Compendium of Open Recommendations - Federal Housing Finance Agency Office of Inspector General

Page created by Rafael Christensen
 
CONTINUE READING
Federal Housing Finance Agency
      Office of Inspector General

   Compendium of
Open Recommendations

          April 1, 2021
TABLE OF CONTENTS ................................................................

ABBREVIATIONS ........................................................................................................................ 3
INTRODUCTION .......................................................................................................................... 4
     Tracking of OIG Recommendations ......................................................................................... 4
     Validation Testing ..................................................................................................................... 5
OPEN RECOMMENDATIONS .................................................................................................... 6
CLOSED UNIMPLEMENTED RECOMMENDATIONS .......................................................... 30

                                                         OIG • April 1, 2021                                                                 2
ABBREVIATIONS .......................................................................

DER                Division of Enterprise Regulation

Enterprises        Fannie Mae and Freddie Mac

FHFA               Federal Housing Finance Agency

MRA                Matter Requiring Attention

OIG                Federal Housing Finance Agency Office of Inspector General

PII                Personally Identifiable Information

ROE                Report of Examination

                                   OIG • April 1, 2021                              3
INTRODUCTION ........................................................................

Since the Federal Housing Finance Agency (FHFA) Office of Inspector General (OIG) began
operations in October 2010, we have made more than 500 recommendations1 to improve
efficiency and effectiveness and reduce fraud, waste, and abuse at FHFA and at the
government-sponsored enterprises for which the Agency acts as conservator and regulator,
Fannie Mae and Freddie Mac (the Enterprises), and at the Federal Home Loan Banks for
which the Agency acts as regulator. As required under the Inspector General Act of 1978, as
amended, we provide information on open and closed recommendations in each semiannual
report to the Congress.2

To maintain the focus on opportunities for improvement that our recommendations identify,
OIG publishes on its website a monthly report setting forth all open recommendations from
our audits, evaluations, and other studies.3 For additional information on any
recommendation, please click on the hyperlinked report number to access its underlying
report. This compendium is comprehensive as of April 1, 2021.

Because FHFA serves a unique role as both conservator and regulator of the Enterprises,
OIG’s responsibilities necessarily include oversight of FHFA’s actions in both of these roles,
in order to determine whether the Agency is fulfilling its statutory duties and responsibilities
and safeguarding the taxpayers’ resources. Our oversight role also reaches the Enterprises—
recipients of $191.5 billion in taxpayer monies—to ensure that they are satisfying their
obligations under the authority delegated to them in the conservatorships. Through oversight,
transparent reporting of results, and robust enforcement, OIG seeks to be a voice for, and
protect the interest of, those who have funded Treasury’s investment in the Enterprises—the
American taxpayers.

Tracking of OIG Recommendations
Our recommendations, like those of other inspectors general, are primarily made in written
reports issued by our Offices of Audits, Evaluations, and Compliance. We report the facts,
as found, and recommend actions to address any shortcomings we identify in FHFA’s
exercise of its statutory duties and responsibilities or by one or both Enterprises, in connection
with their execution of responsibilities delegated to them by FHFA, as conservator. FHFA is
provided an opportunity to provide a written response to OIG recommendations. FHFA’s

1
    Includes public and non-public recommendations.
2
    OIG’s semiannual reports are available at www.fhfaoig.gov/Reports/Semiannual.
3
    This report does not include recommendations under consideration for work that is in progress.

                                                 OIG • April 1, 2021                                 4
determinations whether to agree with OIG’s recommendations are included in our published
reports. Once FHFA has accepted an OIG recommendation, it reports to us on its efforts to
implement the “corrective action” that is intended to respond to the recommendation. When
FHFA believes that its implementation efforts are well underway or that implementation is
complete, FHFA provides that information to us, along with corroborating documents, and we
rely on those materials in determining whether to close recommendations. If the Agency
rejects a recommendation or conclusively refuses to implement an acceptable corrective
action, then we will close the recommendation and report it separately in this compendium.

Validation Testing
OIG typically relies on materials and representations from the Agency to close its
recommendations and may close some recommendations based on the Agency’s
representations as to the corrective actions it has taken. Accordingly, we are not always able
to assess, at the time of closure, whether the implementation actions by FHFA meet the letter
and spirit of the agreed-upon recommendation, nor can we determine, at closure, the longer-
term impact of the recommendation. To better assess both the implementation and impact of
OIG recommendations, we concluded that validation testing is needed. Such testing, and
disclosure of results of that testing, provides greater accountability and adds value to FHFA
and the American taxpayers it serves.

Because our Offices of Audits and Evaluations historically had not conducted extensive
corrective action verification testing, we created the Office of Compliance and Special
Projects. The primary operational role of that office is to examine closed recommendations to
assess independently FHFA’s implementation of the corrective actions it represented to OIG
that it intended to take, as well as the impact of those actions, and to publish reports of its
validation testing in “compliance reviews.” These compliance reviews enable our
stakeholders to assess the impact of OIG’s recommendations, as well as the efficacy of the
Agency’s implementation of those recommendations. Compliance reviews enhance OIG’s
ability to stimulate positive change in critical areas and promote economy, efficiency, and
effectiveness at FHFA.

Any open recommendations contained in published compliance reviews are included in this
compendium.

                                       OIG • April 1, 2021                                        5
OPEN RECOMMENDATIONS .....................................................

Specific Risk to be                                                                             Report Name and
                                     Recommendation                       Expected Impact
    Mitigated                                                                                         Date
                                               Open Recommendations
                                                   Conservatorship
Conflicts of Interest   FHFA should direct FHFA employees to           Improved oversight     Corporate
                        monitor the review and resolution of Senior                           Governance:
                        Executive Officer disclosures of potential,                           Review and
                        actual, or apparent conflicts of interest to                          Resolution of
                        ensure that revised Board committee                                   Conflicts of Interest
                        charter(s) and management policies and                                Involving Fannie
                        procedures are being followed.                                        Mae’s Senior
                                                                                              Executive Officers
                                                                                              Highlight the Need
                                                                                              for Closer Attention
                                                                                              to Governance
                                                                                              Issues by FHFA
                                                                                              (EVL-2018-001,
                                                                                              January 31, 2018)4

  4
   This recommendation is being held open pending the completion of a related 2020 FHFA planned supervisory
  activity, and OIG’s assessment of that supervisory activity.

                                                OIG • April 1, 2021                                           6
Specific Risk to be                                                                        Report Name and
                                   Recommendation                       Expected Impact
    Mitigated                                                                                     Date
                      FHFA, as conservator, should direct Freddie    Improved oversight   Management Alert:
                      Mac to revise its policies and procedures to                        Need for Increased
                      align with the responsibilities assigned to                         Oversight by FHFA,
                      the Nominating and Governance Committee                             as Conservator, to
                      and facilitate the Nominating and                                   Ensure that Freddie
                      Governance Committee’s execution of its                             Mac’s Policies and
                      responsibilities. [Closed in July 2018;                             Procedures for
                      reopened upon results of compliance                                 Resolution of
                      testing.]                                                           Executive Officer
                                                                                          Conflicts of Interest
                                                                                          Align with the
                                                                                          Responsibilities of
                                                                                          the Nominating
                                                                                          and Governance
                                                                                          Committee of the
                                                                                          Freddie Mac Board
                                                                                          of Directors (OIG-
                                                                                          2017-005,
                                                                                          September 27,
                                                                                          2017) and Freddie
                                                                                          Mac Management
                                                                                          Failed to Adopt and
                                                                                          Implement
                                                                                          Conflicts of Interest
                                                                                          Policies Which
                                                                                          Aligned Fully with
                                                                                          FHFA’s Directive on
                                                                                          Senior Executive
                                                                                          Officers’ Conflicts
                                                                                          of Interest, and
                                                                                          With the Charter for
                                                                                          the Freddie Mac
                                                                                          Board’s
                                                                                          Nominating and
                                                                                          Governance
                                                                                          Committee (COM-
                                                                                          2020-006, August
                                                                                          26, 2020)

                                              OIG • April 1, 2021                                         7
Specific Risk to be                                                                       Report Name and
                                   Recommendation                      Expected Impact
    Mitigated                                                                                    Date
                      FHFA, as conservator, should determine the    Improved oversight   Corporate
                      appropriate disciplinary action against the                        Governance:
                      Chief Executive Officer for his non-                               Fannie Mae Senior
                      disclosure and untimely disclosure of                              Executive Officers
                      conflict of interest matters.                                      and Ethics Officials
                                                                                         Again Failed to
                                                                                         Follow
                                                                                         Requirements for
                                                                                         Disclosure and
                                                                                         Resolution of
                                                                                         Conflicts of
                                                                                         Interest, Prompting
                                                                                         the Need for FHFA
                                                                                         Direction (EVL-
                                                                                         2021-001, March
                                                                                         15, 2021)

                      FHFA, as conservator, should provide timely   Improved oversight   Corporate
                      instruction to the Fannie Mae Board                                Governance:
                      regarding Fannie Mae Office of Compliance                          Fannie Mae Senior
                      and Ethics’ authority to interpret Chief                           Executive Officers
                      Executive Officer mitigation plans where                           and Ethics Officials
                      new facts are presented.                                           Again Failed to
                                                                                         Follow
                                                                                         Requirements for
                                                                                         Disclosure and
                                                                                         Resolution of
                                                                                         Conflicts of
                                                                                         Interest, Prompting
                                                                                         the Need for FHFA
                                                                                         Direction (EVL-
                                                                                         2021-001, March
                                                                                         15, 2021)

                                              OIG • April 1, 2021                                        8
Specific Risk to be                                                                          Report Name and
                                   Recommendation                       Expected Impact
    Mitigated                                                                                       Date
                      In accordance with Recommendation 2,           Improved oversight     Corporate
                      FHFA, as conservator, should direct the                               Governance:
                      Fannie Mae Board and/or management to                                 Fannie Mae Senior
                      amend and clarify the appropriate conflict                            Executive Officers
                      of interest governance documents to                                   and Ethics Officials
                      identify all instances in which Fannie Mae                            Again Failed to
                      Office of Compliance and Ethics is required                           Follow
                      to submit conflict of interest matters                                Requirements for
                      involving the Chief Executive Officer to the                          Disclosure and
                      Fannie Mae Board of Directors’ Nominating                             Resolution of
                      and Corporate Governance Committee for                                Conflicts of
                      its resolution.                                                       Interest, Prompting
                                                                                            the Need for FHFA
                                                                                            Direction (EVL-
                                                                                            2021-001, March
                                                                                            15, 2021)

                                                   Supervision
Examiner Capacity     FHFA should develop a process that links       Improved supervision   Update on FHFA’s
                      annual Enterprise examination plans with                              Efforts to
                      core team resource requirements.                                      Strengthen its
                                                                                            Capacity to Examine
                                                                                            the Enterprises
                                                                                            (EVL-2014-002,
                                                                                            December 19,
                                                                                            2013) and Despite
                                                                                            Prior
                                                                                            Commitments,
                                                                                            FHFA Has Not
                                                                                            Implemented a
                                                                                            Systematic
                                                                                            Workforce Planning
                                                                                            Process to
                                                                                            Determine Whether
                                                                                            Enough Qualified
                                                                                            Examiners are
                                                                                            Available to Assess
                                                                                            the Safety and
                                                                                            Soundness of
                                                                                            Fannie Mae and
                                                                                            Freddie Mac (AUD-
                                                                                            2020-004,
                                                                                            February 25, 2020)

                                              OIG • April 1, 2021                                           9
Specific Risk to be                                                                           Report Name and
                                   Recommendation                        Expected Impact
    Mitigated                                                                                        Date
                      FHFA should establish a strategy to ensure      Improved supervision   Update on FHFA’s
                      that the necessary resources are in place to                           Efforts to
                      ensure timely and effective Enterprise                                 Strengthen its
                      examination oversight.                                                 Capacity to
                                                                                             Examine the
                                                                                             Enterprises
                                                                                             (EVL-2014-002,
                                                                                             December 19,
                                                                                             2013) and Despite
                                                                                             Prior
                                                                                             Commitments,
                                                                                             FHFA Has Not
                                                                                             Implemented a
                                                                                             Systematic
                                                                                             Workforce Planning
                                                                                             Process to
                                                                                             Determine Whether
                                                                                             Enough Qualified
                                                                                             Examiners are
                                                                                             Available to Assess
                                                                                             the Safety and
                                                                                             Soundness of
                                                                                             Fannie Mae and
                                                                                             Freddie Mac (AUD-
                                                                                             2020-004,
                                                                                             February 25, 2020)

                      FHFA should assess whether the Division of      Improved supervision   FHFA Failed to
                      Enterprise Regulation (DER) has a sufficient                           Complete Non-MRA
                      complement of qualified examiners to                                   Supervisory
                      conduct and complete those examinations                                Activities Related to
                      rated by DER to be of high-priority within                             Cybersecurity Risks
                      each supervisory cycle and address the                                 at Fannie Mae
                      resource constraints that have adversely                               Planned for the
                      affected DER’s ability to carry out its risk-                          2016 Examination
                      based supervisory plans.                                               Cycle (AUD-2017-
                                                                                             010, September
                                                                                             27, 2017)

                                               OIG • April 1, 2021                                         10
Specific Risk to be                                                                           Report Name and
                                   Recommendation                        Expected Impact
    Mitigated                                                                                        Date
                      FHFA should assess whether DER has a            Improved supervision   FHFA’s Targeted
                      sufficient complement of qualified                                     Examinations of
                      examiners to conduct and complete those                                Freddie Mac: Just
                      examinations rated by DER to be of high-                               Over Half of the
                      priority within each supervisory cycle and                             Targeted
                      address the resource constraints that have                             Examinations
                      adversely affected DER’s ability to carry out                          Planned for 2012
                      its risk-based supervisory plans.                                      through 2015 Were
                                                                                             Completed (AUD-
                                                                                             2016-007,
                                                                                             September 30,
                                                                                             2016); FHFA’s
                                                                                             Targeted
                                                                                             Examinations of
                                                                                             Fannie Mae: Less
                                                                                             than Half of the
                                                                                             Targeted
                                                                                             Examinations
                                                                                             Planned for 2012
                                                                                             through 2015 Were
                                                                                             Completed and No
                                                                                             Examinations
                                                                                             Planned for 2015
                                                                                             Were Completed
                                                                                             Before the Report
                                                                                             of Examination
                                                                                             Issued (AUD-2016-
                                                                                             006, September
                                                                                             30, 2016)

                                               OIG • April 1, 2021                                      11
Specific Risk to be                                                                                Report Name and
                                   Recommendation                         Expected Impact
    Mitigated                                                                                             Date
                      FHFA should direct DER to develop and           Improved supervision        Despite Prior
                      implement a systematic workforce planning                                   Commitments,
                      process within 12 months that aligns with                                   FHFA Has Not
                      Office of Personnel Management guidance                                     Implemented a
                      and best practices and is fully documented                                  Systematic
                      in writing. That process should include:                                    Workforce Planning
                       • Identifying the current examination                                      Process to
                            skills and competencies of its                                        Determine Whether
                            examiners;                                                            Enough Qualified
                                                                                                  Examiners are
                       • Forecasting the optimal staffing levels
                            and competencies needed to meet its                                   Available to Assess
                            supervisory needs;                                                    the Safety and
                                                                                                  Soundness of
                       • Evaluating whether a gap exists                                          Fannie Mae and
                            between skills that its workforce may                                 Freddie Mac (AUD-
                            currently need but does not possess;                                  2020-004,
                            and                                                                   February 25,
                       • Addressing that gap.                                                     2020)5

 5
   In its management response to this audit, FHFA stated it would assess the report’s recommendation and provide a
 response by June 30, 2020. On September 22, 2020, we reposted this report with an Addendum that provides
 FHFA’s June 30, 2020, response and related communications. In summary, FHFA has planned an alternative
 approach that meets the intent of the recommendation. Implementation of this alternative approach may also
 address the open, unimplemented recommendations related to the sufficiency of DER’s examiner workforce in
 EVL-2014-002, AUD-2016-006, AUD-2016-007, AUD-2017-010, and EVL-2020-001.

                                               OIG • April 1, 2021                                              12
Specific Risk to be                                                                                 Report Name and
                                        Recommendation                        Expected Impact
    Mitigated                                                                                             Date
                           FHFA should direct DER to develop and           Improved supervision   Despite FHFA’s
                           implement a systematic workforce planning                              Recognition of
                           process within 12 months that aligns with                              Significant Risks
                           Office of Personnel Management guidance                                Associated with
                           and best practices and is fully documented.                            Fannie Mae’s and
                           That process should include:                                           Freddie Mac’s
                            • Identifying the appropriate number of                               High-Risk Models,
                                Enterprise high-risk models to be                                 its Examination of
                                examined each year through targeted                               Those Models Over
                                examinations;                                                     a Six Year Period
                            • Identifying the current examination                                 Has Been Neither
                                skills and competencies of examiners                              Rigorous nor Timely
                                engaged in supervisory activities of                              (EVL-2020-001,
                                high-risk models;                                                 March 25, 2020)6
                            • Forecasting the optimal staffing levels
                                and competencies of examiners
                                necessary to complete the identified
                                number of targeted examinations of
                                high-risk models planned for each
                                examination cycle;
                            • Evaluating whether a gap exists
                                between skills required to conduct
                                supervision of high-risk models that its
                                examiners currently need but do not
                                possess; and
                            • Addressing that gap.

                           Based on the results of its workforce           Improved supervision   Despite FHFA’s
                           analysis, FHFA should conduct a written                                Recognition of
                           assessment of whether DER’s current                                    Significant Risks
                           budget for its supervision of high-risk                                Associated with
                           models is sufficient.                                                  Fannie Mae’s and
                                                                                                  Freddie Mac’s
                                                                                                  High-Risk Models,
                                                                                                  its Examination of
                                                                                                  Those Models Over
                                                                                                  a Six Year Period
                                                                                                  Has Been Neither
                                                                                                  Rigorous nor Timely
                                                                                                  (EVL-2020-001,
                                                                                                  March 25, 2020)7

 6
   In its management response to this evaluation, FHFA stated it would assess the report’s recommendations and
 provide a response by June 30, 2020. On September 22, 2020, we reposted this report with an Addendum that
 provides FHFA’s June 30, 2020, response and related communications. In summary, FHFA has planned an
 alternative approach that is generally responsive to the recommendations.
 7
     See prior footnote.

                                                    OIG • April 1, 2021                                          13
Specific Risk to be                                                                             Report Name and
                                   Recommendation                         Expected Impact
    Mitigated                                                                                         Date
 Accreditation of     FHFA should determine the causes of the          Improved quality       OIG’s Compliance
   Examiners          shortfalls in the Housing Finance Examiner                              Review of FHFA’s
                      Commission Program that we have                                         Implementation of
                      identified, and implement a strategy to                                 Its Housing Finance
                      ensure the program fulfills its central                                 Examiner
                      objective of producing commissioned                                     Commission
                      examiners who are qualified to lead major                               Program
                      risk sections of government-sponsored                                   (COM-2015-001,
                      enterprise examinations.                                                July 29, 2015) and
                                                                                              FHFA’s Housing
                                                                                              Finance Examiner
                                                                                              Commissioning
                                                                                              Program: $7.7
                                                                                              Million and Four
                                                                                              Years into the
                                                                                              Program, the
                                                                                              Agency has Fewer
                                                                                              Commissioned
                                                                                              Examiners (COM-
                                                                                              2018-006,
                                                                                              September 6,
                                                                                              2018)8

Risk Assessments      FHFA should reinforce, through training and      Improved supervision   FHFA Failed to
                      supervision of DER personnel, the                                       Complete Non-MRA
                      requirements established by FHFA, and                                   Supervisory
                      reinforced by DER guidance, for the risk                                Activities Related to
                      assessment and supervisory planning                                     Cybersecurity Risks
                      process. Specifically:                                                  at Fannie Mae
                       a. Ensure that the annual supervisory                                  Planned for the
                           strategy identifies significant risks and                          2016 Examination
                           supervisory concerns and explains how                              Cycle (AUD-2017-
                           the planned supervisory activities to be                           010, September
                           conducted during the examination                                   27, 2017); FHFA
                           cycle address the most significant                                 Did Not Complete
                           risks in the operational risk                                      All Planned
                           assessment. (Applies to AUD-2017-                                  Supervisory
                           010 and AUD-2017-011)                                              Activities Related to
                       b. Ensure that supervisory activities                                  Cybersecurity Risks
                           planned during an examination cycle                                at Freddie Mac for
                           to address the most significant risks in                           the 2016
                           the operational risk assessment are                                Examination Cycle
                           completed within the examination                                   (AUD-2017-011,
                           cycle. (Applies to AUD-2017-010)                                   September 27,
                                                                                              2017)

 8
   OIG has twice determined that the Housing Finance Examiner Commission Program was not on track to produce
 commissioned examiners. This recommendation is open pending FHFA actions to assess and address the Program’s
 shortfalls, and OIG’s assessment of those corrective actions.

                                               OIG • April 1, 2021                                          14
Specific Risk to be                                                                        Report Name and
                                  Recommendation                      Expected Impact
    Mitigated                                                                                    Date
                      Going forward, FHFA should ensure a risk     Improved supervision   FHFA’s Failure to
                      assessment for Common Securitization                                Include the
                      Solutions, LLC is prepared and approved                             Financial Crimes
                      annually in accordance with DER                                     and Model
                      requirements.                                                       Components in its
                                                                                          CSS Risk
                                                                                          Assessment Is
                                                                                          Inconsistent with a
                                                                                          Risk-Based
                                                                                          Approach to
                                                                                          Supervision (AUD-
                                                                                          2021-005, March
                                                                                          23, 2021)

                      FHFA should include all required             Improved supervision   FHFA’s Failure to
                      components, including the Financial Crimes                          Include the
                      and Model components, when preparing the                            Financial Crimes
                      annual risk assessment for Common                                   and Model
                      Securitization Solutions, LLC.                                      Components in its
                                                                                          CSS Risk
                                                                                          Assessment Is
                                                                                          Inconsistent with a
                                                                                          Risk-Based
                                                                                          Approach to
                                                                                          Supervision (AUD-
                                                                                          2021-005, March
                                                                                          23, 2021)

                                             OIG • April 1, 2021                                       15
Specific Risk to be                                                                                  Report Name and
                                    Recommendation                          Expected Impact
    Mitigated                                                                                               Date
   Assessing          FHFA should ensure that Freddie Mac               Improved remediation        FHFA Failed to
 Remediation of       takes, or has taken, remedial action to           of deficiencies             Ensure Freddie
  Deficiencies        address the deficiency underlying the                                         Mac’s Remedial
                      matter requiring attention (MRA) regarding                                    Plans for a
                      the need to implement a process to verify                                     Cybersecurity MRA
                      and monitor [certain matters].                                                Addressed All
                                                                                                    Deficiencies; as
                                                                                                    Allowed by its
                                                                                                    Standard, FHFA
                                                                                                    Closed the MRA
                                                                                                    after Independently
                                                                                                    Determining the
                                                                                                    Enterprise
                                                                                                    Completed its
                                                                                                    Planned Remedial
                                                                                                    Actions (AUD-2018-
                                                                                                    008, March 28,
                                                                                                    2018)9

                      FHFA should require DER, upon acceptance          Improved remediation        FHFA’s Inconsistent
                      of an Enterprise’s remediation plan, to           of deficiencies             Practices in
                      estimate the date by which it expects to                                      Assessing
                      confirm internal audit’s validation, and to                                   Enterprise
                      enter that date into a dedicated field in the                                 Remediation of
                      MRA tracking system. [Closed in                                               Serious
                      September 2017; reopened upon results of                                      Deficiencies and
                      compliance testing.]                                                          Weaknesses in its
                                                                                                    Tracking Systems
                                                                                                    Limit the
                                                                                                    Effectiveness of
                                                                                                    FHFA’s Supervision
                                                                                                    of the Enterprises
                                                                                                    (EVL-2016-007,
                                                                                                    July 14, 2016) and
                                                                                                    Compliance Review
                                                                                                    of the Timeliness of
                                                                                                    FHFA’s
                                                                                                    Assessments of the
                                                                                                    Enterprises’
                                                                                                    Remediation
                                                                                                    Closure Packages
                                                                                                    for a Matter
                                                                                                    Requiring Attention
                                                                                                    (COM-2020-001,
                                                                                                    February 21, 2020)

 9
   This recommendation is being held open pending the completion of a 2020 FHFA planned supervisory activity
 related to the underlying deficiency of the MRA that was the subject of this report, and OIG’s assessment of that
 supervisory activity.

                                                OIG • April 1, 2021                                                  16
Specific Risk to be                                                                           Report Name and
                                   Recommendation                       Expected Impact
    Mitigated                                                                                       Date
   Supervisory        FHFA should determine the appropriate          Improved supervision   More than Eight
    Oversight         threshold or criteria for charging off                                Years After Issuing
                      delinquent single-family loans at the                                 its Advisory
                      Enterprises and communicate that                                      Bulletin, FHFA Has
                      threshold or criteria through revised or new                          Not Held the
                      Agency guidance.                                                      Enterprises to its
                                                                                            Expectations on
                                                                                            Charging off
                                                                                            Delinquent Loans
                                                                                            or Communicated
                                                                                            New Expectations
                                                                                            (EVL-2020-003,
                                                                                            September 10,
                                                                                            2020)

                      FHFA should assess the Enterprises’            Improved supervision   More than Eight
                      implementation of the revised or new                                  Years After Issuing
                      Agency guidance to ensure that the                                    its Advisory
                      Enterprises’ practices comport with FHFA’s                            Bulletin, FHFA Has
                      supervisory expectations.                                             Not Held the
                                                                                            Enterprises to its
                                                                                            Expectations on
                                                                                            Charging off
                                                                                            Delinquent Loans
                                                                                            or Communicated
                                                                                            New Expectations
                                                                                            (EVL-2020-003,
                                                                                            September 10,
                                                                                            2020)

                      FHFA should ensure that the Office of          Improved supervision   Weaknesses in
                      Housing and Regulatory Policy (a) develops                            FHFA’s Monitoring
                      and issues written guidance to the                                    of the Enterprises’
                      Enterprises on the data elements to be                                97% LTV Mortgage
                      reported regularly for FHFA’s monitoring of                           Programs May
                      the 97% LTV mortgage programs and (b)                                 Hinder FHFA’s
                      establishes quality control procedures to                             Ability to Timely
                      ensure that information reported by the                               Identify, Analyze,
                      Enterprises is reliable and conforms to the                           and Respond to
                      requirements of the written guidance.                                 Risks Related to
                                                                                            Achieving the
                                                                                            Programs’
                                                                                            Objectives
                                                                                            (AUD-2020-014,
                                                                                            September 29,
                                                                                            2020)

                                              OIG • April 1, 2021                                         17
Specific Risk to be                                                                          Report Name and
                                   Recommendation                       Expected Impact
    Mitigated                                                                                        Date
                      FHFA should clarify and reinforce the Office   Improved supervision   Weaknesses in
                      of Housing and Regulatory Policy’s guidance                           FHFA’s Monitoring
                      regarding the frequency of 97% LTV                                    of the Enterprises’
                      mortgage program monitoring dashboard                                 97% LTV Mortgage
                      preparation to Office of Housing and                                  Programs May
                      Regulatory Policy staff and ensure that the                           Hinder FHFA’s
                      monitoring dashboards are prepared and                                Ability to Timely
                      reviewed in accordance with that guidance.                            Identify, Analyze,
                                                                                            and Respond to
                                                                                            Risks Related to
                                                                                            Achieving the
                                                                                            Programs’
                                                                                            Objectives
                                                                                            (AUD-2020-014,
                                                                                            September 29,
                                                                                            2020)

                      FHFA should ensure that DER uses its full      Improved supervision   Despite FHFA’s
                      range of available examination activities,                            Acknowledgement
                      including targeted examinations and when                              that Enterprise
                      appropriate, enhanced risk monitoring, to                             Reliance on Third-
                      provide comprehensive assessments of                                  Parties Represents
                      known areas of high risk, like Fannie Mae’s                           a Significant
                      reliance on third-party vendors.                                      Operational Risk,
                                                                                            No Targeted
                                                                                            Examinations of
                                                                                            Fannie Mae’s Third-
                                                                                            Party Risk
                                                                                            Management
                                                                                            Program Were
                                                                                            Completed Over a
                                                                                            Seven-Year Period
                                                                                            (AUD-2021-007,
                                                                                            March 29, 2021)

   Examiner           FHFA should assess whether Fannie Mae’s        Improved supervisory   FHFA Examiners’
Assessment and        remediation of its [redacted] is sufficient.   oversight              Lack of
 Escalation of                                                                              Assessment and
 Shortcomings                                                                               Escalation of
                                                                                            Shortcomings
                                                                                            Identified by an
                                                                                            Enterprise in its
                                                                                            Servicer Fraud Risk
                                                                                            Management
                                                                                            Framework Limited
                                                                                            the Agency’s
                                                                                            Supervisory
                                                                                            Oversight (EVL-
                                                                                            2020-002, August
                                                                                            27, 2020)

                                               OIG • April 1, 2021                                       18
Specific Risk to be                                                                         Report Name and
                                   Recommendation                      Expected Impact
    Mitigated                                                                                       Date
                      FHFA should set clear expectations in         Improved supervisory   FHFA Examiners’
                      supervisory guidance for prompt escalation    oversight              Lack of
                      within DER by examiners of information                               Assessment and
                      regarding deficient practices at an                                  Escalation of
                      Enterprise for a determination of whether                            Shortcomings
                      such practices warrant additional                                    Identified by an
                      supervisory attention and/or should be the                           Enterprise in its
                      subject of an adverse examination finding.                           Servicer Fraud Risk
                                                                                           Management
                                                                                           Framework Limited
                                                                                           the Agency’s
                                                                                           Supervisory
                                                                                           Oversight (EVL-
                                                                                           2020-002, August
                                                                                           27, 2020)

                      FHFA should reinforce in examiner training    Improved supervisory   FHFA Examiners’
                      and the annual performance appraisal          oversight              Lack of
                      process its expectations for collaboration                           Assessment and
                      among examiners, communication of                                    Escalation of
                      potential deficient practices to DER                                 Shortcomings
                      managers, and documentation of support                               Identified by an
                      for conclusions.                                                     Enterprise in its
                                                                                           Servicer Fraud Risk
                                                                                           Management
                                                                                           Framework Limited
                                                                                           the Agency’s
                                                                                           Supervisory
                                                                                           Oversight (EVL-
                                                                                           2020-002, August
                                                                                           27, 2020)

   Examination        FHFA should establish and communicate         Improved supervision   Five Years After
    Guidance          clear expectations for use of revised and                            Issuance, Many
                      new examination modules by DER                                       Examination
                      examiners.                                                           Modules Remain in
                                                                                           Field Test; FHFA
                                                                                           Should Establish
                                                                                           Timelines and
                                                                                           Processes to
                                                                                           Ensure Timely
                                                                                           Revision of
                                                                                           Examiner Guidance
                                                                                           (EVL-2019-003,
                                                                                           September 10,
                                                                                           2019)

                                              OIG • April 1, 2021                                       19
Specific Risk to be                                                                        Report Name and
                                  Recommendation                      Expected Impact
    Mitigated                                                                                      Date
                      FHFA should reinforce the requirement to     Improved supervision   FHFA Completed
                      examiners in charge and examination                                 Most of its Planned
                      managers that changes to an examination                             Ongoing Monitoring
                      plan must be risk-based – changes in                                Activities for Fannie
                      Enterprise business operations or risk                              Mae and CSS for
                      exposures – and that resource constraints                           2019; However,
                      are not accepted reasons for such changes.                          FHFA Failed to
                                                                                          Follow its
                                                                                          Requirements
                                                                                          When it Changed
                                                                                          Examination Plans
                                                                                          for Non-Risk-Based
                                                                                          Reasons and Failed
                                                                                          to Obtain Deputy
                                                                                          Director Approval
                                                                                          (AUD-2020-011,
                                                                                          September 9,
                                                                                          2020)

                      FHFA should reinforce the requirement that   Improved supervision   FHFA Completed
                      any revisions to an examination plan must                           Most of its Planned
                      be approved in writing by the Deputy                                Ongoing Monitoring
                      Director.                                                           Activities for Fannie
                                                                                          Mae and CSS for
                                                                                          2019; However,
                                                                                          FHFA Failed to
                                                                                          Follow its
                                                                                          Requirements
                                                                                          When it Changed
                                                                                          Examination Plans
                                                                                          for Non-Risk-Based
                                                                                          Reasons and Failed
                                                                                          to Obtain Deputy
                                                                                          Director Approval
                                                                                          (AUD-2020-011,
                                                                                          September 9,
                                                                                          2020)

                                             OIG • April 1, 2021                                        20
Specific Risk to be                                                                         Report Name and
                                   Recommendation                      Expected Impact
    Mitigated                                                                                      Date
                      FHFA should define the term “supervisory      Improved supervision   FHFA’s Failure to
                      concern” as it is used in FHFA’s corporate                           Define and Clearly
                      governance regulation.                                               Communicate
                                                                                           “Supervisory
                                                                                           Concerns” Hinders
                                                                                           the Enterprise
                                                                                           Boards’ Ability to
                                                                                           Execute Their
                                                                                           Oversight
                                                                                           Obligations Under
                                                                                           FHFA’s Corporate
                                                                                           Governance
                                                                                           Regulation and
                                                                                           Renders the
                                                                                           Regulation
                                                                                           Ineffective as a
                                                                                           Supervisory Tool
                                                                                           (EVL-2021-003,
                                                                                           March 30, 2021)

                      FHFA should develop examination guidance      Improved supervision   FHFA’s Failure to
                      that explains how supervisory concerns                               Define and Clearly
                      should be described and categorized in the                           Communicate
                      Reports of Examination, establishes DER’s                            “Supervisory
                      expectations for timely and appropriate                              Concerns” Hinders
                      remediation for each such concerns, and                              the Enterprise
                      prescribes how such concerns should be                               Boards’ Ability to
                      monitored until they are fully remediated.                           Execute Their
                                                                                           Oversight
                                                                                           Obligations Under
                                                                                           FHFA’s Corporate
                                                                                           Governance
                                                                                           Regulation and
                                                                                           Renders the
                                                                                           Regulation
                                                                                           Ineffective as a
                                                                                           Supervisory Tool
                                                                                           (EVL-2021-003,
                                                                                           March 30, 2021)

                                              OIG • April 1, 2021                                       21
Specific Risk to be                                                                             Report Name and
                                   Recommendation                        Expected Impact
    Mitigated                                                                                           Date
    Effective         FHFA should require examiners to                Improved examinations    FHFA Should
  Cybersecurity       document their assessment of the design of                               Improve its
    Controls          the Federal Home Loan Banks’ vulnerability                               Examinations of
  Examinations        scans and penetration tests as part of their                             the Effectiveness of
                      assessment of the operational                                            the Federal Home
                      effectiveness of such controls. [Closed in                               Loan Banks’ Cyber
                      February 2017; reopened upon results of                                  Risk Management
                      compliance testing.]                                                     Programs by
                                                                                               Including an
                                                                                               Assessment of the
                                                                                               Design of Critical
                                                                                               Internal Controls
                                                                                               (AUD-2016-001,
                                                                                               February 29, 2016)
                                                                                               and Compliance
                                                                                               Review of DBR’s
                                                                                               Examinations of
                                                                                               Critical
                                                                                               Cybersecurity
                                                                                               Controls at the
                                                                                               Federal Home Loan
                                                                                               Banks (COM-2019-
                                                                                               004, May 7, 2019)

 Quality Control      FHFA’s Office of Minority and Women             Improved quality         Compliance Review
   Reviews            Inclusion should ensure that quality control                             of FHFA’s Office of
                      reviews are performed before issuing                                     Minority and
                      diversity and inclusion examination findings                             Women Inclusion
                      to a regulated entity, as required by                                    (COM-2019-005,
                      Supervision Directive 2017-01.                                           June 24, 2019)

                                             Information Technology
   Information        FHFA should comply with Financial Stability     Improved risk            FHFA Should Map
 Technology Risk      Oversight Council recommendations to            management               Its Supervisory
  Examinations        address the gaps, as prioritized, to reflect                             Standards for
                      and incorporate appropriate elements of                                  Cyber Risk
                      the National Institute of Standards and                                  Management to
                      Technology Framework.                                                    Appropriate
                                                                                               Elements of the
                                                                                               NIST Framework
                                                                                               (EVL-2016-003,
                                                                                               March 28, 2016)10

 10
    FHFA revised its supervisory guidance related to information security and risk management in March 2020. OIG
 is reviewing the revised guidance to assess whether FHFA has adequately addressed this recommendation.

                                              OIG • April 1, 2021                                            22
Specific Risk to be                                                                                      Report Name and
                                          Recommendation                         Expected Impact
    Mitigated                                                                                                  Date
                             FHFA should comply with Financial Stability      Improved risk            FHFA Should Map
                             Oversight Council recommendations to             management               Its Supervisory
                             revise existing regulatory guidance to reflect                            Standards for
                             and incorporate appropriate elements of                                   Cyber Risk
                             the National Institute of Standards and                                   Management to
                             Technology framework in a manner that                                     Appropriate
                             achieves consistency with other federal                                   Elements of the
                             financial regulators.                                                     NIST Framework
                                                                                                       (EVL-2016-003,
                                                                                                       March 28, 2016)11

Privacy Information          FHFA should determine privacy controls that      Improved protection of   Audit of the Federal
and Data Protection          are information system-specific, and/or          privacy information      Housing Finance
                             hybrid controls.                                                          Agency’s 2019
                                                                                                       Privacy Program
                                                                                                       (AUD-2019-009,
                                                                                                       August 28, 2019)

                             FHFA should document privacy controls            Improved protection of   Audit of the Federal
                             within each system’s system security plan        privacy information      Housing Finance
                             or system-specific privacy plan, clearly                                  Agency’s 2019
                             identifying whether controls are program                                  Privacy Program
                             level, common, information system-specific,                               (AUD-2019-009,
                             or hybrid.                                                                August 28, 2019)

 FHFA Information            Because information in this report could be      Improved information     Audit of the Federal
Technology Security          used to circumvent FHFA’s internal controls,     security                 Housing Finance
  and Availability           it has not been released publicly.                                        Agency’s
                                                                                                       Information
                                                                                                       Security Program
                                                                                                       Fiscal Year 2019
                                                                                                       (AUD-2020-001,
                                                                                                       October 25, 2019)

                             Because information in this report could be      Improved information     Audit of the Federal
                             used to circumvent FHFA’s internal controls,     security                 Housing Finance
                             it has not been released publicly.                                        Agency’s
                                                                                                       Information
                                                                                                       Security Program
                                                                                                       Fiscal Year 2020
                                                                                                       (AUD-2021-001,
                                                                                                       October 20, 2020)

  11
       See prior footnote.

                                                      OIG • April 1, 2021                                            23
Specific Risk to be                                                                          Report Name and
                                   Recommendation                       Expected Impact
    Mitigated                                                                                       Date
                      Because information in this report could be    Improved information   Audit of the Federal
                      used to circumvent FHFA’s internal controls,   security               Housing Finance
                      it has not been released publicly.                                    Agency’s
                                                                                            Information
                                                                                            Security Program
                                                                                            Fiscal Year 2020
                                                                                            (AUD-2021-001,
                                                                                            October 20, 2020)

                      Because information in this report could be    Improved information   Audit of the Federal
                      used to circumvent FHFA’s internal controls,   security               Housing Finance
                      it has not been released publicly.                                    Agency’s
                                                                                            Information
                                                                                            Security Program
                                                                                            Fiscal Year 2020
                                                                                            (AUD-2021-001,
                                                                                            October 20, 2020)

                      Because information in this report could be    Improved information   Audit of the Federal
                      used to circumvent FHFA’s internal controls,   security               Housing Finance
                      it has not been released publicly.                                    Agency’s
                                                                                            Information
                                                                                            Security Program
                                                                                            Fiscal Year 2020
                                                                                            (AUD-2021-001,
                                                                                            October 20, 2020)

                      Because information in this report could be    Improved information   Audit of the Federal
                      used to circumvent FHFA’s internal controls,   security               Housing Finance
                      it has not been released publicly.                                    Agency’s
                                                                                            Information
                                                                                            Security Program
                                                                                            Fiscal Year 2020
                                                                                            (AUD-2021-001,
                                                                                            October 20, 2020)

                      Because information in this report could be    Improved information   Audit of the Federal
                      used to circumvent FHFA’s internal controls,   security               Housing Finance
                      it has not been released publicly.                                    Agency’s
                                                                                            Information
                                                                                            Security Program
                                                                                            Fiscal Year 2020
                                                                                            (AUD-2021-001,
                                                                                            October 20, 2020)

                                              OIG • April 1, 2021                                         24
Specific Risk to be                                                                          Report Name and
                                   Recommendation                       Expected Impact
    Mitigated                                                                                       Date
                      Because information in this report could be    Improved information   Audit of the Federal
                      used to circumvent FHFA’s internal controls,   security               Housing Finance
                      it has not been released publicly.                                    Agency’s
                                                                                            Information
                                                                                            Security Program
                                                                                            Fiscal Year 2020
                                                                                            (AUD-2021-001,
                                                                                            October 20, 2020)

                      FHFA should ensure that outdated               Improved information   2019 Internal
                      [redacted] and [redacted] protocols in         security               Penetration Test of
                      FHFA’s systems are disabled or upgraded in                            FHFA’s Network
                      a timely manner in accordance with                                    and Systems (AUD-
                      National Institute of Standards and                                   2019-014,
                      Technology directives.                                                September 24,
                                                                                            2019)

                      FHFA should validate the implementation of     Improved information   FHFA Failed to
                      minimum security requirements for all          security               Follow its Cloud-
                      existing cloud-based General Support                                  Based Computing
                      System Tools and ensure to do the same for                            Requirements
                      future cloud-based General Support System                             when it Did Not
                      Tools.                                                                Validate the
                                                                                            Implementation of
                                                                                            Minimum Security
                                                                                            Requirements for
                                                                                            Cloud-Based Tools
                                                                                            and Did Not Include
                                                                                            Required IT
                                                                                            Security Provisions
                                                                                            in Some of its
                                                                                            Cloud Service
                                                                                            Contracts (AUD-
                                                                                            2020-013,
                                                                                            September 17,
                                                                                            2020)

                                              OIG • April 1, 2021                                         25
Specific Risk to be                                                                          Report Name and
                                   Recommendation                       Expected Impact
    Mitigated                                                                                       Date
                      FHFA should modify existing cloud-based        Improved information   FHFA Failed to
                      General Support System Tool contracts to       security               Follow its Cloud-
                      include the required IT security provisions                           Based Computing
                      and ensure future cloud-based General                                 Requirements
                      Support System Tool contracts include all                             when it Did Not
                      required provisions.                                                  Validate the
                                                                                            Implementation of
                                                                                            Minimum Security
                                                                                            Requirements for
                                                                                            Cloud-Based Tools
                                                                                            and Did Not Include
                                                                                            Required IT
                                                                                            Security Provisions
                                                                                            in Some of its
                                                                                            Cloud Service
                                                                                            Contracts (AUD-
                                                                                            2020-013,
                                                                                            September 17,
                                                                                            2020)

                      FHFA should reinforce the requirements in      Improved information   FHFA Failed to
                      the Information System Characterization        security               Follow its Cloud-
                      Methodology to Office of Technology and                               Based Computing
                      Information Management Security staff.                                Requirements
                                                                                            when it Did Not
                                                                                            Validate the
                                                                                            Implementation of
                                                                                            Minimum Security
                                                                                            Requirements for
                                                                                            Cloud-Based Tools
                                                                                            and Did Not Include
                                                                                            Required IT
                                                                                            Security Provisions
                                                                                            in Some of its
                                                                                            Cloud Service
                                                                                            Contracts (AUD-
                                                                                            2020-013,
                                                                                            September 17,
                                                                                            2020)

                                               OIG • April 1, 2021                                       26
Specific Risk to be                                                                            Report Name and
                                   Recommendation                      Expected Impact
    Mitigated                                                                                         Date
                      FHFA should implement multifactor             Improved information      Audit of an FHFA
                      authentication for [redacted] for             security                  Sensitive
                      Employment Matters Tracking System                                      Employment-
                      database servers.                                                       Related Case
                                                                                              Tracking System:
                                                                                              FHFA Followed its
                                                                                              Access Control
                                                                                              Standard, But its
                                                                                              System Is Adversely
                                                                                              Impacted by Two
                                                                                              Security Control
                                                                                              Weaknesses (AUD-
                                                                                              2021-006, March
                                                                                              29, 2021)

                      FHFA should send Employment Matters           Improved information      Audit of an FHFA
                      Tracking System [redacted] for correlation    security                  Sensitive
                      and analysis.                                                           Employment-
                                                                                              Related Case
                                                                                              Tracking System:
                                                                                              FHFA Followed its
                                                                                              Access Control
                                                                                              Standard, But its
                                                                                              System Is Adversely
                                                                                              Impacted by Two
                                                                                              Security Control
                                                                                              Weaknesses (AUD-
                                                                                              2021-006, March
                                                                                              29, 2021)

                                               Agency Operations
Oversight of FHFA     FHFA should develop written procedures for    Improved management       FHFA Should Name
Workforce Matters     carrying out the functions of the Office of   of a statutory function   an Ombudsman
                      the Ombudsman, to include procedures for                                and Document the
                      documenting that all incoming complaints                                Office of the
                      and appeals are tracked, considered, and                                Ombudsman’s
                      appropriately resolved. In developing these                             Procedures (AUD-
                      procedures, the guidance published by the                               2019-011,
                      Coalition of Federal Ombudsmen should be                                September 16,
                      taken into consideration.                                               2019)

                                              OIG • April 1, 2021                                          27
Specific Risk to be                                                                          Report Name and
                                   Recommendation                        Expected Impact
    Mitigated                                                                                       Date
 Management of        FHFA should update FHFA’s                       Prevent improper     For Fiscal Year
Agency Resources      Reimbursements and Stipends Policy 113          payments             2019, FHFA Did
                      to align with management’s intent and                                Not Always Follow
                      practice.                                                            its Policy for
                                                                                           Employee
                                                                                           Reimbursements
                                                                                           and Stipends;
                                                                                           FHFA’s Practice for
                                                                                           Calculating
                                                                                           Employee Travel
                                                                                           Stipends Was Not
                                                                                           Stated in its Policy
                                                                                           Nor Consistently
                                                                                           Followed (AUD-
                                                                                           2020-007, March
                                                                                           26, 2020)

 Management of        FHFA should include all National Archives       Improved records     FHFA Needs to
 Agency Records       and Records Administration-required             management           Strengthen
                      content topics in annual records                                     Controls Over its
                      management training provided to FHFA                                 Records
                      employees and contractor employees.                                  Management
                                                                                           Program to Comply
                                                                                           with OMB and
                                                                                           NARA
                                                                                           Requirements
                                                                                           (AUD-2020-008,
                                                                                           March 26, 2020)

 Enterprise Risk      Going forward, FHFA should ensure Annual        Improved risk        FHFA Followed
  Management          Risk Profiles include all significant risk      management           OMB Guidance in
                      response action items designed to reduce                             Implementing its
                      identified risks, such as FHFA’s                                     Enterprise Risk
                      organizational optimization Blueprint                                Management
                      project, along with identifying the owners of                        Program But its
                      those risk response action items and target                          2020 Risk Profile
                      completion dates.                                                    Failed to Identify a
                                                                                           Significant Action
                                                                                           Underway to
                                                                                           Address
                                                                                           Acknowledged
                                                                                           Supervision Risk
                                                                                           (AUD-2021-004,
                                                                                           March 17, 2021)

                                               OIG • April 1, 2021                                       28
Specific Risk to be                                                                      Report Name and
                                  Recommendation                      Expected Impact
    Mitigated                                                                                   Date
                      FHFA should develop written policies and     Improved risk        FHFA Followed
                      procedures for its Enterprise Risk           management           OMB Guidance in
                      Management program.                                               Implementing its
                                                                                        Enterprise Risk
                                                                                        Management
                                                                                        Program But its
                                                                                        2020 Risk Profile
                                                                                        Failed to Identify a
                                                                                        Significant Action
                                                                                        Underway to
                                                                                        Address
                                                                                        Acknowledged
                                                                                        Supervision Risk
                                                                                        (AUD-2021-004,
                                                                                        March 17, 2021)

                                             OIG • April 1, 2021                                      29
CLOSED UNIMPLEMENTED RECOMMENDATIONS .....................

  The Inspector General Act of 1978 does not authorize any federal inspector general to compel
  its respective agency to adopt new policies or processes or take personnel actions to correct
  shortcomings found in their audits, evaluations, and investigations. Rather, the Act empowers
  inspectors general to recommend remedial actions to correct such shortcomings, and the
  affected agency determines whether or not to accept the recommendations.

  We believe it is important to be transparent and distinguish between recommendations
  that have been closed in light of appropriate movement toward implementation and
  recommendations that have been closed in light of FHFA’s refusal to take any action.
  For those recommendations closed due to rejection by FHFA, we continue to stand by our
  findings and believe that the Agency should have undertaken the recommended actions.

  The recommendations listed below represent those that have been closed following FHFA’s
  rejection and were not implemented.

Specific Risk to be                                                                        Report Name and
                                   Recommendation                       Expected Impact
    Mitigated                                                                                    Date
                                   Closed Unimplemented Recommendations
Property Inspection   FHFA should direct the Enterprises to          Improved quality     FHFA Oversight of
  Quality Controls    establish uniform pre-foreclosure inspection                        Enterprise Controls
                      quality standards and quality control                               Over Pre-
                      processes for inspectors.                                           Foreclosure
                                                                                          Property
                                                                                          Inspections (AUD-
                                                                                          2014-012, March
                                                                                          25, 2014)

    Improperly        FHFA should direct Fannie Mae to obtain a      Improved accuracy    FHFA Oversight of
   Reimbursed         refund from servicers for improperly                                Fannie Mae’s
Property Inspection   reimbursed property inspection claims,                              Reimbursement
      Claims          resulting in estimated funds put to better                          Process for Pre-
                      use of $5,015,505.                                                  Foreclosure
                                                                                          Property
                                                                                          Inspections (AUD-
                                                                                          2014-005, January
                                                                                          15, 2014)

                                              OIG • April 1, 2021                                      30
Specific Risk to be                                                                           Report Name and
                                   Recommendation                       Expected Impact
    Mitigated                                                                                       Date
 Seller/Servicer      FHFA should promptly quantify the potential    Improved oversight      FHFA Oversight of
Resolution of Aged    benefit of implementing a repurchase late                              Enterprise
   Repurchase         fee program at Fannie Mae, and then                                    Handling of Aged
    Demands           determine whether the potential cost                                   Repurchase
                      of from $500,000 to $5.4 million still                                 Demands
                      outweighs the potential benefit.                                       (AUD-2014-009,
                                                                                             February 12, 2014)

   Oversight of       FHFA should perform a comprehensive            Improved framework      FHFA’s
    Enterprise        analysis to assess whether financial risks     management              Representation
Implementation of     associated with the new representation and                             and Warranty
Representation and    warranty framework, including with regard                              Framework (AUD-
     Warranty         to sunset periods, are appropriately                                   2014-016,
   Framework          balanced between the Enterprises and                                   September 17,
                      sellers. This analysis should be based on                              2014)
                      consistent transactional data across both
                      Enterprises, identify potential costs
                      and benefits to the Enterprises, and
                      document consideration of the Agency’s
                      objectives.

  Seller/Servicer     FHFA should direct Fannie Mae and Freddie      Improved compliance     FHFA’s Oversight of
 Compliance with      Mac to assess the cost/benefit of a risk-                              Risks Associated
    Guidance          based approach to requiring their sellers                              with the
                      and servicers to provide independent, third-                           Enterprises Relying
                      party attestation reports on compliance with                           on Counterparties
                      Enterprise origination and servicing                                   to Comply with
                      guidance.                                                              Selling and
                                                                                             Servicing
                                                                                             Guidelines (AUD-
                                                                                             2014-018,
                                                                                             September 26,
                                                                                             2014)

Collection of Funds   FHFA should publish Fannie Mae’s               Improved transparency   Evaluation of
  from Servicers      reduction targets and overpayment findings.                            Fannie Mae’s
                                                                                             Servicer
                                                                                             Reimbursement
                                                                                             Operations for
                                                                                             Delinquency
                                                                                             Expenses (EVL-
                                                                                             2013-012,
                                                                                             September 18,
                                                                                             2013)

                                              OIG • April 1, 2021                                         31
Specific Risk to be                                                                             Report Name and
                                     Recommendation                         Expected Impact
    Mitigated                                                                                          Date
  Examination          DER should adopt a comprehensive                  Improved efficiency   Evaluation of the
 Recordkeeping         examination workpaper index and                                         Division of
    Practices          standardize electronic workpaper folder                                 Enterprise
                       structures and naming conventions                                       Regulation’s 2013
                       between the two Core Teams. In addition,                                Examination
                       FHFA and DER should upgrade                                             Records:
                       recordkeeping practices as necessary to                                 Successes and
                       enhance the identification and retrieval of                             Opportunities (EVL-
                       critical workpapers.                                                    2015-001, October
                                                                                               6, 2014)

    Oversight of       FHFA should develop a strategy to enhance         Improved oversight    Compliance Review
Enterprise Executive   the Executive Compensation Branch’s                                     of FHFA’s Oversight
  Compensation         capacity to review the reasonableness and                               of Enterprise
                       justification of the Enterprises’ annual                                Executive
                       proposals to compensate their executives                                Compensation
                       based on Corporate Scorecard                                            Based on
                       performance. To this end, FHFA should                                   Corporate
                       ensure that: the Enterprises submit                                     Scorecard
                       proposals containing information sufficient                             Performance (COM-
                       to facilitate a comprehensive review by the                             2016-002, March
                       Executive Compensation Branch; the                                      17, 2016)
                       Executive Compensation Branch tests and
                       verifies the information in the Enterprises’
                       proposals, perhaps on a randomized basis;
                       and the Executive Compensation Branch
                       follows up with the Enterprises to resolve
                       any proposals that do not appear to be
                       reasonable and justified.

                       FHFA should develop a policy under which it       Improved oversight    Compliance Review
                       is required to notify OIG within 10 days of its                         of FHFA’s Oversight
                       decision not to fully implement,                                        of Enterprise
                       substantially alter, or abandon a corrective                            Executive
                       action that served as the basis for OIG’s                               Compensation
                       decision to close a recommendation.                                     Based on
                                                                                               Corporate
                                                                                               Scorecard
                                                                                               Performance (COM-
                                                                                               2016-002, March
                                                                                               17, 2016)

                                                 OIG • April 1, 2021                                        32
Specific Risk to be                                                                          Report Name and
                                   Recommendation                        Expected Impact
    Mitigated                                                                                      Date
                      FHFA should re-assess the appropriateness       Improved governance   FHFA’s Approval of
                      of the annual compensation package of                                 Senior Executive
                      $3.6 million to the Fannie Mae President                              Succession
                      with consideration paid to the following                              Planning at Fannie
                      factors: the congressional intent behind the                          Mae Acted to
                      statutory cap on compensation; Fannie                                 Circumvent the
                      Mae’s continued conservatorship status                                Congressionally
                      and the burdens imposed on the taxpayers                              Mandated Cap on
                      from that status; and the 10-year practice                            CEO Compensation
                      at Fannie Mae where one individual                                    (EVL-2019-001,
                      executed the responsibilities of both the                             March 26, 2019)
                      Chief Executive Officer and President
                      positions, with annual compensation
                      capped at $600,000 since 2015.

                      FHFA should re-assess the appropriateness       Improved governance   FHFA’s Approval of
                      of the annual compensation package of                                 Senior Executive
                      $3.25 million to the Freddie Mac President                            Succession
                      with consideration paid to the following                              Planning at Freddie
                      factors: the congressional intent behind the                          Mac Acted to
                      statutory cap on compensation; Freddie                                Circumvent the
                      Mac’s continued conservatorship status                                Congressionally
                      and the burdens imposed on the taxpayers                              Mandated Cap on
                      from that status; the 10-year practice at                             CEO Compensation
                      Freddie Mac where one individual executed                             (EVL-2019-002,
                      the Chief Executive Officer responsibilities                          March 26, 2019)
                      with annual compensation capped at
                      $600,000 since 2015; and the temporary
                      nature of the position of President, in light
                      of FHFA’s representation that Candidate A
                      will leave Freddie Mac if he is not selected
                      for the Chief Executive Officer position.

   Oversight of       FHFA’s Division of Housing Mission and          Improved servicing    FHFA’s Oversight
Servicing Alignment   Goals Deputy Director should establish an       compliance and        of the Servicing
      Initiative      ongoing process to evaluate servicers’          minimized losses      Alignment Initiative
                      Servicing Alignment Initiative compliance                             (EVL-2014-003,
                      and the effectiveness of the Enterprises’                             February 12, 2014)
                      remediation efforts.

                      FHFA’s Division of Housing Mission and          Improved servicing    FHFA’s Oversight
                      Goals Deputy Director should direct the         compliance and        of the Servicing
                      Enterprises to provide routinely their          minimized losses      Alignment Initiative
                      internal reports and reviews for the Division                         (EVL-2014-003,
                      of Housing Mission and Goals’ assessment.                             February 12, 2014)

                                               OIG • April 1, 2021                                        33
Specific Risk to be                                                                           Report Name and
                                   Recommendation                        Expected Impact
    Mitigated                                                                                        Date
                      FHFA’s Division of Housing Mission and          Improved servicing     FHFA’s Oversight
                      Goals Deputy Director should regularly          compliance and         of the Servicing
                      review Servicing Alignment Initiative-related   minimized losses       Alignment Initiative
                      guidelines for enhancements or revisions,                              (EVL-2014-003,
                      as necessary, based on servicers’ actual                               February 12, 2014)
                      versus expected performance.

  Oversight of        FHFA should review FHFA’s existing              Improved remediation   FHFA’s Examiners
   Enterprise         requirements, guidance, and processes           of deficiencies        Did Not Meet
 Remediation of       regarding MRAs against the requirements,                               Requirements and
  Deficiencies        guidance, and processes adopted by the                                 Guidance for
                      Office of the Comptroller of the Currency,                             Oversight of an
                      the Board of Governors of the Federal                                  Enterprise’s
                      Reserve System, and other federal financial                            Remediation of
                      regulators including, but not limited to,                              Serious
                      content of an MRA; standards for proposed                              Deficiencies (EVL-
                      remediation plans; approval authority for                              2016-004, March
                      proposed remediation plans; real-time                                  29, 2016)
                      assessments at regular intervals of the
                      effectiveness and timeliness of an
                      Enterprise’s MRA remediation efforts; final
                      assessment of the effectiveness and
                      timeliness of an Enterprise’s MRA
                      remediation efforts; and required
                      documentation for examiner oversight of
                      MRA remediation.

                      Based on the results of the review in           Improved remediation   FHFA’s Examiners
                      recommendation 1, FHFA should assess            of deficiencies        Did Not Meet
                      whether any of the existing requirements,                              Requirements and
                      guidance, and processes adopted by FHFA                                Guidance for
                      should be enhanced, and make such                                      Oversight of an
                      enhancements.                                                          Enterprise’s
                                                                                             Remediation of
                                                                                             Serious
                                                                                             Deficiencies (EVL-
                                                                                             2016-004, March
                                                                                             29, 2016)

                                               OIG • April 1, 2021                                         34
Specific Risk to be                                                                           Report Name and
                                   Recommendation                        Expected Impact
    Mitigated                                                                                        Date
Communication of      FHFA should revise its supervision guidance     Improved Board         FHFA’s Supervisory
 Deficiencies to      to require DER to provide the Chair of the      oversight              Standards for
Enterprise Boards     Audit Committee of an Enterprise Board                                 Communication of
                      with each plan submitted by Enterprise                                 Serious
                      management to remediate an MRA with                                    Deficiencies to
                      associated timetables and the response by                              Enterprise Boards
                      DER.                                                                   and for Board
                                                                                             Oversight of
                                                                                             Management’s
                                                                                             Remediation
                                                                                             Efforts are
                                                                                             Inadequate (EVL-
                                                                                             2016-005, March
                                                                                             31, 2016)

                      FHFA should revise its supervision guidance     Improved supervision   FHFA’s Supervisory
                      to require DER to provide the Chair of the                             Standards for
                      Audit Committee of an Enterprise Board                                 Communication of
                      with each conclusion letter setting forth an                           Serious
                      MRA.                                                                   Deficiencies to
                                                                                             Enterprise Boards
                                                                                             and for Board
                                                                                             Oversight of
                                                                                             Management’s
                                                                                             Remediation
                                                                                             Efforts are
                                                                                             Inadequate (EVL-
                                                                                             2016-005, March
                                                                                             31, 2016)

                      FHFA should direct DER to develop detailed      Improved Board         FHFA Failed to
                      guidance and promulgate that guidance to        oversight              Consistently Deliver
                      each Enterprise’s board of directors that                              Timely Reports of
                      explains:                                                              Examination to the
                       • The purpose for DER’s annual                                        Enterprise Boards
                           presentation to each Enterprise board                             and Obtain Written
                           of directors on the ROE results,                                  Responses from
                           conclusions, and supervisory concerns                             the Boards
                           and the opportunity for directors to ask                          Regarding
                           questions and discuss ROE                                         Remediation of
                           examination conclusions and                                       Supervisory
                           supervisory concerns at that                                      Concerns Identified
                           presentation; and                                                 in those Reports
                                                                                             (EVL-2016-009,
                       • The requirement that each Enterprise
                           board of directors submit a written                               July 14, 2016)
                           response to the annual ROE to DER
                           and the expected level of detail
                           regarding ongoing and contemplated
                           remediation in that written response.

                                              OIG • April 1, 2021                                          35
Specific Risk to be                                                                          Report Name and
                                   Recommendation                       Expected Impact
    Mitigated                                                                                       Date
                      FHFA should direct the Enterprises’ boards     Improved Board         FHFA Failed to
                      to amend their charters to require review by   oversight              Consistently Deliver
                      each director of each annual ROE and                                  Timely Reports of
                      review and approval of the written response                           Examination to the
                      to DER in response to each annual ROE.                                Enterprise Boards
                                                                                            and Obtain Written
                                                                                            Responses from
                                                                                            the Boards
                                                                                            Regarding
                                                                                            Remediation of
                                                                                            Supervisory
                                                                                            Concerns Identified
                                                                                            in those Reports
                                                                                            (EVL-2016-009,
                                                                                            July 14, 2016)

   Assessing          FHFA should ensure that the underlying         Improved remediation   FHFA’s Inconsistent
 Remediation of       remediation documents, including the           of deficiencies        Practices in
  Deficiencies        Procedures Document, are readily available                            Assessing
                      by direct link or other means, through DER’s                          Enterprise
                      MRA tracking system(s).                                               Remediation of
                                                                                            Serious
                                                                                            Deficiencies and
                                                                                            Weaknesses in its
                                                                                            Tracking Systems
                                                                                            Limit the
                                                                                            Effectiveness of
                                                                                            FHFA’s Supervision
                                                                                            of the Enterprises
                                                                                            (EVL-2016-007,
                                                                                            July 14, 2016)

                      FHFA should require DER to track interim       Improved remediation   FHFA’s Inconsistent
                      milestones and to independently assess         of deficiencies        Practices in
                      and document the timeliness and adequacy                              Assessing
                      of Enterprise remediation of MRAs on a                                Enterprise
                      regular basis.                                                        Remediation of
                                                                                            Serious
                                                                                            Deficiencies and
                                                                                            Weaknesses in its
                                                                                            Tracking Systems
                                                                                            Limit the
                                                                                            Effectiveness of
                                                                                            FHFA’s Supervision
                                                                                            of the Enterprises
                                                                                            (EVL-2016-007,
                                                                                            July 14, 2016)

                                              OIG • April 1, 2021                                         36
Specific Risk to be                                                                         Report Name and
                                   Recommendation                      Expected Impact
    Mitigated                                                                                      Date
                      FHFA should require the Enterprises to        Improved remediation   FHFA’s Inconsistent
                      provide, in their remediation plans, the      of deficiencies        Practices in
                      target date in which their internal audit                            Assessing
                      departments expect to validate                                       Enterprise
                      management’s remediation of MRAs, and                                Remediation of
                      require examiners to enter that date into a                          Serious
                      dedicated field in the MRA tracking system.                          Deficiencies and
                                                                                           Weaknesses in its
                                                                                           Tracking Systems
                                                                                           Limit the
                                                                                           Effectiveness of
                                                                                           FHFA’s Supervision
                                                                                           of the Enterprises
                                                                                           (EVL-2016-007,
                                                                                           July 14, 2016)

                      FHFA should periodically conclude, based      Improved remediation   FHFA Requires the
                      upon sufficient examination work, on the      of deficiencies        Enterprises’
                      overall effectiveness of the Internal Audit                          Internal Audit
                      functions at Fannie Mae and Freddie Mac.                             Functions to
                                                                                           Validate
                                                                                           Remediation of
                                                                                           Serious
                                                                                           Deficiencies but
                                                                                           Provides No
                                                                                           Guidance and
                                                                                           Imposes No
                                                                                           Preconditions on
                                                                                           Examiners’ Use of
                                                                                           that Validation
                                                                                           Work (EVL-2018-
                                                                                           002, March 28,
                                                                                           2018)

                                              OIG • April 1, 2021                                       37
Specific Risk to be                                                                            Report Name and
                                   Recommendation                         Expected Impact
    Mitigated                                                                                         Date
                      FHFA should direct that examiners can use        Improved remediation   FHFA Requires the
                      Internal Audit work to assess the adequacy       of deficiencies        Enterprises’
                      of MRA remediation only if FHFA has                                     Internal Audit
                      concluded that the Internal Audit function is                           Functions to
                      effective overall.                                                      Validate
                                                                                              Remediation of
                                                                                              Serious
                                                                                              Deficiencies but
                                                                                              Provides No
                                                                                              Guidance and
                                                                                              Imposes No
                                                                                              Preconditions on
                                                                                              Examiners’ Use of
                                                                                              that Validation
                                                                                              Work (EVL-2018-
                                                                                              002, March 28,
                                                                                              2018)

 Identification of    FHFA should direct DER to revise its             Improved Board         FHFA’s Failure to
 Deficiencies and     guidance to require ROEs to focus the            oversight              Consistently
Their Root Causes     boards’ attention of the most critical and                              Identify Specific
                      time-sensitive supervisory concerns through                             Deficiencies and
                      (1) the prioritization of examination findings                          Their Root Causes
                      and conclusions and (2) identification of                               in Its Reports of
                      deficiencies and MRAs in the ROE and                                    Examination
                      discussion of their root causes.                                        Constrains the
                                                                                              Ability of the
                                                                                              Enterprise Boards
                                                                                              to Exercise
                                                                                              Effective Oversight
                                                                                              of Management’s
                                                                                              Remediation of
                                                                                              Supervisory
                                                                                              Concerns (EVL-
                                                                                              2016-008, July 14,
                                                                                              2016)

Oversight of Fannie   FHFA should ensure that it has adequate          Improved oversight     Management Alert:
Mae Headquarters      internal staff, outside contractors, or both,                           Need for Increased
Consolidation and     who have the professional expertise and                                 Oversight by FHFA,
    Relocation        experience in commercial construction to                                as Conservator of
                      oversee the build-out plans and associated                              Fannie Mae, of the
                      budget(s), as Fannie Mae continues to                                   Projected Costs
                      revise and refine them.                                                 Associated with
                                                                                              Fannie Mae’s
                                                                                              Headquarters
                                                                                              Consolidation and
                                                                                              Relocation Project
                                                                                              (COM-2016-004,
                                                                                              June 16, 2016)

                                               OIG • April 1, 2021                                         38
You can also read