In April 2024, HUD OIG met with HUD OCIO to discuss progress and requirements for closure of this recommendation. In addition, OIG reviewed this recommendation as part of the annual FY 2024 FISMA evaluation in April 2024 and learned from HUD OCIO that that there would be a procedure update that would implement the ingestion and monitoring of all inbound and outbound traffic. The OIG requested to be provided with these procedures when finalized and evidence of implementation on May 1, 2024.

Corrective Action Taken

HUD OCIO updated its Cybersecurity Incident Response Plan and developed more detection and protection mechanisms to monitor network traffic in its IT environment. These mechanisms include anti-malware agents, data loss prevention, endpoint detection and response, firewalls, and intrusion detection and prevention systems. HUD’s SOC also developed standard operating procedures and playbooks for abnormal traffic alerts triggered by the above tools that are posted internally for SOC personnel to utilize. Addressing this recommendation resulted in improvement of HUD’s networking monitoring process by enhancing visibility into network traffic. It also increased HUD’s incident response program capabilities by ensuring that HUD has a plan to monitor traffic and better detect and respond to security incidents. As part of our regular Federal Information Security Act of 2014 (FISMA) assessments, HUD OIG will continue to assess HUD’s incident response effectiveness and threat detection to ensure HUD addresses new and evolving threats.

Ensure that its staff determines whether a child under 6 years of age resides in an exempted development. If a child is determined to reside in an exempted development take appropriate actions in accordance with its internal policies

Corrective Action Taken

The Office of Field Operations (OFO) updated the Lead-Based Paint Response Tracker’s Standard Protocol and Roles and Responsibilities to identify the roles and responsibilities of HUD’s headquarters and field office level staff in ensuring PHAs’ compliance with the Lead Safe Housing Rule (LSHR). The protocol provides that the OFO field office staff work directly with PHAs to resolve issues of noncompliance with the LSHR and other Lead-based paint (LBP) guidance by responding to or escalating questions/issues to the headquarters team, directing PHAs to available training and resources on HUD.gov or HUD Exchange, and working with PHAs to obtain sufficient documentation to close an LBP case in the LBP tracker promptly. In regards to a child under 6 years of age residing in an exempted development, staff from the field offices must upload supporting documentation determining whether a pregnant lady or child six years old or younger lives in the development, collect missing information, if applicable, coordinate with OFO team to close cases in the LBP response tracker, indicate in the LBP response tracker if the PHA has provided the documents or if the property is exempt and upload supporting documents.

Require lenders to obtain the borrowers’ consent to verify the existence of delinquent Federal taxes with the IRS during loan origination and deny any applicant with delinquent Federal tax debt and no payment plan or a noncompliant payment plan or an applicant refusing to provide consent from receiving FHA insurance to put at least $6.1 billion to better use by avoiding potential future costs to the FHA insurance fund.

Status

The Office of Single Family Housing will need additional tax information to complete the planned action. In July 2024, Single Family Housing proposed closing the recommendation with no action because the primary action discussed would require Congressional authorization, and another option discussed would place an undue burden on borrowers and lenders and was not practical. OIG disagreed with the request. Single Family maintains that without an automated solution from the Internal Revenue Service (IRS), it is not practical for individual borrowers and/or lenders to manually check tax status with the IRS. However, OIG’s position is that action is required since delinquent tax debtors are ineligible for FHA loans under existing FHA and Office of Management and Budget (OMB) guidelines.

Analysis

To fully address this recommendation, HUD will need to provide evidence that it established a method of borrower consent to verify the existence of delinquent federal taxes.

Implementation of this rule should result in HUD putting $6.1 billion to better use.

Implement a change to regulations at 24 CFR Part 203 to require curtailment of preforeclosure interest and other costs that are caused by lender servicing delays, resulting in $413,513,975 in funds to be put to better use. This should include updating or seeking statutory authority to update HUD’s regulations as necessary and coordinating with HUD’s Office of Finance and Budget, well before any changes go through departmental clearance, to ensure that planned curtailment requirements can be consistently enforced through the claims process.

Status

FHA reported that the audit recommendation cannot be closed without the publication of the FHA Maximum Claim Rule. The proposed changes have been on HUD’s regulatory agenda since Spring 2020 but, as of February 2025, the Office of Single Family Housing does not have an estimated publication date.

Analysis

To fully address this recommendation, HUD must provide evidence that it has published and adopted the rule.

Implementation of this rule should result in HUD putting $413 million to better use.

Develop a method for using the Do Not Pay portal during the underwriting process to identify delinquent child support and delinquent Federal debt to prevent future FHA loans to ineligible borrowers to put $1.9 billion to better use.

Status

The Office of Housing has approved prioritization of funding for Integration between the Treasury’s Do Not Pay portal and HUD’s Computerized Homes Underwriting Reporting System (CHUMS). Funding was allocated to the CHUMS IT contractor on January 26, 2024, to integrate Treasury’s Do Not Pay system with CHUMS, and the IT development project was kicked off the week of February 5, 2024. As of February 2025, the Office of Single Family Housing reported that it is in the process of completing the necessary documentation and systems connection with the Do Not Pay portal. Single Family plans to submit an update on the system interface project or request another extension in March 2025.

Analysis

To fully address this recommendation, HUD must provide evidence that it has implemented applicant screening against the Do Not Pay portal to identify delinquent child support and delinquent federal debt to prevent future FHA loans from going to ineligible borrowers.

Implementation of this rule should result in HUD putting $1.9 billion to better use.

Enforce the requirement for all HUD web applications and services to be approved by the CIO and ensure OCIO reviews and approves all IT contracts and services agreements dealing with creation or support of web applications or services.

Corrective Action Taken

In January 2023, HUD's Office of the Chief Information Officer developed and released a Web Applications Directive to all HUD program offices. This directive described how web applications are defined, approved, inventoried, and maintained, including processes for tracking, and monitoring such applications.

Issue a change to regulations at 24 CFR Part 203, which would avoid unnecessary costs to the FHA insurance fund, allowing an estimated $2.23 billion to be put to better use. These changes include (1) a maximum period for filing insurance claims and (2) disallowance of expenses incurred beyond established timeframes.

Status

The Federal Housing Administration (FHA) reported that the recommendation cannot be closed out without the publication of the FHA Maximum Claim Rule. The proposed changes have been on HUD’s regulatory agenda since Spring 2020 but, as of February 2025, the Office of Single Family Housing does not have an estimated publication date.

Analysis

To fully address this recommendation, HUD must publish the FHA Maximum Claim Rule. Implementation of this rule should result in HUD putting $2.23 billion to better use.

Update selection rules for CAIVRS to provide for complete reporting of all ineligible borrowers to put $9.5 million to better use.

Status

In 2020, HUD suspended reporting delinquencies and defaults to the Credit Alert Verification Reporting System (CAIVRS) because these debts are owed to the lender and are not delinquent Federal debt. A debt is not delinquent until a payment is past due to HUD for a deficiency judgment against the borrower in connection with an FHA claim. Rather than add the missing borrowers to CAIVRS, HUD determined it would remove default and claim data from the system and use it to exclusively identify borrowers with delinquent Federal debt. This will resolve the issue of incomplete reporting of delinquent federal debts greater than 3 years old. As of early June 2024, the Office of Single Family Housing stated that it was on target to complete its action plan by June 28, 2024.

Analysis

To fully address this recommendation, HUD must provide evidence that it removed default and claim data from CAIVRS.

Implementation of this recommendation should result in HUD putting $9.5 million to better use.