AGENCY:

Federal Housing Finance Agency.

ACTION:

Final rule.

SUMMARY:

The Federal Housing Finance Agency (FHFA) is amending its prudential management and operations standards rule (rule) to clarify that procedural requirements for corrective plans apply to prudential management and operations standards (Standards) established as regulations as well as guidelines, and to make the Office of Finance of the Federal Home Loan Bank System (OF) subject to the rule and some of the existing Standards in the appendix to the rule.

DATES:

This rule is effective February 20, 2024.

FOR FURTHER INFORMATION CONTACT:

Clinton Jones, General Counsel, (202) 649–3006, Clinton.Jones@fhfa.gov; or Francisco Medina, Assistant General Counsel, (202) 649–3076, Francisco.Medina@fhfa.gov. These are not toll-free numbers. The mailing address is: Federal Housing Finance Agency, 400 Seventh Street SW, Washington, DC 20219. For TTY/TRS users with hearing and speech disabilities, dial 711 and ask to be connected to any of the contact numbers above.

SUPPLEMENTARY INFORMATION:

I. Introduction

A. Background

The Federal Housing Enterprises Financial Safety and Soundness Act (the Safety and Soundness Act) requires the Director of FHFA to establish Standards that address ten subjects relating to the management and operation of the regulated entities, authorizes the Director to establish other Standards in addition to those on the ten listed subjects, and authorizes the Director to establish Standards by regulation or guideline.^[1] The Safety and Soundness Act also addresses FHFA corrective actions if a regulated entity fails to comply with a Standard and requires FHFA to establish some procedures for corrective actions by regulation.^[2] FHFA currently implements these requirements through a procedural rule, 12 CFR part 1236, and Standards that FHFA has established as guidelines set forth in an appendix to the rule, as well as Standards established as regulations or as parts of regulations.^[3]

The current rule and initial Standards, all of which were established as guidelines, were promulgated in 2012. Because FHFA did not then identify any regulations as Standards, the current rule addresses only Standards established as guidelines, which could imply that Standards FHFA has since established as regulations are not covered by the rule's procedures. Neither the current rule nor any Standards apply to OF.

B. Overview of Proposed Amendments to the Rule

On May 4, 2023, FHFA proposed to amend part 1236 to reflect the scope of FHFA's statutory authority to establish Standards as regulations as well as guidelines, and to clarify that the rule's procedural aspects related to corrective actions that may result from failure to comply with a Standard apply equally to Standards established as guidelines or as regulations.^[4] FHFA also proposed to follow a notice-and-comment process to establish Standards as guidelines or to make material modifications of such Standards, and reaffirmed its intention to locate Standards established as guidelines in the appendix to the rule.

FHFA further proposed to amend the rule and the appendix to part 1236 so that OF would be subject to the rule and certain Standards. The Standards FHFA proposed to apply to OF are the General Responsibilities of the Board of Directors and Senior Management, and Standards 1, 2, 8, and 10. Standard 1 addresses “Internal Controls and Information Systems.” Standard 2 addresses “Independence and Adequacy of Internal Audit Systems.” Standard 8 addresses “Overall Risk Management Processes.” Standard 10 addresses “Maintenance of Adequate Records.”

Consistent with the foregoing changes, FHFA also proposed to revise and clarify definitions and make conforming changes to part 1236 and its appendix.

II. Discussion of Comments and Agency Response

A. Overview of Comments Received

FHFA received two comments on its proposed amendments to the rule: one from the Council of Federal Home Loan Banks (Council) and one from the Federal Home Loan Mortgage Corporation (Freddie Mac). The Council commented on the proposed amendments to apply the rule and identified Standards to OF and on the applicability of notice-and-comment rulemaking to the establishment of Standards by guideline. Freddie Mac also commented on the applicability of notice-and-comment rulemaking to the revision or revocation of Standards that had been established by guideline. After carefully reviewing and considering the comments, FHFA has determined to issue the final rule as it was proposed.

B. Applying the Rule and Identified Standards to OF

The Council observed that OF is not a “regulated entity” as defined in the Safety and Soundness Act and is therefore not explicitly subject to section 4513b, which applies to regulated entities. The Council nonetheless noted that FHFA has express general regulatory authority over OF under 12 U.S.C. 4511(b)(2), as FHFA also noted in its proposal, which provides a statutory basis for FHFA to apply the rule and identified Standards to OF. The Council suggested FHFA clarify its authority regarding OF in the rule. FHFA observes that the rule's authority provision already references 12 U.S.C. 4511; on that basis, further clarification of FHFA's authority is not necessary.

The Council asked that FHFA identify the specific purposes of section 4513b Start Printed Page 3538 that would be served by subjecting OF to the rule and Standards. As the Council noted in its letter, however, OF “is an integral component of the FHLBank System.” OF is the fiscal agent for the Federal Home Loan Bank System, through which the Banks issue consolidated obligations of the System in the public capital markets. OF's role and the activities OF performs for the Banks require OF to have appropriate governance, adequate internal controls and information systems, appropriate risk management, and adequate records maintenance. For those reasons, applying the rule and identified Standards to OF would further the purposes of section 4513b in the same manner that subjecting the Banks to the rule and Standards does.

The Council also requested that FHFA specify “the matters that are not relevant” to OF for purposes of compliance with the identified Standards and raised concerns about potential conflicts between existing regulations and the Standards in the appendix. FHFA notes that its proposal particularly specified the Standards and portions of Standards that would apply to OF; in other words, the proposed amendments specified the matters that are relevant to OF. Moreover, the current version of the rule and the proposed amendments to the rule both specify that in the case of a conflict between a Standard and a regulation, “the regulation shall control.” ^[5]

Finally, the Council requested that FHFA establish an implementation timeframe for OF to comply with the rule and identified Standards. FHFA expects that the interim between publication of the final rule and its effective date will provide OF sufficient time either to come into compliance with the identified Standards or to engage with appropriate FHFA supervision staff on a reasonable timeframe to come into compliance with an identified Standard.

C. Notice-and-Comment Procedures and Standards Established by Guidelines

The Council and Freddie Mac both offered comments on the applicability of notice-and-comment rulemaking to Standards established by guidelines. The current version of the rule provides that the Director may “modify, revoke, or add to the Standards” established by guidelines “by order or notice,” ^[6] consistent with FHFA's authority to issue guidance without going through notice-and-comment rulemaking.^[7]

Based on FHFA's past practice of establishing Standards as guidelines and because FHFA has determined to continue locating all Standards established as guidelines in the appendix to the rule, which would require a Federal Register notice, FHFA proposed amending the rule to require FHFA to provide public notice of and seek public comment on any Standard it planned to establish as a guideline or any material modification to any Standard established as a guideline.^[8] FHFA proposed to retain the right to revoke any Standard established as a guideline at any time by order or notice, as provided in the current version of the rule.

The Council noted that guidance setting forth FHFA's supervisory expectations is not subject to the notice-and-comment rulemaking requirements of the Administrative Procedure Act (APA) and expressed its appreciation for FHFA's proposal to use a notice-and-comment process for Standards FHFA planned to establish by guideline. The Council asked FHFA to clarify whether it would use existing or new advisory bulletins to establish Standards without going through notice-and-comment.

As FHFA explained in the preamble to the proposed amendments, the rule as amended will now require FHFA to establish Standards that are guidelines through a Federal Register notice-and-comment process and to locate all Standards established as guidelines in the appendix to part 1236.^[9] Those procedural requirements would preclude FHFA from using existing or new advisory bulletins to establish Standards as guidelines (although they would permit FHFA to re-cast an advisory bulletin as a Standard following a notice-and-comment process).

Freddie Mac requested that FHFA revoke or modify Standards established as guidelines through a notice-and-comment process in the same way that FHFA proposed to establish such Standards. Freddie Mac suggested that Standards established through the notice-and-comment process are “legislative rules” subject to the APA even if they were established as guidelines; thus, such Standards must be modified or revoked in accordance with procedures for “legislative rules.”

Without opining on whether Standards established as guidelines, using a notice-and-comment process, are “legislative rules,” FHFA has already committed to using a notice-and-comment process when establishing a Standard as a guideline and making any material modification to such a Standard. As it did when promulgating the rule, FHFA again observes that section 4513b authorizes and distinguishes between Standards established as regulations and as guidelines and that the APA does not require guidance to be promulgated through a notice-and-comment process. As a practical matter, however, FHFA also observes that removing a Standard from the appendix to the rule will require a Federal Register notice, which creates the opportunity to request public comment on revocation. FHFA anticipates requesting public comment on revocation in appropriate circumstances, balancing the public interest in application of the Standard and considering other relevant, applicable, regulatory requirements or guidance, with more immediate reduction of any burden imposed by a Standard (or a provision of a Standard) that FHFA has determined is unnecessary.

III. Differences Between Banks and Enterprises

Section 1313(f) of the Safety and Soundness Act (12 U.S.C. 4513(f)), as amended by section 1201 of the Housing and Economic Recovery Act of 2008, requires the Director, when promulgating regulations relating to the Banks, to consider the differences between the Banks and the Enterprises with respect to the Banks' cooperative ownership structure; mission of providing liquidity to members; affordable housing and community development mission; capital structure; and joint and several liability. The Director may also consider any other Start Printed Page 3539 differences that are deemed appropriate. In preparing this final rule, the Director considered the differences between the Banks (including OF) and the Enterprises as they relate to the above factors and determined that the rule is appropriate.

IV. Regulatory Analyses

A. Paperwork Reduction Act

The final rule does not contain any information collection requirement that would require the approval of the Office of Management and Budget (OMB) under the Paperwork Reduction Act (44 U.S.C. 3501 et seq.). Therefore, FHFA has not submitted any information to OMB for review.

B. Regulatory Flexibility Act

The Regulatory Flexibility Act (5 U.S.C. 601 et seq.) requires that a regulation that has a significant economic impact on a substantial number of small entities, small businesses, or small organizations must include an initial regulatory flexibility analysis describing the regulation's impact on small entities. Such an analysis need not be undertaken if the agency has certified that the regulation will not have a significant economic impact on a substantial number of small entities. 5 U.S.C. 605(b). FHFA has considered the impact of the final rule under the Regulatory Flexibility Act and FHFA certifies that this final rule will not have a significant economic impact on a substantial number of small entities because the regulation applies only to the regulated entities and OF, which are not small entities for purposes of the Regulatory Flexibility Act.

C. Congressional Review Act

In accordance with the Congressional Review Act (5 U.S.C. 801 et seq.), FHFA has determined that this final rule is not a major rule and has verified this determination with the Office of Information and Regulatory Affairs of OMB.

List of Subjects in 12 CFR Part 1236

• Administrative practice and procedure
• Federal home loan banks
• Government-sponsored enterprises
• Office of Finance
• Prudential Management and Operations Standards
• Reporting and recordkeeping requirements

Accordingly, for the reasons stated in the Preamble, FHFA amends part 1236 of chapter XII of title 12 of the Code of Federal Regulations as follows:

PART 1236—PRUDENTIAL MANAGEMENT AND OPERATIONS STANDARDS

1. The authority citation for part 1236 continues to read as follows:

Authority: 12 U.S.C. 4511, 4513(a) and (f), 4513b, and 4526.

2. Revise § 1236.1 to read as follows:

3. Revise § 1236.2 introductory text, remove the definition of “Standards”, and add the definition of “Standard(s)” to read as follows:

4. Revise § 1236.3 to read as follows:

5. Revise § 1236.4 to read as follows:

6. Amend § 1236.5 by revising the introductory text to paragraph (a), paragraph (a)(6), the introductory text to paragraph (c)(1), paragraphs (c)(1)(i), (c)(2) through (4), paragraph (d), and the introductory text to paragraph (e) to read as follows:

7. Amend the appendix to part 1236 by:

a. Revising the introductory text to the appendix;

b. Revising the introductory text and paragraphs 1 through 8 and 10 under the undesignated heading “General Responsibilities of the Board of Directors and Senior Management”;

c. In Standard 1, revising paragraphs 1, 4 through 14, and 16;

d. In Standard 2, revising paragraphs 1, 3, 5 through 7, and 11;

e. In Standard 8, revising paragraphs 1 through 3 and 7 through 12; and Start Printed Page 3541

f. Revising Standard 10.

The revisions read as follows:

Appendix to Part 1236—Prudential Management and Operations Standards

The following provisions constitute the prudential management and operations standards established as guidelines pursuant to 12 U.S.C. 4513b(a). The General Responsibilities of the Board of Directors and Standards 1, 2, 8, and 10 apply to the Office of Finance as appropriate.

General Responsibilities of the Board of Directors and Senior Management

The following provisions address the general responsibilities of the boards of directors and senior management of the regulated entities as they relate to the matters addressed by each of the Standards, and the general responsibilities of the board of directors and senior management of the Office of Finance to the extent a particular Standard is applicable to the Office of Finance. The descriptions are not a comprehensive listing of the responsibilities of either the boards or senior management, each of whom have additional duties and responsibilities to those described in these Standards.

Responsibilities of the Board of Directors

1. With respect to the subject matter addressed by each applicable Standard, the board of directors of each regulated entity and of the Office of Finance is responsible for adopting business strategies and policies that are appropriate for the particular subject matter. The board should review all such strategies and policies periodically. It should review and approve all major strategies and policies at least annually and make any revisions that are necessary to ensure that such strategies and policies remain consistent with the overall business plan of the entity or the Office of Finance.

2. The board of directors is responsible for overseeing management of the regulated entity or the Office of Finance, which includes ensuring that management includes personnel who are appropriately trained and competent to oversee the operation of the regulated entity and the Office of Finance as it relates to the functions and requirements addressed by each applicable Standard, and that management implements the policies set forth by the board.

3. The board of directors is responsible for remaining informed about the operations and condition of the regulated entity or the Office of Finance, including operating consistently with the applicable Standards, and senior management's implementation of the strategies and policies established by the board of directors.

4. The board of directors must remain sufficiently informed about the nature and level of the regulated overall risk exposures of the entity or the Office of Finance, including, as applicable, market, credit, operational, and counterparty risk, so that it can understand the possible short- and long-term effects of those exposures on the financial health of the regulated entity, including the possible short- and long-term consequences, as applicable, to earnings, liquidity, and economic value. The board of directors should: establish the risk tolerances of the regulated entity or the Office of Finance and provide management with clear guidance regarding the level of acceptable risks; review the entire risk management framework of the regulated entity or the Office of Finance, including policies and entity-wide risk limits at least annually; oversee the adequacy of the actions taken by senior management to identify, measure, manage, and control the risk exposures of the regulated entity or the Office of Finance; and ensure that management takes appropriate corrective measures whenever risk limit violations or breaches occur.

Responsibilities of Senior Management

5. With respect to the subject matter addressed by each applicable Standard, senior management is responsible for developing the policies, procedures and practices that are necessary to implement the business strategies and policies adopted by the board of directors. Senior management should ensure that such items are clearly written, sufficiently detailed, and are followed by all personnel. Senior management also should ensure that the regulated entity or the Office of Finance has personnel who are appropriately trained and competent to carry out their respective functions and that all delegated responsibilities are performed.

6. Senior management should ensure that the regulated entity or the Office of Finance has adequate resources, systems, and controls available to execute effectively the business strategies, policies, and procedures of the entity or the Office of Finance, including operating consistently with each of the applicable Standards.

7. Senior management should provide the board of directors with periodic reports relating to the condition and performance of the regulated entity or the Office of Finance, including the subject matter addressed by each of the applicable Standards, that are sufficiently detailed to allow the board of directors to remain fully informed about the business of the regulated entity or the Office of Finance.

8. Senior management should regularly review and discuss with the board of directors information regarding the risk exposures of the regulated entity or the Office of Finance that is sufficient in detail and timeliness to permit the board of directors to understand and assess the performance of management in identifying and managing the various risks to which the regulated entity or the Office of Finance is exposed.

Responsibilities of the Board of Directors and Senior Management

10. The board of directors and senior management should ensure that the overall risk profile of the regulated entity or the Office of Finance is aligned with its mission objectives.

Standard 1—Internal Controls and Information Systems

Responsibilities of the Board of Directors

1. Regarding internal controls and information systems, the board of directors of each regulated entity and the Office of Finance should adopt appropriate policies, ensure personnel are appropriately trained and competent, approve and periodically review overall business strategies, approve the organizational structure, and assess the adequacy of senior management's oversight of this function.

Framework

4. Each regulated entity and the Office of Finance should have an adequate and effective system of internal controls, which should include a board approved organizational structure that clearly assigns responsibilities, authority, and reporting relationships, and establishes an appropriate segregation of duties that ensures that personnel are not assigned conflicting responsibilities.

5. Each regulated entity and the Office of Finance should establish appropriate internal control policies and should monitor the adequacy and effectiveness of its internal controls and information systems on an ongoing basis through a formal self-assessment process.

6. Each regulated entity and the Office of Finance should have an organizational culture that emphasizes and demonstrates to personnel at all levels the importance of internal controls.

7. Each regulated entity and the Office of Finance should address promptly any violations, findings, weaknesses, deficiencies, and other issues in need of remediation relating to the internal control systems.

Risk Recognition and Assessment

8. Each regulated entity and the Office of Finance should have an effective risk assessment process that ensures that management recognizes and continually assesses all material risks, including credit risk, market risk, interest rate risk, liquidity risk, and operational risk.

Control Activities and Segregation of Duties

9. Each regulated entity and the Office of Finance should have an effective internal control system that defines control activities at every business level.

10. The control activities of each regulated entity and the Office of Finance should include:

a. Board of directors and senior management reviews of progress toward goals and objectives;

b. Appropriate activity controls for each business unit;

c. Physical controls to protect property and other assets and limit access to property and systems;

d. Procedures for monitoring compliance with exposure limits and follow-up on non-compliance;

e. A system of approvals and authorizations for transactions over certain limits; and

f. A system for verification and reconciliation of transactions.

Information and Communication

11. Each regulated entity and the Office of Finance should have information systems Start Printed Page 3542 that provide relevant, accurate and timely information and data.

12. Each regulated entity and the Office of Finance should have secure information systems that are supported by adequate contingency arrangements.

13. Each regulated entity and the Office of Finance should have effective channels of communication to ensure that all personnel understand and adhere to policies and procedures affecting their duties and responsibilities.

Monitoring Activities and Correcting Deficiencies

14. Each regulated entity and the Office of Finance should monitor the overall effectiveness of its internal controls and key risks on an ongoing basis and ensure that business units and internal and external audit conduct periodic evaluations.

Applicable Laws, Regulations, and Policies

16. Each regulated entity and the Office of Finance should comply with all applicable laws, regulations, and supervisory guidance ( e.g., advisory bulletins) governing internal controls and information systems.

Standard 2—Independence and Adequacy of Internal Audit Systems

Audit Committee

1. The board of directors of each regulated entity and the Office of Finance should have an audit committee that exercises proper oversight and adopts appropriate policies and procedures designed to ensure the independence of the internal audit function. The audit committee should ensure that the internal audit department includes personnel who are appropriately trained and competent to oversee the internal audit function.

3. The audit committee of the board of directors is responsible for monitoring and evaluating the effectiveness of the internal audit function of each regulated entity and the Office of Finance.

Internal Audit Function

5. Each regulated entity and the Office of Finance should have an internal audit function that provides for adequate testing of the system of internal controls.

6. Each regulated entity and the Office of Finance should have an independent and objective internal audit department that reports directly to the audit committee of the board of directors.

7. The internal audit department of each regulated entity and the Office of Finance should be adequately staffed with properly trained and competent personnel.

Applicable Laws, Regulations, and Policies

11. Each regulated entity and the Office of Finance should comply with applicable laws, regulations, and supervisory guidance ( e.g., advisory bulletins) governing the independence and adequacy of internal audit systems.

Standard 8—Overall Risk Management Processes

Responsibilities of the Board of Directors

1. Regarding overall risk management processes, the board of directors is responsible for overseeing the process, ensuring senior management are appropriately trained and competent, ensuring processes are in place to identify, manage, monitor and control risk exposures (this function may be delegated to a board appointed committee), approving all major risk limits, and ensuring incentive compensation measures for senior management capture a full range of risks to the regulated entity or the Office of Finance.

Responsibilities of the Board and Senior Management

2. Regarding overall risk management processes, the board of directors and senior management should establish and sustain a culture that promotes effective risk management. This culture includes timely, accurate and informative risk reports, alignment of the overall risk profile of the regulated entity or the Office of Finance with its mission objectives, and the annual review of comprehensive self-assessments of material risks.

Independent Risk Management Function

3. A regulated entity or the Office of Finance should have an independent risk management function, or unit, with responsibility for risk measurement and risk monitoring, including monitoring and enforcement of risk limits.

Risk Measurement, Monitoring, and Control

7. Each regulated entity and the Office of Finance should measure, monitor, and control its overall risk exposures, reviewing, as applicable, market, credit, liquidity, and operational risk exposures on both a business unit (or business segment) and enterprise-wide basis.

8. Each regulated entity and the Office of Finance should have the risk management systems to generate, at an appropriate frequency, the information needed to manage risk. As applicable, such systems should include systems for market, credit, operational, and liquidity risk analysis, asset and liability management, regulatory reporting, and performance measurement.

9. Each regulated entity and the Office of Finance should have a comprehensive set of risk limits and monitoring procedures to ensure that risk exposures remain within established risk limits, and a mechanism for reporting violations and breaches of risk limits to senior management and the board of directors.

10. Each regulated entity and the Office of Finance should ensure that it has sufficient controls around risk measurement models to ensure the completeness, accuracy, and timeliness of risk information.

11. Each regulated entity and the Office of Finance should have adequate and well-tested disaster recovery and business resumption plans for all major systems and have remote facilitates to limit the impact of disruptive events.

Applicable Laws, Regulations, and Policies

12. As applicable, each regulated entity and the Office of Finance should comply with all applicable laws, regulations, and supervisory guidance ( e.g., advisory bulletins) governing the management of risk.

Standard 10—Maintenance of Adequate Records

1. Each regulated entity and the Office of Finance should maintain financial records in compliance with Generally Accepted Accounting Principles (GAAP), FHFA guidelines, and applicable laws and regulations.

2. Each regulated entity and the Office of Finance should ensure that assets are safeguarded and financial and operational information is timely and reliable.

3. Each regulated entity and the Office of Finance should have a records retention program consistent with laws and corporate policies, including accounting policies, as well as personnel that are appropriately trained and competent to oversee and implement the records management plan.

4. Each regulated entity and the Office of Finance, with oversight from its board of directors, should conduct a review and approval of the records retention program and records retention schedule for all types of records at least once every two years.

5. Each regulated entity and the Office of Finance should ensure that reporting errors are detected and corrected in a timely manner.

6. Each regulated entity and the Office of Finance should comply with all applicable laws, regulations, and supervisory guidance ( e.g., advisory bulletins) governing the maintenance of adequate records.

Footnotes