Average life
In the case of an MBS (mortgage-backed security), the average life is the principal-weighted average length of time until the underlying borrowers repay the loan principal. Because borrowers can prepay, the average life is a forecast that depends on the assumed prepayment rate and is usually much shorter than the stated term of the mortgages.
Duration
Duration captures the combined effect of bond price, coupon rate and principal repayment (prepayment) rate on a mortgage security's sensitivity to interest rates. For an investor, the duration number is a first-order estimate of how much the value of an MBS portfolio will change for a 1 percentage point change in market interest rates. It is only an approximation: the estimate is linear, while the actual price response is curved, and for an MBS the prepayment rate itself changes with rates, so the figure is reliable only for small rate moves.
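The duration estimate and its limits can be seen on a concrete cash-flow schedule. The Python below is an added example, not part of the original page: it builds the monthly cash flows of a constructed level-payment mortgage pool, prices them, computes modified duration (Macaulay duration divided by one plus the monthly yield, the convention assumed here), and compares the duration-based estimate for a +1 percentage point rate move with exact repricing. The constant prepayment rate (`smm`, single monthly mortality) is a simplifying stand-in for the page's "principal repayment rate"; defaults, servicing fees and rate-dependent prepayment are ignored.

```python
def pool_cash_flows(principal, annual_coupon, years, smm=0.0):
    """Monthly cash flows of a constructed level-payment mortgage pool.

    Each month pays interest on the balance, the scheduled principal of a
    level payment recomputed over the remaining term, and an unscheduled
    prepayment of `smm` times the balance left after the scheduled payment.
    smm=0 gives a plain amortizing loan with no prepayment.
    """
    r = annual_coupon / 12
    n = years * 12
    balance = principal
    flows = []
    for month in range(1, n + 1):
        remaining = n - month + 1
        payment = balance * r / (1 - (1 + r) ** -remaining)
        interest = balance * r
        scheduled_principal = payment - interest
        balance -= scheduled_principal
        prepayment = balance * smm
        balance -= prepayment
        flows.append(interest + scheduled_principal + prepayment)
    return flows


def price(flows, annual_yield):
    """Present value of the flows at a monthly-compounded annual yield."""
    y = annual_yield / 12
    return sum(cf / (1 + y) ** t for t, cf in enumerate(flows, start=1))


def modified_duration(flows, annual_yield):
    """Macaulay duration (PV-weighted average time, in years) divided by
    (1 + monthly yield): the first-order sensitivity -dP/P per unit of dy."""
    y = annual_yield / 12
    pv = price(flows, annual_yield)
    weighted_months = sum(t * cf / (1 + y) ** t
                          for t, cf in enumerate(flows, start=1))
    return (weighted_months / pv / 12) / (1 + y)


def duration_estimate_vs_repricing(flows, annual_yield, shift=0.01):
    """Return (duration-based estimate, exact repricing) of the fractional
    price change for a yield shift; shift=0.01 is +1 percentage point."""
    p0 = price(flows, annual_yield)
    estimate = -modified_duration(flows, annual_yield) * shift
    actual = price(flows, annual_yield + shift) / p0 - 1
    return estimate, actual


if __name__ == "__main__":
    flows = pool_cash_flows(100_000, 0.06, 30)            # no prepayment
    fast = pool_cash_flows(100_000, 0.06, 30, smm=0.02)   # heavy prepayment
    print("duration, no prepay :", round(modified_duration(flows, 0.06), 2), "years")
    print("duration, smm=2%    :", round(modified_duration(fast, 0.06), 2), "years")
    est, act = duration_estimate_vs_repricing(flows, 0.06)
    print("+1% rates: estimate", round(est, 4), "vs repricing", round(act, 4))
```

Two things to notice when running it: faster prepayment pulls principal forward and shortens duration, which is why the page lists the principal repayment rate among duration's inputs; and for the +1 point shock the linear estimate overstates the loss relative to exact repricing, the curvature (convexity) the single duration number leaves out.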
Tests laid out by FFIEC
1.Self-assessments
Periodic self-assessments typically should be performed by the organizational unit being assessed. Self-assessments capture subjective opinions on the achievement of objectives.
Although they may provide valuable information about perceived changes in the level of risk and the effectiveness of controls, they are limited by the breadth and depth of the assessor's knowledge, the completeness and reliability of the information used to complete the assessment, and the assessor's biases. Self-assessment frequency should be a function of the level of assurance the institution needs, as determined by the risk management process. Results from self-assessments can inform the overall test and evaluation process, and management should use them to help strengthen the organizational unit's information security.
2.Penetration Test
A penetration test subjects a system to real-world attacks selected and conducted by the testers. A penetration test targets systems and users to identify weaknesses in business processes and technical controls. The test mimics a threat source's search for and exploitation of vulnerabilities to demonstrate a potential for loss. Some tests focus on only a subset of the institution's systems and may not accurately simulate a determined threat actor. There are many types of penetration tests, and management should determine the level and types of tests employed to ensure effective and comprehensive coverage. The frequency and scope of penetration tests should be a function of the level of assurance the institution needs, as determined by the risk assessment process. The test can be performed internally by an independent group, by the organizational unit itself, or by an independent third party; management should determine the level of independence the test requires.
3.Vulnerability Assessments
A vulnerability assessment is a process that defines, identifies, and classifies the vulnerabilities in a computer, network, or communications infrastructure. Technical vulnerabilities can be identified through the use of scanners and other tools. Scanners search for known vulnerabilities or for known vulnerability classes; they can also check hosts for compliance with approved configurations. Scanners identify vulnerabilities by inspecting network traffic or hosts. When inspecting hosts, they may require agents installed on the hosts and running with high-level access. If host agents are required, the security of the credentials used in the scan should be a prime consideration for management, since a compromised scanning credential grants an attacker the same high-level access on every scanned host. As with penetration testing, the frequency of vulnerability assessments should be determined by the risk management process. Scanners and other tools can be run continuously, generating metrics that are reported and acted upon continuously. Vulnerability assessments can be performed internally or by external testers, but they are most often run as part of internal testing processes.
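What a host-based scanner actually does with the data an agent collects is easy to show in miniature. The Python below is an added illustration, not from the FFIEC handbook: it takes a constructed package inventory and a constructed sshd_config excerpt, compares installed versions against a placeholder vulnerability feed (the identifiers `EXAMPLE-0001` and `EXAMPLE-0002` are made-up labels, not real advisories), checks the configuration against an approved baseline, and rolls the findings up into severity counts of the kind a continuously running scanner reports.

```python
import re
from collections import Counter

# Constructed inputs, standing in for what a host agent would collect.
INSTALLED_PACKAGES = {"openssl": "3.0.10", "sudo": "1.9.15p5", "bash": "5.2.21"}

SSHD_CONFIG = """\
# constructed sshd_config excerpt
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
"""

# Placeholder feed: (package, first fixed version, severity, identifier).
# The identifiers are constructed labels for the example, not real advisories.
VULN_FEED = [
    ("openssl", "3.0.12", "high", "EXAMPLE-0001"),
    ("sudo", "1.9.15", "critical", "EXAMPLE-0002"),
]

# Approved-configuration baseline: directive (lower-cased) -> allowed values.
SSHD_BASELINE = {
    "permitrootlogin": {"no", "prohibit-password"},
    "passwordauthentication": {"no"},
    "x11forwarding": {"no"},
    "maxauthtries": {"3", "4"},
}


def parse_version(text):
    """Turn '1.9.15p5' into (1, 9, 15, 5) so versions compare numerically,
    not as strings (where '3.0.9' would sort after '3.0.12')."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def check_packages(installed, feed):
    """Flag installed packages older than the first fixed version."""
    findings = []
    for pkg, fixed, severity, ident in feed:
        current = installed.get(pkg)
        if current is not None and parse_version(current) < parse_version(fixed):
            findings.append({"kind": "vuln", "subject": pkg, "severity": severity,
                             "detail": f"{ident}: {current} older than fixed {fixed}"})
    return findings


def parse_sshd_config(text):
    """Directive -> value, skipping blanks and comments; keys lower-cased."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings


def check_config(settings, baseline):
    """Flag directives that are unset or outside the approved values."""
    findings = []
    for directive, allowed in baseline.items():
        value = settings.get(directive)
        if value is None:
            findings.append({"kind": "config", "subject": directive, "severity": "medium",
                             "detail": "not set; default may not meet baseline"})
        elif value.lower() not in allowed:
            findings.append({"kind": "config", "subject": directive, "severity": "medium",
                             "detail": f"is '{value}', allowed {sorted(allowed)}"})
    return findings


def assess_host(installed=INSTALLED_PACKAGES, sshd_text=SSHD_CONFIG):
    """Run both checks and return (findings, severity counts)."""
    findings = check_packages(installed, VULN_FEED)
    findings += check_config(parse_sshd_config(sshd_text), SSHD_BASELINE)
    metrics = Counter(f["severity"] for f in findings)
    return findings, dict(metrics)


if __name__ == "__main__":
    findings, metrics = assess_host()
    for f in findings:
        print(f"[{f['severity']}] {f['kind']} {f['subject']}: {f['detail']}")
    print("metrics:", metrics)
```

On the constructed inputs this reports one high finding (openssl 3.0.10 is below the fixed 3.0.12), no finding for sudo (1.9.15p5 is at or above 1.9.15, which a string comparison would get wrong), and three medium configuration findings (root login and password authentication enabled, MaxAuthTries unset). Note that the agent that gathers the inventory and configuration files needs read access to them, which is the high-level access the text warns about; in a real deployment that collection runs under a dedicated, least-privilege account whose credential is rotated and audited.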