Implement multifactor authentication mechanisms for all nonprivileged users who access information systems that process, store, or transmit PII.

Status

The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems. In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprise-wide. HUD is in the process of conducting baseline surveys for all 200+ systems to determine how to handle systems that need architectural adjustments to utilize the tool. This is assisting HUD in developing an agency-wide implementation plan, which is expected to take several years to implement.

Analysis

To fully address the recommendation, HUD must implement multifactor authentication enterprise-wide.

Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Nonprivileged users will be required to use multifactor authentication methods to access HUD data, networks, and devices.

Implement multifactor authentication mechanisms for all privileged users who access information systems that process, store, or transmit PII.

Status

The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems. In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprise-wide. HUD is in the process of conducting baseline surveys for all 200+ systems to determine how to handle systems that need architectural adjustments to utilize the tool. This is assisting HUD in developing an agency-wide implementation plan, which is expected to take several years to implement.

Analysis

To fully address this recommendation, HUD must implement multifactor authentication enterprise-wide.

Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Privileged users will be required to use multifactor authentication methods to access HUD data, networks, and devices.

Require lenders to obtain the borrowers’ consent to verify the existence of delinquent Federal taxes with the IRS during loan origination and deny any applicant with delinquent Federal tax debt and no payment plan or a noncompliant payment plan or an applicant refusing to provide consent from receiving FHA insurance to put at least $6.1 billion to better use by avoiding potential future costs to the FHA insurance fund.

Status

To fully address this recommendation, HUD will need to provide evidence that it established a method of borrower consent to verify the existence of delinquent federal taxes including, but not limited to one of the options OIG provided, which were (1) lenders obtaining the borrowers' consent to obtain their tax records directly from the IRS or (2) borrowers accessing their own tax information and submitting it to the lenders.

Implementation of this rule should result in HUD putting $6.1 billion to better use.

Analysis

To fully address this recommendation, HUD will need to provide evidence that it established a method of borrower consent to verify the existence of delinquent federal taxes including, but not limited to one of the options OIG provided, which were (1) lenders obtaining the borrowers' consent to obtain their tax records directly from the IRS or (2) borrowers accessing their own tax information and submitting it to the lenders.

Implementation of this rule should result in HUD putting $6.1 billion to better use.

Require lenders to obtain the borrowers’ consent to verify the existence of delinquent Federal taxes with the IRS during loan origination and deny any applicant with delinquent Federal tax debt and no payment plan or a noncompliant payment plan or an applicant refusing to provide consent from receiving FHA insurance to put at least $6.1 billion to better use by avoiding potential future costs to the FHA insurance fund.

Status

To fully address this recommendation, HUD will need to provide evidence that it established a method of borrower consent to verify the existence of delinquent federal taxes including, but not limited to one of the options OIG provided, which were (1) lenders obtaining the borrowers' consent to obtain their tax records directly from the IRS or (2) borrowers accessing their own tax information and submitting it to the lenders.

Implementation of this rule should result in HUD putting $6.1 billion to better use.

Analysis

To fully address this recommendation, HUD will need to provide evidence that it established a method of borrower consent to verify the existence of delinquent federal taxes including, but not limited to one of the options OIG provided, which were (1) lenders obtaining the borrowers' consent to obtain their tax records directly from the IRS or (2) borrowers accessing their own tax information and submitting it to the lenders.

Implementation of this rule should result in HUD putting $6.1 billion to better use.

Implement a change to regulations at 24 CFR Part 203 to require curtailment of preforeclosure interest and other costs that are caused by lender servicing delays, resulting in $413,513,975 in funds to be put to better use. This should include updating or seeking statutory authority to update HUD’s regulations as necessary and coordinating with HUD’s Office of Finance and Budget, well before any changes go through departmental clearance, to ensure that planned curtailment requirements can be consistently enforced through the claims process.

Status

FHA reported that the audit recommendation cannot be closed without the publication of the FHA Maximum Claim Rule. The proposed changes have been on HUD’s regulatory agenda since Spring 2020 but, as of July 2025, the Office of Single Family Housing does not have an estimated publication date.

Analysis

To fully address this recommendation, HUD must provide evidence that it has published and adopted the rule.

Implementation of this rule should result in HUD putting $413 million to better use.

Develop a method for using the Do Not Pay portal during the underwriting process to identify delinquent child support and delinquent Federal debt to prevent future FHA loans to ineligible borrowers to put $1.9 billion to better use.

Status

The Office of Housing has approved prioritization of funding for Integration between the Treasury’s Do Not Pay portal and HUD’s Computerized Homes Underwriting Reporting System (CHUMS). Funding was allocated to the CHUMS IT contractor on January 26, 2024, to integrate Treasury’s Do Not Pay system with CHUMS, and the IT development project was kicked off the week of February 5, 2024. As of July 2025, the CHUMS Memorandum of Understanding (MOU) and Interconnection Security Agreement (ISA) with DNP is fully signed. However, the System of Records Notice (SORN) is under review with OMB. HUD's Office of Privacy is in the process of reaching out to OMB to request comments or permission to publish. The anticipated completion date of the CHUMS interface with DNP is December 31, 2025.

Analysis

To fully address this recommendation, HUD must provide evidence that it has implemented applicant screening against the Do Not Pay portal to identify delinquent child support and delinquent federal debt to prevent future FHA loans from going to ineligible borrowers.

Implementation of this rule should result in HUD putting $1.9 billion to better use.

Issue a change to regulations at 24 CFR Part 203, which would avoid unnecessary costs to the FHA insurance fund, allowing an estimated $2.23 billion to be put to better use. These changes include (1) a maximum period for filing insurance claims and (2) disallowance of expenses incurred beyond established timeframes.

Status

The Federal Housing Administration (FHA) reported that the recommendation cannot be closed out without the publication of the FHA Maximum Claim Rule. The proposed changes have been on HUD’s regulatory agenda since Spring 2020 but, as of July 2025, the Office of Single Family Housing does not have an estimated publication date.

Analysis

To fully address this recommendation, HUD must publish the FHA Maximum Claim Rule. Implementation of this rule should result in HUD putting $2.23 billion to better use.

Update selection rules for CAIVRS to provide for complete reporting of all ineligible borrowers to put $9.5 million to better use.

Status

In 2020, HUD suspended reporting delinquencies and defaults to the Credit Alert Verification Reporting System (CAIVRS) because these debts are owed to the lender and are not delinquent federal debt. A debt is not delinquent until payment is overdue to HUD for a deficiency judgment against the borrower in connection with an FHA claim. Rather than add the missing borrowers to CAIVRS, the Office of Single Family Housing directed HUD’s National Servicing Center to cease including borrower creditworthiness information in CAIVRS and to solely use the system to report deficiency judgments until the delinquent debt is resolved. HUD provided the Interface Control Document showing what data is sent to CAIVRS related to deficiency judgments.

As of July 2025, OIG is seeking clarification on HUD's implementation and closure of the recommendation because it is not clear whether all deficiency judgments are now being reported in CAIVRS until resolved. HUD OIG disagrees with the closure of this recommendation until HUD provides evidence that the system updates have been implemented and that they provide complete reporting of all ineligible borrowers.

Analysis

To fully address this recommendation, HUD must provide evidence that all deficiency judgments are reported in CAIVRS until resolved.

Implementation of this recommendation should result in HUD putting $9.5 million to better use.