Rule

Safety and Soundness Regulation

This document has been published in the Federal Register.

AGENCY:

Office of Federal Housing Enterprise Oversight, DHUD.

ACTION:

Final rule.

SUMMARY:

The Office of Federal Housing Enterprise Oversight (OFHEO) is issuing a final rule to support increased transparency and public awareness of minimum supervisory standards adopted by OFHEO and applied in overseeing the safety and soundness of the Federal National Mortgage Association (Fannie Mae) and the Federal Home Loan Mortgage Corporation (Freddie Mac) (collectively, the Enterprises). The final rule's format reflects that used by other federal regulators. The rule delineates supervisory standards in a manner consistent with recent rulings by the United States Supreme Court affecting agency pronouncements. OFHEO will adopt and publish supervisory policy guidance as appendices to the rule as it deems appropriate to illuminate areas of particular interest or potential concern.

EFFECTIVE DATES:

September 30, 2002.

FOR FURTHER INFORMATION CONTACT:

David W. Roderer, Deputy General Counsel, or Marvin Shaw, Senior Counsel, at (202) 414-3775 (not a toll-free number), Office of General Counsel, Office of Federal Housing Enterprise Oversight, 1700 G Street NW., Fourth Floor, Washington, DC 20552. The telephone number for the Telecommunications for the Deaf is: (800) 877-8339 (TTD only).

SUPPLEMENTARY INFORMATION:

The Federal Housing Enterprises Financial Safety and Soundness Act of 1992, Title XIII of Pub. L. No. 102-550 (the Act), empowers OFHEO to take any such action as the Director determines to be appropriate to ensure that the federally sponsored housing enterprises, the Federal National Mortgage Association (Fannie Mae) and the Federal Home Loan Mortgage Corporation (Freddie Mac) (collectively, the Enterprises), are adequately capitalized and operating safely by, among other things, adopting supervisory policies and standards by regulation or other guidance or process.

On December 19, 2000, OFHEO issued Policy Guidance PG-00-001 setting forth minimum supervisory standards in eight broad areas of particular regulatory interest and potential concern and issued Policy Guidance PG-00-002, that addressed standards for non-mortgage liquidity.[1] One year later, a third policy guidance was adopted that specifically sets out the minimum safety and soundness standards for information systems and security.[2] That policy guidance, entitled “Safety and Soundness Standards for Information,” focused narrowly on safety and soundness concerns with the adequacy of the Enterprises' respective policies and procedures affecting the security of their information systems and integrity of such information, including borrower information maintained by the Enterprises.

The minimum standards set forth in OFHEO's policy guidances are designed to identify key safety and soundness concerns regarding operation and management of an Enterprise, and to ensure that the conduct and practices of the Enterprises reasonably avoid the emergence of problems that might entail serious risks. The minimum standards also reflect the need for internal policies and procedures in particular areas that, if not appropriately addressed by an Enterprise, may warrant supervisory action by OFHEO in order to reduce risks of loss and corresponding capital impairment. The minimum standards set out in such guidances are intended to effect these purposes without dictating how the Enterprises must be operated and managed.

On June 21, 2002, OFHEO published a notice in the Federal Register proposing a rule that would provide the regulatory framework for the adoption and publication of such policy guidance.[3] The format of the proposed regulation, as a formal agency pronouncement delineating the parameters of the supervisory standards applicable to the Enterprise, mirrors that used by the Office of the Comptroller of the Currency (OCC) in promulgating safety and soundness standards for national banks[4] pursuant to Section 39 of the Federal Deposit Insurance Act.[5] The OCC used a similar format when it adopted specific supervisory standards applicable to bank information systems.[6]

OFHEO received comments from Freddie Mac, Fannie Mae and the Mortgage Bankers Association of America (MBAA). The commenters generally supported the proposal. Freddie Mac agreed with the purpose of the rule of improving transparency and public awareness of supervisory standards applicable to the Enterprises. In particular, Freddie Mac acknowledged the issuance of guidance is the most effective way to integrate safety and soundness objectives into an ever-changing business environment. Similarly, Fannie Mae supported the purpose of the rule: to enhance transparency and public awareness of these minimum supervisory standards. MBAA noted that the proposal and the specific authorities set forth by OFHEO appear to be reasonable and within the bounds of prudent regulatory practice.

OFHEO analyzed the comments and suggestions for improvement of the proposed rule. Freddie Mac recommended that § 1720.2 be modified with respect to the Director's authority to include the phrase “to the extent such actions are authorized by the Act.” OFHEO agrees with Freddie Mac that the Director may only exercise such authority as is specifically granted, or by implication is necessary to carry out specific grants of authority, in legislation enacted by Congress. Accordingly, OFHEO believes that it is unnecessary to amend the regulatory text in § 1720.2 to state this principle.

Fannie Mae questioned the need for what they believe are “duplicative reassertions of authority” since OFHEO has asserted its authority in the guidances and in 12 CFR Part 1777. Fannie Mae also requested confirmation of its belief that the rulemaking does not convert OFHEO's policy guidances into rules subject to the Administrative Procedure Act (APA). Finally, Fannie Mae requested that OFHEO solicit input from the Enterprises whenever it develops any supervisory policy guidance.

OFHEO notes that its assertion of statutory authority in this rulemaking as well as in the guidances and Part 1777 reflects common practice among federal agencies in specifying their authority whenever they publish agency rules or other pronouncements. This practice cites the authority of the agency to those coming into contact with an agency pronouncement for the first time. OFHEO agrees that the safety and soundness rule set forth in final form here does not “convert” existing or future guidance into rules subject to the APA. Indeed, this would be contrary to OFHEO's intent and reduce its use of this important and flexible supervisory device.

As explained in the NPR, the final regulation and appended guidances are intended to facilitate the public awareness and enforceability of such standards as official agency pronouncements in a manner consistent with recent United States Supreme Court rulings.[7]

Nothing in the OFHEO Policy Guidances limits the authority of OFHEO to otherwise address unsafe or unsound conditions or practices, or violations of applicable laws, regulations or supervisory orders, as detailed in § 1720.1(b).

Regulatory Impact

Executive Order 12866, Regulatory Planning and Review

The regulation is not classified as a significant rule under Executive Order 12866 because it will not result in an annual effect on the economy of $100 million or more or a major increase in costs or prices for consumers, individual industries, Federal, State, or local government agencies, or geographic regions; or have significant adverse effects on competition, employment, investment, productivity, innovation, or on the ability of United States-based enterprises to compete with foreign-based enterprises in domestic or foreign markets. Accordingly, no regulatory impact assessment is required and this regulation need not be submitted to the Office of Management and Budget for formal review.

Unfunded Mandates Reform Act of 1995

This rule does not include a Federal mandate that could result in the expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of $100,000,000 or more (adjusted annually for inflation) in any one year. As a result, the rule does not warrant the preparation of an assessment statement in accordance with the Unfunded Mandates Reform Act of 1995.

Regulatory Flexibility Act

The Regulatory Flexibility Act (5 U.S.C. 601 et seq.) requires that a regulation that has a significant economic impact on a substantial number of small entities, small businesses, or small organizations must include an initial regulatory flexibility analysis describing the regulation's impact on small entities. Such an analysis need not be undertaken if the agency has certified that the regulation will not have a significant economic impact on a substantial number of small entities. 5 U.S.C. 605(b). OFHEO has considered the impact of the regulation under the Regulatory Flexibility Act. The General Counsel of OFHEO certifies that the regulation is not likely to have a significant economic impact on a substantial number of small business entities because the regulation only affects the Enterprises, which are not small entities for purposes of the Regulatory Flexibility Act.

Paperwork Reduction Act of 1995

This regulatory action contains no information collection requirement that would require the approval of the Office of Management and Budget pursuant to the Paperwork Reduction Act, 44 U.S.C. 3501-3520.

List of Subjects in 12 CFR Part 1720

Accordingly, for the reasons set out in the preamble, the Office of Federal Housing Enterprise Oversight is adding part 1720 to subchapter C of 12 CFR chapter XVII to read as follows:

PART 1720—SAFETY AND SOUNDNESS

1720.1 Authority.
1720.2 Safety and soundness standards.
Appendices

Appendix A to Part 1720—Policy Guidance; Minimum Safety and Soundness Requirements

Appendix B to Part 1720—Policy Guidance; Non-Mortgage Liquidity Investments

Appendix C to Part 1720—Policy Guidance; Safety and Soundness Standards for Information

Authority: 12 U.S.C. 4513(a), 4513(b)(1), 4513(b)(5), 4517(a), 4521(a)(2) through (3), 4631, 4632, and 4636.

§ 1720.1 Authority.

(a) Authority. This part is issued by the Office of Federal Housing Enterprise Oversight (OFHEO) pursuant to sections 1313(a), 1313(b)(1), and 1313(b)(5) of the Federal Housing Enterprise Financial Safety and Soundness Act (Act) (12 U.S.C. 4513(a), 4513(b)(1), and 4513(b)(5)). These provisions of the Act authorize OFHEO to take any action deemed appropriate by the Director of OFHEO to ensure that the Federal National Mortgage Association and the Federal Home Loan Mortgage Corporation (the Enterprises) are operated in a safe and sound manner, including by adopting supervisory policies and standards by regulation, guidance, or other process.

(b) Preservation of existing authority. No action by OFHEO undertaken with reference to a policy guidance or this regulation will in any way limit the authority of the Director otherwise to address unsafe or unsound conditions or practices, or other violations of law, rule or regulation. Action with reference to a policy guidance or this regulation may be taken separate from, in conjunction with, or in addition to any other supervisory response, enforcement action, or agency-imposed requirements deemed appropriate by OFHEO. Nothing in this regulation or any guidance issued by OFHEO limits the authority of the Director pursuant to section 1313 of the Act (12 U.S.C. 4513) or any other provision of law, rule or regulation applicable to the Enterprises.

§ 1720.2 Safety and soundness standards.

Policy guidances as may be adopted from time to time by OFHEO, addressing safety and soundness standards, shall apply to the Enterprises. If OFHEO determines that an Enterprise does not meet a requirement set out in such policy guidance, it may require corrective or remedial actions by the Enterprise, and take such enforcement action as the Director deems to be appropriate.

Appendix A to Part 1720—Policy Guidance; Minimum Safety and Soundness Requirements

A—Background and Introduction

I. Background

II. Introduction

B—Operational and Managerial Requirements

I. Asset underwriting and credit quality.

II. Balance sheet growth and management.

III. Market risk.

IV. Information technology.

V. Internal controls.

VI. Audits.

VII. Information reporting and documentation.

VIII. Board and management responsibilities and function.

IX. Format of policies and procedures.

C—Compliance Plans

I. Notice; submission and review of compliance plan.

II. Failure to submit acceptable plan or to comply with plan.

A—Background and Introduction

I. Background. The Federal Housing Enterprises Safety and Soundness Act of 1992, Title XIII of Pub. L. No. 102-550 (the Act) empowers OFHEO to take any such action as the Director determines to be appropriate to ensure that the federally sponsored housing enterprises, Fannie Mae and Freddie Mac, are, among other things, adequately capitalized and operating safely, including by adopting supervisory policies and standards by regulation or other guidance or process.

i. OFHEO herein sets forth the minimum supervisory requirements used by the agency in reviewing and ensuring the adequacy of policies and procedures of the Enterprises in the areas of: (1) Asset underwriting and credit quality; (2) balance sheet growth; (3) market risks; (4) information technology; (5) internal controls; (6) audits; (7) information reporting and documentation; and (8) board and management responsibilities and functions. If the agency finds that an Enterprise fails to meet any requirement or standard set forth in this pronouncement, the Director may, among other things, require the Enterprise to submit to the agency and implement an adequate plan to achieve timely compliance with the requirement or standard. If the Enterprise fails to submit such an adequate plan within the time specified by the agency or fails in any material respect to implement the plan, the agency may take additional supervisory action. The Director may at any time prescribe such supervisory actions as deemed appropriate to correct conditions resulting from an unsafe or unsound practice or condition or deficiency in complying with regulatory requirements or standards including, but not limited to, issuance of a notice of charges or order, imposition of civil money penalties, or other remedial actions or sanctions as determined by the Director.

ii. The minimum supervisory requirements and standards identify key safety and soundness concerns regarding operation and management of an Enterprise, and ensure that action is taken to avoid the emergence of problems that might entail serious risks to an Enterprise. The minimum supervisory requirements of the Policy Guidance also reflect the need for internal policies and procedures in particular areas that, if not appropriately addressed by the Enterprises, may warrant action by OFHEO in order to reduce risks of loss and possible capital impairment. The proposed minimum requirements set forth herein are intended to effect these purposes without dictating how the Enterprises must be operated and managed; moreover, the Policy Guidance does not set out detailed operational and managerial procedures that an Enterprise must have in place. The Policy Guidance is intended to identify the ends that proper operational and management policies and procedures are to achieve, while leaving the means to be devised by each Enterprise as it designs and implements its own policies and procedures. Where OFHEO does specify particular requirements, each Enterprise's management is left with substantial flexibility to fashion and implement them.

iii. The Policy Guidance is not intended to effect a change in OFHEO's policies; the announced minimum requirements reflect the basic underlying criteria OFHEO uses to assess the operations and managerial quality of an Enterprise. OFHEO will determine compliance with the requirements and related standards through examinations of the Enterprises, as well as off-site surveillance means and other interchanges with each Enterprise.

iv. OFHEO routinely undertakes to evaluate an Enterprise's overall policies, in order to determine whether such policies are safe and sound in principle and in practice. OFHEO also evaluates whether procedures are in place to ensure that an Enterprise's overall policies as adopted by the Enterprise's board of directors and management are, in fact, applied in the normal course of business. As reflected in the Policy Guidance, the Enterprises are, at a minimum, expected to adopt appropriate policies and internal guidelines, and to put in place procedures to ensure they are followed as a matter of routine.

v. Nothing in the Policy Guidance in any way limits the authority of OFHEO to otherwise address unsafe or unsound conditions or practices, or violations of applicable law, regulation or supervisory order. Action referencing the Policy Guidance may be taken separate from, in conjunction with or in addition to any other enforcement action available to OFHEO. Compliance with the Policy Guidance in general would not preclude a finding by the agency that an Enterprise is otherwise engaged in a specific unsafe or unsound practice or is in an unsafe or unsound condition, or requiring corrective or remedial action with regard to such practice or condition. That is, supervisory action is not precluded against an Enterprise that has not been cited for a deficiency under the Policy Guidance. Conversely, an Enterprise's failure to comply with one of the supervisory requirements set forth in the Policy Guidance may not warrant a formal supervisory response from OFHEO, if the agency determines the matter may be otherwise addressed in a satisfactory manner. For example, OFHEO may require timely submission of a plan to achieve compliance with the particular requirement or standard without taking any other enforcement action.

II. Introduction. i. Authority, purpose, and scope.

a. Authority. This Policy Guidance is issued by the Office of Federal Housing Enterprise Oversight (OFHEO) pursuant to sections 1313(a), 1313(b)(1), 1313(b)(5) and 1371 of the Federal Housing Enterprise Safety and Soundness Act (Act) (12 U.S.C. 4513(a), 4513(b)(1), 4513(b)(5) and 4631). These provisions of the Act authorize OFHEO to take any action deemed appropriate by the Director of OFHEO to ensure that the Federal National Mortgage Association and the Federal Home Loan Mortgage Corporation (the Enterprises) are operated in a safe and sound manner, including by adopting supervisory policies and standards by regulation, guidance, or other process.

b. Purpose and scope. This Policy Guidance sets out certain minimum safety and soundness requirements for the business and operations of the Enterprises, and reiterates agency policies requiring the Enterprises to establish and implement policies and procedures that are sufficient to effectuate compliance with supervisory standards. If OFHEO determines that an Enterprise does not meet the requirements set forth herein, the Director may require the Enterprise to submit and carry out a plan to achieve compliance, or may take other corrective and remedial actions. The requirements enumerated herein are supervisory minimums. In order to satisfy an Enterprise's overarching obligation under the Act to conduct its operations in a safe and sound manner, it may be necessary and appropriate for an Enterprise to take additional measures in these or other areas, as directed by OFHEO through regulation, guidance, order or otherwise as part of the supervisory process.

ii. Preservation of existing authority. Neither this Policy Guidance nor any action by OFHEO to enforce compliance of an Enterprise therewith in any way limits the authority of the Director otherwise to address unsafe or unsound conditions or practices, or other violations of law or other regulation. Action under this Policy Guidance may be taken separate from, in conjunction with, or in addition to any other enforcement action deemed appropriate by OFHEO. Nothing in this Policy Guidance or related guidances limits the authority of the Director pursuant to section 1313 of the Act (12 U.S.C. 4513) or any other provision of law, rule or regulation applicable to the Enterprises.

iii. Definitions. For purposes of this Policy Guidance, except as modified therein or unless the context otherwise requires, the terms used have the same meaning as set forth in section 1303 of the Act (12 U.S.C. 4502).

B—Operational and Managerial Requirements

I. Asset underwriting and credit quality. An Enterprise should establish and implement policies and procedures to adequately assess credit risks before they are assumed, and monitor such risks subsequently to ensure that they conform to the Enterprise's credit risk standards on an individual and an aggregate basis. The Enterprise should:

i. For loans purchased and loans collateralizing securities guaranteed by the Enterprise, adopt and implement prudent underwriting standards and procedures commensurate with the type of loan or loans and the markets in which the loan or loans were made that include consideration of the borrower's and any guarantor's financial condition and ability to repay as well as the type and value of any collateral or credit enhancement;

ii. To the extent the Enterprise's assets are serviced or administered by other entities or are covered by mortgage insurance or other credit enhancements or arrangements, the Enterprise's policies and procedures should recognize the consequences and implications of such contractual arrangements for the Enterprise's credit risk;

iii. Establish and implement policies and procedures to address declining credit quality and to require appropriate corrective action; to establish sufficient reserves; and to deal with defaulted assets so as to minimize losses;

iv. Establish and implement policies and procedures to select and price credit risk to ensure that the Enterprise is appropriately compensated commensurate with the credit risk it assumes and its statutory obligations;

v. Establish and implement policies and procedures that address the prudential selection, management and handling of counterparty credit exposure that arises from engaging in hedging activities and the use of derivative instruments; and

vi. Establish and implement policies and procedures to identify, monitor and evaluate its credit exposures on an aggregate basis so as to assess the implications and consequences of matters such as concentration exposure (including geographic as well as product concentrations), to identify and evaluate credit risk trends effectively, and to maintain and revise appropriately its systems and procedures for underwriting, servicing, and monitoring of such exposures and changes to those exposures.

II. Balance sheet growth and management. An Enterprise's balance sheet growth should be prudent and consider:

i. The source, volatility, and use of funds that support balance sheet growth;

ii. Any changes in credit risk or interest rate risk resulting from balance sheet growth;

iii. The effect of balance sheet growth on the Enterprise's capital adequacy; and

iv. The appropriate policies and procedures needed to manage changes in risk that may occur as a result of balance sheet growth.

III. Market risk. An Enterprise should establish and implement policies and procedures that allow for the effective identification, measurement, monitoring, and management of market risk. The Enterprise should:

i. Establish and implement policies and procedures sufficient to quantify and monitor the interest rate risk of the Enterprise effectively and to model the effect of differing interest rate scenarios on the Enterprise's financial condition and operations;

ii. Develop risk management strategies that respond appropriately to changes in interest rates;

iii. Establish and implement policies and procedures sufficient to quantify and monitor the Enterprise's liquidity effectively, and to identify and anticipate various market environments and their effects on the Enterprises' liquidity; and

iv. Establish and maintain an effective contingency plan for liquidity under varying scenarios.

IV. Information technology. An Enterprise should establish and implement policies and procedures to ensure that its computing resources, proprietary and nonpublic information and data are:

i. Protected from access by unauthorized users, and otherwise protected by appropriate security measures;

ii. Reliable, accurate and available at all times as needed for its business operations, including an ability to effect timely recovery and resume operations after a reasonably foreseeable adverse event; and

iii. Designed to ensure adequate support of business operations.

V. Internal controls. An Enterprise should maintain and implement internal controls appropriate to the nature, scope and risk of its business activities that, at a minimum, provide for:

i. An organizational structure and assignment of responsibility for management, employees, consultants and contractors, that provide for accountability and controls, including adherence to policies and procedures;

ii. A control framework commensurate with the Enterprise's risks;

iii. Policies and procedures adequate to safeguard and to manage assets; and

iv. Compliance with applicable laws, regulations and policies.

VI. Audits. An Enterprise should establish and implement internal and external audit programs appropriate to the nature and scope of its business activities that, at minimum, provide for:

i. Adequate monitoring of internal controls through an audit function appropriate to the Enterprise's size, structure and scope of operations;

ii. Independence of the audit function;

iii. Qualified professionals and management for the conduct and review of audit functions;

iv. Adequate testing and review of audited areas together with adequate documentation of findings and of any recommendations and corrective actions; and

v. Verification and review of measures and actions undertaken to address identified material weaknesses.

VII. Information reporting and documentation. An Enterprise should establish and implement policies and procedures for generating and retaining reports and documents that:

i. Enable the Enterprise's board of directors (including appropriate committees) to make informed decisions and to exercise its oversight function, by providing all such relevant information of an appropriate level of detail as necessary;

ii. Enable the Enterprise's managers to make informed business decisions and to assess risks for all aspects of the Enterprise's business on an ongoing basis, by providing sufficient relevant information of an appropriate level of detail as necessary;

iii. Ensure decision-makers have appropriate and necessary information about particular transactions and business operations;

iv. Enable the Enterprise to administer and supervise all assets, liabilities, commitments and other financial obligations appropriately;

v. Enable the Enterprise to enforce legal claims against borrowers, counterparties and other obligors; and

vi. Ensure timely and complete submissions of reports of financial condition and operations, as well as annual and other periodic reports and special reports to OFHEO whenever requested or required by OFHEO.

VIII. Board and management responsibilities and function. An Enterprise's board of directors shall ensure that the board (including appropriate committees) works with executive management to establish the Enterprise's strategies and goals in an informed manner, and that the Enterprise's executive managers and other managers, as appropriate, implement such strategies, by ensuring at a minimum that:

i. The board (including appropriate committees) oversees the development of the Enterprise's strategies in key areas and exercises oversight necessary to ensure that management sets policies and controls to implement such strategies effectively;

ii. The board (including appropriate committees) hires qualified executive management, and exercises oversight to hold management accountable for meeting the Enterprise's goals and objectives;

iii. The board (including appropriate committees) is provided with accurate information about the operations and financial condition of the Enterprise in a timely fashion, and sufficient to enable the board to effect its oversight duties and responsibilities;

iv. Management of the Enterprise sets policies and controls to ensure the Enterprise's strategies are implemented effectively, and that the Enterprise's organization structure and assignment of responsibilities provide clear accountability and controls; and

v. Management of the Enterprise establishes and maintains an effective risk management framework, including review of such framework to monitor its effectiveness and taking appropriate action to correct any weaknesses.

IX. Format of policies and procedures. i. Generally, the policies of an Enterprise contemplated by this Policy Guidance should be in writing and in such form and detail as appropriate in light of their intended purpose, nature, and potential consequences for the operations and financial condition of the Enterprise, and approved by the board of directors (including appropriate committees) or such responsible officer or officers as designated by the board.

ii. The policies and procedures of an Enterprise contemplated by this Policy Guidance should be provided to OFHEO at such time and in such format as OFHEO directs.

C—Compliance Plans

I. Notice; submission and review of compliance plans. i. Determination. The Director of OFHEO may, based upon a report of examination, or other supervisory information however acquired, determine that an Enterprise has failed or is likely to fail to satisfy the minimum supervisory requirements or standards set forth in part B of this appendix.

ii. Request for compliance plan. If the Director determines pursuant to paragraph C.I.i of this appendix that an Enterprise has failed or is likely to fail to satisfy a supervisory requirement or standard, OFHEO may require the submission of a written compliance plan.

iii. Schedule for filing compliance plan. An Enterprise may be required to file a written compliance plan with OFHEO within thirty days of receiving a written request for a compliance plan pursuant to paragraph C.I.ii of this appendix.

iv. Contents of plan. A required compliance plan should include, subject to additional direction by OFHEO, a detailed description of the steps the Enterprise will take to correct a deficiency and any condition resulting therefrom and the time within which such steps will be undertaken and fully implemented.

v. Review of compliance plans. If the compliance plan submitted under this section is deemed to be inadequate or incomplete, OFHEO may provide written notice of such inadequacy or deficiencies thereof to the Enterprise or seek additional information from the Enterprise regarding the plan.

vi. Amendment of compliance plan. An Enterprise that has filed a required compliance plan to which no objection has been raised by OFHEO may, after prior written notice to and approval by the Director, amend the plan to reflect changes in circumstance, policies and procedures.

II. Failure to submit acceptable plan or to comply with plan. If an Enterprise does not submit an adequate and complete plan as required by the agency within the time specified by OFHEO or does not implement such an adequate and complete plan, the Director may require the Enterprise to correct any deficiency and may require additional corrective or remedial actions by the Enterprise as deemed to be appropriate pursuant to the Act, including sections 1371 (12 U.S.C. 4631), 1372 (12 U.S.C. 4632), and 1376 (12 U.S.C. 4636).

Appendix B to Part 1720—Policy Guidance; Non-Mortgage Liquidity Investments

A—Purpose

B—Activities Covered

C—Standards for Non-mortgage Liquidity Investment Activities

D—Disclosure of Non-mortgage Liquidity Investment Activities

E—Summary

A—Purpose

1. Fannie Mae and Freddie Mac (the Enterprises) were chartered by Congress as government-sponsored enterprises with public missions. They perform an important role in the United States mortgage market by gathering funds and purchasing mortgages from mortgage originators and guaranteeing mortgage-backed securities. In chartering the Enterprises, Congress charged the Enterprises with: (1) providing stability to mortgage markets; (2) responding to the changing capital markets; (3) assisting the secondary markets including the support of these markets for affordable housing; and (4) promoting access to credit throughout the country by increasing liquidity and improving distribution of investment capital for residential mortgage finance. These functions require the Enterprises, as principals in the secondary mortgage market, to serve as bedrock in providing liquidity to the U.S. housing finance system.

2. For the Enterprises effectively to perform their public purposes, they must be financially sound and liquid. As the Enterprises' financial safety and soundness regulator, OFHEO conducts its regulatory programs to ensure these companies adhere to safety and soundness standards. In addition, OFHEO interprets this to include heightening the positive effect of market discipline on the Enterprises by encouraging quality disclosures, appropriate accounting standards, and state-of-the-art risk management, which further strengthens their safety and soundness. More specifically, OFHEO conducts comprehensive safety and soundness examinations and requires the Enterprises to adhere to regulatory capital requirements. In conducting its regulatory programs, OFHEO applies a series of safety and soundness standards to assess the Enterprises' liquidity management, including their investments in non-mortgage liquidity assets. It is appropriate to issue initial guidance that addresses the safety and soundness standards OFHEO uses to evaluate Enterprise investment activities in non-mortgage liquidity assets.

3. Further, it should be noted that the Secretary of HUD, who has general regulatory power over the Enterprises and who is required to make such rules and regulations as necessary to ensure that the purposes of the GSEs' respective Charter Acts are accomplished, has issued an Advanced Notice of Proposed Rulemaking on possible substantive and/or procedural rules governing the GSEs' non-mortgage investment activities. Accordingly, the GSEs may be subject to regulations in this area through future HUD actions, in addition to this initial guidance.

B—Activities Covered

1. The Enterprises must maintain sufficient liquidity to meet both known and unexpected payment demands on borrowings and mortgage securities, for operations and to purchase mortgage assets. Liquidity management is the process by which the Enterprises manage the use and availability of various funding sources to meet current and future needs. Liquidity must be closely managed on a daily basis.

2. The Enterprises manage liquidity through three primary channels: securitizations, issuance of debt and conversion of liquid assets into cash. It is through careful management within and among the three channels, that the Enterprises can effectively meet demands and remain safe and sound under all market conditions. This Guidance specifically addresses “non-mortgage liquidity investments” which are conducted within the liquidity channel whereby the Enterprises are able to convert their own assets into cash.

3. There are various types of investments that may be appropriate for non-mortgage liquidity holdings. Appropriate non-mortgage liquidity investments are characterized by both creditworthiness and low price volatility. Even though an investment may be creditworthy, if the holding is subject to undue price volatility (e.g. common stock), the investment is inappropriate for inclusion in the non-mortgage liquidity portfolio since the investment may not be readily converted into cash without substantial loss.

4. For the purposes of this Guidance, the types of assets listed below are generally considered to be appropriate non-mortgage liquidity investments. This list is subject to revision over time as new asset types are introduced and/or market activities change. The presence of an asset on the list does not mean that OFHEO will necessarily consider any and all Enterprise investments in these assets to be safe and sound, especially if they fail to meet appropriate credit quality, maturity and diversification objectives:

a. Debt issued by the United States Treasury,

b. Debt issued by U.S. Government Agencies,

c. General obligation debt issued by states and municipal authorities,

d. Revenue obligations issued by states and municipal authorities,

e. Corporate debt instruments,

f. Money market instruments,

g. Non-mortgage asset-backed securities, and

h. Reverse repurchase agreements.

5. This Guidance does not address investments in mortgage-backed securities, mortgage revenue bonds, or other investments secured by housing (including commercial mortgage-backed securities with a significant housing component) since these assets are not principally held for liquidity purposes. Also, upon implementation of FAS 133, this Guidance is not intended to address the use of derivative instruments. For activities not covered in this Guidance on non-mortgage liquidity investments, there should be no inferences drawn about OFHEO's views.

C—Standards for Non-Mortgage Liquidity Investment Activities

To ensure there are sufficient funds available to the mortgage market, the Enterprise must actively manage liquidity across all three channels. OFHEO assesses the safety and soundness of non-mortgage liquidity investment activities against five criteria. The five criteria and details about each of the criteria are:

  • Prudent investment policies and procedures that guide the Enterprise's process;
  • Quality management information that ensures timely performance measures and governance data;
  • Safe & sound investment holdings and investment culture;
  • Quality controls and personnel administering and governing the process; and
  • Independent testing of the process to assure compliance.

1. Prudent Investment Policies and Procedures That Guide the Enterprise's Process

a. The Enterprise must have a comprehensive written investment policy that clearly expresses the goals for the non-mortgage liquidity investment activities. The Board of Directors and management must evaluate the effectiveness of non-mortgage liquidity investments in meeting the goals set out in the policy; and management must evaluate activities against the procedures and limitations in the policy. At a minimum, the policy should cover:

i. The purpose of the non-mortgage liquidity investment holdings;

ii. The institutional goal(s) for the non-mortgage liquidity investment holdings;

iii. The authorized instruments and activities;

iv. The internal control standards;

v. The limits structure;

vi. The performance standards and measures; and

vii. The reporting requirements.

b. The policy should clearly document the purpose for non-mortgage liquidity investment holdings. Management should install a series of procedures and controls that produce behaviors and performance that are consistent with the defined purpose for the non-mortgage liquidity investment activities.

c. The policy should establish the primary goals for the non-mortgage liquidity investment activities. For an Enterprise, some primary goals should be to augment liquidity and to generate a rate of return that is reasonable in light of the purpose of such investments. The emphasis placed on individual goals may vary based upon institutional differences. However, non-mortgage liquidity investments made with a goal of maximizing earnings or maximizing arbitrage opportunities would be inconsistent with this Guidance for the maintenance of an Enterprise's liquidity portfolio.

d. The policy should clearly define the authorized investment vehicles and establish guidelines for the introduction of new types of investment vehicles.

e. The Enterprise's procedures should include a framework of controls that provide an appropriate separation of duties and responsibilities. There should be responsibility assigned for an independent review of non-mortgage liquidity investments by a designated unit, such as audit or an independent risk oversight group.

f. The Enterprise should adopt a limit structure to promote diversification in the non-mortgage liquidity investment portfolio and emphasize strategies for risk mitigation. Additionally, there should be limits for the aggregate size of the non-mortgage liquidity investment portfolio.

g. The Enterprise should adopt measures to evaluate performance against the policy and its objectives.

h. The Enterprise should adopt internal reporting requirements that quantify performance, document exceptions, and serve as a basis for communicating information about activities involving non-mortgage liquidity assets.

i. The Enterprise should periodically evaluate the adequacy and content of its public disclosure for non-mortgage investment liquidity activities.

2. Quality Management Information That Ensures Timely Performance Measures and Governance Data

a. The Enterprise must maintain systems that adequately identify, measure and report the nature and level of exposure associated with their non-mortgage liquidity investments. Management must remain appropriately informed about the activity in non-mortgage liquidity investments. Also, the Board of Directors should periodically be provided a summary of non-mortgage liquidity investment activities. At a minimum, management's reports to the Board should:

i. Summarize non-mortgage investment activity since the last report;

ii. Identify and explain any material changes or trends in the non-mortgage liquidity investment portfolio risk and returns; and

iii. Report and explain exceptions to the policy or risk guidelines for liquidity investments.

b. Meaningful changes in portfolio volume and spreads from period to period should be identified and explained to the Board in terms of why they occurred (e.g., changes in portfolio composition, changes in funding costs, etc.). In overseeing the day-to-day management of non-mortgage liquidity investment activities, management should consider the discrete risks associated with the non-mortgage liquidity investment portfolio as well as the exposure of this portfolio within the context of risks across the entire Enterprise. This includes assessing the non-mortgage liquidity investment portfolio's sensitivity to changes in interest rates, expressed in terms of net interest income sensitivity and portfolio value sensitivity.

3. Safe and Sound Investment Holdings and Investment Culture

a. The Enterprise should implement and enforce policies and/or procedures for non-mortgage liquidity investments. Management should establish limits and procedures in a manner that is consistent with the Board's sanctioned goals and risk appetite. Certain risk-limits for non-mortgage liquidity investments may be expressed in terms of how they affect the Enterprise's overall risk-profile, such as those pertaining to interest-rate sensitivity. Other risk limits may be more appropriately expressed in terms of individual portfolios and instruments. In addition, limits restricting the size-range and scope of the non-mortgage liquidity investment activities should be established.

b. The limits and procedures should delineate the acceptable investment instruments, acceptable markets, acceptable counterparties, along with unacceptable investment or portfolio activities. The Enterprise should maintain sufficient documentation to demonstrate due diligence in adhering to policies, procedures, limits and guidelines.

c. At a minimum, limits should be established and reviewed annually, for:

i. Credit threshold guidelines: Credit quality is a compelling factor for liquidity investments. Since liquidity investments should be able to be readily converted into cash without substantial exposure to losses, investments should be insulated from price vulnerabilities that are associated with creditworthiness. The most effective means of insulating against price exposure from credit quality concerns is to invest in high-quality instruments and the debt obligations of high-quality issuers. The Enterprise should establish thresholds identifying the minimum credit standards of any security eligible for purchase. Where these standards involve credit ratings, the ratings should come from a nationally recognized rating organization. Procedures should be included that determine the steps to be taken by management if an instrument's credit rating falls below the minimum threshold before maturity.

ii. Maturity guidelines: Because the maturity of an investment significantly affects its exposure to credit risk and price volatility, longer maturity instruments have limited suitability as liquidity investments. The Enterprise should establish the maximum maturity allowable for non-mortgage liquidity investments. It would be appropriate to have different maturity limits for certain types of instruments. For example, management may wish to establish shorter maturity limits for fixed-coupon instruments than for adjustable-rate securities. Management may have different maturity limits for bullet securities and amortizing structures. It would be appropriate to establish a maturity matrix based upon an instrument's credit rating at the time of purchase.

iii. Diversification and concentration guidelines: Credit concentrations can increase credit risk. Accordingly, the Enterprise should establish guidelines that limit investments in the securities of any single issuer. Such limits may be established as a percentage limit (e.g., as a percentage of capital) or as an absolute dollar amount. To enhance portfolio liquidity, there should also be a limit on the percentage of any particular issue held by the Enterprise.

4. Quality Controls and Personnel Administering and Governing the Process

a. The Enterprise should maintain a comprehensive set of controls to enforce the appropriate separation of duties and responsibilities. These controls should translate into clear procedures for routine operations. At a minimum, the internal control program for non-mortgage liquidity investment activities should include procedures for the following: portfolio valuation, personnel, settlement, physical control and documentation, conflict of interest, and accounting.

i. Portfolio valuation procedures. Portfolio valuation procedures should require pricing that is independent of the investment portfolio managers. Pricing securities provides an indication of the market depth and liquidity for individual instruments, and is an important process for providing data to the risk management function, particularly within a framework of estimating market value sensitivity. Pricing is particularly important for securities that are classified as “available-for-sale” for accounting purposes.

ii. Personnel guidelines. Personnel guidelines should require competent and experienced staff be responsible for conducting transactions and managing the non-mortgage investment portfolio. There should be clear guidance regarding the roles and responsibilities of individuals involved with the non-mortgage liquidity portfolio.

iii. Settlement practices. Procedures should cover standard settlement practices for the various types of non-mortgage liquidity investments in the Enterprise's portfolio. Inadequate understanding of standard settlement practices, coupled with poor internal controls, could result in unnecessary costs or losses.

iv. Control and documentation. Procedures covering control and documentation should be comprehensive and consistent with the evolving better practices in the marketplace. The procedures should include, for example, standards for: processing and controlling purchased instruments, safeguarding investment documentation and reviewing trade tickets and confirmations.

v. Conflict of interest. Conflict of interest guidelines should govern all Enterprise personnel authorized to purchase or sell non-mortgage liquidity investments. These guidelines should ensure that all directors, officers and employees act in the Enterprise's best interest. Conflict of interest guidelines should address employee relationships with authorized broker/dealers. Guidelines should also address personnel accepting gifts and travel expenses from broker/dealers.

vi. Accounting. Accounting practices should be evaluated to determine the level of compliance with GAAP standards.

5. Independent Testing and Review of the Process to Assure Compliance

a. An independent review of non-mortgage liquidity investment activities should be conducted periodically to ensure:

i. The accuracy and integrity of information provided to the Board, management and other oversight bodies;

ii. The adherence to policy, procedures, limits and guidelines;

iii. The timeliness, accuracy and usefulness of non-mortgage investment reports;

iv. The adequacy of personnel resources and capabilities; and

v. The non-mortgage liquidity investment activities remain appropriate in the context of the marketplace and the external environment.

b. This review may be conducted by a risk oversight unit or internal audit department, or any party that is independent of the routine risk-taking decisions and should be commensurate with the level of review of other primary Enterprise activities. Independent review findings for non-mortgage liquidity investments should be reported to the Board directly or through one of its committees. The Board should consider the independent review when reaffirming policies, and should address any issues raised.

D—Disclosure of Non-Mortgage Liquidity Investment Activities

1. Sound risk management practices include thorough disclosures about the Enterprise's risks and further regulators' efforts to increase financial transparency for regulated financial companies. Quality disclosures about risks and risk management can be an effective deterrent to excessive risk-taking. Three essential elements needed to promote market discipline for non-mortgage liquidity investments are (1) type of issuer and security, (2) maturity, and (3) credit quality or rating. Accordingly, quality disclosure for a portfolio of non-mortgage liquidity investments should include a detailed categorization of the portfolio with respect to each of these elements and cross-categorization, so that (for example) the quantity of any longer-maturity, lower-credit-quality assets is clearly identified. Information about fair values; yields; and narrative discussions of objectives, risk management policies, and controls can also promote transparency of risk and should be included. Such disclosures should be made quarterly, and they should be made using average balances so that average risks can be assessed—not just the risks on a given date.

2. Over the next few quarters, OFHEO will discuss more specifically with the Enterprise how these disclosures will meet the expectations expressed in this guidance. An example of a disclosure format that may be used by the Enterprise is available on the OFHEO Web site at http://www.ofheo.gov. However, the Enterprise may disclose the risks in its non-mortgage liquidity investment activities, consistent with the expectations expressed in this guidance, using a format of its choice.

E—Summary

This Guidance sets forth OFHEO's process for evaluating the safety and soundness of non-mortgage liquidity investment activities. OFHEO remains committed to ensuring the Enterprises remain financially sound, have appropriate control environments, and engage only in financially sound business and investment activities. OFHEO's examiners have been instructed to incorporate this evaluation process into their ongoing safety and soundness examinations. Examiners will evaluate and test the Enterprise's non-mortgage liquidity investment processes and activities to ensure they are in compliance with this guidance.

Appendix C to Part 1720—Policy Guidance; Safety and Soundness Standards for Information

A—Introduction

1. Scope.

2. Preservation of Existing Authority.

3. Definitions.

B—Safety and Soundness Standards for Information

1. Information Security Program.

2. Objectives.

C—Development and Implementation of Information Security Program

1. Involve the Board of Directors.

2. Assess Risk.

3. Manage and Control Risk.

4. Oversee Service Provider Arrangements.

5. Adjust the Program.

6. Report to the Board.

7. Implementation.

A—Introduction

The Policy Guidance on Safety and Soundness Standards for Information sets forth standards pursuant to section 1313 of the Federal Housing Enterprise Safety and Soundness Act (12 U.S.C. 4513). The Guidance addresses standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of information.

1. Scope. The Guidance applies to information maintained by or on behalf of the Federal National Mortgage Association (Fannie Mae) and the Federal Home Loan Mortgage Corporation (Freddie Mac) (collectively, the Enterprises).

2. Preservation of Existing Authority. Nothing in the Guidance in any way limits the authority of OFHEO to otherwise address unsafe or unsound conditions or practices or violations of applicable law, regulation or supervisory order. Action referencing the Policy Guidance may be taken separate from, in conjunction with or in addition to any other enforcement action available to OFHEO. Compliance with the Policy Guidance in general would not preclude a finding by the agency that an Enterprise is otherwise engaged in a specific unsafe or unsound practice or is in an unsafe or unsound condition, or requiring corrective or remedial action with regard to such practice or condition. That is, supervisory action is not precluded against an Enterprise that has not been cited for a deficiency under the Policy Guidance. Conversely, an Enterprise's failure to comply with one of the supervisory requirements set forth in the Policy Guidance may not warrant a formal supervisory response from OFHEO, if the agency determines the matter may be otherwise addressed in a satisfactory manner. For example, OFHEO may require the submission of a plan to achieve compliance with the particular requirement or standard without taking any other enforcement action.

3. Definitions. For purposes of the Guidance, the following definitions apply:

a. Information means any record of an Enterprise, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of an Enterprise;

b. Information security program means the administrative, technical, or physical safeguards used by an Enterprise to access, collect, process, store, use, transmit, dispose of, or otherwise handle information;

c. Information systems means any methods used to access, collect, store, use, transmit, protect, or dispose of information;

d. Service provider means any person or entity, including any third party vendor, that maintains, processes or otherwise is permitted access to information through its provision of services directly or indirectly to an Enterprise.

B—Safety and Soundness Standards For Information

1. Information Security Program. Each Enterprise shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the nature and scope of its activities. While all parts of the Enterprise are not required to implement a uniform set of policies, all elements of the information security program must be coordinated.

2. Objectives. An Enterprise's information security program shall be designed to:

a. Ensure the security and confidentiality of information;

b. Protect against any anticipated threats or hazards to the security or integrity of such information; and

c. Protect against unauthorized access to or use of such information.

C—Development and Implementation of Information Security Program

1. Involve the Board of Directors. The board of directors or an appropriate committee of the board of each Enterprise shall:

a. Approve the Enterprise's written information security program; and

b. Oversee the development, implementation, and maintenance of the Enterprise's information security program, including assigning specific responsibility for its implementation and reviewing reports from management.

2. Assess Risk. Each Enterprise shall:

a. Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of information or information systems;

b. Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of nonpublic information; and

c. Assess the sufficiency of policies, procedures, information systems, and other arrangements in place to control risks.

3. Manage and Control Risk. Each Enterprise shall:

a. Design its information security program to manage and control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the Enterprise's activities. Each Enterprise should consider whether the following security measures are appropriate for the Enterprise and, if so, adopt those measures the Enterprise concludes are appropriate:

i. Access controls over information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing information to unauthorized individuals who may seek to obtain this information through fraudulent means;

ii. Access restrictions at physical locations containing information, such as buildings, computer facilities, and records storage facilities to permit access only to authorized individuals;

iii. Encryption of electronic information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access;

iv. Procedures designed to ensure that information system modifications are consistent with the Enterprise's information security program;

v. Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to information;

vi. Monitoring systems and procedures to detect actual and attempted attacks on or intrusion into information systems;

vii. Response programs that specify actions to be taken when the Enterprise suspects or detects that unauthorized individuals have gained access to information systems, including appropriate reports to regulatory and law enforcement agencies; and

viii. Measures to protect against destruction, loss or damage of information due to potential environmental hazards, such as fire and water damage or technological failures.

b. Train staff to implement the Enterprise's information security program; and

c. Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by the Enterprise's risk assessment. Tests should be conducted or reviewed by independent third parties or staff that are independent of those that develop or maintain the security programs.

4. Oversee Service Provider Arrangements. Each Enterprise shall:

a. Exercise appropriate due diligence in selecting its service providers;

b. Require its service providers by contract to implement appropriate measures designed to meet the objectives of the Guidance; and

c. Where indicated by the Enterprise's risk assessment, monitor its service providers to confirm that they have satisfied their obligations as required by section 9(b). As part of this monitoring, an Enterprise should review audits, summaries of test results, or other equivalent evaluations of its service providers.

5. Adjust the Program. Each Enterprise shall monitor, evaluate, and adjust, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its information, internal or external threats to information, and the Enterprise's own changing business arrangements, such as acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.

6. Report to the Board. Each Enterprise shall report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the Enterprise's compliance with the Guidance. The reports should discuss material matters related to its program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management's responses; and recommendations for changes in the information security program.

7. Implementation. a. Each Enterprise should implement an information security program pursuant to the Guidance.

b. Until January 1, 2004, a contract that an Enterprise has entered into with a service provider to perform services for it or functions on its behalf satisfies the provisions of section 9, even if the contract does not include a requirement that the servicer maintain the security and confidentiality of information, as long as the Enterprise entered into the contract on or before the effective date.

Dated: August 20, 2002.

Armando Falcon, Jr.,

Director, Office of Federal Housing Enterprise Oversight.

Footnotes

1.  OFHEO Policy Guidance PG-00-001, Minimum Safety and Soundness Requirements (Dec. 19, 2000) and Policy Guidance PG-00-002, Non-mortgage Liquidity Investments (December 19, 2000) (available on OFHEO's web site at http://www.ofheo.gov).

2.  OFHEO Policy Guidance PG-01-001, Safety and Soundness Standards for Information (Dec. 19, 2001) (available on OFHEO's web site at http://www.ofheo.gov).

3.  67 FR 42200 (June 21, 2002).

4.  For the OCC, these regulations appear at 12 CFR Part 30, Appendix A: “Interagency Guidelines Establishing Standards for Safety and Soundness”; see also, for the Board of Governors of the Federal Reserve System at 12 CFR Part 263; and for the Federal Deposit Insurance Corporation at 12 CFR 308, subpart R; and for the Office of Thrift Supervision at 12 CFR Part 570.

6.  See, Appendix B of 12 CFR Part 30.

7.  See United States v. Mead Corp., 533 U.S. 218 (2001), and Christensen v. Harris County, 529 U.S. 576 (2000).

[FR Doc. 02-21780 Filed 8-29-02; 8:45 am]

BILLING CODE 4220-01-U