Freddie Mac (FMCC) Risk Analysis

In response to the COVID-19 pandemic, Freddie Mac has taken several steps to support the mortgage market, such as forbearance for Freddie Mac-owned mortgages and other measures to assist homeowners, renters, multifamily property owners, lenders, and sellers. For additional information on our relief efforts, see MD&A - Introduction - COVID-19 Pandemic Response Efforts. These actions may not be successful and may negatively affect our financial condition and results of operations, perhaps significantly. Borrowers that obtain forbearance may be unable to resume making payments on their mortgage loans at the end of the forbearance period, which could result in losses. We expect serious delinquency rates and the volume of loss mitigation activity to remain elevated as a result of the pandemic and our forbearance programs, and we expect to advance significant amounts to cover principal and interest payments to security holders for loans in forbearance in the coming months. The pandemic and forbearance programs have caused a significant increase in our allowance for credit losses. Estimates of expected credit losses are subject to significant uncertainty and may increase in the future depending on the depth and severity of the economic downturn caused by the pandemic. The government has taken several actions to provide relief to those negatively affected by COVID-19, such as direct payments and federal unemployment insurance. In addition, the Federal Reserve has supported the financial markets, including by purchasing Freddie Mac mortgage-related securities. If the Federal Reserve discontinued or lessened this support, it could negatively affect our financial position and results of operations. For additional information on federal government relief efforts, see MD&A - Introduction - COVID-19 Pandemic Response Efforts. Current and future government relief efforts taken in response to the COVID-19 pandemic may provide insufficient support for the economy and the housing market. Our credit risk and market risk levels have increased as a result of the COVID-19 pandemic, and may increase further depending on the duration and severity of the pandemic. For example: n Our mortgage credit risk level is heightened, as a result of increased forbearance, modifications, and defaults due to the COVID-19 pandemic. These trends have adversely affected our results of operations through increased expected credit losses and are expected to continue. Payment defaults on mortgages could result in accelerated prepayments of certain of our securities as a result of our repurchase practices relating to seriously delinquent mortgages and mortgage modifications, foreclosures, and workouts. n Our ability to transfer single-family credit risk was, and may in the future be, negatively affected by adverse market conditions resulting from the COVID-19 pandemic. n We generally fund our obligations to advance principal and interest to security holders for loans in forbearance and our purchase of delinquent and modified loans from our securities trusts through debt issuances. Depending on the extent of forbearance and delinquencies as a result of the COVID-19 pandemic, it is possible that we may not be able to meet our contractual obligations as a result of the aggregate indebtedness limit and mortgage-related investments portfolio limit under the Purchase Agreement, without breaching limits or obtaining the prior written consent of Treasury and FHFA to increase these limits. n Increased market instability and uncertainty associated with the volume of loans we may purchase from trusts may adversely affect our ability to hedge, and demand for Freddie Mac securities, other than from the Federal Reserve, may decrease substantially. Our operational risk level has increased as a result of the COVID-19 pandemic. Freddie Mac has instituted temporary operational changes, such as shifting to remote work for the majority of our employees. While we have not experienced material impacts to operations, it is possible that certain procedures we have in place to monitor our employees may not be effective, or any significant technological or infrastructure-related disruptions during this period of remote work could adversely affect our ability to conduct normal business operations. The COVID-19 pandemic has presented potential risks to staffing, such as stress on our workforce as a result of home schooling, caring for themselves and loved ones, and potential burnout, and it is possible that key employees or a significant number of employees may be adversely affected by the virus. In addition, model risk levels are heightened. There is an increased degree of uncertainty concerning key inputs into our financial cash flows, such as projections of mortgage interest rates, house prices, credit defaults, negative yields, prepayments, and interest rates, and we expect our models to face significant challenges in accurately forecasting these inputs. We are attempting to mitigate this increased risk by applying model overlays and adjustments, where deemed appropriate, but these adjustments have an element of subjectivity, and are based upon difficult and complex judgments. Actual results could differ from our estimates, and the use of different judgments and assumptions related to these estimates could have a material impact on our consolidated financial statements. For additional information on operational risk, see MD&A - Risk Management - Operational Risk.

Our business is highly dependent on the talents and efforts of our employees. We face competition, particularly from the financial services and technology industries, for qualified talent. If we are unable to attract and retain talent, we increase our risk of operational failures. Restrictions on employee compensation have been and may be imposed on us, while we remain in conservatorship, by Congress, FHFA, or Treasury. For example, FHFA as Conservator has the authority to approve the terms and amount of our executive compensation and may require us to make changes to our executive and employee compensation programs. For example, FHFA has imposed limits on executive and employee compensation and has required prior approval of certain compensation arrangements. Such limitations on our executive and employee compensation structure, as well as the ongoing conservatorship and uncertainty about our future, could have an adverse effect on our ability to attract and retain talent. Leadership departures, such as the recent departure of our former CEO, or a combination of such departures at approximately the same time, could materially adversely affect our business, results of operations, and financial condition. For example, turnover in key positions and challenges in integrating new leaders could harm our ability to manage our business effectively and successfully implement current strategic initiatives and could adversely affect our financial performance.

Our use of third-parties, including service providers, sellers, servicers and other financial counterparties, exposes us to the risk of failures in their risk and control environments. We outsource certain key functions to these external parties, including some that are critical to financial reporting (including our use of hedge accounting), valuations, our mortgage-related investment activity, loan underwriting, loan servicing, and UMBS issuance and administration (i.e., CSS). We may enter into other key outsourcing relationships in the future and continue to expand our existing reliance on public cloud services. If one or more of these key external parties were not able to perform their functions for a period of time, perform them at an acceptable service level or handle increased volumes, or if one of them experiences a disruption in its own business or technology from any cause, our business operations could be constrained, disrupted, or otherwise negatively affected. Our use of third-parties also exposes us to other harm, such as breach of our data, fraud or damage to our reputation if one or more of these third parties fails to maintain adequate risk and control environments. Our ability to monitor the activities or performance of third-parties may be constrained, which may make it difficult for us to assess and manage the risks associated with these relationships.

Our operations rely on the secure, accurate, and timely receipt, processing, storage, and transmission of confidential and other information in our systems and networks and with counterparties, service providers, and financial institutions. Information risks for companies like ours have significantly increased in recent years, in part because of the proliferation of new technologies, the use of the internet and telecommunications technologies to conduct financial transactions, and the increased sophistication and activities of organized crime, hackers, terrorists, and other external parties, including foreign state-sponsored actors. There have been several highly publicized cases involving financial services companies, consumer-based companies, and other organizations reporting the unauthorized disclosure of client, customer, or other confidential information, as well as cyberattacks involving the dissemination, theft, or destruction of corporate information, intellectual property, cash, or other valuable assets. There have also been several highly publicized cases where hackers have requested "ransom" payments in exchange for not disclosing customer information or for not making the targets' computer systems unavailable. In addition, there have been cases where hackers have misled company personnel into making unauthorized transfers of funds to the hackers' accounts. Like many companies and government entities, from time to time we have been, and likely will continue to be, the target of attempted cyberattacks, including malware, denial-of-service, and phishing, as part of an effort to disrupt operations, potentially test cybersecurity capabilities, or obtain confidential, proprietary, or other information. We could also be adversely affected by cyberattacks that target the infrastructure of the internet, as such attacks could cause widespread unavailability of websites and degrade website performance. Our risk and exposure to these matters remain heightened because of, among other things, the evolving nature of these threats, our role in the financial services industry, the outsourcing of some of our business operations, and the current global economic and political environment. Because we are interconnected with and dependent on third-party vendors, exchanges, clearinghouses, fiscal and paying agents, and other financial institutions, we could be adversely affected if any of them is subject to a successful cyberattack or other information security event. Third parties with which we do business may also be sources of cybersecurity or other technology risks. We routinely transmit and receive personal, confidential, and proprietary information by electronic means. This information could be subject to interception, misuse, or mishandling. Our exposure to these risks could increase as a result of our migration of core systems and applications to a third-party cloud environment. Although we devote significant resources to protecting our critical assets and provide employee awareness training about phishing, malware, and other cyber risks, these measures may not provide effective security. Our computer systems, software, end point devices, and networks may be vulnerable to cyberattack, unauthorized access, supply chain disruptions, computer viruses or other malicious code, or other attempts to harm them or misuse or steal information. We routinely identify cyber threats as well as vulnerabilities in our systems and work to address them, but these efforts may be insufficient. Breaches of our security measures may result from employee error or misconduct. Outside parties may attempt to induce employees, customers, counterparties, service providers, financial institutions, or other users of our systems to disclose sensitive information in order to gain access to our systems and the information they contain. We may not be able to anticipate, detect, or recognize threats to our systems and assets, or implement effective preventative measures against security breaches, especially because the techniques used change frequently or are not recognized until launched. A cyberattack could occur and persist for an extended period of time without detection. We expect that any investigation of a cyberattack would take time, during which we would not necessarily know the extent of the harm or how best to remediate it. Although to date we have not experienced any cyberattacks resulting in significant impacts to the company, our cybersecurity risk management program may not prevent cyberattacks from having significant impacts in the future. We have obtained insurance coverage relating to cybersecurity risks, but this insurance may not be sufficient to provide adequate loss coverage. The occurrence of one or more cyberattacks could result in thefts of important assets (such as cash or source code) or the unauthorized disclosure, misuse, or corruption of confidential and other information (including information about our borrowers, our customers, or our counterparties) or could otherwise cause interruptions or malfunctions in our operations or the operations of our customers or counterparties. This could result in significant losses or reputational damage, adversely affect our relationships with our customers and counterparties, negatively affect our competitive position, or otherwise harm our business. We could also face regulatory and other legal action, including for any failure to provide timely disclosure concerning, or appropriately to limit trading in our securities following, an attack. We might be required to expend significant additional resources to modify our internal controls and other protective measures or to investigate and remediate vulnerabilities or other exposures, and we might be subject to litigation and financial losses that are not fully insured. In addition, customers, counterparties, financial intermediaries, and governmental organizations may not be adequately protecting the information that we share with them. As a result, a cyberattack on their systems and networks, or a breach of their security measures, may result in harm to our business and business relationships.

Operational risk is elevated due to the volume, complexity, and pace of change across the company. We face significant levels of operational risk due to a variety of factors, including the size and complexity of our business operations, the amount of change to our core systems required to keep pace with market demands, regulatory requirements, and business initiatives, and the ever-changing cybersecurity landscape. Shortcomings or failures in our internal processes, people, or systems, or those of third parties with which we interact, could lead to impairment of our liquidity, disruption of our business (e.g., issuing mortgage and/or debt securities), incorrect payments to investors in our securities, errors in our financial statements, liability to customers or investors, further legislative or regulatory intervention, reputational damage, and financial and economic loss. Our business is highly dependent on our ability to process a large number of transactions on a daily basis and manage and analyze significant amounts of information, much of which is provided by third parties. This information may be incorrect, or we may fail to properly manage or analyze it. The transactions we process are complex and are subject to various legal, accounting, tax, and regulatory standards, which can change rapidly in response to external events, such as the implementation of government-mandated programs and changes in market conditions. Our financial, accounting, data processing, or other operating systems and facilities may contain design flaws or may fail to operate properly, adversely affecting our ability to process these transactions, including our ability to compile and process legally required information. We have certain systems that require manual support and intervention, which may lead to heightened risk of system failures. The inability of our systems to accommodate an increasing volume of transactions or new types of transactions or products could constrain our ability to pursue new business initiatives or improve existing business activities. Our technological connections with our customers, counterparties, service providers, and other financial institutions continue to increase, which increases our risk exposure with respect to an operational failure of their infrastructure systems. We have developed, and expect to continue to develop, software tools for use by our customers in the customers' loan production and other processes. These tools may fail to operate properly, which could disrupt our or our customers' business and adversely affect our relationships with our customers. We continue to increase our use of a third-party cloud infrastructure platform for both customer-facing applications as well as internal-use applications. If we do not implement changes to this platform in a well-managed, secure, and effective manner, we may experience unplanned service disruption or unplanned costs which may harm our business and operating results. In addition, our cloud infrastructure providers, or other service providers, could experience system breakdowns or failures, outages, downtime, cyber-attacks, adverse changes to financial condition, bankruptcy, or other adverse conditions, which could have a material adverse effect on our business and reputation. Thus, our plans to increase the amount of our infrastructure that we outsource to the cloud or to other third parties may increase our risk exposure We face increased operational risk due to the magnitude and complexity of the new initiatives we are undertaking, including our efforts to help build a better housing finance system. Some of these initiatives require significant changes to our operational systems. In some cases, the changes must be implemented within a short period of time. Our legacy systems may create increased operational risk for these new initiatives. Internal corporate reorganizations may also increase our operational risk, particularly during the period of implementation. We also face significant risks related to CSS and the operation and continued development of the CSP. We rely on CSS and the CSP (which is owned and operated by CSS) for the operation of many of our single-family securitization activities. Our business activities would be adversely affected and the market for Freddie Mac securities would be disrupted if the CSP were to fail or otherwise become unavailable to us or if CSS were unable to perform its obligations to us, including as a result of an operational failure by Fannie Mae. In the event of a CSS operational failure, we may be unable to issue certain new single-family mortgage-related securities, and investors in mortgage-related securities hosted on the CSS platform may experience payment delays. Any measures we could take to mitigate these risks might not be sufficient to prevent our business from being harmed. We update our internal systems and processes on a regular basis, including to improve existing processes and respond to market and regulatory developments. We could be adversely affected if CSS and/or the CSP are unable to make any necessary corresponding changes to their systems and processes in a timely manner. CSS could adopt or prioritize strategies that could adversely affect its ability to perform its obligations to us. Amendments to the CSS LLC agreement in January 2020 reduced Freddie Mac's and Fannie Mae's ability to control CSS Board decisions, even after conservatorship, including decisions about strategy, business operations, and funding. Our employees could act improperly for their own or third-party gain and cause unexpected losses or reputational damage. While we have processes and systems in place designed to prevent and detect fraud, these processes may not be successful. Most of our key business activities are conducted in the Washington D.C. metropolitan area and represent a concentrated risk of people, technology, and facilities. As a result, an infrastructure disruption in or around our offices or affecting the power grid, such as from a terrorist event, active shooter, or natural disaster, could significantly adversely affect our ability to conduct normal business operations. Any measures we take to mitigate this risk may not be sufficient to respond to the full range of events that may occur or allow us to resume normal business operations in a timely manner.