Banking and Finance Law Daily
Thursday, August 13, 2020

FHFA Inspector General reports on Enterprises’ monitoring of third-party cloud service providers

By Nicole D. Prysby, J.D.

The white paper examines the monitoring procedures used by Fannie Mae and Freddie Mac.

The Federal Housing Finance Agency Inspector General (FHFA IG) has issued a white paper examining monitoring procedures used by Fannie Mae and Freddie Mac for third-party cloud service providers. Previously, the FHFA IG found that the FHFA lacked the authority to regulate parties that provide services to the Enterprises and identified third-party oversight as a top risk. The Aug. 12, 2020, white paper (WPR-2020-005), which is the latest in a series of reports examining risk management at the Enterprises, looks at the Enterprises’ monitoring procedures for third-party cloud service providers, pursuant to a 2018 FHFA Advisory Bulletin, "Oversight of Third-Party Provider Relationships," which provided guidance to Fannie Mae and Freddie Mac on assessing and managing risks associated with third-party provider relationships (see Banking and Finance Law Daily, Oct. 1, 2018).

Previously, in the fall of 2019, the FHFA IG identified four management and performance issues that could affect the FHFA’s ability to do its job. One of those issues was the FHFA’s oversight of cybersecurity at the Enterprises (see Banking and Finance Law Daily, Nov. 1, 2019). In March 2020, the FHFA IG released a white paper examining Fannie Mae and Freddie Mac’s third-party risk management programs for the first two phases of the risk management life cycle—risk assessment and due diligence in third-party provider selection—for financial technology companies. That white paper, "Enterprise Third-Party Relationships: Risk Assessment and Due Diligence in Vendor Selection," found that the FHFA lacked the authority to regulate parties that provide services to the Enterprises and identified third-party oversight as a top risk (see Banking and Finance Law Daily, March 13, 2020).

Fannie Mae. Fannie Mae’s internal Third-Party Risk Management Standard (TPRM Standard) establishes the framework for its approach to managing third-party risk. The risk profile rates each third party as high, medium, low, or not applicable risk. The highest-risk third parties are assigned to risk category one and the lowest-risk third parties are assigned to risk category five. Fannie Mae focuses most of its risk management activities on the top two risk categories. About half of Fannie Mae’s cloud providers fall into one of the top two risk categories. Two groups are responsible for monitoring its cloud service providers: Procurement monitors the risk and controls, and the business unit that procures the cloud services monitors performance and Service Level Agreements.

A monitoring activity may involve reviews and tests to verify the cloud service provider’s operational controls. For such cases, Procurement may request verification of a current independent audit and that no significant operational deficiencies were noted in that audit. Certain cloud providers may also be referred to Fannie Mae’s information security group for re-assessments of whether the appropriate cloud and security controls are maintained. Procurement is responsible for documenting findings identified during monitoring, action plans to remediate the findings, status of remediation, and evidence of remediation. Under the TPRM Standard, risk profiles and monitoring procedures for cloud providers in the top two risk categories are required to be updated on at least an annual basis. The TPRM Standard also includes a requirement that the standard be reviewed and approved on an annual basis.

Freddie Mac. Freddie Mac’s Enterprise Operations and Technology Risk team manages the Vendor Risk Standard, which establishes high-level, minimum requirements for how Enterprise divisions should manage risk with third-party suppliers, including cloud providers. Freddie Mac is currently undergoing an enterprise-wide transition of its third-party program. The Information Technology division serves as the first line for managing cloud service provider relationships. Currently, specific monitoring procedures for cloud providers follow a decentralized model in which a designated "contract owner" establishes procedures at a contract level. As part of the Enterprise’s third-party program transformation, Freddie Mac is transitioning its monitoring procedures from contract-based to division level.

Freddie Mac assesses risk with cloud providers on a high, medium, or low basis. In general, the contract owner establishes and monitors the cloud provider’s service-level agreements based on the assessed risk. Cloud providers are "reassessed on a periodic basis." The contract owner is also responsible for identifying, remediating, monitoring, and reporting issues concerning the cloud service provider. The contract owner must execute these activities in accordance with Freddie Mac’s Issue Management Standard. Enterprise Operations and Technology Risk is responsible for escalating issues that exceed the Enterprise’s risk limits.
