The Federal Financial Institutions Examination Council (FFIEC) on May 5, 1997, issued the attached press release and interagency statement providing guidance on the scope of the activities necessary for insured financial institutions to make all information-processing systems capable of recognizing dates in the Year 2000 and beyond. The attached statement updates the FFIEC's statement "The Effect of Year 2000 on Computer Systems," issued in June 1996, and it reflects the federal agencies' concerns about the industry's readiness for the Year 2000. The statement outlines the agencies' supervisory strategy to ensure an orderly transition into the next century. Financial institutions should be well into the "assessment" phase of their Year 2000 project management plan. As noted in the statement, mission-critical systems should be identified and priorities set for Year 2000 work by the end of the third quarter of 1997. For mission-critical applications, the agencies strongly recommend that programming changes be largely completed and testing well underway by December 31, 1998. This time line for testing critical applications has been accelerated since the June 1996 interagency statement to ensure that system interdependencies are not disrupted. Reprogramming for other applications should also be completed by December 31, 1998, to allow a full year for testing and adjustments. The statement discusses three Year 2000-related issues requiring management attention:
risks posed by exchanging data with external parties, and the potential effect of Year 2000 noncompliance on corporate borrowers. Other operational issues related to Year 2000 planning are also highlighted. The FDIC and state banking authorities will review the conversion efforts of all FDIC-supervised banks in 1997, using the attached examiner questionnaire and examination procedures or similar tools. Meanwhile, management is encouraged to use these examination tools to assess the adequacy of its own efforts in addressing Year 2000 issues. If you foresee significant problems meeting the target time lines in this guidance, please notify your Division of Supervision regional office. The attached interagency statement and related information on Year 2000 issues are available on the Internet via the World Wide Web at
For more information, please contact your Division of Supervision Regional Office.
Attachments: (below)
Distribution: FDIC-Supervised Banks (Commercial and Savings)

NOTE: Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 801 17th Street, N.W., Room 100, Washington, D.C. 20434 (800-276-6003 or (703) 562-2200). Electronic versions are available at: /banknews/fils/

Attachment: Federal Financial Institutions Examination Council Press Release
Federal Bank Regulators Outline Year 2000 Project Management Goals

The Federal Financial Institutions Examination Council's Task Force on Supervision today issued an Interagency Statement for the banking industry and federal examiners, intended to focus their attention on the critical issues financial institutions need to address quickly to resolve Year 2000 computer problems and avoid major service disruptions.

The FFIEC Task Force first alerted the industry to the Year 2000 problem in June 1996, and recommended that institutions perform risk assessments and plan a strategy to address vulnerable systems. Today's Statement outlines a project management process that strongly encourages federally insured depository institutions to complete an inventory of core computer functions and set priorities for Year 2000 goals by September 30, 1997. Banks are expected to largely complete programming changes, and have testing well underway for mission critical systems by December 31, 1998.

In an appendix to the Statement, the Task Force included an examiner questionnaire to help regulatory agencies conduct assessments of financial institution planning efforts, which are expected to be completed shortly. Based on the results of these assessments, regulators will prioritize supervisory reviews, using examination procedures contained in a second appendix to the Statement. The regulators expect to complete examinations of conversion efforts by mid-1998.

Federal financial regulators are concerned that systemic disruptions and potential failures could result if computers used by financial institutions cannot properly read date-sensitive information when the calendar year changes to 2000.
For this reason, an institution's reprogramming planning should include consideration of the vendors whose products and services a financial institution uses; the other banks, clearing houses and customers with whom it exchanges data electronically; and, corporate borrowers, whose creditworthiness might be diminished by significant service disruptions.

In a statement today, the Task Force said, "The Year 2000 presents a number of very difficult challenges for the financial services industry, which relies heavily on effective computer communications between banks, external data networks and data processing centers, and their customers. The Interagency Statement adopted today emphasizes the important issues that banks, thrifts and credit unions need to address right now to meet critical deadlines in preparation for the Year 2000."

The Interagency Statement outlines five management phases necessary to complete a computer conversion program: awareness, assessment, renovation, validation, and implementation. During the final stage, systems should be certified as compliant and accepted by business users. Federal regulators intend to work closely with institutions that face unusual difficulties. The Interagency Statement is attached.

Attachment: Federal Financial Institutions Examination Council YEAR 2000 PROJECT MANAGEMENT AWARENESS May 5, 1997
Purpose: This Interagency Statement is intended to emphasize the need to make all information processing systems Year 2000 compliant and identify specific concerns that should be considered in managing a conversion program. The FFIEC first alerted the industry in June 1996 of the Year 2000 problem. At that time, we recommended that financial institutions perform a risk assessment of their processing systems and begin developing an action plan to address vulnerable systems. This Interagency Statement expands on those topics and stresses a number of areas which may need special attention. It also describes the supervisory strategy that the federal banking agencies will pursue in monitoring Year 2000 conversion efforts of financial institutions, as well as third-party data processing servicers, and software suppliers servicing insured financial institutions. The Year 2000 poses serious challenges to the industry. Many experts believe that even the most prepared organizations may encounter some implementation problems. The federal banking agencies want to ensure that financial institutions avoid major disruptions and will work with the industry to reach that goal. They will implement a supervisory plan designed to: heighten awareness of the Year 2000 problem within the industry; perform an assessment of the planning efforts of financial institutions for Year 2000; conduct a supervisory review of all institutions for Year 2000 preparedness; and work with institutions that face difficulties. The agencies will undertake follow-up activities to ensure institutions focus on problem areas and take appropriate supervisory action if they are unable to encourage a financial institution to devote adequate attention to achieving Year 2000 compliance. 
This Statement has four major parts: an outline of the Year 2000 project management process; identification of three external risk issues that the Year 2000 conversion plan should consider; other operational issues that may be relevant to an institution's Year 2000 planning; and a description of the federal banking agencies' supervisory strategy.

Year 2000 Project Management: The Year 2000 problem presents a number of difficult challenges to financial institution management. Information systems are often complex and have been developed over many years through a variety of computer languages and hardware platforms. For many financial institutions, correction of those problems will be costly and complex. A lack of skilled mainframe programmers and system experts compounds the problem. Year 2000 conversion projects will require executive management sponsorship and an effective project management process.

The project management process begins with an awareness of the issue and an assessment of the extent of Year 2000 problems within financial institution systems. This includes identification of affected applications and databases. Mission critical applications should be identified and priorities set for Year 2000 work by the end of the third quarter of 1997. Financial institutions and service providers should be well into this phase of the project. Code enhancements and revisions, hardware upgrades, and other associated changes follow the assessment phase and should be largely completed by December 31, 1998. Since the 1996 Interagency Statement, it has become clear that testing mission critical system interdependencies, particularly those with external systems, will be time consuming and could take up to at least one year in more complex data processing environments.
Accordingly, for mission critical applications, the federal banking agencies strongly encourage the industry to assure that programming changes are largely completed and that testing be well underway by December 31, 1998. This is a change from the June 1996 Interagency Statement due to the importance of fully testing connectivity between major servicers and other financial institutions. Year 2000 project management processes are expected to be more formalized in financial institutions with complex systems or which rely on in-house application development. In all financial institutions, regardless of size or complexity, strong leadership, effective communication, and accountability are necessary to ensure that Year 2000 initiatives will be successful. The following describes the discovery, planning, and implementation process in managing an institution's conversion program:
Assessment Phase - Assess the size and complexity of the problem and detail the magnitude of the effort necessary to address Year 2000 issues. This phase must identify all hardware, software, networks, automated teller machines, other various processing platforms, and customer and vendor interdependencies affected by the Year 2000 date change. The assessment must go beyond information systems and include environmental systems that are dependent on embedded microchips, such as security systems, elevators and vaults. Management also must evaluate the Year 2000 effect on other strategic business initiatives. The assessment should consider the potential effect that mergers and acquisitions, major system development, corporate alliances, and system interdependencies will have on existing systems and/or the potential Year 2000 issues that may arise from acquired systems. The financial institution or vendor should also identify resource needs, establish time frames and sequencing of Year 2000 efforts. Resource needs include appropriately skilled personnel, contractors, vendor support, budget allocations, and hardware capacity. This phase should clearly identify corporate accountability throughout the project, and policies should define reporting, monitoring, and notification requirements. Finally, contingency plans should be developed to cover unforeseen obstacles during the renovation and validation phases and include plans to deal with lesser priority systems that would be fixed later in the renovation phase.

Renovation Phase - This phase includes code enhancements, hardware and software upgrades, system replacements, vendor certification, and other associated changes. Work should be prioritized based on information gathered during the assessment phase. For institutions relying on outside servicers or third-party software providers, ongoing discussions and monitoring of vendor progress are necessary.
Validation Phase - Testing is a multifaceted process that is critical to the Year 2000 project and inherent in each phase of the project management plan. This process includes the testing of incremental changes to hardware and software components. In addition to testing upgraded components, connections with other systems must be verified, and all changes should be accepted by internal and external users. Management should establish controls to assure the effective and timely completion of all hardware and software testing prior to final implementation. As with the renovation phase, financial institutions should be in ongoing discussions with their vendors on the success of their validation efforts.

Implementation Phase - In this phase, systems should be certified as Year 2000 compliant and be accepted by the business users. For any system failing certification, the business effect must be assessed clearly and the organization's Year 2000 contingency plans should be implemented. Any potentially noncompliant mission-critical system should be brought to the attention of executive management immediately for resolution. In addition, this phase must ensure that any new systems or subsequent changes to verified systems are compliant with Year 2000 requirements.

External Issues: Our discussions with Year 2000 experts, bankers, and field examiners indicate some financial institutions have not yet considered all the implications of the Year 2000 problem or lack conformance to time critical dates. More specifically, management should begin immediately to consider the following areas in its project planning process:
Alternate service or software providers should be considered if vendor solutions or time frames are inadequate. If purchased products or services belong to larger, integrated systems, financial institutions' testing and certification processes will have to be fully coordinated with their vendor's Year 2000 testing. Management must also ensure that vendors have the capacity (both financial and personnel) to complete the project and are willing to certify Year 2000 compliance.

Data Exchange - The Year 2000 problem also poses a risk to the quality of information that institutions exchange with other firms. Large volumes of date sensitive data are transferred electronically between financial institutions, their customers, and their regulators. Institutions will need to know how methods of data exchange differ among financial institutions, across vendors, and between other institutions. Therefore, Year 2000 planning should allow sufficient time to assess the effect that Year 2000 solutions will have on data transfers. The project plan should also include testing and verification, as appropriate, of data exchanges with clearing associations, governmental entities, customers and international financial institutions.

Corporate Customers - Many corporate customers (borrowers) depend on computer systems that must be Year 2000 compliant. Corporate customers, who have not considered Year 2000 issues, may experience a disruption in business, resulting in potentially significant financial difficulties that could affect their creditworthiness. Financial institutions should develop processes to periodically assess large corporate customer Year 2000 efforts and may consider writing Year 2000 compliance into their loan documentation. Loan and credit review officers should consider in their credit analysis of large corporate customers whether the borrower's Year 2000 conversion efforts are sufficient to avoid significant disruptions to operations.
Other Year 2000 Operating Issues: The following issues should also be considered in addressing Year 2000 planning:
Cost and Monitoring - As the Year 2000 approaches and the urgency of fixing problems increases, the costs of obtaining/retaining qualified staff to address the problems will undoubtedly rise, perhaps significantly. Some experts believe that the limited availability of technical support will be a major obstacle to making systems Year 2000 compliant. Knowledge of market conditions for skilled programmers and developing programs to retain key personnel may be necessary to ensure that adequate resources are available throughout the project's life.

Mergers and Acquisitions (M&As) - The extent of Year 2000 conversion efforts will bear directly on corporate M&As' strategies since conversions resulting from M&As will compete for project managers and technical resources. Acquisition strategies should include the institution's Year 2000 assessment to the extent possible.

Remote Locations - Remote or overseas operations also need to devote attention to Year 2000 issues. In particular, management information systems for businesses that run semi-autonomously from the head office must be included in the financial institution's system inventory and plans. To the extent that such systems serve as critical controls for business operations, they could expose the financial institution to significant undetected vulnerabilities. Appropriate staff members throughout the organization must be aware of the risks associated with the Year 2000 issue and how they might be affected.

Contracts - Legal issues may arise from the lack of specificity in contract terms dealing with Year 2000 issues. Financial institutions should modify existing contracts which do not specifically address Year 2000 compliance by the vendor. Otherwise, conflicts may result regarding the commitment and responsibility to assure Year 2000 compliance. Current and future purchases should require Year 2000 certification. If contract changes or modifications are refused, then the institution should consider replacing the service or product.

Leap Year - All Year 2000 plans need to address the leap year - February 29, 2000 - issue. All date and calculation routines need to be reviewed to ensure that leap year calculations are Year 2000 certified.

Supervisory Strategy: The federal banking agencies plan to conduct a supervisory review of all financial institutions' Year 2000 conversion efforts by mid-1998. They will soon complete an assessment of financial institutions' Year 2000 planning efforts. The appropriate regulatory agency may use the examiner questionnaire in Appendix A, or a similar tool, to help conduct this assessment. Financial institutions will be provided with specific instructions from your agency about this part of their supervisory strategy. The agencies will use the results of their assessment to prioritize on-site examinations and will target first those institutions that have not actively begun a Year 2000 conversion program.

The federal banking agencies will utilize uniform examination procedures to facilitate Year 2000 examinations (Appendix B). Management is encouraged to use these examination tools to perform internal reviews or self-evaluations in connection with their own efforts to address the Year 2000 problem. Examiners will work with institutions that encounter significant problems addressing Year 2000 issues.

Focusing on financial institutions alone will not prevent Year 2000 disruptions. The federal banking agencies will work cooperatively to ensure that supervisory reviews include data processing service providers and third-party software vendors who provide services to federally insured financial institutions. This effort will include vendors who are a part of the Multiregional Data Processing Servicer program and the Shared Application Software Review program.
Appendix A
Year 2000 Examiner Questionnaire

Introduction

This questionnaire is designed to capture macro-level information on Year 2000 preparations from financial institutions and their information systems vendors. The information will help examiners prioritize their Year 2000 reviews. The questions are presented in a "yes - no" answer format. However, examiners may also ask open-ended questions to develop a thorough understanding of the institution's/vendor's Year 2000 capabilities.

Capability
1. Are the institution's/vendor's information processing (hardware and software) and delivery (telecommunications) systems capable and ready to handle Year 2000 processing?

Overall Plan
2. Does the institution/vendor have a Year 2000 problem resolution process that includes these basic phases:
  Assessment of complexity.
  Renovation.
  Validation.
  Implementation.
3. Has the institution/vendor prioritized internally and externally maintained systems (hardware, software, and operating systems)?
4. Has the institution considered the impact of the Year 2000 on internal, environmental systems that are dependent on embedded microchips, such as vaults, security and alarm systems, elevators, telephones, FAX machines, and HVAC (heating, ventilation, and air conditioning)?

Resource Implications
5. Has the institution/vendor established a budget for the year 2000 effort?
6. Has the institution/vendor determined whether it has sufficient resources (hardware, people, and dollars) necessary to ensure Year 2000 processing capabilities?

Sponsorship/Monitoring
7. Has the institution/vendor assigned overall responsibility for the Year 2000 effort to a senior manager?
8. Has the institution/vendor established project target dates and deliverables for the Year 2000 effort?
9. Does the process include regular reporting to and monitoring by senior management?

Timing
10. Does the institution's/vendor's Year 2000 plan call for the renovation of all mission critical systems to be largely completed by December 31, 1998?
11. Will the institution's/vendor's testing for Year 2000 renovations be well under way, for mission critical applications, by December 31, 1998?

Appendix B
Year 2000 Examination Procedures

Introduction

The following examination procedures are for general use in all federally supervised financial institutions and data centers that service these financial institutions. The examination procedures will help the examiner to determine if the institution has addressed the Year 2000 problems inherent in many computer software and hardware systems. The examination procedures are designed to focus on the state of Year 2000 preparedness of each examined institution. The Tier I section represents general procedures designed for all institutions.
Examinations of small institutions, particularly those that have purchased or leased their hardware and/or software systems from an external vendor, normally will stop at the end of the Tier I examination procedures. The examiner will then proceed to the examination conclusions section. The Tier II section includes more rigorous and detailed examination procedures designed for larger institutions, particularly those with in-house software development capabilities. In these environments, examiners normally will use both the Tier I and Tier II examination procedures, as appropriate.

Examination Objectives
1. To determine whether the organization has an effective plan for identifying, renovating, testing, and implementing solutions for Year 2000 processing.
2. To assess the effect of Year 2000 efforts on the organization's strategic and operating plans.
3. To determine whether the organization has effectively coordinated Year 2000 processing capabilities with its customers, vendors, and payment systems partners.
4. To assess the soundness of internal controls for the Year 2000 process.
5. To identify whether further corrective action may be necessary to assure an appropriate level of attention to Year 2000 processing capabilities.

Examination Planning and Control
1. Determine the organization's source of information systems (IS) support for hardware (mainframe, mid-range, networks, personal computers) and related applications and operating system software. Note whether information systems processing is provided internally, externally, or a combination of both.
2. Review previous examination, audit, or consultant findings relative to Year 2000 issues.
3. Review management's responses to any significant Year 2000 findings.
4. Review responses to the Year 2000 Examiner Questionnaire.
5. Review the supervisory strategy and scope memorandum prepared for this organization relative to Year 2000 issues.
6. Determine the scope of the Year 2000 examination based on findings from the previous steps and discussions with the examiner-in-charge (EIC).

Select from the following examination procedures the steps necessary to meet the examination objectives. Note: Examinations do not require completion of all steps.

Tier I Procedures
1. Determine whether the organization's board of Directors and senior management are aware of and understand the risks and complexities of the Year 2000 issue by:
2. Determine whether management has developed a plan to ensure that the organization's computer systems are Year 2000 compliant.
3. Determine whether the organization's Year 2000 assessment includes computer controlled systems, such as telecommunications systems, ATMs, audio response systems, and other environmental systems with embedded microchips, such as vaults, security and alarm systems, elevators, telephones, FAX machines, and HVAC.
4. Determine whether the institution's management conducts continuing communications with its vendor(s) and/or servicer(s) to determine their progress toward implementing Year 2000 solutions.
5. Determine whether the organization has:
6. Determine whether management has assessed the financial and operational capabilities of its hardware and software vendors to provide Year 2000 processing capabilities. Note the results of this assessment.
7. Determine the status of the institution's Year 2000 project, including any anticipated barriers and how management plans to address them.
8. If it is evident that the institution's or vendor's/servicer's systems are not fully Year 2000 compliant, determine:
9. Determine whether management has discussed the effect of the Year 2000 issue with its large corporate borrowing customers to ensure the customers' ability to meet financial and informational obligations to the institution.
10. Determine whether the organization has assessed the effect of Year 2000 processing capabilities, as applicable, with its payment systems providers, including:
11. Determine whether management has employed internal or external audit functions to assess the soundness of internal controls associated with the Year 2000 effort.
12. Determine whether management is aware of or contemplates any litigation related to the Year 2000 issue.

Generally, examinations of small financial institutions and those that rely on data service providers should proceed to the Examination Conclusions section.

Tier II Procedures

Audit
1. Assess internal and external audit personnel's independence and involvement in reviewing the organization's Year 2000 efforts.
2. Review audit plans and budgets through 1999 and determine whether they identify specific audit resources necessary to address Year 2000 issues. Determine whether these plans are based on a formal inventory of all critical systems affected by Year 2000 issues. Also, determine the adequacy of audit resources allocated to Year 2000 issues.
3. Determine whether audit is actively involved in Year 2000 efforts to assess and monitor the effectiveness of the project management process and whether audit management communicates this information to the board of Directors.
4. Review Year 2000 project audit reports and determine the adequacy of their scope and the timeliness and completeness of management responses. Also assess the appropriateness of audit follow-up on actions taken in response to Year 2000 project audit findings.

Management
5. Based on discussions with management and reviews of the minutes of committees established to address Year 2000 issues, evaluate the completeness of the project management process to assure the institution's computer systems are Year 2000 compliant. Note whether management has:
6. Determine whether management considered the availability of adequate resources for the Year 2000 initiative by identifying:
7. Determine whether the organization has persons or access to persons that have sufficient technical expertise to make all hardware/software systems Year 2000 compliant, and:
8. Determine how the board of Directors and senior management are kept informed on the progress of Year 2000 efforts, particularly of any problems encountered during the validation and implementation phases.
9. Determine whether the board of Directors and/or senior management have established clear lines of authority and responsibility for the Year 2000 effort.
10. Determine whether Year 2000 project teams receive sufficient support from the board of Directors and senior management.
11. Review, as applicable, the selection process for any Year 2000 service provider(s) and whether the process appears adequate.
12. Evaluate the adequacy of the institution's Year 2000 conversion management process.

Systems and Programming
13. Determine whether the organization has assessed the ability of its computer systems to handle any needed software changes. If so, describe.
14. Determine the method(s) the organization uses or will use to resolve Year 2000 date calculations (e.g., conversion to four position year fields, windowing and others).
15. Evaluate whether the organization has/will devote(d) appropriate time to testing and error checking of all software changes.
16. Determine the programming languages and tools that the institution will use.
17. Identify whether a common application development platform is required.
18. Describe how the organization will maintain sound internal controls over the software change process for Year 2000 issues.
19. Determine whether the organization is coordinating modification and testing activities with vendors, servicers, and organizations with whom critical data is received or sent.

Computer Operations
20. Review management's assessment of the anticipated additional systems resources required specifically for operating systems, telecommunications (including ATM) networks, and security software, to handle Year 2000 processing. Describe the results of the assessment.
21. Evaluate the organization's Year 2000 assessment of the adequacy of computer resources for testing Year 2000 changes while performing day-to-day processing activities.
22. Describe management's assessment of the effect of any changes in operating practices resulting from the Year 2000 effort.
23. Determine whether any interim work procedures are required as part of the Year 2000 effort.
24. Review and describe the organization's assessment of the impact of Year 2000 efforts on business continuity/recovery planning.
25. Determine whether the organization compromised sound internal controls over operations as a result of addressing Year 2000 issues.

Examination Conclusions
26. Prepare examination report comments noting:
27. Prepare recommendations, as appropriate, for the EIC and/or other appropriate supervisors on any additional actions necessary to ensure the organization's safety and soundness associated with its Year 2000 processing capabilities.
28. Summarize the Year 2000 plan's strengths and weaknesses and describe the extent of the organization's Year 2000 readiness.
29. Discuss conclusions with the appropriate level of management and document responses.