Year 2000 Business Risk

The Federal Financial Institutions Examination Council (FFIEC) has issued the attached interagency statement to provide guidance to the industry on safety and soundness risk posed by the Year 2000 problem.

The statement supplements the FFIEC's statement "Year 2000 Project Management Awareness" issued May 5, 1997. It is intended to:

• Highlight the critical nature of the Year 2000 problem and discuss the corporate-wide implications for an insured financial institution.

• Emphasize the importance of senior management and board of Directors participation in the resolution and oversight process, and encourage those parties to provide sufficient resources to resolve Year 2000 problems.

• Require a formal project plan that includes quarterly status reports from management to the board of Directors.

The FFIEC statement clarifies the guidance relating to certification from vendors that products and services are Year 2000 compliant. Formal vendor certification is not required. Financial institutions should communicate with their vendors and conduct due diligence and appropriate internal testing.

The Federal banking agencies have expanded their review of data processing servicers to focus on Year 2000 issues. Affected institutions supervised by the FDIC will be notified of the results of the reviews. Although the FDIC will inform serviced institutions of significant weaknesses, neither the FDIC nor the other Federal regulators will certify a servicer as Year 2000 compliant. Institutions are expected to solicit, from the servicer, information sufficient to form an independent conclusion of the servicer's Year 2000 readiness.

The FDIC, along with the other Federal banking agencies and state banking authorities, will monitor the progress of each financial institution. The FDIC will conduct an on-site review of Year 2000 compliance at each institution it supervises prior to June 30, 1998. The review will assess:

• The institution's progress in establishing, implementing, and monitoring a Year 2000 plan.

• Efforts to monitor the progress of data servicers, software providers, and other vendors.

• The impact of the Year 2000 problem on credit risk.

An institution's failure to appropriately address Year 2000 problems may result in supervisory action. Supervisory actions may include formal or informal enforcement actions, the denial of applications filed pursuant to Sections 18 and 24, among others, of the Federal Deposit Insurance Act, civil money penalties, and a reduction in the management component rating or the institution's composite rating.

The attached interagency statement and related information on Year 2000 issues are available on the Internet via the World Wide Web at

New, Events & FOIA or http://www.ffiec.gov

For further information, please contact your Division of Supervision Regional Office.

Additional guidance from the FFIEC on credit risk, vendor management, and testing will be made available over the next few months.

Attachments: FFIEC Interagency Statement

Distribution: FDIC-Supervised Banks (Commercial and Savings)

NOTE: Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC, 20434 (800-276-6003 or (703) 562-2200). Electronic versions are available at /banknews/fils.

Reports to the board, for institutions that are responsible for the renovation of their own mission critical applications ¹ , should also be tailored to the complexity of its applications and should provide information that:

• Identifies the total number of applications inventoried during the assessment phase and details the number of mission critical applications in each stage of the five step project management process outlined in the Interagency Statement.

• Informs the board about the progress being made to complete the renovation, testing and implementation of mission critical applications.

• Identifies the number of mission critical applications grouped by the intended resolution strategy (e.g., repair, install vendor upgrade, eliminate/retire, outsource, test only).

• Summarizes the results of internal and external testing.

Board minutes should reflect, as appropriate, any material action taken by the board to address Year 2000 issues or concerns. Board reporting should be available for review by examiners during onsite and offsite supervisory activities.

Clarification of Certification Requirement:

The Interagency Statement suggested that financial institutions obtain certification from their vendors when products and services are Year 2000 compliant. However, the regulatory agencies recognize that certification alone is not sufficient to provide adequate assurance that a product will operate properly in the unique environments of the many user financial institutions. Only a comprehensive test of all internal and external systems and system interdependencies by each user financial institution will ensure that they will function properly together. Therefore, formal certification is not required. Instead, financial institutions should (a) communicate with their vendors and conduct due diligence inquiries concerning Year 2000 readiness and also (b) implement their own appropriate internal testing or verification processes pertaining to these vendor products and services to ensure that their systems and data function properly together. They should monitor closely their vendor's progress in meeting target deadlines. The vendor's plan should allow adequate time for user testing in a Year 2000 environment. Topics that should be addressed with vendors include:

• Dates that products will be Year 2000 ready and available for testing.

• Products that will not be Year 2000 ready, or will no longer be supported.

• Methods used to renovate the product or the system to address Year 2000 (e.g., field expansion, windowing).

• The pivot year, if the windowing method is used. ²

• Any efforts that require coordination between the institution, its vendor and any other parties involved in external testing.

• Vendor guidance on user testing of products.

Financial institutions should develop contingency plans for all vendors that service mission critical applications and establish a trigger date for implementing alternative solutions should the vendor not complete its conversion efforts on time. These plans should consider the institution's own level of preparedness as well as that of their service providers. Contingency plans should be reviewed at least quarterly and adjusted, if necessary, to reflect current circumstances.

In establishing relevant trigger dates, management should have a thorough understanding of the complex interrelationships between its systems and those of its vendors. An institution also should consider the time necessary to convert the existing system to one that is ready for the Year 2000, the staff training time needed to implement an alternative system, and the availability of alternative systems. If, after a thorough analysis, it appears that the institution's Year 2000 conversions, or those of its vendors, will not be completed on time, management should be ready to implement its contingency plans. If success is in doubt for complex applications, it may be necessary to begin implementation of the contingency plan while continuing to work on the desired solution. Additionally, it may be necessary to begin renovation on an existing system, if timely implementation of a replacement system is not assured.

For in-house developed applications, the contingency plan should identify how the institution will transition to an alternate system or to an external vendor. For institutions that rely on vendors, the contingency plan should identify alternative suppliers and outline migration plans. In addition, time frames for Year 2000 contingency plans should be consistent with the time frames set forth in the Interagency Statement. The statement establishes December 31, 1998, as the date that institutions will have completed programming changes and have testing well underway for mission-critical systems.

Project Planning and Management:

The Year 2000 problem requires extensive project planning to ensure proper allocations of resources, and to ensure management accountability. The project plan should be formally adopted, enterprise-wide in scope, and contain clearly defined objectives and deadlines. The project plan, at a minimum, should include the following:

• The tasks to be accomplished throughout the term of the project.

• Resource requirements and individuals assigned responsibility for various phases of the project.

• Specific dates for completion of key elements of the project.

• Strategy for responding to inquiries from customers and business partners regarding the institution's Year 2000 readiness.

Senior management should actively manage resources to ensure that the project remains on schedule. Management should implement processes that monitor the Year 2000 efforts of its vendors, business partners, counter parties, and major loan customers.

The regulatory agencies are concerned that many financial institutions and service providers will underestimate the costs of Year 2000 projects, especially those costs associated with the testing phase. As the Year 2000 approaches, the demand for technical resources will likely rise and the supply of these resources is expected to diminish, thereby increasing costs. Financial institutions must exercise appropriate due diligence in their budget planning to ensure that they have sufficient financial and human resources to complete their Year 2000 plans in a timely manner.

Given the nature and extent of the Year 2000 challenge, management may need to adjust resources throughout the life of the project. If adjustments are needed, management must redefine the project's scope, and, if appropriate, change the priorities of other data processing projects.

Industry Coordination:

The FFIEC member agencies strongly encourage financial institutions and their trade organizations to work collectively to address issues pertaining to the Year 2000. Effective industry cooperation can help reduce costs. By working together, financial institutions can share ideas, influence vendors, develop best management practices, and maintain their competitiveness with other industries. Financial institutions should consider enlisting industry associations and accounting firms for guidance. If the industry is to be successful in meeting the problems posed by the Year 2000, financial institutions will have to work cooperatively to share effective practices, common testing methodologies and other non-proprietary information.

² Windowing for the Year 2000 involves the establishment of a "pivot year." Dates that are greater than or equal to the pivot year are interpreted to be 19xx. Dates that are less than the pivot year are interpreted to be 20xx.