Compendium of Open Recommendations - Federal Housing Finance Agency Office of Inspector General

 
CONTINUE READING
Federal Housing Finance Agency
      Office of Inspector General

   Compendium of
Open Recommendations

       September 1, 2021
TABLE OF CONTENTS ................................................................

ABBREVIATIONS ........................................................................................................................ 3
INTRODUCTION .......................................................................................................................... 4
     Tracking of OIG Recommendations ......................................................................................... 4
     Validation Testing ..................................................................................................................... 5
OPEN RECOMMENDATIONS .................................................................................................... 6
CLOSED UNIMPLEMENTED RECOMMENDATIONS .......................................................... 29

                                                     OIG • September 1, 2021                                                                 2
ABBREVIATIONS .......................................................................

DER                Division of Enterprise Regulation

Enterprises        Fannie Mae and Freddie Mac

FHFA               Federal Housing Finance Agency

MRA                Matter Requiring Attention

OIG                Federal Housing Finance Agency Office of Inspector General

PII                Personally Identifiable Information

ROE                Report of Examination

                                OIG • September 1, 2021                             3
INTRODUCTION ........................................................................

Since the Federal Housing Finance Agency (FHFA) Office of Inspector General (OIG) began
operations in October 2010, we have made more than 525 recommendations1 to improve
efficiency and effectiveness and reduce fraud, waste, and abuse at FHFA and at the
government-sponsored enterprises for which the Agency acts as conservator and regulator,
Fannie Mae and Freddie Mac (the Enterprises), and at the Federal Home Loan Banks for
which the Agency acts as regulator. As required under the Inspector General Act of 1978, as
amended, we provide information on open and closed recommendations in each semiannual
report to the Congress.2

To maintain the focus on opportunities for improvement that our recommendations identify,
OIG publishes on its website a monthly report setting forth all open recommendations from
our audits, evaluations, and other studies.3 For additional information on any
recommendation, please click on the hyperlinked report number to access its underlying
report. This compendium is comprehensive as of September 1, 2021.

Because FHFA serves a unique role as both conservator and regulator of the Enterprises,
OIG’s responsibilities necessarily include oversight of FHFA’s actions in both of these roles,
in order to determine whether the Agency is fulfilling its statutory duties and responsibilities
and safeguarding the taxpayers’ resources. Our oversight role also reaches the Enterprises—
recipients of $191.5 billion in taxpayer monies—to ensure that they are satisfying their
obligations under the authority delegated to them in the conservatorships. Through oversight,
transparent reporting of results, and robust enforcement, OIG seeks to be a voice for, and
protect the interest of, those who have funded Treasury’s investment in the Enterprises—the
American taxpayers.

Tracking of OIG Recommendations
Our recommendations, like those of other inspectors general, are primarily made in written
reports issued by our Offices of Audits, Evaluations, and Compliance. We report the facts,
as found, and recommend actions to address any shortcomings we identify in FHFA’s
exercise of its statutory duties and responsibilities or by one or both Enterprises, in connection
with their execution of responsibilities delegated to them by FHFA, as conservator. FHFA is
provided an opportunity to provide a written response to OIG recommendations. FHFA’s

1
    Includes public and non-public recommendations.
2
    OIG’s semiannual reports are available at www.fhfaoig.gov/Reports/Semiannual.
3
    This report does not include recommendations under consideration for work that is in progress.

                                             OIG • September 1, 2021                                 4
determinations whether to agree with OIG’s recommendations are included in our published
reports. Once FHFA has accepted an OIG recommendation, it reports to us on its efforts to
implement the “corrective action” that is intended to respond to the recommendation. When
FHFA believes that its implementation efforts are well underway or that implementation is
complete, FHFA provides that information to us, along with corroborating documents, and we
rely on those materials in determining whether to close recommendations. If the Agency
rejects a recommendation or conclusively refuses to implement an acceptable corrective
action, then we will close the recommendation and report it separately in this compendium.

Validation Testing
OIG typically relies on materials and representations from the Agency to close its
recommendations and may close some recommendations based on the Agency’s
representations as to the corrective actions it has taken. Accordingly, we are not always able
to assess, at the time of closure, whether the implementation actions by FHFA meet the letter
and spirit of the agreed-upon recommendation, nor can we determine, at closure, the longer-
term impact of the recommendation. To better assess both the implementation and impact of
OIG recommendations, we concluded that validation testing is needed. Such testing, and
disclosure of results of that testing, provides greater accountability and adds value to FHFA
and the American taxpayers it serves.

Because our Offices of Audits and Evaluations historically had not conducted extensive
corrective action verification testing, we created the Office of Compliance and Special
Projects. The primary operational role of that office is to examine closed recommendations to
assess independently FHFA’s implementation of the corrective actions it represented to OIG
that it intended to take, as well as the impact of those actions, and to publish reports of its
validation testing in “compliance reviews.” These compliance reviews enable our
stakeholders to assess the impact of OIG’s recommendations, as well as the efficacy of the
Agency’s implementation of those recommendations. Compliance reviews enhance OIG’s
ability to stimulate positive change in critical areas and promote economy, efficiency, and
effectiveness at FHFA.

Any open recommendations contained in published compliance reviews are included in this
compendium.

                                    OIG • September 1, 2021                                       5
OPEN RECOMMENDATIONS .....................................................

Specific Risk to be                                                                              Report Name and
                                     Recommendation                       Expected Impact
    Mitigated                                                                                          Date
                                               Open Recommendations
                                                   Conservatorship
Conflicts of Interest   FHFA should direct FHFA employees to           Improved oversight       Corporate
                        monitor the review and resolution of Senior                             Governance:
                        Executive Officer disclosures of potential,                             Review and
                        actual, or apparent conflicts of interest to                            Resolution of
                        ensure that revised Board committee                                     Conflicts of Interest
                        charter(s) and management policies and                                  Involving Fannie
                        procedures are being followed.                                          Mae’s Senior
                                                                                                Executive Officers
                                                                                                Highlight the Need
                                                                                                for Closer Attention
                                                                                                to Governance
                                                                                                Issues by FHFA
                                                                                                (EVL-2018-001,
                                                                                                January 31, 2018)4

                        FHFA, as conservator, should determine the     Improved oversight       Corporate
                        appropriate disciplinary action against the                             Governance:
                        Chief Executive Officer for his non-                                    Fannie Mae Senior
                        disclosure and untimely disclosure of                                   Executive Officers
                        conflict of interest matters.                                           and Ethics Officials
                                                                                                Again Failed to
                                                                                                Follow
                                                                                                Requirements for
                                                                                                Disclosure and
                                                                                                Resolution of
                                                                                                Conflicts of
                                                                                                Interest, Prompting
                                                                                                the Need for FHFA
                                                                                                Direction (EVL-
                                                                                                2021-001, March
                                                                                                15, 2021)

  4
   This recommendation is being held open pending the completion of a related 2021 FHFA planned supervisory
  activity in response to the second recommendation of EVL-2021-001, and OIG’s assessment of that supervisory
  activity.

                                             OIG • September 1, 2021                                            6
Specific Risk to be                                                                        Report Name and
                                   Recommendation                       Expected Impact
    Mitigated                                                                                     Date
                      FHFA, as conservator, should provide timely    Improved oversight   Corporate
                      instruction to the Fannie Mae Board                                 Governance:
                      regarding Fannie Mae Office of Compliance                           Fannie Mae Senior
                      and Ethics’ authority to interpret Chief                            Executive Officers
                      Executive Officer mitigation plans where                            and Ethics Officials
                      new facts are presented.                                            Again Failed to
                                                                                          Follow
                                                                                          Requirements for
                                                                                          Disclosure and
                                                                                          Resolution of
                                                                                          Conflicts of
                                                                                          Interest, Prompting
                                                                                          the Need for FHFA
                                                                                          Direction (EVL-
                                                                                          2021-001, March
                                                                                          15, 2021)

                      In accordance with Recommendation 2,           Improved oversight   Corporate
                      FHFA, as conservator, should direct the                             Governance:
                      Fannie Mae Board and/or management to                               Fannie Mae Senior
                      amend and clarify the appropriate conflict                          Executive Officers
                      of interest governance documents to                                 and Ethics Officials
                      identify all instances in which Fannie Mae                          Again Failed to
                      Office of Compliance and Ethics is required                         Follow
                      to submit conflict of interest matters                              Requirements for
                      involving the Chief Executive Officer to the                        Disclosure and
                      Fannie Mae Board of Directors’ Nominating                           Resolution of
                      and Corporate Governance Committee for                              Conflicts of
                      its resolution.                                                     Interest, Prompting
                                                                                          the Need for FHFA
                                                                                          Direction (EVL-
                                                                                          2021-001, March
                                                                                          15, 2021)

                                           OIG • September 1, 2021                                        7
Specific Risk to be                                                                      Report Name and
                                  Recommendation                    Expected Impact
    Mitigated                                                                                  Date
                                                  Supervision
Examiner Capacity     FHFA should develop a process that links   Improved supervision   Update on FHFA’s
                      annual Enterprise examination plans with                          Efforts to
                      core team resource requirements.                                  Strengthen its
                                                                                        Capacity to Examine
                                                                                        the Enterprises
                                                                                        (EVL-2014-002,
                                                                                        December 19,
                                                                                        2013) and Despite
                                                                                        Prior
                                                                                        Commitments,
                                                                                        FHFA Has Not
                                                                                        Implemented a
                                                                                        Systematic
                                                                                        Workforce Planning
                                                                                        Process to
                                                                                        Determine Whether
                                                                                        Enough Qualified
                                                                                        Examiners are
                                                                                        Available to Assess
                                                                                        the Safety and
                                                                                        Soundness of
                                                                                        Fannie Mae and
                                                                                        Freddie Mac (AUD-
                                                                                        2020-004,
                                                                                        February 25, 2020)

                                          OIG • September 1, 2021                                     8
Specific Risk to be                                                                           Report Name and
                                   Recommendation                        Expected Impact
    Mitigated                                                                                        Date
                      FHFA should establish a strategy to ensure      Improved supervision   Update on FHFA’s
                      that the necessary resources are in place to                           Efforts to
                      ensure timely and effective Enterprise                                 Strengthen its
                      examination oversight.                                                 Capacity to
                                                                                             Examine the
                                                                                             Enterprises
                                                                                             (EVL-2014-002,
                                                                                             December 19,
                                                                                             2013) and Despite
                                                                                             Prior
                                                                                             Commitments,
                                                                                             FHFA Has Not
                                                                                             Implemented a
                                                                                             Systematic
                                                                                             Workforce Planning
                                                                                             Process to
                                                                                             Determine Whether
                                                                                             Enough Qualified
                                                                                             Examiners are
                                                                                             Available to Assess
                                                                                             the Safety and
                                                                                             Soundness of
                                                                                             Fannie Mae and
                                                                                             Freddie Mac (AUD-
                                                                                             2020-004,
                                                                                             February 25, 2020)

                      FHFA should assess whether the Division of      Improved supervision   FHFA Failed to
                      Enterprise Regulation (DER) has a sufficient                           Complete Non-MRA
                      complement of qualified examiners to                                   Supervisory
                      conduct and complete those examinations                                Activities Related to
                      rated by DER to be of high-priority within                             Cybersecurity Risks
                      each supervisory cycle and address the                                 at Fannie Mae
                      resource constraints that have adversely                               Planned for the
                      affected DER’s ability to carry out its risk-                          2016 Examination
                      based supervisory plans.                                               Cycle (AUD-2017-
                                                                                             010, September
                                                                                             27, 2017)

                                           OIG • September 1, 2021                                           9
Specific Risk to be                                                                           Report Name and
                                   Recommendation                        Expected Impact
    Mitigated                                                                                        Date
                      FHFA should assess whether DER has a            Improved supervision   FHFA’s Targeted
                      sufficient complement of qualified                                     Examinations of
                      examiners to conduct and complete those                                Freddie Mac: Just
                      examinations rated by DER to be of high-                               Over Half of the
                      priority within each supervisory cycle and                             Targeted
                      address the resource constraints that have                             Examinations
                      adversely affected DER’s ability to carry out                          Planned for 2012
                      its risk-based supervisory plans.                                      through 2015 Were
                                                                                             Completed (AUD-
                                                                                             2016-007,
                                                                                             September 30,
                                                                                             2016); FHFA’s
                                                                                             Targeted
                                                                                             Examinations of
                                                                                             Fannie Mae: Less
                                                                                             than Half of the
                                                                                             Targeted
                                                                                             Examinations
                                                                                             Planned for 2012
                                                                                             through 2015 Were
                                                                                             Completed and No
                                                                                             Examinations
                                                                                             Planned for 2015
                                                                                             Were Completed
                                                                                             Before the Report
                                                                                             of Examination
                                                                                             Issued (AUD-2016-
                                                                                             006, September
                                                                                             30, 2016)

                                           OIG • September 1, 2021                                      10
Specific Risk to be                                                                                 Report Name and
                                    Recommendation                         Expected Impact
    Mitigated                                                                                              Date
                      FHFA should direct DER to develop and            Improved supervision        Despite Prior
                      implement a systematic workforce planning                                    Commitments,
                      process within 12 months that aligns with                                    FHFA Has Not
                      Office of Personnel Management guidance                                      Implemented a
                      and best practices and is fully documented                                   Systematic
                      in writing. That process should include:                                     Workforce Planning
                       • Identifying the current examination                                       Process to
                            skills and competencies of its                                         Determine Whether
                            examiners;                                                             Enough Qualified
                                                                                                   Examiners are
                       • Forecasting the optimal staffing levels
                            and competencies needed to meet its                                    Available to Assess
                            supervisory needs;                                                     the Safety and
                                                                                                   Soundness of
                       • Evaluating whether a gap exists                                           Fannie Mae and
                            between skills that its workforce may                                  Freddie Mac (AUD-
                            currently need but does not possess;                                   2020-004,
                            and                                                                    February 25,
                       • Addressing that gap.                                                      2020)5

 5
   FHFA represented that its Agency-wide “Organizational Optimization Blueprint” project would address the spirit
 of this recommendation. FHFA committed to providing OIG certain deliverables by October 30, 2020. Instead,
 those deliverables were provided on March 9, 2021. In its Annual Performance Plan for FY 2021, FHFA assigned
 the task of “an action plan to address improvement opportunities identified in FHFA’s optimization study to further
 the development of a world-class supervision program” to FHFA’s Chief Operating Officer, with a target due date
 of June 30, 2021.

                                            OIG • September 1, 2021                                               11
Specific Risk to be                                                                                 Report Name and
                                        Recommendation                        Expected Impact
    Mitigated                                                                                             Date
                           FHFA should direct DER to develop and           Improved supervision   Despite FHFA’s
                           implement a systematic workforce planning                              Recognition of
                           process within 12 months that aligns with                              Significant Risks
                           Office of Personnel Management guidance                                Associated with
                           and best practices and is fully documented.                            Fannie Mae’s and
                           That process should include:                                           Freddie Mac’s
                            • Identifying the appropriate number of                               High-Risk Models,
                                Enterprise high-risk models to be                                 its Examination of
                                examined each year through targeted                               Those Models Over
                                examinations;                                                     a Six Year Period
                            • Identifying the current examination                                 Has Been Neither
                                skills and competencies of examiners                              Rigorous nor Timely
                                engaged in supervisory activities of                              (EVL-2020-001,
                                high-risk models;                                                 March 25, 2020)6
                            • Forecasting the optimal staffing levels
                                and competencies of examiners
                                necessary to complete the identified
                                number of targeted examinations of
                                high-risk models planned for each
                                examination cycle;
                            • Evaluating whether a gap exists
                                between skills required to conduct
                                supervision of high-risk models that its
                                examiners currently need but do not
                                possess; and
                            • Addressing that gap.

                           Based on the results of its workforce           Improved supervision   Despite FHFA’s
                           analysis, FHFA should conduct a written                                Recognition of
                           assessment of whether DER’s current                                    Significant Risks
                           budget for its supervision of high-risk                                Associated with
                           models is sufficient.                                                  Fannie Mae’s and
                                                                                                  Freddie Mac’s
                                                                                                  High-Risk Models,
                                                                                                  its Examination of
                                                                                                  Those Models Over
                                                                                                  a Six Year Period
                                                                                                  Has Been Neither
                                                                                                  Rigorous nor Timely
                                                                                                  (EVL-2020-001,
                                                                                                  March 25, 2020)

 6
     See prior footnote.

                                                OIG • September 1, 2021                                        12
Specific Risk to be                                                                             Report Name and
                                   Recommendation                         Expected Impact
    Mitigated                                                                                         Date
 Accreditation of     FHFA should determine the causes of the          Improved quality       OIG’s Compliance
   Examiners          shortfalls in the Housing Finance Examiner                              Review of FHFA’s
                      Commission Program that we have                                         Implementation of
                      identified, and implement a strategy to                                 Its Housing Finance
                      ensure the program fulfills its central                                 Examiner
                      objective of producing commissioned                                     Commission
                      examiners who are qualified to lead major                               Program
                      risk sections of government-sponsored                                   (COM-2015-001,
                      enterprise examinations.                                                July 29, 2015) and
                                                                                              FHFA’s Housing
                                                                                              Finance Examiner
                                                                                              Commissioning
                                                                                              Program: $7.7
                                                                                              Million and Four
                                                                                              Years into the
                                                                                              Program, the
                                                                                              Agency has Fewer
                                                                                              Commissioned
                                                                                              Examiners (COM-
                                                                                              2018-006,
                                                                                              September 6,
                                                                                              2018)7

Risk Assessments      FHFA should reinforce, through training and      Improved supervision   FHFA Failed to
                      supervision of DER personnel, the                                       Complete Non-MRA
                      requirements established by FHFA, and                                   Supervisory
                      reinforced by DER guidance, for the risk                                Activities Related to
                      assessment and supervisory planning                                     Cybersecurity Risks
                      process. Specifically:                                                  at Fannie Mae
                       a. Ensure that the annual supervisory                                  Planned for the
                           strategy identifies significant risks and                          2016 Examination
                           supervisory concerns and explains how                              Cycle (AUD-2017-
                           the planned supervisory activities to be                           010, September
                           conducted during the examination                                   27, 2017); FHFA
                           cycle address the most significant                                 Did Not Complete
                           risks in the operational risk                                      All Planned
                           assessment. (Applies to AUD-2017-                                  Supervisory
                           010 and AUD-2017-011)                                              Activities Related to
                       b. Ensure that supervisory activities                                  Cybersecurity Risks
                           planned during an examination cycle                                at Freddie Mac for
                           to address the most significant risks in                           the 2016
                           the operational risk assessment are                                Examination Cycle
                           completed within the examination                                   (AUD-2017-011,
                           cycle. (Applies to AUD-2017-010)                                   September 27,
                                                                                              2017)

 7
   OIG has twice determined that the Housing Finance Examiner Commission Program was not on track to produce
 commissioned examiners. This recommendation is open pending FHFA actions to assess and address the Program’s
 shortfalls, and OIG’s assessment of those corrective actions.

                                           OIG • September 1, 2021                                          13
Specific Risk to be                                                                            Report Name and
                                   Recommendation                      Expected Impact
    Mitigated                                                                                        Date
                      Going forward, FHFA should ensure a risk     Improved supervision       FHFA’s Failure to
                      assessment for Common Securitization                                    Include the
                      Solutions, LLC is prepared and approved                                 Financial Crimes
                      annually in accordance with DER                                         and Model
                      requirements.                                                           Components in its
                                                                                              CSS Risk
                                                                                              Assessment Is
                                                                                              Inconsistent with a
                                                                                              Risk-Based
                                                                                              Approach to
                                                                                              Supervision (AUD-
                                                                                              2021-005, March
                                                                                              23, 2021)

                      FHFA should include all required             Improved supervision       FHFA’s Failure to
                      components, including the Financial Crimes                              Include the
                      and Model components, when preparing the                                Financial Crimes
                      annual risk assessment for Common                                       and Model
                      Securitization Solutions, LLC.                                          Components in its
                                                                                              CSS Risk
                                                                                              Assessment Is
                                                                                              Inconsistent with a
                                                                                              Risk-Based
                                                                                              Approach to
                                                                                              Supervision (AUD-
                                                                                              2021-005, March
                                                                                              23, 2021)

   Assessing          FHFA should ensure that Freddie Mac          Improved remediation       FHFA Failed to
 Remediation of       takes, or has taken, remedial action to      of deficiencies            Ensure Freddie
  Deficiencies        address the deficiency underlying the                                   Mac’s Remedial
                      matter requiring attention (MRA) regarding                              Plans for a
                      the need to implement a process to verify                               Cybersecurity MRA
                      and monitor [certain matters].                                          Addressed All
                                                                                              Deficiencies; as
                                                                                              Allowed by its
                                                                                              Standard, FHFA
                                                                                              Closed the MRA
                                                                                              after Independently
                                                                                              Determining the
                                                                                              Enterprise
                                                                                              Completed its
                                                                                              Planned Remedial
                                                                                              Actions (AUD-2018-
                                                                                              008, March 28,
                                                                                              2018)8

 8
  This recommendation is being held open pending OIG’s assessment of a supervisory activity that FHFA completed
 during the 2020 examination cycle related to the underlying deficiency of the MRA discussed in this report.

                                          OIG • September 1, 2021                                          14
Specific Risk to be                                                                           Report Name and
                                   Recommendation                        Expected Impact
    Mitigated                                                                                        Date
                      FHFA should require DER, upon acceptance        Improved remediation   FHFA’s Inconsistent
                      of an Enterprise’s remediation plan, to         of deficiencies        Practices in
                      estimate the date by which it expects to                               Assessing
                      confirm internal audit’s validation, and to                            Enterprise
                      enter that date into a dedicated field in the                          Remediation of
                      MRA tracking system. [Closed in                                        Serious
                      September 2017; reopened upon results of                               Deficiencies and
                      compliance testing.]                                                   Weaknesses in its
                                                                                             Tracking Systems
                                                                                             Limit the
                                                                                             Effectiveness of
                                                                                             FHFA’s Supervision
                                                                                             of the Enterprises
                                                                                             (EVL-2016-007,
                                                                                             July 14, 2016) and
                                                                                             Compliance Review
                                                                                             of the Timeliness of
                                                                                             FHFA’s
                                                                                             Assessments of the
                                                                                             Enterprises’
                                                                                             Remediation
                                                                                             Closure Packages
                                                                                             for a Matter
                                                                                             Requiring Attention
                                                                                             (COM-2020-001,
                                                                                             February 21, 2020)

   Supervisory        FHFA should determine the appropriate           Improved supervision   More than Eight
    Oversight         threshold or criteria for charging off                                 Years After Issuing
                      delinquent single-family loans at the                                  its Advisory
                      Enterprises and communicate that                                       Bulletin, FHFA Has
                      threshold or criteria through revised or new                           Not Held the
                      Agency guidance.                                                       Enterprises to its
                                                                                             Expectations on
                                                                                             Charging off
                                                                                             Delinquent Loans
                                                                                             or Communicated
                                                                                             New Expectations
                                                                                             (EVL-2020-003,
                                                                                             September 10,
                                                                                             2020)

                                           OIG • September 1, 2021                                         15
Specific Risk to be                                                                           Report Name and
                                   Recommendation                       Expected Impact
    Mitigated                                                                                       Date
                      FHFA should assess the Enterprises’            Improved supervision   More than Eight
                      implementation of the revised or new                                  Years After Issuing
                      Agency guidance to ensure that the                                    its Advisory
                      Enterprises’ practices comport with FHFA’s                            Bulletin, FHFA Has
                      supervisory expectations.                                             Not Held the
                                                                                            Enterprises to its
                                                                                            Expectations on
                                                                                            Charging off
                                                                                            Delinquent Loans
                                                                                            or Communicated
                                                                                            New Expectations
                                                                                            (EVL-2020-003,
                                                                                            September 10,
                                                                                            2020)

                      FHFA should ensure that the Office of          Improved supervision   Weaknesses in
                      Housing and Regulatory Policy (a) develops                            FHFA’s Monitoring
                      and issues written guidance to the                                    of the Enterprises’
                      Enterprises on the data elements to be                                97% LTV Mortgage
                      reported regularly for FHFA’s monitoring of                           Programs May
                      the 97% LTV mortgage programs and (b)                                 Hinder FHFA’s
                      establishes quality control procedures to                             Ability to Timely
                      ensure that information reported by the                               Identify, Analyze,
                      Enterprises is reliable and conforms to the                           and Respond to
                      requirements of the written guidance.                                 Risks Related to
                                                                                            Achieving the
                                                                                            Programs’
                                                                                            Objectives
                                                                                            (AUD-2020-014,
                                                                                            September 29,
                                                                                            2020)

                      FHFA should clarify and reinforce the Office   Improved supervision   Weaknesses in
                      of Housing and Regulatory Policy’s guidance                           FHFA’s Monitoring
                      regarding the frequency of 97% LTV                                    of the Enterprises’
                      mortgage program monitoring dashboard                                 97% LTV Mortgage
                      preparation to Office of Housing and                                  Programs May
                      Regulatory Policy staff and ensure that the                           Hinder FHFA’s
                      monitoring dashboards are prepared and                                Ability to Timely
                      reviewed in accordance with that guidance.                            Identify, Analyze,
                                                                                            and Respond to
                                                                                            Risks Related to
                                                                                            Achieving the
                                                                                            Programs’
                                                                                            Objectives
                                                                                            (AUD-2020-014,
                                                                                            September 29,
                                                                                            2020)

                                           OIG • September 1, 2021                                        16
Specific Risk to be                                                                          Report Name and
                                   Recommendation                       Expected Impact
    Mitigated                                                                                        Date
    Examiner          FHFA should assess whether Fannie Mae’s        Improved supervisory   FHFA Examiners’
 Assessment and       remediation of its [redacted] is sufficient.   oversight              Lack of
  Escalation of                                                                             Assessment and
  Shortcomings                                                                              Escalation of
                                                                                            Shortcomings
                                                                                            Identified by an
                                                                                            Enterprise in its
                                                                                            Servicer Fraud Risk
                                                                                            Management
                                                                                            Framework Limited
                                                                                            the Agency’s
                                                                                            Supervisory
                                                                                            Oversight (EVL-
                                                                                            2020-002, August
                                                                                            27, 2020)

   Examination        FHFA should reinforce the requirement to       Improved supervision   FHFA Completed
    Guidance          examiners in charge and examination                                   Most of its Planned
                      managers that changes to an examination                               Ongoing Monitoring
                      plan must be risk-based – changes in                                  Activities for Fannie
                      Enterprise business operations or risk                                Mae and CSS for
                      exposures – and that resource constraints                             2019; However,
                      are not accepted reasons for such changes.                            FHFA Failed to
                                                                                            Follow its
                                                                                            Requirements
                                                                                            When it Changed
                                                                                            Examination Plans
                                                                                            for Non-Risk-Based
                                                                                            Reasons and Failed
                                                                                            to Obtain Deputy
                                                                                            Director Approval
                                                                                            (AUD-2020-011,
                                                                                            September 9,
                                                                                            2020)

                                           OIG • September 1, 2021                                        17
Specific Risk to be                                                                        Report Name and
                                   Recommendation                     Expected Impact
    Mitigated                                                                                      Date
                      FHFA should reinforce the requirement that   Improved supervision   FHFA Completed
                      any revisions to an examination plan must                           Most of its Planned
                      be approved in writing by the Deputy                                Ongoing Monitoring
                      Director.                                                           Activities for Fannie
                                                                                          Mae and CSS for
                                                                                          2019; However,
                                                                                          FHFA Failed to
                                                                                          Follow its
                                                                                          Requirements
                                                                                          When it Changed
                                                                                          Examination Plans
                                                                                          for Non-Risk-Based
                                                                                          Reasons and Failed
                                                                                          to Obtain Deputy
                                                                                          Director Approval
                                                                                          (AUD-2020-011,
                                                                                          September 9,
                                                                                          2020)

                      FHFA should define the term “supervisory     Improved supervision   FHFA’s Failure to
                      concern” as it is used in FHFA’s corporate                          Define and Clearly
                      governance regulation.                                              Communicate
                                                                                          “Supervisory
                                                                                          Concerns” Hinders
                                                                                          the Enterprise
                                                                                          Boards’ Ability to
                                                                                          Execute Their
                                                                                          Oversight
                                                                                          Obligations Under
                                                                                          FHFA’s Corporate
                                                                                          Governance
                                                                                          Regulation and
                                                                                          Renders the
                                                                                          Regulation
                                                                                          Ineffective as a
                                                                                          Supervisory Tool
                                                                                          (EVL-2021-003,
                                                                                          March 30, 2021)

                                           OIG • September 1, 2021                                      18
Specific Risk to be                                                                           Report Name and
                                   Recommendation                        Expected Impact
    Mitigated                                                                                        Date
                      FHFA should develop examination guidance        Improved supervision   FHFA’s Failure to
                      that explains how supervisory concerns                                 Define and Clearly
                      should be described and categorized in the                             Communicate
                      Reports of Examination, establishes DER’s                              “Supervisory
                      expectations for timely and appropriate                                Concerns” Hinders
                      remediation for each such concerns, and                                the Enterprise
                      prescribes how such concerns should be                                 Boards’ Ability to
                      monitored until they are fully remediated.                             Execute Their
                                                                                             Oversight
                                                                                             Obligations Under
                                                                                             FHFA’s Corporate
                                                                                             Governance
                                                                                             Regulation and
                                                                                             Renders the
                                                                                             Regulation
                                                                                             Ineffective as a
                                                                                             Supervisory Tool
                                                                                             (EVL-2021-003,
                                                                                             March 30, 2021)

   Examination        FHFA should revise the Division of Federal      Improved quality       FHFA Conducted
   Workpapers         Home Loan Bank Regulation’s quality             control                BSA/AML Program
                      control procedures to specifically require                             Examinations of 10
                      that all examination workpapers supporting                             of 11 Federal
                      examination findings, conclusions, and                                 Home Loan Banks
                      ratings directly prepared by the examiner-in-                          During 2016-2018
                      charge be reviewed by an individual who did                            in Accordance with
                      not participate in the examination. [Closed                            its Guidelines, But
                      in October 2019; reopened upon results of                              Failed to Support a
                      compliance testing.]                                                   Conclusion in the
                                                                                             Report of
                                                                                             Examination for the
                                                                                             Other Bank (AUD-
                                                                                             2019-008, July 10,
                                                                                             2019) and
                                                                                             Compliance Review
                                                                                             of DBR’s Quality
                                                                                             Control for
                                                                                             Examination Work
                                                                                             Performed by
                                                                                             Examiners-in-
                                                                                             Charge (COM-
                                                                                             2021-007, August
                                                                                             25, 2021)

                                           OIG • September 1, 2021                                        19
Specific Risk to be                                                                              Report Name and
                                   Recommendation                        Expected Impact
    Mitigated                                                                                          Date
 Quality Control      FHFA’s Office of Minority and Women             Improved quality          Compliance Review
    Reviews           Inclusion should ensure that quality control                              of FHFA’s Office of
                      reviews are performed before issuing                                      Minority and
                      diversity and inclusion examination findings                              Women Inclusion
                      to a regulated entity, as required by                                     (COM-2019-005,
                      Supervision Directive 2017-01.                                            June 24, 2019)

                                         Counterparties and Third Parties
                      FHFA should ensure that DER uses its full       Improved supervision      Despite FHFA’s
                      range of available examination activities,                                Acknowledgement
                      including targeted examinations and when                                  that Enterprise
                      appropriate, enhanced risk monitoring, to                                 Reliance on Third-
                      provide comprehensive assessments of                                      Parties Represents
                      known areas of high risk, like Fannie Mae’s                               a Significant
                      reliance on third-party vendors.                                          Operational Risk,
                                                                                                No Targeted
                                                                                                Examinations of
                                                                                                Fannie Mae’s Third-
                                                                                                Party Risk
                                                                                                Management
                                                                                                Program Were
                                                                                                Completed Over a
                                                                                                Seven-Year Period
                                                                                                (AUD-2021-007,
                                                                                                March 29, 2021)

                                             Information Technology
   Information        FHFA should comply with Financial Stability     Improved risk             FHFA Should Map
 Technology Risk      Oversight Council recommendations to            management                Its Supervisory
  Examinations        address the gaps, as prioritized, to reflect                              Standards for
                      and incorporate appropriate elements of                                   Cyber Risk
                      the National Institute of Standards and                                   Management to
                      Technology Framework.                                                     Appropriate
                                                                                                Elements of the
                                                                                                NIST Framework
                                                                                                (EVL-2016-003,
                                                                                                March 28, 2016)9

 9
  OIG is reviewing additional documentation provided by FHFA during this reporting period to assess whether the
 Agency has adequately addressed this recommendation.

                                           OIG • September 1, 2021                                            20
Specific Risk to be                                                                                      Report Name and
                                          Recommendation                         Expected Impact
    Mitigated                                                                                                  Date
                             FHFA should comply with Financial Stability      Improved risk            FHFA Should Map
                             Oversight Council recommendations to             management               Its Supervisory
                             revise existing regulatory guidance to reflect                            Standards for
                             and incorporate appropriate elements of                                   Cyber Risk
                             the National Institute of Standards and                                   Management to
                             Technology framework in a manner that                                     Appropriate
                             achieves consistency with other federal                                   Elements of the
                             financial regulators.                                                     NIST Framework
                                                                                                       (EVL-2016-003,
                                                                                                       March 28, 2016)10

Privacy Information          FHFA should determine privacy controls that      Improved protection of   Audit of the Federal
and Data Protection          are information system-specific, and/or          privacy information      Housing Finance
                             hybrid controls.                                                          Agency’s 2019
                                                                                                       Privacy Program
                                                                                                       (AUD-2019-009,
                                                                                                       August 28, 2019)

                             FHFA should document privacy controls            Improved protection of   Audit of the Federal
                             within each system’s system security plan        privacy information      Housing Finance
                             or system-specific privacy plan, clearly                                  Agency’s 2019
                             identifying whether controls are program                                  Privacy Program
                             level, common, information system-specific,                               (AUD-2019-009,
                             or hybrid.                                                                August 28, 2019)

                             FHFA should update the privacy impact            Improved protection of   Audit of the Federal
                             assessments using the privacy impact             privacy information      Housing Finance
                             assessments template for Affordable                                       Agency’s 2021
                             Housing Project, Federal Human Resources                                  Privacy Program
                             Navigator, and Suspended Counterparty                                     (AUD-2021-011,
                             System.                                                                   August 11, 2021)

                             FHFA should ensure privacy impact                Improved protection of   Audit of the Federal
                             assessments are conducted timely using           privacy information      Housing Finance
                             the privacy impact assessments template in                                Agency’s 2021
                             accordance with the FHFA Privacy Program                                  Privacy Program
                             Plan (i.e., before a new system is                                        (AUD-2021-011,
                             developed, after a significant change to a                                August 11, 2021)
                             system, or within three years of the privacy
                             impact assessments).

  10
       See prior footnote.

                                                   OIG • September 1, 2021                                           21
Specific Risk to be                                                                            Report Name and
                                   Recommendation                       Expected Impact
    Mitigated                                                                                         Date
                      FHFA should update the Privacy Continuous      Improved protection of   Audit of the Federal
                      Monitoring Strategy to ensure that it          privacy information      Housing Finance
                      reflects the FHFA’s current privacy control                             Agency’s 2021
                      assessment process in accordance with                                   Privacy Program
                      Office of Management and Budget Circular                                (AUD-2021-011,
                      A-130.                                                                  August 11, 2021)

                      FHFA should develop and implement              Improved protection of   Audit of the Federal
                      Privacy Control Assessment plans, that         privacy information      Housing Finance
                      include all required elements.                                          Agency’s 2021
                                                                                              Privacy Program
                                                                                              (AUD-2021-011,
                                                                                              August 11, 2021)

                      FHFA should ensure Privacy Control             Improved protection of   Audit of the Federal
                      Assessments are performed for all systems      privacy information      Housing Finance
                      that collect PII.                                                       Agency’s 2021
                                                                                              Privacy Program
                                                                                              (AUD-2021-011,
                                                                                              August 11, 2021)

 FHFA Information     Because information in this report could be    Improved information     Audit of the Federal
Technology Security   used to circumvent FHFA’s internal controls,   security                 Housing Finance
  and Availability    it has not been released publicly.                                      Agency’s
                                                                                              Information
                                                                                              Security Program
                                                                                              Fiscal Year 2019
                                                                                              (AUD-2020-001,
                                                                                              October 25, 2019)

                      Because information in this report could be    Improved information     Audit of the Federal
                      used to circumvent FHFA’s internal controls,   security                 Housing Finance
                      it has not been released publicly.                                      Agency’s
                                                                                              Information
                                                                                              Security Program
                                                                                              Fiscal Year 2020
                                                                                              (AUD-2021-001,
                                                                                              October 20, 2020)

                      Because information in this report could be    Improved information     Audit of the Federal
                      used to circumvent FHFA’s internal controls,   security                 Housing Finance
                      it has not been released publicly.                                      Agency’s
                                                                                              Information
                                                                                              Security Program
                                                                                              Fiscal Year 2020
                                                                                              (AUD-2021-001,
                                                                                              October 20, 2020)

                                           OIG • September 1, 2021                                          22
Specific Risk to be                                                                          Report Name and
                                   Recommendation                       Expected Impact
    Mitigated                                                                                       Date
                      Because information in this report could be    Improved information   Audit of the Federal
                      used to circumvent FHFA’s internal controls,   security               Housing Finance
                      it has not been released publicly.                                    Agency’s
                                                                                            Information
                                                                                            Security Program
                                                                                            Fiscal Year 2020
                                                                                            (AUD-2021-001,
                                                                                            October 20, 2020)

                      Because information in this report could be    Improved information   Audit of the Federal
                      used to circumvent FHFA’s internal controls,   security               Housing Finance
                      it has not been released publicly.                                    Agency’s
                                                                                            Information
                                                                                            Security Program
                                                                                            Fiscal Year 2020
                                                                                            (AUD-2021-001,
                                                                                            October 20, 2020)

                      Because information in this report could be    Improved information   Audit of the Federal
                      used to circumvent FHFA’s internal controls,   security               Housing Finance
                      it has not been released publicly.                                    Agency’s
                                                                                            Information
                                                                                            Security Program
                                                                                            Fiscal Year 2020
                                                                                            (AUD-2021-001,
                                                                                            October 20, 2020)

                      Because information in this report could be    Improved information   Audit of the Federal
                      used to circumvent FHFA’s internal controls,   security               Housing Finance
                      it has not been released publicly.                                    Agency’s
                                                                                            Information
                                                                                            Security Program
                                                                                            Fiscal Year 2020
                                                                                            (AUD-2021-001,
                                                                                            October 20, 2020)

                      Because information in this report could be    Improved information   Audit of the Federal
                      used to circumvent FHFA’s internal controls,   security               Housing Finance
                      it has not been released publicly.                                    Agency’s
                                                                                            Information
                                                                                            Security Program
                                                                                            Fiscal Year 2020
                                                                                            (AUD-2021-001,
                                                                                            October 20, 2020)

                                           OIG • September 1, 2021                                        23
Specific Risk to be                                                                         Report Name and
                                   Recommendation                      Expected Impact
    Mitigated                                                                                     Date
                      FHFA should ensure that outdated              Improved information   2019 Internal
                      [redacted] and [redacted] protocols in        security               Penetration Test of
                      FHFA’s systems are disabled or upgraded in                           FHFA’s Network
                      a timely manner in accordance with                                   and Systems (AUD-
                      National Institute of Standards and                                  2019-014,
                      Technology directives.                                               September 24,
                                                                                           2019)

                      FHFA should modify existing cloud-based       Improved information   FHFA Failed to
                      General Support System Tool contracts to      security               Follow its Cloud-
                      include the required IT security provisions                          Based Computing
                      and ensure future cloud-based General                                Requirements
                      Support System Tool contracts include all                            when it Did Not
                      required provisions.                                                 Validate the
                                                                                           Implementation of
                                                                                           Minimum Security
                                                                                           Requirements for
                                                                                           Cloud-Based Tools
                                                                                           and Did Not Include
                                                                                           Required IT
                                                                                           Security Provisions
                                                                                           in Some of its
                                                                                           Cloud Service
                                                                                           Contracts (AUD-
                                                                                           2020-013,
                                                                                           September 17,
                                                                                           2020)

                      FHFA should implement multifactor             Improved information   Audit of an FHFA
                      authentication for [redacted] for             security               Sensitive
                      Employment Matters Tracking System                                   Employment-
                      database servers.                                                    Related Case
                                                                                           Tracking System:
                                                                                           FHFA Followed its
                                                                                           Access Control
                                                                                           Standard, But its
                                                                                           System Is Adversely
                                                                                           Impacted by Two
                                                                                           Security Control
                                                                                           Weaknesses (AUD-
                                                                                           2021-006, March
                                                                                           29, 2021)

                                           OIG • September 1, 2021                                      24
Specific Risk to be                                                                            Report Name and
                                   Recommendation                      Expected Impact
    Mitigated                                                                                         Date
                      FHFA should send Employment Matters           Improved information      Audit of an FHFA
                      Tracking System [redacted] for correlation    security                  Sensitive
                      and analysis.                                                           Employment-
                                                                                              Related Case
                                                                                              Tracking System:
                                                                                              FHFA Followed its
                                                                                              Access Control
                                                                                              Standard, But its
                                                                                              System Is Adversely
                                                                                              Impacted by Two
                                                                                              Security Control
                                                                                              Weaknesses (AUD-
                                                                                              2021-006, March
                                                                                              29, 2021)

                                               Agency Operations
Oversight of FHFA     FHFA should develop written procedures for    Improved management       FHFA Should Name
Workforce Matters     carrying out the functions of the Office of   of a statutory function   an Ombudsman
                      the Ombudsman, to include procedures for                                and Document the
                      documenting that all incoming complaints                                Office of the
                      and appeals are tracked, considered, and                                Ombudsman’s
                      appropriately resolved. In developing these                             Procedures (AUD-
                      procedures, the guidance published by the                               2019-011,
                      Coalition of Federal Ombudsmen should be                                September 16,
                      taken into consideration.                                               2019)

 Management of        FHFA should include all National Archives     Improved records          FHFA Needs to
 Agency Records       and Records Administration-required           management                Strengthen
                      content topics in annual records                                        Controls Over its
                      management training provided to FHFA                                    Records
                      employees and contractor employees.                                     Management
                                                                                              Program to Comply
                                                                                              with OMB and
                                                                                              NARA
                                                                                              Requirements
                                                                                              (AUD-2020-008,
                                                                                              March 26, 2020)

                                           OIG • September 1, 2021                                         25
Specific Risk to be                                                                         Report Name and
                                   Recommendation                        Expected Impact
    Mitigated                                                                                      Date
 Enterprise Risk      Going forward, FHFA should ensure Annual        Improved risk        FHFA Followed
  Management          Risk Profiles include all significant risk      management           OMB Guidance in
                      response action items designed to reduce                             Implementing its
                      identified risks, such as FHFA’s                                     Enterprise Risk
                      organizational optimization Blueprint                                Management
                      project, along with identifying the owners of                        Program But its
                      those risk response action items and target                          2020 Risk Profile
                      completion dates.                                                    Failed to Identify a
                                                                                           Significant Action
                                                                                           Underway to
                                                                                           Address
                                                                                           Acknowledged
                                                                                           Supervision Risk
                                                                                           (AUD-2021-004,
                                                                                           March 17, 2021)

                      FHFA should develop written policies and        Improved risk        FHFA Followed
                      procedures for its Enterprise Risk              management           OMB Guidance in
                      Management program.                                                  Implementing its
                                                                                           Enterprise Risk
                                                                                           Management
                                                                                           Program But its
                                                                                           2020 Risk Profile
                                                                                           Failed to Identify a
                                                                                           Significant Action
                                                                                           Underway to
                                                                                           Address
                                                                                           Acknowledged
                                                                                           Supervision Risk
                                                                                           (AUD-2021-004,
                                                                                           March 17, 2021)

                                           OIG • September 1, 2021                                       26
Specific Risk to be                                                                          Report Name and
                                   Recommendation                         Expected Impact
    Mitigated                                                                                       Date
   Policies for       FHFA should reinforce FHFA’s program             Improved internal    FHFA Did Not
Monetary Awards,      policies and procedures through a reminder       controls             Always Follow its
  Recruitment         to FHFA supervisors and senior officials                              Policies for
  Bonuses, and        involved in initiating, reviewing, and                                Monetary Awards,
    Retention         approving monetary awards, recruitment                                Recruitment
   Allowances         bonuses, and retention allowances to:                                 Bonuses, and
                           • Obtain the requisite concurrence                               Retention
                               from the supervisors of record and                           Allowances during
                               second-level supervisors, when                               Fiscal Years 2019
                               applicable, for monetary awards,                             and 2020; FHFA’s
                           • Ensure documentation supporting                                Excellence Awards
                               recruitment bonuses for non-                                 Were Not Included
                               executive, mission-critical positions                        in Agency Policy
                               cite how the positions were                                  (AUD-2021-008,
                               recruitment challenges, and                                  June 17, 2021)
                           • Ensure documentation supporting
                               retention allowances cite that non-
                               executive employees were offered
                               non-FHFA employment or applied
                               for retirement.

                      FHFA should ensure that the Excellence           Improved internal    FHFA Did Not
                      Awards program is included in the planned        controls             Always Follow its
                      revision to the FHFA Awards Policy before                             Policies for
                      such awards are made again.                                           Monetary Awards,
                                                                                            Recruitment
                                                                                            Bonuses, and
                                                                                            Retention
                                                                                            Allowances during
                                                                                            Fiscal Years 2019
                                                                                            and 2020; FHFA’s
                                                                                            Excellence Awards
                                                                                            Were Not Included
                                                                                            in Agency Policy
                                                                                            (AUD-2021-008,
                                                                                            June 17, 2021)

                                            OIG • September 1, 2021                                     27
Specific Risk to be                                                                          Report Name and
                                  Recommendation                      Expected Impact
    Mitigated                                                                                       Date
  Data Quality        FHFA should complete in an expedited         Improved data quality   FHFA Lacked
                      manner, its evaluation and development                               Documentation of
                      activities related to FHFA Information                               its Validation of
                      Quality Guidelines in response to M-19-15,                           Data Used to
                      the Office of Management and Budget’s                                Produce the Third
                      Memorandum on Improving Implementation                               Quarter 2020
                      of the Information Quality Act, and update                           Seasonally
                      the Guidelines, as deemed necessary.                                 Adjusted,
                                                                                           Expanded-Data
                                                                                           FHFA HPI and
                                                                                           Failed to Timely
                                                                                           Review its
                                                                                           Information Quality
                                                                                           Guidelines (AUD-
                                                                                           2021-010, July 22,
                                                                                           2021)

                                          OIG • September 1, 2021                                       28
CLOSED UNIMPLEMENTED RECOMMENDATIONS .....................

  The Inspector General Act of 1978 does not authorize any federal inspector general to compel
  its respective agency to adopt new policies or processes or take personnel actions to correct
  shortcomings found in their audits, evaluations, and investigations. Rather, the Act empowers
  inspectors general to recommend remedial actions to correct such shortcomings, and the
  affected agency determines whether or not to accept the recommendations.

  We believe it is important to be transparent and distinguish between recommendations
  that have been closed in light of appropriate movement toward implementation and
  recommendations that have been closed in light of FHFA’s refusal to take any action.
  For those recommendations closed due to rejection by FHFA, we continue to stand by our
  findings and believe that the Agency should have undertaken the recommended actions.

  The recommendations listed below represent those that have been closed following FHFA’s
  rejection and were not implemented.

Specific Risk to be                                                                         Report Name and
                                    Recommendation                       Expected Impact
    Mitigated                                                                                     Date
                                    Closed Unimplemented Recommendations
                                                  Conservatorship
    Oversight of       FHFA should develop a strategy to enhance      Improved oversight   Compliance Review
Enterprise Executive   the Executive Compensation Branch’s                                 of FHFA’s Oversight
  Compensation         capacity to review the reasonableness and                           of Enterprise
                       justification of the Enterprises’ annual                            Executive
                       proposals to compensate their executives                            Compensation
                       based on Corporate Scorecard                                        Based on
                       performance. To this end, FHFA should                               Corporate
                       ensure that: the Enterprises submit                                 Scorecard
                       proposals containing information sufficient                         Performance (COM-
                       to facilitate a comprehensive review by the                         2016-002, March
                       Executive Compensation Branch; the                                  17, 2016)
                       Executive Compensation Branch tests and
                       verifies the information in the Enterprises’
                       proposals, perhaps on a randomized basis;
                       and the Executive Compensation Branch
                       follows up with the Enterprises to resolve
                       any proposals that do not appear to be
                       reasonable and justified.

                                            OIG • September 1, 2021                                     29
Specific Risk to be                                                                            Report Name and
                                    Recommendation                         Expected Impact
    Mitigated                                                                                         Date
                      FHFA should develop a policy under which it       Improved oversight    Compliance Review
                      is required to notify OIG within 10 days of its                         of FHFA’s Oversight
                      decision not to fully implement,                                        of Enterprise
                      substantially alter, or abandon a corrective                            Executive
                      action that served as the basis for OIG’s                               Compensation
                      decision to close a recommendation.                                     Based on
                                                                                              Corporate
                                                                                              Scorecard
                                                                                              Performance (COM-
                                                                                              2016-002, March
                                                                                              17, 2016)

                      FHFA should re-assess the appropriateness         Improved governance   FHFA’s Approval of
                      of the annual compensation package of                                   Senior Executive
                      $3.6 million to the Fannie Mae President                                Succession
                      with consideration paid to the following                                Planning at Fannie
                      factors: the congressional intent behind the                            Mae Acted to
                      statutory cap on compensation; Fannie                                   Circumvent the
                      Mae’s continued conservatorship status                                  Congressionally
                      and the burdens imposed on the taxpayers                                Mandated Cap on
                      from that status; and the 10-year practice                              CEO Compensation
                      at Fannie Mae where one individual                                      (EVL-2019-001,
                      executed the responsibilities of both the                               March 26, 2019)
                      Chief Executive Officer and President
                      positions, with annual compensation
                      capped at $600,000 since 2015.

                      FHFA should re-assess the appropriateness         Improved governance   FHFA’s Approval of
                      of the annual compensation package of                                   Senior Executive
                      $3.25 million to the Freddie Mac President                              Succession
                      with consideration paid to the following                                Planning at Freddie
                      factors: the congressional intent behind the                            Mac Acted to
                      statutory cap on compensation; Freddie                                  Circumvent the
                      Mac’s continued conservatorship status                                  Congressionally
                      and the burdens imposed on the taxpayers                                Mandated Cap on
                      from that status; the 10-year practice at                               CEO Compensation
                      Freddie Mac where one individual executed                               (EVL-2019-002,
                      the Chief Executive Officer responsibilities                            March 26, 2019)
                      with annual compensation capped at
                      $600,000 since 2015; and the temporary
                      nature of the position of President, in light
                      of FHFA’s representation that Candidate A
                      will leave Freddie Mac if he is not selected
                      for the Chief Executive Officer position.

                                            OIG • September 1, 2021                                        30
Specific Risk to be                                                                         Report Name and
                                   Recommendation                        Expected Impact
     Mitigated                                                                                     Date
   Oversight of       FHFA’s Division of Housing Mission and          Improved servicing   FHFA’s Oversight
Servicing Alignment   Goals Deputy Director should establish an       compliance and       of the Servicing
      Initiative      ongoing process to evaluate servicers’          minimized losses     Alignment Initiative
                      Servicing Alignment Initiative compliance                            (EVL-2014-003,
                      and the effectiveness of the Enterprises’                            February 12, 2014)
                      remediation efforts.

                      FHFA’s Division of Housing Mission and          Improved servicing   FHFA’s Oversight
                      Goals Deputy Director should direct the         compliance and       of the Servicing
                      Enterprises to provide routinely their          minimized losses     Alignment Initiative
                      internal reports and reviews for the Division                        (EVL-2014-003,
                      of Housing Mission and Goals’ assessment.                            February 12, 2014)

                      FHFA’s Division of Housing Mission and          Improved servicing   FHFA’s Oversight
                      Goals Deputy Director should regularly          compliance and       of the Servicing
                      review Servicing Alignment Initiative-related   minimized losses     Alignment Initiative
                      guidelines for enhancements or revisions,                            (EVL-2014-003,
                      as necessary, based on servicers’ actual                             February 12, 2014)
                      versus expected performance.

Oversight of Fannie   FHFA should ensure that it has adequate         Improved oversight   Management Alert:
Mae Headquarters      internal staff, outside contractors, or both,                        Need for Increased
Consolidation and     who have the professional expertise and                              Oversight by FHFA,
    Relocation        experience in commercial construction to                             as Conservator of
                      oversee the build-out plans and associated                           Fannie Mae, of the
                      budget(s), as Fannie Mae continues to                                Projected Costs
                      revise and refine them.                                              Associated with
                                                                                           Fannie Mae’s
                                                                                           Headquarters
                                                                                           Consolidation and
                                                                                           Relocation Project
                                                                                           (COM-2016-004,
                                                                                           June 16, 2016)

                      FHFA should direct Fannie Mae to provide        Improved oversight   Management Alert:
                      regular updates and formal budgetary                                 Need for Increased
                      reports to the Division of Conservatorship                           Oversight by FHFA,
                      (now known as the Division of Resolutions)                           as Conservator of
                      for its review and for FHFA approval through                         Fannie Mae, of the
                      the design and construction of Fannie                                Projected Costs
                      Mae’s leased space in Midtown Center.                                Associated with
                                                                                           Fannie Mae’s
                                                                                           Headquarters
                                                                                           Consolidation and
                                                                                           Relocation Project
                                                                                           (COM-2016-004,
                                                                                           June 16, 2016)

                                            OIG • September 1, 2021                                      31
Specific Risk to be                                                                            Report Name and
                                     Recommendation                         Expected Impact
    Mitigated                                                                                        Date
Oversight of Fannie     To reduce the waste from Option C (the           Reduced waste        Consolidation and
  Mae Northern          option Fannie Mae selected for its future                             Relocation of
      Virginia          operations in Northern Virginia), FHFA,                               Fannie Mae’s
Consolidation and       consistent with its duties as conservator,                            Northern Virginia
    Relocation          should cause Fannie Mae to calculate the                              Workforce (OIG-
                        net present value for a Status Quo Option,                            2018-004,
                        and calculate the costs associated with                               September 6,
                        terminating the lease with Boston                                     2018)
                        Properties.

                        To reduce the waste from Option C, FHFA,         Reduced waste        Consolidation and
                        consistent with its duties as conservator,                            Relocation of
                        should direct Fannie Mae to terminate the                             Fannie Mae’s
                        lease, cancel the sale of the three owned                             Northern Virginia
                        buildings, and implement the Status Quo                               Workforce (OIG-
                        Option, should the net present value for a                            2018-004,
                        Status Quo Option and the termination                                 September 6,
                        costs be lower than the adjusted net                                  2018)
                        present value for Option C.

Conflicts of Interest   Take appropriate action to address conflicts     Improved oversight   Administrative
                        of interest issue involving an entity within                          Investigation into
                        FHFA’s oversight authority. Public release                            Anonymous Hotline
                        by OIG of certain information in the                                  Complaints
                        Management Alert and accompanying                                     Concerning
                        expert report is prohibited by the Privacy Act                        Timeliness and
                        of 1974 (Pub.L. 93–579, 88 Stat. 1896,                                Completeness of
                        enacted December 31, 1974, 5 U.S.C. §                                 Disclosures
                        552a).                                                                Regarding a
                                                                                              Potential Conflict of
                                                                                              Interest by a Senior
                                                                                              Executive Officer of
                                                                                              an Enterprise (OIG-
                                                                                              2017-004, March
                                                                                              23, 2017)

                                              OIG • September 1, 2021                                       32
Specific Risk to be                                                                            Report Name and
                                   Recommendation                         Expected Impact
    Mitigated                                                                                         Date
                      Take appropriate action to address conflicts     Improved oversight     Administrative
                      of interest issue involving an entity within                            Investigation into
                      FHFA’s oversight authority. Public release                              Anonymous Hotline
                      by OIG of certain information in the                                    Complaints
                      Management Alert and accompanying                                       Concerning
                      expert report is prohibited by the Privacy Act                          Timeliness and
                      of 1974 (Pub.L. 93–579, 88 Stat. 1896,                                  Completeness of
                      enacted December 31, 1974, 5 U.S.C. §                                   Disclosures
                      552a).                                                                  Regarding a
                                                                                              Potential Conflict of
                                                                                              Interest by a Senior
                                                                                              Executive Officer of
                                                                                              an Enterprise (OIG-
                                                                                              2017-004, March
                                                                                              23, 2017)

                                                    Supervision
  Examination         DER should adopt a comprehensive                 Improved efficiency    Evaluation of the
 Recordkeeping        examination workpaper index and                                         Division of
   Practices          standardize electronic workpaper folder                                 Enterprise
                      structures and naming conventions                                       Regulation’s 2013
                      between the two Core Teams. In addition,                                Examination
                      FHFA and DER should upgrade                                             Records:
                      recordkeeping practices as necessary to                                 Successes and
                      enhance the identification and retrieval of                             Opportunities (EVL-
                      critical workpapers.                                                    2015-001, October
                                                                                              6, 2014)

   Examination        FHFA should establish and communicate            Improved supervision   Five Years After
    Guidance          clear expectations for use of revised and                               Issuance, Many
                      new examination modules by DER                                          Examination
                      examiners.                                                              Modules Remain in
                                                                                              Field Test; FHFA
                                                                                              Should Establish
                                                                                              Timelines and
                                                                                              Processes to
                                                                                              Ensure Timely
                                                                                              Revision of
                                                                                              Examiner Guidance
                                                                                              (EVL-2019-003,
                                                                                              September 10,
                                                                                              2019)

                                            OIG • September 1, 2021                                         33
Specific Risk to be                                                                         Report Name and
                                   Recommendation                      Expected Impact
    Mitigated                                                                                     Date
  Oversight of        FHFA should review FHFA’s existing            Improved remediation   FHFA’s Examiners
   Enterprise         requirements, guidance, and processes         of deficiencies        Did Not Meet
 Remediation of       regarding MRAs against the requirements,                             Requirements and
  Deficiencies        guidance, and processes adopted by the                               Guidance for
                      Office of the Comptroller of the Currency,                           Oversight of an
                      the Board of Governors of the Federal                                Enterprise’s
                      Reserve System, and other federal financial                          Remediation of
                      regulators including, but not limited to,                            Serious
                      content of an MRA; standards for proposed                            Deficiencies (EVL-
                      remediation plans; approval authority for                            2016-004, March
                      proposed remediation plans; real-time                                29, 2016)
                      assessments at regular intervals of the
                      effectiveness and timeliness of an
                      Enterprise’s MRA remediation efforts; final
                      assessment of the effectiveness and
                      timeliness of an Enterprise’s MRA
                      remediation efforts; and required
                      documentation for examiner oversight of
                      MRA remediation.

                      Based on the results of the review in         Improved remediation   FHFA’s Examiners
                      recommendation 1, FHFA should assess          of deficiencies        Did Not Meet
                      whether any of the existing requirements,                            Requirements and
                      guidance, and processes adopted by FHFA                              Guidance for
                      should be enhanced, and make such                                    Oversight of an
                      enhancements.                                                        Enterprise’s
                                                                                           Remediation of
                                                                                           Serious
                                                                                           Deficiencies (EVL-
                                                                                           2016-004, March
                                                                                           29, 2016)

Communication of      FHFA should revise its supervision guidance   Improved Board         FHFA’s Supervisory
 Deficiencies to      to require DER to provide the Chair of the    oversight              Standards for
Enterprise Boards     Audit Committee of an Enterprise Board                               Communication of
                      with each plan submitted by Enterprise                               Serious
                      management to remediate an MRA with                                  Deficiencies to
                      associated timetables and the response by                            Enterprise Boards
                      DER.                                                                 and for Board
                                                                                           Oversight of
                                                                                           Management’s
                                                                                           Remediation
                                                                                           Efforts are
                                                                                           Inadequate (EVL-
                                                                                           2016-005, March
                                                                                           31, 2016)

                                          OIG • September 1, 2021                                       34
Specific Risk to be                                                                           Report Name and
                                   Recommendation                        Expected Impact
    Mitigated                                                                                        Date
                      FHFA should revise its supervision guidance     Improved supervision   FHFA’s Supervisory
                      to require DER to provide the Chair of the                             Standards for
                      Audit Committee of an Enterprise Board                                 Communication of
                      with each conclusion letter setting forth an                           Serious
                      MRA.                                                                   Deficiencies to
                                                                                             Enterprise Boards
                                                                                             and for Board
                                                                                             Oversight of
                                                                                             Management’s
                                                                                             Remediation
                                                                                             Efforts are
                                                                                             Inadequate (EVL-
                                                                                             2016-005, March
                                                                                             31, 2016)

                      FHFA should direct DER to develop detailed      Improved Board         FHFA Failed to
                      guidance and promulgate that guidance to        oversight              Consistently Deliver
                      each Enterprise’s board of directors that                              Timely Reports of
                      explains:                                                              Examination to the
                       • The purpose for DER’s annual                                        Enterprise Boards
                           presentation to each Enterprise board                             and Obtain Written
                           of directors on the ROE results,                                  Responses from
                           conclusions, and supervisory concerns                             the Boards
                           and the opportunity for directors to ask                          Regarding
                           questions and discuss ROE                                         Remediation of
                           examination conclusions and                                       Supervisory
                           supervisory concerns at that                                      Concerns Identified
                           presentation; and                                                 in those Reports
                                                                                             (EVL-2016-009,
                       • The requirement that each Enterprise
                           board of directors submit a written                               July 14, 2016)
                           response to the annual ROE to DER
                           and the expected level of detail
                           regarding ongoing and contemplated
                           remediation in that written response.

                                           OIG • September 1, 2021                                         35
Specific Risk to be                                                                          Report Name and
                                   Recommendation                       Expected Impact
    Mitigated                                                                                       Date
                      FHFA should direct the Enterprises’ boards     Improved Board         FHFA Failed to
                      to amend their charters to require review by   oversight              Consistently Deliver
                      each director of each annual ROE and                                  Timely Reports of
                      review and approval of the written response                           Examination to the
                      to DER in response to each annual ROE.                                Enterprise Boards
                                                                                            and Obtain Written
                                                                                            Responses from
                                                                                            the Boards
                                                                                            Regarding
                                                                                            Remediation of
                                                                                            Supervisory
                                                                                            Concerns Identified
                                                                                            in those Reports
                                                                                            (EVL-2016-009,
                                                                                            July 14, 2016)

   Assessing          FHFA should ensure that the underlying         Improved remediation   FHFA’s Inconsistent
 Remediation of       remediation documents, including the           of deficiencies        Practices in
  Deficiencies        Procedures Document, are readily available                            Assessing
                      by direct link or other means, through DER’s                          Enterprise
                      MRA tracking system(s).                                               Remediation of
                                                                                            Serious
                                                                                            Deficiencies and
                                                                                            Weaknesses in its
                                                                                            Tracking Systems
                                                                                            Limit the
                                                                                            Effectiveness of
                                                                                            FHFA’s Supervision
                                                                                            of the Enterprises
                                                                                            (EVL-2016-007,
                                                                                            July 14, 2016)

                      FHFA should require DER to track interim       Improved remediation   FHFA’s Inconsistent
                      milestones and to independently assess         of deficiencies        Practices in
                      and document the timeliness and adequacy                              Assessing
                      of Enterprise remediation of MRAs on a                                Enterprise
                      regular basis.                                                        Remediation of
                                                                                            Serious
                                                                                            Deficiencies and
                                                                                            Weaknesses in its
                                                                                            Tracking Systems
                                                                                            Limit the
                                                                                            Effectiveness of
                                                                                            FHFA’s Supervision
                                                                                            of the Enterprises
                                                                                            (EVL-2016-007,
                                                                                            July 14, 2016)

                                           OIG • September 1, 2021                                        36
Specific Risk to be                                                                         Report Name and
                                   Recommendation                      Expected Impact
    Mitigated                                                                                      Date
                      FHFA should require the Enterprises to        Improved remediation   FHFA’s Inconsistent
                      provide, in their remediation plans, the      of deficiencies        Practices in
                      target date in which their internal audit                            Assessing
                      departments expect to validate                                       Enterprise
                      management’s remediation of MRAs, and                                Remediation of
                      require examiners to enter that date into a                          Serious
                      dedicated field in the MRA tracking system.                          Deficiencies and
                                                                                           Weaknesses in its
                                                                                           Tracking Systems
                                                                                           Limit the
                                                                                           Effectiveness of
                                                                                           FHFA’s Supervision
                                                                                           of the Enterprises
                                                                                           (EVL-2016-007,
                                                                                           July 14, 2016)

                      FHFA should periodically conclude, based      Improved remediation   FHFA Requires the
                      upon sufficient examination work, on the      of deficiencies        Enterprises’
                      overall effectiveness of the Internal Audit                          Internal Audit
                      functions at Fannie Mae and Freddie Mac.                             Functions to
                                                                                           Validate
                                                                                           Remediation of
                                                                                           Serious
                                                                                           Deficiencies but
                                                                                           Provides No
                                                                                           Guidance and
                                                                                           Imposes No
                                                                                           Preconditions on
                                                                                           Examiners’ Use of
                                                                                           that Validation
                                                                                           Work (EVL-2018-
                                                                                           002, March 28,
                                                                                           2018)

                                           OIG • September 1, 2021                                      37
You can also read