Iowa Code § 535B.25

Current through bills signed by governor as of 5/17/2024
Section 535B.25 - Corporate governance
1. A covered institution shall establish and maintain a board of directors that is responsible for oversight of the covered institution. If a government-sponsored enterprise or government national mortgage association has not approved a covered institution to service loans, or has approved an alternative to a board of directors, the covered institution may establish a similar oversight committee for purposes of exercising oversight and fulfilling the responsibilities under subsection 2.
2. The board of directors, or a similar oversight committee approved under subsection 1, shall do all of the following:
a. Establish a written corporate governance framework that includes appropriate internal controls to monitor and assess compliance with the corporate governance framework.
b. Make a copy of the corporate governance framework available to the administrator upon request.
c. Monitor and ensure that the covered institution complies with the corporate governance framework and with this subchapter.
d. Perform accurate and timely regulatory reporting, including filing the covered institution's mortgage call report.
e. Establish internal audit requirements that are appropriate for the size, complexity, and risk profile of the covered institution, and ensure appropriate independence to provide an unbiased evaluation of the covered institution's internal control structure, risk management, and corporate governance. The established internal audit requirements and the results of internal audits shall be made available to the administrator upon request.
f. Ensure the covered institution establishes and maintains a risk management program that identifies, measures, monitors, and controls risk commensurate with the covered institution's size and complexity. The risk management program must include appropriate processes and models to measure, monitor, and mitigate financial risks and changes to the covered institution's risk profile and assets being serviced. The risk management program shall address all of the following:
(1) The potential that a borrower or counterparty fails to perform on an obligation.
(2) The potential that the covered institution is unable to meet the covered institution's obligations as the obligations come due as a result of an inability to liquidate assets or to obtain adequate funding.
(3) The potential that the covered institution cannot easily unwind or offset specific exposures.
(4) The risk resulting from inadequate or failed internal processes, people, or systems; or from external events.
(5) The risk to the covered institution's condition resulting from adverse movements in market rates or prices.
(6) The risk of regulatory sanctions, fines, penalties, or losses resulting from the covered institution's failure to comply with applicable laws and rules or other supervisory requirements that apply to the covered institution.
(7) The potential that legal proceedings against the covered institution may result in unenforceable contracts, lawsuits, legal sanctions, or adverse judgements that may disrupt or otherwise negatively affect the covered institution's operations or condition.
(8) The risk to earnings and capital arising from negative publicity regarding the covered institution's business practices.
3. A covered institution shall undergo an annual external audit and shall make the external audit available to the administrator upon request. An external audit shall include, at a minimum, all of the following:
a. An evaluation of the company's internal control structure.
b. A review of the company's annual financial statements, including the balance sheet, income statement, and cash flows, including notes and supplemental schedules prepared in accordance with generally accepted accounting principles.
c. A computation of the company's tangible net worth.
d. Validation of the company's mortgage servicing rights valuation and reserve methodology, if applicable.
e. Verification the company has adequate fidelity and errors and omissions insurance.
f. Testing of the company's controls related to risk management activities, including compliance and stress testing, if applicable.
4. A covered institution shall conduct an annual risk management assessment that shall conclude with a formal report to the board of directors, and shall make the risk management assessment available to the administrator upon request. A risk management assessment shall include issue findings and the response or action taken to address each issue. A covered institution shall maintain ongoing documentation of risk management activities and shall include the documentation in the risk management assessment.

Added by 2024 Iowa HF 2392, s 11, eff. 7/1/2024.