ANDREW C. HOVE, JR.
FEDERAL DEPOSIT INSURANCE CORPORATION
THE YEAR 2000 PROBLEM
COMMITTEE ON BANKING AND FINANCIAL SERVICES
UNITED STATES HOUSE OF REPRESENTATIVES
2:00 PM, NOVEMBER 4, 1997
ROOM 2128 RAYBURN HOUSE OFFICE BUILDING
I would like to thank the Committee for the opportunity to provide a written statement for the record on behalf of the Federal Deposit Insurance Corporation regarding the "Year 2000 problem" and its implications for the safety and soundness of the nation's financial system. My statement will discuss Year 2000 issues as they relate to the banking industry, and the FDIC's supervisory strategy, concerns and initiatives as primary Federal regulator for approximately 6,200 financial institutions. I will discuss the FDIC's contingency planning from the standpoint of our role as both supervisor and insurer, and FDIC initiatives for meeting the Year 2000 computer challenge internally.
YEAR 2000 ISSUES AND THE BANKING INDUSTRY
The potential for problems related to the inability of computer systems to accurately recognize dates beyond 1999 is a significant concern for the financial services industry and financial institution regulators. Financial institutions face vulnerability to the Year 2000 problem in a number of areas, both internally and externally. Internally, data processing systems -- including mainframe, network and personal computers -- may be unable to record and process financial information accurately. Equipment that relies on embedded computer chips to perform date driven functions, such as automated teller machines, telephone switchboards, vault locks, security systems, elevators, heating, ventilation and air conditioning systems, may also malfunction. Externally, data exchanges with business partners outside the financial institution may be disrupted and credit quality issues could arise as borrowers deal with these same vulnerabilities. Finally, corrupt data creates the potential for fraud against the industry and its customers.
To manage both internal and external Year 2000 efforts at the FDIC, I established an oversight committee comprised of senior executives from key divisions and offices. This oversight committee provides general management direction and feedback to FDIC staff participating in various working groups such as interdivisional contingency planning groups and interagency working groups. To coordinate our external efforts, we have appointed a project manager responsible for coordinating all activities related to the industry's Year 2000 remediation process. To handle the FDIC's internal efforts, we established a separate project office within our Division of Information Resources Management.
We are using a five step framework to ensure that FDIC-supervised institutions and the FDIC achieve readiness for the Year 2000. The five steps are: awareness; assessment; follow-up; enforcement; and failure resolution.
The FDIC and other agencies are working to increase financial institutions' awareness of the importance of remediating systems to achieve Year 2000 readiness. It is critical that each insured institution understand which of its systems may be affected and develop a plan for upgrading or replacing systems that will fail to function properly in the new millennium. Virtually every financial institution will be affected to some degree. Insured institutions that perform the work themselves will incur the expense of upgrading their computer systems and ensuring that they function properly. Institutions that rely on a data processing servicer or bank software vendor must share the responsibility of making sure that all their systems function properly and cannot rely on vague reassurances that the problem will be solved. All banks also are responsible for evaluating all of their systems, including equipment and data exchanges with parties outside the bank, and reviewing how the Year 2000 problem may affect their borrowers.
To improve the industry's awareness, the FDIC, in cooperation with the other Federal depository institution regulatory agencies and state supervisory authorities, has taken steps to highlight the importance of Year 2000 issues. On May 5, 1997, the Federal Financial Institutions Examination Council (FFIEC) issued an updated interagency statement on Year 2000 project management. This statement outlines five project management phases essential to the Year 2000 remediation process: awareness; assessment; renovation; validation and implementation. The statement also includes target dates designed to ensure timely completion of the remediation process. The statement discusses three areas of potential risk that are external to a financial institution's data processing system: vendor reliance; exchanging data electronically with external parties; and lending relationships. Also, the statement presents a general outline of the agencies' supervisory approach which includes on-site Year 2000 supervisory reviews for all insured financial institutions by mid-1998.
Other interagency efforts include hosting an outreach meeting with the major industry trade associations and giving numerous speeches in various industry forums. On an informal basis, we have raised the Year 2000 issue at gatherings with members of several state bankers associations. In addition, we are hosting a vendor conference which will take place on November 10 and are undertaking negotiations with trade groups on a series of additional presentations for early 1998.
To help educate consumers on the Year 2000 issue, the FDIC is developing a public awareness campaign. This campaign will include development of questions for consumers to ask their financial institution regarding Year 2000.
Internally, we have issued regional director memoranda and other guidance to field examiners conducting Year 2000 assessments and supervisory reviews, in addition to an intensive examiner training program. Senior FDIC management also has emphasized the importance of the issue with FDIC examiners at regional conferences and other forums.
In addition to the provisions outlined above, the interagency statement issued by the FFIEC on May 5, 1997, also stated that the regulatory agencies planned to complete an initial assessment of the efforts of financial institutions, data service providers and bank software vendors to address the Year 2000 problem. It should be noted that, in this initial assessment, examiners review whether or not financial institutions, data processing servicers or bank software vendors have processes in place to allow them to achieve Year 2000 compliance. This does not constitute a certification or guarantee of Year 2000 compliance. While an institution's level of awareness and plan for remediation and testing may appear satisfactory during the initial assessment, we want to ensure that institutions do not become complacent or that regulators do not develop a false sense of security. The key to avoiding Year 2000 problems is effective implementation of remediation plans, and ultimately, successful testing. We are using the results of these initial assessments to prioritize on-site supervisory reviews of Year 2000 compliance efforts of all financial institutions, which will be completed with the assistance of State bank regulators by June 30, 1998.
Initial Assessment of FDIC-Supervised Financial Institutions
The FDIC and state authorities have completed initial assessments of 81 percent of the approximately 6,200 state non-member institutions we supervise. We will complete assessments of the remaining 19 percent of institutions by the end of the year. Based on these initial assessments, we estimate that less than one percent of the institutions are experiencing significant problems at this point. We estimate that about 10 percent of institutions present a moderate level of concern, while about 90 percent of FDIC-supervised institutions have processes in place which appear to be sufficient to make mission critical systems compliant by the end of 1999.
Based on the results of our initial assessment, our current primary concerns are: (1) an apparent lack of appreciation by some institutions of the scope and complexity of the Year 2000 problem; (2) the potential risk of over-reliance by a depository institution on third-party data processing servicers or bank software vendors to address the issue; (3) potential risks related to the exchange of electronic data, both domestically and internationally, with customers, correspondents and business partners of depository institutions; and (4) the potential for credit quality exposure from corporate borrowers. I will now discuss each of these concerns and our initiatives to address them.
The results of our initial assessment indicate that institutions are generally aware of the Year 2000 problem. However, senior management and outside directors usually do not possess in-depth technical knowledge. As a result, they may not have the same appreciation of the risks posed by Year 2000 noncompliance. The reviews to date have identified instances where institutions have failed to recognize potential problems with personal computers and environmental control systems.
To address the lack of appreciation of the scope and complexity of the Year 2000 problem, in addition to the awareness efforts outlined above, the regulators are working together to develop additional guidance for the industry on four specific topics. These topics are the business stability risk posed by the Year 2000 problem; vendor management; credit risks from borrowers who may not be Year 2000 compliant; and principles that institutions should follow when testing remediated systems. We anticipate completing this guidance by the end of this year and will provide supplemental training to examiners if needed.
Institutions that are serviced by a third-party or have purchased software may be exposed to significant risk if they adopt a passive approach to addressing Year 2000 problems. The inability or failure of a vendor to modify a financial institution's computer system could potentially leave the institution in the position of having to find an alternate data processing service or software provider on short notice. As the Year 2000 draws closer, the limited availability of alternatives may reduce an institution's options and make the available choices extremely expensive. Personnel resources also may become scarce as the demand for qualified programmers increases.
For banks that are relying on a third party vendor to make their systems Year 2000 compliant, the FDIC is emphasizing that their executive management should take an active role in evaluating the vendor's Year 2000 project management plan. They should monitor closely the vendor's progress in meeting its self-imposed target deadlines for addressing problems in the institution's systems. The vendor's plan should allow ample time for testing, and management should insist on a full test of all the financial institution's systems in a simulated Year 2000 environment as early in 1999 as possible. In addition, potential alternate service or software providers should be identified as part of the institution's Year 2000 planning. As noted above, we are developing more comprehensive guidance to the industry on vendor management issues.
One of the greatest and most complicated risks of the Year 2000 problem is the interdependencies between banks and external parties with which they exchange data electronically, such as other banks (foreign or domestic), clearing houses, correspondent banks and brokerages. The exchange of data on securities and derivatives activities also presents risks. Banks must test the interfaces between their own systems and those with which they exchange data to ensure Year 2000 compatibility. The FDIC and other agencies are working with the Basle Committee as well as coordinating with the Securities and Exchange Commission and Commodity Futures Trading Commission with respect to these issues.
Examiners also have noted the potential for credit quality exposure from corporate borrowers that do not appear to be adequately addressing Year 2000 issues. In our initial assessments and on-site supervisory reviews, we are emphasizing to bankers the importance of addressing credit exposure in their project plans. As discussed above, the depository institution regulators also are developing additional guidance to the industry on this area.
In addition, we are taking Year 2000 issues into consideration for applications we process, particularly applications for deposit insurance and mergers or acquisitions. FDIC staff will be required to make a determination of the status of an applicant's Year 2000 program and, if necessary, the FDIC will require appropriate remedial action as a condition for approving an application.
Initial Assessment of Data Processing Servicers and Bank Software Vendors
The FDIC also is working closely with the other depository institution regulatory agencies to assess the efforts of data processing servicers and bank software providers in resolving Year 2000 problems. Over 90 percent of all FDIC-insured institutions receive data processing support from an independent party external to the bank or have purchased their financial software applications (such as deposit and loan information systems) from a vendor. For the most part, these banks must rely on the data processing servicers or vendors to make their financial software applications Year 2000 compliant. The agencies are currently performing initial assessments at each of the approximately 300 data processing servicers that serve financial institutions including the 16 large multi-regional data processing servicers that have been identified by the agencies as potentially posing a significant and disruptive risk to the financial industry should one or more fail. With respect to bank software providers, the agencies are performing a similar assessment of the 12 major bank software products used by a wide segment of financial institutions. We estimate that these twelve packages are used by 75 percent of the FDIC-supervised financial institutions that purchase bank software applications for their data processing.
We have completed initial assessments at 81 percent of the 147 data processing servicers and vendors assigned to the FDIC for review. Less than one percent of the servicers are experiencing significant problems at this point. Approximately 5 percent of servicers present a moderate level of concern, while we estimate that about 95 percent of servicers have adequate processes in place to make mission critical systems compliant by December 31, 1999. Some of our smaller institutions, however, are having problems obtaining specific information regarding their vendors' Year 2000 remediation efforts and, in particular, their project time lines. Our on-site supervisory reviews of servicers which will be completed by early 1998, will enable us to better evaluate how well the servicers are implementing their processes and meeting their project timelines.
Follow-Up and Enforcement
The FDIC is closely monitoring all insured financial institutions and data processing servicers with particular emphasis on those that are not achieving satisfactory progress in addressing Year 2000 issues. Subsequent to the Year 2000 on-site assessment, we will follow-up with all financial institutions directly supervised by the FDIC at a minimum twice each year. Where appropriate, contact will be more frequent and on-site. The Federal bank regulators have agreed to conduct quarterly follow-up on the 16 multi-regional data processing servicers and the 12 major bank software vendors. Along with the other depository institution regulatory agencies, we will notify the serviced banks on a timely basis if it is determined that certain third-party servicers have not taken sufficient action to achieve Year 2000 compliance. In response, we will expect clear commitments and specific timetables for remediation from the serviced bank. The results of both the assessments and the subsequent supervisory reviews are being shared among the regulators. In cases where satisfactory responses are not forthcoming, we will take supervisory action, including formal enforcement action, if necessary, to ensure that Year 2000 issues are adequately addressed. The FDIC is working closely with the other depository institution agencies to coordinate potential enforcement approaches. There are a variety of enforcement tools we can use, depending on specific circumstances.
Failure Resolution and Contingency Planning
The supervisory approach outlined above is intended to minimize the potential for disruptions at financial institutions as we enter the 21st Century. However, if problems do arise, we are developing contingency plans to handle them. The FDIC is unable to predict, at this time, whether any institutions may fail as a result of the Year 2000 problem, but we will be ready to respond should an institution's viability be threatened by an inability to maintain accurate books and records. In order to be prepared for the possibility of failures, we are analyzing how the FDIC's traditional resolution and receivership methods might be affected by this type of problem and we will develop appropriate methods to address potential failures resulting from the Year 2000 problem. No matter what difficulties financial institutions may encounter, each depositor will remain fully insured up to the statutory limit. Maintaining consumer confidence in the U.S. banking system will be a primary goal of the contingency planning process.
Our contingency planning efforts address a number of issues. For example, we are developing strategies to coordinate with the chartering authorities, including the states, in determining the potential impact of any failures on FDIC resources and the insurance funds. Our contingency planning efforts also include developing strategies to fix corrupt records before closing banks and paying off depositors and reviewing whether we need to develop alternative closure methods to handle Year 2000 problems. We will evaluate the potential impact of systemic disruptions such as infrastructure breakdowns, severe disruption at or failure of a major U.S. financial institution, or a disruption in major overseas markets.
REMEDIATION EFFORTS WITHIN THE AGENCY
The FDIC's internal Year 2000 effort is on schedule. This project has been ongoing for over a year. The project team is using the General Accounting Office Year 2000 Assessment Guide as its model for project planning and management. During the first half of 1997, the FDIC carried out an aggressive awareness phase by using briefings, internal newsletter articles and an internal Internet presence to inform employees of Year 2000 issues and risks.
We began our assessment phase early this year and to date we have virtually completed a detailed inventory of our computer software. The only remaining items to inventory and assess are small, low volume, non-critical items. We are well underway toward developing a detailed code-level assessment and scanning major systems. We also have begun the remediation process, preparing Year 2000 ready test environments to validate remediated code and to test systems which we believe are Year 2000 compliant. The FDIC awarded a contract in August 1997, which will provide significant support for detailed assessment, code renovation, and strong emphasis on testing of code and all hardware and software environments.
The FDIC Year 2000 methodology requires development of contingency plans for systems which may be at risk if they are not remediated on a timely basis. We are developing procedures for such contingency plans, but at this time we do not anticipate that any critical systems will be deemed to be at risk for not being renovated in time. As part of the contingency planning process, we will continually review our progress and develop contingency plans if schedules slip for any critical system.
We estimate that the FDIC's entire internal Year 2000 project (1997-2000) will cost approximately $24 million with about half of that amount budgeted for 1998, when the majority of remediation and testing will occur. We have contracts in place and we anticipate no personnel resource problems at this time.
The FDIC is working with the other Federal depository institution regulatory agencies to monitor the potential risk to the insurance funds posed by the Year 2000 problem. Through the supervisory process, we plan to continue our efforts to raise the level of awareness in the banking industry of the potential dangers of failing to address this issue. Working with the depository institution regulators, we will conduct on-site assessments and closely monitor the status of every FDIC-insured depository institutions as well as their data processing servicers and software providers and take supervisory action as necessary to ensure that every institution is addressing this risk. Finally, we will continue to develop contingency plans to address problems that may arise.