MICHAEL J. ZAMORSKI
DEPUTY DIRECTOR, DIVISION OF SUPERVISION
CHAIRMAN, FDIC YEAR 2000 OVERSIGHT COMMITTEE
FEDERAL DEPOSIT INSURANCE CORPORATION
FDIC's EFFORTS TO ADDRESS THE YEAR 2000 PROBLEM
COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS
SUBCOMMITTEE ON FINANCIAL SERVICES AND TECHNOLOGY
UNITED STATES SENATE
10:00 A.M. FEBRUARY 10, 1998
ROOM 538 DIRKSEN SENATE OFFICE BUILDING
Good morning Mr. Chairman and members of the Subcommittee. I appreciate this opportunity to testify before you today on behalf of the Federal Deposit Insurance Corporation regarding Year 2000 issues. My testimony today will discuss the plans and initiatives of the FDIC for ensuring that FDIC-insured depository institutions and the Corporation's internal computer systems are prepared for the millennial date change. In addition, we appreciate the analysis of the General Accounting Office and I will comment on the FDIC's actions to address their recommendations.
The Year 2000 problem presents extraordinary challenges for financial institution regulators. Unlike our traditional supervisory concerns regarding an institution's financial condition or operations, this problem involves complex technological issues and an uncompromising deadline. Because every financial institution is at risk, the scale of this problem is much different than the problems the FDIC and other financial institution regulators have historically handled.
In addition to being a challenge for financial institution regulators, achieving Year 2000 readiness is an even greater challenge for bank management. Ultimately, achieving Year 2000 readiness is and must be the responsibility of a financial institution's directors and officers. Institution management is the first line of defense against Year 2000 problems because they are in the best position to know an institution's operations, strategies, resources and exposure. The role of financial institution regulators is to ensure that banks are taking appropriate steps to achieve Year 2000 readiness. The FDIC is committed to working with financial institutions and devoting whatever resources are necessary to avoid disruptions to the financial system.
EXTERNAL EFFORTS AND INITIATIVES
The FDIC, in cooperation with the other federal financial institution regulatory agencies and state supervisory authorities, has implemented a number of initiatives to ensure that all FDIC-insured institutions address the Year 2000 problem. These agencies have issued comprehensive project management and business risk guidance to the industry. In addition, these agencies, together with state supervisory authorities, have completed initial assessments of all FDIC-insured depository institutions. The FDIC's initial assessments and on-site reviews indicate that the great majority of FDIC-supervised institutions are taking appropriate action to become Year 2000 ready. We have identified a small percentage of institutions that are not acting as quickly as they should to address the issue and we have intensified our supervisory efforts accordingly. These institutions are receiving heightened supervisory attention to ensure that they take necessary steps to achieve Year 2000 readiness.
In addition to completing initial assessments of the approximately 6,200 financial institutions we supervise, we have completed about 2,000 on-site reviews. We also have completed initial assessments of all 154 data service providers that we are responsible for reviewing [1] and completed 111 on-site reviews as of December 31, 1997. These reviews are intended to confirm the information derived from the initial assessments and to evaluate the status of Year 2000 project management at each institution and data service provider. We will complete all remaining on-site reviews of financial institutions no later than June 30, 1998, and of data service providers by March 31, 1998. The FDIC is committed to monitoring the progress of all FDIC-supervised institutions and data processing servicers semi-annually, and more frequently for institutions and data service providers or software vendors that are not making sufficient progress to become Year 2000 ready.
While we are carefully reviewing institutions' preparations for the Year 2000, most insured institutions use external data processing servicers and software vendors and institutions' readiness will be directly linked to the Year 2000 efforts of these servicers and vendors. Because of institutions' reliance on third parties, the FDIC and other financial institution regulators have intensified their review of these servicers and vendors. By March 31, 1998, a special team of information systems examiners from the federal banking agencies will complete their review of all major data processing servicers and major software vendors used by financial institutions. These agencies are providing the results of the data processing servicer reviews to all insured institutions that are customers of these servicers so that they can use this information, in addition to information obtained through their independent due diligence, to make informed decisions about their servicers' Year 2000 progress. Based on our review of these servicers and vendors, efforts to become Year 2000 ready are well underway.
The FDIC categorizes the status of Year 2000 efforts at financial institutions, data service providers and software vendors as either "Satisfactory," "Needs Improvement," or "Unsatisfactory." The "Satisfactory" category is representative of institutions, data service providers or vendors where performance is acceptable in all key phases of the Year 2000 project management process and indicates project weaknesses are minor in nature and easily corrected within the existing project management framework. The "Needs Improvement" category indicates less than satisfactory performance in any of the key project management phases and project weaknesses that are significant and not easily corrected within the existing project management framework. This category includes some cases where not all of an institution's officers fully understand Year 2000 implications. The "Unsatisfactory" category designates poor or deficient performance in any of the key project management phases. Project weaknesses are serious in nature and unlikely to be corrected within the existing project management framework and executive management and the board of directors do not understand or recognize the impact that the Year 2000 will have on the institution.
It is important to note that the assessment of a financial institution only provides its status at a given point in time. For example, institutions that are currently "Satisfactory" could fall into a lower category if their subsequent testing efforts reveal significant problems. Further, classifying an institution as "Satisfactory" does not guarantee that it will be Year 2000 ready. It does, however, permit regulators to allocate resources to the institutions in need of attention.
Of the approximately 2,000 institutions for which we have completed on-site reviews, 79 percent are classified as "Satisfactory," 19 percent are classified as "Needs Improvement," and 2 percent are classified as "Unsatisfactory." The results of these on-site assessments generally have been more favorable than the findings of our initial assessments, in that financial institution management has intensified their efforts to address Year 2000 issues. Because we have prioritized our on-site reviews to first examine those institutions for which the initial assessment indicated difficulties, it is possible that these percentages could improve as we complete more on-site reviews. As we near completion of the on-site assessments by June 30, we will have a clearer picture of the status of all institutions' Year 2000 compliance efforts.
For institutions classified as "Unsatisfactory" or "Needs Improvement," we are aggressively taking supervisory action, which may range from notifying the institution of deficiencies in its Year 2000 project management by letter, lowering the institution's management component or its composite rating, where appropriate, or instituting informal or formal enforcement actions. To date, the FDIC has taken several supervisory actions and informal or formal enforcement actions against financial institutions and data processing servicers related to Year 2000 problems. Our formal enforcement actions include the issuance of three Cease and Desist orders. Informal actions include the issuance of four Memoranda of Understanding (MOU) and eight institutions, at the FDIC's request, have passed Board Resolutions outlining agreed upon corrective efforts needed to satisfactorily address Year 2000 issues. We also have sent letters to 93 institutions indicating that their Year 2000 initiatives need some form of improvement, and we have placed conditions on several applications because management was not adequately addressing Year 2000 issues. The FDIC also has in process one additional Cease and Desist order, four MOUs, 14 Board Resolutions and 95 more letters to financial institutions. If we do not see prompt improvement in institutions that have been notified of inadequate progress, we will aggressively pursue more stringent supervisory action.
Through the Federal Financial Institutions Examination Council (FFIEC), the FDIC has provided Year 2000 guidance to the industry in two interagency statements issued on May 5 and December 17, 1997. The former identifies requirements for Year 2000 project management. The latter discusses the business risk posed by Year 2000 problems and requirements for financial institutions' boards for managing and overseeing their institutions' Year 2000 project efforts. The FFIEC is in the final stages of completing additional guidance in the areas of testing, vendor management and credit risk. This guidance will be issued as soon as possible, but no later than March 31, 1998.
Training our examiners on Year 2000 issues is essential to ensuring that our examiners can properly evaluate the Year 2000 status of financial institutions. For this reason, the FDIC has provided special Year 2000 training for 1,400 safety and soundness examiners and information systems examiners. We have also trained 600 state examiners. By June, the FDIC will complete additional training materials on the review of an institution's testing and contingency planning efforts in preparation for the next phase of Year 2000 remediation activity. The FDIC is taking the lead on this training for the FFIEC and will make these additional training materials available to the other federal banking agencies and state supervisory authorities.
The FDIC is actively communicating with financial institutions, trade associations and the public about Year 2000 issues. We have provided each FDIC-supervised institution with specific guidance on Year 2000 project management and we have participated in numerous outreach programs with bankers, including conferences and seminars. The FDIC also participates in quarterly meetings with the major trade associations to discuss collaborative strategies to help the industry become Year 2000 ready. We have sponsored a vendor conference to discuss the regulators' expectations of data service providers and vendors and to learn about their concerns, and we are planning another conference for later this Spring. We also are developing a communication strategy to maintain public confidence and to emphasize the FDIC's role in insuring deposits. Through the FFIEC's December 17 interagency statement, we notified financial institution management that their Year 2000 project plans must include a strategy for responding to inquiries from customers and business partners regarding the institution's Year 2000 readiness. Finally, the FDIC is providing Year 2000 information on our external Internet website, including copies of industry guidance we have issued and information on our internal project management efforts.
Although the FDIC's supervisory approach is designed to minimize the potential for disruptions at financial institutions resulting from Year 2000 problems, we recognize that some institutions may encounter problems achieving Year 2000 readiness. The FDIC will, therefore, be ready to intervene should an institution's viability be threatened by an inability to maintain accurate books and records. At this time we do not expect numerous failures, if any. However, we are developing contingency plans to prepare for the possibility of failures. We have made an aggressive start in developing plans that address deposit insurance issues and failed bank resolutions and receiverships in the context of institution failures caused by technological rather than capital deficiencies. Along with the other federal financial institution regulatory agencies, we have repeatedly emphasized to depository institutions that they must prepare their own contingency plans to contain potential damage resulting from the inability to achieve the milestones set out in their formal Year 2000 plans.
INTERNAL ACCOMPLISHMENTS AND INITIATIVES
The FDIC is confident it will complete necessary renovation, validation and implementation of its systems by December 31, 1999. We already have completed an application systems inventory, a high level assessment of our systems and a triage of applications. The FDIC also is conducting an additional detailed program level code assessment on its mission critical systems which will be completed by March 31, 1998. Even though more detailed assessment activity is continuing, we also are conducting renovation and even final testing of many mission critical systems.
Of the FDIC's more than 500 computer application systems and subsystems in use, we have identified 40 systems as mission critical applications. Of these, five systems have been fully tested and determined to be Year 2000 ready, 12 have been assessed and are undergoing testing to validate their readiness, 17 systems have undergone detailed code assessment and are scheduled for renovation, and the remaining six systems are undergoing detailed assessment this month. Once the detailed code assessment is completed we will know whether or not these systems have to be renovated. At this time, we expect to complete renovations and testing within the timeframes in our project plans to achieve Year 2000 readiness.
The FDIC standard for the development of new applications has been a four-digit date field for more than five years. As a result, we believe approximately 75 percent of our systems applications are already Year 2000 compliant. For example, the system capturing the Reports of Condition provided by financial institutions on a quarterly basis to the FDIC has been in a four-digit format for several years. Nevertheless, the FDIC is completing detailed code-level analysis for all systems to ensure that they will be Year 2000 ready. In cases where we have contracted out detailed code level analysis, we are reviewing the contractors' completed work to verify their results. Because we have fewer systems that will require extensive remediation, and because we are conducting assessment, remediation and testing activities simultaneously, we will have all systems renovated by the end of 1998.
FDIC RESPONSE TO GAO FINDINGS AND RECOMMENDATIONS
As we work to address external and internal Year 2000 issues, the FDIC recognizes that we are dealing with issues that are unique in the history of financial institution supervision. Therefore, we welcome the analysis and recommendations of the GAO and other experts regarding ways to improve our efforts to achieve Year 2000 readiness in the financial industry and at the FDIC. The GAO made three specific points with respect to our external efforts and two points relative to our internal project management. I will address each of these points below.
Timing of external project management
The GAO indicates that the FDIC was late starting Year 2000 initiatives and is, therefore, behind the recommended schedule in its assessments of financial institutions' Year 2000 efforts. For example, the FDIC did not complete its initial assessments until the end of December 1997, while both the GAO and Office of Management and Budget (OMB) guidelines call for the assessment phase to be completed by mid-1997. The FDIC agrees that it and other financial institution regulators should have initiated action sooner to address Year 2000 issues in the banking industry. However, we believe that our aggressive efforts over the past year have enabled us to make strong and steady progress in meeting our Year 2000 project milestones.
Initial questionnaire and report tracking
The GAO states that the FFIEC's questionnaire and the FDIC's tracking questionnaire that examiners are required to complete after their on-site assessments lack questions that enable us to precisely identify whether specific project management phases have been completed. We believe that an examiner's judgment is most important in determining the placement of an institution into a particular category based on its project status. The FDIC has a comprehensive tracking system in place that enables us to determine not only the status of the institution with respect to completing its project plan, but also captures examiners' judgment on specific problems that an institution might be encountering. However, the FDIC agrees that the more information we have, the more accurate our assessments of the industry will be. Based on the GAO's comments, the FDIC will discuss the desirability of collecting and tracking additional data with our fellow regulators promptly.
The GAO states that the FDIC and FFIEC have not yet completed guidance for depository institutions on contingency planning, corporate customer readiness (or credit risk), and vendor management. With respect to contingency planning, the GAO Assessment Guide recommends that, for critical systems and activities, contingency planning should begin in the same timeframe as the assessment phase, which has passed. The FDIC agrees that this contingency planning guidance needs to be issued as soon as possible. Although we have discussed contingency planning broadly in earlier guidance provided to the industry, the FDIC will work with the other banking regulators to develop this guidance as early as possible.
The GAO also is concerned about the FDIC's and FFIEC's delay in issuing guidance to institutions on vendor management and corporate customer readiness. While this guidance could have been provided sooner, both of these topics were broadly included in earlier FDIC and FFIEC guidance. More detailed guidance is under development on an interagency basis and will be distributed by March 31, 1998. It should be noted that since the FDIC began disclosing the results of its Year 2000 reviews of data service providers to financial institutions, many financial institutions have increased their attention to vendor management issues. In addition, our examiners address both vendor management and credit risk issues with management of financial institutions during the on-site reviews. The FDIC is committed to working with the FFIEC to provide this information to institutions at the earliest possible date but no later than March 31, 1998. We also have developed guidance on testing, which will be distributed by March 31, 1998.
Timing of the FDIC's internal project management
The GAO states that the FDIC should have completed detailed assessments of its internal systems by September 1997, and recommends that the FDIC complete its detailed assessment activity by March 31, 1998. Although the FDIC has completed a high level assessment that did not indicate any unexpected or significant problems with its systems, we agree with the GAO and are committed to completing the detailed assessment of all mission critical systems no later than March 31. As indicated above, many of these mission critical systems have already received a detailed code assessment and are already undergoing renovation and testing.
Internal contingency plan
The GAO states that the FDIC should have prepared a more formal contingency plan earlier in the process to mitigate risks. We are committed to finalizing the FDIC's plan, which addresses contingency planning for its mission critical systems and core business processes, by the end of this month.
In conclusion, the FDIC has established an aggressive program and devoted substantial resources to ensure that depository institutions address the Year 2000 problem. We are monitoring the status of financial institutions, data service providers and software vendors, taking enforcement actions as necessary, and are working with the other federal banking agencies to issue guidance to the industry. We are conducting comprehensive on-site reviews and continuous follow-up action to determine the status of institutions in their Year 2000 project management efforts. In the event that some institutions encounter problems achieving Year 2000 readiness, we have established a comprehensive contingency planning effort that will enable us to meet our deposit insurance responsibility. In addition, we are developing a strategy to communicate the measures that the regulators are taking to ensure that FDIC-insured depository institutions become Year 2000 ready and to remind the public that the FDIC will continue to insure deposits in the event an institution fails due to Year 2000 problems. Finally, our internal project management is proceeding and we are confident our systems will be Year 2000 ready in time.
The FDIC also recognizes that many challenges remain. The GAO has provided us with a number of useful recommendations that we will aggressively integrate into our efforts. The FDIC will continue to work with the GAO and Congress to address the Year 2000 challenge.
This concludes my statement to the Subcommittee. I will be happy to answer any questions.
[1] The FDIC shares responsibility with the member agencies of the Federal Financial Institutions Examination Council (FFIEC) for examining the larger data service providers and software vendors. Typically the responsibility for examining the data service providers and software vendors is rotated on a regular basis.