Interagency Guidance on FFIEC Year 2000
Contingency Planning Policy
The Federal Financial Institutions Examination Council (FFIEC) has issued the attached statement to supplement the May 1998 interagency statement on Year 2000 readiness contingency planning. The attached document addresses common questions about the May 1998 interagency statement, "Guidance Concerning Contingency Planning in Connection with Year 2000 Readiness," focusing on requests for further clarification of that statement.
The Federal Deposit Insurance Corporation (FDIC) considers business resumption contingency planning an essential component of adequate preparation for Year 2000 readiness. Despite reasonable internal remediation, testing, and implementation efforts, each financial institution must consider the potential impact of disruptions from within and from third-party business partners and infrastructure providers. Failure to plan appropriately for these disruptions could affect the viability of a financial institution.
The interagency statement establishes June 30, 1999, as the date by which the four phases of the Year 2000 business resumption contingency plan are to be substantially complete. Those phases are:
establishing organizational planning guidelines that define the business continuity planning strategy,
completing a business impact analysis in which the financial institution assesses the potential impact of mission-critical system failures on the core business processes,
developing a business resumption contingency plan, and
designing a method of validation so the business resumption contingency
plans can be tested for effectiveness and viability.
Given the relative importance and timeliness of contingency planning, the FDIC will expect all FDIC-supervised institutions to complete phase one (organizational planning guidelines) and phase two (business impact analysis) no later than March 31, 1999. Documentation of each institution's planning process will be subject to review by FDIC examiners. While due dates have been established for the four phases, management should be aware that contingency planning is a process. Changes in the financial institution's Year 2000 project or its operations should prompt a review and possible revision of the business continuity plan.
The FDIC acknowledges that each financial institution is unique and that the institution's management is in the best position to judge what contingency strategies are appropriate. This decision should be made after considering the size of the institution, the complexity of its operation, and an acceptable level of business risk exposure. The answers provided in the attached statement address contingency planning issues in general terms. Please direct institution-specific queries to your Division of Supervision Regional Office.
The FDIC and state banking authorities will continue to review the Year 2000-related efforts of all FDIC-supervised banks. An institution's failure to appropriately address Year 2000 readiness issues may result in supervisory action, including formal and informal enforcement actions, denials of applications filed pursuant to the Federal Deposit Insurance Act, civil money penalties, reductions in the institution's management component or composite ratings, and increased risk-related premiums.
Distribution: FDIC-Supervised Banks (Commercial and Savings)
NOTE: Paper copies of FDIC financial
institution letters may be obtained through the FDIC's Public
Information Center, 801 17th Street, NW, Room 100, Washington, DC
20434 (800-276-6003 or (703) 562-2200).