Reports & Testimonies

  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.


  • Have a Question about a Recommendation?

    • For questions about a specific recommendation, contact the person or office listed with the recommendation.
    • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.

    Results:

    Subject Term: "Federal deposit insurance"

    11 publications with a total of 52 open recommendations including 2 priority recommendations
    Director: J. Lawrence Malenich
    Phone: (202) 512-9399

    7 open recommendations
    Recommendation: To help ensure that agencies' civil monetary penalties are adjusted timely and keep pace with inflation, the Acting Administrator of the General Services Administration (GSA) should publish the initial catch-up inflation adjustment in the Federal Register.

    Agency: General Services Administration
    Status: Open

    Comments: GSA agreed with our recommendation and stated that it is developing a comprehensive plan to address the recommendation. GSA also stated that its projected time frame for publishing the catch-up inflation adjustment ruling is the end of October 2017, after completing the review and concurrence process.
    Recommendation: To help ensure that agencies' civil monetary penalties are adjusted timely and keep pace with inflation, the Acting Chairman of the National Transportation Safety Board (NTSB) should publish the initial catch-up inflation adjustment in the Federal Register.

    Agency: National Transportation Safety Board
    Status: Open

    Comments: In an e-mail commenting on our draft report, the Governmental Affairs Liaison at NTSB stated that NTSB plans to publish the initial catch-up inflation adjustment in October 2017.
    Recommendation: To help ensure that agencies' civil monetary penalties are adjusted timely and keep pace with inflation, the Secretary of Agriculture (USDA) should publish the initial catch-up inflation adjustment in the Federal Register.

    Agency: Department of Agriculture
    Status: Open

    Comments: In response to our request for comments on our draft report and recommendation to USDA, the Attorney-Advisor in the Office of General Counsel at USDA stated in an e-mail that USDA did not have any comments.
    Recommendation: To help ensure timely and complete reporting of agencies' civil monetary penalty information in agency financial reports (AFR) and to provide the Office of Management and Budget (OMB) and other decision makers with the information needed to help ensure the effectiveness of civil monetary penalties in enforcing statutes and preventing violations, the Chairman of the Federal Election Commission (FEC) should publish civil monetary penalties within its jurisdiction, including any penalty adjustments, in FEC's 2017 AFR.

    Agency: Federal Election Commission
    Status: Open

    Comments: In response to our request for comments on our draft report and recommendation to FEC, the Director of Congressional, Legislative and Intergovernmental Affairs at FEC stated in an e-mail that FEC had no comments.
    Recommendation: To help ensure timely and complete reporting of agencies' civil monetary penalty information in agency financial reports (AFR) and to provide the Office of Management and Budget (OMB) and other decision makers with the information needed to help ensure the effectiveness of civil monetary penalties in enforcing statutes and preventing violations, the Acting Chairman of the Federal Maritime Commission (FMC) should publish civil monetary penalties within its jurisdiction, including any penalty adjustments, in FMC's 2017 AFR.

    Agency: Federal Maritime Commission
    Status: Open

    Comments: In responding to our draft report, FMC stated that it plans to publish updates to its civil monetary penalty information in its 2017 performance and accountability report.
    Recommendation: To help ensure timely and complete reporting of agencies' civil monetary penalty information in agency financial reports (AFR) and to provide the Office of Management and Budget (OMB) and other decision makers with the information needed to help ensure the effectiveness of civil monetary penalties in enforcing statutes and preventing violations, the Chairman of the National Indian Gaming Commission (NIGC) should publish civil monetary penalties within its jurisdiction, including any penalty adjustments, in the Department of the Interior's 2017 AFR.

    Agency: National Indian Gaming Commission
    Status: Open

    Comments: In response to our request for comments on our draft report, NIGC stated that it generally agreed with our recommendation. In addition, NIGC stated that as an independent federal regulatory agency within the Department of the Interior (DOI), NIGC and DOI have developed procedures to ensure that the required civil monetary penalty information will be reported to DOI for its annual agency financial report starting with fiscal year 2017.
    Recommendation: To help ensure timely and complete reporting of agencies' civil monetary penalty information in agency financial reports (AFR) and to provide the Office of Management and Budget (OMB) and other decision makers with the information needed to help ensure the effectiveness of civil monetary penalties in enforcing statutes and preventing violations, the Director of OMB should clarify its guidance related to civil monetary penalty inflation adjustment information that agencies are required to report in the AFRs.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: In response to our request for comment, OMB staff stated that they generally agreed with our recommendation.
    Director: Nick Marinos
    Phone: (202) 512-9342

    1 open recommendation
    Recommendation: To help improve the corporation's implementation of its information security program, the Chairman of FDIC should direct the Chief Information Officer to update the procedure for granting access to the key financial application, to include responsibilities and steps for ensuring that the access privileges granted have been approved by the users' supervisor.

    Agency: Federal Deposit Insurance Corporation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Paula M. Rascona
    Phone: (202) 512-9816

    2 open recommendations
    including 2 priority recommendations
    Recommendation: The Director of OMB and the Secretary of the Treasury should establish mechanisms to assess the results of independent audits and reviews of agencies' compliance with the DATA Act requirements, including those of agency OIGs, to help inform full implementation of the act's requirements across government.

    Agency: Department of the Treasury
    Status: Open
    Priority recommendation

    Comments: Treasury stated it will establish mechanisms to assess the results of independent audits and reviews of agencies' compliance with the DATA Act requirements, including those of agency OIGs. Treasury also stated these mechanisms will inform Treasury's efforts on whether and how to tailor its future outreach efforts to help agencies meet their DATA Act requirements. We will continue to assess Treasury's efforts to address this recommendation as IGs plan to issue their required reports in November 2017.
    Recommendation: The Director of OMB and the Secretary of the Treasury should establish mechanisms to assess the results of independent audits and reviews of agencies' compliance with the DATA Act requirements, including those of agency OIGs, to help inform full implementation of the act's requirements across government.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open
    Priority recommendation

    Comments: OMB stated that it reviewed available IG readiness review reports in its assessment of agency implementation efforts, and it also relied on other, more up-to-date sources of information from agencies including data obtained from one-on-one meetings and agency self-assessments. We will continue to assess OMB's efforts to address this recommendation as IGs plan to issue their required reports in November 2017.
    Director: Alicia Puente Cackley
    Phone: (202) 512-8678

    3 open recommendations
    Recommendation: To help state credit union supervisors and privately insured credit unions better interpret Regulation I and inform consumers when an institution is not federally insured, CFPB should issue guidance to clarify whether drive-through windows require disclosures.

    Agency: Consumer Financial Protection Bureau
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help state credit union supervisors and privately insured credit unions better interpret Regulation I and inform consumers when an institution is not federally insured, CFPB should issue guidance to describe what constitutes clear and conspicuous disclosure, including minimum signage dimensions and font size for disclosures.

    Agency: Consumer Financial Protection Bureau
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help state credit union supervisors and privately insured credit unions better interpret Regulation I and inform consumers when an institution is not federally insured, CFPB should issue guidance to explain and provide examples of which communications are advertising.

    Agency: Consumer Financial Protection Bureau
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Lawrance L. Evans, Jr.
    Phone: (202) 512-8678

    17 open recommendations
    Recommendation: To help improve the consistency of federal banking regulators' stress test requirements and help ensure that institutions overseen by different regulators receive consistent regulatory treatment, the heads of the Federal Reserve, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency should harmonize their agencies' approach to granting extensions and exemptions from stress test requirements.

    Agency: Department of the Treasury: Office of the Comptroller of the Currency
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the consistency of federal banking regulators' stress test requirements and help ensure that institutions overseen by different regulators receive consistent regulatory treatment, the heads of the Federal Reserve, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency should harmonize their agencies' approach to granting extensions and exemptions from stress test requirements.

    Agency: Federal Deposit Insurance Corporation
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help improve the consistency of federal banking regulators' stress test requirements and help ensure that institutions overseen by different regulators receive consistent regulatory treatment, the heads of the Federal Reserve, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency should harmonize their agencies' approach to granting extensions and exemptions from stress test requirements.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help provide stronger incentives for companies to perform company-run stress tests in a manner consistent with Federal Reserve goals, the Federal Reserve should remove company-run stress tests from the CCAR quantitative assessment.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To increase transparency and improve CCAR effectiveness, the Federal Reserve should publicly disclose additional information that would allow for a better understanding of the methodology for completing qualitative assessments, such as the role of ratings and rankings and the extent to which they affect final determination decisions.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To increase transparency and improve CCAR effectiveness, the Federal Reserve should, for future determinations to object or conditionally not object to a company's capital plan on qualitative grounds, disclose additional information about the reasons for the determinations.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To increase transparency and improve CCAR effectiveness, the Federal Reserve should publicly disclose, on a periodic basis, information on capital planning practices observed during CCAR qualitative assessments, including practices the Federal Reserve considers stronger or leading practices.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To increase transparency and improve CCAR effectiveness, the Federal Reserve should improve policies for official responses to CCAR companies by establishing procedures for notifying companies about time frames relating to Federal Reserve responses to company inquiries.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To strengthen the scenario design process, the Federal Reserve should assess--and adjust as necessary--the overall level of severity of its severely adverse scenario by establishing a process to facilitate proactive consideration of levels of severity that may fall outside U.S. postwar historical experience.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To strengthen the scenario design process, the Federal Reserve should assess--and adjust as necessary--the overall level of severity of its severely adverse scenario by expanding consideration of the trade-offs associated with different degrees of severity.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve understanding of the range of potential crises against which the banking system would be resilient and the outcomes that might result from different scenarios, the Federal Reserve should assess whether a single severe supervisory scenario is sufficient to inform CCAR decisions and promote the resilience of the banking system. Such an assessment could include conducting sensitivity analysis involving multiple severe supervisory scenarios--potentially using CCAR data for a cycle that is already complete, to avoid concerns about tailoring the scenario to achieve a particular outcome.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help ensure that Federal Reserve stress tests do not amplify future economic cycles, the Federal Reserve should develop a process to test its proposed severely adverse scenario for procyclicality annually before finalizing and publicly releasing the supervisory scenarios.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve the Federal Reserve's ability to manage model risk and ensure that decisions based on supervisory stress test results are informed by an understanding of model risk, the Federal Reserve should apply its model development principles to the combined system of models used in the supervisory stress tests.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve the Federal Reserve's ability to manage model risk and ensure that decisions based on supervisory stress test results are informed by an understanding of model risk, the Federal Reserve should create an appropriate set of system-level model documentation, including an overview of how component models interact and key assumptions made in the design of model interactions.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve the Federal Reserve's ability to manage model risk and ensure that decisions based on supervisory stress test results are informed by an understanding of model risk, the Federal Reserve should design and implement a process to test and document the sensitivity and uncertainty of the model system's output--the post-stress capital ratios used to make CCAR quantitative assessment determinations--including, at a minimum, the cumulative uncertainty surrounding the capital ratios and their sensitivity to key model parameters, specifications, and assumptions from across the system of models.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve the Federal Reserve's ability to manage model risk and ensure that decisions based on supervisory stress test results are informed by an understanding of model risk, the Federal Reserve should design and implement a process to communicate information about the range and sources of uncertainty surrounding the post-stress capital ratio estimates to the Board during CCAR deliberations.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To improve the Federal Reserve's ability to manage model risk and ensure that decisions based on supervisory stress test results are informed by an understanding of model risk, the Federal Reserve should design and implement a process for the Board and senior staff to articulate tolerance levels for key risks identified through sensitivity testing and for the degree of uncertainty in the projected capital ratios.

    Agency: Federal Reserve System
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Yvonne D. Jones
    Phone: (202) 512-6806

    1 open recommendation
    Recommendation: To help agencies determine the value of their telework programs, the Director of OPM, working with the Chief Human Capital Officers Council, should provide clarifying guidance on options for developing supporting data for benefits and costs associated with agency telework programs. For example, the guidance could identify potential data sources, such as the data generated in response to requirements under the Office of Management and Budget (OMB) Reduce the Footprint Memorandum 2015-01 and Executive Order 13693.

    Agency: Office of Personnel Management
    Status: Open

    Comments: OPM concurred with the recommendation and its work-life policy office will work with the Chief Human Capital Officers (CHCO) Council to further agency efforts to determine the value of their telework programs. OPM stated that they will develop clarifying guidance for agencies with CHCO input and host a CHCO Academy session focused on evaluating the costs and benefits of telework programs. This guidance will review basic principles of cost-benefit analysis, highlight common costs and benefits, and identify potential data sources in areas such as real estate costs, energy use, commuting costs, and employee productivity.
    Director: David J. Wise
    Phone: (202) 512-2834

    2 open recommendations
    Recommendation: To increase the completeness of information on the federal government's real property holdings and improve the coordination among federal entities that lease real property, the Deputy Director of the OMB--as chair of the FRPC--should establish efficient methods for including data from non-FRPC member entities in the FRPP.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To increase the completeness of information on the federal government's real property holdings and improve the coordination among federal entities that lease real property, the Deputy Director of the OMB--as chair of the FRPC--should establish efficient methods for increasing collaboration between FRPC member and non-member entities, including sharing leading real-property management practices.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Gregory C. Wilshusen
    Phone: (202) 512-6244

    1 open recommendation
    Recommendation: To help improve the corporation's implementation of its information security program, the Chairman of FDIC should direct the Chief Information Officer to develop and implement a policy that requires monitoring changes to critical files for the platforms identified during the audit.

    Agency: Federal Deposit Insurance Corporation
    Status: Open

    Comments: According to officials in FDIC's Division of Information Technology, the corporation plans to implement a new solution in 2017 to enable security personnel to identify users making file system changes. Subsequent to FDIC implementing a new solution, we plan to validate FDIC's actions.
    Director: Lawrance Evans, Jr.
    Phone: (202) 512-8678

    6 open recommendations
    Recommendation: Congress should consider whether additional changes to the financial regulatory structure are needed to reduce or better manage fragmentation and overlap in the oversight of financial institutions and activities to improve (1) the efficiency and effectiveness of oversight; (2) the consistency of consumer and investor protections; and (3) the consistency of financial oversight for similar institutions, products, risks, and services. For example, Congress could consider consolidating the number of federal agencies involved in overseeing the safety and soundness of depository institutions, combining the entities involved in overseeing the securities and derivatives markets, transferring the remaining prudential regulators' consumer protection authorities over large depository institutions to the Consumer Financial Protection Bureau, and the optimal role for the federal government in insurance regulation, among other considerations.

    Agency: Congress
    Status: Open

    Comments: One bill has been introduced in the 115th Congress that would change the financial regulatory structure to address fragmented and overlapping regulatory authorities among agencies, as GAO suggested in February 2016. H.R. 594 was introduced on January 20, 2017, and calls for the functions of the Commodity Futures Trading Commission and the Securities and Exchange Commission to be combined in a single independent regulatory commission. Such an action could help to address fragmentation and overlap between the two agencies, and reduce opportunities for inefficiencies in the regulatory process and inconsistencies in how regulators conduct oversight activities over similar types of institutions, products, and risks.
    Recommendation: Congress should consider whether legislative changes are necessary to align FSOC's authorities with its mission to respond to systemic risks. Congress could do so by making changes to FSOC's mission, its authorities, or both, or to the missions and authorities of one or more of the FSOC member agencies to support a stronger link between the responsibility and capacity to respond to systemic risks. In doing so, Congress could solicit information from FSOC on the effective scope of its collective designation authorities, including any gaps.

    Agency: Congress
    Status: Open

    Comments: No legislative action identified. As of March 1, 2017, no legislation had been introduced that would align FSOC's authorities with its mission to respond to systemic risks, as GAO suggested in February 2016. Without such legislative changes, FSOC may lack the tools it needs to comprehensively address systemic risks that may emerge, and a gap will continue to exist in the post Dodd-Frank Wall Street Reform and Consumer Protection Act mechanisms for the mitigation of systemic risks.
    Recommendation: To help regulators address regulatory fragmentation and improve FSOC's ability to identify emerging systemic risks, as OFR develops and refines its financial stability monitoring tools, it should work with FSOC to determine ways in which to fully and regularly incorporate current and future monitors and assessments into Systemic Risk Committee deliberations, including, where relevant, those that present disaggregated or otherwise confidential supervisory information.

    Agency: Department of the Treasury: Financial Stability Oversight Council: Office of Financial Research
    Status: Open

    Comments: At the FSOC Systemic Risk Committee meeting held in December 2016, Treasury indicated that Office of Financial Research staff presented on the agency's Financial Stability Report. Officials indicated that they provided an assessment on potential financial stability risks, including macroeconomic, market, credit, funding and liquidity, and contagion risks. Systemic Risk Committee meeting attendees were able to compare and contrast these with the results from the Federal Reserve's systemic risk monitoring activities, which were also presented at the meeting. Office of Financial Research officials stated that there was general consensus at the meeting that these discussions were useful and that they should continue. GAO does not believe that this action is consistent with the intent of its February 2016 recommendation to fully and regularly incorporate current and future monitors and assessments into FSOC's Systemic Risk Committee deliberations. While GAO encourages sharing this type of information, the Office of Financial Research's Financial Stability Report is a publicly-available report. The intent of GAO's recommendation was to encourage the agency to fully incorporate all of its monitors into Systemic Risk Committee discussions, including its Financial Stability Monitor--its benchmark tool for assessing risks across the financial system. In addition, in its February 2016 report, GAO encouraged the agency to seek ways in which monitors that present disaggregated or otherwise confidential supervisory information can be incorporated in committee discussions. Without sharing such monitors and information, the Systemic Risk Committee may identify and advance the analysis of only a subset of systemic risks in a timely manner and may identify others too late or miss others altogether. The Financial CHOICE Act of 2016 was introduced in the 114th Congress. The act called for the Office of Financial Research to be eliminated. It was not passed before the end of the 114th Congress.
    Recommendation: To help regulators address regulatory fragmentation and improve FSOC's ability to identify emerging systemic risks, the Federal Reserve should work with FSOC to regularly incorporate the comprehensive results of its systemic risk monitoring activities into Systemic Risk Committee deliberations.

    Agency: Federal Reserve System
    Status: Open

    Comments: As of March 1, 2017, Federal Reserve officials indicated that they provided a presentation to FSOC's Systemic Risk Committee in December 2016, which included comprehensive results from its systemic risk monitoring activities. This action appears to be consistent with GAO's February 2016 recommendation, but the documentation provided by the Federal Reserve did not provide sufficient evidence that the agency has regularly incorporated these results into Systemic Risk Committee meetings. GAO will continue to monitor the Federal Reserve's participation in Systemic Risk Committee meetings to ensure that the agency continues to provide both regular and comprehensive results to the committee. Without better access to systemic risk monitoring tools and other outputs, the Systemic Risk Committee may identify and advance the analysis of only a subset of systemic risks in a timely manner and may identify others too late or miss others altogether.
    Recommendation: To more efficiently and effectively monitor the financial system for systemic risks and reduce the risk of unnecessary duplication, OFR and the Federal Reserve should jointly articulate individual and common goals for their systemic risk monitoring activities, including a plan to monitor progress toward articulated goals, and formalize regular strategic and technical discussions around their activities and outputs to support those goals.

    Agency: Department of the Treasury: Financial Stability Oversight Council: Office of Financial Research
    Status: Open

    Comments: As of March 1, 2017, the Federal Reserve and the Office of Financial Research had coordinated to organize semi-annual meetings to jointly discuss views from their respective monitoring of the financial system for risks; but these meetings had not yet taken place. The first of these meetings is to be held in May 2017 following the agencies' respective systemic risk exercises. Initiating these discussions addresses part of GAO's February 2016 recommendation. GAO plans to review documentation from these meetings in 2017 to further assess if the agencies will use these meetings to jointly articulate individual and common goals, including developing a plan to monitor progress toward the goals. Fully addressing GAO's recommendation could help to ensure comprehensiveness in systemic risk surveillance and reduced risk of duplication. On September 9, 2016, the Financial CHOICE Act of 2016 was introduced. It called for the Office of Financial Research to be eliminated. The legislation did not pass before the 114th Congress ended.
    Recommendation: To more efficiently and effectively monitor the financial system for systemic risks and reduce the risk of unnecessary duplication, OFR and the Federal Reserve should jointly articulate individual and common goals for their systemic risk monitoring activities, including a plan to monitor progress toward articulated goals, and formalize regular strategic and technical discussions around their activities and outputs to support those goals.

    Agency: Federal Reserve System
    Status: Open

    Comments: As of March 1, 2017, the Federal Reserve and the Office of Financial Research had coordinated to organize semi-annual meetings to jointly discuss views from their respective monitoring of the financial system for risks; but these meetings had not yet taken place. The first of these meetings is to be held in May 2017 following the agencies' respective systemic risk exercises. Initiating these discussions addresses part of GAO's February 2016 recommendation. GAO plans to review documentation from these meetings in 2017 to further assess if the agencies will use these meetings to jointly articulate individual and common goals, including developing a plan to monitor progress toward the goals. Fully addressing GAO's recommendation could help to ensure comprehensiveness in systemic risk surveillance and reduced risk of duplication. On September 9, 2016, the Financial CHOICE Act of 2016 was introduced. It called for the Office of Financial Research to be eliminated. The legislation did not pass before the 114th Congress ended.
    Director: Lawrance Evans
    Phone: (202) 512-8678

    4 open recommendations
    Recommendation: To ensure that NCUA has adequate authority to determine the safety and soundness of credit unions, Congress should consider modifying the Federal Credit Union Act to grant NCUA authority to examine technology service providers of credit unions.

    Agency: Congress
    Status: Open

    Comments: In July 2015, we suggested that Congress modify the Federal Credit Union Act to grant NCUA authority to examine technology service providers of credit unions. As of October 2016, Congress had not granted NCUA such authority.
    Recommendation: To improve their ability to assess the adequacy of the information security practices at medium and small institutions, the heads of Federal Deposit Insurance Corporation, the Federal Reserve, Office of the Comptroller of the Currency, and NCUA should routinely categorize IT examination findings and analyze this information to identify trends that can guide areas of review across institutions.

    Agency: Department of the Treasury: Office of the Comptroller of the Currency
    Status: Open

    Comments: In July 2015, we recommended that the Office of the Comptroller of the Currency (OCC) and other federal financial institution regulators conduct trend analysis of their IT examination findings to improve their ability to assess the adequacy of information security practices at medium and small institutions. In September 2015, OCC stated that it is taking two actions to respond to our recommendation. First, the agency is integrating the Cybersecurity Assessment Tool (Tool), developed by OCC and other federal financial institution regulators, into OCC's ongoing IT examinations of national banks and federal savings associations. Officials believe that the Tool will provide OCC with a repeatable and measurable process for assessing both the level of risk and the maturity of risk management processes within and across OCC-supervised institutions. Also, officials believe that data gathered in this process will allow OCC to monitor industry trends and identify new or emerging weaknesses where additional guidance or supervisory actions may be needed. Furthermore, the Tool will help OCC allocate examiner resources and better target examiner training. OCC began integrating the Tool in selected examinations in December 2015. Second, OCC stated that it enhanced its guidance and procedures for examiners to identify and aggregate supervisory concerns into matters requiring attention (MRAs), which are the mechanism OCC uses to communicate supervisory concerns to bank management and directors. OCC believes that the enhancements will facilitate systemic categorization of supervisory concerns that strengthen recording, monitoring, and analyzing of volumes and trends across bank portfolios. Also, the enhanced guidance discusses the relationship between MRAs, interagency ratings, OCC's risk assessment system, and enforcement actions. OCC believes that these process enhancements, combined with the integration of the Tool, will improve its ability to assess information security practices at medium and small institutions. We will continue to monitor OCC's progress in implementing the Tool and the resulting trend analyses that the Tool is intended to facilitate.
    Recommendation: To improve their ability to assess the adequacy of the information security practices at medium and small institutions, the heads of Federal Deposit Insurance Corporation, the Federal Reserve, Office of the Comptroller of the Currency, and NCUA should routinely categorize IT examination findings and analyze this information to identify trends that can guide areas of review across institutions.

    Agency: Federal Reserve System
    Status: Open

    Comments: In July 2015, we recommended that the Board of Governors of the Federal Reserve System (Board) and other federal financial institution regulators conduct trend analysis of their IT examination findings to improve their ability to assess the adequacy of information security practices at medium and small institutions. As of October 2016, the Board had not provided an update on its efforts to address this recommendation.
    Recommendation: To improve their ability to assess the adequacy of the information security practices at medium and small institutions, the heads of Federal Deposit Insurance Corporation, the Federal Reserve, Office of the Comptroller of the Currency, and NCUA should routinely categorize IT examination findings and analyze this information to identify trends that can guide areas of review across institutions.

    Agency: National Credit Union Administration
    Status: Open

    Comments: In July 2015, we recommended that the National Credit Union Administration (NCUA) and other federal financial institution regulators conduct trend analysis of their IT examination findings to improve their ability to assess the adequacy of information security practices at medium and small institutions. In July 2016, NCUA told us that it and the other federal financial institution regulators issued the Cybersecurity Assessment Tool (Tool) in June 2015 to provide a comprehensive method for institutions to benchmark their cybersecurity programs. Officials believe that the Tool will allow examiners to consistently and methodically look at credit union risks and trends, as well as collect detailed information on the risks and mitigating controls employed by credit unions. When the Tool is fully implemented, officials expect to be able to aggregate risk indicators and program gaps across the credit union industry to improve resource deployment and enhance cybersecurity supervisory oversight. NCUA plans to begin pilot testing the Tool in late 2016 with program integration targeted for July 2017. We will continue to monitor NCUA's progress with this program and revisit our recommendation in July 2017.
    Director: Mathew J. Scirè
    Phone: (202) 512-8678

    8 open recommendations
    Recommendation: To enhance the effectiveness of its preparations for conducting a retrospective review of its QM regulations, CFPB should complete its plan. The plan should identify what outcomes CFPB will examine to measure the effects of the regulations and the specific metrics, baselines, and analytical methods to be used. Furthermore, to account for and help mitigate the limitations of existing data and the uncertain availability of enhanced datasets, CFPB should include in its plan alternate metrics, baselines, and analytical methods that could be used if data were to remain unavailable.

    Agency: Consumer Financial Protection Bureau
    Status: Open

    Comments: In January 2017, CFPB staff noted that the Bureau produced a high-level research plan in November 2016 and organized a research team for the ATR-QM Assessment. CFPB staff stated that they are working to identify the outcomes CFPB will examine to measure the effects of the regulations, including the specific metrics, baselines, and analytical methods to be used. CFPB staff noted that they have also begun analyzing the data the Bureau has on-hand, planning for the collection of additional data, and drafting a Federal Register notice request for information regarding the plan.
    Recommendation: To enhance the effectiveness of its preparations for conducting a retrospective review of its QM regulations, HUD should develop a plan that identifies the metrics, baselines, and analytical methods to be used. Furthermore, to account for and help mitigate the limitations of existing data and the uncertain availability of enhanced datasets, HUD should include in its plan alternate metrics, baselines, and analytical methods that could be used if data were to remain unavailable.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: In February 2017, HUD noted that it does not currently collect data on the annual percentage rate (APR) for each loan that would allow for a perfect comparison to the average prime offer rate. According to HUD, its Office of Housing has on its long-term list of systems priorities to collect specific information from the Uniform Closing Data that could be used to conduct such a comparison. However, HUD stated that it has not received adequate funding to meet these systems enhancements. According to HUD, it is considering the feasibility and potential utility of alternative data sources or the use of a proxy in an appropriate methodology. For instance, it is considering whether it may be possible to approximate the APR based upon the note rate and information on closing costs that is collected in the current data system, or alternatively, whether the APR could be obtained or approximated through matching Home Mortgage Disclosure Act data for FHA loans.
    Recommendation: To enhance the effectiveness of their preparations for conducting a retrospective review of the QRM regulations, the agencies responsible for the QRM regulations--Federal Deposit Insurance Corporation, Federal Housing Finance Agency, Board of Governors of the Federal Reserve System, HUD, Office of the Comptroller of the Currency, and Securities and Exchange Commission--should develop a plan that identifies the metrics, baselines, and analytical methods to be used and specify the roles and responsibilities of each agency in the review process. Furthermore, to account for and help mitigate limitations of existing data and the uncertain availability of enhanced datasets, the six agencies should include in their plan alternate metrics, baselines, and analytical methods that could be used if data were to remain unavailable.

    Agency: Federal Housing Finance Agency
    Status: Open

    Comments: In January 2017, FHFA informed GAO that SEC had shared its draft plan with the other participating agencies and there was an interagency call to discuss the plan on December 20, 2016. FHFA confirmed that there was an interagency call on that date to discuss the QRM review. FHFA noted that it was developing its own plan, and anticipated that the plan would be completed by June 30, 2017. Depending on changes in the structure of the mortgage market, FHFA stated that it will further update the plan as the agency approaches the start of the official QRM definition review in 2019. As with the 2014 final rule, FHFA staff expected that FHFA's participation will focus on the analysis of Fannie Mae and Freddie Mac residential mortgage data.
    Recommendation: To enhance the effectiveness of their preparations for conducting a retrospective review of the QRM regulations, the agencies responsible for the QRM regulations--Federal Deposit Insurance Corporation, Federal Housing Finance Agency, Board of Governors of the Federal Reserve System, HUD, Office of the Comptroller of the Currency, and Securities and Exchange Commission--should develop a plan that identifies the metrics, baselines, and analytical methods to be used and specify the roles and responsibilities of each agency in the review process. Furthermore, to account for and help mitigate limitations of existing data and the uncertain availability of enhanced datasets, the six agencies should include in their plan alternate metrics, baselines, and analytical methods that could be used if data were to remain unavailable.

    Agency: Department of Housing and Urban Development
    Status: Open

    Comments: In February 2017, HUD stated that it has engaged in preliminary discussions both internally and with the other five partner agencies to the 2014 QRM Joint Regulation: OCC, the Federal Reserve Board, FDIC, FHFA and SEC. Based on GAO's recommendations, HUD stated that it has also conducted initial reviews of existing and potential methodologies and data sources that may inform the review. HUD also noted that as a fundamental matter, FHA insured mortgages are only securitized through the Government National Mortgage Association (GNMA). Both FHA and GNMA have extensive underlying requirements regarding both mortgage terms and conditions as well as requirements related to the securitization of those mortgages. According to HUD, its retrospective review of the QRM rule, in terms of any impact on FHA single family insurance programs, will take into account the existing underlying FHA and GNMA statutes and regulations that already govern those programs.
    Recommendation: To enhance the effectiveness of their preparations for conducting a retrospective review of the QRM regulations, the agencies responsible for the QRM regulations--Federal Deposit Insurance Corporation, Federal Housing Finance Agency, Board of Governors of the Federal Reserve System, HUD, Office of the Comptroller of the Currency, and Securities and Exchange Commission--should develop a plan that identifies the metrics, baselines, and analytical methods to be used and specify the roles and responsibilities of each agency in the review process. Furthermore, to account for and help mitigate limitations of existing data and the uncertain availability of enhanced datasets, the six agencies should include in their plan alternate metrics, baselines, and analytical methods that could be used if data were to remain unavailable.

    Agency: Department of the Treasury: Office of the Comptroller of the Currency
    Status: Open

    Comments: In its comment letter on the draft report, OCC indicated that it planned to take GAO's recommendation into account as it monitored mortgage market conditions and prepared for upcoming QRM reviews. OCC stated that it planned to periodically meet with the other agencies to discuss the implications of any trends it observes and coordinate on studies to better focus and support its evaluation of the review factors.
    Recommendation: To enhance the effectiveness of their preparations for conducting a retrospective review of the QRM regulations, the agencies responsible for the QRM regulations--Federal Deposit Insurance Corporation, Federal Housing Finance Agency, Board of Governors of the Federal Reserve System, HUD, Office of the Comptroller of the Currency, and Securities and Exchange Commission--should develop a plan that identifies the metrics, baselines, and analytical methods to be used and specify the roles and responsibilities of each agency in the review process. Furthermore, to account for and help mitigate limitations of existing data and the uncertain availability of enhanced datasets, the six agencies should include in their plan alternate metrics, baselines, and analytical methods that could be used if data were to remain unavailable.

    Agency: Federal Deposit Insurance Corporation
    Status: Open

    Comments: In February 2017, FDIC indicated that it developed a plan that outlines the baseline, data, metrics, and analytical methods that it plans to utilize in the QRM definition review. According to FDIC, the plan also outlines FDIC's commitment to working collaboratively with the other agencies. As a baseline, FDIC plans to use the data, metrics, and analytical methods used in the final rulemaking process as outlined in the Supplementary Information to the credit risk retention (CRR) regulation as well as data and analytical methods that the FDIC currently uses to monitor the mortgage and securitization markets and economy on an ongoing basis. FDIC stated that it continues to plan to coordinate with the other agencies on the QRM definition review by allocating responsibilities based on expertise, data, and other resources within each agency as the agencies did in the CRR rulemaking process.
    Recommendation: To enhance the effectiveness of their preparations for conducting a retrospective review of the QRM regulations, the agencies responsible for the QRM regulations--Federal Deposit Insurance Corporation, Federal Housing Finance Agency, Board of Governors of the Federal Reserve System, HUD, Office of the Comptroller of the Currency, and Securities and Exchange Commission--should develop a plan that identifies the metrics, baselines, and analytical methods to be used and specify the roles and responsibilities of each agency in the review process. Furthermore, to account for and help mitigate limitations of existing data and the uncertain availability of enhanced datasets, the six agencies should include in their plan alternate metrics, baselines, and analytical methods that could be used if data were to remain unavailable.

    Agency: Federal Reserve System: Board of Governors
    Status: Open

    Comments: In January 2017, the Federal Reserve Board stated that it has an ongoing program to monitor the mortgage and securitization markets as part of its monetary policy, regulatory, and financial stability responsibilities. According to the Federal Reserve, Board staff are continuously researching new data sources, analytical methods, and metrics as part of that program. The Federal Reserve also noted that Board staff with responsibility for implementing this recommendation continue to meet with their counterparts at other agencies.
    Recommendation: To enhance the effectiveness of their preparations for conducting a retrospective review of the QRM regulations, the agencies responsible for the QRM regulations--Federal Deposit Insurance Corporation, Federal Housing Finance Agency, Board of Governors of the Federal Reserve System, HUD, Office of the Comptroller of the Currency, and Securities and Exchange Commission--should develop a plan that identifies the metrics, baselines, and analytical methods to be used and specify the roles and responsibilities of each agency in the review process. Furthermore, to account for and help mitigate limitations of existing data and the uncertain availability of enhanced datasets, the six agencies should include in their plan alternate metrics, baselines, and analytical methods that could be used if data were to remain unavailable.

    Agency: United States Securities and Exchange Commission
    Status: Open

    Comments: In January 2017, SEC staff stated that they had developed a preliminary review plan for the QRM rule in December 2016. SEC staff noted that although the review plan describes several proposed analytical approaches, the precise analytical approach to review the mortgage market conditions and the definition of QRM will depend on future data availability, future mortgage market conditions, and the role of Fannie Mae, Freddie Mac, and other participants in those markets at that time. To prepare for this review, SEC staff noted that they intend to meet on a periodic basis with the staff of the other agencies to share the results of the analyses discussed above, understand the analyses being performed by the other agencies, and discuss what additional data or analyses may be helpful. As part of these discussions, SEC staff stated that the agencies will likely divide responsibilities for conducting the review according to agency expertise and resources, consistent with each agency's statutory authority and role.