Compendium of Open Recommendations - Federal Housing Finance Agency Office of Inspector General
Federal Housing Finance Agency Office of Inspector General Compendium of Open Recommendations September 1, 2021
TABLE OF CONTENTS

ABBREVIATIONS
INTRODUCTION
    Tracking of OIG Recommendations
    Validation Testing
OPEN RECOMMENDATIONS
CLOSED UNIMPLEMENTED RECOMMENDATIONS

OIG • September 1, 2021
ABBREVIATIONS

DER: Division of Enterprise Regulation
Enterprises: Fannie Mae and Freddie Mac
FHFA: Federal Housing Finance Agency
MRA: Matter Requiring Attention
OIG: Federal Housing Finance Agency Office of Inspector General
PII: Personally Identifiable Information
ROE: Report of Examination
INTRODUCTION

Since the Federal Housing Finance Agency (FHFA) Office of Inspector General (OIG) began operations in October 2010, we have made more than 525 recommendations[1] to improve efficiency and effectiveness and reduce fraud, waste, and abuse at FHFA and at the government-sponsored enterprises for which the Agency acts as conservator and regulator, Fannie Mae and Freddie Mac (the Enterprises), and at the Federal Home Loan Banks for which the Agency acts as regulator.

As required under the Inspector General Act of 1978, as amended, we provide information on open and closed recommendations in each semiannual report to the Congress.[2] To maintain the focus on opportunities for improvement that our recommendations identify, OIG publishes on its website a monthly report setting forth all open recommendations from our audits, evaluations, and other studies.[3] For additional information on any recommendation, please click on the hyperlinked report number to access its underlying report. This compendium is comprehensive as of September 1, 2021.

Because FHFA serves a unique role as both conservator and regulator of the Enterprises, OIG’s responsibilities necessarily include oversight of FHFA’s actions in both of these roles, in order to determine whether the Agency is fulfilling its statutory duties and responsibilities and safeguarding the taxpayers’ resources. Our oversight role also reaches the Enterprises—recipients of $191.5 billion in taxpayer monies—to ensure that they are satisfying their obligations under the authority delegated to them in the conservatorships. Through oversight, transparent reporting of results, and robust enforcement, OIG seeks to be a voice for, and protect the interest of, those who have funded Treasury’s investment in the Enterprises—the American taxpayers.
[1] Includes public and non-public recommendations.
[2] OIG’s semiannual reports are available at www.fhfaoig.gov/Reports/Semiannual.
[3] This report does not include recommendations under consideration for work that is in progress.

Tracking of OIG Recommendations

Our recommendations, like those of other inspectors general, are primarily made in written reports issued by our Offices of Audits, Evaluations, and Compliance. We report the facts, as found, and recommend actions to address any shortcomings we identify in FHFA’s exercise of its statutory duties and responsibilities or by one or both Enterprises, in connection with their execution of responsibilities delegated to them by FHFA, as conservator. FHFA is provided an opportunity to provide a written response to OIG recommendations. FHFA’s determinations whether to agree with OIG’s recommendations are included in our published reports.

Once FHFA has accepted an OIG recommendation, it reports to us on its efforts to implement the “corrective action” that is intended to respond to the recommendation. When FHFA believes that its implementation efforts are well underway or that implementation is complete, FHFA provides that information to us, along with corroborating documents, and we rely on those materials in determining whether to close recommendations. If the Agency rejects a recommendation or conclusively refuses to implement an acceptable corrective action, then we will close the recommendation and report it separately in this compendium.

Validation Testing

OIG typically relies on materials and representations from the Agency to close its recommendations and may close some recommendations based on the Agency’s representations as to the corrective actions it has taken. Accordingly, we are not always able to assess, at the time of closure, whether the implementation actions by FHFA meet the letter and spirit of the agreed-upon recommendation, nor can we determine, at closure, the longer-term impact of the recommendation.

To better assess both the implementation and impact of OIG recommendations, we concluded that validation testing is needed. Such testing, and disclosure of results of that testing, provides greater accountability and adds value to FHFA and the American taxpayers it serves. Because our Offices of Audits and Evaluations historically had not conducted extensive corrective action verification testing, we created the Office of Compliance and Special Projects. The primary operational role of that office is to examine closed recommendations to assess independently FHFA’s implementation of the corrective actions it represented to OIG that it intended to take, as well as the impact of those actions, and to publish reports of its validation testing in “compliance reviews.”

These compliance reviews enable our stakeholders to assess the impact of OIG’s recommendations, as well as the efficacy of the Agency’s implementation of those recommendations. Compliance reviews enhance OIG’s ability to stimulate positive change in critical areas and promote economy, efficiency, and effectiveness at FHFA. Any open recommendations contained in published compliance reviews are included in this compendium.
OPEN RECOMMENDATIONS

Conservatorship

Specific Risk to be Mitigated: Conflicts of Interest

Recommendation: FHFA should direct FHFA employees to monitor the review and resolution of Senior Executive Officer disclosures of potential, actual, or apparent conflicts of interest to ensure that revised Board committee charter(s) and management policies and procedures are being followed.
Expected Impact: Improved oversight
Report Name and Date: Corporate Governance: Review and Resolution of Conflicts of Interest Involving Fannie Mae’s Senior Executive Officers Highlight the Need for Closer Attention to Governance Issues by FHFA (EVL-2018-001, January 31, 2018)[4]

Recommendation: FHFA, as conservator, should determine the appropriate disciplinary action against the Chief Executive Officer for his non-disclosure and untimely disclosure of conflict of interest matters.
Expected Impact: Improved oversight
Report Name and Date: Corporate Governance: Fannie Mae Senior Executive Officers and Ethics Officials Again Failed to Follow Requirements for Disclosure and Resolution of Conflicts of Interest, Prompting the Need for FHFA Direction (EVL-2021-001, March 15, 2021)

[4] This recommendation is being held open pending the completion of a related 2021 FHFA planned supervisory activity in response to the second recommendation of EVL-2021-001, and OIG’s assessment of that supervisory activity.
Recommendation: FHFA, as conservator, should provide timely instruction to the Fannie Mae Board regarding Fannie Mae Office of Compliance and Ethics’ authority to interpret Chief Executive Officer mitigation plans where new facts are presented.
Expected Impact: Improved oversight
Report Name and Date: Corporate Governance: Fannie Mae Senior Executive Officers and Ethics Officials Again Failed to Follow Requirements for Disclosure and Resolution of Conflicts of Interest, Prompting the Need for FHFA Direction (EVL-2021-001, March 15, 2021)

Recommendation: In accordance with Recommendation 2, FHFA, as conservator, should direct the Fannie Mae Board and/or management to amend and clarify the appropriate conflict of interest governance documents to identify all instances in which Fannie Mae Office of Compliance and Ethics is required to submit conflict of interest matters involving the Chief Executive Officer to the Fannie Mae Board of Directors’ Nominating and Corporate Governance Committee for its resolution.
Expected Impact: Improved oversight
Report Name and Date: Corporate Governance: Fannie Mae Senior Executive Officers and Ethics Officials Again Failed to Follow Requirements for Disclosure and Resolution of Conflicts of Interest, Prompting the Need for FHFA Direction (EVL-2021-001, March 15, 2021)
Supervision

Specific Risk to be Mitigated: Examiner Capacity

Recommendation: FHFA should develop a process that links annual Enterprise examination plans with core team resource requirements.
Expected Impact: Improved supervision
Report Name and Date: Update on FHFA’s Efforts to Strengthen its Capacity to Examine the Enterprises (EVL-2014-002, December 19, 2013) and Despite Prior Commitments, FHFA Has Not Implemented a Systematic Workforce Planning Process to Determine Whether Enough Qualified Examiners are Available to Assess the Safety and Soundness of Fannie Mae and Freddie Mac (AUD-2020-004, February 25, 2020)
Recommendation: FHFA should establish a strategy to ensure that the necessary resources are in place to ensure timely and effective Enterprise examination oversight.
Expected Impact: Improved supervision
Report Name and Date: Update on FHFA’s Efforts to Strengthen its Capacity to Examine the Enterprises (EVL-2014-002, December 19, 2013) and Despite Prior Commitments, FHFA Has Not Implemented a Systematic Workforce Planning Process to Determine Whether Enough Qualified Examiners are Available to Assess the Safety and Soundness of Fannie Mae and Freddie Mac (AUD-2020-004, February 25, 2020)

Recommendation: FHFA should assess whether the Division of Enterprise Regulation (DER) has a sufficient complement of qualified examiners to conduct and complete those examinations rated by DER to be of high-priority within each supervisory cycle and address the resource constraints that have adversely affected DER’s ability to carry out its risk-based supervisory plans.
Expected Impact: Improved supervision
Report Name and Date: FHFA Failed to Complete Non-MRA Supervisory Activities Related to Cybersecurity Risks at Fannie Mae Planned for the 2016 Examination Cycle (AUD-2017-010, September 27, 2017)
Recommendation: FHFA should assess whether DER has a sufficient complement of qualified examiners to conduct and complete those examinations rated by DER to be of high-priority within each supervisory cycle and address the resource constraints that have adversely affected DER’s ability to carry out its risk-based supervisory plans.
Expected Impact: Improved supervision
Report Name and Date: FHFA’s Targeted Examinations of Freddie Mac: Just Over Half of the Targeted Examinations Planned for 2012 through 2015 Were Completed (AUD-2016-007, September 30, 2016); FHFA’s Targeted Examinations of Fannie Mae: Less than Half of the Targeted Examinations Planned for 2012 through 2015 Were Completed and No Examinations Planned for 2015 Were Completed Before the Report of Examination Issued (AUD-2016-006, September 30, 2016)
Recommendation: FHFA should direct DER to develop and implement a systematic workforce planning process within 12 months that aligns with Office of Personnel Management guidance and best practices and is fully documented in writing. That process should include:
  • Identifying the current examination skills and competencies of its examiners;
  • Forecasting the optimal staffing levels and competencies needed to meet its supervisory needs;
  • Evaluating whether a gap exists between skills that its workforce may currently need but does not possess; and
  • Addressing that gap.
Expected Impact: Improved supervision
Report Name and Date: Despite Prior Commitments, FHFA Has Not Implemented a Systematic Workforce Planning Process to Determine Whether Enough Qualified Examiners are Available to Assess the Safety and Soundness of Fannie Mae and Freddie Mac (AUD-2020-004, February 25, 2020)[5]

[5] FHFA represented that its Agency-wide “Organizational Optimization Blueprint” project would address the spirit of this recommendation. FHFA committed to providing OIG certain deliverables by October 30, 2020. Instead, those deliverables were provided on March 9, 2021. In its Annual Performance Plan for FY 2021, FHFA assigned the task of “an action plan to address improvement opportunities identified in FHFA’s optimization study to further the development of a world-class supervision program” to FHFA’s Chief Operating Officer, with a target due date of June 30, 2021.
Recommendation: FHFA should direct DER to develop and implement a systematic workforce planning process within 12 months that aligns with Office of Personnel Management guidance and best practices and is fully documented. That process should include:
  • Identifying the appropriate number of Enterprise high-risk models to be examined each year through targeted examinations;
  • Identifying the current examination skills and competencies of examiners engaged in supervisory activities of high-risk models;
  • Forecasting the optimal staffing levels and competencies of examiners necessary to complete the identified number of targeted examinations of high-risk models planned for each examination cycle;
  • Evaluating whether a gap exists between skills required to conduct supervision of high-risk models that its examiners currently need but do not possess; and
  • Addressing that gap.
Expected Impact: Improved supervision
Report Name and Date: Despite FHFA’s Recognition of Significant Risks Associated with Fannie Mae’s and Freddie Mac’s High-Risk Models, its Examination of Those Models Over a Six Year Period Has Been Neither Rigorous nor Timely (EVL-2020-001, March 25, 2020)[6]

Recommendation: Based on the results of its workforce analysis, FHFA should conduct a written assessment of whether DER’s current budget for its supervision of high-risk models is sufficient.
Expected Impact: Improved supervision
Report Name and Date: Despite FHFA’s Recognition of Significant Risks Associated with Fannie Mae’s and Freddie Mac’s High-Risk Models, its Examination of Those Models Over a Six Year Period Has Been Neither Rigorous nor Timely (EVL-2020-001, March 25, 2020)

[6] See prior footnote.
Specific Risk to be Mitigated: Accreditation of Examiners

Recommendation: FHFA should determine the causes of the shortfalls in the Housing Finance Examiner Commission Program that we have identified, and implement a strategy to ensure the program fulfills its central objective of producing commissioned examiners who are qualified to lead major risk sections of government-sponsored enterprise examinations.
Expected Impact: Improved quality
Report Name and Date: OIG’s Compliance Review of FHFA’s Implementation of Its Housing Finance Examiner Commission Program (COM-2015-001, July 29, 2015) and FHFA’s Housing Finance Examiner Commissioning Program: $7.7 Million and Four Years into the Program, the Agency has Fewer Commissioned Examiners (COM-2018-006, September 6, 2018)[7]

Specific Risk to be Mitigated: Risk Assessments

Recommendation: FHFA should reinforce, through training and supervision of DER personnel, the requirements established by FHFA, and reinforced by DER guidance, for the risk assessment and supervisory planning process. Specifically:
  a. Ensure that the annual supervisory strategy identifies significant risks and supervisory concerns and explains how the planned supervisory activities to be conducted during the examination cycle address the most significant risks in the operational risk assessment. (Applies to AUD-2017-010 and AUD-2017-011)
  b. Ensure that supervisory activities planned during an examination cycle to address the most significant risks in the operational risk assessment are completed within the examination cycle. (Applies to AUD-2017-010)
Expected Impact: Improved supervision
Report Name and Date: FHFA Failed to Complete Non-MRA Supervisory Activities Related to Cybersecurity Risks at Fannie Mae Planned for the 2016 Examination Cycle (AUD-2017-010, September 27, 2017); FHFA Did Not Complete All Planned Supervisory Activities Related to Cybersecurity Risks at Freddie Mac for the 2016 Examination Cycle (AUD-2017-011, September 27, 2017)

[7] OIG has twice determined that the Housing Finance Examiner Commission Program was not on track to produce commissioned examiners. This recommendation is open pending FHFA actions to assess and address the Program’s shortfalls, and OIG’s assessment of those corrective actions.
Recommendation: Going forward, FHFA should ensure a risk assessment for Common Securitization Solutions, LLC is prepared and approved annually in accordance with DER requirements.
Expected Impact: Improved supervision
Report Name and Date: FHFA’s Failure to Include the Financial Crimes and Model Components in its CSS Risk Assessment Is Inconsistent with a Risk-Based Approach to Supervision (AUD-2021-005, March 23, 2021)

Recommendation: FHFA should include all required components, including the Financial Crimes and Model components, when preparing the annual risk assessment for Common Securitization Solutions, LLC.
Expected Impact: Improved supervision
Report Name and Date: FHFA’s Failure to Include the Financial Crimes and Model Components in its CSS Risk Assessment Is Inconsistent with a Risk-Based Approach to Supervision (AUD-2021-005, March 23, 2021)

Specific Risk to be Mitigated: Assessing Remediation of Deficiencies

Recommendation: FHFA should ensure that Freddie Mac takes, or has taken, remedial action to address the deficiency underlying the matter requiring attention (MRA) regarding the need to implement a process to verify and monitor [certain matters].
Expected Impact: Improved remediation of deficiencies
Report Name and Date: FHFA Failed to Ensure Freddie Mac’s Remedial Plans for a Cybersecurity MRA Addressed All Deficiencies; as Allowed by its Standard, FHFA Closed the MRA after Independently Determining the Enterprise Completed its Planned Remedial Actions (AUD-2018-008, March 28, 2018)[8]

[8] This recommendation is being held open pending OIG’s assessment of a supervisory activity that FHFA completed during the 2020 examination cycle related to the underlying deficiency of the MRA discussed in this report.
Recommendation: FHFA should require DER, upon acceptance of an Enterprise’s remediation plan, to estimate the date by which it expects to confirm internal audit’s validation, and to enter that date into a dedicated field in the MRA tracking system. [Closed in September 2017; reopened upon results of compliance testing.]
Expected Impact: Improved remediation of deficiencies
Report Name and Date: FHFA’s Inconsistent Practices in Assessing Enterprise Remediation of Serious Deficiencies and Weaknesses in its Tracking Systems Limit the Effectiveness of FHFA’s Supervision of the Enterprises (EVL-2016-007, July 14, 2016) and Compliance Review of the Timeliness of FHFA’s Assessments of the Enterprises’ Remediation Closure Packages for a Matter Requiring Attention (COM-2020-001, February 21, 2020)

Specific Risk to be Mitigated: Supervisory Oversight

Recommendation: FHFA should determine the appropriate threshold or criteria for charging off delinquent single-family loans at the Enterprises and communicate that threshold or criteria through revised or new Agency guidance.
Expected Impact: Improved supervision
Report Name and Date: More than Eight Years After Issuing its Advisory Bulletin, FHFA Has Not Held the Enterprises to its Expectations on Charging off Delinquent Loans or Communicated New Expectations (EVL-2020-003, September 10, 2020)
Recommendation: FHFA should assess the Enterprises’ implementation of the revised or new Agency guidance to ensure that the Enterprises’ practices comport with FHFA’s supervisory expectations.
Expected Impact: Improved supervision
Report Name and Date: More than Eight Years After Issuing its Advisory Bulletin, FHFA Has Not Held the Enterprises to its Expectations on Charging off Delinquent Loans or Communicated New Expectations (EVL-2020-003, September 10, 2020)

Recommendation: FHFA should ensure that the Office of Housing and Regulatory Policy (a) develops and issues written guidance to the Enterprises on the data elements to be reported regularly for FHFA’s monitoring of the 97% LTV mortgage programs and (b) establishes quality control procedures to ensure that information reported by the Enterprises is reliable and conforms to the requirements of the written guidance.
Expected Impact: Improved supervision
Report Name and Date: Weaknesses in FHFA’s Monitoring of the Enterprises’ 97% LTV Mortgage Programs May Hinder FHFA’s Ability to Timely Identify, Analyze, and Respond to Risks Related to Achieving the Programs’ Objectives (AUD-2020-014, September 29, 2020)

Recommendation: FHFA should clarify and reinforce the Office of Housing and Regulatory Policy’s guidance regarding the frequency of 97% LTV mortgage program monitoring dashboard preparation to Office of Housing and Regulatory Policy staff and ensure that the monitoring dashboards are prepared and reviewed in accordance with that guidance.
Expected Impact: Improved supervision
Report Name and Date: Weaknesses in FHFA’s Monitoring of the Enterprises’ 97% LTV Mortgage Programs May Hinder FHFA’s Ability to Timely Identify, Analyze, and Respond to Risks Related to Achieving the Programs’ Objectives (AUD-2020-014, September 29, 2020)
Specific Risk to be Mitigated: Examiner Assessment and Escalation of Shortcomings

Recommendation: FHFA should assess whether Fannie Mae’s remediation of its [redacted] is sufficient.
Expected Impact: Improved supervisory oversight
Report Name and Date: FHFA Examiners’ Lack of Assessment and Escalation of Shortcomings Identified by an Enterprise in its Servicer Fraud Risk Management Framework Limited the Agency’s Supervisory Oversight (EVL-2020-002, August 27, 2020)

Specific Risk to be Mitigated: Examination Guidance

Recommendation: FHFA should reinforce the requirement to examiners in charge and examination managers that changes to an examination plan must be risk-based – changes in Enterprise business operations or risk exposures – and that resource constraints are not accepted reasons for such changes.
Expected Impact: Improved supervision
Report Name and Date: FHFA Completed Most of its Planned Ongoing Monitoring Activities for Fannie Mae and CSS for 2019; However, FHFA Failed to Follow its Requirements When it Changed Examination Plans for Non-Risk-Based Reasons and Failed to Obtain Deputy Director Approval (AUD-2020-011, September 9, 2020)
Recommendation: FHFA should reinforce the requirement that any revisions to an examination plan must be approved in writing by the Deputy Director.
Expected Impact: Improved supervision
Report Name and Date: FHFA Completed Most of its Planned Ongoing Monitoring Activities for Fannie Mae and CSS for 2019; However, FHFA Failed to Follow its Requirements When it Changed Examination Plans for Non-Risk-Based Reasons and Failed to Obtain Deputy Director Approval (AUD-2020-011, September 9, 2020)

Recommendation: FHFA should define the term “supervisory concern” as it is used in FHFA’s corporate governance regulation.
Expected Impact: Improved supervision
Report Name and Date: FHFA’s Failure to Define and Clearly Communicate “Supervisory Concerns” Hinders the Enterprise Boards’ Ability to Execute Their Oversight Obligations Under FHFA’s Corporate Governance Regulation and Renders the Regulation Ineffective as a Supervisory Tool (EVL-2021-003, March 30, 2021)
Recommendation: FHFA should develop examination guidance that explains how supervisory concerns should be described and categorized in the Reports of Examination, establishes DER’s expectations for timely and appropriate remediation for each such concerns, and prescribes how such concerns should be monitored until they are fully remediated.
Expected Impact: Improved supervision
Report Name and Date: FHFA’s Failure to Define and Clearly Communicate “Supervisory Concerns” Hinders the Enterprise Boards’ Ability to Execute Their Oversight Obligations Under FHFA’s Corporate Governance Regulation and Renders the Regulation Ineffective as a Supervisory Tool (EVL-2021-003, March 30, 2021)

Specific Risk to be Mitigated: Examination Workpapers

Recommendation: FHFA should revise the Division of Federal Home Loan Bank Regulation’s quality control procedures to specifically require that all examination workpapers supporting examination findings, conclusions, and ratings directly prepared by the examiner-in-charge be reviewed by an individual who did not participate in the examination. [Closed in October 2019; reopened upon results of compliance testing.]
Expected Impact: Improved quality control
Report Name and Date: FHFA Conducted BSA/AML Program Examinations of 10 of 11 Federal Home Loan Banks During 2016-2018 in Accordance with its Guidelines, But Failed to Support a Conclusion in the Report of Examination for the Other Bank (AUD-2019-008, July 10, 2019) and Compliance Review of DBR’s Quality Control for Examination Work Performed by Examiners-in-Charge (COM-2021-007, August 25, 2021)
Specific Risk to be Mitigated: Quality Control Reviews

Recommendation: FHFA’s Office of Minority and Women Inclusion should ensure that quality control reviews are performed before issuing diversity and inclusion examination findings to a regulated entity, as required by Supervision Directive 2017-01.
Expected Impact: Improved quality
Report Name and Date: Compliance Review of FHFA’s Office of Minority and Women Inclusion (COM-2019-005, June 24, 2019)

Counterparties and Third Parties

Recommendation: FHFA should ensure that DER uses its full range of available examination activities, including targeted examinations and when appropriate, enhanced risk monitoring, to provide comprehensive assessments of known areas of high risk, like Fannie Mae’s reliance on third-party vendors.
Expected Impact: Improved supervision
Report Name and Date: Despite FHFA’s Acknowledgement that Enterprise Reliance on Third-Parties Represents a Significant Operational Risk, No Targeted Examinations of Fannie Mae’s Third-Party Risk Management Program Were Completed Over a Seven-Year Period (AUD-2021-007, March 29, 2021)

Information Technology

Specific Risk to be Mitigated: Information Technology Risk Examinations

Recommendation: FHFA should comply with Financial Stability Oversight Council recommendations to address the gaps, as prioritized, to reflect and incorporate appropriate elements of the National Institute of Standards and Technology Framework.
Expected Impact: Improved risk management
Report Name and Date: FHFA Should Map Its Supervisory Standards for Cyber Risk Management to Appropriate Elements of the NIST Framework (EVL-2016-003, March 28, 2016)[9]

[9] OIG is reviewing additional documentation provided by FHFA during this reporting period to assess whether the Agency has adequately addressed this recommendation.
Recommendation: FHFA should comply with Financial Stability Oversight Council recommendations to revise existing regulatory guidance to reflect and incorporate appropriate elements of the National Institute of Standards and Technology framework in a manner that achieves consistency with other federal financial regulators.
Expected Impact: Improved risk management
Report Name and Date: FHFA Should Map Its Supervisory Standards for Cyber Risk Management to Appropriate Elements of the NIST Framework (EVL-2016-003, March 28, 2016)[10]

Specific Risk to be Mitigated: Privacy Information and Data Protection

Recommendation: FHFA should determine privacy controls that are information system-specific, and/or hybrid controls.
Expected Impact: Improved protection of privacy information
Report Name and Date: Audit of the Federal Housing Finance Agency’s 2019 Privacy Program (AUD-2019-009, August 28, 2019)

Recommendation: FHFA should document privacy controls within each system’s system security plan or system-specific privacy plan, clearly identifying whether controls are program level, common, information system-specific, or hybrid.
Expected Impact: Improved protection of privacy information
Report Name and Date: Audit of the Federal Housing Finance Agency’s 2019 Privacy Program (AUD-2019-009, August 28, 2019)

Recommendation: FHFA should update the privacy impact assessments using the privacy impact assessments template for Affordable Housing Project, Federal Human Resources Navigator, and Suspended Counterparty System.
Expected Impact: Improved protection of privacy information
Report Name and Date: Audit of the Federal Housing Finance Agency’s 2021 Privacy Program (AUD-2021-011, August 11, 2021)

Recommendation: FHFA should ensure privacy impact assessments are conducted timely using the privacy impact assessments template in accordance with the FHFA Privacy Program Plan (i.e., before a new system is developed, after a significant change to a system, or within three years of the privacy impact assessments).
Expected Impact: Improved protection of privacy information
Report Name and Date: Audit of the Federal Housing Finance Agency’s 2021 Privacy Program (AUD-2021-011, August 11, 2021)

[10] See prior footnote.
Recommendation: FHFA should update the Privacy Continuous Monitoring Strategy to ensure that it reflects the FHFA’s current privacy control assessment process in accordance with Office of Management and Budget Circular A-130.
Expected Impact: Improved protection of privacy information
Report Name and Date: Audit of the Federal Housing Finance Agency’s 2021 Privacy Program (AUD-2021-011, August 11, 2021)

Recommendation: FHFA should develop and implement Privacy Control Assessment plans, that include all required elements.
Expected Impact: Improved protection of privacy information
Report Name and Date: Audit of the Federal Housing Finance Agency’s 2021 Privacy Program (AUD-2021-011, August 11, 2021)

Recommendation: FHFA should ensure Privacy Control Assessments are performed for all systems that collect PII.
Expected Impact: Improved protection of privacy information
Report Name and Date: Audit of the Federal Housing Finance Agency’s 2021 Privacy Program (AUD-2021-011, August 11, 2021)

Specific Risk to be Mitigated: FHFA Information Technology Security and Availability

Recommendation: Because information in this report could be used to circumvent FHFA’s internal controls, it has not been released publicly.
Expected Impact: Improved information security
Report Name and Date: Audit of the Federal Housing Finance Agency’s Information Security Program Fiscal Year 2019 (AUD-2020-001, October 25, 2019)

Recommendation: Because information in this report could be used to circumvent FHFA’s internal controls, it has not been released publicly.
Expected Impact: Improved information security
Report Name and Date: Audit of the Federal Housing Finance Agency’s Information Security Program Fiscal Year 2020 (AUD-2021-001, October 20, 2020)

Recommendation: Because information in this report could be used to circumvent FHFA’s internal controls, it has not been released publicly.
Expected Impact: Improved information security
Report Name and Date: Audit of the Federal Housing Finance Agency’s Information Security Program Fiscal Year 2020 (AUD-2021-001, October 20, 2020)
Recommendation: Because information in this report could be used to circumvent FHFA’s internal controls, it has not been released publicly.
Expected Impact: Improved information security
Report Name and Date: Audit of the Federal Housing Finance Agency’s Information Security Program Fiscal Year 2020 (AUD-2021-001, October 20, 2020)

Recommendation: Because information in this report could be used to circumvent FHFA’s internal controls, it has not been released publicly.
Expected Impact: Improved information security
Report Name and Date: Audit of the Federal Housing Finance Agency’s Information Security Program Fiscal Year 2020 (AUD-2021-001, October 20, 2020)

Recommendation: Because information in this report could be used to circumvent FHFA’s internal controls, it has not been released publicly.
Expected Impact: Improved information security
Report Name and Date: Audit of the Federal Housing Finance Agency’s Information Security Program Fiscal Year 2020 (AUD-2021-001, October 20, 2020)

Recommendation: Because information in this report could be used to circumvent FHFA’s internal controls, it has not been released publicly.
Expected Impact: Improved information security
Report Name and Date: Audit of the Federal Housing Finance Agency’s Information Security Program Fiscal Year 2020 (AUD-2021-001, October 20, 2020)

Recommendation: Because information in this report could be used to circumvent FHFA’s internal controls, it has not been released publicly.
Expected Impact: Improved information security
Report Name and Date: Audit of the Federal Housing Finance Agency’s Information Security Program Fiscal Year 2020 (AUD-2021-001, October 20, 2020)
Recommendation: FHFA should ensure that outdated [redacted] and [redacted] protocols in FHFA’s systems are disabled or upgraded in a timely manner in accordance with National Institute of Standards and Technology directives.
Expected Impact: Improved information security
Report Name and Date: 2019 Internal Penetration Test of FHFA’s Network and Systems (AUD-2019-014, September 24, 2019)

Recommendation: FHFA should modify existing cloud-based General Support System Tool contracts to include the required IT security provisions and ensure future cloud-based General Support System Tool contracts include all required provisions.
Expected Impact: Improved information security
Report Name and Date: FHFA Failed to Follow its Cloud-Based Computing Requirements when it Did Not Validate the Implementation of Minimum Security Requirements for Cloud-Based Tools and Did Not Include Required IT Security Provisions in Some of its Cloud Service Contracts (AUD-2020-013, September 17, 2020)

Recommendation: FHFA should implement multifactor authentication for [redacted] for Employment Matters Tracking System database servers.
Expected Impact: Improved information security
Report Name and Date: Audit of an FHFA Sensitive Employment-Related Case Tracking System: FHFA Followed its Access Control Standard, But its System Is Adversely Impacted by Two Security Control Weaknesses (AUD-2021-006, March 29, 2021)
Recommendation: FHFA should send Employment Matters Tracking System [redacted] for correlation and analysis.
Expected Impact: Improved information security
Report Name and Date: Audit of an FHFA Sensitive Employment-Related Case Tracking System: FHFA Followed its Access Control Standard, But its System Is Adversely Impacted by Two Security Control Weaknesses (AUD-2021-006, March 29, 2021)

Agency Operations

Specific Risk to be Mitigated: Oversight of FHFA Workforce Matters
Recommendation: FHFA should develop written procedures for carrying out the functions of the Office of the Ombudsman, to include procedures for documenting that all incoming complaints and appeals are tracked, considered, and appropriately resolved. In developing these procedures, the guidance published by the Coalition of Federal Ombudsmen should be taken into consideration.
Expected Impact: Improved management of a statutory function
Report Name and Date: FHFA Should Name an Ombudsman and Document the Office of the Ombudsman’s Procedures (AUD-2019-011, September 16, 2019)

Specific Risk to be Mitigated: Management of Agency Records
Recommendation: FHFA should include all National Archives and Records Administration-required content topics in annual records management training provided to FHFA employees and contractor employees.
Expected Impact: Improved records management
Report Name and Date: FHFA Needs to Strengthen Controls Over its Records Management Program to Comply with OMB and NARA Requirements (AUD-2020-008, March 26, 2020)
Specific Risk to be Mitigated: Enterprise Risk Management
Recommendation: Going forward, FHFA should ensure Annual Risk Profiles include all significant risk response action items designed to reduce identified risks, such as FHFA’s organizational optimization Blueprint project, along with identifying the owners of those risk response action items and target completion dates.
Expected Impact: Improved risk management
Report Name and Date: FHFA Followed OMB Guidance in Implementing its Enterprise Risk Management Program But its 2020 Risk Profile Failed to Identify a Significant Action Underway to Address Acknowledged Supervision Risk (AUD-2021-004, March 17, 2021)

Recommendation: FHFA should develop written policies and procedures for its Enterprise Risk Management program.
Expected Impact: Improved risk management
Report Name and Date: FHFA Followed OMB Guidance in Implementing its Enterprise Risk Management Program But its 2020 Risk Profile Failed to Identify a Significant Action Underway to Address Acknowledged Supervision Risk (AUD-2021-004, March 17, 2021)
Specific Risk to be Mitigated: Policies for Monetary Awards, Recruitment Bonuses, and Retention Allowances
Recommendation: FHFA should reinforce FHFA’s program policies and procedures through a reminder to FHFA supervisors and senior officials involved in initiating, reviewing, and approving monetary awards, recruitment bonuses, and retention allowances to:
• Obtain the requisite concurrence from the supervisors of record and second-level supervisors, when applicable, for monetary awards,
• Ensure documentation supporting recruitment bonuses for non-executive, mission-critical positions cite how the positions were recruitment challenges, and
• Ensure documentation supporting retention allowances cite that non-executive employees were offered non-FHFA employment or applied for retirement.
Expected Impact: Improved internal controls
Report Name and Date: FHFA Did Not Always Follow its Policies for Monetary Awards, Recruitment Bonuses, and Retention Allowances during Fiscal Years 2019 and 2020; FHFA’s Excellence Awards Were Not Included in Agency Policy (AUD-2021-008, June 17, 2021)

Recommendation: FHFA should ensure that the Excellence Awards program is included in the planned revision to the FHFA Awards Policy before such awards are made again.
Expected Impact: Improved internal controls
Report Name and Date: FHFA Did Not Always Follow its Policies for Monetary Awards, Recruitment Bonuses, and Retention Allowances during Fiscal Years 2019 and 2020; FHFA’s Excellence Awards Were Not Included in Agency Policy (AUD-2021-008, June 17, 2021)
Specific Risk to be Mitigated: Data Quality
Recommendation: FHFA should complete in an expedited manner, its evaluation and development activities related to FHFA Information Quality Guidelines in response to M-19-15, the Office of Management and Budget’s Memorandum on Improving Implementation of the Information Quality Act, and update the Guidelines, as deemed necessary.
Expected Impact: Improved data quality
Report Name and Date: FHFA Lacked Documentation of its Validation of Data Used to Produce the Third Quarter 2020 Seasonally Adjusted, Expanded-Data FHFA HPI and Failed to Timely Review its Information Quality Guidelines (AUD-2021-010, July 22, 2021)
CLOSED UNIMPLEMENTED RECOMMENDATIONS

The Inspector General Act of 1978 does not authorize any federal inspector general to compel its respective agency to adopt new policies or processes or take personnel actions to correct shortcomings found in their audits, evaluations, and investigations. Rather, the Act empowers inspectors general to recommend remedial actions to correct such shortcomings, and the affected agency determines whether or not to accept the recommendations.

We believe it is important to be transparent and distinguish between recommendations that have been closed in light of appropriate movement toward implementation and recommendations that have been closed in light of FHFA’s refusal to take any action. For those recommendations closed due to rejection by FHFA, we continue to stand by our findings and believe that the Agency should have undertaken the recommended actions.

The recommendations listed below represent those that have been closed following FHFA’s rejection and were not implemented.

Closed Unimplemented Recommendations

Conservatorship

Specific Risk to be Mitigated: Oversight of Enterprise Executive Compensation
Recommendation: FHFA should develop a strategy to enhance the Executive Compensation Branch’s capacity to review the reasonableness and justification of the Enterprises’ annual proposals to compensate their executives based on Corporate Scorecard performance. To this end, FHFA should ensure that: the Enterprises submit proposals containing information sufficient to facilitate a comprehensive review by the Executive Compensation Branch; the Executive Compensation Branch tests and verifies the information in the Enterprises’ proposals, perhaps on a randomized basis; and the Executive Compensation Branch follows up with the Enterprises to resolve any proposals that do not appear to be reasonable and justified.
Expected Impact: Improved oversight
Report Name and Date: Compliance Review of FHFA’s Oversight of Enterprise Executive Compensation Based on Corporate Scorecard Performance (COM-2016-002, March 17, 2016)
Recommendation: FHFA should develop a policy under which it is required to notify OIG within 10 days of its decision not to fully implement, substantially alter, or abandon a corrective action that served as the basis for OIG’s decision to close a recommendation.
Expected Impact: Improved oversight
Report Name and Date: Compliance Review of FHFA’s Oversight of Enterprise Executive Compensation Based on Corporate Scorecard Performance (COM-2016-002, March 17, 2016)

Recommendation: FHFA should re-assess the appropriateness of the annual compensation package of $3.6 million to the Fannie Mae President with consideration paid to the following factors: the congressional intent behind the statutory cap on compensation; Fannie Mae’s continued conservatorship status and the burdens imposed on the taxpayers from that status; and the 10-year practice at Fannie Mae where one individual executed the responsibilities of both the Chief Executive Officer and President positions, with annual compensation capped at $600,000 since 2015.
Expected Impact: Improved governance
Report Name and Date: FHFA’s Approval of Senior Executive Succession Planning at Fannie Mae Acted to Circumvent the Congressionally Mandated Cap on CEO Compensation (EVL-2019-001, March 26, 2019)
Recommendation: FHFA should re-assess the appropriateness of the annual compensation package of $3.25 million to the Freddie Mac President with consideration paid to the following factors: the congressional intent behind the statutory cap on compensation; Freddie Mac’s continued conservatorship status and the burdens imposed on the taxpayers from that status; the 10-year practice at Freddie Mac where one individual executed the Chief Executive Officer responsibilities with annual compensation capped at $600,000 since 2015; and the temporary nature of the position of President, in light of FHFA’s representation that Candidate A will leave Freddie Mac if he is not selected for the Chief Executive Officer position.
Expected Impact: Improved governance
Report Name and Date: FHFA’s Approval of Senior Executive Succession Planning at Freddie Mac Acted to Circumvent the Congressionally Mandated Cap on CEO Compensation (EVL-2019-002, March 26, 2019)
Specific Risk to be Mitigated: Oversight of Servicing Alignment Initiative
Recommendation: FHFA’s Division of Housing Mission and Goals Deputy Director should establish an ongoing process to evaluate servicers’ Servicing Alignment Initiative compliance and the effectiveness of the Enterprises’ remediation efforts.
Expected Impact: Improved servicing compliance and minimized losses
Report Name and Date: FHFA’s Oversight of the Servicing Alignment Initiative (EVL-2014-003, February 12, 2014)

Recommendation: FHFA’s Division of Housing Mission and Goals Deputy Director should direct the Enterprises to provide routinely their internal reports and reviews for the Division of Housing Mission and Goals’ assessment.
Expected Impact: Improved servicing compliance and minimized losses
Report Name and Date: FHFA’s Oversight of the Servicing Alignment Initiative (EVL-2014-003, February 12, 2014)

Recommendation: FHFA’s Division of Housing Mission and Goals Deputy Director should regularly review Servicing Alignment Initiative-related guidelines for enhancements or revisions, as necessary, based on servicers’ actual versus expected performance.
Expected Impact: Improved servicing compliance and minimized losses
Report Name and Date: FHFA’s Oversight of the Servicing Alignment Initiative (EVL-2014-003, February 12, 2014)

Specific Risk to be Mitigated: Oversight of Fannie Mae Headquarters Consolidation and Relocation
Recommendation: FHFA should ensure that it has adequate internal staff, outside contractors, or both, who have the professional expertise and experience in commercial construction to oversee the build-out plans and associated budget(s), as Fannie Mae continues to revise and refine them.
Expected Impact: Improved oversight
Report Name and Date: Management Alert: Need for Increased Oversight by FHFA, as Conservator of Fannie Mae, of the Projected Costs Associated with Fannie Mae’s Headquarters Consolidation and Relocation Project (COM-2016-004, June 16, 2016)

Recommendation: FHFA should direct Fannie Mae to provide regular updates and formal budgetary reports to the Division of Conservatorship (now known as the Division of Resolutions) for its review and for FHFA approval through the design and construction of Fannie Mae’s leased space in Midtown Center.
Expected Impact: Improved oversight
Report Name and Date: Management Alert: Need for Increased Oversight by FHFA, as Conservator of Fannie Mae, of the Projected Costs Associated with Fannie Mae’s Headquarters Consolidation and Relocation Project (COM-2016-004, June 16, 2016)
Specific Risk to be Mitigated: Oversight of Fannie Mae Northern Virginia Consolidation and Relocation
Recommendation: To reduce the waste from Option C (the option Fannie Mae selected for its future operations in Northern Virginia), FHFA, consistent with its duties as conservator, should cause Fannie Mae to calculate the net present value for a Status Quo Option, and calculate the costs associated with terminating the lease with Boston Properties.
Expected Impact: Reduced waste
Report Name and Date: Consolidation and Relocation of Fannie Mae’s Northern Virginia Workforce (OIG-2018-004, September 6, 2018)

Recommendation: To reduce the waste from Option C, FHFA, consistent with its duties as conservator, should direct Fannie Mae to terminate the lease, cancel the sale of the three owned buildings, and implement the Status Quo Option, should the net present value for a Status Quo Option and the termination costs be lower than the adjusted net present value for Option C.
Expected Impact: Reduced waste
Report Name and Date: Consolidation and Relocation of Fannie Mae’s Northern Virginia Workforce (OIG-2018-004, September 6, 2018)

Specific Risk to be Mitigated: Conflicts of Interest
Recommendation: Take appropriate action to address conflicts of interest issue involving an entity within FHFA’s oversight authority. Public release by OIG of certain information in the Management Alert and accompanying expert report is prohibited by the Privacy Act of 1974 (Pub.L. 93–579, 88 Stat. 1896, enacted December 31, 1974, 5 U.S.C. § 552a).
Expected Impact: Improved oversight
Report Name and Date: Administrative Investigation into Anonymous Hotline Complaints Concerning Timeliness and Completeness of Disclosures Regarding a Potential Conflict of Interest by a Senior Executive Officer of an Enterprise (OIG-2017-004, March 23, 2017)
Recommendation: Take appropriate action to address conflicts of interest issue involving an entity within FHFA’s oversight authority. Public release by OIG of certain information in the Management Alert and accompanying expert report is prohibited by the Privacy Act of 1974 (Pub.L. 93–579, 88 Stat. 1896, enacted December 31, 1974, 5 U.S.C. § 552a).
Expected Impact: Improved oversight
Report Name and Date: Administrative Investigation into Anonymous Hotline Complaints Concerning Timeliness and Completeness of Disclosures Regarding a Potential Conflict of Interest by a Senior Executive Officer of an Enterprise (OIG-2017-004, March 23, 2017)

Supervision

Specific Risk to be Mitigated: Examination Recordkeeping Practices
Recommendation: DER should adopt a comprehensive examination workpaper index and standardize electronic workpaper folder structures and naming conventions between the two Core Teams. In addition, FHFA and DER should upgrade recordkeeping practices as necessary to enhance the identification and retrieval of critical workpapers.
Expected Impact: Improved efficiency
Report Name and Date: Evaluation of the Division of Enterprise Regulation’s 2013 Examination Records: Successes and Opportunities (EVL-2015-001, October 6, 2014)

Specific Risk to be Mitigated: Examination Guidance
Recommendation: FHFA should establish and communicate clear expectations for use of revised and new examination modules by DER examiners.
Expected Impact: Improved supervision
Report Name and Date: Five Years After Issuance, Many Examination Modules Remain in Field Test; FHFA Should Establish Timelines and Processes to Ensure Timely Revision of Examiner Guidance (EVL-2019-003, September 10, 2019)
Specific Risk to be Mitigated: Oversight of Enterprise Remediation of Deficiencies
Recommendation: FHFA should review FHFA’s existing requirements, guidance, and processes regarding MRAs against the requirements, guidance, and processes adopted by the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and other federal financial regulators including, but not limited to, content of an MRA; standards for proposed remediation plans; approval authority for proposed remediation plans; real-time assessments at regular intervals of the effectiveness and timeliness of an Enterprise’s MRA remediation efforts; final assessment of the effectiveness and timeliness of an Enterprise’s MRA remediation efforts; and required documentation for examiner oversight of MRA remediation.
Expected Impact: Improved remediation of deficiencies
Report Name and Date: FHFA’s Examiners Did Not Meet Requirements and Guidance for Oversight of an Enterprise’s Remediation of Serious Deficiencies (EVL-2016-004, March 29, 2016)

Recommendation: Based on the results of the review in recommendation 1, FHFA should assess whether any of the existing requirements, guidance, and processes adopted by FHFA should be enhanced, and make such enhancements.
Expected Impact: Improved remediation of deficiencies
Report Name and Date: FHFA’s Examiners Did Not Meet Requirements and Guidance for Oversight of an Enterprise’s Remediation of Serious Deficiencies (EVL-2016-004, March 29, 2016)

Specific Risk to be Mitigated: Communication of Deficiencies to Enterprise Boards
Recommendation: FHFA should revise its supervision guidance to require DER to provide the Chair of the Audit Committee of an Enterprise Board with each plan submitted by Enterprise management to remediate an MRA with associated timetables and the response by DER.
Expected Impact: Improved Board oversight
Report Name and Date: FHFA’s Supervisory Standards for Communication of Serious Deficiencies to Enterprise Boards and for Board Oversight of Management’s Remediation Efforts are Inadequate (EVL-2016-005, March 31, 2016)
Recommendation: FHFA should revise its supervision guidance to require DER to provide the Chair of the Audit Committee of an Enterprise Board with each conclusion letter setting forth an MRA.
Expected Impact: Improved supervision
Report Name and Date: FHFA’s Supervisory Standards for Communication of Serious Deficiencies to Enterprise Boards and for Board Oversight of Management’s Remediation Efforts are Inadequate (EVL-2016-005, March 31, 2016)

Recommendation: FHFA should direct DER to develop detailed guidance and promulgate that guidance to each Enterprise’s board of directors that explains:
• The purpose for DER’s annual presentation to each Enterprise board of directors on the ROE results, conclusions, and supervisory concerns and the opportunity for directors to ask questions and discuss ROE examination conclusions and supervisory concerns at that presentation; and
• The requirement that each Enterprise board of directors submit a written response to the annual ROE to DER and the expected level of detail regarding ongoing and contemplated remediation in that written response.
Expected Impact: Improved Board oversight
Report Name and Date: FHFA Failed to Consistently Deliver Timely Reports of Examination to the Enterprise Boards and Obtain Written Responses from the Boards Regarding Remediation of Supervisory Concerns Identified in those Reports (EVL-2016-009, July 14, 2016)
Recommendation: FHFA should direct the Enterprises’ boards to amend their charters to require review by each director of each annual ROE and review and approval of the written response to DER in response to each annual ROE.
Expected Impact: Improved Board oversight
Report Name and Date: FHFA Failed to Consistently Deliver Timely Reports of Examination to the Enterprise Boards and Obtain Written Responses from the Boards Regarding Remediation of Supervisory Concerns Identified in those Reports (EVL-2016-009, July 14, 2016)

Specific Risk to be Mitigated: Assessing Remediation of Deficiencies
Recommendation: FHFA should ensure that the underlying remediation documents, including the Procedures Document, are readily available by direct link or other means, through DER’s MRA tracking system(s).
Expected Impact: Improved remediation of deficiencies
Report Name and Date: FHFA’s Inconsistent Practices in Assessing Enterprise Remediation of Serious Deficiencies and Weaknesses in its Tracking Systems Limit the Effectiveness of FHFA’s Supervision of the Enterprises (EVL-2016-007, July 14, 2016)

Recommendation: FHFA should require DER to track interim milestones and to independently assess and document the timeliness and adequacy of Enterprise remediation of MRAs on a regular basis.
Expected Impact: Improved remediation of deficiencies
Report Name and Date: FHFA’s Inconsistent Practices in Assessing Enterprise Remediation of Serious Deficiencies and Weaknesses in its Tracking Systems Limit the Effectiveness of FHFA’s Supervision of the Enterprises (EVL-2016-007, July 14, 2016)
Recommendation: FHFA should require the Enterprises to provide, in their remediation plans, the target date in which their internal audit departments expect to validate management’s remediation of MRAs, and require examiners to enter that date into a dedicated field in the MRA tracking system.
Expected Impact: Improved remediation of deficiencies
Report Name and Date: FHFA’s Inconsistent Practices in Assessing Enterprise Remediation of Serious Deficiencies and Weaknesses in its Tracking Systems Limit the Effectiveness of FHFA’s Supervision of the Enterprises (EVL-2016-007, July 14, 2016)

Recommendation: FHFA should periodically conclude, based upon sufficient examination work, on the overall effectiveness of the Internal Audit functions at Fannie Mae and Freddie Mac.
Expected Impact: Improved remediation of deficiencies
Report Name and Date: FHFA Requires the Enterprises’ Internal Audit Functions to Validate Remediation of Serious Deficiencies but Provides No Guidance and Imposes No Preconditions on Examiners’ Use of that Validation Work (EVL-2018-002, March 28, 2018)