[Federal Register Volume 67, Number 169 (Friday, August 30, 2002)]
[Rules and Regulations]
[Pages 55691-55699]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 02-21780]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT
Office of Federal Housing Enterprise Oversight
12 CFR Part 1720
RIN 2550-AA22
Safety and Soundness Regulation
AGENCY: Office of Federal Housing Enterprise Oversight, DHUD.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Office of Federal Housing Enterprise Oversight (OFHEO) is
issuing a final rule to support increased transparency and public
awareness of minimum supervisory standards adopted by OFHEO and applied
in overseeing the safety and soundness of the Federal National Mortgage
Association (Fannie Mae) and the Federal Home Loan Mortgage Corporation
(Freddie Mac) (collectively, the Enterprises). The final rule's format
reflects that used by other federal regulators. The rule delineates
supervisory standards in a manner consistent with recent rulings by the
United States Supreme Court affecting agency pronouncements. OFHEO will
adopt and publish supervisory policy guidance as appendices to the rule
as it deems appropriate to illuminate areas of particular interest or
potential concern.
EFFECTIVE DATES: September 30, 2002.
FOR FURTHER INFORMATION CONTACT: David W. Roderer, Deputy General
Counsel, or Marvin Shaw, Senior Counsel, at (202) 414-3775 (not a toll-
free number), Office of General Counsel,
[[Page 55692]]
Office of Federal Housing Enterprise Oversight, 1700 G Street NW.,
Fourth Floor, Washington, DC 20552. The telephone number for the
Telecommunications for the Deaf is: (800) 877-8339 (TTD only).
SUPPLEMENTARY INFORMATION: The Federal Housing Enterprises Financial
Safety and Soundness Act of 1992, Title XIII of Pub. L. No. 102-550
(the Act), empowers OFHEO to take any such action as the Director
determines to be appropriate to ensure that the federally sponsored
housing enterprises, the Federal National Mortgage Association (Fannie
Mae) and the Federal Home Loan Mortgage Corporation (Freddie Mac)
(collectively, the Enterprises), are adequately capitalized and
operating safely by, among other things, adopting supervisory policies
and standards by regulation or other guidance or process.
On December 19, 2000, OFHEO issued Policy Guidance PG-00-001
setting forth minimum supervisory standards in eight broad areas of
particular regulatory interest and potential concern and issued Policy
Guidance PG-00-002, that addressed standards for non-mortgage
liquidity.\1\ One year later, a third policy guidance was adopted that
specifically sets out the minimum safety and soundness standards for
information systems and security.\2\ That policy guidance, entitled
``Safety and Soundness Standards for Information,'' focused narrowly on
safety and soundness concerns with the adequacy of the Enterprises'
respective policies and procedures affecting the security of their
information systems and integrity of such information, including
borrower information maintained by the Enterprises.
---------------------------------------------------------------------------
\1\ OFHEO Policy Guidance PG-00-001, Minimum Safety and
Soundness Requirements (Dec. 19, 2000) and Policy Guidance PG-00-
002, Non-mortgage Liquidity Investments (December 19, 2000)
(available on OFHEO's web site at http://www.ofheo.gov).
\2\ OFHEO Policy Guidance PG-01-001, Safety and Soundness
Standards for Information (Dec. 19, 2001) (available on OFHEO's web
site at http://www.ofheo.gov).
---------------------------------------------------------------------------
The minimum standards set forth in OFHEO's policy guidances are
designed to identify key safety and soundness concerns regarding
operation and management of an Enterprise, and to ensure that the
conduct and practices of the Enterprises reasonably avoid the emergence
of problems that might entail serious risks. The minimum standards also
reflect the need for internal policies and procedures in particular
areas that, if not appropriately addressed by an Enterprise, may
warrant supervisory action by OFHEO in order to reduce risks of loss
and corresponding capital impairment. The minimum standards set out in
such guidances are intended to affect these purposes without dictating
how the Enterprises must be operated and managed.
On June 21, 2002, OFHEO published a notice in the Federal Register
proposing a rule that would provide the regulatory framework for the
adoption and publication of such policy guidance.\3\ The format of the
proposed regulation, as a formal agency pronouncement delineating the
parameters of the supervisory standards applicable to the Enterprise,
mirrors that used by the Office of Comptroller of the Currency (OCC) in
promulgating safety and soundness standards for national banks \4\
pursuant to Section 39 of the Federal Deposit Insurance Act.\5\ The OCC
used a similar format when it adopted specific supervisory standards
applicable to bank information systems.\6\
---------------------------------------------------------------------------
\3\ 67 FR 42200 (June 21, 2002).
\4\ For the OCC, these regulations appear at 12 CFR Part 30,
Appendix A: ``Interagency Guidelines Establishing Standards for
Safety and Soundness''; see also, for the Board of Governors of the
Federal Reserve System at 12 CFR Part 263; and for the Federal
Deposit Insurance Corporation at 12 CFR 308, subpart R; and for the
Office of Thrift Supervision at 12 CFR Part 570.
\5\ 12 U.S.C. 1381p-1.
\6\ See, Appendix B of 12 CFR Part 30.
---------------------------------------------------------------------------
OFHEO received comments from Freddie Mac, Fannie Mae and the
Mortgage Bankers Association of America (MBAA). The commenters
generally supported the proposal. Freddie Mac agreed with the purpose
of the rule of improving transparency and public awareness of
supervisory standards applicable to the Enterprises. In particular,
Freddie Mac acknowledged the issuance of guidance is the most effective
way to integrate safety and soundness objectives into an ever-changing
business environment. Similarly, Fannie Mae supported the purpose of
the rule: to enhance transparency and public awareness of these minimum
supervisory standards. MBAA noted that the proposal and the specific
authorities set forth by OFHEO appear to be reasonable and within the
bounds of prudent regulatory practice.
OFHEO analyzed the comments and suggestions for improvement of the
proposed rule. Freddie Mac recommended section Sec. 1720.2 be modified
with respect to the Director's authority to include the phrase ``to the
extent such actions are authorized by the Act.'' OFHEO agrees with
Freddie Mac that the Director may only exercise such authority as is
specifically granted, or by implication is necessary to carry out
specific grants of authority, in legislation enacted by Congress.
Accordingly, OFHEO believes that it is unnecessary to amend the
regulatory text in section Sec. 1720.2 to state this principle.
Fannie Mae questioned the need for what they believe are
``duplicative reassertions of authority'' since OFHEO has asserted its
authority in the guidances and in 12 CFR Part 1777. Fannie Mae also
requested confirmation of its belief that the rulemaking does not
convert OFHEO's policy guidances into rules subject to the
Administrative Procedure Act (APA). Finally, Fannie Mae requested that
OFHEO solicit input from the Enterprises whenever it develops any
supervisory policy guidance.
OFHEO notes that its assertion of statutory authority in this
rulemaking as well as in the guidances and Part 1777 reflect common
practice among federal agencies in specifying their authority whenever
they publish agency rules or other pronouncements. This practice cites
the authority of the agency to those coming into contact with an agency
pronouncement for the first time. OFHEO agrees that the safety and
soundness rule set forth in final form here does not ``convert''
existing or future guidance into rules subject to the APA. Indeed, this
would be contrary to OFHEO's intent and reduce its use of this
important and flexible supervisory device.
As explained in the NPR, the final regulation and appended
guidances are intended to facilitate the public awareness and
enforceability of such standards as official agency pronouncements in a
manner consistent with recent United States Supreme Court's rulings.\7\
---------------------------------------------------------------------------
\7\ See United States v. Mead Corp., 533 U.S. 218 (2001), and
Christensen v. Harris County, 529 U.S. 576 (2000).
---------------------------------------------------------------------------
Nothing in the OFHEO Policy Guidances limits the authority of OFHEO
to otherwise address unsafe or unsound conditions or practices, or
violations of applicable laws, regulations or supervisory orders, as
detailed in section Sec. 1720.1(b).
Regulatory Impact
Executive Order 12866, Regulatory Planning and Review
The regulation is not classified as a significant rule under
Executive Order 12866 because it will not result in an annual effect on
the economy of $100 million or more or a major increase in costs or
prices for consumers, individual industries, Federal, State, or local
government agencies, or geographic regions; or have significant
[[Page 55693]]
adverse effects on competition, employment, investment, productivity,
innovation, or on the ability of United States-based enterprises to
compete with foreign-based enterprises in domestic or foreign markets.
Accordingly, no regulatory impact assessment is required and this
regulation need not be submitted to the Office of Management and Budget
for formal review.
Unfunded Mandates Reform Act of 1995
This rule does not include a Federal mandate that could result in
the expenditure by State, local, and tribal governments, in the
aggregate, or by the private sector, of $100,000,000 or more (adjusted
annually for inflation) in any one year. As a result, the rule does not
warrant the preparation of an assessment statement in accordance with
the Unfunded Mandates Reform Act of 1995.
Regulatory Flexibility Act
The Regulatory Flexibility Act (5 U.S.C. 601 et seq.) requires that
a regulation that has a significant economic impact on a substantial
number of small entities, small businesses, or small organizations must
include an initial regulatory flexibility analysis describing the
regulation's impact on small entities. Such an analysis need not be
undertaken if the agency has certified that the regulation will not
have a significant economic impact on a substantial number of small
entities. 5 U.S.C. 605(b). OFHEO has considered the impact of the
regulation under the Regulatory Flexibility Act. The General Counsel of
OFHEO certifies that the regulation is not likely to have a significant
economic impact on a substantial number of small business entities
because the regulation only affects the Enterprises, which are not
small entities for purposes of the Regulatory Flexibility Act.
Paperwork Reduction Act of 1995
This regulatory action contains no information collection
requirement that would require the approval of the Office of Management
and Budget pursuant to the Paperwork Reduction Act, 44 U.S.C. 3501-
3520.
List of Subjects in 12 CFR Part 1720
Administrative practice and procedure, Mortgages.
Accordingly, for the reasons set out in the preamble, the Office of
Federal Housing Enterprise Oversight is adding part 1720 to subchapter
C of 12 CFR chapter XVII to read as follows:
PART 1720--SAFETY AND SOUNDNESS
Sec.
1720.1 Authority.
1720.2 Safety and soundness standards.
Appendices
Appendix A to Part 1720--Policy Guidance; Minimum Safety and
Soundness Requirements
Appendix B to Part 1720--Policy Guidance; Non-Mortgage Liquidity
Investments
Appendix C to Part 1720--Policy Guidance; Safety and Soundness
Standards for Information
Authority: 12 U.S.C. 4513(a), 4513(b)(1), 4513(b)(5), 4517(a),
4521(a)(2) through (3), 4631, 4632, and 4636.
Sec. 1720.1 Authority.
(a) Authority. This part is issued by the Office of Federal Housing
Enterprise Oversight (OFHEO) pursuant to sections 1313(a), 1313(b)(1),
and 1313(b)(5) of the Federal Housing Enterprise Financial Safety and
Soundness Act (Act) (12 U.S.C. 4513(a), 4513(b)(1), and 4513(b)(5)).
These provisions of the Act authorize OFHEO to take any action deemed
appropriate by the Director of OFHEO to ensure that the Federal
National Mortgage Association and the Federal Home Loan Mortgage
Corporation (the Enterprises) are operated in a safe and sound manner,
including by adopting supervisory policies and standards by regulation,
guidance, or other process.
(b) Preservation of existing authority. No action by OFHEO
undertaken with reference to a policy guidance or this regulation will
in any way limit the authority of the Director otherwise to address
unsafe or unsound conditions or practices, or other violations of law,
rule or regulation. Action with reference to a policy guidance or this
regulation may be taken separate from, in conjunction with, or in
addition to any other supervisory response, enforcement action, or
agency-imposed requirements deemed appropriate by OFHEO. Nothing in
this regulation or any guidance issued by OFHEO limits the authority of
the Director pursuant to section 1313 of the Act (12 U.S.C. 4513) or
any other provision of law, rule or regulation applicable to the
Enterprises.
Sec. 1720.2 Safety and soundness standards.
Policy guidances as may be adopted from time to time by OFHEO,
addressing safety and soundness standards, shall apply to the
Enterprises. If OFHEO determines that an Enterprise does not meet a
requirement set out in such policy guidance, it may require corrective
or remedial actions by the Enterprise, and take such enforcement action
as the Director deems to be appropriate.
Appendix A to Part 1720--Policy Guidance; Minimum Safety and Soundness
Requirements
A--Background and Introduction
I. Background
II. Introduction
B--Operational and Managerial Requirements
I. Asset underwriting and credit quality.
II. Balance sheet growth and management.
III. Market risk.
IV. Information technology.
V. Internal controls.
VI. Audits.
VII. Information reporting and documentation.
VIII. Board and management responsibilities and function.
IX. Format of policies and procedures.
C--Compliance Plans
I. Notice; submission and review of compliance plan.
II. Failure to submit acceptable plan or to comply with plan.
A--Background and Introduction
I. Background. The Federal Housing Enterprises Safety and
Soundness Act of 1992, Title XIII of Pub. L. No. 102-550 (the Act)
empowers OFHEO to take any such action as the Director determines to
be appropriate to ensure that the federally sponsored housing
enterprises, Fannie Mae and Freddie Mac, are, among other things,
adequately capitalized and operating safely, including by adopting
supervisory policies and standards by regulation or other guidance
or process.
i. OFHEO herein sets forth the minimum supervisory requirements
used by the agency in reviewing the ensuring, the adequacy of
policies and procedures of the Enterprises in the areas of: (1)
Asset underwriting and credit quality; (2) balance sheet growth; (3)
market risks; (4) information technology; (5) internal controls; (6)
audits; (7) information reporting and documentation; and (8) board
and management responsibilities and functions. If the agency finds
that an Enterprise fails to meet any requirement or standard set
forth in this pronouncement, the Director may, among other things,
require the Enterprise to submit to the agency and implement an
adequate plan to achieve timely compliance with the requirement or
standard. If the Enterprise fails to submit such an adequate plan
within the time specified by the agency or fails in any material
respect to implement the plan, the agency may take additional
supervisory action. The Director may at any time prescribe such
supervisory actions as deemed appropriate to correct conditions
resulting from an unsafe or unsound practice or condition or
deficiency in complying with regulatory requirements or standards
including, but not limited to, issuance of a notice of charges or
order, imposition of civil money penalties, or other remedial
actions or sanctions as determined by the Director.
ii. The minimum supervisory requirements and standards identify
key safety and
[[Page 55694]]
soundness concerns regarding operation and management of an
Enterprise, and ensure that action is taken to avoid the emergence
of problems that might entail serious risks to an Enterprise. The
minimum supervisory requirements of the Policy Guidance also reflect
the need for internal policies and procedures in particular areas
that, if not appropriately addressed by the Enterprises, may warrant
action by OFHEO in order to reduce risks of loss and possible
capital impairment. The proposed minimum requirements set forth
herein are intended to effect these purposes without dictating how
the Enterprises must be operated and managed; moreover, the Policy
Guidance does not set out detailed operational and managerial
procedures that an Enterprise must have in place. The Policy
Guidance is intended to identify the ends that proper operational
and management policies and procedures are to achieve, while leaving
the means to be devised by each Enterprise as it designs and
implements its own policies and procedures. Where OFHEO does specify
particular requirements, each Enterprise's management is left with
substantial flexibility to fashion and implement them.
iii. The Policy Guidance is not intended to effect a change in
OFHEO's policies; the announced minimum requirements reflect the
basic underlying criteria OFHEO uses to assess the operations and
managerial quality of an Enterprise. OFHEO will determine compliance
with the requirements and related standards through examinations of
the Enterprises, as well as off-site surveillance means and other
interchanges with each Enterprise.
iv. OFHEO routinely undertakes to evaluate an Enterprise's
overall policies, in order to determine whether such policies are
safe and sound in principle and in practice. OFHEO also evaluates
whether procedures are in place to ensure that an Enterprise's
overall policies as adopted by the Enterprise's board of directors
and management are, in fact, applied in the normal course of
business. As reflected in the Policy Guidance, the Enterprises are,
at a minimum, expected to adopt appropriate policies and internal
guidelines, and to put in place procedures to ensure they are
followed as a matter of routine.
v. Nothing in the Policy Guidance in any way limits the
authority of OFHEO to otherwise address unsafe or unsound conditions
or practices, or violations of applicable law, regulation or
supervisory order. Action referencing the Policy Guidance may be
taken separate from, in conjunction with or in addition to any other
enforcement action available to OFHEO. Compliance with the Policy
Guidance in general would not preclude a finding by the agency that
an Enterprise is otherwise engaged in a specific unsafe or unsound
practice or is in an unsafe or unsound condition, or requiring
corrective or remedial action with regard to such practice or
condition. That is, supervisory action is not precluded against an
Enterprise that has not been cited for a deficiency under the Policy
Guidance. Conversely, an Enterprise's failure to comply with one of
the supervisory requirements set forth in the Policy Guidance may
not warrant a formal supervisory response from OFHEO, if the agency
determines the matter may be otherwise addressed in a satisfactory
manner. For example, OFHEO may require timely submission of a plan
to achieve compliance with the particular requirement or standard
without taking any other enforcement action.
II. Introduction. i. Authority, purpose, and scope.
a. Authority. This Policy Guidance is issued by the Office of
Federal Housing Enterprise Oversight (OFHEO) pursuant to sections
1313(a), 1313(b)(1), 1313(b)(5) and 1371 of the Federal Housing
Enterprise Safety and Soundness Act (Act) (12 U.S.C. 4513(a),
4513(b)(1), 4513(b)(5) and 4631). These provisions of the Act
authorize OFHEO to take any action deemed appropriate by the
Director of OFHEO to ensure that the Federal National Mortgage
Association and the Federal Home Loan Mortgage Corporation (the
Enterprises) are operated in a safe and sound manner, including by
adopting supervisory policies and standards by regulation, guidance,
or other process.
b. Purpose and scope. This Policy Guidance sets out certain
minimum safety and soundness requirements for the business and
operations of the Enterprises, and reiterates agency policies
requiring the Enterprises to establish and implement policies and
procedures that are sufficient to effectuate compliance with
supervisory standards. If OFHEO determines that an Enterprise does
not meet the requirements set forth herein, the Director may require
the Enterprise to submit and carry out a plan to achieve compliance,
or may take other corrective and remedial actions. The requirements
enumerated herein are supervisory minimums. In order to satisfy an
Enterprise's overarching obligation under the Act to conduct is
operations in a safe and sound manner, it may be necessary and
appropriate for an Enterprise to take additional measures in these
or other areas, as directed by OFHEO through regulation, guidance,
order or otherwise as part of the supervisory process.
ii. Preservation of existing authority. Neither this Policy
Guidance nor any action by OFHEO to enforce compliance of an
Enterprise therewith in any way limits the authority of the Director
otherwise to address unsafe or unsound conditions or practices, or
other violations of law or other regulation. Action under this
Policy Guidance may be taken separate from, in conjunction with, or
in addition to any other enforcement action deemed appropriate by
OFHEO. Nothing in this Policy Guidance or related guidances limits
the authority of the Director pursuant to section 1313 of the Act
(12 U.S.C. 4513) or any other provision of law, rule or regulation
applicable to the Enterprises.
iii. Definitions. For purposes of this Policy Guidance, except
as modified therein or unless the context otherwise requires, the
terms used have the same meaning as set forth in section 1303 of the
Act (12 U.S.C. 4502).
B--Operational and Managerial Requirements
I. Asset underwriting and credit quality. An Enterprise should
establish and implement policies and procedures to adequately assess
credit risks before they are assumed, and monitor such risks
subsequently to ensure that they conform to the Enterprise's credit
risk standards on an individual and an aggregate basis. The
Enterprise should:
i. For loans purchased and loans collateralizing securities
guaranteed by the Enterprise, adopt and implement prudent
underwriting standards and procedures commensurate with the type of
loan or loans and the markets in which the loan or loans were made
that include consideration of the borrower's and any guarantor's
financial condition and ability to repay as well as the type and
value of any collateral or credit enhancement;
ii. To the extent the Enterprise's assets are serviced or
administered by other entities or are covered by mortgage insurance
or other credit enhancements or arrangements, the Enterprise's
policies and procedures should recognize the consequences and
implications of such contractual arrangements for the Enterprise's
credit risk;
iii. Establish and implement policies and procedures to address
declining credit quality and to require appropriate corrective
action; to establish sufficient reserves; and to deal with defaulted
assets so as to minimize losses;
iv. Establish and implement policies and procedures to select
and price credit risk to ensure that the Enterprise is appropriately
compensated commensurate with the credit risk it assumes and its
statutory obligations;
v. Establish and implement policies and procedures that address
the prudential selection, management and handling of counterparty
credit exposure that arises from engaging in hedging activities and
the use derivative instruments; and
vi. Establish and implement policies and procedures to identify,
monitor and evaluate its credit exposures on an aggregate basis so
as to assess the implications and consequences of matters such as
concentration exposure (including geographic as well as product
concentrations), to identify and evaluate credit risk trends
effectively, and to maintain and revise appropriately its systems
and procedures for underwriting, servicing, and monitoring of such
exposures and changes to those exposures.
II. Balance sheet growth and management. An Enterprise's balance
sheet growth should be prudent and consider:
i. The source, volatility, and use of funds that support balance
sheet growth;
ii. Any changes in credit risk or interest rate risk resulting
from balance sheet growth;
iii. The effect of balance sheet growth on the Enterprise's
capital adequacy; and
iv. The appropriate policies and procedures needed to manage
changes in risk that may occur as a result of balance sheet growth.
III. Market risk. An Enterprise should establish and implement
policies and procedures that allow for the effective identification,
measurement, monitoring, and
[[Page 55695]]
management of market risk. The Enterprise should:
i. Establish and implement policies and procedures sufficient to
quantify and monitor the interest rate risk of the Enterprise
effectively and to model the effect of differing interest rate
scenarios on the Enterprise's financial condition and operations;
ii. Develop risk management strategies that respond
appropriately to changes in interest rates;
iii. Establish and implement policies and procedures sufficient
to quantify and monitor the Enterprise's liquidity effectively, and
to identify and anticipate various market environments and their
effects on the Enterprises' liquidity; and
iv. Establish and maintain an effective contingency plan for
liquidity under varying scenarios.
IV. Information technology. An Enterprise should establish and
implement policies and procedures to ensure that its computing
resources, proprietary and nonpublic information and data are:
i. Protected from access by unauthorized users, and otherwise
protected by appropriate security measures;
ii. Reliable, accurate and available at all times as needed for
its business operations, including an ability to effect timely
recovery and resume operations after a reasonably foreseeable
adverse event; and
iii. Designed to ensure adequate support of business operations.
V. Internal controls. An Enterprise should maintain and
implement internal controls appropriate to the nature, scope and
risk of its business activities that, at a minimum, provide for:
i. An organizational structure and assignment of responsibility
for management, employees, consultants and contractors, that provide
for accountability and controls, including adherence to policies and
procedures;
ii. A control framework commensurate with the Enterprise's
risks;
iii. Policies and procedures adequate to safeguard and to manage
assets; and
iv. Compliance with applicable laws, regulations and policies.
VI. Audits. An Enterprise should establish and implement
internal and external audit programs appropriate to the nature and
scope of its business activities that, at minimum, provide for:
i. Adequate monitoring of internal controls through an audit
function appropriate to the Enterprise's size, structure and scope
of operations;
ii. Independence of the audit function;
iii. Qualified professionals and management for the conduct and
review of audit functions;
iv. Adequate testing and review of audited areas together with
adequate documentation of findings and of any recommendations and
corrective actions; and
v. Verification and review of measures and actions undertaken to
address identified material weaknesses.
VII. Information reporting and documentation. An Enterprise
should establish and implement policies and procedures for
generating and retaining reports and documents that:
i. Enable the Enterprise's board of directors (including
appropriate committees) to make informed decisions and to exercise
its oversight function, by providing all such relevant information
of an appropriate level of detail as necessary;
ii. Enable the Enterprise's managers to make informed business
decisions and to assess risks for all aspects of the Enterprise's
business on an ongoing basis, by providing sufficient relevant
information of an appropriate level of detail as necessary;
iii. Ensure decision-makers have appropriate and necessary
information about particular transactions and business operations;
iv. Enable the Enterprise to administer and supervise all
assets, liabilities, commitments and other financial obligations
appropriately;
v. Enable the Enterprise to enforce legal claims against
borrowers, counterparties and other obligors; and
vi. Ensure timely and complete submissions of reports of
financial condition and operations, as well as annual and other
periodic reports and special reports to OFHEO whenever requested or
required by OFHEO.
VIII. Board and management responsibilities and function. An
Enterprise's board of directors shall ensure that the board
(including appropriate committees) works with executive management
to establish the Enterprise's strategies and goals in an informed
manner, and that the Enterprise's executive managers and other
managers, as appropriate, implement such strategies, by ensuring at
a minimum that:
i. The board (including appropriate committees) oversees the
development of the Enterprise's strategies in key areas and
exercises oversight necessary to ensure that management sets
policies and controls to implement such strategies effectively;
ii. The board (including appropriate committees) hires qualified
executive management, and exercises oversight to hold management
accountable for meeting the Enterprise's goals and objectives;
iii. The board (including appropriate committees) is provided
with accurate information about the operations and financial
condition of the Enterprise in a timely fashion, and sufficient to
enable the board to effect its oversight duties and
responsibilities;
iv. Management of the Enterprise sets policies and controls to
ensure the Enterprise's strategies are implemented effectively, and
that the Enterprise's organization structure and assignment of
responsibilities provide clear accountability and controls; and
v. Management of the Enterprise establishes and maintains an
effective risk management framework, including review of such
framework to monitor its effectiveness and taking appropriate action
to correct any weaknesses.
IX. Format of policies and procedures. i. Generally, the
policies of an Enterprise contemplated by this Policy Guidance
should be in writing and in such form and detail as appropriate in
light of their intended purpose, nature, and potential consequences
for the operations and financial condition of the Enterprise, and
approved by the board of directors (including appropriate
committees) or such responsible officer or officers as designated by
the board.
ii. The policies and procedures of an Enterprise contemplated by
this Policy Guidance should be provided to OFHEO at such time and in
such format as OFHEO directs.
C--Compliance Plans
I. Notice; submission and review of compliance plans. i.
Determination. The Director of OFHEO may, based upon a report of
examination, or other supervisory information however acquired,
determine that an Enterprise has failed or is likely to fail to
satisfy the minimum supervisory requirements or standards set forth
in part B of this appendix.
ii. Request for compliance plan. If the Director determines
pursuant to paragraph C.I.i of thiis appendix that an Enterprise has
failed or is likely to fail to satisfy a supervisory requirement or
standard, OFHEO may require the submission of a written compliance
plan.
iii. Schedule for filing compliance plan. An Enterprise may be
required to file a written compliance plan with OFHEO within thirty
days of receiving a written request for a compliance plan pursuant
to paragraph C.I.ii of this appendix.
iv. Contents of plan. A required compliance plan should include,
subject to additional direction by OFHEO, a detailed description of
the steps the Enterprise will take to correct a deficiency and any
condition resulting therefrom and the time within which such steps
will be undertaken and fully implemented.
v. Review of compliance plans. If the compliance plan submitted
under this section is deemed to be inadequate or incomplete, OFHEO
may provide written notice of such inadequacy or deficiencies
thereof to the Enterprise OFHEO or seek additional information from
the Enterprise regarding the plan.
vi. Amendment of compliance plan. An Enterprise that has filed a
required compliance plan to which no objection has been raised by
OFHEO may, after prior written notice to and approval by the
Director, amend the plan to reflect changes in circumstance,
policies and procedures.
II. Failure to submit acceptable plan or to comply with plan. If
an Enterprise does not submit an adequate and complete plan as
required by the agency within the time specified by OFHEO or does
not implement such an adequate and complete plan, the Director may
require the Enterprise to correct any deficiency and may require
additional corrective or remedial actions by the Enterprise as
deemed to be appropriate pursuant to the Act, including sections
1371 (12 U.S.C. 4631), 1372 (12 U.S.C. 4632), and 1376 (12 U.S.C.
4636).
Appendix B to Part 1720--Policy Guidance; Non-Mortgage Liquidity
Investments
A--Purpose
B--Activities Covered
C--Standards for Non-mortgage Liquidity Investment Activities
[[Page 55696]]
D--Disclosure of Non-mortgage Liquidity Investment Activities
E--Summary
A--Purpose
1. Fannie Mae and Freddie Mac (the Enterprises) were chartered
by Congress as government-sponsored enterprises with public
missions. They perform an important role in the United States
mortgage market by gathering funds and purchasing mortgages from
mortgage originators and guaranteeing mortgage-backed securities. In
chartering the Enterprises, Congress charged the Enterprises with:
(1) providing stability to mortgage markets; (2) responding to the
changing capital markets; (3) assisting the secondary markets
including the support of these markets for affordable housing; and
(4) promoting access to credit throughout the country by increasing
liquidity and improving distribution of investment capital for
residential mortgage finance. These functions require the
Enterprises, as principals in the secondary mortgage market, to
serve as bedrock in providing liquidity to the U.S. housing finance
system.
2. For the Enterprises effectively to perform their public
purposes, they must be financially sound and liquid. As the
Enterprises' financial safety and soundness regulator, OFHEO
conducts its regulatory programs to ensure these companies adhere to
safety and soundness standards. In addition, OFHEO interprets this
to include heightening the positive effect of market discipline on
the Enterprises by encouraging quality disclosures, appropriate
accounting standards, and state-of-the-art risk management further
strengthens their safety and soundness. More specifically, OFHEO
conducts comprehensive safety and soundness examinations and
requires the Enterprises to adhere to regulatory capital
requirements. In conducting its regulatory programs, OFHEO applies a
series of safety and soundness standards to assess the Enterprises'
liquidity management, including their investments in non-mortgage
liquidity assets. It is appropriate to issue initial guidance that
addresses the safety and soundness standards OFHEO uses to evaluate
Enterprise investment activities in non-mortgage liquidity assets.
3. Further, it should be noted that the Secretary of HUD, who
has general regulatory power over the Enterprises and who is
required to make such rules and regulations as necessary to ensure
that the purposes of the GSE's respective Charter Acts are
accomplished, has issued an Advanced Notice of Proposed Rulemaking
on possible substantive and/or procedural rules governing the GSEs'
non-mortgage investment activities. Accordingly, the GSEs may be
subject to regulations in this area through future HUD actions, in
addition to this initial guidance.
B--Activities Covered
1. The Enterprises must maintain sufficient liquidity to meet
both known and unexpected payment demands on borrowings and mortgage
securities, for operations and to purchase mortgage assets.
Liquidity management is the process by which the Enterprises manage
the use and availability of various funding sources to meet current
and future needs. Liquidity must be closely managed on a daily
basis.
2. The Enterprises manage liquidity through three primary
channels: securitizations, issuance of debt and conversion of liquid
assets into cash. It is through careful management within and among
the three channels, that the Enterprises can effectively meet
demands and remain safe and sound under all market conditions. This
Guidance specifically addresses ``non-mortgage liquidity
investments'' which are conducted within the liquidity channel
whereby the Enterprises are able to convert their own assets into
cash.
3. There are various types of investments that may be
appropriate for non-mortgage liquidity holdings. Appropriate non-
mortgage liquidity investments are characterized by both
creditworthiness and low price volatility. Even though an investment
may be creditworthy, if the holding is subject to undue price
volatility (e.g. common stock), the investment is inappropriate for
inclusion in the non-mortgage liquidity portfolio since the
investment may not be readily converted into cash without
substantial loss.
4. For the purposes of this Guidance, the types of assets listed
below are generally considered to be appropriate non-mortgage
liquidity investments. This list is subject to revision over time as
new asset types are introduced and/or market activities change. The
presence of an asset on the list does not mean that OFHEO will
necessarily consider any and all Enterprise investments in these
assets to be safe and sound, especially if they fail to meet
appropriate credit quality, maturity and diversification objectives:
a. Debt issued by the United States Treasury,
b. Debt issued by U.S. Government Agencies,
c. General obligation debt issued by states and municipal
authorities,
d. Revenue obligations issued by states and municipal
authorities,
e. Corporate debt instruments,
f. Money market instruments,
g. Non-mortgage asset-backed securities, and
h. Reverse repurchase agreements.
5. This Guidance does not address investments in mortgage-backed
securities, mortgage revenue bonds, or other investments secured by
housing (including commercial mortgage-backed securities with a
significant housing component) since these assets are not
principally held for liquidity purposes. Also, upon implementation
of FAS 133, this Guidance is not intended to address the use of
derivative instruments. For activities not covered in this Guidance
on non-mortgage liquidity investments, there should be no inferences
drawn about OFHEO's views.
C--Standards for Non-Mortgage Liquidity Investment Activities
To ensure there are sufficient funds available to the mortgage
market, the Enterprise must actively manage liquidity across all
three channels. OFHEO assesses the safety and soundness of non-
mortgage liquidity investment activities against five criteria. The
five criteria and details about each of the criteria are:
Prudent investment policies and procedures that guide
the Enterprise's process;
Quality management information that ensures timely
performance measures and governance data;
Safe & sound investment holdings and investment
culture;
Quality controls and personnel administering and
governing the process; and
Independent testing of the process to assure
compliance.
1. Prudent Investment Policies and Procedures That Guide the
Enterprise's Process
a. The Enterprise must have a comprehensive written investment
policy that clearly expresses the goals for the non-mortgage
liquidity investment activities. The Board of Directors and
management must evaluate the effectiveness of non-mortgage liquidity
investments in meeting the goals set out in the policy; and
management must evaluate activities against the procedures and
limitations in the policy. At a minimum, the policy should cover:
i. The purpose of the non-mortgage liquidity investment
holdings;
ii. The institutional goal(s) for the non-mortgage liquidity
investment holdings;
iii. The authorized instruments and activities;
iv. The internal control standards;
v. The limits structure;
vi. The performance standards and measures; and
vii. The reporting requirements.
b. The policy should clearly document the purpose for non-
mortgage liquidity investment holdings. Management should install a
series of procedures and controls that produce behaviors and
performance that are consistent with the defined purpose for the
non-mortgage liquidity investment activities.
c. The policy should establish the primary goals for the non-
mortgage liquidity investment activities. For an Enterprise, some
primary goals should be to augment liquidity and to generate a rate
of return that is reasonable in light of the purpose of such
investments. The emphasis placed on individual goals may vary based
upon institutional differences. However, non-mortgage liquidity
investments made with a goal of maximizing earnings or maximizing
arbitrage opportunities would be inconsistent with this Guidance for
the maintenance of an Enterprise's liquidity portfolio.
d. The policy should clearly define the authorized investment
vehicles and establish guidelines for the introduction of new types
of investment vehicles.
e. The Enterprise's procedures should include a framework of
controls that provide an appropriate separation of duties and
responsibilities. There should be responsibility assigned for an
independent review of non-mortgage liquidity investments by a
designated unit, such as audit or an independent risk oversight
group.
[[Page 55697]]
f. The Enterprise should adopt a limit structure to promote
diversification in the non-mortgage liquidity investment portfolio
and emphasizes strategies for risk mitigation. Additionally, there
should be limits for the aggregate size of the non-mortgage
liquidity investment portfolio.
g. The Enterprise should adopt measures to evaluate performance
against the policy and its objectives.
h. The Enterprise should adopt internal reporting requirements
that quantify performance, document exceptions, and serve as a basis
for communicating information about activities involving non-
mortgage liquidity assets.
i. The Enterprise should periodically evaluate the adequacy and
content of its public disclosure for non-mortgage investment
liquidity activities.
2. Quality Management Information That Ensures Timely Performance
Measures and Governance Data
a. The Enterprise must maintain systems that adequately
identify, measure and report the nature and level of exposure
associated with their non-mortgage liquidity investments. Management
must remain appropriately informed about the activity in non-
mortgage liquidity investments. Also, the Board of Directors should
periodically be provided a summary of non-mortgage liquidity
investment activities. At a minimum, management's reports to the
Board should:
i. Summarize non-mortgage investment activity since the last
report;
ii. Identify and explain any material changes or trends in the
non-mortgage liquidity investment portfolio risk and returns; and
iii. Report and explain exceptions to the policy or risk
guidelines for liquidity investments.
b. Meaningful changes in portfolio volume and spreads from
period to period should be identified and explained to the Board in
terms of why they occurred (e.g., changes in portfolio composition,
changes in funding costs, etc.). In overseeing the day-to-day
management of non-mortgage liquidity investment activities,
management should consider the discrete risks associated with the
non-mortgage liquidity investment portfolio as well as the exposure
of this portfolio within the context of risks across the entire
Enterprise. This includes assessing the non-mortgage liquidity
investment portfolio's sensitivity to changes in interest rates,
expressed in terms of net interest income sensitivity and portfolio
value sensitivity.
3. Safe and Sound Investment Holdings and Investment Culture
a. The Enterprise should implement and enforce policies and/or
procedures for non-mortgage liquidity investments. Management should
establish limits and procedures in a manner that is consistent with
the Board's sanctioned goals and risk appetite. Certain risk-limits
for non-mortgage liquidity investments may be expressed in terms of
how they affect the Enterprise's overall risk-profile, such as those
pertaining to interest-rate sensitivity. Other risk limits may be
more appropriately expressed in terms of individual portfolios and
instruments. In addition, limits restricting the size-range and
scope of the non-mortgage liquidity investment activities should be
established.
b. The limits and procedures should delineate the acceptable
investment instruments, acceptable markets, acceptable
counterparties, along with unacceptable investment or portfolio
activities. The Enterprise should maintain sufficient documentation
to demonstrate due diligence in adhering to policies, procedures,
limits and guidelines.
c. At a minimum, limits should be established and reviewed
annually, for:
i. Credit threshold guidelines: Credit quality is a compelling
factor for liquidity investments. Since liquidity investments should
be able to be readily converted into cash without substantial
exposure to losses, investments should be insulated from price
vulnerabilities that are associated with creditworthiness. The most
effective means of insulating against price exposure from credit
quality concerns is to invest in high-quality instruments and the
debt obligations of high-quality issuers. The Enterprise should
establish thresholds identifying the minimum credit standards of any
security eligible for purchase. Where these standards involve credit
ratings, the ratings should come from a nationally recognized rating
organization. Procedures should be included that determine the steps
to be taken by management if an instrument's credit rating falls
below the minimum threshold before maturity.
ii. Maturity guidelines: Because the maturity of an investment
significantly affects its exposure to credit risk and price
volatility, longer maturity instruments have limited suitability as
liquidity investments. The Enterprise should establish the maximum
maturity allowable for non-mortgage liquidity investments. It would
be appropriate to have different maturity limits for certain types
of instruments. For example, management may wish to establish
shorter maturity limits for fixed-coupon instruments than for
adjustable-rate securities. Management may have different maturity
limits for bullet securities and amortizing structures. It would be
appropriate to establish a maturity matrix based upon an
instrument's credit rating at the time of purchase.
iii. Diversification and concentration guidelines: Credit
concentrations can increase credit risk. Accordingly, the Enterprise
should establish guidelines that limit investments in the securities
of any single issuer. Such limits may be established as a percentage
limit (e.g., as a percentage of capital) or as an absolute dollar
amount. To enhance portfolio liquidity, there should also be a limit
on the percentage of any particular issue held by the Enterprise.
4. Quality Controls and Personnel Administering and Governing the
Process
a. The Enterprise should maintain a comprehensive set of
controls to enforce the appropriate separation of duties and
responsibilities. These controls should translate into clear
procedures for routine operations. At a minimum, the internal
control program for non-mortgage liquidity investment activities
should include procedures for the following: portfolio valuation,
personnel, settlement, physical control and documentation, conflict
of interest, and accounting.
i. Portfolio valuation procedures. Portfolio valuation
procedures should require pricing that is independent of the
investment portfolio managers. Pricing securities provides an
indication of the market depth and liquidity for individual
instruments, and is an important process for providing data to the
risk management function, particularly within a framework of
estimating market value sensitivity. Pricing is particularly
important for securities that are classified as ``available-for-
sale'' for accounting purposes.
ii. Personnel guidelines. Personnel guidelines should require
competent and experienced staff be responsible for conducting
transactions and managing the non-mortgage investment portfolio.
There should be clear guidance regarding the roles and
responsibilities of individuals involved with the non-mortgage
liquidity portfolio.
iii. Settlement practices. Procedures should cover standard
settlement practices for the various types of non-mortgage liquidity
investments in the Enterprise's portfolio. Inadequate understanding
of standard settlement practices, coupled with poor internal
controls, could result in unnecessary costs or losses.
iv. Control and documentation. Procedures covering control and
documentation should be comprehensive and consistent with the
evolving better practices in the marketplace. The procedures should
include, for example, standards for: processing and controlling
purchased instruments, safeguarding investment documentation and
reviewing trade tickets and confirmations.
v. Conflict of interest. Conflict of interest guidelines should
govern all Enterprise personnel authorized to purchase or sell non-
mortgage liquidity investments. These guidelines should ensure that
all directors, officers and employees act in the Enterprise's best
interest. Conflict of interest guidelines should address employee
relationships with authorized broker/dealers. Guidelines should also
address personnel accepting gifts and travel expenses from broker/
dealers.
vi. Accounting. Accounting practices should be evaluated to
determine the level of compliance with GAAP standards.
5. Independent Testing and Review of the Process to Assure Compliance
a. An independent review of non-mortgage liquidity investment
activities should be conducted periodically to ensure:
i. The accuracy and integrity of information provided to the
Board, management and other oversight bodies;
ii. The adherence to policy, procedures, limits and guidelines;
iii. The timeliness, accuracy and usefulness of non-mortgage
investment reports;
iv. The adequacy of personnel resources and capabilities; and
v. The non-mortgage liquidity investment activities remain
appropriate in the context of the marketplace and the external
environment.
[[Page 55698]]
b. This review may be conducted by a risk oversight unit or
internal audit department, or any party that is independent of the
routine risk-taking decisions and should be commensurate with the
level of review of other primary Enterprise activities. Independent
review findings for non-mortgage liquidity investments should be
reported to the Board directly or through one of its committees. The
Board should consider the independent review when reaffirming
policies, and should address any issues raised.
D--Disclosure of Non-Mortgage Liquidity Investment Activities
1. Sound risk management practices include thorough disclosures
about the Enterprise's risks and further regulators' efforts to
increase financial transparency for regulated financial companies.
Quality disclosures about risks and risk management can be an
effective deterrent to excessive risk-taking. Three essential
elements needed to promote market discipline for non-mortgage
liquidity investments are (1) type of issuer and security, (2)
maturity, and (3) credit quality or rating. Accordingly, quality
disclosure for a portfolio of non-mortgage liquidity investments
should include a detailed categorization of the portfolio with
respect to each of these elements and cross-categorization, so that
(for example) the quantity of any longer-maturity, lower-credit-
quality assets is clearly identified. Information about fair values;
yields; and narrative discussions of objectives, risk management
policies, and controls can also promote transparency of risk and
should be included. Such disclosures should be made quarterly, and
they should be made using average balances so that average risks can
be assessed--not just the risks on a given date.
2. Over the next few quarters, OFHEO will discuss more
specifically with the Enterprise how these disclosures will meet the
expectations expressed in this guidance. An example of a disclosure
format that may be used by the Enterprise is available on the OFHEO
Web site at http://www.ofheo.gov. However, the Enterprise may
disclose the risks in its non-mortgage liquidity investment
activities, consistent with the expectations expressed in this
guidance, using a format of its choice.
E--Summary
This Guidance sets forth OFHEO's process for evaluating the
safety and soundness of liquidity non-mortgage investment
activities. OFHEO remains committed to ensuring the Enterprises
remain financially sound, have appropriate control environments, and
engage only in financially sound business and investment activities.
OFHEO's examiners have been instructed to incorporate this
evaluation process into their ongoing safety and soundness
examinations. Examiners will evaluate and test the Enterprise's non-
mortgage liquidity investment processes and activities to ensure
they are in compliance with this guidance.
Appendix C to Part 1720--Policy Guidance; Safety and Soundness
Standards for Information
A--Introduction
1. Scope.
2. Preservation of Existing Authority.
3. Definitions.
B--Safety and Soundness Standards for Information
1. Information Security Program.
2. Objectives.
C--Development and Implementation of Information Security Program
1. Involve the Board of Directors.
2. Assess Risk.
3. Manage and Control Risk.
4. Oversee Service Provider Arrangements.
5. Adjust the Program.
6. Report to the Board.
7. Implementation.
A--Introduction
The Policy Guidance on Safety and Soundness Standards for
Information sets forth standards pursuant to section 1313 of the
Federal Housing Enterprise Safety and Soundness Act (12 U.S.C.
4513). The Guidance addresses standards for developing and
implementing administrative, technical, and physical safeguards to
protect the security, confidentiality, and integrity of information.
1. Scope. The Guidance applies to information maintained by or
on behalf of the Federal National Mortgage Association (Fannie Mae)
and the Federal Home Loan Mortgage Corporation (Freddie Mac)
(collectively, the Enterprises).
2. Preservation of Existing Authority. Nothing in the Guidance
in any way limits the authority of OFHEO to otherwise address unsafe
or unsound conditions or practices or violations of applicable law,
regulation or supervisory order. Action referencing the Policy
Guidance may be taken separate from, in conjunction with or in
addition to any other enforcement action available to OFHEO.
Compliance with the Policy Guidance in general would not preclude a
finding by the agency that an Enterprise is otherwise engaged in a
specific unsafe or unsound practice or is in an unsafe or unsound
condition, or requiring corrective or remedial action with regard to
such practice or condition. That is, supervisory action is not
precluded against an Enterprise that has not been cited for a
deficiency under the Policy Guidance. Conversely, an Enterprise's
failure to comply with one of the supervisory requirements set forth
in the Policy Guidance may not warrant a formal supervisory response
from OFHEO, if the agency determines the matter may be otherwise
addressed in a satisfactory manner. For example, OFHEO may require
the submission of a plan to achieve compliance with the particular
requirement or standard without taking any other enforcement action.
3. Definitions. For purposes of the Guidance, the following
definitions apply:
a. Information means any record of an Enterprise, whether in
paper, electronic, or other form, that is handled or maintained by
or on behalf of an Enterprise;
b. Information security program means the administrative,
technical, or physical safeguards used by an Enterprise to access,
collect, process, store, use, transmit, dispose of, or otherwise
handle information;
c. Information systems means any methods used to access,
collect, store, use, transmit, protect, or dispose of information;
d. Service provider means any person or entity, including any
third party vendor, that maintains, processes or otherwise is
permitted access to information through its provision of services
directly or indirectly to an Enterprise.
B--Safety and Soundness Standards For Information
1. Information Security Program. Each Enterprise shall implement
a comprehensive written information security program that includes
administrative, technical, and physical safeguards appropriate to
the nature and scope of its activities. While all parts of the
Enterprise are not required to implement a uniform set of policies,
all elements of the information security program must be
coordinated.
2. Objectives. An Enterprise's information security program
shall be designed to:
a. Ensure the security and confidentiality of information;
b. Protect against any anticipated threats or hazards to the
security or integrity of such information; and
c. Protect against unauthorized access to or use of such
information.
C--Development and Implementation of Information Security Program
1. Involve the Board of Directors. The board of directors or an
appropriate committee of the board of each Enterprise shall:
a. Approve the Enterprise's written information security
program; and
b. Oversee the development, implementation, and maintenance of
the Enterprise's information security program, including assigning
specific responsibility for its implementation and reviewing reports
from management.
2. Assess Risk. Each Enterprise shall:
a. Identify reasonably foreseeable internal and external threats
that could result in unauthorized disclosure, misuse, alteration, or
destruction of information or information systems;
b. Assess the likelihood and potential damage of these threats,
taking into consideration the sensitivity of nonpublic information;
and
c. Assess the sufficiency of policies, procedures, information
systems, and other arrangements in place to control risks.
3. Manage and Control Risk. Each Enterprise shall:
a. Design its information security program to manage and control
the identified risks, commensurate with the sensitivity of the
information as well as the complexity and scope of the Enterprise's
activities. Each Enterprise should consider whether the following
security measures are appropriate for the Enterprise and, if so,
adopt those measures the Enterprise concludes are appropriate:
[[Page 55699]]
i. Access controls over information systems, including controls
to authenticate and permit access only to authorized individuals and
controls to prevent employees from providing information to
unauthorized individuals who may seek to obtain this information
through fraudulent means;
ii. Access restrictions at physical locations containing
information, such as buildings, computer facilities, and records
storage facilities to permit access only to authorized individuals;
iii. Encryption of electronic information, including while in
transit or in storage on networks or systems to which unauthorized
individuals may have access;
iv. Procedures designed to ensure that information system
modifications are consistent with the Enterprise's information
security program;
v. Dual control procedures, segregation of duties, and employee
background checks for employees with responsibilities for or access
to information;
vi. Monitoring systems and procedures to detect actual and
attempted attacks on or intrusion into information systems;
vii. Response programs that specify actions to be taken when the
Enterprise suspects or detects that unauthorized individuals have
gained access to information systems, including appropriate reports
to regulatory and law enforcement agencies; and
viii. Measures to protect against destruction, loss or damage of
information due to potential environmental hazards, such as fire and
water damage or technological failures.
b. Train staff to implement the Enterprise's information
security program; and
c. Regularly test the key controls, systems and procedures of
the information security program. The frequency and nature of such
tests should be determined by the Enterprise's risk assessment.
Tests should be conducted or reviewed by independent third parties
or staff that are independent of those that develop or maintain the
security programs.
4. Oversee Service Provider Arrangements. Each Enterprise shall:
a. Exercise appropriate due diligence in selecting its service
providers;
b. Require its service providers by contract to implement
appropriate measures designed to meet the objectives of the
Guidance; and
c. Where indicated by the Enterprise's risk assessment, monitor
its service providers to confirm that they have satisfied their
obligations as required by section 9(b). As part of this monitoring,
an Enterprise should review audits, summaries of test results, or
other equivalent evaluations of its service providers.
5. Adjust the Program. Each Enterprise shall monitor, evaluate,
and adjust, as appropriate, the information security program in
light of any relevant changes in technology, the sensitivity of its
information, internal or external threats to information, and the
Enterprise's own changing business arrangements, such as
acquisitions, alliances and joint ventures, outsourcing
arrangements, and changes to information systems.
6. Report to the Board. Each Enterprise shall report to its
board or an appropriate committee of the board at least annually.
This report should describe the overall status of the information
security program and the Enterprise's compliance with the Guidance.
The reports should discuss material matters related to its program,
addressing issues such as: risk assessment; risk management and
control decisions; service provider arrangements; results of
testing; security breaches or violations and management's responses;
and recommendations for changes in the information security program.
7. Implementation. a. Each Enterprise should implement an
information security program pursuant to the Guidance.
b. Until January 1, 2004, a contract that an Enterprise has
entered into with a service provider to perform services for it or
functions on its behalf satisfies the provisions of section 9, even
if the contract does not include a requirement that the servicer
maintain the security and confidentiality of information, as long as
the Enterprise entered into the contract on or before the effective
date.
Dated: August 20, 2002.
Armando Falcon, Jr.,
Director, Office of Federal Housing Enterprise Oversight.
[FR Doc. 02-21780 Filed 8-29-02; 8:45 am]
BILLING CODE 4220-01-U