Fannie Mae Seller Requirement Series

Part 2: What to Expect from a Fannie Mae Audit

Breaking down the regulatory requirements of Fannie Mae risk management priorities.

Hi, I'm Nicole, your friendly regulatory compliance counsel. Ncontracts asked me to do a brief video series on Fannie Mae's requirements for business continuity, audit and management controls, and management of vendors and other third-party service providers.

This video covers what to expect from a Fannie Mae audit and what they expect you to have in place for your BCP, your own internal audit and management controls, and your vendor oversight. 

I've mentioned this before, but Fannie Mae conducts regular reviews to evaluate their sellers' and servicers' compliance with guidelines and assess operational risks. Fannie Mae selects organizations for review on a quarterly and annual basis and provides advance notice to the organization prior to scheduling the review. The lifecycle of a review runs approximately 110 days from beginning to end. Reviews are conducted over two days, and Fannie Mae will determine whether to meet on site or at your location or via telephone.

The review team usually sends a comprehensive list of documentation they require. The documents will include, but are not limited to, requests for copies of policies, procedures, reports, and loan files. A key component of your review is process evaluation. They also refer to this as testing, which consists of reviews of your policy, procedures, reports, and file-level testing. The objective is that Fannie Mae wants to validate adherence to their requirements and assess your operational capabilities. The process areas review includes a category Fannie Mae calls "organization overview and shared processes." This category consists of five audit areas: enterprise risk management, change management, people management, technology, and business continuity and disaster recovery, and vendor management. So, this is where BCP, internal audits, and vendor management fall: into this one category.

All reviews result in a final assessment report that includes the findings, applicable corrective actions, and any recommendations based on the results of your testing, and you will receive a final report that compiles all this together and gives you your final rating.

There are three final ratings an institution can receive: acceptable, needs improvement, or unsatisfactory. It goes without saying, you don't want to receive an unsatisfactory rating, and you can almost guarantee yourself receiving one if you don't have concrete BCP and disaster recovery procedures in place, if you don't show that you're testing those procedures, and if you don't have internal audit processing and you have a lack of vendor oversight. If they come and audit you and you don't have that, you can basically, you know, close the door on the casket. So you don't want to get a satisfactory rating. That's one reason why having these plans and procedures in place is so important.

Once you receive your final report, you'll review it, take any corrective actions they ask for, may do an action plan, and begin the remediation process if there's anything for you to remediate.

Some common negative findings cited by Fannie Mae for risk and self-assessments were in business continuity and disaster recovery: that the seller/servicer does not maintain a comprehensive written BCP and disaster recovery plan, and that the seller/servicer does not regularly test the BCP and disaster recovery plans.
