Banking and Finance Law Daily FHFA releases advisory bulletins on cloud computing, seller/servicer relationships
Thursday, August 16, 2018

FHFA releases advisory bulletins on cloud computing, seller/servicer relationships

By Nicole D. Prysby, J.D.

The Federal Housing Finance Agency (FHFA) has released two advisory bulletins, one related to cloud-computing risk management and the other related to the oversight of multifamily seller/servicer relationships.

The cloud-computing bulletin (AB 2018-04: "Cloud Computing Risk Management") provides guidance to Fannie Mae, Freddie Mac, the Federal Home Loan Banks, and the Office of Finance (collectively, the regulated entities) on assessing and managing risks associated with third-party cloud providers. The FHFA expects each regulated entity to appropriately manage its cloud computing risks as part of its enterprise-wide risk management program. An evaluation of the level of risk should include the classification of the data hosted at the cloud provider, the criticality of the services provided, service and deployment models used, and other risks associated with engaging a third-party cloud provider. It may be a stand-alone risk management program or be subsumed into another program. The key requirements for the program are:

  • Governance. The Board of Directors and senior management should provide oversight and ensure periodic updates to policies, based on the regulated entity’s planned cloud usage.
  • Third-party cloud provider management. Regulated entities should perform a due diligence assessment providers, institute service agreements, and provide ongoing monitoring.
  • Information security. The classification of the data should drive the security requirements for cloud data. Regulated entities should update incident response plans to cover incidents arising from use of cloud providers.
  • Business continuity cloud provider management. Using a cloud provider for disaster recovery does not relieve the regulated entity of its business continuity responsibilities; testing of a business continuity plan should include the cloud services and regulated entities should consider the risk of using the same cloud provider for multiple critical services.

The second advisory bulletin (AB 2018-05: "Oversight of Multifamily Seller/Servicer Relationships") communicates to the Enterprises the FHFA’s supervisory expectations to maintain the safety and soundness of their operations by effectively managing multifamily Seller/Servicer relationships. Multifamily loans have more complicated servicing requirements than single family loans and are originated and serviced through a limited network of Seller/Servicers. A risk management framework that includes risks related to the multifamily Seller/Services is necessary to ensure compliance with Enterprise guidelines. The risk management framework for multifamily Seller/Servicers should include:

  • Selection. The Enterprises should perform due diligence based on financial risk factors, operational risk factors, and legal/compliance/reputation risk factors.
  • Ongoing monitoring. Seller/Servicers should be subject to ongoing monitoring, taking into account loan volume and other factors specific to each Seller/Servicer’s risk profile.
  • Corrective action. Each Enterprise should have a process for taking timely remedial action to exercise contractual rights for termination, suspension, or restriction of activities with a Seller/Servicer.

Companies: Fannie Mae; Freddie Mac

MainStory: TopStory CyberPrivacyFeed FinancialStability GovernmentSponsoredEnterprises Loans Mortgages Privacy

Back to Top

Interested in submitting an article?

Submit your information to us today!

Learn More

Banking and Finance Law Daily: Breaking legal news at your fingertips

Sign up today for your free trial to this daily reporting service created by attorneys, for attorneys. Stay up to date on banking and finance legal matters with same-day coverage of breaking news, court decisions, legislation, and regulatory activity with easy access through email or mobile app.