Part 2: What to Expect from a Fannie Mae Audit
Breaking down the regulatory requirements of Fannie Mae risk management priorities.
Hi, I'm Nicole, your friendly regulatory compliance counsel. Ncontracts asked me to do a brief video series on Fannie Mae's requirements for business continuity, audit and management controls, and management of vendors and other third-party service providers.
This video covers what to expect from a Fannie Mae audit and what they expect you to have in place for your BCP, your own internal audit and management controls, and your vendor oversight.
I've mentioned this before, but Fannie Mae conducts regular reviews to evaluate their sellers and servicers compliance with guidelines and assess operational risks. Fannie Mae selects organizations for review on a quarterly and annual basis and provides advanced notice to the organization prior to scheduling the review. The lifecycle of a review runs approximately 110 days from beginning to end reviews are conducted over two days and Fannie Mae will determine whether to meet on site or at your location or via telephone.
The review team usually sends a comprehensive list of required documentation they require. The documents will include but are not limited to, requests for copies of policies, procedures, reports, and loan files. A key component of your review is process evaluation. They also refer to this as testing, which consists of reviews of your policy, procedures, reports, and file-level testing. The objective is Fannie Mae wants to validate a adherence to their requirements and assess your operational capabilities. The process areas review includes a category Fannie Mae calls "organization overview and shared processes." This category consists of five audit areas, enterprise risk management, change management, people management, technology, and business continuity and disaster recovery, and vendor management. So, this is where BCP, internal audits, and vendor management fall into. This one category.
All reviews result in a final assessment report. that includes the findings, applicable corrective actions, any recommendations based on the results of your testing, and you will receive a final report that compiles all this together and gives you your final rating.
There are three final ratings an institution can receive. Acceptable, needs improvement, or unsatisfactory. It goes without saying, you don't want to receive an unsatisfactory rating, and you can almost guarantee yourself receiving one if you don't have concrete BCP and disaster recovery procedures in place, if you don't show that you're testing those procedures, and if you don't have internal audit processing and you have a lack of vendor oversight, if they come and audit you and you don't have that, you can basically, you know, close the door on the casket. So you don't want to get a satisfactory rating. That's one reason why having these plans and procedures in place are so important.
Once you receive your final report, you'll review it, take any corrective actions they ask for, may do an action plan, and begin the remediation process if there's anything for you to remediate.
Some common negative findings cited by Fannie Mae for risk, and self-assessments were business continuity and disaster recovery — that the seller servicer does not maintain a comprehensive written PCP and disaster recovery plan. And that the seller servicer does not regulate test the BCP and disaster recovery plans.
Subscribe to the Nsight Blog to get notified of new webinars!
Millions of risks. Multiple solutions.
One trusted source.
“I’ve gotten back weeks of productivity that I can use in other areas within our business. It’s a big timesaver. The cool thing about it is what work I do in there actually transfers through all the other modules we own and use.”
“We already had strong risk management in place. We didn’t need a system to teach us that. We needed a system that could work with our existing approach. For us, it was all about automation and customization.”
“When you pick a partner yes, there’s software and what it brings to the table, but also what resources do they have as far as knowledge as far as subject matter experts and professional services that you can leverage to strengthen your team and your position and do so in a way that lets you run as lean as you need to for your organization.”
“My advice for financial institutions thinking about Ncontracts is to go ahead and do it. It’s one of the best softwares that we have used, and it’s all encompassing. It gets all departments together on one system.”
Ncommunity
Case Study
First Financial Bank
Nrisk
Case Study
Montecito Bank & Trust
Nvendor
Case Study
$800+ Million Credit Union
Nvendor
Case Study
CBC Federal Credit Union
$16 Billion Bank Relieves the Burden of CRA Data Analytics with Ncommunity
- Heather Montgomery, First Financial bank Community Development Analyst
Learn how Ncontracts helps First Financial:
- Configure risk assessments
- Optimize the risk appetite/risk mitigation practices
- Reduce internal costs and time through collaboration
- Manage the vendor lifecycle
Efficient, Customizable Risk Management
- James Jefferson, Chief Risk Officer, Montecito Bank & Trust
Learn how Ncontracts helps Montecito Bank:
- Hold fewer meetings
- See risk in real time
- Ease exam prep
- Minimize headcount
- Simplify reporting
Showing Examiners the Work
Nvendor Is This Internal Audit Director’s Scalable Secret Weapon for Vendor Management
"This is the fifth financial institution I’ve used Nvendor at since 2010…Nvendor is seamless, customizable, and scalable. If I’m going to build a vendor management program, this is what I need. quot;
- Internal Audit Director, $800+ Million Credit Union
Learn how Ncontracts helps this credit union:
- Increase vendor visibility
- Improve reporting
- Save thousands by eliminating unwanted autorenewals
- Prevent a repeat regulatory writeup
- Decrease management workload
Showing Examiners the Work
"Being able to create all the reporting with the same data across the different modules within the Ncontracts suite makes the whole experience so much easier for me to administer and present to the board and executive leadership team."
- Tim Rademaker, VP of Enterprise Risk Management
Learn how Ncontracts helps CBC:
- Spend dramatically less time on reporting
- Reduce full-time headcount
- Cut down on administrative tasks
- Improve business case analysis
- Create risk management culture