The Federal Housing Finance Agency (FHFA) will increase its oversight of fourth parties – companies that contract with firms doing business with Fannie Mae and Freddie Mac.
The FHFA is also considering beefing up its fourth-party oversight guidance for Fannie Mae and Freddie Mac. To that end, in 2022, it will monitor trends in fourth-party risk management, and evaluate Fannie Mae and Freddie Mac’s exposure to fourth parties, according to a report the FHFA Inspector General issued at the end of June.
The report said that fourth parties are an area of growing concern for both the regulator and the GSEs. Overseeing those fourth parties poses a challenge, however, since in most cases the enterprises do not have a direct relationship with them. There are exceptions for some firms, like Amazon Web Services, because they are both third and fourth parties.
Fourth-party relationships pose a greater risk in light of recent cybersecurity breaches, the agency watchdog wrote. For the FHFA, the pandemic “demonstrated the fragility of the supply chain and raised awareness of fourth-party risk,” the report said.
In one cybersecurity breach, an example Fannie Mae also highlighted in a quarterly filing, a foreign threat actor in 2019 infiltrated the networks of a U.S.-based company. A file containing malicious code was later “unwittingly released” to SolarWinds customers, via software updates.
For the FHFA and the government-sponsored entities, oversight of fourth parties is difficult not only because of their indirect relationship with the enterprises, but because there are so many potential fourth parties. The GSEs both focus scrutiny on the fourth parties they believe to be higher-risk, but they often rely on secondhand information to make that determination.
Fannie Mae has, and Freddie Mac is developing, a list of “material fourth parties,” including those that have access to confidential information. For Fannie Mae, large subservicers fit that bill, and they also have direct relationships with the enterprises. Fannie Mae said it can monitor subservicers in the same way it monitors servicers.
FHFA and Freddie Mac did not immediately respond to requests for comment. Fannie Mae declined to comment.
Fannie Mae and Freddie Mac both told the FHFA watchdog that they rely on information from third parties about their oversight of fourth parties. The GSEs might not know where a fourth party is located, its controls, or what kind of oversight the third-party provider has, the report said.
But the GSEs do have some oversight mechanisms for fourth parties, through their relationship with third parties. During contract negotiations, for example, the enterprises can include provisions for subcontractor oversight. The GSEs may also conduct due diligence and monitoring of the third-party risk management programs of their third parties.
In some cases, third parties must get enterprise approval before engaging with fourth parties. In Fannie Mae’s standard contract, third parties must inform it of new subcontractors. For subcontractors that provide services that are part of the contract with Fannie Mae, the enterprise can use its authority to “review” the new subcontractors. But GSE approval is not needed for other fourth parties.
Freddie Mac told the FHFA Inspector General that it also reserves the right to approve subcontractors and “material fourth parties,” and requires that third parties notify it of new subcontractors. But Freddie Mac does not seek to approve those fourth parties, according to the report.
The FHFA IG, an agency independent of the FHFA, has been raising awareness about third-party risk for years. Last year, the IG found that from 2014 to 2020, FHFA did not conduct any targeted exams of Fannie Mae’s third-party risk management program.
The agency has repeatedly argued for Congress to give it statutory authority to directly examine third-party service providers. In February, the FHFA also floated the idea of examining nonbank servicers in its draft four-year strategic plan. After industry pushback, the language was left out of the final version of the plan.