High Risk at Fannie and Freddie

FHFA Director Watt

The Federal Housing Finance Agency released its 2014 Report to Congress. It summarizes many interim reports and press releases that were released over the previous year, many of which have been covered by REFinBlog as they came out. I was struck, however, by the passages about the operational risk that Fannie and Freddie face.  I have been concerned with operational risk at Fannie and Freddie for some time, as the two enterprises have languished in conservatorship limbo for far too long.

The Report of the Annual Examination of Fannie Mae states that

The level of operational risk remains high and largely reflects the risk posed by execution of Fannie Mae’s strategic plan to replace its existing information technology infrastructure. Management has made significant progress in stabilizing the current information technology environment, with improvements in the change management process and reductions in production outages. Further, progress was made in establishing an out-of-region data center that is a critical component for supporting information systems and providing for business continuity in the event of a disaster. As Fannie Mae implements this plan, however, the level of operational risk will remain elevated. Risks associated with the execution, deployment, and integration with the CSP [Common Securitization Platform] and the move to a Single Security, while addressing ongoing IT infrastructure issues, will also introduce a significant level of inherent operational risk to the organization. Effective project management will be critical to mitigate the operational risk arising from these efforts.(14, emphasis added)

The Report of the Annual Examination of Freddie Mac indicates that Freddie faces somewhat different operational risks:

Operational risk, including risks associated with information technology systems, remains a concern primarily because of resource requirements and operational complexities of major strategic initiatives (including integration with the CSP), developing information security and privacy protection capabilities, and heightened risk during the transition to the new risk management structure.

Information security is one of the primary operational risks Freddie Mac faces given the proliferation of cyber crimes and the high probability of new cyber attacks targeted at large organizations. Freddie Mac’s operational framework is highly complex. Information security within the Enterprise is more important than ever given the pervasiveness of cyber-related threats. In addition to external threats, Freddie Mac faces other challenges that may continue to elevate operational risk and increase the likelihood of significant operational incidents and losses. (17, emphasis added)

While neither of these passages is terrifying — as in, here-is-the-next-trigger-for-a-bailout terrifying — they do make me pause and ask whether the GSEs in their current form are up to the challenge of handling this period of “heightened risk.”

Those in Congress who are impeding GSE reform are on notice that Fannie and Freddie face high levels of operational risk. If the next crisis results from that risk, it is on them.