The FDIC, the Office of the Comptroller of the Currency, the Federal Reserve System and the Office of Thrift Supervision adopted a three-tier rating system to measure a financial institution's degree of compliance with the guidance set forth in the May 5, 1997, FFIEC statement entitled "Year 2000 Project Management Awareness" (Interagency Statement) and subsequent related guidance. The agencies categorize a financial institution's Year 2000 readiness efforts as "Satisfactory," "Needs Improvement," or "Unsatisfactory." The rating categories are summarized below:
Satisfactory: Year 2000 efforts of financial institutions and independent data centers are considered "Satisfactory" if they exhibit acceptable performance in all key phases of the Year 2000 project management process as set forth in the May 5, 1997, FFIEC Interagency Statement on the Year 2000 and subsequent guidance documents. Performance is satisfactory when project weaknesses are minor and can be readily corrected within the existing project management framework. The institution's remediation progress to date meets or nearly meets expectations laid out in its Year 2000 project plan. Senior management and the board recognize and understand Year 2000 risk, are active in overseeing institutional corrective efforts, and have ensured that the necessary resources are available to address this risk area.
Needs Improvement: Year 2000 efforts of financial institutions and independent data centers are evaluated as "Needs Improvement" if they exhibit less than satisfactory performance in any of the key phases of the Year 2000 project management processes. Project weaknesses are evident, even if deficiencies are correctable within the existing project management framework. The institution's remediation progress to date is behind the schedule laid out in its Year 2000 project plan. Senior management or the board is not fully aware of the status of Year 2000 corrective efforts, may not have committed sufficient financial or human resources to address this risk, or may not fully understand Year 2000 implications.
Unsatisfactory: Year 2000 efforts of financial institutions and data centers are "Unsatisfactory" if they exhibit poor performance in any of the key phases of the Year 2000 project management process. Project weaknesses are serious in nature and are not easily corrected within the existing project management framework. The institution's remediation progress to date is seriously behind the schedule laid out in its Year 2000 project plan. Senior management and the board do not understand or recognize the impact that the Year 2000 will have on the institution. Management or board commitment is limited or their oversight activities are not evident.
Ongoing Supervisory Strategy
The FFIEC has issued seven interagency statements that provide a comprehensive framework of guidance for the management of a Year 2000 readiness project. The FDIC's initial assessment process was designed to identify the risk associated with an institution's failure to adequately address the issues presented in these guidance papers. Going forward, the FDIC's supervisory efforts will focus on the renovation, validation and implementation phases of the Year 2000 management process. Particular attention will be given to the institution's testing efforts and to the development of prudent contingency plans.
The FDIC expects financial institutions to meet the dates identified in the guidance papers, principally key testing milestones and deadlines associated with customer impact assessments. Examination staff will review the Year 2000 activities of its supervised institutions to ensure that the following key milestones in the Year 2000 testing process are met:
June 30, 1998
Institutions should complete the development of their written testing strategies and plans.
September 1, 1998
Institutions processing in-house and service providers should have commenced testing of internal mission-critical systems, including those programmed in-house and those purchased from software vendors.
December 31, 1998
Testing of internal mission-critical systems should be substantially complete. Service providers should be ready to test with customers.
March 31, 1999
Testing by institutions relying on service providers for mission-critical systems should be substantially complete. External testing with material other third parties (customers, other financial institutions, business partners, payment system providers, etc.) should have begun.
June 30, 1999
Testing of mission-critical systems should be complete and implementation should be substantially complete.
Examination staff also will assess the efforts of FDIC-supervised financial institutions to develop and implement procedures to determine and control the risks associated with their customers' Year 2000 readiness. Institutions are expected to implement a due diligence process that identifies, assesses and establishes controls for the Year 2000 risk posed by funds takers, funds providers, and capital market and asset management counterparties by June 30, 1998. The assessment of these customers' Year 2000 preparedness should be substantially completed by September 30, 1998.
The FFIEC is developing an examination work program designed to facilitate the thorough review and analysis of an institution's testing program and contingency planning process.
This document will be made available to insured financial institutions once it is finalized.
The FDIC will continue to review the efforts of all FDIC-supervised banks and employ appropriate supervisory responses to ensure these entities address Year 2000 readiness. Because of the critical nature of testing and contingency planning, the FDIC will take increasingly stronger action against financial institutions that are assessed "Needs Improvement" or "Unsatisfactory." The FDIC has prepared standard language for Year 2000 readiness purposes so that corrective programs and enforcement actions can be processed quickly. Financial institutions exhibiting less than satisfactory progress in attaining Year 2000 readiness will be closely reviewed and can expect contacts from examination staff at least once per quarter.
A financial institution's failure to appropriately address Year 2000 readiness problems may result in denials of applications filed pursuant to the Federal Deposit Insurance Act and civil money penalties. In addition, a less than satisfactory assessment may result in reductions in an insured institution's "Management" component or its composite rating. A less than satisfactory assessment could also result in a decline in an institution's Supervisory Subgroup assignment, resulting in an increase in the deposit insurance premiums paid by the institution.
Nationwide Outreach Efforts
The FDIC is coordinating a nationwide outreach program in cooperation with the FFIEC member agencies. These one-day seminars are directed at groups of financial institutions and will be organized through state and local trade associations. The seminars will focus primarily on testing and contingency planning and will be held throughout the summer. Financial institutions are encouraged to participate to enhance their knowledge of these two areas. The dates, locations, and a contact telephone number for the seminars will be posted on the FDIC's Web site at www.fdic.gov.