CONCERNING INSTITUTION DUE DILIGENCE
IN CONNECTION WITH
SERVICE PROVIDER AND SOFTWARE VENDOR YEAR 2000 READINESS
To: The Board of Directors and Chief Executive Officer of all federally supervised financial institutions, service providers, software vendors, senior management of each FFIEC agency, and all examining personnel.
The Federal Financial Institutions Examination Council (FFIEC) has issued several statements on the Year 2000 problem. These interagency statements address key phases of the Year 2000 project management process and the specific responsibilities of senior management and the board of Directors to address business risks associated with the Year 2000 problem. Nearly all financial institutions in the United States rely on service providers and software vendors to operate mission-critical systems, and thus nearly all should work closely to ensure services and products are Year 2000 ready.
The purpose of this guidance is to ensure that senior management and the boards of Directors of financial institutions establish a due diligence process for determining the ability of their service providers and software vendors to become Year 2000 ready, establishing appropriate and effective remediation programs, establishing testing to the extent possible, and developing effective contingency plans in the event service providers and software vendors are not Year 2000 ready.
Management of financial institutions should establish a comprehensive Year 2000 due diligence process with its service providers and software vendors. The due diligence process should enable management to:
Identify and assess the mission-critical services and products provided by service providers and software vendors;
Identify and articulate the obligations of the service provider or software vendor and the institution for achieving Year 2000 readiness;
Establish a process for testing remediated services and products in the institution's own environment to the extent possible;
Adopt contingency plans for each mission-critical service and product; and
Establish monitoring procedures to verify that the service provider or software vendor is taking appropriate action to achieve Year 2000 readiness.
FFIEC Expectations and Efforts
In the May 1997 Interagency Statement, the FFIEC advised all financial institutions to identify service provider or software vendor interdependencies as part of their assessment phase. The FFIEC recommended that a Year 2000 readiness team and oversight committee, formed by the board of Directors in consultation with senior management, be assigned the responsibility for identifying all systems, application software, and supporting equipment that are date dependent. Institutions should have completed their assessments by September 30, 1997. The Interagency Statement also addressed the importance of assessing mission-critical systems first because the failure of mission-critical services and products could have a significant adverse impact on the institution's operations and financial condition. Each system and application should be assessed based on the importance of the system and application to the institution's continuing operation and the costs and time required to implement alternative solutions.
The FFIEC recognizes that service providers and software vendors may not be able or may be unwilling to correct Year 2000-related problems for a variety of reasons. Developers of software and equipment may no longer be in business or they may no longer support the application or operating system. Source code may not be available for remediation and the systems and hardware equipment may have components that are no longer manufactured. In addition, a software provider that sells a large variety and volume of programs might provide only general instructions for reconfiguring a product to the user because of the high cost associated with changing each product. Alternately, a service provider may assume total responsibility for the renovation of its operating systems, software applications, and hardware because its systems are maintained internally. However, the FFIEC believes it is important that financial institutions obtain sufficient information to determine if their mission-critical service providers and software vendors will be able to successfully deliver Year 2000 ready products and services. This guidance assists financial institutions with managing their relationship with service providers and software vendors as their Year 2000 project management plan is implemented.
The FFIEC will support financial institutions in their efforts to meet the expectations addressed in this guidance. The FFIEC agencies will provide to the serviced institutions information on the level of preparedness of their service providers that the agencies inspect. In addition, the FFIEC agencies are encouraging software vendors to provide as much information as possible on their remediation and testing efforts to their client financial institutions. The FFIEC also plans to participate in industry-sponsored events to exchange information on software vendors and the due diligence process and post information on its Internet web site (www.ffiec.gov).
Due to the pivotal role played by service providers and software vendors in an institution's operations, the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, and the National Credit Union Administration have augmented their examination of service providers to include focused Year 2000 reviews. Although the agencies will not certify service providers or software vendors as Year 2000 compliant as a result of these reviews, the agencies will forward the results of service provider Year 2000 readiness examinations to the serviced institutions that use these service providers. The agencies also will examine software vendors that agree to periodic inspections. In those cases where the software vendor consents, the results of Year 2000 readiness examinations will be forwarded to client institutions.
The examination reports of service providers and software vendors should not be viewed as a substitute for independent due diligence of your service provider's and software vendor's Year 2000 readiness. The examination reports should not limit a financial institution's efforts to obtain information directly from the service provider and software vendors. The information contained in an examination report reflects the Year 2000 readiness of a service provider and software vendor as of a particular point in time. When reviewing these reports, institutions should be aware that circumstances may have changed since the review was conducted and follow-up with the service provider and software vendor may be necessary.
Financial institutions may find it beneficial to join forces with other financial institutions in similar circumstances and coordinate group efforts to evaluate the performance and testing methodologies of service providers and software vendors, to participate in testing efforts to the extent possible, and to evaluate contingency plans. By working through user groups, financial institutions can gather and disseminate information on the efforts of service providers and software vendors, testing methodologies, contingency plans and monitoring techniques. User groups also can be useful to encourage uncooperative service providers and software vendors to provide more prompt and effective service to client institutions.
Responsibilities of Financial Institutions with Respect to Service Providers and Software Vendors
The management of a financial institution is responsible for determining the ability of its service providers and software vendors to address Year 2000 readiness, for establishing appropriate and effective testing and remediation programs, and for developing effective contingency plans in the event providers are not Year 2000 ready. Financial institutions should contact service providers and software vendors to determine what is needed to make the product or service Year 2000 ready. Management also should assess whether the service provider or software vendor has the capacity and expertise to complete the task. Service providers and software vendors should make full and accurate disclosures to their client financial institutions concerning the state of their remediation efforts.
Management should request the following information for all mission-critical products provided by service providers and software vendors:
Information on Year 2000 project plans, including the scope of the effort, a summary of resource commitments, dates when remediation and testing will begin and end, and dates when Year 2000 products and services will be delivered to the financial institution.
Plans to discontinue or extensively modify existing services and products.
Ongoing updates on the service providers' and software vendors' progress in meeting timetables of their Year 2000 project plans.
Estimates of product and support costs to be incurred by the financial institutions required for remediation and testing.
Contingency plans of service providers or software vendors in the event their project plans fail.
Financial institutions should thoroughly investigate the legal ramifications of renovating software vendor code because there is considerable legal risk in renovating software vendor-supplied code. For example, code modifications could render warranties and maintenance agreements null and void. However, financial institutions may need to make critical decisions that balance the consequences of these legal risks with business necessity. Financial institutions may also need to determine whether they can terminate their current service contracts and at what cost.
The failure of service providers and software vendors to meet these expectations could pose a risk to the safety and soundness of an institution and in such circumstances, institutions may need to terminate their relationship with the service provider or software vendor.
Testing for changes to the services and products will play a critical role in the Year 2000 process. Financial institutions should test, to the extent possible, service provider and software vendor provided products and services in the institution's own environment. The FFIEC expects service providers and software vendors to fully cooperate with financial institutions in testing. Management should not rely solely on the stated commitment of a service provider or software vendor to test but request that the scope be defined, objectives listed, and testing approaches and scenarios be developed. Testing schedules should be supplied by service providers and software vendors. In addition, the institution's testing strategy should include a testing scenario to simulate and measure the impact of a Year 2000-related disaster on normal operations.
The FFIEC will provide guidance on testing in an upcoming release.
Financial institutions should develop contingency plans for each mission-critical service and product. Contingency plans should describe how the financial institution will resume normal business operations if remediated systems do not perform as planned either before or after the century date change. They should establish "trigger dates" for changing service providers and software vendors to allow sufficient time to achieve Year 2000 readiness. Management of financial institutions, in consultation with the institution's legal counsel, should identify any legal remedies or resolutions available to the institution in the event products are not able to handle Year 2000 date processing. Institutions should consult with business partners that have interconnected systems, user groups, and third-party service providers.
If service providers and software vendors refuse or are unable to participate in Year 2000 readiness efforts or if commitments to migrate software or replace or repair equipment cannot be made by the "trigger date," the institution should pursue an alternate means of achieving Year 2000 readiness. In either of these cases, the institution should consider contracting with other service providers and software vendors to provide either remediation or replacement of a product or service. Difficulties of this nature should be reported to the financial institution's primary federal regulatory agency.
The FFIEC will provide detailed guidance on contingency planning in an upcoming release. However, that portion of a financial institution's Year 2000 contingency plan pertaining to service providers and software vendors should be tailored to the needs and complexity of the institution and should incorporate the following components:
A risk assessment that identifies potential disruptions and the effects such disruptions will have on business operations should a service provider or software vendor be unable to operate in a Year 2000 compliant environment. The plan should determine the probability of occurrence and define controls to minimize, eliminate or respond to disruptions.
An analysis of strategies and resources available to restore system or business operations.
A recovery program that identifies participants (both external and internal) and the processes and equipment needed for the institution to function at an adequate level. The program should ensure that all participants are aware of their roles and are adequately trained.
A comprehensive schedule of the remediation program of the service provider or software vendor that includes a trigger date. Institutions should assure themselves that adequate time is available should their internal test results require additional remediation efforts.
The development and implementation of contingency plans should be subject to the scrutiny of senior management and the board of Directors. Institution management should periodically review both its contingency and remediation plans. These reviews should address the impact that any changes made to a renovation plan might have on contingency plans. Additionally, the institution should ensure that an independent party review these plans. Finally, the institution's senior management and the board of Directors should review and approve all material changes to their plans.
Monitor Service Provider and Software Vendor Performance
Management of financial institutions should monitor the efforts of service providers and software vendors. The monitoring process should include frequent communication and documentation of all communication. Since the institution cannot rely solely on the proposed actions of service providers and software vendors, management should contact each mission-critical service provider and software vendor quarterly, at a minimum, to monitor its progress during the remediation and testing phases. The institution should maintain documentation for all of its communications.
Many service providers and software vendors maintain web sites on the Internet with information about the Year 2000 readiness of their services and products. In addition, the FFIEC Year 2000 web site (www.ffiec.gov/Y2K/) includes links to other federal government web sites in which listings of various service provider and software vendor statements are maintained. To the extent that a financial institution relies on information from a web site, a paper copy of the information should be kept on file, and the web site periodically checked to determine if information has been updated.
The FFIEC expects management and the boards of Directors of financial institutions to establish a comprehensive Year 2000 due diligence process with their service providers and software vendors. Management of each financial institution is responsible for ensuring that its service providers and software vendors take adequate steps to address Year 2000 problems. Financial institutions should establish contingency plans to ensure that management has alternative options for all mission-critical systems in the event service providers and software vendors are not able to meet key target dates. Management should test services and products in the institution's own environment to the extent possible.