12 C.F.R. Appendix A to Part 1720—Policy Guidance; Minimum Safety and Soundness Requirements
Title 12 - Banks and Banking
A—Background and Introduction I. Background II. Introduction B—Operational and Managerial Requirements I. Asset underwriting and credit quality. II. Balance sheet growth and management. III. Market risk. IV. Information technology. V. Internal controls. VI. Audits. VII. Information reporting and documentation. VIII. Board and management responsibilities and function. IX. Format of policies and procedures. C—Compliance Plans I. Notice; submission and review of compliance plan. II. Failure to submit acceptable plan or to comply with plan. A—Background and Introduction I. Background. The Federal Housing Enterprises Safety and Soundness Act of 1992, Title XIII of Pub. L. No. 102–550 (the Act) empowers OFHEO to take any such action as the Director determines to be appropriate to ensure that the federally sponsored housing enterprises, Fannie Mae and Freddie Mac, are, among other things, adequately capitalized and operating safely, including by adopting supervisory policies and standards by regulation or other guidance or process. i. OFHEO herein sets forth the minimum supervisory requirements used by the agency in reviewing the ensuring, the adequacy of policies and procedures of the Enterprises in the areas of: (1) Asset underwriting and credit quality; (2) balance sheet growth; (3) market risks; (4) information technology; (5) internal controls; (6) audits; (7) information reporting and documentation; and (8) board and management responsibilities and functions. If the agency finds that an Enterprise fails to meet any requirement or standard set forth in this pronouncement, the Director may, among other things, require the Enterprise to submit to the agency and implement an adequate plan to achieve timely compliance with the requirement or standard. If the Enterprise fails to submit such an adequate plan within the time specified by the agency or fails in any material respect to implement the plan, the agency may take additional supervisory action. The Director may at any time prescribe such supervisory actions as deemed appropriate to correct conditions resulting from an unsafe or unsound practice or condition or deficiency in complying with regulatory requirements or standards including, but not limited to, issuance of a notice of charges or order, imposition of civil money penalties, or other remedial actions or sanctions as determined by the Director. ii. The minimum supervisory requirements and standards identify key safety and soundness concerns regarding operation and management of an Enterprise, and ensure that action is taken to avoid the emergence of problems that might entail serious risks to an Enterprise. The minimum supervisory requirements of the Policy Guidance also reflect the need for internal policies and procedures in particular areas that, if not appropriately addressed by the Enterprises, may warrant action by OFHEO in order to reduce risks of loss and possible capital impairment. The proposed minimum requirements set forth herein are intended to effect these purposes without dictating how the Enterprises must be operated and managed; moreover, the Policy Guidance does not set out detailed operational and managerial procedures that an Enterprise must have in place. The Policy Guidance is intended to identify the ends that proper operational and management policies and procedures are to achieve, while leaving the means to be devised by each Enterprise as it designs and implements its own policies and procedures. Where OFHEO does specify particular requirements, each Enterprise's management is left with substantial flexibility to fashion and implement them. iii. The Policy Guidance is not intended to effect a change in OFHEO's policies; the announced minimum requirements reflect the basic underlying criteria OFHEO uses to assess the operations and managerial quality of an Enterprise. OFHEO will determine compliance with the requirements and related standards through examinations of the Enterprises, as well as off-site surveillance means and other interchanges with each Enterprise. iv. OFHEO routinely undertakes to evaluate an Enterprise's overall policies, in order to determine whether such policies are safe and sound in principle and in practice. OFHEO also evaluates whether procedures are in place to ensure that an Enterprise's overall policies as adopted by the Enterprise's board of directors and management are, in fact, applied in the normal course of business. As reflected in the Policy Guidance, the Enterprises are, at a minimum, expected to adopt appropriate policies and internal guidelines, and to put in place procedures to ensure they are followed as a matter of routine. v. Nothing in the Policy Guidance in any way limits the authority of OFHEO to otherwise address unsafe or unsound conditions or practices, or violations of applicable law, regulation or supervisory order. Action referencing the Policy Guidance may be taken separate from, in conjunction with or in addition to any other enforcement action available to OFHEO. Compliance with the Policy Guidance in general would not preclude a finding by the agency that an Enterprise is otherwise engaged in a specific unsafe or unsound practice or is in an unsafe or unsound condition, or requiring corrective or remedial action with regard to such practice or condition. That is, supervisory action is not precluded against an Enterprise that has not been cited for a deficiency under the Policy Guidance. Conversely, an Enterprise's failure to comply with one of the supervisory requirements set forth in the Policy Guidance may not warrant a formal supervisory response from OFHEO, if the agency determines the matter may be otherwise addressed in a satisfactory manner. For example, OFHEO may require timely submission of a plan to achieve compliance with the particular requirement or standard without taking any other enforcement action. II. Introduction. i. Authority, purpose, and scope. a. Authority. This Policy Guidance is issued by the Office of Federal Housing Enterprise Oversight (OFHEO) pursuant to sections 1313(a), 1313(b)(1), 1313(b)(5) and 1371 of the Federal Housing Enterprise Safety and Soundness Act (Act) (12 U.S.C. 4513(a), 4513(b)(1), 4513(b)(5) and 4631). These provisions of the Act authorize OFHEO to take any action deemed appropriate by the Director of OFHEO to ensure that the Federal National Mortgage Association and the Federal Home Loan Mortgage Corporation (the Enterprises) are operated in a safe and sound manner, including by adopting supervisory policies and standards by regulation, guidance, or other process. b. Purpose and scope. This Policy Guidance sets out certain minimum safety and soundness requirements for the business and operations of the Enterprises, and reiterates agency policies requiring the Enterprises to establish and implement policies and procedures that are sufficient to effectuate compliance with supervisory standards. If OFHEO determines that an Enterprise does not meet the requirements set forth herein, the Director may require the Enterprise to submit and carry out a plan to achieve compliance, or may take other corrective and remedial actions. The requirements enumerated herein are supervisory minimums. In order to satisfy an Enterprise's overarching obligation under the Act to conduct is operations in a safe and sound manner, it may be necessary and appropriate for an Enterprise to take additional measures in these or other areas, as directed by OFHEO through regulation, guidance, order or otherwise as part of the supervisory process. ii. Preservation of existing authority. Neither this Policy Guidance nor any action by OFHEO to enforce compliance of an Enterprise therewith in any way limits the authority of the Director otherwise to address unsafe or unsound conditions or practices, or other violations of law or other regulation. Action under this Policy Guidance may be taken separate from, in conjunction with, or in addition to any other enforcement action deemed appropriate by OFHEO. Nothing in this Policy Guidance or related guidances limits the authority of the Director pursuant to section 1313 of the Act (12 U.S.C. 4513) or any other provision of law, rule or regulation applicable to the Enterprises. iii. Definitions. For purposes of this Policy Guidance, except as modified therein or unless the context otherwise requires, the terms used have the same meaning as set forth in section 1303 of the Act (12 U.S.C. 4502). B—Operational and Managerial Requirements I. Asset underwriting and credit quality. An Enterprise should establish and implement policies and procedures to adequately assess credit risks before they are assumed, and monitor such risks subsequently to ensure that they conform to the Enterprise's credit risk standards on an individual and an aggregate basis. The Enterprise should: i. For loans purchased and loans collateralizing securities guaranteed by the Enterprise, adopt and implement prudent underwriting standards and procedures commensurate with the type of loan or loans and the markets in which the loan or loans were made that include consideration of the borrower's and any guarantor's financial condition and ability to repay as well as the type and value of any collateral or credit enhancement; ii. To the extent the Enterprise's assets are serviced or administered by other entities or are covered by mortgage insurance or other credit enhancements or arrangements, the Enterprise's policies and procedures should recognize the consequences and implications of such contractual arrangements for the Enterprise's credit risk; iii. Establish and implement policies and procedures to address declining credit quality and to require appropriate corrective action; to establish sufficient reserves; and to deal with defaulted assets so as to minimize losses; iv. Establish and implement policies and procedures to select and price credit risk to ensure that the Enterprise is appropriately compensated commensurate with the credit risk it assumes and its statutory obligations; v. Establish and implement policies and procedures that address the prudential selection, management and handling of counterparty credit exposure that arises from engaging in hedging activities and the use derivative instruments; and vi. Establish and implement policies and procedures to identify, monitor and evaluate its credit exposures on an aggregate basis so as to assess the implications and consequences of matters such as concentration exposure (including geographic as well as product concentrations), to identify and evaluate credit risk trends effectively, and to maintain and revise appropriately its systems and procedures for underwriting, servicing, and monitoring of such exposures and changes to those exposures. II. Balance sheet growth and management. An Enterprise's balance sheet growth should be prudent and consider: i. The source, volatility, and use of funds that support balance sheet growth; ii. Any changes in credit risk or interest rate risk resulting from balance sheet growth; iii. The effect of balance sheet growth on the Enterprise's capital adequacy; and iv. The appropriate policies and procedures needed to manage changes in risk that may occur as a result of balance sheet growth. III. Market risk. An Enterprise should establish and implement policies and procedures that allow for the effective identification, measurement, monitoring, and management of market risk. The Enterprise should: i. Establish and implement policies and procedures sufficient to quantify and monitor the interest rate risk of the Enterprise effectively and to model the effect of differing interest rate scenarios on the Enterprise's financial condition and operations; ii. Develop risk management strategies that respond appropriately to changes in interest rates; iii. Establish and implement policies and procedures sufficient to quantify and monitor the Enterprise's liquidity effectively, and to identify and anticipate various market environments and their effects on the Enterprises' liquidity; and iv. Establish and maintain an effective contingency plan for liquidity under varying scenarios. IV. Information technology. An Enterprise should establish and implement policies and procedures to ensure that its computing resources, proprietary and nonpublic information and data are: i. Protected from access by unauthorized users, and otherwise protected by appropriate security measures; ii. Reliable, accurate and available at all times as needed for its business operations, including an ability to effect timely recovery and resume operations after a reasonably foreseeable adverse event; and iii. Designed to ensure adequate support of business operations. V. Internal controls. An Enterprise should maintain and implement internal controls appropriate to the nature, scope and risk of its business activities that, at a minimum, provide for: i. An organizational structure and assignment of responsibility for management, employees, consultants and contractors, that provide for accountability and controls, including adherence to policies and procedures; ii. A control framework commensurate with the Enterprise's risks; iii. Policies and procedures adequate to safeguard and to manage assets; and iv. Compliance with applicable laws, regulations and policies. VI. Audits. An Enterprise should establish and implement internal and external audit programs appropriate to the nature and scope of its business activities that, at minimum, provide for: i. Adequate monitoring of internal controls through an audit function appropriate to the Enterprise's size, structure and scope of operations; ii. Independence of the audit function; iii. Qualified professionals and management for the conduct and review of audit functions; iv. Adequate testing and review of audited areas together with adequate documentation of findings and of any recommendations and corrective actions; and v. Verification and review of measures and actions undertaken to address identified material weaknesses. VII. Information reporting and documentation. An Enterprise should establish and implement policies and procedures for generating and retaining reports and documents that: i. Enable the Enterprise's board of directors (including appropriate committees) to make informed decisions and to exercise its oversight function, by providing all such relevant information of an appropriate level of detail as necessary; ii. Enable the Enterprise's managers to make informed business decisions and to assess risks for all aspects of the Enterprise's business on an ongoing basis, by providing sufficient relevant information of an appropriate level of detail as necessary; iii. Ensure decision-makers have appropriate and necessary information about particular transactions and business operations; iv. Enable the Enterprise to administer and supervise all assets, liabilities, commitments and other financial obligations appropriately; v. Enable the Enterprise to enforce legal claims against borrowers, counterparties and other obligors; and vi. Ensure timely and complete submissions of reports of financial condition and operations, as well as annual and other periodic reports and special reports to OFHEO whenever requested or required by OFHEO. VIII. Board and management responsibilities and function. An Enterprise's board of directors shall ensure that the board (including appropriate committees) works with executive management to establish the Enterprise's strategies and goals in an informed manner, and that the Enterprise's executive managers and other managers, as appropriate, implement such strategies, by ensuring at a minimum that: i. The board (including appropriate committees) oversees the development of the Enterprise's strategies in key areas and exercises oversight necessary to ensure that management sets policies and controls to implement such strategies effectively; ii. The board (including appropriate committees) hires qualified executive management, and exercises oversight to hold management accountable for meeting the Enterprise's goals and objectives; iii. The board (including appropriate committees) is provided with accurate information about the operations and financial condition of the Enterprise in a timely fashion, and sufficient to enable the board to effect its oversight duties and responsibilities; iv. Management of the Enterprise sets policies and controls to ensure the Enterprise's strategies are implemented effectively, and that the Enterprise's organization structure and assignment of responsibilities provide clear accountability and controls; and v. Management of the Enterprise establishes and maintains an effective risk management framework, including review of such framework to monitor its effectiveness and taking appropriate action to correct any weaknesses. IX. Format of policies and procedures. i. Generally, the policies of an Enterprise contemplated by this Policy Guidance should be in writing and in such form and detail as appropriate in light of their intended purpose, nature, and potential consequences for the operations and financial condition of the Enterprise, and approved by the board of directors (including appropriate committees) or such responsible officer or officers as designated by the board. ii. The policies and procedures of an Enterprise contemplated by this Policy Guidance should be provided to OFHEO at such time and in such format as OFHEO directs. C—Compliance Plans I. Notice; submission and review of compliance plans. i. Determination. The Director of OFHEO may, based upon a report of examination, or other supervisory information however acquired, determine that an Enterprise has failed or is likely to fail to satisfy the minimum supervisory requirements or standards set forth in part B of this appendix. ii. Request for compliance plan. If the Director determines pursuant to paragraph C.I.i of thiis appendix that an Enterprise has failed or is likely to fail to satisfy a supervisory requirement or standard, OFHEO may require the submission of a written compliance plan. iii. Schedule for filing compliance plan. An Enterprise may be required to file a written compliance plan with OFHEO within thirty days of receiving a written request for a compliance plan pursuant to paragraph C.I.ii of this appendix. iv. Contents of plan. A required compliance plan should include, subject to additional direction by OFHEO, a detailed description of the steps the Enterprise will take to correct a deficiency and any condition resulting therefrom and the time within which such steps will be undertaken and fully implemented. v. Review of compliance plans. If the compliance plan submitted under this section is deemed to be inadequate or incomplete, OFHEO may provide written notice of such inadequacy or deficiencies thereof to the Enterprise OFHEO or seek additional information from the Enterprise regarding the plan. vi. Amendment of compliance plan. An Enterprise that has filed a required compliance plan to which no objection has been raised by OFHEO may, after prior written notice to and approval by the Director, amend the plan to reflect changes in circumstance, policies and procedures. II. Failure to submit acceptable plan or to comply with plan. If an Enterprise does not submit an adequate and complete plan as required by the agency within the time specified by OFHEO or does not implement such an adequate and complete plan, the Director may require the Enterprise to correct any deficiency and may require additional corrective or remedial actions by the Enterprise as deemed to be appropriate pursuant to the Act, including sections 1371 (12 U.S.C. 4631), 1372 (12 U.S.C. 4632), and 1376 (12 U.S.C. 4636).
Title 12: Banks and Banking
PART 1720—SAFETY AND SOUNDNESS
Appendix A to Part 1720—Policy Guidance; Minimum Safety and Soundness Requirements
