Banking and Finance Law Daily FHFA describes business recovery plans required for its agencies
Wednesday, May 8, 2019

FHFA describes business recovery plans required for its agencies

Richard A. Roth, J.D.

The FHFA has replaced its 2002 disaster recovery planning guidance with a new Advisory Bulletin that tells the GSEs, Office of Finance, and Federal Home Loan Banks how they are expected to prepare for business disruptions from a broad variety of sources, both natural and nefarious.

The Federal Housing Finance Agency has issued a new Advisory Bulletin, “Business Resiliency Management,” that outlines for Fannie Mae, Freddie Mac, the Federal Home Loan Banks, and the Office of Finance how the agency wants them to create programs that will enable them to carry out critical functions in the event of a business disruption. According to the FHFA, such a program must have three elements: a business continuity plan, a disaster recovery plan, and a crisis management plan (AB 2019-01).

The FHFA notes that “natural disasters, pandemics, and cyberattacks” all can cause harm to a financial institution's ability to perform necessary functions.

Plans. Business continuity plans (BCPs) are to be written plans explaining how institutions will “recover, resume, and maintain business functions and their underlying processes at acceptable predefined levels” after a disruption. Disaster recovery plans (DRPs) are the process for recovering and resuming an institution's information technology infrastructure, business applications, and data services. Crisis management plans (CMPs) outline the institution's responses to a disruption, including activating its BCP and DRP.

Program requirements. In general, an institution's program should align with its enterprise-wide risk management program, the FHFA begins. The program should be based on “a cyclical, process-oriented approach” that includes:

  • risk assessment and business impact analysis;
  • risk mitigation;
  • testing; and
  • risk monitoring.

An institution's board of directors is to review and approve the program annually and oversee management's implementation of the program. Senior management is to execute the plan.

Program development. The first step in developing a plan is a risk analysis, according to the FHFA. This includes performing a business impact analysis that prioritizes the institution's business and functions and identifies technical assets that must be recovered. This analysis helps the institution designate the maximum tolerable level of data loss and the maximum permissible downtime.

Determining these parameters allows the institution to create recovery solutions that meet its needs, the FHFA says. The guidance offers suggestions on the effectiveness of several recovery strategies.

MainStory: TopStory BankingFinance FedTracker GovernmentSponsoredEnterprises Mortgages

Back to Top

Interested in submitting an article?

Submit your information to us today!

Learn More
Banking and Finance Law Daily

Banking and Finance Law Daily: Breaking legal news at your fingertips

Sign up today for your free trial to this daily reporting service created by attorneys, for attorneys. Stay up to date on banking and finance legal matters with same-day coverage of breaking news, court decisions, legislation, and regulatory activity with easy access through email or mobile app.

Free Trial Learn More