Speeches and Testimony

FDIC Inspector General

Testimony

Before the Committee on Banking and
Financial Services

U.S. House of Representatives

September 17, 1998

Mr. Chairman and Members of the Committee, I am pleased to be here today to discuss the Federal Deposit Insurance Corporation's (FDIC) progress in addressing the Year 2000 challenge. I would like to note that, while I am speaking about FDIC Office of Inspector General (OIG) work, my counterparts at the Department of the Treasury, the Board of Governors of the Federal Reserve, and the National Credit Union Administration have submitted their statements for the record. The upcoming Year 2000 date change is a challenge that all financial regulatory agencies are addressing. As such, the management officials and Offices of Inspector General of our respective agencies have been working together to aggressively address the risks posed by this unprecedented technological challenge. My remarks will touch upon some of the common Year 2000 issues that the financial regulatory agencies are addressing related to the institutions they oversee. My principal focus, however, will be on FDIC's Y2K activities (internally and with respect to the institutions that it supervises), the work of my office to help ensure the success of the Corporation's efforts, and the tasks that remain as we approach the millennium.

Y2K POSES SIGNIFICANT CHALLENGES FOR FDIC AND OTHER FINANCIAL INSTITUTION REGULATORY AGENCIES

FDIC, independently and in cooperation with the other members of the Federal Financial Institutions Examination Council (FFIEC), must overcome the technological difficulties posed by the Year 2000 date change. In addition to addressing the issues impacting their internal operations, the agencies must effectively oversee the efforts of financial institutions in addressing Y2K concerns. FDIC's role as insurer of deposits presents additional issues that must be addressed in an air of uncertainty and unbending time constraints. As a result, FDIC has established Y2K as the number one safety and soundness issue facing financial institutions.

FDIC and its fellow FFIEC members have worked closely and diligently in addressing Y2K issues impacting financial institutions. These agencies have structured their Y2K efforts based on guidance published by the U.S. General Accounting Office (GAO) and the Office of Management and Budget (OMB). The guidance establishes a five-phased approach for addressing the Y2K situation: awareness, assessment, renovation, validation, and implementation. To promote awareness, FDIC, independently and in conjunction with the FFIEC, conducted awareness briefings, created a Y2K Internet homepage, held seminars, issued guidance to financial institutions, and published an information pamphlet for use by the general public. It is important that the various regulatory agencies adopt a consistent approach when rating the Y2K readiness of the institutions they supervise. To that end, the FFIEC member agencies have developed and presented a common training program for their examiners, adopted a unified examination work program for conducting Y2K examinations, implemented a process for exchanging and tracking information related to examination results, and performed joint examinations of certain large institutions.

For its part, FDIC must work to ensure that its internal operations are sustained following December 31, 1999. FDIC has 370 systems, 39 of which it has identified as mission critical, that are scheduled to continue operating into the year 2000 and beyond. FDIC must correctly renovate, test, and implement these systems. In addition, hardware that is not Y2K-compliant must be replaced, telecommunications equipment must be upgraded, and issues related to sustaining operational support for FDIC's facilities must be addressed. Effective and tested contingency plans must be developed in the event that any of these support systems malfunction. FDIC has implemented an aggressive program to address its internal Y2K challenges and has restructured its milestones in accordance with GAO and OMB guidance.

FDIC must also actively address a number of other issues unique to its role as insurer of deposits as agencies and businesses enter the most critical phases of their Y2K efforts. Specifically, as FDIC examines and assesses the progress of Y2K activities at financial institutions, its main focus will be on the institutions' testing, external data exchanges, and contingency planning efforts. It must also work closely with other financial institution regulatory agencies as they examine institutions whose deposits are insured by FDIC. In addition, FDIC must determine what impact Y2K examination ratings should have on deposit insurance premiums and consider possible enforcement actions and resolution strategies in the event institutions do not adequately prepare for Y2K and experience technological failures.

I can provide this Committee assurance that overall, the Corporation's Year 2000 efforts to date have been well conceived and executed. Additionally, the Corporation has taken appropriate and timely action in response to suggestions the OIG has made.

COOPERATIVE EFFORTS OF REGULATORY OFFICES OF INSPECTOR GENERAL AND INDEPENDENT FDIC OIG EFFORTS AND RESOURCES ARE DIRECTED TOWARD PROVIDING VALUE TO THE FFIEC AND FDIC

Similar to the cooperative approach adopted by the financial regulatory agencies, my office has been working closely with the Offices of Inspector General (OIG) from the Board of Governors of the Federal Reserve, the Department of the Treasury, and the National Credit Union Administration in addressing Y2K issues. Representatives from my office and these OIGs meet frequently to discuss approaches, issues, and solutions. We believe this sharing of ideas is crucial to providing valuable, timely, and effective input to our respective agencies, the FFIEC, and the Congress. Our collaborative efforts have focused on every facet of the Y2K situation, with particular emphasis on consistency in approach to examination ratings. Such consistency is of particular concern to FDIC because the Corporation insures deposits in over 10,000 institutions, some of which fall under the jurisdiction of the other financial regulators.

My office began reviewing Y2K activities in February 1997 and has steadily increased its efforts in this important area. To ensure that our work is timely and benefits the Corporation, we have developed a proactive approach to our Y2K review. As we develop observations regarding the Y2K process, we immediately brief corporate management on our observations and issue periodic advisory memorandums. By conducting our work in this way, we can provide observations and suggestions and at the same time lessen management's burden of formally responding to audit findings and recommendations. Management has been responsive to this approach and has reacted promptly to our observations.

Our Year 2000 work is twofold: we are examining FDIC's internal efforts to ensure its own Year 2000 readiness as well as its efforts to ensure readiness of the financial institutions that it supervises. Our work is designed to determine whether (1) FDIC is following a structured and effective approach in planning, evaluating, and correcting its systems and operations that are affected by the upcoming date change and (2) FDIC's actions, as an independent financial institution regulator and member of the FFIEC, ensure that financial institutions have planned and implemented a structured, effective approach to address Y2K concerns. We are using criteria and objectives published by GAO and OMB in performing our work. For supervisory activities, we are also using guidance and criteria published by the FFIEC.

To address audit objectives related to internal FDIC operations, my office reviewed the Corporation's detailed plans, policies, and procedures for implementing the Y2K program. We interviewed FDIC's Division of Information Resources Management's Y2K program manager and other personnel on the project team, reviewed the 58 contingency plans for FDIC's 39 mission critical applications, contingency procedures for FDIC's mission critical systems, and the business recovery plan for FDIC's data center. We also have performed a preliminary review of documentation supporting renovation activities related to 28 of FDIC's internal application systems.

To address our supervisory or external audit objectives, we evaluated Y2K field examinations for completeness, accuracy, and consistency of approach to ratings; evaluated the criteria used to assign Y2K ratings; and reviewed guidance and the work program for the Corporation's Phase I and Phase II examinations (its initial exams and those planned for October 1998, respectively). We have completed our review of Phase I, which included institutions' Y2K awareness and assessment efforts. We have also attended FFIEC-developed training courses for examiners and seminars for banking officials to assess course effectiveness.

INTERNAL Y2K REVIEW HAS RESULTED IN OBSERVATIONS FOR MANAGEMENT CONSIDERATION

In addition to frequently discussing the results of our work with corporate management, we have issued three advisory memoranda to management detailing our observations regarding FDIC's internal Y2K program. In an August 11, 1997, memorandum, we observed that to foster awareness, the Corporation had effectively communicated the need to address the Y2K problem throughout the Corporation and had implemented an effective strategic plan to ensure corporate-wide compliance by December 31, 1999.

Subsequent to issuing that memorandum, our office began a detailed review of FDIC's implementation of the successive phases of the Y2K program, starting with the assessment phase. Our work in this area followed a GAO review of FDIC's Y2K activities conducted between December 1997 and January 1998. GAO was concerned that FDIC was taking longer to assess its systems than was warranted and recommended that FDIC complete its assessment phase by March 1998. In addition, GAO recommended that FDIC develop contingency plans for its mission critical systems and core business processes and recommended that those plans be developed by the end of February 1998.

In response to GAO's recommendations, FDIC's Acting Chairman established Y2K as the Corporation's number one priority. FDIC proceeded to restructure its Y2K program to meet GAO's recommended Y2K milestones and developed contingency plans for all mission critical systems during March 1998. Our work showed that the Corporation had completed most assessments by March 31, 1998, and all assessments were completed by April 1998.

On May 27, 1998, we issued another memorandum on FDIC's internal Y2K program citing the following issues that warranted management attention:

Y2K Cost Estimates: In the initial stages of our review, FDIC had not determined the total cost of addressing the Y2K situation, internally and in its supervisory role. FDIC's initial focus was on estimating costs of the Corporation's internal Y2K efforts. Based on discussions with our office, FDIC began to collect estimates of the total cost to implement both aspects of its program. After updating its cost estimates for the internal program and including the costs of supervisory efforts, FDIC increased its estimate for addressing the Y2K problem from $24 million to $85 million. Thus, decision makers had a more comprehensive understanding of the true magnitude of the Corporation's Y2K efforts and all associated costs.

Certification: Our review of the Corporation's process for certifying systems as Y2K compliant indicated that the process should be expanded to ensure that all parties involved in renovation and testing agreed that the application was Y2K-compliant. We suggested that FDIC develop a certification process that included certification and sign-off by the Division of Information Resources Management program manager, the client program manager, the independent tester, and the Y2K program manager. After we advised the Y2K program manager of our concerns, he implemented an enhanced and expanded process for certification.

Testing Policies and Procedures: We suggested that testing policies and procedures be finalized as early as possible and that FDIC's configuration management program be strengthened to ensure that the voluminous amount of software changes that will occur as the result of Y2K fixes are properly controlled. FDIC had started testing applications already thought to be Y2K-compliant before fully developing its testing procedures. We suggested that FDIC develop these procedures before further testing was conducted to ensure testing consistency. FDIC agreed and developed and published Y2K testing procedures that we found to be sound and comprehensive. Although FDIC employed effective configuration management processes for mainframe-based applications, similar processes and systems were needed for client-server applications. FDIC management agreed with our suggestion and implemented an effective configuration management program for client-server applications.

On July 29, 1998, we issued another advisory memorandum, citing additional observations for management consideration:

Contingency and Business Continuity Planning: Although the FDIC had developed contingency plans for its 39 mission critical systems, it had not developed a comprehensive business continuity plan to integrate all facets of its core business areas into an overall corporate strategy for dealing with the Y2K problem. An effective plan should define and document information requirements, describe methods and techniques to be used in developing contingency plans, define Y2K failure scenarios, determine the risk and impact on core business processes and the information technology infrastructure, and describe the minimum acceptable level of output needed for the core business processes. We suggested that FDIC's Y2K Oversight Committee develop a corporate-wide business continuity plan using GAO guidelines. The Y2K Oversight Committee Chairman agreed that such a plan should be developed and requested that our office assist in the development by acting as an advisor and reviewing the documents produced. We are currently advising the task group as it develops the business continuity plan.

Further, most of the contingency plans developed for FDIC's mission critical systems did not contain detailed procedures for implementation. The contingency plans did not include specific steps for deployment or implementation schedules. In addition, the alternative processes and systems cited in the plans had not been developed, and testing of the plans had not been scheduled. We suggested that users of the mission critical systems develop more comprehensive contingency plans and that the processes cited in the plans be tested to ensure that they would be ready to implement well before the year 2000. Project management returned the plans to the users with instructions to develop the plans and related procedures in accordance with guidance provided by GAO.

We reviewed the resulting revisions and observed a need for additional improvements. Specifically, some plans identified several approaches that should be considered for continued operations and did not recommend a specific approach. FDIC must first determine which approach is most feasible and then develop related procedures. Further, in many instances, the procedures described in the plans and triggers for implementing the procedures had not been developed or tested. In addition, testing schedules and schedules for disseminating instructions for the contingency procedures had not been developed. We recently communicated these observations to management officials, and they indicated that plans with these deficiencies would be returned to user organizations for correction. Additionally, FDIC has initiated actions to contract for assistance in preparing contingency plans and procedures.

Renovation on Schedule: In its September 4, 1998 quarterly report to House and Senate Banking Committee staffs, FDIC indicated that it had successfully attained its goal of renovating all internal application systems by August 31, 1998. We performed an initial cursory evaluation of a sample of applications certified as renovated. Our initial evaluation confirmed the Corporation's assertion that renovation activities are complete. We will perform a more detailed review of renovations as we continue our Y2K work.

SUPERVISORY OBSERVATIONS HAVE RESULTED IN MANAGEMENT ACTIONS TO IMPROVE Y2K EFFORTS

The OIG has issued two advisory memoranda to management regarding the Corporation's supervisory Y2K efforts in which we made the following observations:

Consistency of Approach to Ratings: We informed management that some institutions were assigned different Y2K ratings even though their examination results were similar. Rating consistency is an important issue because Y2K ratings can impact (1) FDIC's Division of Supervision's (DOS) follow-up actions, (2) the accuracy of information provided to senior management and outside parties, (3) potential enforcement actions, and (4) DOS' success in ensuring the readiness of financial institutions as we approach the year 2000.

DOS assigns each institution a Y2K rating which should reflect the institution's efforts to ensure that it can continue business operations without disruption as the calendar changes from 1999 to 2000. DOS has extensive review processes designed to ensure the accuracy and consistency of these examination ratings. However, the unique and unfamiliar nature of Y2K examinations poses significant challenges for DOS. Currently, DOS procedures call for Y2K ratings to be reviewed by the subject matter expert in each field office, the field office supervisor, the cognizant case manager, and an assistant regional director. In addition to this review process, DOS' Dallas regional office established a working group to ensure that situations warranting issuance of formal or informal supervisory actions receive timely consideration. Part of this process includes review of Y2K ratings. Our work in Dallas did not detect inconsistent or questionable Y2K ratings for examinations reviewed by this working group. Subsequent review work at another DOS regional office did not disclose any rating inconsistencies. We suggested that DOS establish similar working groups at other regional offices to ensure rating consistency and accuracy. Management agreed and stated that similar review processes had been established in all eight regional offices.

Ratings Based on Commitments: We observed that Y2K ratings were not always based on a bank's Y2K efforts at the time of examination but rather on commitments made by the bank to correct noted weaknesses. The institution was given a higher Y2K rating if it committed to responding to recommendations for corrective actions within 30 to 60 days and had a good history of responding to commitments related to safety and soundness examinations. Although we were skeptical of this method for rating banks, the method generally appeared to work well for the assessment phase examinations. However, we believe that ratings for the testing phase examinations should be based solely on the results of examination. We suggested that commitments not be used in the rating process for the testing phase examinations because of the complexity and time sensitivity of this next phase. FDIC officials agreed and stated that commitments would not be used for assigning ratings during the testing phase.

Need for More Detailed Examination Steps: In its February 10, 1998 testimony before a Senate Subcommittee, GAO had expressed concerns regarding the level of detail called for in DOS' initial examination workplan. Before DOS incorporated additional steps into its workplan, we noted some inconsistencies in examination ratings. Therefore, we reaffirmed GAO's recommendation to incorporate additional steps into the workplan to assist examiners in definitively and consistently determining the status of an institution's Y2K efforts. DOS issued additional assessment steps on March 24, 1998 that addressed the concerns of GAO and our office.

Proxy Testing: We expressed concerns regarding the use of proxy testing for banks using service providers. FDIC issued Financial Institution Letter 38-98 on April 10, 1998, which allows a service provider to test a representative sample of institutions that use the particular servicer. The servicer can then share test results with other institutions using that same service provider. We were concerned that many banks, small ones in particular, might not have the expertise to (1) determine whether the proxy test is comparable to their operations, (2) provide input to test scripts to ensure that the tests simulate the way they use the software, and (3) effectively review test results and other documentation from the servicer. Small banks may simply rely on an assurance letter from the servicer. We believe that small banks must either contract with an expert to review their testing or join forces with other banks with similar systems to review tests. We suggested that examiners advise small banks to explore the possibility of joining user groups to increase their knowledge of the Y2K situation, methods and procedures for addressing Y2K concerns, and resources available to assist in ensuring that their servicer-provided systems are Y2K compliant. DOS management officials agreed and indicated that they had provided guidance suggesting that banks form user groups and/or coordinate their testing efforts with other institutions serviced by the same servicer or servicers.

SUBSEQUENT Y2K ACTIVITIES ARE CRITICAL TO THE SUCCESS OF THE PROGRAM

FDIC and its fellow financial institution regulators are now entering the most difficult and important phase of their Y2K efforts, both internally and in their supervisory roles, that is the validation or testing phase. Time is of the essence in accomplishing these responsibilities. As a result, the Corporation has established target dates for the completion of its internal activities and the activities of insured institutions. Internally, FDIC must test the renovation of its systems, make needed corrections, implement the successfully tested systems, and develop and test contingency plans and procedures that may be needed in the event that a system thought to be compliant malfunctions. In addition, the Corporation must replace non-compliant equipment and ensure that data received from outside sources is Y2K compliant. Further, it must ensure that facilities and related support systems are compliant.

We will continue to assess FDIC's progress in testing and implementing its renovated internal application systems. To accomplish this, we are in the process of awarding a contract to augment our staff with contractor personnel who specialize in performing independent verification and validation testing of renovated applications. We will continue to assess FDIC's Y2K business continuity and contingency plans to ensure that the contingency planning process is fully developed and tested. We will also assess management actions regarding infrastructure issues to ensure that FDIC facilities are Y2K compliant and that telecommunication networks will be viable on January 1, 2000 and beyond. Finally, we will continue working with OIGs from other regulatory agencies on data exchange issues involving the agencies themselves, financial institutions, and trading partners.

In its supervisory role, FDIC must accomplish several significant tasks going forward. The Corporation will be examining the status of Y2K testing, external data exchanges, and contingency planning efforts at financial institutions. It must coordinate this work closely with the other financial institution regulators. FDIC must also determine the extent to which Y2K examination ratings should impact deposit insurance premiums, consider enforcement actions if an institution's efforts do not adequately address the Y2K situation, and develop resolution strategies in the event institutions are closed because of technological failures. FDIC and its FFIEC counterparts have been actively planning for these issues for some time and will soon formalize their approaches.

We will continue reviewing FDIC and FFIEC activities related to renovation and validation efforts at financial institutions. We will also continue our review of activities related to ensuring consumer awareness; defining Y2K failures; incorporating the results of Y2K examinations into safety and soundness ratings; and planning for the possible resolution of failed institutions, including estimating the impact on insurance funds. I remain hopeful that the same spirit of cooperation will continue to guide the efforts of the FDIC and the member FFIEC agencies and that collectively, we will meet with success.

Mr. Chairman, this concludes my prepared statement. At this time I would be happy to respond to any questions you or other Members of the Committee.

Last Updated 06/25/1999 communications@fdic.gov