Skip to main content
U.S. flag
An official website of the United States government
Dot gov
The .gov means it’s official. 
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.
Https
The site is secure. 
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.
INACTIVE
This page is no longer active. Its content has expired or been rescinded by the FDIC.

Year 2000 Project Management Awareness

Information Technology / Cybersecurity
May 9, 1997

TO: CHIEF EXECUTIVE OFFICER
SUBJECT: Interagency Statement on Year 2000 Project Management Awareness

The Federal Financial Institutions Examination Council (FFIEC) on May 5, 1997, issued the attached press release and interagency statement providing guidance on the scope of the activities necessary for insured financial institutions to make all information-processing systems capable of recognizing dates in the Year 2000 and beyond.

The attached statement updates the FFIEC's statement "The Effect of Year 2000 on Computer Systems," issued in June 1996, and it reflects the federal agencies' concerns about the industry's readiness for the Year 2000. The statement outlines the agencies' supervisory strategy to ensure an orderly transition into the next century.

Financial institutions should be well into the "assessment" phase of their Year 2000 project management plan. As noted in the statement, mission-critical systems should be identified and priorities set for Year 2000 work by the end of the third quarter of 1997. For mission-critical applications, the agencies strongly recommend that programming changes be largely completed and testing well underway by December 31, 1998. This time line for testing critical applications has been accelerated since the June 1996 interagency statement to ensure that system interdependencies are not disrupted. Reprogramming for other applications should also be completed by December 31, 1998, to allow a full year for testing and adjustments.

The statement discusses three Year 2000-related issues requiring management attention:

    reliance on vendors,
    risks posed by exchanging data with external parties, and
    the potential effect of Year 2000 noncompliance on corporate borrowers.

Other operational issues related to Year 2000 planning are also highlighted.

The FDIC and state banking authorities will review the conversion efforts of all FDIC-supervised banks in 1997, using the attached examiner questionnaire and examination procedures or similar tools. Meanwhile, management is encouraged to use these examination tools to assess the adequacy of its own efforts in addressing Year 2000 issues. If you foresee significant problems meeting the target time lines in this guidance, please notify your Division of Supervision regional office.

The attached interagency statement and related information on Year 2000 issues are available on the Internet via the World Wide Web at

For more information, please contact your Division of Supervision Regional Office.


Nicholas J. Ketcha Jr.
Director

Attachments: (below)
FFIEC Press Release
FFIEC Press Release attachment
Appendix A
Appendix B

Distribution: FDIC-Supervised Banks (Commercial and Savings)

NOTE: Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 801 17th Street, N.W., Room 100, Washington, D.C. 20434 (800-276-6003 or (703) 562-2200). Electronic versions are available at: /banknews/fils/

Attachment:

Federal Financial Institutions Examination Council Press Release

For immediate release May 5, 1997

Federal Bank Regulators Outline Year 2000 Project Management Goals

The Federal Financial Institutions Examination Council's Task Force on Supervision today issued an Interagency Statement for the banking industry and federal examiners, intended to focus their attention on the critical issues financial institutions need to address quickly to resolve Year 2000 computer problems and avoid major service disruptions.

The FFIEC Task Force first alerted the industry to the Year 2000 problem in June 1996, and recommended that institutions perform risk assessments and plan a strategy to address vulnerable systems.

Today's Statement outlines a project management process that strongly encourages federally insured depository institutions to complete an inventory of core computer functions and set priorities for Year 2000 goals by September 30, 1997. Banks are expected to largely complete programming changes, and have testing well underway for mission critical systems by December 31, 1998.

In an appendix to the Statement, the Task Force included an examiner questionnaire to help regulatory agencies conduct assessments of financial institution planning efforts, which are expected to be completed shortly. Based on the results of these assessments, regulators will prioritize supervisory reviews, using examination procedures contained in a second appendix to the Statement. The regulators expect to complete examinations of conversion efforts by mid-1998.

Federal financial regulators are concerned that systemic disruptions and potential failures could result if computers used by financial institutions cannot properly read date-sensitive information when the calender year changes to 2000. For this reason, an institution's reprogramming planning should include consideration of the vendors whose products and services a financial institution uses; the other banks, clearing houses and customers with whom it exchanges data electronically; and, corporate borrowers, whose creditworthiness might be diminished by significant service disruptions.

In a statement today, the Task Force said, "The Year 2000 presents a number of very difficult challenges for the financial services industry, which relies heavily on effective computer communications between banks, external data networks and data processing centers, and their customers. The Interagency Statement adopted today emphasizes the important issues that banks, thrifts and credit unions need to address right now to meet critical deadlines in preparation for the Year 2000."

The Interagency Statement outlines five management phases necessary to complete a computer conversion program: awareness, assessment, renovation, validation, and implementation. During the final stage, systems should be certified as compliant and accepted by business users. Federal regulators intend to work closely with institutions that face unusual difficulties.

The Interagency Statement is attached.

Attachment:

Federal Financial Institutions Examination Council

YEAR 2000 PROJECT MANAGEMENT AWARENESS
May 5, 1997

To: Chief Executive Officers of all federally supervised financial institutions, providers of data services, senior management of each FFIEC agency, and all examining personnel.

Purpose:

This Interagency Statement is intended to emphasize the need to make all information processing systems Year 2000 compliant and identify specific concerns that should be considered in managing a conversion program. The FFIEC first alerted the industry in June 1996 of the Year 2000 problem. At that time, we recommended that financial institutions perform a risk assessment of their processing systems and begin developing an action plan to address vulnerable systems. This Interagency Statement expands on those topics and stresses a number of areas which may need special attention. It also describes the supervisory strategy that the federal banking agencies will pursue in monitoring Year 2000 conversion efforts of financial institutions, as well as third-party data processing servicers, and software suppliers servicing insured financial institutions.

The Year 2000 poses serious challenges to the industry. Many experts believe that even the most prepared organizations may encounter some implementation problems. The federal banking agencies want to ensure that financial institutions avoid major disruptions and will work with the industry to reach that goal. They will implement a supervisory plan designed to: heighten awareness of the Year 2000 problem within the industry; perform an assessment of the planning efforts of financial institutions for Year 2000; conduct a supervisory review of all institutions for Year 2000 preparedness; and work with institutions that face difficulties. The agencies will undertake follow-up activities to ensure institutions focus on problem areas and take appropriate supervisory action if they are unable to encourage a financial institution to devote adequate attention to achieving Year 2000 compliance.

This Statement has four major parts: an outline of the Year 2000 project management process; identification of three external risk issues that the Year 2000 conversion plan should consider; other operational issues that may be relevant to an institution's Year 2000 planning; and a description of the federal banking agencies' supervisory strategy.

Year 2000 Project Management:

The Year 2000 problem presents a number of difficult challenges to financial institution management. Information systems are often complex and have been developed over many years through a variety of computer languages and hardware platforms. For many financial institutions, correction of those problems will be costly and complex. A lack of skilled mainframe programmers and system experts compounds the problem.

Year 2000 conversion projects will require executive management sponsorship and an effective project management process. The project management process begins with an awareness of the issue and an assessment of the extent of Year 2000 problems within financial institution systems. This includes identification of affected applications and databases. Mission critical applications should be identified and priorities set for Year 2000 work by the end of the third quarter of 1997. Financial institutions and service providers should be well into this phase of the project. Code enhancements and revisions, hardware upgrades, and other associated changes follow the assessment phase and should be largely completed by December 31, 1998.

Since the 1996 Interagency Statement, it has become clear that testing mission critical system interdependencies, particularly those with external systems, will be time consuming and could take up to at least one year in more complex data processing environments. Accordingly, for mission critical applications, the federal banking agencies strongly encourage the industry to assure that programming changes are largely completed and that testing be well underway by December 31, 1998. This is a change from the June 1996 Interagency Statement due to the importance of fully testing connectivity between major servicers and other financial institutions.

Year 2000 project management processes are expected to be more formalized in financial institutions with complex systems or which rely on in-house application development. In all financial institutions, regardless of size or complexity, strong leadership, effective communication, and accountability are necessary to ensure that Year 2000 initiatives will be successful. The following describes the discovery, planning, and implementation process in managing an institution's conversion program:

    Awareness Phase - Define the Year 2000 problem and gain executive level support for the resources necessary to perform compliance work. Establish a Year 2000 program team and develop an overall strategy that encompasses in-house systems, service bureaus for systems that are outsourced, vendors, auditors, customers, and suppliers (including correspondents).

    Assessment Phase - Assess the size and complexity of the problem and detail the magnitude of the effort necessary to address Year 2000 issues. This phase must identify all hardware, software, networks, automated teller machines, other various processing platforms, and customer and vendor interdependencies affected by the Year 2000 date change. The assessment must go beyond information systems and include environmental systems that are dependent on embedded microchips, such as security systems, elevators and vaults.

    Management also must evaluate the Year 2000 effect on other strategic business initiatives. The assessment should consider the potential effect that mergers and acquisitions, major system development, corporate alliances, and system interdependencies will have on existing systems and/or the potential Year 2000 issues that may arise from acquired systems.

    The financial institution or vendor should also identify resource needs, establish time frames and sequencing of Year 2000 efforts. Resource needs include appropriately skilled personnel, contractors, vendor support, budget allocations, and hardware capacity. This phase should clearly identify corporate accountability throughout the project, and policies should define reporting, monitoring, and notification requirements. Finally, contingency plans should be developed to cover unforeseen obstacles during the renovation and validation phases and include plans to deal with lesser priority systems that would be fixed later in the renovation phase.

    Renovation Phase - This phase includes code enhancements, hardware and software upgrades, system replacements, vendor certification, and other associated changes. Work should be prioritized based on information gathered during the assessment phase. For institutions relying on outside servicers or third-party software providers, ongoing discussions and monitoring of vendor progress are necessary.

    Validation Phase - Testing is a multifaceted process that is critical to the Year 2000 project and inherent in each phase of the project management plan. This process includes the testing of incremental changes to hardware and software components. In addition to testing upgraded components, connections with other systems must be verified, and all changes should be accepted by internal and external users. Management should establish controls to assure the effective and timely completion of all hardware and software testing prior to final implementation. As with the renovation phase, financial institutions should be in ongoing discussions with their vendors on the success of their validation efforts.

    Implementation Phase - In this phase, systems should be certified as Year 2000 compliant and be accepted by the business users. For any system failing certification, the business effect must be assessed clearly and the organization's Year 2000 contingency plans should be implemented. Any potentially noncompliant mission-critical system should be brought to the attention of executive management immediately for resolution. In addition, this phase must ensure that any new systems or subsequent changes to verified systems are compliant with Year 2000 requirements.

External Issues:

Our discussions with Year 2000 experts, bankers, and field examiners indicate some financial institutions have not yet considered all the implications of the Year 2000 problem or lack conformance to time critical dates. More specifically, management should begin immediately to consider the following areas in its project planning process:

    Reliance on Vendors - The agencies find that some financial institutions, relying on third-party data processing servicers or purchased applications software, have not taken a proactive approach in ensuring Year 2000 compliance by their vendors. Management should evaluate vendor plans and actively monitor project milestones. Institutions should determine if vendor contract terms can be revised to include Year 2000 covenants. Management should be aware of vendor specific responsibilities and their institution's vulnerability if the vendor cannot meet contractual obligations.

    Alternate service or software providers should be considered if vendor solutions or time frames are inadequate. If purchased products or services belong to larger, integrated systems, financial institutions' testing and certification processes will have to be fully coordinated with their vendor's Year 2000 testing. Management must also ensure that vendors have the capacity (both financial and personnel) to complete the project and are willing to certify Year 2000 compliance.

    Data Exchange - The Year 2000 problem also poses a risk to the quality of information that institutions exchange with other firms. Large volumes of date sensitive data are transferred electronically between financial institutions, their customers, and their regulators. Institutions will need to know how methods of data exchange differ among financial institutions, across vendors, and between other institutions. Therefore, Year 2000 planning should allow sufficient time to assess the effect that Year 2000 solutions will have on data transfers. The project plan should also include testing and verification, as appropriate, of data exchanges with clearing associations, governmental entities, customers and international financial institutions.

    Corporate Customers - Many corporate customers (borrowers) depend on computer systems that must be Year 2000 compliant. Corporate customers, who have not considered Year 2000 issues, may experience a disruption in business, resulting in potentially significant financial difficulties that could affect their creditworthiness. Financial institutions should develop processes to periodically assess large corporate customer Year 2000 efforts and may consider writing Year 2000 compliance into their loan documentation. Loan and credit review officers should consider in their credit analysis of large corporate customers whether the borrower's Year 2000 conversion efforts are sufficient to avoid significant disruptions to operations.

Other Year 2000 Operating Issues:

The following issues should also be considered in addressing Year 2000 planning:

    Replacement vs. Repair - Cost and timing considerations will affect a financial institution's decision to replace or repair strategic systems. Those factors may dictate that some systems will be repaired in the short term and strategically replaced sometime after January 1, 2000. Conversely, it may be more cost effective to accelerate the replacement of strategic systems.

    Cost and Monitoring - As the Year 2000 approaches and the urgency of fixing problems increases, the costs of obtaining/retaining qualified staff to address the problems will undoubtedly rise, perhaps significantly. Some experts believe that the limited availability of technical support will be a major obstacle to making systems Year 2000 compliant. Knowledge of market conditions for skilled programmers and developing programs to retain key personnel may be necessary to ensure that adequate resources are available throughout the project's life.

    Mergers and Acquisitions (M&As) - The extent of Year 2000 conversion efforts will bear directly on corporate M&As' strategies since conversions resulting from M&As will compete for project managers and technical resources. Acquisition strategies should include the institution's Year 2000 assessment to the extent possible.

    Remote Locations - Remote or overseas operations also need to devote attention to Year 2000 issues. In particular, management information systems for businesses that run semi-autonomously from the head office must be included in the financial institution's system inventory and plans. To the extent that such systems serve as critical controls for business operations, they could expose the financial institution to significant undetected vulnerabilities. Appropriate staff members throughout the organization must be aware of the risks associated with the Year 2000 issue and how they might be affected.

    Contracts - Legal issues may arise from the lack of specificity in contract terms dealing with Year 2000 issues. Financial institutions should modify existing contracts which do not specifically address Year 2000 compliance by the vendor. Otherwise, conflicts may result regarding the commitment and responsibility to assure Year 2000 compliance. Current and future purchases should require Year 2000 certification. If contract changes or modifications are refused, then the institution should consider replacing the service or product.

    Leap Year - All Year 2000 plans need to address the leap year - February 29, 2000 - issue. All date and calculation routines need to be reviewed to ensure that leap year calculations are Year 2000 certified.

Supervisory Strategy:

The federal banking agencies plan to conduct a supervisory review of all financial institutions' Year 2000 conversion efforts by mid-1998. They will soon complete an assessment of financial institutions' Year 2000 planning efforts. The appropriate regulatory agency may use the examiner questionnaire in Appendix A, or a similar tool, to help conduct this assessment. Financial institutions will be provided with specific instructions from your agency about this part of their supervisory strategy. The agencies will use the results of their assessment to prioritize on-site examinations and will target first those institutions that have not actively begun a Year 2000 conversion program.

The federal banking agencies will utilize uniform examination procedures to facilitate Year 2000 examinations (Appendix B). Management is encouraged to use these examination tools to perform internal reviews or self-evaluations in connection with their own efforts to address the Year 2000 problem. Examiners will work with institutions that encounter significant problems addressing Year 2000 issues.

Focusing on financial institutions alone will not prevent Year 2000 disruptions. The federal banking agencies will work cooperatively to ensure that supervisory reviews include data processing service providers and third-party software vendors who provide services to federally insured financial institutions. This effort will include vendors who are a part of the Multiregional Data Processing Servicer program and the Shared Application Software Review program.

Appendix A

Year 2000 Examiner Questionnaire

Introduction

This questionnaire is designed to capture macro-level information on Year 2000 preparations from financial institutions and their information systems vendors. The information will help examiners prioritize their Year 2000 reviews. The questions are presented in a "yes - no" answer format. However, examiners may also ask open-ended questions to develop a thorough understanding of the institution's/vendor's Year 2000 capabilities.

Capability

1. Are the institution's/vendor's information processing (hardware and software) and delivery (telecommunications) systems capable and ready to handle Year 2000 processing?

Overall Plan

2. Does the institution/vendor have a Year 2000 problem resolution process that includes these basic phases:

    Awareness of the problem.

    Assessment of complexity.

    Renovation.

    Validation.

    Implementation.

3. Has the institution/vendor prioritized internally and externally maintained systems (hardware, software, and operating systems)?

4. Has the institution considered the impact of the Year 2000 on internal, environmental systems that are dependent on embedded microchips, such as vaults, security and alarm systems, elevators, telephones, FAX machines, and HVAC (heating, ventilation, and air conditioning)?

Resource Implications

5. Has the institution/vendor established a budget for the year 2000 effort?

6. Has the institution/vendor determined whether it has sufficient resources (hardware, people, and dollars) necessary to ensure Year 2000 processing capabilities?

Sponsorship/Monitoring

7. Has the institution/vendor assigned overall responsibility for the Year 2000 effort to a senior manager?

8. Has the institution/vendor established project target dates and deliverables for the Year 2000 effort?

9. Does the process include regular reporting to and monitoring by senior management?

Timing

10. Does the institution's/vendor's Year 2000 plan call for the renovation of all mission critical systems to be largely completed by December 31, 1998?

11. Will the institution's/vendor's testing for Year 2000 renovations be well under way, for mission critical applications, by December 31, 1998?

Appendix B

Year 2000 Examination Procedures

Introduction

The following examination procedures are for general use in all federally supervised financial institutions and data centers that service these financial institutions. The examination procedures will help the examiner to determine if the institution has addressed the Year 2000 problems inherent in many computer software and hardware systems. The examination procedures are designed to focus on the state of Year 2000 preparedness of each examined institution.

The Tier I section represents general procedures designed for all institutions. Examinations of small institutions, particularly those that have purchased or leased their hardware and/or software systems from an external vendor, normally will stop at the end of the Tier I examination procedures. The examiner will then proceed to the examination conclusions section. The Tier II section includes more rigorous and detailed examination procedures designed for larger institutions, particularly those with in-house software development capabilities. In these environments, examiners normally will use both the Tier I and Tier II examination procedures, as appropriate.

Examination Objectives

1. To determine whether the organization has an effective plan for identifying, renovating, testing, and implementing solutions for Year 2000 processing.

2. To assess the effect of Year 2000 efforts on the organization's strategic and operating plans.

3. To determine whether the organization has effectively coordinated Year 2000 processing capabilities with its customers, vendors, and payment systems partners.

4. To assess the soundness of internal controls for the Year 2000 process.

5. To identify whether further corrective action may be necessary to assure an appropriate level of attention to Year 2000 processing capabilities.

Examination Planning and Control

1. Determine the organization's source of information systems (IS) support for hardware (mainframe, mid-range, networks, personal computers) and related applications and operating system software. Note whether information systems processing is provided internally, externally, or a combination of both.

2. Review previous examination, audit, or consultant findings relative to Year 2000 issues.

3. Review management's responses to any significant Year 2000 findings.

4. Review responses to the Year 2000 Examiner Questionnaire.

5. Review the supervisory strategy and scope memorandum prepared for this organization relative to Year 2000 issues.

6. Determine the scope of the Year 2000 examination based on findings from the previous steps and discussions with the examiner-in-charge (EIC).

Select from the following examination procedures the steps necessary to meet the examination objectives. Note: Examinations do not require completion of all steps.

Tier I Procedures

1. Determine whether the organization's board of Directors and senior management are aware of and understand the risks and complexities of the Year 2000 issue by:

  1. Obtaining and reviewing minutes of board of Directors meetings for discussions of Year 2000 issues.

  2. Obtaining and reviewing minutes of committees established to address Year 2000 issues.

2. Determine whether management has developed a plan to ensure that the organization's computer systems are Year 2000 compliant.

3. Determine whether the organization's Year 2000 assessment includes computer controlled systems, such as telecommunications systems, ATMs, audio response systems, and other environmental systems with embedded microchips, such as vaults, security and alarm systems, elevators, telephones, FAX machines, and HVAC.

4. Determine whether the institution's management conducts continuing communications with its vendor(s) and/or servicer(s) to determine their progress toward implementing Year 2000 solutions.

5. Determine whether the organization has:

  1. Performed a "third party" software contract review to identify risks associated with licensing and maintenance agreement protections for Year 2000 processing.

  2. Reviewed all data processing outsourcing agreements to determine if the vendors have Year 2000 maintenance obligations.

  3. Included Year 2000 leap year considerations in their contract reviews.

  4. Established a process to certify that a vendor(s) and product(s) are Year 2000 compliant. If so, describe.

6. Determine whether management has assessed the financial and operational capabilities of its hardware and software vendors to provide Year 2000 processing capabilities. Note the results of this assessment.

7. Determine the status of the institution's Year 2000 project, including any anticipated barriers and how management plans to address them.

8. If it is evident that the institution's or vendor's/servicer's systems are not fully Year 2000 compliant, determine:

  1. Whether all affected applications will have Year 2000 renovation complete with testing well under way for mission critical systems by December 31, 1998.

  2. The significant applications that will not have Year 2000 renovation complete by December 31, 1998.

  3. Whether management has anticipated the effect to the organization's strategic and operating plans should all systems not be Year 2000 compliant by December 31, 1998.

  4. Management's contingency plans to assure the institution's ongoing operations if the institution's systems will not be Year 2000 compliant by December 31, 1998.

  5. Whether the institution has contingency plans should hardware or software systems not function correctly on January 1, 2000, because of the millennium date change.

9. Determine whether management has discussed the effect of the Year 2000 issue with its large corporate borrowing customers to ensure the customers' ability to meet financial and informational obligations to the institution.

10. Determine whether the organization has assessed the effect of Year 2000 processing capabilities, as applicable, with its payment systems providers, including:

  1. Wire transfer systems.
  2. Automated clearing houses.
  3. Check clearing providers.
  4. Credit card merchant and issuing systems.
  5. Automated teller machine networks.
  6. Electronic data interchange systems.
  7. Electronic benefits transfer systems.

11. Determine whether management has employed internal or external audit functions to assess the soundness of internal controls associated with the Year 2000 effort.

12. Determine whether management is aware of or contemplates any litigation related to the Year 2000 issue.

Generally, examinations of small financial institutions and those that rely on data service providers should proceed to the Examination Conclusions section.

Tier II Procedures

Audit

1. Assess internal and external audit personnel's independence and involvement in reviewing the organization's Year 2000 efforts.

2. Review audit plans and budgets through 1999 and determine whether they identify specific audit resources necessary to address Year 2000 issues. Determine whether these plans are based on a formal inventory of all critical systems affected by Year 2000 issues. Also, determine the adequacy of audit resources allocated to Year 2000 issues.

3. Determine whether audit is actively involved in Year 2000 efforts to assess and monitor the effectiveness of the project management process and whether audit management communicates this information to the board of Directors.

4. Review Year 2000 project audit reports and determine the adequacy of their scope and the timeliness and completeness of management responses. Also assess the appropriateness of audit follow-up on actions taken in response to Year 2000 project audit findings.

Management

5. Based on discussions with management and reviews of the minutes of committees established to address Year 2000 issues, evaluate the completeness of the project management process to assure the institution's computer systems are Year 2000 compliant. Note whether management has:

  1. Inventoried all hardware and software systems, including international locations.

  2. Identified hardware and software systems that require modifications for Year 2000 processing.

  3. . Evaluated various alternatives for dealing with Year 2000 processing issues.

  4. Prioritized software and hardware systems to ensure that the most critical applications are addressed first.

  5. Considered all software systems, including core banking, investments, fiduciary, management information, retail delivery, and operating systems.

  6. Considered the effect of Year 2000 issues on mergers/acquisitions.

  7. Reviewed and approved milestones to ensure the timely completion of Year 2000 efforts.

  8. Developed a testing strategy for Year 2000 modifications.

  9. Ensured that any new systems are Year 2000 compliant.

  10. Addressed the establishment and review of an effective system of internal controls over the Year 2000 effort.

  11. Determined the groupings of systems for conversion.

  12. Considered the role of the quality assurance function.

  13. Determined the role of end users.

  14. Determined the need for a configuration management plan.

  15. Required thorough project management techniques, including periodic senior management and board project updates.

6. Determine whether management considered the availability of adequate resources for the Year 2000 initiative by identifying:

  1. The type of technical expertise that will be needed.

  2. The amount of time needed for corrective action.

  3. The type and amount of financial resources that will be needed and whether the organization has sufficient financial resources to make all hardware (mainframe, mid-range, networks, personal computers) and related application and operating system software Year 2000 compliant.

  4. Whether any other resources are required.

  5. The effect of the Year 2000 project on earnings, capital, and liquidity and whether the assessment appears reasonable.

7. Determine whether the organization has persons or access to persons that have sufficient technical expertise to make all hardware/software systems Year 2000 compliant, and:

  1. If outside resources will be used, whether these resources are under contract.

  2. If not, what assurances management has that these resources will be available, when needed.

8. Determine how the board of Directors and senior management are kept informed on the progress of Year 2000 efforts, particularly of any problems encountered during the validation and implementation phases.

9. Determine whether the board of Directors and/or senior management have established clear lines of authority and responsibility for the Year 2000 effort.

10. Determine whether Year 2000 project teams receive sufficient support from the board of Directors and senior management.

11. Review, as applicable, the selection process for any Year 2000 service provider(s) and whether the process appears adequate.

12. Evaluate the adequacy of the institution's Year 2000 conversion management process.

Systems and Programming

13. Determine whether the organization has assessed the ability of its computer systems to handle any needed software changes. If so, describe.

14. Determine the method(s) the organization uses or will use to resolve Year 2000 date calculations (e.g., conversion to four position year fields, windowing and others).

15. Evaluate whether the organization has/will devote(d) appropriate time to testing and error checking of all software changes.

16. Determined the programming languages and tools that the institution will use.

17. Identify whether a common application development platform is required.

18. Describe how the organization will maintain sound internal controls over the software change process for Year 2000 issues.

19. Determine whether the organization is coordinating modification and testing activities with vendors, servicers, and organizations with whom critical data is received or sent.

Computer Operations

20. Review management's assessment of the anticipated additional systems resources required specifically for operating systems, telecommunications (including ATM) networks, and security software, to handle Year 2000 processing. Describe the results of the assessment.

21. Evaluate the organization's Year 2000 assessment of the adequacy of computer resources for testing Year 2000 changes while performing day-to-day processing activities.

22. Describe management's assessment of the effect of any changes in operating practices resulting from the Year 2000 effort.

23. Determine whether any interim work procedures are required as part of the Year 2000 effort.

24. Review and describe the organization's assessment of the impact of Year 2000 efforts on business continuity/recovery planning.

25. Determine whether the organization compromised sound internal controls over operations as a result of addressing Year 2000 issues.

Examination Conclusions

26. Prepare examination report comments noting:

  1. The computer system's Year 2000 processing capability.

  2. Management's effectiveness in managing the Year 2000 process, including an assessment of the adequacy of resources devoted to Year 2000 problems.

  3. The adequacy of the organization's plans for identifying, correcting, testing, and implementing solutions for Year 2000 processing.

  4. The date methodologies selected to provide Year 2000 processing (in situations with in-house programming capabilities).

  5. The status of the organization's plan and the capability to complete necessary changes with testing well underway for mission critical systems by December 31, 1998.

  6. Management's effectiveness in coordinating Year 2000 processing capabilities with its hardware and software vendors, corporate borrowing customers, and payment systems providers.

  7. The effect of the Year 2000 effort on the organization's strategic and operating plans, including earnings, capital, and liquidity.

  8. The effectiveness of the audit function and its assessment of internal controls for the Year 2000 process.

27. Prepare recommendations, as appropriate, for the EIC and/or other appropriate supervisors on any additional actions necessary to ensure the organization's safety and soundness associated with its Year 2000 processing capabilities.

28. Summarize the Year 2000 plan's strengths and weaknesses and describe the extent of the organization's Year 2000 readiness.

29. Discuss conclusions with the appropriate level of management and document responses.


FIL-50-97

Last Updated: May 9, 1997