Inactive Financial Institution Letters
FIL-50-97
The Federal Financial Institutions Examination Council (FFIEC) on
May 5, 1997, issued the attached press release and interagency
statement providing guidance on the scope of the activities
necessary for insured financial institutions to make all
information-processing systems capable of recognizing dates in
the Year 2000 and beyond.
The attached statement updates the FFIEC's statement "The Effect
of Year 2000 on Computer Systems," issued in June 1996, and it
reflects the federal agencies' concerns about the industry's
readiness for the Year 2000. The statement outlines the
agencies' supervisory strategy to ensure an orderly transition
into the next century.
Financial institutions should be well into the "assessment" phase
of their Year 2000 project management plan. As noted in the
statement, mission-critical systems should be identified and
priorities set for Year 2000 work by the end of the third quarter
of 1997. For mission-critical applications, the agencies
strongly recommend that programming changes be largely completed
and testing well underway by December 31, 1998. This time line
for testing critical applications has been accelerated since the
June 1996 interagency statement to ensure that system
interdependencies are not disrupted. Reprogramming for other
applications should also be completed by December 31, 1998, to
allow a full year for testing and adjustments.
The statement discusses three Year 2000-related issues requiring
management attention:
Other operational issues related to Year 2000 planning are also
highlighted.
The FDIC and state banking authorities will review the conversion
efforts of all FDIC-supervised banks in 1997, using the attached
examiner questionnaire and examination procedures or similar
tools. Meanwhile, management is encouraged to use these
examination tools to assess the adequacy of its own efforts in
addressing Year 2000 issues. If you foresee significant problems
meeting the target time lines in this guidance, please notify
your Division of Supervision regional office.
The attached interagency statement and related information on
Year 2000 issues are available on the Internet via the World Wide
Web at
For more information, please contact your Division of Supervision
Regional Office.
Attachments: (below)
Distribution: FDIC-Supervised Banks (Commercial and Savings)
NOTE: Paper copies of FDIC financial institution letters may be
obtained through the FDIC's Public Information Center, 801 17th
Street, N.W., Room 100, Washington, D.C. 20434 (800-276-6003 or
(703) 562-2200). Electronic versions are available at:
/banknews/fils/
The Federal Financial Institutions Examination Council's
Task Force on Supervision today issued an Interagency Statement
for the banking industry and federal examiners, intended to focus
their attention on the critical issues financial institutions
need to address quickly to resolve Year 2000 computer problems
and avoid major service disruptions.
The FFIEC Task Force first alerted the industry to the Year
2000 problem in June 1996, and recommended that institutions
perform risk assessments and plan a strategy to address
vulnerable systems.
Today's Statement outlines a project management process
that strongly encourages federally insured depository
institutions to complete an inventory of core computer functions
and set priorities for Year 2000 goals by September 30, 1997.
Banks are expected to largely complete programming changes, and
have testing well underway for mission critical systems by
December 31, 1998.
In an appendix to the Statement, the Task Force included an
examiner questionnaire to help regulatory agencies conduct
assessments of financial institution planning efforts, which are
expected to be completed shortly. Based on the results of these
assessments, regulators will prioritize supervisory reviews,
using examination procedures contained in a second appendix to
the Statement. The regulators expect to complete examinations of
conversion efforts by mid-1998.
Federal financial regulators are concerned that systemic
disruptions and potential failures could result if computers used
by financial institutions cannot properly read date-sensitive
information when the calendar year changes to 2000. For this
reason, an institution's reprogramming planning should include
consideration of the vendors whose products and services a
financial institution uses; the other banks, clearing houses and
customers with whom it exchanges data electronically; and,
corporate borrowers, whose creditworthiness might be diminished
by significant service disruptions.
In a statement today, the Task Force said, "The Year 2000
presents a number of very difficult challenges for the financial
services industry, which relies heavily on effective computer
communications between banks, external data networks and data
processing centers, and their customers. The Interagency
Statement adopted today emphasizes the important issues that
banks, thrifts and credit unions need to address right now to
meet critical deadlines in preparation for the Year 2000."
The Interagency Statement outlines five management phases
necessary to complete a computer conversion program: awareness,
assessment, renovation, validation, and implementation. During
the final stage, systems should be certified as compliant and
accepted by business users. Federal regulators intend to work
closely with institutions that face unusual difficulties.
May 5, 1997
Purpose:
This Interagency Statement is intended to emphasize the need to make all
information processing systems Year 2000 compliant and identify specific
concerns that should be considered in managing a conversion program. The
FFIEC first alerted the industry in June 1996 of the Year 2000 problem.
At that time, we recommended that financial institutions perform a risk
assessment of their processing systems and begin developing an action plan
to address vulnerable systems. This Interagency Statement expands on
those topics and stresses a number of areas which may need special
attention. It also describes the supervisory strategy that the federal
banking agencies will pursue in monitoring Year 2000 conversion efforts of
financial institutions, as well as third-party data processing servicers,
and software suppliers servicing insured financial institutions.
The Year 2000 poses serious challenges to the industry. Many experts
believe that even the most prepared organizations may encounter some
implementation problems. The federal banking agencies want to ensure that
financial institutions avoid major disruptions and will work with the
industry to reach that goal. They will implement a supervisory plan
designed to: heighten awareness of the Year 2000 problem within the
industry; perform an assessment of the planning efforts of financial
institutions for Year 2000; conduct a supervisory review of all
institutions for Year 2000 preparedness; and work with institutions that
face difficulties. The agencies will undertake follow-up activities to
ensure institutions focus on problem areas and take appropriate
supervisory action if they are unable to encourage a financial institution
to devote adequate attention to achieving Year 2000 compliance.
This Statement has four major parts: an outline of the Year 2000 project
management process; identification of three external risk issues that the
Year 2000 conversion plan should consider; other operational issues that
may be relevant to an institution's Year 2000 planning; and a description
of the federal banking agencies' supervisory strategy.
Year 2000 Project Management:
The Year 2000 problem presents a number of difficult challenges to
financial institution management. Information systems are often complex
and have been developed over many years through a variety of computer
languages and hardware platforms. For many financial institutions,
correction of those problems will be costly and complex. A lack of
skilled mainframe programmers and system experts compounds the problem.
Year 2000 conversion projects will require executive management
sponsorship and an effective project management process. The project
management process begins with an awareness of the issue and an assessment
of the extent of Year 2000 problems within financial institution systems.
This includes identification of affected applications and databases.
Mission critical applications should be identified and priorities set for
Year 2000 work by the end of the third quarter of 1997. Financial
institutions and service providers should be well into this phase of the
project. Code enhancements and revisions, hardware upgrades, and other
associated changes follow the assessment phase and should be largely
completed by December 31, 1998.
Since the 1996 Interagency Statement, it has become clear that testing
mission critical system interdependencies, particularly those with
external systems, will be time consuming and could take up to at least one
year in more complex data processing environments. Accordingly, for
mission critical applications, the federal banking agencies strongly
encourage the industry to assure that programming changes are largely
completed and that testing be well underway by December 31, 1998. This is
a change from the June 1996 Interagency Statement due to the importance of
fully testing connectivity between major servicers and other financial
institutions.
Year 2000 project management processes are expected to be more formalized
in financial institutions with complex systems or which rely on in-house
application development. In all financial institutions, regardless of
size or complexity, strong leadership, effective communication, and
accountability are necessary to ensure that Year 2000 initiatives will be
successful. The following describes the discovery, planning, and
implementation process in managing an institution's conversion program:
Assessment Phase - Assess the size and complexity of the problem and
detail the magnitude of the effort necessary to address Year 2000
issues. This phase must identify all hardware, software, networks,
automated teller machines, other various processing platforms, and
customer and vendor interdependencies affected by the Year 2000 date
change. The assessment must go beyond information systems and
include environmental systems that are dependent on embedded
microchips, such as security systems, elevators and vaults.
Management also must evaluate the Year 2000 effect on other
strategic business initiatives. The assessment should consider the
potential effect that mergers and acquisitions, major system
development, corporate alliances, and system interdependencies will
have on existing systems and/or the potential Year 2000 issues that
may arise from acquired systems.
The financial institution or vendor should also identify resource
needs, establish time frames and sequencing of Year 2000 efforts.
Resource needs include appropriately skilled personnel, contractors,
vendor support, budget allocations, and hardware capacity. This
phase should clearly identify corporate accountability throughout
the project, and policies should define reporting, monitoring, and
notification requirements. Finally, contingency plans should be
developed to cover unforeseen obstacles during the renovation and
validation phases and include plans to deal with lesser priority
systems that would be fixed later in the renovation phase.
Renovation Phase - This phase includes code enhancements, hardware
and software upgrades, system replacements, vendor certification,
and other associated changes. Work should be prioritized based on
information gathered during the assessment phase. For institutions
relying on outside servicers or third-party software providers,
ongoing discussions and monitoring of vendor progress are necessary.
Validation Phase - Testing is a multifaceted process that is
critical to the Year 2000 project and inherent in each phase of the
project management plan. This process includes the testing of
incremental changes to hardware and software components. In
addition to testing upgraded components, connections with other
systems must be verified, and all changes should be accepted by
internal and external users. Management should establish controls
to assure the effective and timely completion of all hardware and
software testing prior to final implementation. As with the
renovation phase, financial institutions should be in ongoing
discussions with their vendors on the success of their validation
efforts.
Implementation Phase - In this phase, systems should be certified as
Year 2000 compliant and be accepted by the business users. For any
system failing certification, the business effect must be assessed
clearly and the organization's Year 2000 contingency plans should be
implemented. Any potentially noncompliant mission-critical system
should be brought to the attention of executive management
immediately for resolution. In addition, this phase must ensure
that any new systems or subsequent changes to verified systems are
compliant with Year 2000 requirements.
External Issues:
Our discussions with Year 2000 experts, bankers, and field examiners
indicate some financial institutions have not yet considered all the
implications of the Year 2000 problem or lack conformance to time critical
dates. More specifically, management should begin immediately to consider
the following areas in its project planning process:
Alternate service or software providers should be considered if
vendor solutions or time frames are inadequate. If purchased
products or services belong to larger, integrated systems, financial
institutions' testing and certification processes will have to be
fully coordinated with their vendor's Year 2000 testing. Management
must also ensure that vendors have the capacity (both financial and
personnel) to complete the project and are willing to certify Year
2000 compliance.
Data Exchange - The Year 2000 problem also poses a risk to the
quality of information that institutions exchange with other firms.
Large volumes of date sensitive data are transferred electronically
between financial institutions, their customers, and their
regulators. Institutions will need to know how methods of data
exchange differ among financial institutions, across vendors, and
between other institutions. Therefore, Year 2000 planning should
allow sufficient time to assess the effect that Year 2000 solutions
will have on data transfers. The project plan should also include
testing and verification, as appropriate, of data exchanges with
clearing associations, governmental entities, customers and
international financial institutions.
Corporate Customers - Many corporate customers (borrowers) depend on
computer systems that must be Year 2000 compliant. Corporate
customers, who have not considered Year 2000 issues, may experience
a disruption in business, resulting in potentially significant
financial difficulties that could affect their creditworthiness.
Financial institutions should develop processes to periodically
assess large corporate customer Year 2000 efforts and may consider
writing Year 2000 compliance into their loan documentation. Loan
and credit review officers should consider in their credit analysis
of large corporate customers whether the borrower's Year 2000
conversion efforts are sufficient to avoid significant disruptions
to operations.
Other Year 2000 Operating Issues:
The following issues should also be considered in addressing Year 2000
planning:
Cost and Monitoring - As the Year 2000 approaches and the urgency
of fixing problems increases, the costs of obtaining/retaining
qualified staff to address the problems will undoubtedly rise,
perhaps significantly. Some experts believe that the limited
availability of technical support will be a major obstacle to making
systems Year 2000 compliant. Knowledge of market conditions for
skilled programmers and developing programs to retain key personnel
may be necessary to ensure that adequate resources are available
throughout the project's life.
Mergers and Acquisitions (M&As) - The extent of Year 2000 conversion
efforts will bear directly on corporate M&As' strategies since
conversions resulting from M&As will compete for project managers
and technical resources. Acquisition strategies should include the
institution's Year 2000 assessment to the extent possible.
Remote Locations - Remote or overseas operations also need to devote
attention to Year 2000 issues. In particular, management
information systems for businesses that run semi-autonomously from
the head office must be included in the financial institution's
system inventory and plans. To the extent that such systems serve
as critical controls for business operations, they could expose the
financial institution to significant undetected vulnerabilities.
Appropriate staff members throughout the organization must be aware
of the risks associated with the Year 2000 issue and how they might
be affected.
Contracts - Legal issues may arise from the lack of specificity in
contract terms dealing with Year 2000 issues. Financial
institutions should modify existing contracts which do not
specifically address Year 2000 compliance by the vendor. Otherwise,
conflicts may result regarding the commitment and responsibility to
assure Year 2000 compliance. Current and future purchases should
require Year 2000 certification. If contract changes or
modifications are refused, then the institution should consider
replacing the service or product.
Leap Year - All Year 2000 plans need to address the leap year -
February 29, 2000 - issue. All date and calculation routines need
to be reviewed to ensure that leap year calculations are Year 2000
certified.
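The leap year review described above, combined with the "windowing" method of resolving two-digit years named in the examination procedures, can be exercised with a small check like the following. This is an added example, not part of the FFIEC statement; the pivot value, the function names, the YYMMDD field layout and the faulty routine are all constructed for illustration.

```python
from datetime import date

# Assumed window pivot (not from the statement): 00-49 -> 20xx, 50-99 -> 19xx.
PIVOT = 50


def is_leap_reference(year):
    """Gregorian rule: every 4th year, except centuries not divisible by 400."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def is_leap_century_bug(year):
    """Constructed faulty routine: omits the divisible-by-400 exception,
    so it treats 2000 as a common year."""
    return year % 4 == 0 and year % 100 != 0


def review_leap_routine(routine, years):
    """Return the years where a routine under review disagrees with the
    reference rule."""
    return [y for y in years if routine(y) != is_leap_reference(y)]


def expand_year(yy, pivot=PIVOT):
    """Windowing: map a two-digit year onto a 100-year window.
    pivot=0 models the legacy assumption that every YY means 19YY."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year out of range: %r" % yy)
    return 2000 + yy if yy < pivot else 1900 + yy


def parse_yymmdd(text, leap_routine=is_leap_reference, pivot=PIVOT):
    """Parse a YYMMDD field, validating the day of month with the leap
    routine under review so a faulty routine shows up as a rejected date."""
    if len(text) != 6 or not text.isdigit():
        raise ValueError("expected six digits, got %r" % text)
    year = expand_year(int(text[:2]), pivot)
    month, day = int(text[2:4]), int(text[4:6])
    if not 1 <= month <= 12:
        raise ValueError("invalid month in %r" % text)
    feb = 29 if leap_routine(year) else 28
    days_in_month = [31, feb, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]
    if not 1 <= day <= days_in_month[month - 1]:
        raise ValueError("invalid day in %r" % text)
    return date(year, month, day)


def days_between(start, end, pivot=PIVOT):
    """Interval in days between two YYMMDD fields, as an interest or
    aging calculation would use it."""
    return (parse_yymmdd(end, pivot=pivot) - parse_yymmdd(start, pivot=pivot)).days


if __name__ == "__main__":
    # Constructed sample inputs around the two dates the review must cover.
    print("leap routine disagreements:",
          review_leap_routine(is_leap_century_bug, range(1996, 2005)))
    print("windowed  99-12-31 -> 00-01-01:", days_between("991231", "000101"))
    print("legacy    99-12-31 -> 00-01-01:", days_between("991231", "000101", pivot=0))
    print("windowed  00-02-28 -> 00-03-01:", days_between("000228", "000301"))
    try:
        parse_yymmdd("000229", leap_routine=is_leap_century_bug)
    except ValueError as exc:
        print("faulty routine rejects Feb 29, 2000:", exc)
```

A fixed pivot only defers the ambiguity: with the assumed pivot of 50, a date in 2050 would be read as 1950, which is why the window has to be recorded and revisited for any field that can hold long-dated values.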
Supervisory Strategy:
The federal banking agencies plan to conduct a supervisory review of all
financial institutions' Year 2000 conversion efforts by mid-1998. They
will soon complete an assessment of financial institutions' Year 2000
planning efforts. The appropriate regulatory agency may use the examiner
questionnaire in Appendix A, or a similar tool, to help conduct this
assessment. Financial institutions will be provided with specific
instructions from your agency about this part of their supervisory
strategy. The agencies will use the results of their assessment to
prioritize on-site examinations and will target first those institutions
that have not actively begun a Year 2000 conversion program.
The federal banking agencies will utilize uniform examination procedures
to facilitate Year 2000 examinations (Appendix B). Management is
encouraged to use these examination tools to perform internal reviews or
self-evaluations in connection with their own efforts to address the Year
2000 problem. Examiners will work with institutions that encounter
significant problems addressing Year 2000 issues.
Focusing on financial institutions alone will not prevent Year 2000
disruptions. The federal banking agencies will work cooperatively to
ensure that supervisory reviews include data processing service providers
and third-party software vendors who provide services to federally insured
financial institutions. This effort will include vendors who are a part
of the Multiregional Data Processing Servicer program and the Shared
Application Software Review program.
Introduction
This questionnaire is designed to capture macro-level information on Year
2000 preparations from financial institutions and their information
systems vendors. The information will help examiners prioritize their
Year 2000 reviews. The questions are presented in a "yes - no" answer
format. However, examiners may also ask open-ended questions to develop a
thorough understanding of the institution's/vendor's Year 2000
capabilities.
Capability
1. Are the institution's/vendor's information processing (hardware and
software) and delivery (telecommunications) systems capable and
ready to handle Year 2000 processing?
Overall Plan
2. Does the institution/vendor have a Year 2000 problem resolution
process that includes these basic phases:
Assessment of complexity.
Renovation.
Validation.
Implementation.
3. Has the institution/vendor prioritized internally and externally
maintained systems (hardware, software, and operating systems)?
4. Has the institution considered the impact of the Year 2000 on
internal, environmental systems that are dependent on embedded
microchips, such as vaults, security and alarm systems, elevators,
telephones, FAX machines, and HVAC (heating, ventilation, and air
conditioning)?
Resource Implications
5. Has the institution/vendor established a budget for the year 2000
effort?
6. Has the institution/vendor determined whether it has sufficient
resources (hardware, people, and dollars) necessary to ensure Year
2000 processing capabilities?
Sponsorship/Monitoring
7. Has the institution/vendor assigned overall responsibility for the
Year 2000 effort to a senior manager?
8. Has the institution/vendor established project target dates and
deliverables for the Year 2000 effort?
9. Does the process include regular reporting to and monitoring by
senior management?
Timing
10. Does the institution's/vendor's Year 2000 plan call for the
renovation of all mission critical systems to be largely completed
by December 31, 1998?
11. Will the institution's/vendor's testing for Year 2000 renovations be
well under way, for mission critical applications, by December 31,
1998?
Introduction
The following examination procedures are for general use in all federally
supervised financial institutions and data centers that service these
financial institutions. The examination procedures will help the examiner
to determine if the institution has addressed the Year 2000 problems
inherent in many computer software and hardware systems. The examination
procedures are designed to focus on the state of Year 2000 preparedness of
each examined institution.
The Tier I section represents general procedures designed for all
institutions. Examinations of small institutions, particularly those
that have purchased or leased their hardware and/or software systems from
an external vendor, normally will stop at the end of the Tier I
examination procedures. The examiner will then proceed to the examination
conclusions section. The Tier II section includes more rigorous and
detailed examination procedures designed for larger institutions,
particularly those with in-house software development capabilities. In
these environments, examiners normally will use both the Tier I and Tier
II examination procedures, as appropriate.
Examination Objectives
1. To determine whether the organization has an effective plan for
identifying, renovating, testing, and implementing solutions for Year
2000 processing.
2. To assess the effect of Year 2000 efforts on the organization's
strategic and operating plans.
3. To determine whether the organization has effectively coordinated Year
2000 processing capabilities with its customers, vendors, and payment
systems partners.
4. To assess the soundness of internal controls for the Year 2000
process.
5. To identify whether further corrective action may be necessary to
assure an appropriate level of attention to Year 2000 processing
capabilities.
Examination Planning and Control
1. Determine the organization's source of information systems (IS)
support for hardware (mainframe, mid-range, networks, personal
computers) and related applications and operating system software.
Note whether information systems processing is provided internally,
externally, or a combination of both.
2. Review previous examination, audit, or consultant findings relative to
Year 2000 issues.
3. Review management's responses to any significant Year 2000 findings.
4. Review responses to the Year 2000 Examiner Questionnaire.
5. Review the supervisory strategy and scope memorandum prepared for this
organization relative to Year 2000 issues.
6. Determine the scope of the Year 2000 examination based on findings
from the previous steps and discussions with the examiner-in-charge
(EIC).
Select from the following examination procedures the steps necessary to
meet the examination objectives. Note: Examinations do not require
completion of all steps.
Tier I Procedures
1. Determine whether the organization's board of Directors and senior
management are aware of and understand the risks and complexities of
the Year 2000 issue by:
2. Determine whether management has developed a plan to ensure that the
organization's computer systems are Year 2000 compliant.
3. Determine whether the organization's Year 2000 assessment includes
computer controlled systems, such as telecommunications systems, ATMs,
audio response systems, and other environmental systems with embedded
microchips, such as vaults, security and alarm systems, elevators,
telephones, FAX machines, and HVAC.
4. Determine whether the institution's management conducts continuing
communications with its vendor(s) and/or servicer(s) to determine
their progress toward implementing Year 2000 solutions.
5. Determine whether the organization has:
6. Determine whether management has assessed the financial and
operational capabilities of its hardware and software vendors to
provide Year 2000 processing capabilities. Note the results of this
assessment.
7. Determine the status of the institution's Year 2000 project, including
any anticipated barriers and how management plans to address them.
8. If it is evident that the institution's or vendor's/servicer's systems
are not fully Year 2000 compliant, determine:
9. Determine whether management has discussed the effect of the Year 2000
issue with its large corporate borrowing customers to ensure the
customers' ability to meet financial and informational obligations to
the institution.
10. Determine whether the organization has assessed the effect of Year
2000 processing capabilities, as applicable, with its payment
systems providers, including:
11. Determine whether management has employed internal or external
audit functions to assess the soundness of internal controls
associated with the Year 2000 effort.
12. Determine whether management is aware of or contemplates any
litigation related to the Year 2000 issue.
Generally, examinations of small financial institutions and those that
rely on data service providers should proceed to the Examination
Conclusions section.
Tier II Procedures
Audit
1. Assess internal and external audit personnel's independence and
involvement in reviewing the organization's Year 2000 efforts.
2. Review audit plans and budgets through 1999 and determine whether
they identify specific audit resources necessary to address Year
2000 issues. Determine whether these plans are based on a formal
inventory of all critical systems affected by Year 2000 issues.
Also, determine the adequacy of audit resources allocated to Year
2000 issues.
3. Determine whether audit is actively involved in Year 2000 efforts to
assess and monitor the effectiveness of the project management process
and whether audit management communicates this information to the
board of Directors.
4. Review Year 2000 project audit reports and determine the adequacy of
their scope and the timeliness and completeness of management
responses. Also assess the appropriateness of audit follow-up on
actions taken in response to Year 2000 project audit findings.
Management
5. Based on discussions with management and reviews of the minutes of
committees established to address Year 2000 issues, evaluate the
completeness of the project management process to assure the
institution's computer systems are Year 2000 compliant. Note whether
management has:
6. Determine whether management considered the availability of adequate
resources for the Year 2000 initiative by identifying:
7. Determine whether the organization has persons or access to persons
that have sufficient technical expertise to make all hardware/software
systems Year 2000 compliant, and:
8. Determine how the board of Directors and senior management are kept
informed on the progress of Year 2000 efforts, particularly of any
problems encountered during the validation and implementation phases.
9. Determine whether the board of Directors and/or senior management have
established clear lines of authority and responsibility for the Year
2000 effort.
10. Determine whether Year 2000 project teams receive sufficient
support from the board of Directors and senior management.
11. Review, as applicable, the selection process for any Year 2000
service provider(s) and whether the process appears adequate.
12. Evaluate the adequacy of the institution's Year 2000 conversion
management process.
Systems and Programming
13. Determine whether the organization has assessed the ability of its
computer systems to handle any needed software changes. If so,
describe.
14. Determine the method(s) the organization uses or will use to
resolve Year 2000 date calculations (e.g., conversion to four
position year fields, windowing and others).
15. Evaluate whether the organization has/will devote(d) appropriate
time to testing and error checking of all software changes.
16. Determine the programming languages and tools that the institution
will use.
17. Identify whether a common application development platform is
required.
18. Describe how the organization will maintain sound internal controls
over the software change process for Year 2000 issues.
19. Determine whether the organization is coordinating modification and
testing activities with vendors, servicers, and organizations with
whom critical data is received or sent.
Computer Operations
20. Review management's assessment of the anticipated additional
systems resources required specifically for operating systems,
telecommunications (including ATM) networks, and security software,
to handle Year 2000 processing. Describe the results of the
assessment.
21. Evaluate the organization's Year 2000 assessment of the adequacy of
computer resources for testing Year 2000 changes while performing
day-to-day processing activities.
22. Describe management's assessment of the effect of any changes in
operating practices resulting from the Year 2000 effort.
23. Determine whether any interim work procedures are required as part
of the Year 2000 effort.
24. Review and describe the organization's assessment of the impact of
Year 2000 efforts on business continuity/recovery planning.
25. Determine whether the organization compromised sound internal
controls over operations as a result of addressing Year 2000
issues.
Examination Conclusions
26. Prepare examination report comments noting:
27. Prepare recommendations, as appropriate, for the EIC and/or other
appropriate supervisors on any additional actions necessary to
ensure the organization's safety and soundness associated with its
Year 2000 processing capabilities.
28. Summarize the Year 2000 plan's strengths and weaknesses and
describe the extent of the organization's Year 2000 readiness.
29. Discuss conclusions with the appropriate level of management and
document responses.
Last Updated 07/16/1999 | communications@fdic.gov