CHAPTER 16

Baseless Demand, Fateful Results

ON SEPTEMBER 27, 2004, THE FANNIE MAE BOARD ENTERED INTO a written agreement with OFHEO that addressed a number of the issues raised in the interim report presented to it the week before. The eight-page document included items on accounting, capital, organization, and corporate governance. Among them was the requirement that “[the Fannie Mae] Board shall direct the appointment of a chief risk officer, to be independent of other corporate responsibilities and to have duties crafted in consultation with OFHEO.”

Adding a Chief Risk Officer Adds Risk

The appointment of a chief risk officer echoed a recommendation OFHEO had made for Freddie Mac. In its special examination of that company, OFHEO claimed that “certain problems at Freddie Mac can be attributed to imbalances of power within the structure of the Enterprise.” OFHEO believed that an independent chief risk officer reporting directly to Freddie Mac’s CEO would have “the stature to deal effectively with the business units” and for that reason recommended one.

Stature and imbalances of power were not issues with the risk management functions at Fannie Mae. During his chairmanship, Raines had carefully configured Fannie Mae’s organization to create a balance between the company’s marketing, affordable housing, and risk management objectives that, if anything, put a thumb on the scale on the risk management side. Raines’s organizational structure had all operational and customer-oriented activities reporting to him through one of his two vice chairmen, Dan Mudd, who carried the title of chief operating officer. All financial risk-related activities reported to Raines through his other vice chairman, me. I had the formal title of chief financial officer but also served informally as the company’s chief risk officer.

In this configuration, Raines had strong and capable advocates for Fannie Mae’s business volume and affordable housing objectives in Mudd and his staff, and strong and capable advocates for our financial and risk management objectives in my staff and me. In title, Mudd and I were equals. The thumb went on the scale in the Risk Policy Committee. One of the purposes of Risk Policy was to “serve as [the] primary forum for raising and resolving all issues relating to the extent to which business unit activities or strategies are achieving defined corporate risk management objectives.” I chaired that committee. For any judgment I made there to be altered or overturned, Mudd or his officers had to appeal it to Raines, who as chairman and CEO had ultimate responsibility for finding the right balance among our competing objectives. It was a sound and workable structure, one that, as Raines put it, “made it harder to make bad decisions.”

The interim OFHEO report had noted the variety of responsibilities I had and then stated, in bold print, “The combination of these responsibilities does not provide the independence necessary for an effective Chief Risk Officer function.” That was all the report said on the subject. It cited no shortcomings of our risk management processes and made no recommendations for their improvement; indeed the special examination focused exclusively on accounting and internal control issues and did not address risk management at all. OFHEO simply asserted that Fannie Mae’s risk management organization was not effective, and in the September 27 agreement, the board consented to change it in the manner OFHEO directed, including by appointing an independent chief risk officer.

As it happened, early in 2004 I had seriously considered adding a chief risk officer (CRO) position when our chief credit officer, Adolfo Marzol, informed me in February that he wished to step down from his job later on in the year. I saw his impending move as an opportunity to investigate incorporating a CRO into our financial risk organization, and I worked with Marzol and the head of Fannie Mae’s portfolio business, Peter Niculescu, to try to devise a CRO job description and organizational structure that would be practical at Fannie Mae. I was not successful. The problem I encountered was that the best organizational models for managing credit risk and interest risk were opposites. In the credit guaranty business, credit risk assessment was most effective when it was done independently of the product acquisition function. In the portfolio business, risk assessment and portfolio decisions—whether for asset acquisition, funding, or rebalancing—took place interactively and simultaneously; they could not be separated functionally, so it made little sense to separate them organizationally. The contrasting models of risk management for Fannie Mae’s two businesses made it almost impossible to design a CRO organization that did not create more coordination and integration challenges than it added benefits. I gave up on the idea.

When Marzol left his chief credit officer job in August 2004, I kept the mortgage portfolio business management structure as it was and created the position of senior vice president−credit finance as a replacement for the chief credit officer. I put Credit Policy’s research, modeling, loan performance analysis, and finance functions in the new Credit Finance group and reorganized them, and I moved Credit Policy’s transactions-related functions into the business units. I asked a senior officer of the Credit Policy department to take the SVP−credit finance position on an interim basis, while I conducted a national search for the best person to fill it.

One month later, I was back looking at the chief risk officer model again—this time with a number of other people and in response to OFHEO’s directive that we implement it whether it suited Fannie Mae or not. Our board of directors had created a Compliance Committee to manage and report on all of the undertakings in our OFHEO agreement, and that committee had contracted with Mercer Consulting to help “develop for Fannie Mae a blueprint for creating a gold standard finance and risk management organization that will also be responsive to recent OFHEO guidance.” The Compliance Committee formed an advisory group that included former Comptroller of the Currency Gene Ludwig and former SEC Chairman Richard Breeden as outside experts, along with Raines and me as experts on Fannie Mae, to work with Mercer on this task.

For as long as Raines and I remained at the company, the “preferred option” in the Mercer project was for the chief risk officer to have lead responsibility for both financial and operational risk management. Under this option, the head of Credit Finance would have reported to the CRO, and other credit risk-related duties and interactions would have remained essentially as they were, pending changes by the CRO, once hired, at his or her discretion. This produced minimal disruption to the credit risk management organization and business processes we had just put in place—and were relying on for protection in the high-risk market environment we faced—and I thought it was as good a result as we were likely to obtain.

Upon Raines’s departure, Dan Mudd was named interim chief executive officer. (The board elected him CEO in June 2005.) Steve Ashley, an outside board member and former mortgage banker, was named nonexecutive chairman. Raines had been heavily involved in financial risk issues throughout his Fannie Mae career, and I had been the company’s top risk management executive for close to 20 years. But in January 2005, both of us were gone. It was up to Mudd and Ashley to implement OFHEO’s directive to add a CRO to the company’s risk functions, and the way in which they did so drew more on the customer orientation they brought from their old jobs than on the risk management orientation required in their new ones.

Barely a month after Raines and I left, in February 2005, the head of the Mercer project informed the members of the Compliance Committee that the CRO now “would have an oversight role, rather than a controlling role over individual transactions.” The functions of all the groups within the CRO organization were changed from “management” to “oversight,” and lead responsibility for “identifying, measuring, and managing key risks” in the credit guaranty business was moved from groups independent of the business to executives within the business. With these changes, a discipline that had existed since the Maxwell years—where an independent credit officer could exercise “terminal authority” over decisions made by marketing executives—disappeared. The chief risk officer and his or her staff could set broad policies for interest rate and credit risk taking and observe and report to the CEO and the board on the risks taken by business unit management, but they would have no decision-making authorities themselves.

The changes in credit risk accountability under Mudd quickly led to the dismantling of the credit risk management organization and business processes put together under Raines. The Credit Finance Department—which contained groups and personnel with complementary skill sets and responsibilities and was designed to work as a unit—was split up and dispersed throughout the company. With Credit Finance gone, the search to find an SVP−credit finance (whose job description included the responsibility for “ensuring that all mortgage credit risk borne by the company is properly assessed, graded, and valued”) was suspended and the job eliminated. The SVP−credit finance had been the successor position to the chief credit officer, but a new chief credit officer was not appointed either. The Risk Policy Committee, which under Raines had the ability to limit business-unit risk taking, was replaced by a succession of management and board committees with only advisory and oversight authorities. And with neither a Credit Finance group nor a Risk Policy Committee to enforce them, the corporate financial disciplines adopted by the board in 2003—which had been quantitative, specific, binding on the company, and subject to third-party review—were replaced in September 2006 by a set of corporate risk tolerance principles, which were qualitative, vague, nonbinding, and of insufficient substance to warrant any sort of review at all.

At the time of the OFHEO report, Fannie Mae bore almost a trillion dollars of interest rate risk and over two trillion dollars of credit risk. We had been building and refining our interest rate and credit risk management capabilities to world-class levels since the beginning of the Maxwell era. It is beyond ironic that this 20-year arc of progress was being reversed because of an action by Fannie Mae’s “safety and soundness” regulator. Armando Falcon had only the most superficial knowledge of how Fannie Mae’s financial risk management operations were set up and operated, and he had no idea at all of what was required to make them successful. His demand that the company revamp its risk management organization to add a chief risk officer had a purely political motive—to enhance the impression he wished to create that Fannie Mae was out of control and required OFHEO intervention to right it. That the new CRO would have “duties crafted in consultation with OFHEO” was an empty promise. OFHEO stood mutely by as their mandated CRO position was stripped of any actual authority over Fannie Mae’s risk taking and as the company’s existing credit risk management processes and disciplines were replaced by ones any credible regulator immediately would have recognized as markedly inferior.

Fannie Mae Loses Its Way

In the final year of Raines’s chairmanship, Fannie Mae was losing business to the private-label market both because of pricing and because of our unwillingness to purchase or guarantee many of the riskier loan types and features that were being put into private-label securities. Adherence to our underwriting and pricing disciplines had outsized impacts on the business we did with two companies that previously had been our biggest customers.

Since the late 1990s, Fannie Mae’s largest single customer, by far, had been Countrywide Financial; from 2000 through the middle of 2003, we had either purchased or guaranteed over 80 percent of their prime conventional loans. By the end of 2004, however, only about 30 percent of Countrywide’s (now much riskier) business was coming to us. The situation was even worse with Washington Mutual (WAMU). In the early 2000s, we had financed virtually all of WAMU’s prime conventional loans, but when WAMU switched the bulk of their production to pay-option ARMs—which we would not buy or guarantee—our business with them dropped off to next to nothing.

Fannie Mae maintained its credit discipline in the initial months after Raines and I left, with the consequence that their total book of business shrank by a little over 1 percent during the first half of 2005. But executives were growing restless about their continued loss of market share, and they were being pressured by their largest customers to be more accommodative. A company can make two types of credit mistake: accepting loans that turn out to be bad, and rejecting loans that turn out to be good. To many at Fannie Mae, it began to appear as if they might not have the balance right between the two. They were losing business to the private-label market at an alarming rate, and in each of the five years Dan Mudd had been at the company, their credit losses had been minuscule—less than one basis point of total mortgages and MBS.

Fannie Mae’s risk appetite had been the primary topic of the company’s 2003 strategic retreat, and at that time we had elected to scale back our risk taking and impose stricter disciplines on ourselves. In 2005, however, Fannie Mae had new top leadership and a different management group. They decided to do their own risk appetite assessment at their next strategic retreat in June. By the time of the June retreat, the restructuring of Fannie Mae’s risk organization had been completed, and its “enhanced corporate risk framework” included “delegating to the business units primary responsibility for the management of the day-to-day risks inherent in the activities of the business unit.” As a practical matter, that meant it would be the head of Fannie Mae’s single-family mortgage business, Tom Lund, rather than the interim chief risk officer, who would be responsible for doing the analysis for and leading the discussion on the company’s credit risk alternatives.

Lund prepared a presentation in which he reviewed the changes in mortgage product mix and risk characteristics over the past two years. “The risk in the environment has accelerated dramatically,” he observed. He told his colleagues, “We are at a strategic crossroad” at which “[w]e face two stark choices.” Lund labeled these choices “Stay the Course” and “Meet the Market Where the Market Is.” To stay the course, he explained, the company would “maintain our strong credit discipline” and “protect the quality of our book.” To meet the market, they would “participate in volume and revenue opportunity/current growth areas” and “accept higher risk and higher volatility of earnings.”

Lund’s list of “potential implications” for the two alternative strategies reflected his 10-year background on the marketing and product acquisition side of the company: all five of the implications he identified for staying the course were negative, whereas he had an equal mix of positive and negative implications for meeting the market. That left little doubt as to what the company ultimately would do. But it wouldn’t happen immediately. Lund noted, “Realistically, we are not in a position to ‘meet the market’ today.” He recommended that the company “stay the course” for the moment, while at the same time dedicating resources to what he called “underground” efforts to develop the capabilities and infrastructure to assess and acquire “higher risk alternative mortgage products” and subprime loans.

Having determined two years earlier that it was worth sacrificing some business and potential revenue to maintain Fannie Mae’s financial strength, now in 2005, in a vastly more threatening credit environment, the company was concluding the opposite: it was a better choice to sacrifice financial strength for more business. The difference had everything to do with who was making the assessment. In 2005 Fannie Mae no longer had a chief credit officer, and their interim chief risk officer had been shunted to the sidelines. The head of the single-family business, Tom Lund, was being asked to balance the credit and marketing perspectives of his business himself. I knew Lund well and had great respect for him. He was conservative by instinct, and he knew credit, but not in the depth required to stay out of trouble in as treacherous an environment as Fannie Mae had found itself. Lund had been given a task by his leadership that he simply was not equipped to perform, even drawing on the credit analytic resources still in the company and available to him. He would do as well as he knew how, but he was in an impossible position.

The 2006 objectives submitted to the Fannie Mae board in January included the explicit goal of increasing the company’s share of new conventional conforming mortgage originations financed to 35 percent, with no attached credit conditions. The Financial Crisis Inquiry Commission (FCIC) reported that at the same board meeting, Fannie Mae’s chief business officer Rob Levin “proposed a strategic initiative to ‘increase our penetration into subprime.’” In June 2006, Fannie Mae hired Enrico Dallavecchia to be their permanent chief risk officer. Introducing him at the company’s strategic retreat that month, board chairman Ashley said, “We have to think differently and creatively about risk, about compliance, and about controls,” and then he made his expectations for the CRO unmistakable by adding, “Enrico Dallavecchia was not brought onboard to be a business dampener.” Fannie Mae’s new credit posture was summarized succinctly in a memo communicating the results of the June retreat: “Single-family’s strategy is to say ‘yes’ to our customers by increasing purchases of subprime and Alt-A loans.” (Alt-A, or “Alternative-A,” loans were mortgages with reduced or no documentation of the income or the assets of the borrower.) The memo omitted one crucial fact. Fannie Mae would be taking the credit risk on these loans, which neither their customers nor private-label securities issuers were doing themselves.

To have any hope of success, a risk-taking company choosing to compete with entities not taking risk absolutely must have its own independent view of what those risks are worth. But in 2006, Fannie Mae no longer did. By then management had convinced itself that the combination of a shrinking market share and extremely low credit losses meant their credit risk evaluation tools were unreliable. Credit staff who knew that the low loan losses were attributable to sharply rising home prices rather than faulty model predictions—and that their credit models were looking ahead to a time when home prices might fall—were too junior in the new organizational hierarchy for their views to be accorded much weight. Wrongly mistrustful of their credit analytics, Fannie Mae’s leadership concluded they could protect themselves against the increased risks of the subprime and Alt-A loans they intended to acquire by drawing a line at what they thought were the worst products and features in the private-label securities market and accepting the rest. For a company with more than $2 trillion in credit exposure, that approach was woefully naive. And while it might have stood a chance of working in an earlier period, at the height of a housing bubble and with the toxic set of mortgage products and risks then prevalent, it was doomed at the outset.

Private-label securities issuance continued to exceed the combined issuance of Fannie Mae, Freddie Mac, and Ginnie Mae MBS in 2005 and 2006. With the GSEs’ credit standards remaining irrelevant and with financial regulators on the sidelines, the rating agencies were the only potential disciplinarians of lenders’ underwriting practices. Unfortunately, the rating agencies’ risk assessment process encouraged, rather than penalized, high-risk lending.

The riskiest mortgage types—such as interest-only or pay-option ARMs—and the most aggressive types of risk layering had been in the market only since mid-2003. There were no available data on the performance of these products and risk characteristics during past national or regional downturns, because they didn’t exist then. Between June 2003 and June 2006, average U.S home prices rose by more than 40 percent. Literally any mortgage type or risk combination will perform well in a housing bubble. So when the rating agencies put high-risk loans and features into their rating models, none had much impact on the default probabilities the models produced, and the rating agencies as a consequence did not require much additional credit subordination to protect against them.

The rating agencies did have extensive historical data on credit scores, and during the 2004 to 2006 period, credit scores became by far the most important determinants of private-label ratings. Lenders quickly figured that out. The average credit score for private-label securities issued between 2004 and 2006 was some 10 points higher than for similar securities issued earlier in the decade, but nearly all of the other risk attributes—product type, documentation, investor properties, and the presence of “piggy-back” or simultaneous second mortgages—were markedly worse. (This was eerily similar to what had occurred with manufactured housing securities in the 1990s: giving the rating agencies what they were looking for, then slipping in risks they couldn’t properly evaluate.) Because the rating agencies were not charging remotely accurate risk premiums, lenders found that the most profitable mortgages to put into private-label securities were the riskiest ones, for which they could charge the highest interest rates. Perversely, this gave them an incentive to find even less qualified borrowers willing to pay even higher rates. So-called NINJA (No Income, No Job, or Assets) loans flourished in this environment, and the housing bubble continued to inflate.

It is extraordinarily difficult for any company to maintain risk management discipline in the midst of a speculative bubble. Pressures from customers and shareholders to stay in the game are intense, and while the bubble is in progress and everyone is making money, being on the sidelines seems to all the world to be the wrong decision. I often have wondered how Fannie Mae would have dealt with those pressures had Raines and I remained at the company. That, of course, is impossible to know. Yet I do believe, to a virtual certainty, that because of the risk monitoring systems and disciplines we had developed and put in place, Fannie Mae would not have failed.

The history of finance is replete with instances of companies failing because their business producers overrode the objections of their risk managers. The lure of immediate volume-related income is very hard to resist when the only restraint is the possibility of distant risk-related losses. For that reason, the best companies do not rely on judgment alone; they supplement their judgment with organizational checks and balances and business processes that help management avoid mistakes. That was one of the purposes of our 2003 risk disciplines.

In 2004 we were acutely aware of the problem the rating agencies and private-label issuers had wished away: that the new risky loan types and layered-risk combinations that were flooding the market had been subjected only to environments in which home prices had risen rapidly. Our response was to set dollar exposure limits for categories of loans for which we had determined that “pricing reliability is substantially uncertain,” and then to have the Credit Finance group closely track these loans and risk types and conduct analyses on them to try to draw from the data that did exist information about their probable performance under more adverse conditions. Unless and until we gained sufficient confidence in our ability to predict that performance, we would maintain our exposure limits. For loans we did believe we could assess and price, our 2003 risk disciplines required that the present value of any shortfall between the guaranty fees we charged and our model-generated fees be added immediately to capital.

As mortgage credit quality continued to worsen in 2005 and 2006, and home prices rose ever higher, a larger and larger percentage of our lenders’ new loans would have fallen short of our loss predictability standards. Any proposal to continue to purchase or guarantee these loans—let alone to begin acquiring even riskier ones—would have come to the Risk Policy Committee for approval and would have been subjected to a full risk analysis by Credit Finance. Under the 2003 disciplines, a decision to take on more risk or to accept more performance uncertainty, had one been made, automatically would have required a compensating increase in capital. There would have been similar capital constraints on our pricing. In 2006 Fannie Mae was having to price some of their credit guarantees more than 25 basis points below the model-generated fee to win back market share; adherence to the risk disciplines would have required the addition of so much capital to offset the fee reductions as to make those transactions uneconomic.

But neither the monitoring systems nor the risk disciplines survived Raines’s and my departures and the OFHEO-mandated restructuring of Fannie Mae’s risk organization. And instead of cutting back on its risk taking, the company did the opposite, at the worst possible time. Fueled by the torrent of cheap mortgage credit funneled into the market by private-label securities issuers over the previous three years, by the summer of 2006 new home sales, existing home sales, and home prices all had been pushed to unsustainably high levels. New and existing home sales actually had peaked in 2005, and home prices were peaking just at the time Fannie Mae was dropping its last vestige of resistance to the lending frenzy and moving aggressively to join it.

Loans from Fannie Mae’s 2006 and 2007 books of business began to default almost immediately. The company reported a $3.6 billion loss for the fourth quarter of 2007, driven by $3 billion in credit-related expenses. It lost another $2.2 billion in the first quarter of 2008. For the first time since early in the Maxwell era, Fannie Mae’s investors and security analysts had reason to be seriously concerned about the company’s financial prospects.