Federal Housing Finance Board Advisory Bulletin 02-3 Disaster Recovery Planning, February 13, 2002.&#160; </p><p>For purposes of this AB, business resiliency management refers to the regulated entity's ability to minimize the impact of disruptions and maintain business operations at predefined levels. &#160;Disruptions can expose the regulated entities to operational, financial, legal, compliance, and reputational risks.&#160; An effective business resiliency management program (program) helps to ensure safe and sound operations at each regulated entity.&#160; </p><p style="text-decoration&#58;underline;"> <strong><em>Background</em></strong></p><p style="text-align&#58;left;">Uncontrolled events, such as natural disasters, pandemics, and cyberattacks, can threaten the regulated entities' ability to perform mission critical operations, such as providing liquidity and access to credit in the mortgage market.&#160; Disruptions in service can expose the regulated entities to a variety of risks and potentially lead to adverse economic consequences in the financial sector.&#160; A program establishes documented strategic processes and procedures that a regulated entity should follow to mitigate and respond to risks in order to continue its business operations. </p><p style="text-align&#58;left;">The core components of a program include the business continuity plan (BCP), disaster recovery plan (DRP) and crisis management plan (CMP) (collectively, plans).&#160; The BCP is the written set of procedures a regulated entity follows to recover, resume, and maintain business functions and their underlying processes at acceptable predefined levels following a disruption.&#160; The BCP accounts for disruptions affecting personnel, equipment, facilities, data, third-party providers, and the technical assets associated with business functions and processes.&#160; The DRP is the documented process to recover and resume the regulated entity's IT infrastructure, business applications, and data services in the event of a major disruption.&#160; The CMP provides documented, coordinated responses to enterprise-wide disruptions, including overseeing the activation of the DRP and BCPs. &#160;</p><p style="text-align&#58;left;">FHFA's general standards for safe and sound operations are set forth in the Prudential Management and Operations Standards (PMOS) at 12 CFR Part 1236 Appendix.&#160; Three relevant PMOS articulate guidelines for a regulated entity's board of directors and senior management to evaluate when establishing internal controls and information systems (Standard 1), overall risk management processes (Standard 8, especially Standard 8.11), and maintenance of adequate records (Standard 10). &#160;A business resiliency program that is aligned with this AB will meet FHFA's supervisory expectations on the points that the AB addresses, with respect to those standards.&#160; A business resiliency program that is not aligned with this AB may not meet those standards and may not be safe and sound.<a href="#2">[2]</a></p><p style="text-align&#58;left;text-decoration&#58;underline;"> <strong> <em>Guidance</em></strong></p><p>FHFA expects the regulated entities to establish and maintain a program that includes the following&#58;</p><ol style="list-style-type&#58;upper-roman;"><li>Governance</li><li>Business Resiliency Cycle</li><ol style="list-style-type&#58;upper-alpha;"><li>Risk Assessment and Business Impact Analysis</li><li>Risk Mitigation and Plan Development</li><li>Testing and Analysis</li><li>Risk Monitoring and Program Sustainability</li></ol></ol><p>Each regulated entity should establish its program in alignment with its enterprise-wide risk management program,<a href="#3">[3]</a> and in accordance with all relevant FHFA guidance.&#160; The regulated entity should develop strategies, policies, procedures, and internal standards that apply to the program.&#160; The program should guide the regulated entity to respond appropriately to disruptions affecting business operations, personnel, equipment, facilities, IT systems, and information assets.&#160; In order to remain current and effective, the program should adopt a cyclical, process-oriented approach that incorporates the following steps&#58; (1) risk assessment and business impact analysis, (2) risk mitigation and plan development, (3) testing and analysis, and (4) risk monitoring and program sustainability. &#160;</p><p> <strong>I.&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Goverance</strong></p><p>The board of directors or a committee thereof (board) is responsible for maintaining a strong business resiliency culture and overseeing the program.&#160; The board provides oversight of senior management's implementation of the program and maintenance of plans that reflect the regulated entity's current operating environment and risk appetite.&#160; The board should review and approve the enterprise-wide business resiliency strategic objectives of the program on an annual basis.&#160; &#160;</p><p>As delegated by the board, senior management<a href="#4">[4]</a> is responsible for executing the program.&#160; Senior management ensures that&#58;</p><ul style="list-style-type&#58;disc;"><li>Each step of the program is carried out by assigned personnel with clear roles and responsibilities;</li><li>There are designated resources and qualified personnel from across the regulated entity's business units and operations to develop and implement plans;&#160; </li><li>Employees are adequately trained and participate in testing exercises, as necessary, to demonstrate understanding of their role when plans are activated in the event of a disruption; </li><li>There is sufficient communication and coordination to properly execute plans and maintain enterprise-wide business resiliency;&#160; </li><li>Effective reporting and metric requirements are in place, such as reviewing internal audit reports and providing reports to the board;&#160; </li><li>The review and approval of plans involving critical business functions are conducted on an annual basis or when there are material changes in the operating environment that affect critical business functions; and</li><li>The board is informed of significant issues involving the strategies, plans, or testing of critical business functions. </li></ul><p> <strong>II.&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Business Resiliency Cycle</strong></p><p> <em>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; A.&#160; Risk Assessment and Business Impact Analysis</em></p><p>Developing an effective plan begins with a risk assessment that determines the potential threats to a regulated entity's business operations.&#160; A risk assessment considers the full spectrum of scenarios that could affect operations, ranging from low impact, high probability occurrences (such as power or telecommunication disruptions) to low probability, high impact occurrences (such as pandemics or natural disasters).&#160; As part of the risk assessment process, the regulated entity should take into account disruptions involving information services, equipment, personnel, facilities, and services by third-party providers.&#160; The regulated entities should also consider their proximity to infrastructure in conjunction with their susceptibility to threats.&#160; </p><p>The business impact analysis (BIA) assesses and prioritizes those business functions and processes, including their associated technical assets, that must be recovered after a disruption.&#160; The BIA should identify the potential impact of uncontrolled events on the regulated entity's ability to execute its business functions and processes.&#160; The regulated entity should also consider the impact of disruptions on its ability to perform its role in the financial marketplace, satisfy legal and regulatory requirements, follow safe and sound practices, maintain public confidence, and achieve its strategic goals.&#160; </p><p>Conducting a thorough and accurate BIA is the basis for developing effective plans and a comprehensive program for the regulated entity.&#160; As part of the BIA, the regulated entities should identify business functions and processes, evaluate and compare business function requirements, and identify interdependencies between critical systems, departments, personnel, and services that may be compromised during a disruption.&#160; The BIA should be risk-focused, taking into consideration the priority of certain business functions and processes. &#160;The BIA should be conducted at least annually.&#160; </p><p>Recovery point objectives (RPOs) and recovery time objectives (RTOs) are calculated results informed by the BIA.&#160; An RPO defines the maximum level of data loss (in terms of time) that can be afforded during a failure.&#160; An RTO estimates the maximum allowable downtime for business processes and associated technical assets that should be recovered after a disruption.&#160; The regulated entity should additionally consider how RTOs and RPOs affect data recovery and reconciliation, especially when business and IT interdependencies are involved.&#160; RTOs inform the regulated entity on how it should categorize and group business processes and technical assets from the most critical functions to the least critical.</p><p> <em>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; B.&#160; Risk Mitigation and Plan Development</em></p><p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;<span style="text-decoration&#58;underline;">Risk Mitigation</span></p><p>The regulated entity should use the results from the risk assessment and BIA to determine appropriate recovery solutions that mitigate the risk of a disruption to a level that is acceptable for its business functions and processes.&#160; The recovery solutions may include data synchronization, redundant vendor support, alternative power sources, high-availability technologies for critical business functions, fire detection and suppression systems, and additional reserves of critical equipment and supplies.&#160; The regulated entity should also consider the appropriate insurance coverage for its business, taking into consideration the BIA findings and its risk profile.</p><p>Some business functions have high availability requirements where even minimal downtime presents risk. &#160;The regulated entities should have an alternate, geographically distinct data center as an enterprise-wide disaster recovery solution that maintains availability within pre-determined RTOs and RPOs.&#160; Alternatively, the regulated entity can rely on its cloud service provider.<a href="#5">[5]</a>&#160; A geographically distinct data center should be at an appropriate distance from the regulated entity's primary operations and should not be subject to the same inherent risks as the primary site during a disaster.&#160; Pursuant to the DRP, the alternate site would be activated to recover, by priority, the technical assets of the primary location.&#160; The facility should be capable of operating at the regulated entity's normal volume and be available for use until the regulated entity achieves full recovery from the disaster. &#160;For any FHLBank, partnering with another FHLBank is a useful strategy for short-term resumption of certain business processes, but by itself should not be considered an adequate disaster recovery solution.&#160; </p><p>If a third-party provider is used to mitigate business resiliency risk, the regulated entity should evaluate, according to the risk assessment or BIA, whether its business resiliency objectives are met within its third-party provider risk management framework.<a href="#6">[6]</a>&#160; Commensurate with the risk involved, the regulated entity should consider the strength of a third-party provider's business resiliency program. </p><p>The regulated entities should also consider risk mitigation strategies in addition to those addressing RPOs and RTOs.&#160; For instance, a senior management-approved response plan to handle media inquiries can reduce the risk of reputational harm after a disruptive event.&#160; FHFA also encourages the regulated entities to contact federal, state, and local authorities as needed to determine specific risks or exposures for their geographic location and requirements for accessing emergency zones.&#160; The regulated entities should consider taking advantage of government-sponsored emergency programs and coordinating with agencies, emergency personnel, and service providers during the recovery and resumption of operations.</p><p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; <span style="text-decoration&#58;underline;">Plan Development</span></p><p>The regulated entity should document how to implement the risk mitigation strategies and recovery solutions in its plans.&#160; Plans should include short-term and long-term recovery operations with steps to transition back to normal business based on the criticality of the business functions and processes affected.&#160; Plans should also account for internal and external dependencies in the event that third-party providers,<a href="#7">[7]</a>&#160;personnel, or certain equipment are unavailable or inefficient.&#160; Plans should avoid single points of failure as the strength of a plan can be diminished by weak components. &#160;If the regulated entity outsources the development of its plans, it is responsible for choosing a service provider that has the requisite expertise appropriate for the entity's size, complexity, and risk environment.&#160;&#160; </p><p>The regulated entity's plans should include the following&#58;</p><ul style="list-style-type&#58;disc;"><li>The assumptions used to develop each plan, understanding that certain assumptions may not be met when a plan is activated;</li><li>Criteria to trigger activation of the plan and escalate incidents, if appropriate;</li><li>Assigned roles and responsibilities for personnel to activate and execute the plans;</li><li>Contingency plans for technical assets, where appropriate;</li><li>Incident response measures to protect the availability, confidentiality, and integrity of information;</li><li>Current contact information for employees, customers, service providers, municipal authorities, and emergency response personnel that is readily accessible at off-site locations; </li><li>Internal and external communication protocols, including notifying FHFA, the board, and customers, and call trees and employee notification procedures;</li><li>Relocation strategies to other facilities and remote access policies and standards if personnel are working from a remote location in the event of a disaster; and</li><li>References to emergency response measures to prevent loss of life and minimize injury and property damage.</li></ul><p>The regulated entity should prioritize the recovery of its business functions and processes according to the RTOs and RPOs as stated in each plan. &#160;Each business function, process, and associated technical asset should map to a BCP.&#160; Technical assets should also be accounted for in the DRP as they relate to the prioritized recovery and protection of the regulated entity's IT infrastructure, business applications, and data. &#160;The regulated entity should determine the enterprise-wide risk thresholds that trigger activating the CMP and the corresponding steps to respond to such incidents at an enterprise level.&#160; The regulated entity should consider the operational, legal, compliance, financial, and reputational risks involved when determining the thresholds to trigger the CMP.&#160; The CMP should include the coordinated responses to implement the DRP and BCPs, handle media inquiries, and oversee emergency response measures.</p><p> <em>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; C.&#160; Testing and Analysis</em></p><p>Testing demonstrates how well each plan achieves the business resiliency objectives defined by the regulated entity.&#160; Each regulated entity should develop a testing program that includes policies, standards, and procedures that address test planning, execution, reporting of test results, and test revisions, as necessary.&#160;&#160;&#160; </p><p>Senior management should designate personnel to oversee the testing of plans and allocate adequate time and resources for test exercises.&#160; Senior management is also responsible for ensuring that employees are aware of their roles (i.e., administrator or participant) in executing tests regularly.&#160; Test plans should periodically rotate employee roles, as appropriate, to reduce reliance on specific individuals who may not be available during a disruptive event.&#160; Testing of plans involving critical business functions should be completed at least annually, and when material changes occur to the business operating environment.&#160; The frequency of testing should be consistent with the criticality of the business function, but should not jeopardize normal business operations.</p><p>Prior to each test, management should validate the testing methods to identify potential problems.&#160; Test plans or exercises should be evaluated to assess whether test objectives are feasible and whether assumptions used in developing the test strategy are reasonable.&#160; Testing of plans should align with the risk assessments and the BIAs to validate pre-determined RPOs and RTOs.&#160; Additionally, priority-based testing should&#58;</p><ul style="list-style-type&#58;disc;"><li>Incorporate a variety of threats, event types, and crisis management scenarios that range from isolated system failures to full-scale disruptions;</li><li>Evaluate identified internal and external interdependencies, including the testing of primary and alternate facilities with key third-party providers; </li><li>Progressively increase in scope and complexity, functions, physical locations, and participants; testing should ultimately process at least a full day's work at the regulated entity's normal levels;</li><li>Include a full-scale DRP test to confirm the entity's ability to conduct and sustain normal business in an alternate data center and the ability to return to pre-defined levels of operations in the primary data center; and</li><li>Over time, adapt to changes in the regulated entity's business activities and risk profile.&#160; </li></ul><p>Internal audit or a qualified independent third party should review the testing program and conduct an independent assessment of selected tests, including the underlying assumptions and methodology.&#160; Management should have oversight of key tests that are observed, verified, and evaluated by the independent party in order to validate the testing process and accuracy of test results.&#160; Test results, deviations from test plans, problems identified during testing, and any specified remediation steps should be properly documented. </p><p>Test results should be periodically analyzed to determine if problems identified during testing can be traced to a common source, remediated, and resolved through revisions to the testing program.&#160; Problems encountered during testing should be corrected and retested in a timely manner.&#160; Test participants or test owners can also provide suggestions to the test scenarios, plans or scripts to improve the test program.&#160; Once tests are completed and assessed, the test program should be updated to address any gaps identified during tests and retested, as necessary, for robustness and effective remediation within a reasonable timeframe.&#160; </p><p> <em>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; D.&#160; Risk Monitoring and Program Sustainability</em></p><p>The regulated entity should also implement risk monitoring to track how changes to the business operating environment, including personnel, technologies, equipment, or third-party providers, may affect business resiliency strategies and plans.&#160;&#160; </p><p>Regular reports of test results and risk monitoring inform senior management of the effectiveness of the regulated entity's program.&#160; Senior management should use this information to determine if gaps exist between the risk assessment or BIA and the existing plans in place.&#160; Based on this gap analysis, RPOs and RTOs may need to be reassessed and risk mitigation strategies may need to be evaluated for particular plans.&#160; Management or plan administrators should revise plans based on test results or when material changes occur to the current business operating environment—including changes to personnel and internal and external dependencies, such as reliance on other business units or outsourced activities.&#160; Relevant business line managers and stakeholders should also be informed of test results so they can address material business resiliency problems identified during testing.&#160; The test and/or audit reports of third-party providers, lessons learned from an actual event, and any emerging risks identified should also be used in a gap analysis for each step of the program.&#160; Updates to plans should be completed in a timely manner and revised plans should be communicated and made available to appropriate managers and employees. </p><blockquote dir="ltr" style="margin-right&#58;0px;"> <strong> <em> <br>Related Guidance</em></strong></blockquote><blockquote dir="ltr" style="margin-right&#58;0px;"><blockquote dir="ltr" style="text-align&#58;left;margin-right&#58;0px;"><blockquote style="margin-right&#58;0px;"><p>12 CFR Part 1236 Prudential Management and Operations Standards, Appendix.<br><br><em>Oversight of Third-Party Provider Relationships</em>, Federal Housing Finance Agency Advisory Bulletin 2018-08, September 28, 2018.<br><br><em>Cloud Computing Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin 2018-04, August 14, 2018.<br><br><em>Information Security Management</em>, Federal Housing Finance Agency Advisory Bulletin 2017-02, September 28, 2017.<br><br><em>Internal Audit Governance and Function</em>, Federal Housing Finance Agency Advisory Bulletin 2016-05, October 7, 2016.<br><br><em>Data Management and Usage</em>, Federal Housing Finance Agency Advisory Bulletin 2016-04, September 29, 2016.<br><br><em>Operational Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin 2014-02, February 18, 2014. <br><br><em>Contingency Planning for High-Risk or High-Volume Counterparties</em>, Federal Housing Finance Agency Advisory Bulletin 2013-01, April 1, 2013. <br><br><em>Business Continuation Contingency Planning</em>, Federal Housing Finance Board Advisory Bulletin 03-2, February 10, 2003.<br><br><em>Disaster Recovery Planning</em>, Federal Housing Finance Board Advisory Bulletin 02-3, February 13, 2002 (rescinded by this advisory bulletin).&#160;<br><br></p></blockquote></blockquote></blockquote><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p style="text-align&#58;left;">FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance.&#160; Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance.&#160; <br>Questions about this advisory bulletin should be directed to&#58;&#160; <a href="mailto&#58;SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>. </p></td></tr></tbody></table> <p> <u></u>&#160;</p><p> <a name="1">[1]</a>&#160;The OF is not a “regulated entity&quot; as the term is defined by statute (<em>see</em> 12 U.S.C. 4502(20)).&#160; However, for convenience, references to the “regulated entities&quot; in this AB should be read to also apply to the OF.&#160; </p><p> <a name="2">[2]</a>&#160;12 CFR 1236.4</p><p> <a name="3">[3]</a>&#160;12 CFR 1239.11(a).</p><p> <a name="4">[4]</a>&#160;The term “senior management&quot; refers to those employees who plan, direct, and formulate policies, and provide the overall direction of the regulated entity for the development and delivery of products or services, within the parameters approved by the board.</p><p> <a name="5">[5]</a>&#160;<em>See Cloud Computing Risk Management</em>, AB 2018-04.</p><p> <a name="6">[6]</a>&#160;<em>See Oversight of Third-Party Provider Relationships</em>, AB 2018-08.</p><p> <a name="7">[7]</a>&#160;Ibid.</p>5/7/2019 7:00:50 PMHome / Supervision & Regulation / Advisory Bulletins / Business Resiliency Management Advisory Bulletin This advisory bulletin (AB) provides Federal Housing Finance Agency 2871https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Oversight of Third-Party Provider Relationships25812All9/28/2018 4:00:00 AMAB 2018-08<div class="custom-contentTypeContent"><div aria-labelledby="ctl00_PlaceHolderMain_ctl04_label" style="display&#58;inline;"><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>​​​ADVISORY BULLETIN</strong></p><p> <strong>AB 2018-08&#58;&#160; OVERSIGHT OF THIRD-PARTY PROVIDER RELATIONSHIPS</strong></p></td></tr></tbody></table><p style="text-decoration&#58;underline;"> <strong><em><br>Purpose</em></strong></p></div></div><p>This advisory bulletin (AB) provides Federal Housing Finance Agency (FHFA) guidance to Fannie Mae<strong> </strong>and<strong> </strong>Freddie Mac, the Federal Home Loan Banks (FHLBanks), and the Office of Finance (OF) (collectively, the regulated entities<a href="#1">[1]</a>) on assessing and managing risks associated with third-party provider relationships.&#160; For the purposes of this AB, a third-party provider relationship is a business arrangement between a regulated entity and another entity that provides a product or a service.<a href="#2">[2]</a>&#160; When entering into third-party provider relationships, the regulated entities can be exposed to financial, operational, legal, compliance, and reputational risk.&#160; Effective risk management of third-party provider relationships is essential to the safe and sound operations of the regulated entities.&#160;</p><p style="text-decoration&#58;underline;"> <em><strong>Guidance</strong></em></p><p>FHFA expects each regulated entity to establish and maintain a third-party provider risk management program (program) that includes the following&#58;</p><ol style="list-style-type&#58;upper-roman;"><li>Governance</li><ol style="list-style-type&#58;upper-alpha;"><li>Responsibilities of the Board and Senior Management</li><li>Policies, Procedures, and Internal Standards</li><li>Reporting</li></ol><li>Third-Party Provider Risk Management Life Cycle Phases</li></ol><ol style="list-style-type&#58;upper-roman;"><ol style="list-style-type&#58;upper-alpha;"><li>Risk Assessment</li><li>Due Diligence in Third-Party Provider Selection</li><li>Contract Negotiation </li><li>Ongoing Monitoring</li><li>Termination</li></ol></ol><p style="text-align&#58;left;">A regulated entity's program should enable oversight of third-party provider relationships in accordance with the level of risk presented, the nature of the relationship, the scale of the outsourced product or service, and the risk inherent in the relationship.&#160; Because of this risk-based approach, aspects of this AB may not apply to every third-party provider relationship.&#160; The regulated entities should ensure that the quality and extent of third-party provider risk management corresponds with the level of risk and the complexity of these relationships.&#160; </p><p style="text-align&#58;left;">FHFA's general standards for safe and sound operations are set forth in the Prudential Management and Operations Standards (PMOS) at 12 CFR Part 1236 Appendix.&#160; Three relevant PMOS articulate guidelines for a regulated entity's board of directors and management to evaluate when establishing internal controls and information systems (Standard 1), overall risk management processes (Standard 8), and maintenance of adequate records (Standard 10).&#160; In addition, each regulated entity should manage its program as part of its enterprise-wide risk management program and in accordance with all relevant FHFA guidance.<a href="#3">[3]</a>&#160; </p><blockquote dir="ltr"><blockquote dir="ltr"><blockquote dir="ltr"><blockquote dir="ltr"><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><h4> &#160;I.&#160;&#160;&#160;&#160;&#160;&#160; Governance </h4><p> <em>A.&#160;&#160;&#160;&#160; Responsibilities of the Board and Senior Management</em></p></blockquote></blockquote><p style="text-align&#58;left;">The board of directors or board committee (board) should approve a policy establishing the program.&#160; The board-level policy (or management-level policies, as appropriate) should establish criteria for the acceptance and monitoring of risks related to third-party provider engagements and include enterprise-wide risk management processes that reflect the complexity of the regulated entity.&#160; Policies should assign clear roles and responsibilities to entity personnel, establish requirements for documenting decisions concerning third-party providers, and identify internal stakeholders throughout the third-party provider relationship.&#160; Internal audit, or an independent third party if specialized expertise is required, should audit the program periodically, including review of third-party assessments.</p><p>The regulated entity's board is responsible for oversight of the program, while senior management is responsible for executing the regulated entity's program and applicable policies on behalf of the board, consistent with established delegations.&#160; Each regulated entity's board should ensure that senior management has effective processes in place to manage risks related to third-party provider relationships, consistent with the regulated entity's strategic goals, organizational objectives, and risk appetite.&#160; </p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <em>B.&#160;&#160;&#160;&#160; Policies, Procedures, and Internal Standards</em></p></blockquote><p style="text-align&#58;left;">The regulated entities should establish and implement risk management processes in their policies that clearly define risk categories for the oversight of third-party provider relationships.&#160; Risk categories should consider the type and degree of risk inherent in the relationship, the scope and breadth of the third-party provider relationship, the nature of the product or service provided, and the ability to find an acceptable replacement for the third-party provider. &#160;In addition to categorizing these relationships, the regulated entity should document and consistently update its inventory of third-party providers.&#160; The regulated entity's program should articulate governance standards for risk-based due diligence, monitoring, and oversight that reflect the defined risk categories.&#160; The more risk a third-party provider relationship poses to the regulated entity, the more rigorously the regulated entity should perform these activities.&#160; Documentation requirements should correspond to the risk category or the nature of the third-party provider relationship.&#160; Other factors considered in establishing a risk-based approach include third-party provider relationships that could&#58; </p><ul style="list-style-type&#58;disc;"><li>Cause a regulated entity to face significant business, operational, legal, compliance, or reputational risk if the third-party provider fails to meet its obligations;</li><li>Require significant resources and costs to implement and manage the risk (such as a third-party provider that has an integral role in the regulated entity's operations or a financial technology firm that leverages emerging technologies); or</li><li>Have a major effect on the regulated entity's operations if it needs to procure an alternate third-party provider or has to perform the service in house.</li></ul><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <em>C.&#160;&#160;&#160;&#160; Reporting</em> </p></blockquote><p> The regulated entity should implement a reporting system that provides management sufficient information to adjust the program, including policy, resources, expertise, and controls.&#160; Management should receive periodic reports from program stakeholders about commencing new third-party provider relationships, continuing existing ones, or terminating arrangements that do not meet expectations or no longer align with the goals of the regulated entity.&#160; Regular reports to management could incorporate the documentation of phases of the third-party provider relationship, such as analysis of costs, or reputational risks found during ongoing monitoring.&#160; Reports should contain sufficient detail to adequately inform the intended audience and sufficiently support related business decisions.</p><p> To assist the board in oversight of the program, management should provide the board with regular enterprise-wide reports on the regulated entity's management of risks associated with third-party providers.&#160; Management should also notify the board of significant third-party risks, such as business interruptions and terminations for cause, or third-party provider relationships that approach the regulated entity's risk appetite limits.&#160;&#160;</p><p>&#160;</p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><h4>II.&#160;&#160;&#160;&#160;&#160;&#160;&#160; Third-Party Provider Risk Management Life Cycle Phases</h4></blockquote><p style="text-align&#58;left;">An effective program should include policies and procedures that cover all phases of the regulated entity's third-party provider relationship life cycle&#58; &#160;Risk Assessment, Due Diligence in Third-Party Provider Selection, Contract Negotiation, Ongoing Monitoring, and Termination.&#160; The scope and duration of each phase should be consistent with the program's policy, and multiple phases may be addressed simultaneously.&#160; The documentation for each phase is also dependent on whether the phase applies and the extent to which it applies. &#160;The life cycle phases are discussed in more detail below.&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; <em></em></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <em>A.&#160;&#160;&#160;&#160; Phase 1 – Risk Assessment </em></p></blockquote><p style="text-align&#58;left;">Each regulated entity's program should include processes to assess the risks associated with engaging a third-party provider to supply a product or service.&#160; These risks may include&#58;</p><ul style="list-style-type&#58;disc;"><li>The operational, compliance, legal, and reputational risks associated with having a third-party provider supply the product or service and the risk that expected benefits do not outweigh the costs;</li><li>The breadth of the products or services that would be delivered by a third-party provider;</li><li>Whether the regulated entity has adequate resources and expertise to monitor the third-party provider relationship;</li><li>The complexity of the arrangement, volume of activity, potential for a third-party provider's use of subcontractors, and the technology required; and</li><li>Potential information security risks associated with giving a third-party provider access to the regulated entity's operating location, information systems, or proprietary or personally identifiable information.</li></ul><p style="text-align&#58;left;">If the regulated entity establishes a third-party provider relationship, the program should provide for management of the associated risks.&#160; As necessary, the risk assessment should include a strategy for the regulated entity to procure adequate resources or expertise to mitigate the risks or justify acceptance of the identified risks.&#160; The regulated entity should review and update its risk assessment and revise risk mitigation strategies when appropriate.&#160; When documenting its risk assessment analysis, the regulated entity should indicate any risk assessment tools used in the process.</p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <em>B.&#160;&#160;&#160;&#160; Phase 2 – Due Diligence in Third-Party Provider Selection</em></p></blockquote><p style="text-align&#58;left;">Each regulated entity should conduct due diligence on a third-party provider before entering into a contract.&#160; The degree of due diligence should be commensurate with the level of risk of the outsourced activity and the complexity of the third-party provider relationship.&#160; A regulated entity should not rely solely on its prior experience or knowledge of the third-party provider as a substitute for an objective risk assessment of the third-party provider's ability to supply a product or service in a safe and sound manner.&#160; A regulated entity may refer to a third-party provider's independent audit, Service Organization Control (SOC) report, or recognized certifications to assess certain aspects of the third-party provider's internal risk management controls.&#160; Due diligence review should align with the severity of the risk.&#160; Due diligence results, findings, and recommendations should be documented.</p><p style="text-align&#58;left;">Due diligence prior to entering into a third-party provider relationship should include an evaluation of financial, operational, legal, compliance, and reputational risks of engaging the proposed third-party provider.&#160; As part of the due diligence review, the regulated entity should consider&#58; </p><ul style="list-style-type&#58;disc;"><li>Whether the proposed third-party provider can offer the product or service in compliance with applicable laws and regulations, as well as the regulated entity's internal policies, procedures, and other requirements;</li><li>The third-party provider's overall business model and how current and proposed business activities may affect the risks presented by the third-party provider; </li><li>The third-party provider's business background, experience, and reputation; </li><li>The financial performance, resources, and condition of the proposed third-party provider;</li><li>The third-party provider's insurance coverage;</li><li>The third-party provider's operational and internal controls, including information security, incident reporting and management, and business continuity programs; </li><li>Concentration risks that may arise from relying on a third-party provider for multiple products or services or from a third-party provider's reliance on subcontractors; </li><li>The extent to which the third-party provider relies on subcontractors to perform its obligations, the controls the subcontractor has in place, and the third-party provider's processes to oversee subcontractors that would be directly involved in the outsourced product or service; </li></ul><ul style="list-style-type&#58;disc;"><li>Any potential conflicts of interest with the directors, officers, or employees of the regulated entity concerning potential third-party providers;<a href="#4">[4]</a> and</li><li>Whether there are third-party fee structures that involve potential risks, such as incentives for inappropriate risk-taking, that could arise as a result of such fee structures.&#160; </li></ul><p style="text-align&#58;left;">Each regulated entity's third-party provider selection process should also be designed to ensure, to the extent possible and consistent with safety and soundness, the inclusion of&#160;minority-, women-, and disabled-owned businesses.<a href="#5">[5]</a></p><p style="text-align&#58;left;">Management should review the due diligence results to determine whether the third-party provider is able to adequately provide the product or service at a level of risk acceptable to the regulated entity.&#160; If the third-party provider cannot meet the regulated entity's requirements, management should consider whether to seek an alternate provider, supply the product or service itself, or mitigate the identified risks to the extent practicable. </p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <em>C.&#160;&#160;&#160;&#160;&#160;&#160; &#160;Phase 3 – Contract Negotiation </em></p></blockquote><p style="text-align&#58;left;">Each contract with a third-party provider should clearly specify the rights and responsibilities of each party.&#160; Consistent with the risk category involved, the regulated entity should consider what level of legal review is necessary for contracts with third-party providers and should ensure that the attorneys conducting the review for a particular contract have the appropriate subject matter expertise or work in conjunction with appropriate subject matter experts. &#160;Copies of executed contracts should be retained for reference and record-keeping purposes.</p><p style="text-align&#58;left;">The regulated entity should consider the following when negotiating contractual provisions with third-party providers&#58;</p><ul style="list-style-type&#58;disc;"><li>The nature and scope of service; </li><li>Duration of service; </li><li>Performance standards and service levels; </li><li>Experience requirements of third-party providers and their contractors;</li><li>Cost and compensation, including the timing and procedures for payment and expense reimbursement;</li><li>Confidentiality, use, location, and security of information; </li><li>Business continuity and contingency plans and test results;</li><li>Intellectual property ownership, rights, and responsibilities; </li><li>Timely disclosure of conflicts of interest or potential conflicts of interest from the third-party provider;</li><li>Incident reporting and management;</li><li>Dispute resolution process (<em>e.g.</em> arbitration, mediation), termination, and remedies; and</li><li>Internal controls and audit reports.</li></ul><p>The regulated entity should address what constitutes nonperformance and the conditions under which the contract may be terminated by either party.&#160; The contract should also stipulate the circumstances for and responsibilities when termination occurs.&#160; If the regulated entity could no longer legally engage a third-party provider,<a href="#6">[6]</a> the contract should include a provision that enables the regulated entity to terminate the contract for regulatory noncompliance.&#160; </p><p style="text-align&#58;left;">The regulated entity should also ensure that contracts address compliance with the specific laws, regulations, and guidance applicable to the regulated entity, including the regulated entity's right to obtain necessary information to conduct ongoing risk assessments, as well as monitor performance and ensure contract compliance.&#160; Contracts should also address whether the regulated entity has the right to conduct periodic on-site reviews to verify compliance.&#160; If contracts allow for subcontracting, the regulated entity generally should seek to ensure that the primary third-party provider remains responsible for the performance of its subcontractors in accordance with the terms of the primary contract, and be notified of the identity of any material subcontractors, when appropriate. </p><p style="text-align&#58;left;">Contracts for third-party providers should address, as appropriate, the provider's responsibility for continuation of the product or service in the event of an operational failure, such as man-made and natural disasters.&#160; Contracts should address requirements for third-party providers to back up information and maintain disaster recovery and contingency plans with sufficiently detailed operating procedures.&#160; </p><p style="text-align&#58;left;">Other issues such as the maintenance of adequate insurance, ownership of data or licenses, privacy, and liability limitations should be considered, as applicable.&#160; For example, the regulated entity should consider potential legal and security risks to cross-border data storage, transmission, and processing.&#160;&#160;&#160;</p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <em>D.&#160;&#160;&#160; Phase 4 – Ongoing Monitoring</em></p></blockquote><p style="text-align&#58;left;">The nature and extent of monitoring of the performance of third-party provider relationships should be commensurate with the level of risk.&#160; Management should also ensure that the regulated entity retains sufficient staff with the necessary expertise, authority, and accountability to oversee and monitor the third-party provider relationship.&#160; The approach (<em>e.g.</em>, on-site versus off-site review), depth, scope, and frequency of the monitoring and oversight activities should correspond to the risk category involved.&#160; If the regulated entity outsources any part of its monitoring and oversight, management is responsible for choosing a service provider appropriate for the entity's size, complexity, and risk environment.&#160; </p><p style="text-align&#58;left;">Ongoing monitoring should include the due diligence activities referenced in Phase 2 that apply to the particular third-party provider relationship.&#160; Management of the regulated entity should also consider whether the third-party provider is&#58;</p><ul style="list-style-type&#58;disc;"><li>Meeting service-level agreements, performance metrics, and other contractual terms; </li><li>Monitoring and evaluating subcontractor controls that are relevant to the contract work being performed;</li><li>Engaged in agreements with other entities that may pose a conflict of interest or present risks; </li><li>Performing periodic background checks; and</li><li>Complying with applicable legal and regulatory requirements, including documenting such compliance when necessary.</li></ul><p style="text-align&#58;left;">Because both the level and types of risks may change over the lifetime of a third-party provider relationship, a regulated entity should ensure that its ongoing monitoring adapts accordingly.&#160; Periodic assessments should be conducted to determine whether the product or service remains necessary or relevant to the regulated entity's mission or operations.&#160; Each regulated entity should also periodically assess existing third-party provider relationships to determine whether the nature of the product or service provided has changed, resulting in the need for re-designation to a new risk category. &#160;Management should review existing third-party provider contracts to determine whether the terms and conditions address current risks associated with having the product or service supplied by the third-party provider.&#160; Where concerns are identified, the regulated entity should consider addressing those concerns by negotiating an amendment to the contract where appropriate, or revising the contract prior to a renewal. &#160;</p><p style="text-align&#58;left;">When a regulated entity identifies concerns through ongoing monitoring, it should seek to resolve the issues at the earliest opportunity.&#160; Management should ensure procedures exist to escalate issues such as service agreement performance, material weaknesses and repeat audit findings, deterioration in financial condition, security breaches, data loss, or compliance lapses.&#160; Additionally, management should ensure that the regulated entity's controls for managing these risks from third-party provider relationships are tested regularly.&#160; Weaknesses identified that substantively increase the risk to the regulated entity should be reported to the board based on an assessment of the level of associated risk.</p><p style="text-align&#58;left;">Any assessments and analyses performed during this phase should be documented, as well as any regular risk management and performance reports received from the third-party provider (<em>e.g.</em>, audit reports, security reviews, and reports about compliance with service-level agreements).</p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <em>E.&#160;&#160;&#160;&#160; Phase 5 – Termination</em></p></blockquote><p style="text-align&#58;left;">The terms of each contract will govern how a regulated entity or a third-party provider may terminate the contractual relationship.&#160; A regulated entity may wish to terminate a third-party provider relationship for various reasons, including&#58;&#160;</p><ul style="list-style-type&#58;disc;"><li>Expiration, completion, or satisfaction of the contract;</li><li>Breach of contract;</li><li>To engage an alternate third-party provider;</li><li>To discontinue the product or service; </li><li>To bring the product or service in house; or</li><li>To comply with an FHFA order directing suspension of the third-party provider relationship. </li></ul><p style="text-align&#58;left;">Each regulated entity should have strategies and contingency plans in place to terminate third-party provider relationships in an efficient manner that minimizes risk to the regulated entity, whether the outsourced product or service is transitioned to another third-party provider, brought in house, or discontinued. The regulated entity should consider&#58;</p><ul style="list-style-type&#58;disc;"><li>The capabilities, resources, and time frames required to transition the product or service while still managing legal, regulatory, and other risks;</li><li>Risks associated with data retention and destruction, information system connections and access control issues, or other control concerns that require additional risk management and monitoring during and after the end of the third-party provider relationship;</li><li>Intellectual property ownership, rights, and responsibilities, as well as the handling of any joint intellectual property developed during the course of the arrangement; </li><li>The return of any regulated entity's information in the third-party provider's possession after voluntary or involuntary termination of the contract;</li><li>Reputational risks to the regulated entity if the termination results from the third-party provider's inability to meet expectations; and</li><li>Roles and assistance with transfer or wind down of the outsourced product or service upon termination.</li></ul><p style="text-decoration&#58;underline;"> <strong> <em>Related Guidance</em></strong></p><p>12 CFR Part 1236 Prudential Management and Operations Standards, Appendix. </p><p> <em>Cloud Computing Risk Management, </em>Federal Housing Finance Agency Advisory Bulletin 2018-04, August 14, 2018.</p><p> <em>Oversight of Multifamily Seller/Servicer Relationships</em>, Federal Housing Finance Agency Advisory Bulletin 2018-05, August 14, 2018.</p><p> <em>Information Security Management</em>, Federal Housing Finance Agency Advisory Bulletin 2017-02, September 28, 2017.</p><p> <em>Internal Audit Governance and Function</em>, Federal Housing Finance Agency Advisory Bulletin 2016-05, October 7, 2016.</p><p> <em>Data Management and Usage,</em> Federal Housing Finance Agency Advisory Bulletin 2016-04, September 29, 2016.</p><p> <em>Information Technology Investment Management,</em> Federal Housing Finance Agency Advisory Bulletin 2015-06, September 21, 2015.</p><p> <em>Oversight of Single-Family Seller/Servicer Relationships, </em>Federal Housing Finance Agency Advisory Bulletin, 2014-07, December 1, 2014.</p><p> <em>Operational Risk Management,</em> Federal Housing Finance Agency Advisory Bulletin, 2014-02, February 18, 2014. </p><p> <em>Model Risk Management, </em>Federal Housing Finance Agency Advisory Bulletin 2013-07, November 20, 2013.</p><p> <em>Contingency Planning for High-Risk or High-Volume Counterparties</em>, Federal Housing Finance Agency Advisory Bulletin 2013-01, April 1, 2013.</p><p>___________________________________________<br></p><p> <a name="1">[1]</a> The OF is not a “regulated entity&quot; as the term is defined by statute (<em>see </em>12 U.S.C. 4502(20)).&#160; However, for convenience, references to the “regulated entities&quot; in this AB should be read to also apply to the OF.&#160; </p><p> <a name="2">[2]</a> This AB does not apply to business arrangements through which a FHLBank provides products or services to its members or housing associates, or to a FHLBank's business arrangements with sponsors participating in its Affordable Housing Program.&#160; &#160;</p><p> <a name="3">[3]</a> 12 CFR 1239.11(a).</p><p> <a name="4">[4]</a> 12 CFR 1239.10(a).</p><p> <a name="5">[5]</a> 12 CFR 1223.2, 1223.21.</p><p> <a name="6">[6]</a><em>See, e.g.</em>, 12 CFR Part 1227.</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. Questions about this advisory bulletin should be directed to&#58;&#160;<a href="mailto&#58;SupervisionPolicy@fhfa.gov.f">SupervisionPolicy@fhfa.gov</a>.</p></td></tr></tbody></table>​<br></blockquote></blockquote></blockquote>9/28/2018 6:30:25 PMHome / Supervision & Regulation / Advisory Bulletins / Oversight of Third-Party Provider Relationships Advisory Bulletin AB 2018-08:  OVERSIGHT OF THIRD-PARTY PROVIDER 7595https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Interest Rate Risk Management25813FHLB & Fannie Mae & Freddie Mac9/28/2018 4:00:00 AMAB 2018-09<div class="custom-contentTypeContent"><div aria-labelledby="ctl00_PlaceHolderMain_ctl04_label" style="display&#58;inline;"><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>​​​ADVISORY BULLETIN</strong></p><p> <strong>AB 2018-09&#58; INTEREST RATE RISK MANAGEMENT</strong></p></td></tr></tbody></table><p style="text-decoration&#58;underline;"> <strong><em><br>Purpose</em></strong></p></div></div><p>This advisory bulletin (AB) provides Federal Housing Finance Agency (FHFA) guidance for interest rate risk management at the Federal Home Loan Banks (Banks), Fannie Mae, and Freddie Mac (the Enterprises), collectively known as the regulated entities. &#160;This guidance supersedes the Federal Housing Finance Board's advisory bulletin, <em>Interest Rate Risk Management</em> (AB 2004-05).&#160; Interest rate risk management is a key component in the management of market risk.&#160; These guidelines describe principles the regulated entities should follow to identify, measure, monitor, and control interest rate risk. &#160;The AB is organized as follows&#58;</p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p>I.&#160;&#160;&#160;Governance</p></blockquote><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> A. Responsibilities of the Board</p><p> B. Responsibilities of Senior Management</p><p>C. Risk Management Roles and Responsibilities</p><p>D. Policies and Procedures</p></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> II.&#160;&#160; Interest Rate Risk Strategy, Limits, Mitigation, and Internal Controls</p></blockquote><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p>A. Limits</p><p>B. Interest Rate Risk Mitigation</p><p>C. Internal Controls</p></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p>III.&#160;Risk Measurement System, Monitoring, and Reporting</p></blockquote><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p>A. Interest Rate Risk Measurement System</p><p>B. Scenario Analysis and Stress Testing</p><p>C. Monitoring and Reporting</p></blockquote><p> <span style="text-decoration&#58;underline;"> <strong> <em>Background</em></strong></span></p><p>Interest rate risk is the risk that changes in interest rates may adversely affect financial condition and performance.&#160; More specifically, interest rate risk is the sensitivity of cash flows, reported earnings, and economic value to changes in interest rates.&#160; As interest rates change, expected cash flows to and from a regulated entity change.&#160; The regulated entities may be exposed to changes in&#58;&#160; the level of interest rates; the slope and curvature of the yield curve; the volatilities of interest rates; and the spread relationships between assets, liabilities, and derivatives.&#160; Interest rate risk may include repricing risk, basis risk, option risk, option-adjusted spread (OAS) risk, prepayment risk, and model risk.&#160; Excessive interest rate risk can threaten liquidity, earnings, capital, and solvency.&#160; </p><p>The regulated entities can manage interest rate risk with respect to economic value of equity, earnings, or both. &#160;These approaches are complementary because they provide different types of relevant information, but each has limitations.&#160; The economic value of equity represents the underlying net market value (or net present value) of a regulated entity's assets and liabilities, including any off-balance sheet items.&#160; A common risk management objective is to keep the market value of equity from falling below pre-specified limits over a range of interest rate scenarios.&#160; One limitation of this approach is that market value measures do not identify when future earnings problems may occur.&#160; When the focus is on earnings, the risk management objective is to maintain earnings within an acceptable range over specified time horizons, which are generally short-term, ranging from one year to five years. &#160;If the objective is to ensure that net income will remain within certain parameters during the given time period over a range of interest rate scenarios, management overlooks risks that exist beyond the forecast horizon.</p><p>FHFA's general standards for safe and sound operations are set forth in the Prudential Management and Operations Standards (PMOS) at 12 CFR Appendix to Part 1236, four of which are relevant to managing interest rate risk.&#160; Standard 3 (Management of Market Risk Exposure) highlights the expectation for each regulated entity to have a clearly defined and well-documented strategy for managing market risk and establishes responsibilities for the board of directors or delegated board committee (board) and senior management.&#160; Standard 4 (Management of Market Risk – Measurement Systems, Risk Limits, Stress Testing, and Monitoring and Reporting) includes guidelines for market risk management in these areas.&#160; Standard 2 (Independence and Adequacy of Internal Audit Systems) and Standard 8 (Overall Risk Management Processes) include responsibilities for internal audit, the board, and senior management along with an independent risk management function. </p><p style="text-decoration&#58;underline;"> <strong><em>Guidance</em></strong></p><p>Each regulated entity's risk management practices should enable it to identify, measure, monitor, and control its interest rate risk exposures. &#160;An effective interest rate risk management function includes appropriate management of risk exposure, policies and procedures, risk limits, internal controls, risk measurement systems, monitoring, and reporting.&#160; A regulated entity should periodically review industry standards with regard to interest rate risk management.</p><h2><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <strong>I.&#160;&#160;&#160;&#160;&#160;&#160; Governance</strong></p></blockquote></h2><p>The board and senior management should ensure that the regulated entity has in place appropriate policies, procedures, and internal controls for managing and controlling the regulated entity's exposure to interest rate risk.&#160; The board should oversee the adequacy of senior management's actions.&#160; Senior management should also ensure the regulated entity's risk measurement, monitoring, and reporting systems are reliable and effective.&#160; </p><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> <em>A.&#160;&#160;&#160;&#160; Responsibilities of the Board </em></p></blockquote><p>The board should oversee the adequacy of actions taken by senior management to identify, measure, manage, control, and report on interest rate risk exposures. &#160;The board should establish the regulated entity's tolerance for interest rate risk, approve major interest rate risk limits, and provide management with clear guidance regarding the level of acceptable interest rate risk.&#160; The board should approve major strategies and policies relating to the management of interest rate risk. &#160;The board should ensure such major strategies and policies are consistent with the regulated entity's overall business plan. </p><p>The board should review interest rate risk exposures on a periodic basis. &#160;Reports provided to the board should include appropriate details to allow the board to remain sufficiently informed about the nature and level of the regulated entity's interest rate risk exposures in light of current market conditions, established risk limits, operating performance, and other relevant factors.&#160; As a group, the board should have the requisite knowledge and background to assess the information provided and recommend further actions. </p><p>At least annually, or more frequently if there are significant changes in market or financial conditions, the board should review the interest rate risk management framework and major policies, limits, and internal controls. &#160;The regulated entity's risk tolerance; management's compliance with risk limits; results of stress tests; the level of the regulated entity's capital; and the effectiveness of the risk management framework, measurement systems, and reporting systems should inform the board's review of the risk limits.&#160; The board should document any changes to board-approved interest rate risk limits in its minutes.&#160; The board should also ensure that management takes appropriate corrective measures when interest rate risk limit breaches occur.&#160;&#160;&#160; </p><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> <em>B.&#160;&#160;&#160;&#160; Responsibilities of Senior Management</em></p></blockquote><p>Senior management implements board-approved strategies and policies relating to the management of interest rate risk.&#160; Senior management should ensure interest rate risk policies and procedures are clearly written, sufficiently detailed, adhered to, periodically reviewed, and should recommend updates for board approval, as appropriate.&#160; Senior management should ensure adequate organizational structure, systems, and resources are available to manage and control interest rate risk, and that personnel are appropriately trained and competent.</p><p>Senior management should periodically review and discuss with the board information regarding the nature and level of the regulated entity's interest rate risk exposures. &#160;Senior management should inform the board of how changing market conditions could affect interest rate risk exposure.&#160; The discussions should be sufficient in detail and timeliness to permit the board to understand and assess the management and control of the regulated entity's interest rate risk exposures.&#160; Senior management should report interest rate risk limit breaches to the board and identify appropriate remedial actions. &#160;Senior management should make the board aware of the advantages and disadvantages of the regulated entity's chosen interest rate risk management strategy and alternative strategies.&#160; </p><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> <em>C.&#160;&#160;&#160;&#160; Risk Management Roles and Responsibilities</em></p></blockquote><p>Policies and procedures should delineate the roles and responsibilities of persons assigned to measure, manage and control interest rate risk so they operate with sufficient independence from the business units, as applicable. &#160;&#160;</p><p>Business units encounter interest rate risk on a daily basis and should follow policies and procedures when taking steps to manage and maintain interest rate risk within approved limits.&#160; Senior management, through an asset and liability management (or similar) committee, is responsible for managing and controlling interest rate risk. </p><p>The risk management function, or unit, is responsible for interest rate risk measurement, risk monitoring, and independent oversight, including the establishment and enforcement of board-approved interest rate risk limits.&#160; It should also be responsible for ensuring that the business units have effective processes in place to identify, assess, monitor, and report on key interest rate risks. The chief risk officer must report regularly to the risk committee and to the chief executive officer.<a href="#1">[1]</a>)</p><p>Internal audit should conduct periodic evaluations of internal controls around interest rate risk management. &#160;Internal audit should conduct risk-based audits of the regulated entity's interest rate risk management and determine whether management promptly addresses findings or weaknesses regarding interest rate risk management.&#160; Internal audit should review adherence to interest rate risk management policies and procedures. </p><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> <em>D.&#160;&#160;&#160; Policies and Procedures</em></p></blockquote><p>A regulated entity should have interest rate risk management policies and procedures appropriate for its risk profile.&#160; This includes being clearly written, sufficiently detailed, formally approved at the appropriate level, and, as applicable, periodically reviewed by the board and senior management.&#160; Approved policies and procedures should include defined interest rate risk limits and assign lines of authority and responsibility for managing interest rate risk. &#160;Procedures should exist for monitoring compliance with limits and to follow up on instances of noncompliance or breaches.&#160; &#160;&#160;</p><p>Management should ensure that policies and procedures to identify and manage inherent risks are sufficient before undertaking new products, offerings, or activities.&#160; </p><p>The regulated entity should also have policies and procedures for any management, ad hoc, or “on top&quot; adjustments to model-generated interest rate risk metrics, and provide clear instructions on needed approvals and documentation requirements.&#160; The documentation should explain the adjustment and the reason it is necessary as well as how long it will be required.&#160; The regulated entity's enterprise risk management or another authorized management risk committee should be made aware of, and approve, any major management, ad hoc, or “on top&quot; adjustments to interest rate risk metrics.</p><h2><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <strong>II.&#160;&#160;&#160;&#160;&#160;&#160; Interest Rate Risk Strategy, Limits, Mitigation, and Internal Controls</strong></p></blockquote></h2><p>A regulated entity should have a clearly defined and well-documented strategy for managing and mitigating interest rate risk, consistent with its overall business plan.&#160; The regulated entity should identify, manage, monitor, and control interest rate risk exposures on a business unit and an enterprise-wide basis.</p><p>It is incumbent on the regulated entity to understand the adopted strategy's impact on financial condition, whether the objective is to control risk to economic value of equity, earnings, some other target, or a combination thereof.&#160; Overemphasis on one approach may not be optimal and may lead to problems over time.&#160; For example, meaningful declines in the market value of equity to the book value of equity ratio, prospective earnings, or related indicators may signal interest rate risk management weaknesses, even if these declines occur within the context of low reported risk and compliance with approved policies and limits.</p><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> <em>A.&#160;&#160;&#160;&#160; Limits</em></p></blockquote><p>A regulated entity should establish an interest rate risk framework that includes interest rate risk metrics, a comprehensive set of board-approved interest rate risk limits, and management threshold levels, set below board limits, to serve as warning triggers and initiate discussion regarding risk levels. &#160;The risk limits should be consistent with the regulated entity's risk profile, profitability objectives, and liquidity and capital needs.&#160; Limits should not be set so far above actual risk exposures that they are meaningless or have no effect on risk taking behavior. &#160;The regulated entity should also maintain a record of all limit breaches.</p><p>Different metrics used for setting interest rate risk limits may include, as applicable&#58; &#160;duration of equity, convexity of equity, volatility duration, market value sensitivity to yield curve parallel moves and twists, key-rate duration, maturity gap of assets and liabilities, prepayment duration, spread duration, market value of equity to par value of capital stock, market value of equity to book value of equity, retained earnings, net interest income sensitivity, and Value at Risk.&#160; A regulated entity should understand the advantages and disadvantages of the interest rate risk limits framework it has chosen to utilize.</p><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> <em>B.&#160;&#160;&#160;&#160; Interest Rate Risk Mitigation</em></p></blockquote><p>A regulated entity should mitigate interest rate risk to keep risks within approved levels and should be able to identify problems that occur even when risks are within approved levels.&#160; For example, a regulated entity should be able to recognize significant accumulating losses from interest rate risk, explain the causes of losses, and manage risk exposure at some point even if the regulated entity is in compliance with approved strategy, policies, and limits.&#160; </p><p>A regulated entity can mitigate interest rate risk through a variety of strategies including&#58; matched funding, funding with debt having embedded options, hedging using derivatives, and building retained earnings. &#160;Matched funding allows a regulated entity to match the maturity of its assets and liabilities. &#160;Funding with debt having embedded options could allow regulated entities to mitigate exposures of assets with explicit and implicit options such as mortgages.&#160; Hedging using derivatives allows the regulated entity to mitigate interest rate risk by changing its cash flows and economic exposure stemming from certain changes in interest rates. &#160;Building retained earnings allows the regulated entity to have a larger capital base to absorb the impact of an adverse interest rate change.&#160; Having a robust net interest income stream also allows a regulated entity to absorb the effects of adverse interest rate movements. </p><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> <em>C.&#160;&#160;&#160;&#160; Internal Controls </em></p></blockquote><p style="text-align&#58;left;">A regulated entity should have sufficient internal controls around interest rate risk management.&#160; The internal control process should aim to ensure effective and efficient management of interest rate risk; reliable measurement of interest rate risk; reliable reporting and communication of interest rate risk; and compliance with applicable statutes, regulations, and policies governing interest rate risk.&#160; Additionally, internal controls should support periodic reviews and evaluations of policies and procedures as well as the accuracy and reliability of risk measurement systems.</p><p style="text-align&#58;left;">A regulated entity should monitor the adequacy and effectiveness of its internal controls and information systems on an ongoing basis through a formal self-assessment process.&#160; Business units, enterprise risk management, and internal audit should conduct periodic evaluations of internal controls for interest rate risk management. &#160;</p><h2><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <strong>III.&#160;&#160;&#160;&#160;&#160;&#160; Risk Measurement System, Monitoring, and Reporting</strong></p></blockquote></h2><p>The regulated entities should choose which method(s) to use to measure interest rate risk. &#160;Methods may include&#58; Duration Analysis, Earnings Simulation Analysis, Earnings at Risk, Capital at Risk, Value at Risk, Economic Value of Equity, or other methods. &#160;Generally, a regulated entity would measure interest rate risk by valuing its assets, liabilities, derivatives, and off-balance sheet exposures in different interest rate environments.&#160; A regulated entity should understand the advantages and disadvantages of its chosen interest rate risk measurement method(s). </p><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> <em>A.&#160;&#160;&#160;&#160; Interest Rate Risk Measurement System </em></p></blockquote><p>A regulated entity should have an interest rate risk measurement system (<em>i.e.</em>, a model or set of models) that captures all material sources of interest rate risk, including repricing risk, yield curve risk, basis risk, prepayment risk, and option risk. &#160;The sophistication of the risk measurement system should be commensurate with the complexity of the financial instruments held by the regulated entity.&#160; The risk measurement system should also provide meaningful and timely measures of the regulated entity's risk exposures and use generally accepted financial concepts, valuation methodologies, and risk measurement techniques. &#160;</p><p>The risk measurement system should be capable of valuing all of the regulated entity's assets and liabilities, including off-balance sheet positions and derivatives, and estimating the effect of changes in interest rates and other key risk factors on the regulated entity's earnings and market value of equity over a range of scenarios.&#160; A regulated entity should properly document and bring to management's attention instances where the risk measurement system cannot reliably value an instrument or requires a model workaround.&#160; Any management, ad hoc, or “on top&quot; adjustments to model output should be made according to approved procedures.&#160; The measurement system should use directly or indirectly observed market prices for its estimates of market values where feasible.&#160; A regulated entity should test new products to verify the risk measurement system can properly measure the exposure of the new product.&#160; </p><p>Periodically, enterprise risk management or another authorized management risk committee should review the interest rate risk measurement system for accuracy and reliability, including comparison to actual portfolio behaviors when feasible.&#160; Management should ensure the integrity and timeliness of the data inputs used to measure interest rate risk exposures and that assumptions and parameters are reasonable and properly documented.&#160; Management should also understand strengths and weaknesses of the model(s) used, including sensitivity to changes in key assumptions. &#160;</p><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> <em>B.&#160;&#160;&#160;&#160; Scenario Analysis and Stress Testing</em></p></blockquote><p style="text-align&#58;left;">A regulated entity should routinely conduct scenario analysis as a part of interest rate risk management as it relates to market value measures and net income measures.&#160; Scenarios should include increasing and decreasing parallel and nonparallel interest rate shocks of varying magnitudes as well as an instantaneous and gradual steepening and flattening of the yield curve.&#160; The regulated entity should also consider changes in prepayment speeds for mortgage-related instruments, volatility for securities impacted by interest rate volatility, and relevant interest rate spreads for different securities.&#160; The scenarios should identify the main exposures within a regulated entity's interest rate risk profile.&#160; A regulated entity could perform analysis to identify which assumptions or inputs cause the largest impact. </p><p>A regulated entity should perform periodic stress testing of interest rate risk management positions. &#160;The stress scenarios should include interest rate shocks and shifts in the economic environment that are of a magnitude such that it tests the effectiveness of the interest rate risk management of the regulated entity.&#160; These stress scenarios should vary over time.&#160; The regulated entity should include scenarios conducted for its annual strategic business plan or annual stress testing as applicable. </p><p style="text-align&#58;left;">The regulated entity should give special consideration to financial instruments or markets where it has significant concentrations, financial instruments in which a regulated entity's position may be more difficult to unwind or hedge during periods of market stress, and complex financial instruments with embedded options that may be more difficult to evaluate in stressful scenarios.</p><p style="text-align&#58;left;">If management or the board finds the results from the scenario analysis or stress testing unacceptable, management should determine a course of action and may need to modify, rebalance, or hedge so that performance would be acceptable under the identified scenarios.&#160; The board and senior management should periodically review the design of the stress tests to ensure that they capture conditions where the regulated entity is most vulnerable.</p><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> <em>C.&#160;&#160;&#160;&#160; Monitoring and Reporting</em></p></blockquote><p>A regulated entity should routinely monitor and report interest rate risk exposures using scenario analysis to business unit managers, senior management, and the board at a level appropriate for each.&#160; The interest rate risk reports should be accurate, informative, and timely.&#160; The reports should show adherence to approved interest rate risk policies and limits and any exceptions or breaches of limits and policies. The reports should identify and explain limit breaches. </p><p>The interest rate risk reports should reflect and show trends in measures used to evaluate interest rate risk management objectives.&#160; Reports should show the market value of the regulated entity's assets, liabilities, and off-balance sheet exposures, including derivatives, under a range of scenarios.&#160; With respect to earnings, reports should show net income over a specified time horizon under various scenarios. &#160;Reports should also include backtesting results to compare past forecasts, or risk estimates, with actual results. &#160;&#160;</p><p>Interest rate risk reports should identify any changes to risk models and model assumptions, describe the rationale for the changes, and analyze their impact on risk measures and risk limits.&#160; Interest rate risk reports should also note any management, ad hoc, or “on top&quot; adjustments to interest rate risk models, the reason for the adjustment, and the start and expected end date for the use of the adjustment.&#160; </p><p style="text-decoration&#58;underline;"> <strong><em>Related Guidance</em></strong></p><p> <em>Model Risk Management Guidance, </em>Federal Housing Finance Agency, Advisory Bulletin AB-2013-07, November 20, 2013.</p><p> <em>Internal Audit Governance and Function</em>, Federal Housing Finance Agency, Advisory Bulletin AB-2016-05, October 7, 2016.</p><p>Appendix to 12 CFR Part 1236 - Prudential Management and Operating Standards.&#160; </p><p>12 CFR Part 1239 – Responsibilities of Board of Directors, Corporate Practices, and Corporate Governance.&#160; </p><p>________________________<br></p><p> <a name="1">[1]</a> 12 CFR 1239.11(c)(5)&#160;&#160; </p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. Questions about this advisory bulletin should be directed to&#58;&#160;<a href="mailto&#58;SupervisionPolicy@fhfa.gov.f">SupervisionPolicy@fhfa.gov</a>.</p></td></tr></tbody></table>​<br> 9/28/2018 6:35:25 PMHome / Supervision & Regulation / Advisory Bulletins / Interest Rate Risk Management Advisory Bulletin AB 2018-09: INTEREST RATE RISK MANAGEMENT The AB is organized as follows 3851https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Federal Home Loan Bank Liquidity Guidance25695FHL Banks8/27/2018 4:00:00 AMAB 2018-07<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>​​​ADVISORY BULLETIN</strong></p><p> <strong>AB 2018-07</strong><br></p><p> <strong>FEDERAL HOME LOAN BANK LIQUIDITY GUIDANCE</strong><br></p></td></tr></tbody></table><p style="text-decoration&#58;underline;"> <strong><em><br>Purpose</em></strong></p><p>This advisory bulletin (AB) communicates the Federal Housing Finance Agency’s (FHFA) guidance for maintaining sufficient amounts of liquidity<a href="#1">[1]</a> that will enable Federal Home Loan Banks (FHLBanks) to provide advances and fund letters of credit for members during a sustained capital markets disruption.&#160; Although this guidance sets expectations for how FHLBanks may best measure and maintain sufficient liquidity, the FHLBanks should also use liquidity metrics that are commensurate with their funds management strategies and that provide a comprehensive assessment of their liquidity risk to ensure that sufficient funds are available at a reasonable cost to meet potential demands.<br></p><p>Contemporaneously with the issuance of this AB, the Division of Federal Home Loan Bank Regulation (DBR) is issuing a supervisory letter to the FHLBanks that identifies the initial thresholds for the various measures of liquidity described herein.&#160; DBR will periodically assess conditions in the financial markets to determine whether they warrant revisions to those thresholds.&#160; DBR will issue supervisory letters to notify the FHLBanks of any subsequent revisions that it believes to be appropriate in light of any material changes in market conditions, and will provide an appropriate notice period for the FHLBanks to make appropriate adjustments to their liquidity management practices.<br></p><p>This guidance rescinds the March 6, 2009 Liquidity Supervisory Letter as of March 31, 2019, but does not supplant existing regulations that pertain to liquidity at the FHLBanks.<a href="#2">[2]</a></p><p> <br> </p><p> <strong style="text-decoration&#58;underline;"> <em>Background</em></strong><br></p><p>Liquidity risk is the risk that a financial institution will be unable to meet its financial obligations in a timely and cost-efficient manner.&#160; Strong liquidity risk management enables a FHLBank to be financially sound, so that it may continue to perform its mission, while limiting and controlling shortfalls in cash.&#160; This AB describes key elements of a strong liquidity management program, including cash flow measurement, funding gaps, stress testing, and a contingency funding plan (CFP).<br></p><p>FHFA has adopted a series of prudential management and operations standards (PMOS) for the FHLBanks and the Enterprises, one of which addresses the adequacy of an entity’s liquidity and reserves.<a href="#3">[3]</a> A FHLBank’s failure to meet any of the prudential standards may invoke the remediation provisions of the PMOS statute,<a href="#4">[4]</a> and may also constitute an unsafe and unsound practice that would provide grounds for FHFA to invoke its other administrative enforcement powers.<a href="#5">[5]</a> This AB complements the provisions of Standard 5, which describes the FHFA’s general expectations for an effective liquidity risk management framework.&#160; More specifically, Standard 5 provides that a FHLBank should articulate an appropriate liquidity risk tolerance; establish a process for identifying, measuring, and controlling its liquidity position and liquidity risk exposures; and develop a funding strategy that includes diverse sources of funding.&#160; In addition, Standard 5 states that FHLBanks should conduct regular stress tests to identify sources of potential liquidity strain, and should establish a CFP.&#160; Of most relevance to this AB, Standard 5 states that a regulated entity should maintain adequate reserves of liquid assets, including marketable securities that can be liquidated to meet unexpected needs.&#160; The management of liquidity risk is also an element of an entity’s overall risk management process that is addressed by Standard 8 of the PMOS, which describes the responsibilities of boards of directors and senior management and the need for the FHLBanks to establish risk management practices that measure, monitor, and control liquidity, market, credit, and operational risks.&#160; Management of liquidity risk should also be addressed as an element of a regulated entity’s enterprise-wide risk management program that is required by FHFA regulations.<a href="#6">[6]</a></p><p>The principal sources of funding for the FHLBanks are the global capital markets, into which the FHLBanks issue their consolidated obligations (COs), on which they are all jointly and severally liable.&#160; Because the FHLBanks are government-sponsored enterprises (GSEs), they can issue debt at lower interest rates (controlling for tenor) than can their members.&#160; Though the FHLBanks have that funding advantage over their members, their GSE status makes them ineligible to borrow from the Federal Reserve Bank’s discount window, nor do they have daylight overdraft privileges at a Federal Reserve Bank, both of which funding sources are generally available to depository institution members.&#160; Consequently, during periods of disruption or duress in the capital markets, systemic or otherwise, or in the FHLBanks' operating environment, it is essential that the FHLBanks have established adequate reserves of liquidity to ensure their ability to continue funding advances and letters of credit for their members, as provided in Standard 5 of the PMOS.&#160; This AB is intended to provide guidance to assist the FHLBanks in maintaining a level of liquid assets that is consistent with the expectations of Standard 5.<br></p><p> <br> </p><p> <strong style="text-decoration&#58;underline;"> <em>Guidance</em></strong><br></p><p>This AB sets out FHFA’s supervisory expectations with respect to what may constitute an adequate amount of liquidity for purposes of meeting the PMOS.&#160; A FHLBank maintaining a liquidity position at or above the levels described in this bulletin will be presumed to be operating with “adequate reserves of liquid assets” as that term is used in the PMOS.<a href="#7">[7]</a>&#160; Notwithstanding that presumption, FHFA will assess the adequacy of each FHLBank’s liquid assets and its liquidity risk management program as part of each annual examination, and will take any appropriate supervisory or enforcement action if it determines that a particular FHLBank’s liquidity reserves or risk management program are deficient in any material respect.</p><p>The guidance below is intended to provide some reasonable assurance that the FHLBanks will be able to conduct their normal business operations – providing advances and standby letters of credit (SLOCs) to their members – for a specified period of time without access to the capital markets.&#160; As is the case with guidance adopted by other banking regulators, this AB addresses the level of on-balance sheet liquid assets and funding imbalances, as described in the provisions below relating to base case liquidity and funding gap limits, respectively.&#160; As part of the base case liquidity measure, the guidance also includes a separate provision to address liquidity risk associated with a FHLBank’s off-balance sheet commitments arising from its issuance of SLOCs.<br></p><p>I.&#160; <em>Base Case Liquidity</em><br></p><p> <em>Cash Flow Measurement</em><br></p><p>Positive cash flow is important to maintaining an adequate liquidity position, as having sufficient positive cash flow will better enable a FHLBank to withstand a sustained capital markets disruption that impedes or limits its ability to issue COs.&#160; DBR believes each FHLBank should be able to maintain a positive cash balance during a projected period of time (measurement period) without access to the capital markets for COs or other unsecured funding sources.<a href="#8">[8]</a> Under the 2009 Liquidity Supervisory Letter, the FHLBanks assume a 5-day period without access to the capital markets, but they also assume that certain large members would not renew their advances during that period.&#160; The federal banking regulators; however, allow those large depository institutions to assume that they will renew 75 percent of their FHLBank advances.<a href="#9">[9]</a>&#160; &#160;This suggests that the assumptions underlying the 2009 Liquidity Supervisory Letter may not be sufficient to cover the FHLBanks’ actual liquidity risk associated with those large members’ advances.&#160; Furthermore, a FHLBank is expected to be a liquidity provider by offering to make advances to all members, even in times of market disruption.<a href="#10">[10]</a></p><p>To address those additional risks, FHFA believes that the FHLBanks should maintain larger liquidity positions to allow them to meet their operational needs over a longer period of time without access to the capital markets.&#160; Such liquidity reserves are especially important for the FHLBanks because they do not have access to any material off-balance sheet liquidity sources on which they could rely during market disruptions, such as the Federal Reserve Discount Window or the Government Sponsored Credit Facility that expired in December 2009.<a href="#11">[11]</a> FHFA believes that a reasonable measurement period of days without access to the capital markets generally would be between 10 and 30 calendar days, depending on market conditions.&#160; As noted previously, DBR is issuing a supervisory letter to the FHLBanks identifying the number of days for the initial measurement period.<br></p><p>FHFA believes that a prudent measure for assessing the adequacy of a FHLBank’s liquidity position is whether it has sufficient positive cash balances to cover its expected funding needs over the specified number of days in the measurement period.&#160; Determining the positive cash balances is largely a function of a FHLBank’s cash inflows and outflows.&#160; In order to ensure that there is consistency in how each FHLBank calculates its cash balance liquidity positions, FHFA has developed a series of assumptions regarding cash inflows and cash outflows that each FHLBank should use in establishing its Base Case liquidity position.&#160; The initial cash flow assumptions are also described in the supervisory letter that DBR is providing to the FHLBanks.&#160; Accordingly, each FHLBank, on a daily basis, should project forward (for the duration of the measurement period) and maintain positive cash balances net of cumulative daily cash flows, assuming the renewal of all maturing advances, according to the following formula&#58;<a href="#12">[12]</a></p><p style="text-align&#58;center;"> <img src="/SupervisionRegulation/AdvisoryBulletins/PublishingImages/Pages/Federal-Home-Loan-Bank-Liquidity-Guidance/Formula-1.PNG" alt="Formula-1.PNG" style="margin&#58;5px;width&#58;700px;height&#58;102px;" />&#160;</p><p> <em>Standby Letters of Credit Measurement&#160;</em></p><p>The FHLBanks have experienced significant growth in SLOCs, which they issue at the request of their members for the benefit of third parties.&#160; Beneficiaries can draw against the SLOC by presenting a demand to the FHLBank.&#160; SLOCs totaled $149.4 billion at year-end 2017, up materially from $29.2 billion at year-end 2007.&#160; Much of the growth in SLOCs has occurred over the past five years as depository institution members have used the product to optimize their liquidity.<a href="#13">[13]</a> The substantial growth in this off-balance sheet product has created a greater risk to the FHLBanks.&#160; Specifically, there is now greater possibility that beneficiaries will demand more payments under their SLOCs in a short period of time, which creates a potential liquidity exposure for the FHLBanks.&#160; Consequently, any measure of an adequate level of liquidity should include some amount to cover that potential exposure.&#160; To ensure that a FHLBank will have adequate funds available to support its SLOC commitments, FHFA believes that it should maintain a liquidity reserve of between 1 percent and 20 percent of its outstanding SLOC commitments.<a href="#14">[14]</a> The supervisory letter that DBR is providing to the FHLBanks also identifies the initial percentage that FHFA believes would provide adequate liquidity for these instruments in light of current market conditions.<br><br>II.&#160; <em>Funding Gaps</em><br></p><p>Funding gap metrics measure the difference between a FHLBank’s assets and liabilities that are scheduled to mature during a specified period, and are typically expressed as a percentage of the FHLBank’s total assets.<a href="#15">[15]</a> Operating within appropriate funding gap limits reduces large structural imbalances, which provides for more stable asset and liability balance sheet structures.&#160; Furthermore, maintaining appropriate funding gap limits reduces the amount of liquidity transformation and pro-cyclical funding behavior.&#160; By maintaining prudent funding gap limits for three-month and one-year time horizons, the FHLBanks may reduce the liquidity risks associated with a mismatch in their contractual asset and liability maturities, including an undue reliance on short-term debt funding, which increases their debt rollover risk.&#160; Depending on conditions in the financial markets, FHFA believes that maintaining funding gap limits within the range of negative 10 percent to negative 20 percent for the three-month horizon, and negative 25 percent to negative 35 percent for the one-year horizon, would provide reasonable assurance that a FHLBank would have adequate liquidity to address the risks associated with possible asset and liability maturity mismatches.&#160; The supervisory letter that DBR is providing to the FHLBanks also identifies the initial percentages within those ranges that FHFA believes would be appropriate in light of current market conditions.<br></p><p>In order to ensure that there is consistency in the way in which the FHLBanks calculate their funding gap ratios for FHFA’s supervisory purposes, FHFA has developed a formula, set out below, that each FHLBank should use to calculate its funding gap ratios.&#160; When measuring their funding gaps, the FHLBanks should do so as of calendar month-end, using the average ratio for the most recent three month-ends.<a href="#16">[16]</a></p><p style="text-align&#58;center;"> <img src="/SupervisionRegulation/AdvisoryBulletins/PublishingImages/Pages/Federal-Home-Loan-Bank-Liquidity-Guidance/Formula-2.PNG" alt="Formula-2.PNG" style="margin&#58;5px;width&#58;700px;height&#58;97px;" />&#160;</p><p>III.&#160; <em>Counter-Cyclical Liquidity Supervisory Approach</em><br></p><p>The financial crisis demonstrated that financial intermediaries should maintain prudent levels of liquidity to protect against unexpected disruptions in funding.&#160; During periods of prolonged market stress, a FHLBank may need to use the liquidity that it established during a non-stress period.&#160; To that end, the DBR Deputy Director may, based on ongoing monitoring of market conditions, reduce the measurement period under the base case liquidity provision or increase the negative funding gap thresholds through a supervisory letter to the FHLBanks.&#160; Any such actions will be guided by what is necessary to preserve the safety and soundness of the FHLBanks, even if that entails allowing the FHLBanks to maintain liquidity positions outside of the ranges described herein.&#160; In addition, if a FHLBank experiences a prolonged funding event, it promptly should inform the Deputy Director of its need to reduce its liquidity holdings or increase its negative funding gaps.&#160; At a minimum, any such notice should describe the source of the funding stress, the expected duration of event, and how and when the FHLBank expects to restore its liquidity positions.<br></p><p>FHFA recognizes that a FHLBank infrequently may need to draw upon its liquid assets to function as a liquidity provider for its members during short-term market disruptions or other short-term events that impair access to funding.<a href="#17">[17]</a> Accordingly, this Advisory Bulletin does not preclude a FHLBank from temporarily decreasing its liquidity position, in a safe and sound manner, below the levels described herein, as necessary for providing unanticipated extensions of advances to members or draws on letters of credit to beneficiaries.<a href="#18">[18]</a>&#160; In such instances, the FHLBank should notify its examiner-in-charge of the cause of any temporary liquidity shortfall, anticipated duration of the temporary shortfall, and when and how a FHLBank expects to restore its liquidity back to the identified level set forth in FHFA’s separate supervisory letter.&#160; DBR will evaluate any such temporary liquidity shortfall as part of the FHLBank’s annual examination.<br></p><p>IV.&#160; <em>Liquidity Stress Testing</em><br></p><p>Liquidity stress testing allows the assessment of vulnerabilities to FHLBank-specific, entity-specific, and market-wide exposures across a range of time horizons.&#160; Stress test results may identify sources of potential liquidity strain that can be mitigated by appropriate liquidity risk management strategies.&#160; A FHLBank may use results of stress tests to adjust its liquidity management policies and procedures, positions and practices, and to develop effective contingency plans.&#160; The PMOS states that regulated entities should conduct stress tests on a regular basis and use the results to keep their liquidity risk exposures within the bounds of their established risk tolerances, as well as to adjust the elements of their risk management programs.&#160; To allow FHFA to assess each FHLBank’s alignment with this provision of the PMOS, the FHLBanks should report the results of this stress test to the FHFA annually, using financial data as of June 30 of each year.&#160; FHLBanks that conduct liquidity stress tests more frequently than annually should continue to do so, but need not report those additional results to FHFA.&#160; FHFA will review results of all stress tests as part of the liquidity framework assessment during examinations.<br></p><p>V.&#160; <em>Contingency Funding Plan&#160;</em><br></p><p>The PMOS provide that a regulated entity should have a formal CFP that establishes strategies for addressing liquidity shortfalls in emergencies, and that is tested periodically.&#160; The CFP should represent management’s best estimate of balance sheet changes that may result from a liquidity event based on stress testing and scenario analysis and should be integrated into a FHLBank’s overall liquidity risk management.&#160; A CFP should establish plans, courses of action, clear lines of responsibility, and escalation procedures to ensure liquidity sources are sufficient to fund normal operations during potential temporary, intermediate-term, and long-term liquidity disruptions.<br></p><p>FHFA expects an effective CFP to clearly specify the roles and responsibilities, including the authority to invoke the CFP, identify alternates for key roles, and include realistic action plans to execute the various elements of the plan for given levels of stress.&#160; A CFP should establish more frequent and more detailed internal liquidity risk reporting as the stress situation intensifies.&#160; The CFP should recognize the need to coordinate actions and information flows with other FHLBanks and the Office of Finance and address scenarios where debt issuance is constrained.&#160; A CFP should be regularly updated to reflect changes in market or business conditions.<br></p><p>FHFA expects each FHLBank to test periodically its CFP to assess its reliability and operational soundness under stress conditions.&#160; Testing should evaluate whether roles and responsibilities are up-to-date and appropriate; whether legal and operational documents are up-to-date and appropriate; whether the FHLBank can transfer cash and collateral where and when needed; and whether the FHLBank can draw on contingent liquidity lines when needed.&#160;&#160;<br></p><p>VI.&#160; <em>Core Mission Adjustments</em><br></p><p>FHFA previously issued an AB that provides guidance about how it will assess each FHLBank’s core mission achievement.&#160; That bulletin uses a ratio of a FHLBank’s “primary mission assets” to its outstanding consolidated obligations as the measure of its mission achievement.<a href="#19">[19]</a>&#160; To prevent a FHLBank that has invested in high quality U.S. Treasury securities for liquidity purposes from being penalized under the core mission achievement guidance for having made those investments, FHFA has determined that it would be appropriate to exclude those securities when measuring a FHLBank’s core mission achievement.&#160; Accordingly, a FHLBank may adjust its core mission achievement measure, as defined in AB 2015-05, by deducting from the denominator of the Primary Core Mission Asset ratio the annual average par value of its U.S. Treasury Securities that are held in a Trading account or Available-for-Sale account, as reported in FHFA’s Call Report System.<br></p><p>VII.&#160; <em>Transition Period and Dates</em></p><p>The Deputy Director is issuing a supervisory letter to accompany this AB that sets out the initial measures for each of the liquidity metrics described in the AB, along with the dates as of which FHFA will begin assessing the adequacy of each FHLBank’s liquidity position in the manner described in the AB.&#160; The supervisory letter includes phased-in measures for the cash flow component of the Base Case Liquidity provisions.&#160; Absent a market event that requires a countercyclical use of liquidity, the initial measurement period will begin on March 31, 2019, and full measurement period will begin on December 31, 2019.&#160; For the SLOC component of the Base Case Liquidity provisions, the date is March 31, 2019.&#160; For funding gap measures, FHFA will begin using those measures on December 31, 2018.<br></p><p>VIII.&#160; <em>Reporting</em><br></p><p>DBR will develop new reporting requirements for each of the liquidity measures described in this AB well in advance of the above dates.<a href="#20">[20]</a>&#160; DBR intends to monitor each FHLBank’s liquidity position through their submission of periodic reports, as well as through the examination process.</p><p>IX.&#160; <em>Reservation of Authority</em><br>Nothing in this Advisory Bulletin limits the authority of FHFA under any other provision of law or regulation to take supervisory or enforcement action, including action to address unsafe or unsound practices or conditions, deficient liquidity levels, or violations of law.<br></p><p> <br> </p><p> <strong>Related Regulations and Advisory Bulletins</strong><br>12 USC § 1431(g) – Reserve Requirement for Member Deposits&#160;<br></p><p>12 CFR Part 1236 – Prudential Management and Operations Standards</p><p>12 CFR Part 1266.5 – Terms and Conditions for Advances</p><p>12 CFR Part 1270.2 – Authorized Liabilities</p><p>12 CFR Part 1270.3(b) – Investment Coverage of Member Deposits</p><p>12 CFR Part 1270.10(b) – Liquidity Certification</p><p>Advisory Bulletin – AB 2015-AB-05, <em>FHLBank Core Mission Achievement</em>, July 15, 2015<br></p><p>​<br></p><hr /><p> <a name="1">[1]</a> For purposes of this bulletin, ”liquidity” includes non-advance cash inflows during the measurement period plus certain high quality liquid assets (Treasury securities with remaining maturities of 10 years or less held in the Trading Account or Available-for-Sale accounting categories, and that are uncommitted and unencumbered).</p><p> <a name="2">[2]</a> The regulatory provisions addressing FHLBank liquidity are located at 12 CFR 1236, Appendix, Standard 5 (Liquidity and Reserves) and 12 CFR 1270.3 (reserves for deposits from members).</p><p> <a name="3">[3]</a> 12 CFR part 1236, Appendix, Standard 5</p><p> <a name="4">[4]</a> 12 USC 4513b, 12 CFR 1236.4.5</p><p> <a name="5">[5]</a> 12 CFR 1236.3(d)</p><p> <a name="6">[6]</a> 12 CFR 1239.11(a) (requirement for a board-approved risk management program).</p><p> <a name="7">[7]</a> 12 CFR part 1236, Appendix, Standard 5.</p><p> <a name="8">[8]</a> Other unsecured borrowing sources would be limited to member deposits and federal funds purchased. See 12 CFR 1270.2 (authorized Bank liabilities).</p><p> <a name="9">[9]</a> 12 CFR 249.32(j)(1)(iii). Under these Liquidity Coverage Ratio risk measurement standards (LCR), depository members subject to LCR are only required to provide liquidity coverage of 25 percent of their secured borrowings from U.S. government-sponsored entities that are assigned a risk weight of 20 percent, such as FHLBank advances.</p><p> <a name="10">[10]</a> FHFA regulations require that the FHLBanks offer to provide advances to all members with maturities of up to ten years, and allow them to make advances with longer maturities, in both cases consistent with the safe and sound operation of the FHLBank. 12 CFR 1266.5(a). Both the statute and regulations recognize a FHLBank’s right to decline to make an advance to a particular member for reasons of safety and soundness. 12 USC 1429; 12 CFR 1266.4(a).</p><p> <a name="11">[11]</a> The U.S. Treasury Department established the Government Sponsored Enterprise Credit Facility on September 7, 2008 as a back-up credit line for emergency use by Fannie Mae, Freddie Mac, or the FHLBanks. A fact sheet describing the facility can be located at <a href="https&#58;//www.treasury.gov/press-center/press-releases/Documents/gsecf_factsheet_090708.pdf">https&#58;//www.treasury.gov/press-center/press-releases/Documents/gsecf_factsheet_090708.pdf​</a>.</p><p> <a name="12">[12]</a> Renewing advances is a simplifying assumption for the advances book of business given that the maturities of most advances are short-term and advances have steadily grown since 2012 (after contracting for several years after the financial crisis). The assumption is based on the premise that FHLBanks should continue to provide advances during a period of impeded CO market access.</p><p> <a name="13">[13]</a> A frequent use of SLOCs by depository members is to secure public unit deposits, which then allows the members to use their highly-rated securities to meet their own liquidity requirements rather than pledge them as collateral for the public unit deposits.</p><p> <a name="14">[14]</a> For a variable balance letter of credit, the gross commitment should be used as the notional amount outstanding.</p><p> <a name="15">[15]</a> A FHLBank may include estimates for expected cash inflows, including anticipated prepayments, from mortgage assets as part of assets in the funding gap ratio numerator. Mortgage cash flow estimates should be consistent with estimates the FHLBank uses for its market risk measures. For purposes of calculating funding gap measures, Banks may include U.S. Treasury Securities meeting the definition of HQLA held in a Trading account as short-term (T+1) assets. All other U.S. Treasury Securities should be reported in funding gap measures at their maturity.</p><p> <a name="16">[16]</a> For example, Funding Gap = [Funding Gap current month-end (T<span style="font-size&#58;smaller;vertical-align&#58;sub;">0</span>​) + Funding Gap month-end (T<span style="font-size&#58;smaller;vertical-align&#58;sub;">-1</span>) + Funding Gap month-end (T-2)] divided by 3.</p><p> <a name="17">[17]</a> The use of liquidity also is anticipated during operational events such as natural disasters, cyber disruptions, etc.</p><p> <a name="18">[18]</a> Force majeure events may also cause a temporary decrease in a FHLBank’s liquidity position.</p><p> <a name="19">[19]</a> Advisory Bulletin – AB 2015-AB-05, <em>FHLBank Core Mission Achievement</em>, July 15, 2015.</p><p> <a name="20">[20]</a> Currently FHLBanks provide liquidity data as specified in SDR-2008-03, which will be revised or rescinded when the new reporting requirements are established.​​<br></p><p>&#160;</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. Contact <a href="mailto&#58;SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov​</a> if you have questions.<br></p></td></tr></tbody></table>​<br>8/27/2018 4:00:14 PMHome / Supervision & Regulation / Advisory Bulletins / Federal Home Loan Bank Liquidity Guidance Advisory Bulletin This advisory bulletin (AB) communicates the Federal Housing 5631https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx

© 2020 Federal Housing Finance Agency