[Federal Register Volume 67, Number 169 (Friday, August 30, 2002)]
[Rules and Regulations]
[Pages 55691-55699]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 02-21780]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT

Office of Federal Housing Enterprise Oversight

12 CFR Part 1720

RIN 2550-AA22


Safety and Soundness Regulation

AGENCY: Office of Federal Housing Enterprise Oversight, DHUD.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Office of Federal Housing Enterprise Oversight (OFHEO) is 
issuing a final rule to support increased transparency and public 
awareness of minimum supervisory standards adopted by OFHEO and applied 
in overseeing the safety and soundness of the Federal National Mortgage 
Association (Fannie Mae) and the Federal Home Loan Mortgage Corporation 
(Freddie Mac) (collectively, the Enterprises). The final rule's format 
reflects that used by other federal regulators. The rule delineates 
supervisory standards in a manner consistent with recent rulings by the 
United States Supreme Court affecting agency pronouncements. OFHEO will 
adopt and publish supervisory policy guidance as appendices to the rule 
as it deems appropriate to illuminate areas of particular interest or 
potential concern.

EFFECTIVE DATES: September 30, 2002.

FOR FURTHER INFORMATION CONTACT: David W. Roderer, Deputy General 
Counsel, or Marvin Shaw, Senior Counsel, at (202) 414-3775 (not a toll-
free number), Office of General Counsel, Office of Federal Housing 
Enterprise Oversight, 1700 G Street NW., 
Fourth Floor, Washington, DC 20552. The telephone number for the 
Telecommunications for the Deaf is: (800) 877-8339 (TTD only).

SUPPLEMENTARY INFORMATION: The Federal Housing Enterprises Financial 
Safety and Soundness Act of 1992, Title XIII of Pub. L. No. 102-550 
(the Act), empowers OFHEO to take any such action as the Director 
determines to be appropriate to ensure that the federally sponsored 
housing enterprises, the Federal National Mortgage Association (Fannie 
Mae) and the Federal Home Loan Mortgage Corporation (Freddie Mac) 
(collectively, the Enterprises), are adequately capitalized and 
operating safely by, among other things, adopting supervisory policies 
and standards by regulation or other guidance or process.
    On December 19, 2000, OFHEO issued Policy Guidance PG-00-001 
setting forth minimum supervisory standards in eight broad areas of 
particular regulatory interest and potential concern and issued Policy 
Guidance PG-00-002, which addressed standards for non-mortgage 
liquidity.\1\ One year later, a third policy guidance was adopted that 
specifically sets out the minimum safety and soundness standards for 
information systems and security.\2\ That policy guidance, entitled 
``Safety and Soundness Standards for Information,'' focused narrowly on 
safety and soundness concerns with the adequacy of the Enterprises' 
respective policies and procedures affecting the security of their 
information systems and integrity of such information, including 
borrower information maintained by the Enterprises.
---------------------------------------------------------------------------

    \1\ OFHEO Policy Guidance PG-00-001, Minimum Safety and 
Soundness Requirements (Dec. 19, 2000) and Policy Guidance PG-00-
002, Non-mortgage Liquidity Investments (December 19, 2000) 
(available on OFHEO's web site at http://www.ofheo.gov).
    \2\ OFHEO Policy Guidance PG-01-001, Safety and Soundness 
Standards for Information (Dec. 19, 2001) (available on OFHEO's web 
site at http://www.ofheo.gov).
---------------------------------------------------------------------------

    The minimum standards set forth in OFHEO's policy guidances are 
designed to identify key safety and soundness concerns regarding 
operation and management of an Enterprise, and to ensure that the 
conduct and practices of the Enterprises reasonably avoid the emergence 
of problems that might entail serious risks. The minimum standards also 
reflect the need for internal policies and procedures in particular 
areas that, if not appropriately addressed by an Enterprise, may 
warrant supervisory action by OFHEO in order to reduce risks of loss 
and corresponding capital impairment. The minimum standards set out in 
such guidances are intended to effect these purposes without dictating 
how the Enterprises must be operated and managed.
    On June 21, 2002, OFHEO published a notice in the Federal Register 
proposing a rule that would provide the regulatory framework for the 
adoption and publication of such policy guidance.\3\ The format of the 
proposed regulation, as a formal agency pronouncement delineating the 
parameters of the supervisory standards applicable to the Enterprise, 
mirrors that used by the Office of Comptroller of the Currency (OCC) in 
promulgating safety and soundness standards for national banks \4\ 
pursuant to Section 39 of the Federal Deposit Insurance Act.\5\ The OCC 
used a similar format when it adopted specific supervisory standards 
applicable to bank information systems.\6\
---------------------------------------------------------------------------

    \3\ 67 FR 42200 (June 21, 2002).
    \4\ For the OCC, these regulations appear at 12 CFR Part 30, 
Appendix A: ``Interagency Guidelines Establishing Standards for 
Safety and Soundness''; see also, for the Board of Governors of the 
Federal Reserve System at 12 CFR Part 263; and for the Federal 
Deposit Insurance Corporation at 12 CFR 308, subpart R; and for the 
Office of Thrift Supervision at 12 CFR Part 570.
    \5\ 12 U.S.C. 1381p-1.
    \6\ See, Appendix B of 12 CFR Part 30.
---------------------------------------------------------------------------

    OFHEO received comments from Freddie Mac, Fannie Mae and the 
Mortgage Bankers Association of America (MBAA). The commenters 
generally supported the proposal. Freddie Mac agreed with the purpose 
of the rule of improving transparency and public awareness of 
supervisory standards applicable to the Enterprises. In particular, 
Freddie Mac acknowledged the issuance of guidance is the most effective 
way to integrate safety and soundness objectives into an ever-changing 
business environment. Similarly, Fannie Mae supported the purpose of 
the rule: to enhance transparency and public awareness of these minimum 
supervisory standards. MBAA noted that the proposal and the specific 
authorities set forth by OFHEO appear to be reasonable and within the 
bounds of prudent regulatory practice.
    OFHEO analyzed the comments and suggestions for improvement of the 
proposed rule. Freddie Mac recommended section Sec. 1720.2 be modified 
with respect to the Director's authority to include the phrase ``to the 
extent such actions are authorized by the Act.'' OFHEO agrees with 
Freddie Mac that the Director may only exercise such authority as is 
specifically granted, or by implication is necessary to carry out 
specific grants of authority, in legislation enacted by Congress. 
Accordingly, OFHEO believes that it is unnecessary to amend the 
regulatory text in section Sec. 1720.2 to state this principle.
    Fannie Mae questioned the need for what they believe are 
``duplicative reassertions of authority'' since OFHEO has asserted its 
authority in the guidances and in 12 CFR Part 1777. Fannie Mae also 
requested confirmation of its belief that the rulemaking does not 
convert OFHEO's policy guidances into rules subject to the 
Administrative Procedure Act (APA). Finally, Fannie Mae requested that 
OFHEO solicit input from the Enterprises whenever it develops any 
supervisory policy guidance.
    OFHEO notes that its assertion of statutory authority in this 
rulemaking, as well as in the guidances and Part 1777, reflects common 
practice among federal agencies in specifying their authority whenever 
they publish agency rules or other pronouncements. This practice cites 
the authority of the agency to those coming into contact with an agency 
pronouncement for the first time. OFHEO agrees that the safety and 
soundness rule set forth in final form here does not ``convert'' 
existing or future guidance into rules subject to the APA. Indeed, this 
would be contrary to OFHEO's intent and reduce its use of this 
important and flexible supervisory device.
    As explained in the NPR, the final regulation and appended 
guidances are intended to facilitate the public awareness and 
enforceability of such standards as official agency pronouncements in a 
manner consistent with recent United States Supreme Court rulings.\7\
---------------------------------------------------------------------------

    \7\ See United States v. Mead Corp., 533 U.S. 218 (2001), and 
Christensen v. Harris County, 529 U.S. 576 (2000).
---------------------------------------------------------------------------

    Nothing in the OFHEO Policy Guidances limits the authority of OFHEO 
to otherwise address unsafe or unsound conditions or practices, or 
violations of applicable laws, regulations or supervisory orders, as 
detailed in section Sec. 1720.1(b).

Regulatory Impact

Executive Order 12866, Regulatory Planning and Review

    The regulation is not classified as a significant rule under 
Executive Order 12866 because it will not result in an annual effect on 
the economy of $100 million or more or a major increase in costs or 
prices for consumers, individual industries, Federal, State, or local 
government agencies, or geographic regions; or have significant 
adverse effects on competition, employment, investment, productivity, 
innovation, or on the ability of United States-based enterprises to 
compete with foreign-based enterprises in domestic or foreign markets. 
Accordingly, no regulatory impact assessment is required and this 
regulation need not be submitted to the Office of Management and Budget 
for formal review.

Unfunded Mandates Reform Act of 1995

    This rule does not include a Federal mandate that could result in 
the expenditure by State, local, and tribal governments, in the 
aggregate, or by the private sector, of $100,000,000 or more (adjusted 
annually for inflation) in any one year. As a result, the rule does not 
warrant the preparation of an assessment statement in accordance with 
the Unfunded Mandates Reform Act of 1995.

Regulatory Flexibility Act

    The Regulatory Flexibility Act (5 U.S.C. 601 et seq.) requires that 
a regulation that has a significant economic impact on a substantial 
number of small entities, small businesses, or small organizations must 
include an initial regulatory flexibility analysis describing the 
regulation's impact on small entities. Such an analysis need not be 
undertaken if the agency has certified that the regulation will not 
have a significant economic impact on a substantial number of small 
entities. 5 U.S.C. 605(b). OFHEO has considered the impact of the 
regulation under the Regulatory Flexibility Act. The General Counsel of 
OFHEO certifies that the regulation is not likely to have a significant 
economic impact on a substantial number of small business entities 
because the regulation only affects the Enterprises, which are not 
small entities for purposes of the Regulatory Flexibility Act.

Paperwork Reduction Act of 1995

    This regulatory action contains no information collection 
requirement that would require the approval of the Office of Management 
and Budget pursuant to the Paperwork Reduction Act, 44 U.S.C. 3501-
3520.

List of Subjects in 12 CFR Part 1720

    Administrative practice and procedure, Mortgages.


    Accordingly, for the reasons set out in the preamble, the Office of 
Federal Housing Enterprise Oversight is adding part 1720 to subchapter 
C of 12 CFR chapter XVII to read as follows:

PART 1720--SAFETY AND SOUNDNESS

Sec.
1720.1  Authority.
1720.2  Safety and soundness standards.

Appendices

Appendix A to Part 1720--Policy Guidance; Minimum Safety and 
Soundness Requirements
Appendix B to Part 1720--Policy Guidance; Non-Mortgage Liquidity 
Investments
Appendix C to Part 1720--Policy Guidance; Safety and Soundness 
Standards for Information

    Authority: 12 U.S.C. 4513(a), 4513(b)(1), 4513(b)(5), 4517(a), 
4521(a)(2) through (3), 4631, 4632, and 4636.


Sec. 1720.1  Authority.

    (a) Authority. This part is issued by the Office of Federal Housing 
Enterprise Oversight (OFHEO) pursuant to sections 1313(a), 1313(b)(1), 
and 1313(b)(5) of the Federal Housing Enterprise Financial Safety and 
Soundness Act (Act) (12 U.S.C. 4513(a), 4513(b)(1), and 4513(b)(5)). 
These provisions of the Act authorize OFHEO to take any action deemed 
appropriate by the Director of OFHEO to ensure that the Federal 
National Mortgage Association and the Federal Home Loan Mortgage 
Corporation (the Enterprises) are operated in a safe and sound manner, 
including by adopting supervisory policies and standards by regulation, 
guidance, or other process.
    (b) Preservation of existing authority. No action by OFHEO 
undertaken with reference to a policy guidance or this regulation will 
in any way limit the authority of the Director otherwise to address 
unsafe or unsound conditions or practices, or other violations of law, 
rule or regulation. Action with reference to a policy guidance or this 
regulation may be taken separate from, in conjunction with, or in 
addition to any other supervisory response, enforcement action, or 
agency-imposed requirements deemed appropriate by OFHEO. Nothing in 
this regulation or any guidance issued by OFHEO limits the authority of 
the Director pursuant to section 1313 of the Act (12 U.S.C. 4513) or 
any other provision of law, rule or regulation applicable to the 
Enterprises.


Sec. 1720.2  Safety and soundness standards.

    Policy guidances as may be adopted from time to time by OFHEO, 
addressing safety and soundness standards, shall apply to the 
Enterprises. If OFHEO determines that an Enterprise does not meet a 
requirement set out in such policy guidance, it may require corrective 
or remedial actions by the Enterprise, and take such enforcement action 
as the Director deems to be appropriate.

Appendix A to Part 1720--Policy Guidance; Minimum Safety and Soundness 
Requirements

A--Background and Introduction

I. Background
II. Introduction

B--Operational and Managerial Requirements

I. Asset underwriting and credit quality.
II. Balance sheet growth and management.
III. Market risk.
IV. Information technology.
V. Internal controls.
VI. Audits.
VII. Information reporting and documentation.
VIII. Board and management responsibilities and function.
IX. Format of policies and procedures.

C--Compliance Plans

I. Notice; submission and review of compliance plan.
II. Failure to submit acceptable plan or to comply with plan.

A--Background and Introduction

    I. Background. The Federal Housing Enterprises Safety and 
Soundness Act of 1992, Title XIII of Pub. L. No. 102-550 (the Act) 
empowers OFHEO to take any such action as the Director determines to 
be appropriate to ensure that the federally sponsored housing 
enterprises, Fannie Mae and Freddie Mac, are, among other things, 
adequately capitalized and operating safely, including by adopting 
supervisory policies and standards by regulation or other guidance 
or process.
    i. OFHEO herein sets forth the minimum supervisory requirements 
used by the agency in reviewing, and ensuring, the adequacy of 
policies and procedures of the Enterprises in the areas of: (1) 
Asset underwriting and credit quality; (2) balance sheet growth; (3) 
market risks; (4) information technology; (5) internal controls; (6) 
audits; (7) information reporting and documentation; and (8) board 
and management responsibilities and functions. If the agency finds 
that an Enterprise fails to meet any requirement or standard set 
forth in this pronouncement, the Director may, among other things, 
require the Enterprise to submit to the agency and implement an 
adequate plan to achieve timely compliance with the requirement or 
standard. If the Enterprise fails to submit such an adequate plan 
within the time specified by the agency or fails in any material 
respect to implement the plan, the agency may take additional 
supervisory action. The Director may at any time prescribe such 
supervisory actions as deemed appropriate to correct conditions 
resulting from an unsafe or unsound practice or condition or 
deficiency in complying with regulatory requirements or standards 
including, but not limited to, issuance of a notice of charges or 
order, imposition of civil money penalties, or other remedial 
actions or sanctions as determined by the Director.
    ii. The minimum supervisory requirements and standards identify 
key safety and soundness concerns regarding operation and management 
of an 
Enterprise, and ensure that action is taken to avoid the emergence 
of problems that might entail serious risks to an Enterprise. The 
minimum supervisory requirements of the Policy Guidance also reflect 
the need for internal policies and procedures in particular areas 
that, if not appropriately addressed by the Enterprises, may warrant 
action by OFHEO in order to reduce risks of loss and possible 
capital impairment. The proposed minimum requirements set forth 
herein are intended to effect these purposes without dictating how 
the Enterprises must be operated and managed; moreover, the Policy 
Guidance does not set out detailed operational and managerial 
procedures that an Enterprise must have in place. The Policy 
Guidance is intended to identify the ends that proper operational 
and management policies and procedures are to achieve, while leaving 
the means to be devised by each Enterprise as it designs and 
implements its own policies and procedures. Where OFHEO does specify 
particular requirements, each Enterprise's management is left with 
substantial flexibility to fashion and implement them.
    iii. The Policy Guidance is not intended to effect a change in 
OFHEO's policies; the announced minimum requirements reflect the 
basic underlying criteria OFHEO uses to assess the operations and 
managerial quality of an Enterprise. OFHEO will determine compliance 
with the requirements and related standards through examinations of 
the Enterprises, as well as off-site surveillance means and other 
interchanges with each Enterprise.
    iv. OFHEO routinely undertakes to evaluate an Enterprise's 
overall policies, in order to determine whether such policies are 
safe and sound in principle and in practice. OFHEO also evaluates 
whether procedures are in place to ensure that an Enterprise's 
overall policies as adopted by the Enterprise's board of directors 
and management are, in fact, applied in the normal course of 
business. As reflected in the Policy Guidance, the Enterprises are, 
at a minimum, expected to adopt appropriate policies and internal 
guidelines, and to put in place procedures to ensure they are 
followed as a matter of routine.
    v. Nothing in the Policy Guidance in any way limits the 
authority of OFHEO to otherwise address unsafe or unsound conditions 
or practices, or violations of applicable law, regulation or 
supervisory order. Action referencing the Policy Guidance may be 
taken separate from, in conjunction with or in addition to any other 
enforcement action available to OFHEO. Compliance with the Policy 
Guidance in general would not preclude a finding by the agency that 
an Enterprise is otherwise engaged in a specific unsafe or unsound 
practice or is in an unsafe or unsound condition, or requiring 
corrective or remedial action with regard to such practice or 
condition. That is, supervisory action is not precluded against an 
Enterprise that has not been cited for a deficiency under the Policy 
Guidance. Conversely, an Enterprise's failure to comply with one of 
the supervisory requirements set forth in the Policy Guidance may 
not warrant a formal supervisory response from OFHEO, if the agency 
determines the matter may be otherwise addressed in a satisfactory 
manner. For example, OFHEO may require timely submission of a plan 
to achieve compliance with the particular requirement or standard 
without taking any other enforcement action.
    II. Introduction. i. Authority, purpose, and scope.
    a. Authority. This Policy Guidance is issued by the Office of 
Federal Housing Enterprise Oversight (OFHEO) pursuant to sections 
1313(a), 1313(b)(1), 1313(b)(5) and 1371 of the Federal Housing 
Enterprise Safety and Soundness Act (Act) (12 U.S.C. 4513(a), 
4513(b)(1), 4513(b)(5) and 4631). These provisions of the Act 
authorize OFHEO to take any action deemed appropriate by the 
Director of OFHEO to ensure that the Federal National Mortgage 
Association and the Federal Home Loan Mortgage Corporation (the 
Enterprises) are operated in a safe and sound manner, including by 
adopting supervisory policies and standards by regulation, guidance, 
or other process.
    b. Purpose and scope. This Policy Guidance sets out certain 
minimum safety and soundness requirements for the business and 
operations of the Enterprises, and reiterates agency policies 
requiring the Enterprises to establish and implement policies and 
procedures that are sufficient to effectuate compliance with 
supervisory standards. If OFHEO determines that an Enterprise does 
not meet the requirements set forth herein, the Director may require 
the Enterprise to submit and carry out a plan to achieve compliance, 
or may take other corrective and remedial actions. The requirements 
enumerated herein are supervisory minimums. In order to satisfy an 
Enterprise's overarching obligation under the Act to conduct its 
operations in a safe and sound manner, it may be necessary and 
appropriate for an Enterprise to take additional measures in these 
or other areas, as directed by OFHEO through regulation, guidance, 
order or otherwise as part of the supervisory process.
    ii. Preservation of existing authority. Neither this Policy 
Guidance nor any action by OFHEO to enforce compliance of an 
Enterprise therewith in any way limits the authority of the Director 
otherwise to address unsafe or unsound conditions or practices, or 
other violations of law or other regulation. Action under this 
Policy Guidance may be taken separate from, in conjunction with, or 
in addition to any other enforcement action deemed appropriate by 
OFHEO. Nothing in this Policy Guidance or related guidances limits 
the authority of the Director pursuant to section 1313 of the Act 
(12 U.S.C. 4513) or any other provision of law, rule or regulation 
applicable to the Enterprises.
    iii. Definitions. For purposes of this Policy Guidance, except 
as modified therein or unless the context otherwise requires, the 
terms used have the same meaning as set forth in section 1303 of the 
Act (12 U.S.C. 4502).

B--Operational and Managerial Requirements

    I. Asset underwriting and credit quality. An Enterprise should 
establish and implement policies and procedures to adequately assess 
credit risks before they are assumed, and monitor such risks 
subsequently to ensure that they conform to the Enterprise's credit 
risk standards on an individual and an aggregate basis. The 
Enterprise should:
    i. For loans purchased and loans collateralizing securities 
guaranteed by the Enterprise, adopt and implement prudent 
underwriting standards and procedures commensurate with the type of 
loan or loans and the markets in which the loan or loans were made 
that include consideration of the borrower's and any guarantor's 
financial condition and ability to repay as well as the type and 
value of any collateral or credit enhancement;
    ii. To the extent the Enterprise's assets are serviced or 
administered by other entities or are covered by mortgage insurance 
or other credit enhancements or arrangements, the Enterprise's 
policies and procedures should recognize the consequences and 
implications of such contractual arrangements for the Enterprise's 
credit risk;
    iii. Establish and implement policies and procedures to address 
declining credit quality and to require appropriate corrective 
action; to establish sufficient reserves; and to deal with defaulted 
assets so as to minimize losses;
    iv. Establish and implement policies and procedures to select 
and price credit risk to ensure that the Enterprise is appropriately 
compensated commensurate with the credit risk it assumes and its 
statutory obligations;
    v. Establish and implement policies and procedures that address 
the prudential selection, management and handling of counterparty 
credit exposure that arises from engaging in hedging activities and 
the use of derivative instruments; and
    vi. Establish and implement policies and procedures to identify, 
monitor and evaluate its credit exposures on an aggregate basis so 
as to assess the implications and consequences of matters such as 
concentration exposure (including geographic as well as product 
concentrations), to identify and evaluate credit risk trends 
effectively, and to maintain and revise appropriately its systems 
and procedures for underwriting, servicing, and monitoring of such 
exposures and changes to those exposures.
    II. Balance sheet growth and management. An Enterprise's balance 
sheet growth should be prudent and consider:
    i. The source, volatility, and use of funds that support balance 
sheet growth;
    ii. Any changes in credit risk or interest rate risk resulting 
from balance sheet growth;
    iii. The effect of balance sheet growth on the Enterprise's 
capital adequacy; and
    iv. The appropriate policies and procedures needed to manage 
changes in risk that may occur as a result of balance sheet growth.
    III. Market risk. An Enterprise should establish and implement 
policies and procedures that allow for the effective identification, 
measurement, monitoring, and management of market risk. The Enterprise 
should:
    i. Establish and implement policies and procedures sufficient to 
quantify and monitor the interest rate risk of the Enterprise 
effectively and to model the effect of differing interest rate 
scenarios on the Enterprise's financial condition and operations;
    ii. Develop risk management strategies that respond 
appropriately to changes in interest rates;
    iii. Establish and implement policies and procedures sufficient 
to quantify and monitor the Enterprise's liquidity effectively, and 
to identify and anticipate various market environments and their 
effects on the Enterprise's liquidity; and
    iv. Establish and maintain an effective contingency plan for 
liquidity under varying scenarios.
    IV. Information technology. An Enterprise should establish and 
implement policies and procedures to ensure that its computing 
resources, proprietary and nonpublic information and data are:
    i. Protected from access by unauthorized users, and otherwise 
protected by appropriate security measures;
    ii. Reliable, accurate and available at all times as needed for 
its business operations, including an ability to effect timely 
recovery and resume operations after a reasonably foreseeable 
adverse event; and
    iii. Designed to ensure adequate support of business operations.
    V. Internal controls. An Enterprise should maintain and 
implement internal controls appropriate to the nature, scope and 
risk of its business activities that, at a minimum, provide for:
    i. An organizational structure and assignment of responsibility 
for management, employees, consultants and contractors, that provide 
for accountability and controls, including adherence to policies and 
procedures;
    ii. A control framework commensurate with the Enterprise's 
risks;
    iii. Policies and procedures adequate to safeguard and to manage 
assets; and
    iv. Compliance with applicable laws, regulations and policies.
    VI. Audits. An Enterprise should establish and implement 
internal and external audit programs appropriate to the nature and 
scope of its business activities that, at a minimum, provide for:
    i. Adequate monitoring of internal controls through an audit 
function appropriate to the Enterprise's size, structure and scope 
of operations;
    ii. Independence of the audit function;
    iii. Qualified professionals and management for the conduct and 
review of audit functions;
    iv. Adequate testing and review of audited areas together with 
adequate documentation of findings and of any recommendations and 
corrective actions; and
    v. Verification and review of measures and actions undertaken to 
address identified material weaknesses.
    VII. Information reporting and documentation. An Enterprise 
should establish and implement policies and procedures for 
generating and retaining reports and documents that:
    i. Enable the Enterprise's board of directors (including 
appropriate committees) to make informed decisions and to exercise 
its oversight function, by providing all such relevant information 
of an appropriate level of detail as necessary;
    ii. Enable the Enterprise's managers to make informed business 
decisions and to assess risks for all aspects of the Enterprise's 
business on an ongoing basis, by providing sufficient relevant 
information of an appropriate level of detail as necessary;
    iii. Ensure decision-makers have appropriate and necessary 
information about particular transactions and business operations;
    iv. Enable the Enterprise to administer and supervise all 
assets, liabilities, commitments and other financial obligations 
appropriately;
    v. Enable the Enterprise to enforce legal claims against 
borrowers, counterparties and other obligors; and
    vi. Ensure timely and complete submissions of reports of 
financial condition and operations, as well as annual and other 
periodic reports and special reports to OFHEO whenever requested or 
required by OFHEO.
    VIII. Board and management responsibilities and function. An 
Enterprise's board of directors shall ensure that the board 
(including appropriate committees) works with executive management 
to establish the Enterprise's strategies and goals in an informed 
manner, and that the Enterprise's executive managers and other 
managers, as appropriate, implement such strategies, by ensuring at 
a minimum that:
    i. The board (including appropriate committees) oversees the 
development of the Enterprise's strategies in key areas and 
exercises oversight necessary to ensure that management sets 
policies and controls to implement such strategies effectively;
    ii. The board (including appropriate committees) hires qualified 
executive management, and exercises oversight to hold management 
accountable for meeting the Enterprise's goals and objectives;
    iii. The board (including appropriate committees) is provided 
with accurate information about the operations and financial 
condition of the Enterprise in a timely fashion, and sufficient to 
enable the board to effect its oversight duties and 
responsibilities;
    iv. Management of the Enterprise sets policies and controls to 
ensure the Enterprise's strategies are implemented effectively, and 
that the Enterprise's organization structure and assignment of 
responsibilities provide clear accountability and controls; and
    v. Management of the Enterprise establishes and maintains an 
effective risk management framework, including review of such 
framework to monitor its effectiveness and taking appropriate action 
to correct any weaknesses.
    IX. Format of policies and procedures. i. Generally, the 
policies of an Enterprise contemplated by this Policy Guidance 
should be in writing and in such form and detail as appropriate in 
light of their intended purpose, nature, and potential consequences 
for the operations and financial condition of the Enterprise, and 
approved by the board of directors (including appropriate 
committees) or such responsible officer or officers as designated by 
the board.
    ii. The policies and procedures of an Enterprise contemplated by 
this Policy Guidance should be provided to OFHEO at such time and in 
such format as OFHEO directs.

C--Compliance Plans

    I. Notice; submission and review of compliance plans. i. 
Determination. The Director of OFHEO may, based upon a report of 
examination, or other supervisory information however acquired, 
determine that an Enterprise has failed or is likely to fail to 
satisfy the minimum supervisory requirements or standards set forth 
in part B of this appendix.
    ii. Request for compliance plan. If the Director determines 
pursuant to paragraph C.I.i of this appendix that an Enterprise has 
failed or is likely to fail to satisfy a supervisory requirement or 
standard, OFHEO may require the submission of a written compliance 
plan.
    iii. Schedule for filing compliance plan. An Enterprise may be 
required to file a written compliance plan with OFHEO within thirty 
days of receiving a written request for a compliance plan pursuant 
to paragraph C.I.ii of this appendix.
    iv. Contents of plan. A required compliance plan should include, 
subject to additional direction by OFHEO, a detailed description of 
the steps the Enterprise will take to correct a deficiency and any 
condition resulting therefrom and the time within which such steps 
will be undertaken and fully implemented.
    v. Review of compliance plans. If the compliance plan submitted 
under this section is deemed to be inadequate or incomplete, OFHEO 
may provide written notice of such inadequacy or deficiencies 
thereof to the Enterprise or seek additional information from 
the Enterprise regarding the plan.
    vi. Amendment of compliance plan. An Enterprise that has filed a 
required compliance plan to which no objection has been raised by 
OFHEO may, after prior written notice to and approval by the 
Director, amend the plan to reflect changes in circumstance, 
policies and procedures.
    II. Failure to submit acceptable plan or to comply with plan. If 
an Enterprise does not submit an adequate and complete plan as 
required by the agency within the time specified by OFHEO or does 
not implement such an adequate and complete plan, the Director may 
require the Enterprise to correct any deficiency and may require 
additional corrective or remedial actions by the Enterprise as 
deemed to be appropriate pursuant to the Act, including sections 
1371 (12 U.S.C. 4631), 1372 (12 U.S.C. 4632), and 1376 (12 U.S.C. 
4636).

Appendix B to Part 1720--Policy Guidance; Non-Mortgage Liquidity 
Investments

A--Purpose
B--Activities Covered
C--Standards for Non-mortgage Liquidity Investment Activities

[[Page 55696]]

D--Disclosure of Non-mortgage Liquidity Investment Activities
E--Summary

A--Purpose

    1. Fannie Mae and Freddie Mac (the Enterprises) were chartered 
by Congress as government-sponsored enterprises with public 
missions. They perform an important role in the United States 
mortgage market by gathering funds and purchasing mortgages from 
mortgage originators and guaranteeing mortgage-backed securities. In 
chartering the Enterprises, Congress charged the Enterprises with: 
(1) providing stability to mortgage markets; (2) responding to the 
changing capital markets; (3) assisting the secondary markets 
including the support of these markets for affordable housing; and 
(4) promoting access to credit throughout the country by increasing 
liquidity and improving distribution of investment capital for 
residential mortgage finance. These functions require the 
Enterprises, as principals in the secondary mortgage market, to 
serve as bedrock in providing liquidity to the U.S. housing finance 
system.
    2. For the Enterprises effectively to perform their public 
purposes, they must be financially sound and liquid. As the 
Enterprises' financial safety and soundness regulator, OFHEO 
conducts its regulatory programs to ensure these companies adhere to 
safety and soundness standards. In addition, OFHEO interprets this 
role to include heightening the positive effect of market discipline on 
the Enterprises, since encouraging quality disclosures, appropriate 
accounting standards, and state-of-the-art risk management further 
strengthens their safety and soundness. More specifically, OFHEO 
conducts comprehensive safety and soundness examinations and 
requires the Enterprises to adhere to regulatory capital 
requirements. In conducting its regulatory programs, OFHEO applies a 
series of safety and soundness standards to assess the Enterprises' 
liquidity management, including their investments in non-mortgage 
liquidity assets. It is appropriate to issue initial guidance that 
addresses the safety and soundness standards OFHEO uses to evaluate 
Enterprise investment activities in non-mortgage liquidity assets.
    3. Further, it should be noted that the Secretary of HUD, who 
has general regulatory power over the Enterprises and who is 
required to make such rules and regulations as necessary to ensure 
that the purposes of the GSEs' respective Charter Acts are 
accomplished, has issued an Advance Notice of Proposed Rulemaking 
on possible substantive and/or procedural rules governing the GSEs' 
non-mortgage investment activities. Accordingly, the GSEs may be 
subject to regulations in this area through future HUD actions, in 
addition to this initial guidance.

B--Activities Covered

    1. The Enterprises must maintain sufficient liquidity to meet 
both known and unexpected payment demands on borrowings and mortgage 
securities, for operations and to purchase mortgage assets. 
Liquidity management is the process by which the Enterprises manage 
the use and availability of various funding sources to meet current 
and future needs. Liquidity must be closely managed on a daily 
basis.
    2. The Enterprises manage liquidity through three primary 
channels: securitizations, issuance of debt and conversion of liquid 
assets into cash. It is through careful management within and among 
the three channels, that the Enterprises can effectively meet 
demands and remain safe and sound under all market conditions. This 
Guidance specifically addresses ``non-mortgage liquidity 
investments'' which are conducted within the liquidity channel 
whereby the Enterprises are able to convert their own assets into 
cash.
    3. There are various types of investments that may be 
appropriate for non-mortgage liquidity holdings. Appropriate non-
mortgage liquidity investments are characterized by both 
creditworthiness and low price volatility. Even though an investment 
may be creditworthy, if the holding is subject to undue price 
volatility (e.g. common stock), the investment is inappropriate for 
inclusion in the non-mortgage liquidity portfolio since the 
investment may not be readily converted into cash without 
substantial loss.
    4. For the purposes of this Guidance, the types of assets listed 
below are generally considered to be appropriate non-mortgage 
liquidity investments. This list is subject to revision over time as 
new asset types are introduced and/or market activities change. The 
presence of an asset on the list does not mean that OFHEO will 
necessarily consider any and all Enterprise investments in these 
assets to be safe and sound, especially if they fail to meet 
appropriate credit quality, maturity and diversification objectives:
    a. Debt issued by the United States Treasury,
    b. Debt issued by U.S. Government Agencies,
    c. General obligation debt issued by states and municipal 
authorities,
    d. Revenue obligations issued by states and municipal 
authorities,
    e. Corporate debt instruments,
    f. Money market instruments,
    g. Non-mortgage asset-backed securities, and
    h. Reverse repurchase agreements.
    5. This Guidance does not address investments in mortgage-backed 
securities, mortgage revenue bonds, or other investments secured by 
housing (including commercial mortgage-backed securities with a 
significant housing component) since these assets are not 
principally held for liquidity purposes. Also, upon implementation 
of FAS 133, this Guidance is not intended to address the use of 
derivative instruments. For activities not covered in this Guidance 
on non-mortgage liquidity investments, there should be no inferences 
drawn about OFHEO's views.

C--Standards for Non-Mortgage Liquidity Investment Activities

    To ensure there are sufficient funds available to the mortgage 
market, the Enterprise must actively manage liquidity across all 
three channels. OFHEO assesses the safety and soundness of non-
mortgage liquidity investment activities against five criteria. The 
five criteria are:
    • Prudent investment policies and procedures that guide the 
Enterprise's process;
    • Quality management information that ensures timely performance 
measures and governance data;
    • Safe and sound investment holdings and investment culture;
    • Quality controls and personnel administering and governing the 
process; and
    • Independent testing of the process to assure compliance.

1. Prudent Investment Policies and Procedures That Guide the 
Enterprise's Process

    a. The Enterprise must have a comprehensive written investment 
policy that clearly expresses the goals for the non-mortgage 
liquidity investment activities. The Board of Directors and 
management must evaluate the effectiveness of non-mortgage liquidity 
investments in meeting the goals set out in the policy; and 
management must evaluate activities against the procedures and 
limitations in the policy. At a minimum, the policy should cover:
    i. The purpose of the non-mortgage liquidity investment 
holdings;
    ii. The institutional goal(s) for the non-mortgage liquidity 
investment holdings;
    iii. The authorized instruments and activities;
    iv. The internal control standards;
    v. The limits structure;
    vi. The performance standards and measures; and
    vii. The reporting requirements.
    b. The policy should clearly document the purpose for non-
mortgage liquidity investment holdings. Management should install a 
series of procedures and controls that produce behaviors and 
performance that are consistent with the defined purpose for the 
non-mortgage liquidity investment activities.
    c. The policy should establish the primary goals for the non-
mortgage liquidity investment activities. For an Enterprise, some 
primary goals should be to augment liquidity and to generate a rate 
of return that is reasonable in light of the purpose of such 
investments. The emphasis placed on individual goals may vary based 
upon institutional differences. However, non-mortgage liquidity 
investments made with a goal of maximizing earnings or maximizing 
arbitrage opportunities would be inconsistent with this Guidance for 
the maintenance of an Enterprise's liquidity portfolio.
    d. The policy should clearly define the authorized investment 
vehicles and establish guidelines for the introduction of new types 
of investment vehicles.
    e. The Enterprise's procedures should include a framework of 
controls that provide an appropriate separation of duties and 
responsibilities. There should be responsibility assigned for an 
independent review of non-mortgage liquidity investments by a 
designated unit, such as audit or an independent risk oversight 
group.

[[Page 55697]]

    f. The Enterprise should adopt a limit structure to promote 
diversification in the non-mortgage liquidity investment portfolio 
and emphasize strategies for risk mitigation. Additionally, there 
should be limits for the aggregate size of the non-mortgage 
liquidity investment portfolio.
    g. The Enterprise should adopt measures to evaluate performance 
against the policy and its objectives.
    h. The Enterprise should adopt internal reporting requirements 
that quantify performance, document exceptions, and serve as a basis 
for communicating information about activities involving non-
mortgage liquidity assets.
    i. The Enterprise should periodically evaluate the adequacy and 
content of its public disclosure for non-mortgage liquidity 
investment activities.

2. Quality Management Information That Ensures Timely Performance 
Measures and Governance Data

    a. The Enterprise must maintain systems that adequately 
identify, measure and report the nature and level of exposure 
associated with its non-mortgage liquidity investments. Management 
must remain appropriately informed about the activity in non-
mortgage liquidity investments. Also, the Board of Directors should 
periodically be provided a summary of non-mortgage liquidity 
investment activities. At a minimum, management's reports to the 
Board should:
    i. Summarize non-mortgage investment activity since the last 
report;
    ii. Identify and explain any material changes or trends in the 
non-mortgage liquidity investment portfolio risk and returns; and
    iii. Report and explain exceptions to the policy or risk 
guidelines for liquidity investments.
    b. Meaningful changes in portfolio volume and spreads from 
period to period should be identified and explained to the Board in 
terms of why they occurred (e.g., changes in portfolio composition, 
changes in funding costs, etc.). In overseeing the day-to-day 
management of non-mortgage liquidity investment activities, 
management should consider the discrete risks associated with the 
non-mortgage liquidity investment portfolio as well as the exposure 
of this portfolio within the context of risks across the entire 
Enterprise. This includes assessing the non-mortgage liquidity 
investment portfolio's sensitivity to changes in interest rates, 
expressed in terms of net interest income sensitivity and portfolio 
value sensitivity.

3. Safe and Sound Investment Holdings and Investment Culture

    a. The Enterprise should implement and enforce policies and/or 
procedures for non-mortgage liquidity investments. Management should 
establish limits and procedures in a manner that is consistent with 
the Board's sanctioned goals and risk appetite. Certain risk-limits 
for non-mortgage liquidity investments may be expressed in terms of 
how they affect the Enterprise's overall risk-profile, such as those 
pertaining to interest-rate sensitivity. Other risk limits may be 
more appropriately expressed in terms of individual portfolios and 
instruments. In addition, limits restricting the size-range and 
scope of the non-mortgage liquidity investment activities should be 
established.
    b. The limits and procedures should delineate the acceptable 
investment instruments, acceptable markets, acceptable 
counterparties, along with unacceptable investment or portfolio 
activities. The Enterprise should maintain sufficient documentation 
to demonstrate due diligence in adhering to policies, procedures, 
limits and guidelines.
    c. At a minimum, limits should be established and reviewed 
annually, for:
    i. Credit threshold guidelines: Credit quality is a compelling 
factor for liquidity investments. Since liquidity investments should 
be able to be readily converted into cash without substantial 
exposure to losses, investments should be insulated from price 
vulnerabilities that are associated with creditworthiness. The most 
effective means of insulating against price exposure from credit 
quality concerns is to invest in high-quality instruments and the 
debt obligations of high-quality issuers. The Enterprise should 
establish thresholds identifying the minimum credit standards of any 
security eligible for purchase. Where these standards involve credit 
ratings, the ratings should come from a nationally recognized rating 
organization. Procedures should be included that determine the steps 
to be taken by management if an instrument's credit rating falls 
below the minimum threshold before maturity.
    ii. Maturity guidelines: Because the maturity of an investment 
significantly affects its exposure to credit risk and price 
volatility, longer maturity instruments have limited suitability as 
liquidity investments. The Enterprise should establish the maximum 
maturity allowable for non-mortgage liquidity investments. It would 
be appropriate to have different maturity limits for certain types 
of instruments. For example, management may wish to establish 
shorter maturity limits for fixed-coupon instruments than for 
adjustable-rate securities. Management may have different maturity 
limits for bullet securities and amortizing structures. It would be 
appropriate to establish a maturity matrix based upon an 
instrument's credit rating at the time of purchase.
    iii. Diversification and concentration guidelines: Credit 
concentrations can increase credit risk. Accordingly, the Enterprise 
should establish guidelines that limit investments in the securities 
of any single issuer. Such limits may be established as a percentage 
limit (e.g., as a percentage of capital) or as an absolute dollar 
amount. To enhance portfolio liquidity, there should also be a limit 
on the percentage of any particular issue held by the Enterprise.

4. Quality Controls and Personnel Administering and Governing the 
Process

    a. The Enterprise should maintain a comprehensive set of 
controls to enforce the appropriate separation of duties and 
responsibilities. These controls should translate into clear 
procedures for routine operations. At a minimum, the internal 
control program for non-mortgage liquidity investment activities 
should include procedures for the following: portfolio valuation, 
personnel, settlement, physical control and documentation, conflict 
of interest, and accounting.
    i. Portfolio valuation procedures. Portfolio valuation 
procedures should require pricing that is independent of the 
investment portfolio managers. Pricing securities provides an 
indication of the market depth and liquidity for individual 
instruments, and is an important process for providing data to the 
risk management function, particularly within a framework of 
estimating market value sensitivity. Pricing is particularly 
important for securities that are classified as ``available-for-
sale'' for accounting purposes.
    ii. Personnel guidelines. Personnel guidelines should require 
competent and experienced staff be responsible for conducting 
transactions and managing the non-mortgage investment portfolio. 
There should be clear guidance regarding the roles and 
responsibilities of individuals involved with the non-mortgage 
liquidity portfolio.
    iii. Settlement practices. Procedures should cover standard 
settlement practices for the various types of non-mortgage liquidity 
investments in the Enterprise's portfolio. Inadequate understanding 
of standard settlement practices, coupled with poor internal 
controls, could result in unnecessary costs or losses.
    iv. Control and documentation. Procedures covering control and 
documentation should be comprehensive and consistent with the 
evolving better practices in the marketplace. The procedures should 
include, for example, standards for: processing and controlling 
purchased instruments, safeguarding investment documentation and 
reviewing trade tickets and confirmations.
    v. Conflict of interest. Conflict of interest guidelines should 
govern all Enterprise personnel authorized to purchase or sell non-
mortgage liquidity investments. These guidelines should ensure that 
all directors, officers and employees act in the Enterprise's best 
interest. Conflict of interest guidelines should address employee 
relationships with authorized broker/dealers. Guidelines should also 
address personnel accepting gifts and travel expenses from broker/
dealers.
    vi. Accounting. Accounting practices should be evaluated to 
determine the level of compliance with GAAP standards.

5. Independent Testing and Review of the Process to Assure Compliance

    a. An independent review of non-mortgage liquidity investment 
activities should be conducted periodically to ensure:
    i. The accuracy and integrity of information provided to the 
Board, management and other oversight bodies;
    ii. The adherence to policy, procedures, limits and guidelines;
    iii. The timeliness, accuracy and usefulness of non-mortgage 
investment reports;
    iv. The adequacy of personnel resources and capabilities; and
    v. The non-mortgage liquidity investment activities remain 
appropriate in the context of the marketplace and the external 
environment.

[[Page 55698]]

    b. This review may be conducted by a risk oversight unit or 
internal audit department, or any party that is independent of the 
routine risk-taking decisions and should be commensurate with the 
level of review of other primary Enterprise activities. Independent 
review findings for non-mortgage liquidity investments should be 
reported to the Board directly or through one of its committees. The 
Board should consider the independent review when reaffirming 
policies, and should address any issues raised.

D--Disclosure of Non-Mortgage Liquidity Investment Activities

    1. Sound risk management practices include thorough disclosures 
about the Enterprise's risks, and such disclosures further regulators' 
efforts to increase financial transparency for regulated financial 
companies. 
Quality disclosures about risks and risk management can be an 
effective deterrent to excessive risk-taking. Three essential 
elements needed to promote market discipline for non-mortgage 
liquidity investments are (1) type of issuer and security, (2) 
maturity, and (3) credit quality or rating. Accordingly, quality 
disclosure for a portfolio of non-mortgage liquidity investments 
should include a detailed categorization of the portfolio with 
respect to each of these elements and cross-categorization, so that 
(for example) the quantity of any longer-maturity, lower-credit-
quality assets is clearly identified. Information about fair values; 
yields; and narrative discussions of objectives, risk management 
policies, and controls can also promote transparency of risk and 
should be included. Such disclosures should be made quarterly, and 
they should be made using average balances so that average risks can 
be assessed--not just the risks on a given date.
    2. Over the next few quarters, OFHEO will discuss more 
specifically with the Enterprise how these disclosures will meet the 
expectations expressed in this guidance. An example of a disclosure 
format that may be used by the Enterprise is available on the OFHEO 
Web site at http://www.ofheo.gov. However, the Enterprise may 
disclose the risks in its non-mortgage liquidity investment 
activities, consistent with the expectations expressed in this 
guidance, using a format of its choice.

E--Summary

    This Guidance sets forth OFHEO's process for evaluating the 
safety and soundness of non-mortgage liquidity investment 
activities. OFHEO remains committed to ensuring the Enterprises 
remain financially sound, have appropriate control environments, and 
engage only in financially sound business and investment activities. 
OFHEO's examiners have been instructed to incorporate this 
evaluation process into their ongoing safety and soundness 
examinations. Examiners will evaluate and test the Enterprise's non-
mortgage liquidity investment processes and activities to ensure 
they are in compliance with this guidance.

Appendix C to Part 1720--Policy Guidance; Safety and Soundness 
Standards for Information

A--Introduction

1. Scope.
2. Preservation of Existing Authority.
3. Definitions.

B--Safety and Soundness Standards for Information

1. Information Security Program.
2. Objectives.

C--Development and Implementation of Information Security Program

1. Involve the Board of Directors.
2. Assess Risk.
3. Manage and Control Risk.
4. Oversee Service Provider Arrangements.
5. Adjust the Program.
6. Report to the Board.
7. Implementation.

A--Introduction

    The Policy Guidance on Safety and Soundness Standards for 
Information sets forth standards pursuant to section 1313 of the 
Federal Housing Enterprise Safety and Soundness Act (12 U.S.C. 
4513). The Guidance addresses standards for developing and 
implementing administrative, technical, and physical safeguards to 
protect the security, confidentiality, and integrity of information.
    1. Scope. The Guidance applies to information maintained by or 
on behalf of the Federal National Mortgage Association (Fannie Mae) 
and the Federal Home Loan Mortgage Corporation (Freddie Mac) 
(collectively, the Enterprises).
    2. Preservation of Existing Authority. Nothing in the Guidance 
in any way limits the authority of OFHEO to otherwise address unsafe 
or unsound conditions or practices or violations of applicable law, 
regulation or supervisory order. Action referencing the Policy 
Guidance may be taken separate from, in conjunction with or in 
addition to any other enforcement action available to OFHEO. 
Compliance with the Policy Guidance in general would not preclude a 
finding by the agency that an Enterprise is otherwise engaged in a 
specific unsafe or unsound practice or is in an unsafe or unsound 
condition, or requiring corrective or remedial action with regard to 
such practice or condition. That is, supervisory action is not 
precluded against an Enterprise that has not been cited for a 
deficiency under the Policy Guidance. Conversely, an Enterprise's 
failure to comply with one of the supervisory requirements set forth 
in the Policy Guidance may not warrant a formal supervisory response 
from OFHEO, if the agency determines the matter may be otherwise 
addressed in a satisfactory manner. For example, OFHEO may require 
the submission of a plan to achieve compliance with the particular 
requirement or standard without taking any other enforcement action.
    3. Definitions. For purposes of the Guidance, the following 
definitions apply:
    a. Information means any record of an Enterprise, whether in 
paper, electronic, or other form, that is handled or maintained by 
or on behalf of an Enterprise;
    b. Information security program means the administrative, 
technical, or physical safeguards used by an Enterprise to access, 
collect, process, store, use, transmit, dispose of, or otherwise 
handle information;
    c. Information systems means any methods used to access, 
collect, store, use, transmit, protect, or dispose of information;
    d. Service provider means any person or entity, including any 
third party vendor, that maintains, processes or otherwise is 
permitted access to information through its provision of services 
directly or indirectly to an Enterprise.

B--Safety and Soundness Standards For Information

    1. Information Security Program. Each Enterprise shall implement 
a comprehensive written information security program that includes 
administrative, technical, and physical safeguards appropriate to 
the nature and scope of its activities. While not all parts of the 
Enterprise are required to implement a uniform set of policies, all 
elements of the information security program must be coordinated.
    2. Objectives. An Enterprise's information security program 
shall be designed to:
    a. Ensure the security and confidentiality of information;
    b. Protect against any anticipated threats or hazards to the 
security or integrity of such information; and
    c. Protect against unauthorized access to or use of such 
information.

C--Development and Implementation of Information Security Program

    1. Involve the Board of Directors. The board of directors or an 
appropriate committee of the board of each Enterprise shall:
    a. Approve the Enterprise's written information security 
program; and
    b. Oversee the development, implementation, and maintenance of 
the Enterprise's information security program, including assigning 
specific responsibility for its implementation and reviewing reports 
from management.
    2. Assess Risk. Each Enterprise shall:
    a. Identify reasonably foreseeable internal and external threats 
that could result in unauthorized disclosure, misuse, alteration, or 
destruction of information or information systems;
    b. Assess the likelihood and potential damage of these threats, 
taking into consideration the sensitivity of nonpublic information; 
and
    c. Assess the sufficiency of policies, procedures, information 
systems, and other arrangements in place to control risks.
    3. Manage and Control Risk. Each Enterprise shall:
    a. Design its information security program to manage and control 
the identified risks, commensurate with the sensitivity of the 
information as well as the complexity and scope of the Enterprise's 
activities. Each Enterprise should consider whether the following 
security measures are appropriate for the Enterprise and, if so, 
adopt those measures the Enterprise concludes are appropriate:

[[Page 55699]]

    i. Access controls over information systems, including controls 
to authenticate and permit access only to authorized individuals and 
controls to prevent employees from providing information to 
unauthorized individuals who may seek to obtain this information 
through fraudulent means;
    ii. Access restrictions at physical locations containing 
information, such as buildings, computer facilities, and records 
storage facilities to permit access only to authorized individuals;
    iii. Encryption of electronic information, including while in 
transit or in storage on networks or systems to which unauthorized 
individuals may have access;
    iv. Procedures designed to ensure that information system 
modifications are consistent with the Enterprise's information 
security program;
    v. Dual control procedures, segregation of duties, and employee 
background checks for employees with responsibilities for or access 
to information;
    vi. Monitoring systems and procedures to detect actual and 
attempted attacks on or intrusion into information systems;
    vii. Response programs that specify actions to be taken when the 
Enterprise suspects or detects that unauthorized individuals have 
gained access to information systems, including appropriate reports 
to regulatory and law enforcement agencies; and
    viii. Measures to protect against destruction, loss or damage of 
information due to potential environmental hazards, such as fire and 
water damage or technological failures.
    b. Train staff to implement the Enterprise's information 
security program; and
    c. Regularly test the key controls, systems and procedures of 
the information security program. The frequency and nature of such 
tests should be determined by the Enterprise's risk assessment. 
Tests should be conducted or reviewed by independent third parties 
or staff that are independent of those that develop or maintain the 
security programs.
    4. Oversee Service Provider Arrangements. Each Enterprise shall:
    a. Exercise appropriate due diligence in selecting its service 
providers;
    b. Require its service providers by contract to implement 
appropriate measures designed to meet the objectives of the 
Guidance; and
    c. Where indicated by the Enterprise's risk assessment, monitor 
its service providers to confirm that they have satisfied their 
obligations as required by paragraph C.4.b of this appendix. As part 
of this monitoring, 
an Enterprise should review audits, summaries of test results, or 
other equivalent evaluations of its service providers.
    5. Adjust the Program. Each Enterprise shall monitor, evaluate, 
and adjust, as appropriate, the information security program in 
light of any relevant changes in technology, the sensitivity of its 
information, internal or external threats to information, and the 
Enterprise's own changing business arrangements, such as 
acquisitions, alliances and joint ventures, outsourcing 
arrangements, and changes to information systems.
    6. Report to the Board. Each Enterprise shall report to its 
board or an appropriate committee of the board at least annually. 
This report should describe the overall status of the information 
security program and the Enterprise's compliance with the Guidance. 
The reports should discuss material matters related to its program, 
addressing issues such as: risk assessment; risk management and 
control decisions; service provider arrangements; results of 
testing; security breaches or violations and management's responses; 
and recommendations for changes in the information security program.
    7. Implementation. a. Each Enterprise should implement an 
information security program pursuant to the Guidance.
    b. Until January 1, 2004, a contract that an Enterprise has 
entered into with a service provider to perform services for it or 
functions on its behalf satisfies the provisions of paragraph C.4 of 
this appendix, even if the contract does not include a requirement 
that the service provider 
maintain the security and confidentiality of information, as long as 
the Enterprise entered into the contract on or before the effective 
date.

    Dated: August 20, 2002.
Armando Falcon, Jr.,
Director, Office of Federal Housing Enterprise Oversight.
[FR Doc. 02-21780 Filed 8-29-02; 8:45 am]
BILLING CODE 4220-01-U