FDIC Federal Register Citations

[Federal Register: November 29, 1999 (Volume 64, Number 228)]
[Rules and Regulations]
[Page 66699-66706]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr29no99-13]

[[Page 66699]]

_______________________________________________________________________

Part II

_______________________________________________________________________
Department of the Treasury
Office of the Comptroller of the Currency
_______________________________________________________________________
Federal Reserve System
_______________________________________________________________________
Federal Deposit Insurance Corporation
_______________________________________________________________________
Department of the Treasury
Office of Thrift Supervision
_______________________________________________________________________
12 CFR Part 30, et al.
Interagency Guidelines Establishing Year 2000 Standards for Safety and
Soundness; Final Rule
Safety and Soundness Standards; Final Rule

[[Page 66700]]

-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Part 30

[Docket No. 99-16]
RIN 1557-AB67

FEDERAL RESERVE SYSTEM

12 CFR Part 208

[Docket No. R-1017]

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Part 364

RIN 3064-AC18

DEPARTMENT OF THE TREASURY

Office of Thrift Supervision

12 CFR Part 570

[Docket No. 99-35]
RIN 1550-AB27


Interagency Guidelines Establishing Year 2000 Standards for
Safety and Soundness

AGENCIES: Office of the Comptroller of the Currency, Treasury; Board of
Governors of the Federal Reserve System; Federal Deposit Insurance
Corporation; and Office of Thrift Supervision, Treasury.

ACTION: Final uniform guidelines.

-----------------------------------------------------------------------

SUMMARY: The Office of the Comptroller of the Currency (OCC), the Board
of Governors of the Federal Reserve System (Board), the Federal Deposit
Insurance Corporation (FDIC), and the Office of Thrift Supervision
(OTS) (collectively, the Agencies) are adopting in final form the
interim guidelines establishing Year 2000 safety and soundness
standards for insured depository institutions published by the Agencies
on October 15, 1998, and in effect since that date. This issuance of
final guidelines (Guidelines), pursuant to section 39 of the Federal
Deposit Insurance Act (FDI Act), is a technical action of the Agencies,
which remain confident that, based on their reviews, insured depository
institutions are appropriately preparing for the Year 2000.

EFFECTIVE DATE: The final Guidelines are effective November 29, 1999.

FOR FURTHER INFORMATION CONTACT: OCC: Mark L. O'Dell, Director, Year
2000 Bank Supervision Policy (202) 874-2340; Brian McCormally,
Assistant Director, Enforcement and Compliance (202) 874-4800; Karl
Betz, Attorney, Legislative and Regulatory Activities (202) 874-5090;
or Stuart E. Feldstein, Assistant Director, Legislative and Regulatory
Activities (202) 874-5090, Office of the Comptroller of the Currency,
250 E Street, SW, Washington, DC 20219.

Board of Governors: Angela Desmond, Special Counsel, Division of
Banking Supervision and Regulation (202) 452-3497; or Nancy Oakes,
Counsel, Division of Banking Supervision and Regulation (202) 452-2743.
For the hearing impaired only, Telecommunication Device for Deaf (TDD),
Diane Jenkins (202) 452-3544, Board of Governors of the Federal Reserve
System, 20th and C Streets, NW, Washington DC 20551.

FDIC: Frank Hartigan, Year 2000 Project Manager, Division of
Supervision (202) 898-6867; Sandy Comenetz, Year 2000 Project Manager,
Legal Division (202) 898-3582; Richard Bogue, Counsel, Legal Division
(202) 898-3726; or Nancy Chase Burton, Counsel, Legal Division (202)
898-6533, Federal Deposit Insurance Corporation, 550 17th Street, NW,
Washington, DC 20429.

OTS: Dorothy Van Cleave, National Year 2000 Coordinator (202) 906-7380;
Stephen E. Hart, Assistant Chief Counsel, Office of Enforcement,
Office of Chief Counsel (202) 906-7204; or Timothy P. Leary, Counsel
(Banking & Finance), Regulations and Legislation Division, Office of
Chief Counsel (202) 906-7170, Office of Thrift Supervision, 1700 G
Street, NW, Washington, DC 20552.

SUPPLEMENTARY INFORMATION:

Background

The Agencies today are issuing Guidelines establishing Year 2000
standards for safety and soundness pursuant to section 39 of the FDI
Act. 12 U.S.C. 1831p-1. Section 39 requires the Agencies to establish
operational and managerial standards either in the form of a regulation
or guidelines for insured depository institutions relating to, among
other things, internal controls, information systems, and internal
audit systems. Section 39 also authorizes the Agencies to prescribe
operational and managerial standards as they determine to be
appropriate, and to require institutions that fail to meet such
standards to submit corrective action plans.\1\
---------------------------------------------------------------------------

\1\ Standards issued under section 39 may take the form of
regulations or guidelines. If an agency determines that an insured
depository institution fails to meet any standard established by
regulation, then, by the terms of the statute, the agency must
require the institution to submit an acceptable plan to achieve
compliance with the standard. If an agency determines that an
insured depository institution fails to meet any standard
established by guideline, the agency may require the institution to
submit an acceptable compliance plan.
---------------------------------------------------------------------------

On October 15, 1998, the Agencies requested comment on joint
interim guidelines establishing Year 2000 standards for safety and
soundness. 63 FR 55480. After careful review of the comments received,
the Agencies adopt the interim guidelines with only minor technical
changes, discussed in the following.

The Guidelines are distilled from--and are intended to be
consistent with--key principles contained in several FFIEC guidance
papers \2\ on important aspects of Year 2000 readiness. Among
other things, the Guidelines describe certain essential steps that
insured depository institutions must take at the awareness, assessment,
renovation, validation (testing), and implementation phases of their
efforts to achieve Year 2000 readiness. The Guidelines, for instance,
establish standards for management and boards of directors in
developing and managing Year 2000 project plans, validating remediation
efforts, and planning for contingencies. The Guidelines do not replace
or supplant the FFIEC guidance, which will continue to apply to all
entities regulated or examined by the Agencies. Insured depository
institutions also should refer to the FFIEC guidance.\3\
---------------------------------------------------------------------------

\2\ Additional Questions and Answers Concerning Year 2000
Business Resumption Contingency Planning (May 6, 1999); Year 2000
Customer Communication Outline (February 17, 1999); Questions and
Answers Concerning Year 2000 Contingency Planning (December 11,
1998); Guidance Concerning Fiduciary Services and Year 2000
Readiness (September 2, 1998); Questions and Answers Concerning
FFIEC Year 2000 Policy (August 31, 1998); Guidance Concerning
Contingency Planning in Connection with Year 2000 Readiness (May 13,
1998); Guidance on Year 2000 Customer Awareness Programs (May 13,
1998); Guidance Concerning Testing for Year 2000 Readiness (April
10, 1998); Guidance Concerning the Year 2000 Impact on Customers
(March 17, 1998); Guidance Concerning Institution Due Diligence in
Connection with Service Provider and Software Vendor Year 2000
Readiness (March 17, 1998); Safety and Soundness Guidelines
Concerning the Year 2000 Business Risk (December 17, 1997); Year
2000 Project Management Awareness (May 5, 1997); and The Effect of
Year 2000 on Computer Systems (June 1996) [collectively, the FFIEC
guidance].

\3\ The standards in the Guidelines are described in mandatory
terms in order to clarify the specific actions insured depository
institutions are expected to take to achieve Year 2000 readiness.
Nevertheless, as explained in the following, an Agency will decide
whether to require corrective action under section 39 for an
institution's noncompliance with these standards based on the
circumstances of the particular case.
---------------------------------------------------------------------------

The Agencies will use the existing rules regarding safety and
soundness standards to require submission of
compliance plans by institutions that fail to comply with the
Guidelines. Under those rules, an insured depository institution must
file a compliance plan within 30 days of a request to do so from an
appropriate Federal banking agency, unless a different date is
prescribed by the agency. Within 30 days of the compliance plan's
receipt, the agency must provide written notice to the insured
depository institution of whether the compliance plan has been approved
or if additional information is required.

An insured depository institution that fails to submit an
acceptable compliance plan within the time allowed or fails in any
material respect to implement an accepted compliance plan will be
subject to supervisory action, including an agency order directing the
institution to correct the deficiency. The agency order is directly
enforceable in Federal district court; there is no requirement for a
prior administrative adjudication. See 12 U.S.C. 1818(i)(1). A
violation of such an order can serve as the basis for assessing civil
money penalties and other enforcement remedies. See 12 U.S.C.
1818(i)(2). Section 39 also describes certain supervisory actions that
an agency may take, and in certain cases must take, until the
deficiency is corrected.

Description of the Guidelines and Comments Received

In response to the interim guidelines, the Agencies received nine
comments. The commenters include three depository institutions, three
trade associations, one state banking regulator, and two individuals.
The commenters supported the interim guidelines. Several commenters,
however, suggested modifications to the interim guidelines. A
discussion of these comments and changes to the interim guidelines
follows.

Definitions (I.B.)

The Guidelines define certain key terms to help clarify the types
of actions insured depository institutions are expected to undertake.
For example, the Guidelines define the terms ``external system,''
``internal system,'' ``external third party supplier,'' ``other
material third party,'' ``renovation,'' and ``remediation contingency
plan.'' The Agencies received no comments on these definitions and are
adopting them without any changes.

The Guidelines also define the key term ``mission-critical
system.'' The interim guidelines defined a mission-critical system as
``an application or system that is vital to the successful continuance
of a core business activity.'' The Agencies made one clarifying change
to this definition in the Guidelines so that it covers ``an application
or system that is vital to the successful continuance of a core
business activity or process.'' The FFIEC guidance interchangeably uses
the terms core business activity, core business process, or core
business function in the context of discussing a mission-critical
system. The Agencies find that these terms are synonymous and,
therefore, may be used interchangeably for purposes of defining a
mission-critical system.

Under the Guidelines, applications or systems interfacing with
designated mission-critical systems and software products also may be
mission-critical. Two commenters suggested that the Agencies revise the
definition of a mission-critical system to clarify further the types of
interfacing applications and software products that may be mission-
critical. The first commenter urged the Agencies to consider an
application that interfaces with a mission-critical system to be
mission-critical only if the application's failure would prevent the
continuance of the core business activity supported by such mission-
critical system. The second commenter requested additional guidance on
what systems and applications, particularly software products, are
mission-critical and suggested that the definition contrast mission-
critical systems with non-mission-critical systems.

To address these concerns, the Agencies emphasize that the question
whether a specific system or application qualifies as ``mission-
critical'' depends on whether it is ``vital to the successful
continuance of a core business activity or process.'' Since it is
conceivable that a system or application that is mission-critical for
one insured depository institution may not be mission-critical for
another, neither the FFIEC guidance nor the Guidelines provide
illustrative examples of mission-critical systems. The FFIEC guidance,
however, further describes core business activities or processes. As
stated in the FFIEC guidance, a core business activity or process means
a task or group of tasks that must be performed together to ensure that
an insured depository institution continues to be viable. A core
business activity or process is generally defined along functional
lines. For example, the deposit function, lending function, payments
function, and investment function are examples of a core business
activity or process.

Likewise, an application or system that interfaces with a
designated mission-critical system also qualifies as mission-critical
if it is vital to the successful continuance of a core-business
activity or process. Specific mission-critical systems may be
components of a number of core business activities or processes and may
serve as interfaces between and among the operations of core business
activities or processes. For example, the deposit taking function is a
core business activity or process that could depend on various
interfacing mission-critical systems, such as the automated clearing
house (ACH), proof, and deposit systems.\4\
---------------------------------------------------------------------------

\4\ See FFIEC Questions and Answers Concerning Year 2000
Contingency Planning (December 11, 1998) (discussing how core
business processes relate to mission-critical systems).
---------------------------------------------------------------------------

The Guidelines also define ``business resumption contingency plan''
as a plan that ``describes how mission-critical systems of the insured
depository institution will continue to operate if there are system
failures * * *'' One commenter requested the Agencies to revise this
definition to focus on the resumption of core business activities in
the event of Year 2000-related system failures. As noted above, the
term ``mission-critical system'' covers those systems and applications
that are vital to the successful continuance of a core business
activity or process. Accordingly, the Agencies find that the definition
of a business resumption contingency plan, as stated in the interim
guidelines, already focuses only on the resumption of systems vital to
the successful continuance of a core business activity or process and,
therefore, no change to the Guidelines is necessary.

Finally, the Agencies made minor, but clarifying changes to the
definitions of ``business resumption contingency plan'' and ``Year 2000
ready or readiness.'' The interim guidelines inadvertently used the
conjunction ``or'' instead of ``and'' in these two definitions, and this has
been corrected in the final Guidelines.

Review of Mission-Critical Systems for Year 2000 Readiness (II.A.)

The Guidelines specify that an insured depository institution's
initial review of mission-critical systems for Year 2000 readiness
should provide the basis for establishing priorities and deadlines and
for identifying and allocating available resources. The development and
implementation of a written due diligence process to monitor and
evaluate Year 2000 efforts by third party service providers and
software vendors is a critical component of an institution's initial
assessment. The
Guidelines also require each insured depository institution to develop
and adopt a written project plan that addresses each phase of the
planning process. However, an insured depository institution that has
already developed and adopted an adequate written project plan, or
other plans and procedures for achieving Year 2000 readiness, need not
prepare a new, separate project plan, or other plans and procedures,
just to satisfy the Guidelines. Plans and procedures already adopted
may suffice if they have been reviewed and deemed acceptable under the
Guidelines by the appropriate Agency. The Agencies did not receive any
comments on these provisions and, therefore, adopt them without any
changes.

Renovation of Internal and External Mission-Critical Systems (II.B. and
II.C.)

The Guidelines distinguish between renovation of systems controlled
by the insured depository institution (internal mission-critical
systems) and those controlled by a third party (external mission-
critical systems). Renovation of internal mission-critical systems must
be completed in sufficient time for testing to be substantially
complete by December 31, 1998.

Insured depository institutions relying on systems controlled and
renovated by external third party suppliers must determine the ability
of their service providers and software vendors to address Year 2000
readiness for external mission-critical systems that are not Year 2000
ready and to establish programs that allow testing and remediation to
be substantially completed by March 31, 1999. Insured depository
institutions also must develop in writing an ongoing due diligence
process to monitor and evaluate the efforts of external third party
suppliers to achieve Year 2000 readiness. As part of this process, the
institutions must maintain written documentation of their
communications with external third party suppliers regarding the third
party suppliers' efforts to achieve Year 2000 readiness and review the
institution's contractual arrangements with third party suppliers to
determine the parties' respective rights and obligations to achieve
Year 2000 readiness. In response to one commenter's concerns, the
Agencies clarify that the Guidelines require the institution to review
only those contracts pertaining to external mission-critical systems.

Testing of Mission-Critical Systems (II.D.)

The Agencies consider testing to be a critical process in achieving
Year 2000 readiness. Failure of an insured depository institution to
perform adequate testing of mission-critical systems poses a risk to
the safe and sound operation of the institution. Failure to conduct
thorough testing may mask serious remediation problems. Failure to
properly identify or correct those problems could threaten the safety
and soundness of the institution. The Guidelines reflect the Agencies'
expectations on the timing and scope of required testing.

One commenter raised concerns about the inability of an institution
to meet the internal testing deadline because of extended delays by
software vendors in producing software that is Year 2000 ready.
Software products may be either internal or external systems, depending
on whether the insured depository institution has control over the
renovation. For example, in ``turnkey'' situations, where an
institution has purchased software from a vendor and does all the data
processing in-house or where it has a software license from a vendor
and does all the data processing in-house, these are ``internal''
systems. Under the Guidelines, the purchase or license arrangement is
deemed to give the institution responsibility for renovation, even
though the software vendor must perform the actual renovation.
Therefore, these situations were subject to the testing deadline for
``internal'' systems, which was December 31, 1998.

Contingency Planning (II.E. and II.F.)

Another essential component of achieving Year 2000 readiness
addressed in the Guidelines is the development and implementation of
effective contingency plans for Year 2000 technology failures. The
Guidelines require an insured depository institution to design
contingency plans appropriate for the institution's technological
systems and operating structure that describe how the institution will
mitigate the risks associated with the failure of systems (the business
resumption contingency plan) and, as applicable, the failure to
complete renovation, testing, or implementation of its mission-critical
systems (the remediation contingency plan).

As noted in recent FFIEC guidance, contingency planning is a
dynamic process. An effective contingency plan may become inadequate at
a later date if the institution does not revise the plan to address
current needs. Accordingly, each insured depository institution must
continue to update the contingency plans it has developed and
implemented, as needed, to ensure that the plans remain effective. For
example, some institutions rated less than satisfactory after June 1999
may need to establish plans that address obtaining alternative sources
of service, transitioning to a new service provider, discontinuing the
provision of certain bank services, and/or creating standardized backup
programs for their deposit and loan accounts.

Customer Risk (II.G.)

The Guidelines require insured depository institutions to implement
a due diligence process that identifies customers posing material Year
2000 risks, evaluates their Year 2000 preparedness, assesses their Year
2000 risk, and implements appropriate risk controls. The Agencies
received no comments on this section and, therefore, adopt this section
without any changes.

Involvement of the Board of Directors and Management (II.H.)

The Guidelines require the board of directors and management to be
involved in all stages of the institution's efforts to achieve Year
2000 readiness. Management and the board of directors together must be
actively involved in efforts to plan, allocate resources, and monitor
progress towards attaining Year 2000 readiness. Management must provide
to the board of directors written status reports at least quarterly or
as otherwise required to keep the board of directors fully informed of
the institution's Year 2000 efforts.

One commenter noted that the Guidelines are inconsistent with the
FFIEC guidance in that they impose on the board of directors an
inappropriate management function and a greater burden than would exist
under accepted notions of corporate governance. The Agencies do not
intend to alter traditional notions of corporate responsibility of the
board of directors. The FFIEC guidance, as reflected in the Guidelines,
emphasizes that Year 2000 issues present an enterprise-wide challenge,
necessitating the active involvement of both senior management and the
board of directors in overseeing the insured depository institution's
internal Year 2000 efforts and monitoring its business risks. As stated
in the FFIEC guidance, however, senior management continues to be
responsible for the day-to-day management of the project. In order to
erase any confusion on this point, however, the Agencies deleted the
word ``managing'' from
section H.1. of the Guidelines. The Guidelines now require only that
the board of directors and management ``be actively involved in efforts
to plan, allocate resources, and monitor progress towards attaining
Year 2000 readiness.''

Another commenter noted that management, in the past, generally
provided oral status reports to the board of directors documented in
the minutes. The commenter requested clarification whether this
practice would satisfy the requirement for written status reports. The
Agencies recognize that practices for documenting management's status
updates to the board of directors varied from institution to
institution. To ensure consistency in documenting an institution's
progress in attaining Year 2000 readiness, however, the Agencies will
require management to provide to the board of directors written status
reports. Therefore, the Agencies are adopting this section without any
changes.

Section 39 Remedies

The Guidelines enable the Agencies to use the streamlined
compliance and enforcement mechanisms provided by section 39 to
address, in appropriate circumstances, Year 2000 readiness-related
safety and soundness concerns in insured depository institutions.
Section 39 remedies for insured depository institutions allow the
Agencies to move promptly in situations where immediate supervisory
action is essential for safety and soundness reasons.

Nonetheless, issuance of a safety and soundness order pursuant to
section 39 may not be the most appropriate remedy in every case where
an insured depository institution fails to comply with the Guidelines.
It is for this reason the Agencies have chosen to proceed by guideline,
within the meaning of section 39, rather than by regulation. As is the
case with respect to the Agencies' 1995 safety and soundness
guidelines, the Agencies also wish to preserve their discretion to
require supervisory actions different from those prescribed by section
39 with respect to the Guidelines if a different action is warranted by
the facts and circumstances of a particular situation.

The Guidelines do not limit the authority of an Agency to address
unsafe or unsound practices or conditions, violations of law, or other
practices, or to adopt appropriate remedies to achieve compliance with
the Guidelines, including requiring actions by dates that are different
from those set forth in the Guidelines. Actions under section 39 and
the Guidelines may be taken independently of, in conjunction with, or
in addition to, other appropriate enforcement actions.

The Agencies note that by law the Guidelines apply only to insured
depository institutions, not to all financial institutions supervised
by the Agencies, such as bank holding companies and U.S. offices of
foreign banking organizations. The Agencies will continue to examine
and inspect all financial institutions that they supervise for
compliance with the FFIEC guidance and may use their authority under
section 8 of the FDI Act if these institutions fail to comply with the
FFIEC guidance.

Effective Date

The Agencies find good cause for issuing the Guidelines effective
immediately. Cf. 5 U.S.C. 553(d) (good cause exception to APA
requirement for a 30 day delayed effective date for final rule); 12
U.S.C. 4802(b)(1) (good cause exception to the CDRIA requirement that
the Federal banking agencies make rules effective on the first day of a
calendar quarter which begins on or after the date on which the
regulations are published in final form). Making the Guidelines
effective immediately is essential for ensuring that the Agencies can
properly and timely address the Year 2000 problem and that insured
depository institutions can achieve Year 2000 readiness in the
relatively short time remaining before Year 2000 problems may begin to
occur. The Agencies note that Congress has recently underscored the
importance and urgency of ensuring Year 2000 readiness in the financial
services sector by passing the Examination Parity and Year 2000
Readiness for Financial Institutions Act, Public Law 105-164, sec. 2,
112 Stat. 32, 32 (1998). Congress expressly found that the Year 2000
problem poses a serious challenge to the American economy, including
the Nation's banking and financial services industries, and that
Federal financial regulatory agencies must have sufficient examination
authority to ensure that the safety and soundness of the Nation's
financial institutions will not be at risk. Under these circumstances,
the Agencies conclude that they have good cause for issuing the
Guidelines with an immediate effective date.

Regulatory Flexibility Act Analysis

The Regulatory Flexibility Act (RFA) does not apply to a rule for
which an agency is not required to publish a notice of proposed
rulemaking. 5 U.S.C. 603. In issuing the interim guidelines, the
Agencies concluded, for good cause, that they are not required to
publish a notice of proposed rulemaking. Accordingly, they issued the
interim guidelines without prior notice and comment to be effective
immediately. Since the RFA does not apply to a rule for which an agency
is not required to publish a notice of proposed rulemaking, the
Agencies also conclude that the RFA does not require a regulatory
flexibility analysis of these joint final guidelines.

Nonetheless, the Agencies considered the likely economic impact of
the Guidelines on small entities and believe that the Guidelines do not
have a significant impact on a substantial number of small entities.
The potential inability of computers to correctly recognize certain
dates in 1999 and on and after January 1, 2000, compels all
institutions, including small institutions, to formulate appropriate
and timely management responses. The Guidelines provide a procedural
framework for formulating that response and reiterate the Agencies'
expectations, distilled from existing FFIEC guidance, regarding
appropriate business practices for achieving Year 2000 readiness. For
example, as indicated earlier in this preamble, plans and procedures
that institutions have already developed to achieve Year 2000 readiness
can satisfy the Guidelines if they have been reviewed and deemed
acceptable by the appropriate Agency. The Agencies requested comments
on the impact of the Guidelines on small entities and received no
comments.

Paperwork Reduction Act

These Guidelines contain no continuing information collections that
must be approved by the Office of Management and Budget (OMB).

Executive Order 12866

The OCC and OTS have determined that the Guidelines are not a
significant regulatory action under Executive Order 12866.

OCC and OTS: Unfunded Mandates Reform Act Analysis

The Unfunded Mandates Reform Act of 1995 (UMA), Public Law 104-4,
applies only when an agency is required to promulgate a general notice
of proposed rulemaking or to a final rule for which a general notice of
proposed rulemaking was published. 2 U.S.C. 1532. As noted above, the
Agencies did not publish a general notice of proposed rulemaking when
they, for good cause, issued the interim guidelines with an immediate
effective date. Accordingly, the OCC and OTS conclude that the UMA does
not require an unfunded mandates analysis of the Guidelines.

[[Page 66704]]

Moreover, the OCC and OTS believe that the Guidelines will not
result in expenditures by State, local, and tribal governments, or by
the private sector, of more than $100 million in any one year.
Accordingly, neither the OCC nor the OTS has prepared a budgetary
impact statement or specifically addressed the regulatory alternatives
considered.

Text of Uniform Final Guidelines (All Agencies)

The text of the Agencies' uniform final guidelines appears below:

Appendix ____ To Part ____ Interagency Guidelines Establishing Year
2000 Standards for Safety and Soundness

Table of Contents

I. Introduction
A. Preservation of existing authority
B. Definitions
II. Year 2000 Standards for Safety and Soundness
A. Review of mission-critical systems for Year 2000 readiness
B. Renovation of internal mission-critical systems
C. Renovation of external mission-critical systems
D. Testing of mission-critical systems
E. Business resumption contingency planning
F. Remediation contingency planning
G. Customer risk
H. Involvement of the board of directors and management

I. Introduction

The Interagency Guidelines Establishing Year 2000 Standards for
Safety and Soundness (Guidelines) set forth safety and soundness
standards pursuant to section 39 of the Federal Deposit Insurance
Act (section 39) (12 U.S.C. 1831p-1) that are applicable to an
insured depository institution's efforts to achieve Year 2000
readiness. The Guidelines, which also interpret the general
standards in the Interagency Guidelines Establishing Standards for
Safety and Soundness adopted in 1995, apply to all insured
depository institutions.

A. Preservation of Existing Authority

Neither section 39 nor the Guidelines in any way limits the
authority of the Federal banking agencies to address unsafe or
unsound practices, violations of law, unsafe or unsound conditions,
or other practices. The Federal banking agencies, in their sole
discretion, may take appropriate actions so that insured depository
institutions will be able to successfully continue business
operations after January 1, 2000, including on a case-by-case basis
requiring actions by dates that are later than the key dates set
forth in the Guidelines. Action under section 39 and the Guidelines
may be taken independently of, in conjunction with, or in addition
to any other action, including enforcement action, available to the
Federal banking agencies.

B. Definitions

1. In general. For purposes of the Guidelines the following
definitions apply:
a. Business resumption contingency plan means a plan that
describes how mission-critical systems of the insured depository
institution will continue to operate in the event there are system
failures in processing, calculating, comparing, or sequencing date
or time data from, into, or between the 20th and 21st centuries; and
the years 1999 and 2000; and with regard to leap year calculations.
b. External system means a system the renovation of which is not
controlled by the insured depository institution, including systems
provided by service providers and any interfaces with external third
party suppliers and other material third parties.
c. External third party supplier means a service provider or
software vendor that supplies services or products to insured
depository institutions.
d. Internal system means a system the renovation of which is
controlled by the insured depository institution, including
software, operating systems, mainframe computers, personal
computers, readers/sorters, and proof machines. An internal system
also may include a system controlled by the insured depository
institution with embedded integrated circuits (e.g., heating and
cooling systems, vaults, communications, security systems, and
elevators).
e. Mission-critical system means an application or system that
is vital to the successful continuance of a core business activity
or process. An application or system may be mission-critical if it
interfaces with a designated mission-critical system. Software
products also may be mission-critical.
f. Other material third party means a third party, other than an
external third party supplier, to whom an insured depository
institution transmits data or from whom an insured depository
institution receives data, including business partners (e.g., credit
bureaus), other insured depository institutions, payment system
providers, clearinghouses, customers, and utilities.
g. Remediation contingency plan means a plan that describes how
the insured depository institution will mitigate the risks
associated with the failure to successfully complete renovation,
testing, or implementation of its mission-critical systems.
h. Renovation means code enhancements, hardware and software
upgrades, system replacements, and other associated changes that
ensure that the insured depository institution's mission-critical
systems and applications are Year 2000 ready.
i. Year 2000 ready or readiness with respect to a system or
application means a system or application accurately processes,
calculates, compares, or sequences date or time data from, into, or
between the 20th and 21st centuries; and the years 1999 and 2000;
and with regard to leap year calculations.

II. Year 2000 Standards for Safety and Soundness

A. Review of Mission-Critical Systems For Year 2000 Readiness.
Each insured depository institution shall in writing:
1. Identify all internal and external mission-critical systems
that are not Year 2000 ready;
2. Establish priorities for accomplishing work and allocating
resources to renovating internal mission-critical systems;
3. Identify the resource requirements and individuals assigned
to the Year 2000 project on internal mission-critical systems;
4. Establish reasonable deadlines for commencing and completing
the renovation of such internal mission-critical systems;
5. Develop and adopt a project plan that addresses the insured
depository institution's Year 2000 renovation, testing, contingency
planning, and management oversight process; and
6. Develop a due diligence process to monitor and evaluate the
efforts of external third party suppliers to achieve Year 2000
readiness.
B. Renovation of Internal Mission-Critical Systems. Each insured
depository institution shall commence renovation of all internal
mission-critical systems that are not Year 2000 ready in sufficient
time that testing of the renovation can be substantially completed
by December 31, 1998.
C. Renovation of External Mission-Critical Systems. Each insured
depository institution shall:
1. Determine the ability of external third party suppliers to
renovate external mission-critical systems that are not Year 2000
ready and to complete the renovation in sufficient time to
substantially complete testing by March 31, 1999;
2. Maintain written documentation of all its communications with
external third party suppliers regarding their ability to renovate
timely and effectively external mission-critical systems that are
not Year 2000 ready; and
3. Develop in writing an ongoing due diligence process to
monitor and evaluate the efforts of external third party suppliers
to achieve Year 2000 readiness, including:
a. monitoring the efforts of external third party suppliers to
achieve Year 2000 readiness on at least a quarterly basis and
documenting communications with these suppliers; and
b. reviewing the insured depository institution's contractual
arrangements with external third party suppliers to determine the
parties' rights and obligations to achieve Year 2000 readiness.
D. Testing of Mission-Critical Systems. Each insured depository
institution shall:
1. Develop and implement an effective written testing plan for
both internal and external systems. Such a plan shall include the
testing environment, testing methodology, testing schedules, budget
projections, participants to be involved in testing, and the
critical dates to be tested to achieve Year 2000 readiness;
2. Verify the adequacy of the testing process and validate the
results of the tests with the assistance of the project manager
responsible for Year 2000 readiness, the owner of the system tested,
and an objective independent party (such as an auditor, a
consultant, or a qualified individual from within or outside of the
insured depository institution who is independent of the process
under review);

[[Page 66705]]

3. Substantially complete testing of internal mission-critical
systems by December 31, 1998;
4. Commence testing of external mission-critical systems by
January 1, 1999;
5. Substantially complete testing of external mission-critical
systems by March 31, 1999;
6. Commence testing with other material third parties by March
31, 1999; and
7. Complete testing of all mission-critical systems by June 30,
1999.
E. Business Resumption Contingency Planning. Each insured
depository institution shall develop and implement an effective
written business resumption contingency plan that, at a minimum:
1. Defines scenarios for mission-critical systems failing to
achieve Year 2000 readiness;
2. Evaluates options and selects a reasonable contingency
strategy for those systems;
3. Provides for the periodic testing of the business resumption
contingency plan; and
4. Provides for independent testing of the business resumption
contingency plan by an objective independent party, such as an
auditor, consultant, or qualified individual from another area of
the insured depository institution who was not involved in the
formulation of the business resumption contingency plan.
F. Remediation Contingency Planning. Each insured depository
institution that has failed to successfully complete renovation,
testing, and implementation of a mission-critical system, or is in
the process of remediation and is not on schedule with the key dates
in section II.D., shall develop and implement an effective written
remediation contingency plan that, at a minimum:
1. Outlines the alternatives available if remediation efforts
are not successful, including the availability of alternative
external third party suppliers, and selects a reasonable contingency
strategy; and
2. Establishes trigger dates for activating the remediation
contingency plan, taking into account the time necessary to convert
to alternative external third party suppliers or to complete any
other selected strategy.
G. Customer Risk. Each insured depository institution shall
develop and implement a written due diligence process that:
1. Identifies customers, including fund providers, fund takers,
and capital market/asset management counterparties, that represent
material risk exposure to the institution;
2. Evaluates their Year 2000 preparedness;
3. Assesses their existing and potential Year 2000 risk to the
institution; and
4. Implements appropriate risk controls, including controls for
underwriting risk, to manage and mitigate their Year 2000 risk to
the institution.
H. Involvement of the Board of Directors and Management.
1. During all stages of the renovation, testing, and contingency
planning process, the board of directors and management of each
insured depository institution shall:
a. be actively involved in efforts to plan, allocate resources,
and monitor progress towards attaining Year 2000 readiness;
b. oversee the efforts of the insured depository institution to
achieve Year 2000 readiness and allocate sufficient resources to
resolve problems relating to the institution's Year 2000 readiness;
and
c. evaluate the Year 2000 risk associated with any strategic
business initiatives contemplated by the insured depository
institution, including mergers and acquisitions, major systems
development, corporate alliances, and system interdependencies.
2. In addition, the board of directors, at a minimum, shall
require from management, and management shall provide to the board
of directors, written status reports, at least quarterly and as
otherwise appropriate to keep the directorate fully informed, of the
insured depository institution's efforts in achieving Year 2000
readiness. Such written status reports shall, at a minimum, include:
a. The overall progress of the insured depository institution's
efforts in achieving Year 2000 readiness;
b. The insured depository institution's interim progress in
renovating, validating, and contingency planning measured against
the insured depository institution's Year 2000 project plan as
adopted under section II.A.5. of appendix B;
c. The status of efforts by key external third party suppliers
and other material third parties in achieving Year 2000 readiness;
d. The results of the testing process;
e. The status of contingency planning efforts; and
f. The status of the ongoing assessment of customer risk.

[End of text of Uniform Interagency Guidelines]

List of Subjects

12 CFR Part 30

Administrative practice and procedure, National banks, Reporting
and recordkeeping requirements, Safety and soundness.

12 CFR Part 208

Accounting, Agriculture, Banks, banking, Confidential business
information, Crime, Currency, Federal Reserve System, Mortgages,
Reporting and recordkeeping requirements, Safety and soundness,
Securities.

12 CFR Part 364

Administrative practice and procedure, Bank deposit insurance,
Banks, banking, Reporting and recordkeeping requirements, Safety and
soundness.

12 CFR Part 570

Accounting, Administrative practice and procedure, Bank deposit
insurance, Holding companies, Reporting and recordkeeping requirements,
Savings associations, Safety and soundness.

Adoption of Uniform Interagency Final Guidelines

The agency specific adoptions of the uniform interagency final
guidelines, which appear at the end of the common preamble, are set
forth below.

Office of the Comptroller of the Currency

12 CFR CHAPTER I

Authority and Issuance

For the reasons set forth in the common preamble, part 30 of
chapter I of title 12 of the Code of Federal Regulations is amended as
follows:

PART 30--SAFETY AND SOUNDNESS STANDARDS

1. The authority citation for part 30 continues to read as follows:

Authority: 12 U.S.C. 93a, 1818, 1831p-1, 3102(b).

2. Appendix B to part 30 is revised to read as set forth at the end
of the common preamble:

Appendix B to Part 30--Interagency Guidelines Establishing Year
2000 Standards for Safety and Soundness

Dated: October 12, 1999.
John D. Hawke, Jr.,
Comptroller of the Currency.

Federal Reserve System

12 CFR CHAPTER II

Authority and Issuance

For the reasons set forth in the common preamble, part 208 of
chapter II of title 12 of the Code of Federal Regulations is amended as
follows:

PART 208--MEMBERSHIP OF STATE BANKING INSTITUTIONS IN THE FEDERAL
RESERVE SYSTEM (REGULATION H)

1. The authority citation for 12 CFR Part 208 continues to read as
follows:

Authority: 12 U.S.C. 24, 36, 92a, 93a, 248(a), 248(c), 321-338a,
371d, 461, 481-486, 601, 611, 1814, 1816, 1818, 1823(j), 1828(o),
1831o, 1831p-1, 1831r-1, 1835a, 1882, 2901-2907, 3105, 3310,
3331-3351, and 3906-3909, 15 U.S.C. 78b, 78l(b), 78l(g), 78l(i),
78o-4(c)(5), 78q, 78q-1, and 78w; 31 U.S.C. 5318; 42 U.S.C. 4012a,
4104a, 4104b, 4106, and 4128.

2. The interim rule redesignating Appendix D to 12 CFR part 208 as
Appendix D-1 to 12 CFR part 208 published at 63 FR 55480 on October 15,
1998, is adopted as final.
3. Appendix D-2 to part 208 is revised to read as set forth at the
end of the common preamble:

[[Page 66706]]

Appendix D-2 to Part 208--Interagency Guidelines Establishing Year
2000 Standards for Safety and Soundness

By Order of the Board of Governors of the Federal Reserve
System.

Dated: October 22, 1999.
Robert deV. Frierson,
Associate Secretary of the Board.

Federal Deposit Insurance Corporation

12 CFR CHAPTER III

Authority and Issuance

For the reasons set forth in the common preamble, part 364 of
chapter III of title 12 of the Code of Federal Regulations is amended
as follows:

PART 364--STANDARDS FOR SAFETY AND SOUNDNESS

1. The authority citation for 12 CFR part 364 continues to read as
follows:

Authority: 12 U.S.C. 1819 (Tenth), 1831p-1.

2. Appendix B to part 364 is revised to read as set forth at the
end of the common preamble:

Appendix B to Part 364--Interagency Guidelines Establishing Year
2000 Standards for Safety and Soundness

By Order of the Board of Directors.

Dated at Washington, DC, this 8th Day of November, 1999.

Federal Deposit Insurance Corporation.
Robert E. Feldman,
Executive Secretary.

Office of Thrift Supervision

12 CFR CHAPTER V

Authority and Issuance

For the reasons set forth in the common preamble, part 570 of
chapter V of title 12 of the Code of Federal Regulations is amended as
follows:

PART 570--SUBMISSION AND REVIEW OF SAFETY AND SOUNDNESS COMPLIANCE
PLANS AND ISSUANCE OF ORDERS TO CORRECT SAFETY AND SOUNDNESS
DEFICIENCIES

1. The authority citation for part 570 continues to read as
follows:

Authority: 12 U.S.C. 1831p-1.

2. Appendix B to part 570 is revised to read as set forth at the
end of the common preamble:

Appendix B to Part 570--Interagency Guidelines Establishing Year
2000 Standards for Safety and Soundness

Dated: October 15, 1999.
Ellen Seidman,
Director.
[FR Doc. 99-30284 Filed 11-26-99; 8:45 am]
BILLING CODE 4810-33-U; 6210-01-U; 6714-01-U; 6720-01-U

______________________________________________________________________
Last Updated 11/29/1999 regs@fdic.gov