Tag Archives: information security

High Risk at Fannie and Freddie

Posted on by

FHFA Director Watt

The Federal Housing Finance Agency released its 2014 Report to Congress. It summarizes many interim reports and press releases that were released over the previous year, many of which have been covered by REFinBlog as they came out. I was struck, however, by the passages about the operational risk that Fannie and Freddie face.  I have been concerned with operational risk at Fannie and Freddie for some time, as the two enterprises have languished in conservatorship limbo for far too long.

The Report of the Annual Examination of Fannie Mae states that

The level of operational risk remains high and largely reflects the risk posed by execution of Fannie Mae’s strategic plan to replace its existing information technology infrastructure. Management has made significant progress in stabilizing the current information technology environment, with improvements in the change management process and reductions in production outages. Further, progress was made in establishing an out-of-region data center that is a critical component for supporting information systems and providing for business continuity in the event of a disaster. As Fannie Mae implements this plan, however, the level of operational risk will remain elevated. Risks associated with the execution, deployment, and integration with the CSP [Common Securitization Platform] and the move to a Single Security, while addressing ongoing IT infrastructure issues, will also introduce a significant level of inherent operational risk to the organization. Effective project management will be critical to mitigate the operational risk arising from these efforts.(14, emphasis added)

The Report of the Annual Examination of Freddie Mac indicates that Freddie faces somewhat different operational risks:

Operational risk, including risks associated with information technology systems, remains a concern primarily because of resource requirements and operational complexities of major strategic initiatives (including integration with the CSP), developing information security and privacy protection capabilities, and heightened risk during the transition to the new risk management structure.

Information security is one of the primary operational risks Freddie Mac faces given the proliferation of cyber crimes and the high probability of new cyber attacks targeted at large organizations. Freddie Mac’s operational framework is highly complex. Information security within the Enterprise is more important than ever given the pervasiveness of cyber-related threats. In addition to external threats, Freddie Mac faces other challenges that may continue to elevate operational risk and increase the likelihood of significant operational incidents and losses. (17, emphasis added)

While neither of these passages is terrifying — as in, here-is-the-next-trigger-for-a-bailout terrifying — they do make me pause and ask whether the GSEs in their current form are up to the challenge of handling this period of “heightened risk.”

Those in Congress who are impeding GSE reform are on notice that Fannie and Freddie face high levels of operational risk. If the next crisis results from that risk, it is on them.

What Is To Be Done with Mortgage Servicers?

Posted on by

The Office of the Comptroller of the Currency has found that EverBank; HSBC Bank USA, N.A.; JPMorgan Chase Bank, N.A.; Santander Bank, National Association; U.S. Bank National Association; and Wells Fargo Bank, N.A. have not met all of the requirements of consent orders they had entered into because of deficiencies in how they dealt with foreclosure servicing. The details of these deficiencies are pretty bad.

The OCC recently issued amended consent orders with these banks. The amended orders restrict certain business activities that they conduct. The restrictions include limitations on:

  • acquisition of residential mortgage servicing or residential mortgage servicing rights (does not apply to servicing associated with new originations or refinancings by the banks or contracts for new originations by the banks);
  • new contracts for the bank to perform residential mortgage servicing for other parties;
  • outsourcing or sub-servicing of new residential mortgage servicing activities to other parties;
  • off-shoring new residential mortgage servicing activities; and
  • new appointments of senior officers responsible for residential mortgage servicing or residential mortgage servicing risk management and compliance.

HSBC had the most deficiencies of the six:  it did not make 45 of the 98 changes it had agreed to over the last few years. I was particularly interested in the portion of the consent orders that relate to MERS. The HSBC consent order states:

(1) The Bank shall implement its Revised Action Plan and ensure appropriate controls and oversight of the Bank’s activities with respect to the Mortgage Electronic Registration System (“MERS”) and compliance with MERSCORPS’s membership rules, terms, and conditions (“MERS Requirements”), include, at a minimum:

(a) processes to ensure that all mortgage assignments and endorsements with respect to mortgage loans serviced or owned by the Bank out of MERS’ name are executed only by a certifying officer authorized by MERS and approved by the Bank;

(b) processes to ensure that all other actions that may be taken by MERS certifying officers (with respect to mortgage loans serviced or owned by the Bank) are executed by a certifying officer authorized by MERS and approved by the Bank;

(c) processes to ensure that the Bank maintains up-to-date corporate resolutions from MERS for all Bank employees and third-parties who are certifying officers authorized by MERS, and up-to-date lists of MERS certifying officers;

(d) processes to ensure compliance with all MERS Requirements and with the requirements of the MERS Corporate Resolution Management System (“CRMS”);

(e) processes to ensure the accuracy and reliability of data reported to MERSCORP and MERS, including monthly system-to-system reconciliations for all MERS mandatory reporting fields, and daily capture of all rejects/warnings reports associated with registrations, transfers, and status updates on open-item aging reports. Unresolved items must be maintained on open-item aging reports and tracked until resolution. The Bank shall determine and report whether the foreclosures for loans serviced by the Bank that are currently pending in MERS’ name are accurate and how many are listed in error, and describe how and by when the data on the MERSCORP system will be corrected; and

(f) an appropriate MERS quality assurance workplan, which clearly describes all tests, test frequency, sampling methods, responsible parties, and the expected process for open- item follow-up, and includes an annual independent test of the control structure of the system-to- system reconciliation process, the reject/warning error correction process, and adherence to the Bank’s MERS Plan.

(2) The Bank shall include MERS and MERSCORP in its third-party vendor management process, which shall include a detailed analysis of potential vulnerabilities, including information security, business continuity, and vendor viability assessments.

These should all be easy enough for a financial institution to achieve as they relate to basic corporate practices (e.g., properly certifying officers); basic data management practices (e.g., system-to-system reconciliations); and basic third-party vendor practices (e.g., analyzing potential vulnerabilities of vendors).

It is hard to imagine why these well-funded and well-staffed enterprises are having such a hard time fixing their servicing operations. We often talk about governments as being too poorly run to handle reform of complex operations, but it appears that large banks face the same kinds of problems.

I am not sure what the takeaway is in terms of reform, but it does seem that homeowners need protection from companies that can’t reform themselves while they are under stringent consent orders with their primary regulator for years and years.