Group of professionals discuss finance

Breaking news and expert analysis on legal and compliance issues

[Back To Home][Back To Archives]

From Banking and Finance Law Daily, August 16, 2018

FHFA releases advisory bulletins on cloud computing, seller/servicer relationships

By Nicole D. Prysby, J.D.

The Federal Housing Finance Agency (FHFA) has released two advisory bulletins, one related to cloud-computing risk management and the other related to the oversight of multifamily seller/servicer relationships.

The cloud-computing bulletin (AB 2018-04: "Cloud Computing Risk Management") provides guidance to Fannie Mae, Freddie Mac, the Federal Home Loan Banks, and the Office of Finance (collectively, the regulated entities) on assessing and managing risks associated with third-party cloud providers. The FHFA expects each regulated entity to appropriately manage its cloud computing risks as part of its enterprise-wide risk management program. An evaluation of the level of risk should include the classification of the data hosted at the cloud provider, the criticality of the services provided, service and deployment models used, and other risks associated with engaging a third-party cloud provider. It may be a stand-alone risk management program or be subsumed into another program. The key requirements for the program are:

  • Governance. The Board of Directors and senior management should provide oversight and ensure periodic updates to policies, based on the regulated entity’s planned cloud usage.
  • Third-party cloud provider management. Regulated entities should perform a due diligence assessment providers, institute service agreements, and provide ongoing monitoring.
  • Information security. The classification of the data should drive the security requirements for cloud data. Regulated entities should update incident response plans to cover incidents arising from use of cloud providers.
  • Business continuity cloud provider management. Using a cloud provider for disaster recovery does not relieve the regulated entity of its business continuity responsibilities; testing of a business continuity plan should include the cloud services and regulated entities should consider the risk of using the same cloud provider for multiple critical services.

The second advisory bulletin (AB 2018-05: "Oversight of Multifamily Seller/Servicer Relationships") communicates to the Enterprises the FHFA’s supervisory expectations to maintain the safety and soundness of their operations by effectively managing multifamily Seller/Servicer relationships. Multifamily loans have more complicated servicing requirements than single family loans and are originated and serviced through a limited network of Seller/Servicers. A risk management framework that includes risks related to the multifamily Seller/Services is necessary to ensure compliance with Enterprise guidelines. The risk management framework for multifamily Seller/Servicers should include:

  • Selection. The Enterprises should perform due diligence based on financial risk factors, operational risk factors, and legal/compliance/reputation risk factors.
  • Ongoing monitoring. Seller/Servicers should be subject to ongoing monitoring, taking into account loan volume and other factors specific to each Seller/Servicer’s risk profile.
  • Corrective action. Each Enterprise should have a process for taking timely remedial action to exercise contractual rights for termination, suspension, or restriction of activities with a Seller/Servicer.

Companies: Fannie Mae; Freddie Mac

MainStory: TopStory CyberPrivacyFeed FinancialStability GovernmentSponsoredEnterprises Loans Mortgages Privacy

Back to Top

Banking and Finance Law Daily

Introducing Wolters Kluwer Banking and Finance Law Daily — a daily reporting service created by attorneys, for attorneys — providing same-day coverage of breaking news, court decisions, legislation, and regulatory activity.


A complete daily report of the news that affects your world

  • View full summaries of federal and state court decisions.
  • Access full text of legislative and regulatory developments.
  • Customize your daily email by topic and/or jurisdiction.
  • Search archives for stories of interest.

Not just news — the right news

  • Get expert analysis written by subject matter specialists—created by attorneys for attorneys.
  • Track law firms and organizations in the headlines with our new “Who’s in the News” feature.
  • Promote your firm with our new reprint policy.

24/7 access for a 24/7 world

  • Forward information with special copyright permissions, encouraging collaboration between counsel and colleagues.
  • Save time with mobile apps for your BlackBerry, iPhone, iPad, Android, or Kindle.
  • Access all links from any mobile device without being prompted for user name and password.