Federal Reserve Bank of Dallas
ROBERT D. McTEER, JR.
PRESIDENT AND CHIEF EXECUTIVE OFFICER
DALLAS, TEXAS 75265-5906

April 22, 1998

Notice 98-33

TO: The Chief Executive Officer of each financial institution and others concerned in the Eleventh Federal Reserve District

SUBJECT
Guidance on Vendor and Customer Year 2000 Risk, and Year 2000 Testing

DETAILS
The Federal Financial Institutions Examination Council (FFIEC) has issued additional guidance for financial institutions on risks they face—from service providers and software vendors and from institutions’ customers—because of the Year 2000 date change. The guidance follows previous FFIEC Year 2000 statements on project management and business risk.

The guidance on Year 2000 risk from service providers and software vendors calls for financial institutions to develop a due diligence process for determining the ability of their service providers and software vendors to become Year 2000 ready and establishing effective remediation programs, testing to the extent possible, and effective contingency plans in case the service providers and software vendors are not Year 2000 ready.

The customer risk guidance outlines a due diligence process that will help financial institutions identify material customers, evaluate their Year 2000 preparedness, assess their Year 2000 customer risk, and implement controls to manage the risk.

The FFIEC has also issued guidance for financial institutions concerning testing for Year 2000 readiness. This guidance emphasizes the role of financial institution boards of directors and management in the important testing phase of Year 2000 preparations. It specifies that financial institutions should develop and implement written testing strategies and plans for internal and external systems, placing priority on the testing of mission-critical systems. It also discusses testing with service providers, software vendors, and other third parties. Finally, the advisory addresses the need for financial institutions to verify the testing process.

ATTACHMENTS
Copies of the FFIEC’s guidance on service provider and software vendor risk, customer risk, and Year 2000 testing are attached. For additional copies, bankers and others are encouraged to use one of the following toll-free numbers in contacting the Federal Reserve Bank of Dallas: Dallas Office (800) 333-4460; El Paso Branch Intrastate (800) 592-1631, Interstate (800) 351-1012; Houston Branch Intrastate (800) 392-4162, Interstate (800) 221-0363; San Antonio Branch Intrastate (800) 292-5810.

MORE INFORMATION
For more information, please contact Ann Worthy at (214) 922-6156. For additional copies of this Bank’s notice, please contact the Public Affairs Department at (214) 922-5254.

Sincerely yours,

This publication was digitized and made available by the Federal Reserve Bank of Dallas' Historical Library (FedHistory@dal.frb.org).

GUIDANCE CONCERNING INSTITUTION DUE DILIGENCE IN CONNECTION WITH SERVICE PROVIDER AND SOFTWARE VENDOR YEAR 2000 READINESS

To: The Board of Directors and Chief Executive Officer of all federally supervised financial institutions, service providers, software vendors, senior management of each FFIEC agency, and all examining personnel.

Background
The Federal Financial Institutions Examination Council (FFIEC) has issued several statements on the Year 2000 problem. These interagency statements address key phases of the Year 2000 project management process and the specific responsibilities of senior management and the board of directors to address business risks associated with the Year 2000 problem. Nearly all financial institutions in the United States rely on service providers and software vendors to operate mission-critical systems, and thus nearly all should work closely to ensure services and products are Year 2000 ready.
Purpose
The purpose of this guidance is to ensure that senior management and the boards of directors of financial institutions establish a due diligence process for determining the ability of their service providers and software vendors to become Year 2000 ready, establishing appropriate and effective remediation programs, establishing testing to the extent possible, and developing effective contingency plans in the event service providers and software vendors are not Year 2000 ready.

Summary
Management of financial institutions should establish a comprehensive Year 2000 due diligence process with its service providers and software vendors. The due diligence process should enable management to:
• Identify and assess the mission-critical services and products provided by service providers and software vendors;
• Identify and articulate the obligations of the service provider or software vendor and the institution for achieving Year 2000 readiness;
• Establish a process for testing remediated services and products in the institution’s own environment to the extent possible;
• Adopt contingency plans for each mission-critical service and product; and
• Establish monitoring procedures to verify that the service provider or software vendor is taking appropriate action to achieve Year 2000 readiness.

FFIEC Expectations and Efforts
In the May 1997 Interagency Statement, the FFIEC advised all financial institutions to identify service provider or software vendor interdependencies as part of their assessment phase. The FFIEC recommended that a Year 2000 readiness team and oversight committee, formed by the board of directors in consultation with senior management, be assigned the responsibility for identifying all systems, application software, and supporting equipment that are date dependent. Institutions should have completed their assessments by September 30, 1997.

The Interagency Statement also addressed the importance of assessing mission-critical systems first because the failure of mission-critical services and products could have a significant adverse impact on the institution’s operations and financial condition. Each system and application should be assessed based on the importance of the system and application to the institution's continuing operation and the costs and time required to implement alternative solutions.

The FFIEC recognizes that service providers and software vendors may not be able or may be unwilling to correct Year 2000-related problems for a variety of reasons. Developers of software and equipment may no longer be in business or they may no longer support the application or operating system. Source code may not be available for remediation and the systems and hardware equipment may have components that are no longer manufactured. In addition, a software provider that sells a large variety and volume of programs might provide only general instructions for reconfiguring a product to the user because of the high cost associated with changing each product. Alternately, a service provider may assume total responsibility for the renovation of its operating systems, software applications, and hardware because its systems are maintained internally. However, the FFIEC believes it is important that financial institutions obtain sufficient information to determine if their mission-critical service providers and software vendors will be able to successfully deliver Year 2000 ready products and services. This guidance assists financial institutions with managing their relationship with service providers and software vendors as their Year 2000 project management plan is implemented.

The FFIEC agencies will provide to the serviced institutions information on the level of preparedness of their service providers that the agencies inspect. In addition, the FFIEC agencies are encouraging software vendors to provide as much information as possible on their remediation and testing efforts to their client financial institutions. The FFIEC also plans to participate in industry-sponsored events to exchange information on software vendors and the due diligence process and post information on its Internet web site (www.ffiec.gov).

Due to the pivotal role played by service providers and software vendors in an institution's operations, the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, and the National Credit Union Administration have augmented their examination of service providers to include focused Year 2000 reviews. Although the agencies will not certify service providers or software vendors as Year 2000 compliant as a result of these reviews, the agencies will forward the results of service provider Year 2000 readiness examinations to the serviced institutions that use these service providers. The agencies also will examine software vendors that agree to periodic inspections. In those cases where the software vendor consents, the results of Year 2000 readiness examinations will be forwarded to client institutions.

The examination reports of service providers and software vendors should not be viewed as a substitute for independent due diligence of your service provider’s and software vendor’s Year 2000 readiness. The examination reports should not limit a financial institution’s efforts to obtain information directly from the service providers and software vendors. The information contained in an examination report reflects the Year 2000 readiness of a service provider and software vendor as of a particular point in time. When reviewing these reports, institutions should be aware that circumstances may have changed since the review was conducted and follow-up with the service provider and software vendor may be necessary.

Financial institutions may find it beneficial to join forces with other financial institutions in similar circumstances and coordinate group efforts to evaluate the performance and testing methodologies of service providers and software vendors, to participate in testing efforts to the extent possible, and to evaluate contingency plans. By working through user groups, financial institutions can gather and disseminate information on the efforts of service providers and software vendors, testing methodologies, contingency plans and monitoring techniques. User groups also can be useful to encourage uncooperative service providers and software vendors to provide more prompt and effective service to client institutions.

Responsibilities of Financial Institutions with Respect to Service Providers and Software Vendors
The management of a financial institution is responsible for determining the ability of its service providers and software vendors to address Year 2000 readiness, for establishing appropriate and effective testing and remediation programs, and for developing effective contingency plans in the event providers are not Year 2000 ready. Financial institutions should contact service providers and software vendors to determine what is needed to make the product or service Year 2000 ready. Management also should assess whether the service provider or software vendor has the capacity and expertise to complete the task. Service providers and software vendors should make full and accurate disclosures to their client financial institutions concerning the state of their remediation efforts.

Management should request the following information for all mission-critical products provided by service providers and software vendors:
• Information on Year 2000 project plans, including the scope of the effort, a summary of resource commitments, dates when remediation and testing will begin and end, and dates when Year 2000 products and services will be delivered to the financial institution.
• Plans to discontinue or extensively modify existing services and products.
• Ongoing updates on the service providers’ and software vendors’ progress in meeting timetables of their Year 2000 project plans.
• Estimates of product and support costs to be incurred by the financial institutions required for remediation and testing.
• Contingency plans of service providers or software vendors in the event their project plans fail.

Financial institutions should thoroughly investigate the legal ramifications of renovating software vendor code because there is considerable legal risk in renovating software vendor-supplied code. For example, code modifications could render warranties and maintenance agreements null and void. However, financial institutions may need to make critical decisions that balance the consequences of these legal risks with business necessity. Financial institutions may also need to determine whether they can terminate their current service contracts and at what cost. The failure of service providers and software vendors to meet these expectations could pose a risk to the safety and soundness of an institution, and in such circumstances institutions may need to terminate their relationship with the service provider or software vendor.

Testing
Testing for changes to the services and products will play a critical role in the Year 2000 process. Financial institutions should test, to the extent possible, service provider and software vendor provided products and services in the institution’s own environment. The FFIEC expects service providers and software vendors to fully cooperate with financial institutions in testing. Management should not rely solely on the stated commitment of a service provider or software vendor to test but should request that the scope be defined, objectives listed, and testing approaches and scenarios be developed. Testing schedules should be supplied by service providers and software vendors. In addition, the institution’s testing strategy should include a testing scenario to simulate and measure the impact of a Year 2000-related disaster on normal operations. The FFIEC will provide guidance on testing in an upcoming release.

Contingency Plans
Financial institutions should develop contingency plans for each mission-critical service and product. Contingency plans should describe how the financial institution will resume normal business operations if remediated systems do not perform as planned either before or after the century date change. They should establish “trigger dates” for changing service providers and software vendors to allow sufficient time to achieve Year 2000 readiness. Management of financial institutions, in consultation with the institution’s legal counsel, should identify any legal remedies or resolutions available to the institution in the event products are not able to handle Year 2000 date processing. Institutions should consult with business partners that have interconnected systems, user groups, and third-party service providers.

If service providers and software vendors refuse or are unable to participate in Year 2000 readiness efforts, or if commitments to migrate software or replace or repair equipment cannot be made by the “trigger date,” the institution should pursue an alternate means of achieving Year 2000 readiness. In either of these cases, the institution should consider contracting with other service providers and software vendors to provide either remediation or replacement of a product or service. Difficulties of this nature should be reported to the financial institution’s primary federal regulatory agency.

The FFIEC will provide detailed guidance on contingency planning in an upcoming release. However, that portion of a financial institution’s Year 2000 contingency plan pertaining to service providers and software vendors should be tailored to the needs and complexity of the institution and should incorporate the following components:
• A risk assessment that identifies potential disruptions and the effects such disruptions will have on business operations should a service provider or software vendor be unable to operate in a Year 2000 compliant environment. The plan should determine the probability of occurrence and define controls to minimize, eliminate or respond to disruptions.
• An analysis of strategies and resources available to restore system or business operations.
• A recovery program that identifies participants (both external and internal) and the processes and equipment needed for the institution to function at an adequate level. The program should ensure that all participants are aware of their roles and are adequately trained.
• A comprehensive schedule of the remediation program of the service provider or software vendor that includes a trigger date. Institutions should assure themselves that adequate time is available should their internal test results require additional remediation efforts.

The development and implementation of contingency plans should be subject to the scrutiny of senior management and the board of directors. Institution management should periodically review both its contingency and remediation plans. These reviews should address the impact that any changes made to a renovation plan might have on contingency plans. Additionally, the institution should ensure that an independent party reviews these plans. Finally, the institution's senior management and the board of directors should review and approve all material changes to their plans.

Monitor Service Provider and Software Vendor Performance
Management of financial institutions should monitor the efforts of service providers and software vendors. The monitoring process should include frequent communication and documentation of all communication. Since the institution cannot rely solely on the proposed actions of service providers and software vendors, management should contact each mission-critical service provider and software vendor quarterly, at a minimum, to monitor its progress during the remediation and testing phases. The institution should maintain documentation for all of its communications.

Many service providers and software vendors maintain web sites on the Internet with information about the Year 2000 readiness of their services and products. In addition, the FFIEC Year 2000 web site (www.ffiec.gov/Y2K/) includes links to other federal government web sites in which listings of various service provider and software vendor statements are maintained. To the extent that a financial institution relies on information from a web site, a paper copy of the information should be kept on file, and the web site periodically checked to determine if information has been updated.

Conclusion
The FFIEC expects management and the boards of directors of financial institutions to establish a comprehensive Year 2000 due diligence process with their service providers and software vendors. Management of each financial institution is responsible for ensuring that its service providers and software vendors take adequate steps to address Year 2000 problems. Financial institutions should establish contingency plans to ensure that management has alternative options for all mission-critical systems in the event service providers and software vendors are not able to meet key target dates.
Management should test services and products in the institution's own environment to the extent possible. 6 GUIDANCE CONCERNING THE YEAR 2000 IMPACT ON CUSTOMERS To: The Boards of Directors and Chief Executive Officers of all federally supervised financial institutions, Department and Division Heads of each FFIEC agency, and all Examining Personnel. BACKGROUND The Federal Financial Institutions Examination Council (FFIEC) has issued three statements providing guidance on the Year 2000 problem. Two interagency statements were issued in June 1996 and May 1997 to address the key phases o f the Year 2000 project management process. The most recent guidance, published in December 1997, outlined the specific responsibilities of senior management and the board of directors to address risks associated with the Year 2000 problem. PURPOSE The purpose of this guidance is to assist financial institutions in developing prudent risk controls to manage the Year 2000-related risks posed by their customers. This guidance describes a variety o f approaches for a financial institution’s senior management and board o f directors to assess the risks arising from the failure or inability of the institution’s customers to address their Year 2000 vulnerabilities. This guidance outlines the due diligence process that financial institutions should adopt to manage their Year 2000-related risks arising from relationships with three broad categories of customers: funds takers, funds providers, and capital market/asset management counterparties. SUMMARY Key points addressed in this guidance include: • A financial institution can face increased credit, liquidity, or counterparty trading risk when its customers encounter Year 2000-related problems. These problems may result from the failure of a customer to properly remediate its own systems and from Year 2000 problems that are not addressed by the customer’s suppliers and clients. 
By June 30, 1998, senior management should have implemented a due diligence process which identifies, assesses and establishes controls for the Year 2000 risk posed by customers. By September 30,1998, the assessment o f individual customers’ Year 2000 preparedness and the impact on an institution should be substantially completed. • The due diligence process outlined in this guidance focuses on assessing and evaluating the efforts of an institution’s customers to remediate their Year 2000 problems. Year 1 2000 issues related to the institution exchanging data with its customers should be addressed as a part o f the institution’s internal Year 2000 project management program. • The guidance recognizes that each institution must tailor its risk management process to its size, its culture and risk appetite, the complexity of its customers, and its overall Year 2000 risk exposure. The FFIEC understands that these differences will affect the risk management programs developed by financial institutions. However, financial institutions must evaluate, monitor, and control Year 2000-related risks posed by funds providers, funds takers, and capital market/asset management counterparties. • The institution’s due diligence process should identify all customers representing material Year 2000-related risk, evaluate their Year 2000 preparedness, assess the aggregate Year 2000 customer risk to the institution, and develop appropriate risk controls to manage and mitigate Year 2000 customer risk. • Risk management procedures will differ based on a variety of factors, including the institution’s size, risk appetite and culture, the complexity of customers’ information and operating systems, and the level of its own Year 2000 risk exposure. The Year 2000 due diligence processes used by smaller institutions may not be as extensive or formal as those in larger institutions where customers may be more dependent upon information technology. 
• The attached appendices provide examples o f processes used by financial institutions to manage Year 2000-related customer risk. • An institution’s management should provide quarterly reports to the board of directors that identify material customers who are not effectively addressing Year 2000 problems. The reports should summarize the action taken to manage the resulting risk. OVERVIEW The Year 2000 problem presents many challenges for financial institutions and their customers. The FFIEC recognizes that risk management procedures will vary depending on the institution’s size, its risk appetite and culture, the complexity o f customers’ information and operating systems, and the level of its own Year 2000 risk exposure. For example, customers of small community financial institutions may not depend on computer-based information systems to the same extent as large business customers of large financial institutions. As a result, Year 2000 due diligence processes used by these institutions may not be as extensive or formal as those in institutions whose customers may be more dependent upon information technology. Senior management should oversee the development and implementation of a due diligence process which is tailored to reflect the Year 2000 risk in their institution’s customer base. Three major types o f customers may expose a financial institution to Year 2000-related risks. 2 They include funds takers, funds providers, and capital market/asset management counterparties. • Funds Takers Funds takers include borrowers and bond issuers that borrow or use bank funds. Failure o f fund takers to address Year 2000 problems may increase credit risk to a financial institution through the inability of fund takers to repay their obligations. • Funds Providers Funds providers provide deposits or other sources of funds to a financial institution. 
Liquidity risk may result if a funds provider experiences a Year 2000-related business disruption or operational failure and is unable to provide funds or fulfill funding commitments to an institution. • Capital Market/Asset Management Counterparties Capital market and asset management counterparties include customers who are active in domestic and global financial markets. Market trading, treasury operations, and fiduciary activities may be adversely affected if a financial institution’s capital market and asset management counterparties are unable to settle transactions due to operational problems caused by the Year 2000 date change. GENERAL RISK CONTROL GUIDELINES By June 30, 1998, financial institutions should establish a process to manage the Year 2000 risks posed by its customers. The process should: (1) identify material customers; (2) evaluate their Year 2000 preparedness; (3) assess their Year 2000 risk to the institution; and (4) implement appropriate controls to manage and mitigate their Year 2000-related risk to the institution. The assessment o f individual customers’ Year 2000 risk and their impact on an institution should be substantially completed by September 30, 1998. Year 2000 issues related to data exchanges between the institution and customers should be addressed as a part o f an institution’s internal Year 2000 project management program. • Identify Material Customers Management should identify customers that represent material risk exposure to the institution, including international customers. Material risk exposure may depend on: ► ► ► ► ► ► ► Size o f the overall relationship; Risk rating of the borrower; Complexity of the borrower’s operating and information technology systems; Customer’s reliance on technology for successful business operations; Collateral exposure for borrowers; Funding volume or credit sensitivity o f funds providers; and Customer’s dependence on third party providers of data processing services or products. 
3 • Assess Preparedness of Material Customers The impact of Year 2000 issues on customers will differ widely. Smaller financial institutions may find that most of their material borrowers use either manual systems or depend on commercial software products and services. The evaluation of Year 2000 preparedness for these customers will be less involved and may not require additional risk management oversight. To ensure consistent information and a basis for comparisons among customers, management should address the following. ► ► ► ► Train account officers to perform a basic assessment of Year 2000 risk of customers. Develop a standard set of questions to assess the extent of a customer’s Year 2000 efforts. Appendices A - D contain samples of forms some financial institutions use to evaluate customer Year 2000 preparedness. Financial Institutions are not required to use these forms, although they provide useful examples of methods to evaluate customer preparedness. Update the status of a customer’s Year 2000 efforts periodically, but at least semi annually. For customers that represent significant Year 2000 exposure to the institution, quarterly updates may be necessary. Document Year 2000 assessment conclusions, subsequent discussions, and status updates in the institution’s customer files. • Evaluate Year 2000 Risk to the Institution After identifying all customers representing material Year 2000 risk and evaluating the adequacy o f their Year 2000 programs, management should assess the Year 2000 risk posed to the institution by these customers, individually and collectively. Management should determine whether the level of risk exposure is high, medium, or low. Management also should provide quarterly updates to the board of directors on customers that are not addressing Year 2000 problems effectively and discuss the actions taken by the institution to control the risk. 
• Develop Appropriate Risk Controls Once the institution has evaluated the magnitude of Year 2000 risk from its customers, management must develop and implement appropriate controls to manage and mitigate the risk. Senior management should be active in developing risk mitigating strategies and ensure that effective procedures are implemented on a timely basis to control risk. SPECIFIC RISK CONTROL GUIDELINES The specific risk controls an institution implements will vary depending on the size of the institution, its risk appetite and culture, the complexity o f customers’ information and operating systems, and its own level o f Year 2000 risk exposure. Different risk management controls may be needed to address unique and material Year 2000 issues that arise from business dealings with 4 different categories o f customer. • Funds Takers An institution’s Year 2000 risk management controls for funds takers should focus on limiting potential credit risk by ensuring that Year 2000 problems do not prevent a borrower or bond issuer from meeting the terms o f its agreements with the institution. Controls to manage an institution’s exposure to its funds takers should address underwriting, documentation, credit administration, and the allowance for loan and lease losses (ALLL). These same factors also should be considered, where appropriate, when evaluating risk posed by an institution’s capital market and asset management counterparties. ► Underwriting During any underwriting process, management should evaluate the extent o f the borrower’s Year 2000 risk. Specifically, management should: Ensure that underwriters are properly trained and have sufficient knowledge to perform a basic assessment o f Year 2000 customer risk. There are a number of resource materials available that will assist in informing lenders of Year 2000 issues. State and national trade associations have prepared materials to assist lenders in understanding customer risk created by the Year 2000. 
Additional information is available on the Internet and can be located by searching on the words “Year 2000". Evaluate whether Year 2000 issues will materially affect the customer’s cash flows, balance sheet, or supporting collateral values. As a part of the assessment and based on materiality, management should consider the complexity of the customer’s operations; their dependence on service providers or software vendors; the extent o f management oversight of the Year 2000 project; the resources the customer has committed to the project; and the date the customer expects to complete Year 2000 efforts. Control credit maturities or obtain additional collateral, as appropriate, if credit funding is to be continued for high-risk customers. ► Documentation Proper loan documentation provides an effective means to monitor and manage the Year 2000 risk posed by borrowers. Loan documents should reflect the degree o f risk posed by customers. Institutions should consider incorporating some or all o f the following into loan agreements: Representations by borrowers that Year 2000 programs are in place; 5 Representations that borrowers will disclose Year 2000 plans to the lender, provide periodic updates on the borrower’s progress of the Year 2000 program, and provide any assessment o f the borrower’s Year 2000 efforts conducted by a third party; Audits that address Year 2000 issues; Warranties that the borrower will complete the plan; Covenants ensuring that adequate resources are committed to complete the Year 2000 plan; and Default provisions allowing the lender to accelerate the maturity o f the debt for non-compliance with Year 2000 covenants; ► Credit Administration After the initial assessment, ongoing credit administration provides the best opportunity for an institution to manage Year 2000-related customer risk. Periodic credit analyses, which should include an update of the customer’s Year 2000 efforts, can help to monitor a borrower’s Year 2000 efforts. 
When performing credit analyses, loan officers should determine whether a customer’s Year 2000-related risk merits an adjustment to its internal risk rating.

► ALLL Analysis

Management’s review of the adequacy of loan and lease loss allowances should include Year 2000 customer risk. When Year 2000 issues adversely impact a customer’s creditworthiness, the allowance for loan and lease losses should be adjusted to reflect adequately the increased credit risk. Additionally, management’s analysis of loss inherent in the entire portfolio should reflect Year 2000 risk.

• Funds Providers

Management should consider the potential effect on an institution’s liquidity by assessing the potential for unplanned reductions in the availability of funds from significant funding sources that have not taken appropriate measures to manage their own Year 2000 problems. Management should develop appropriate strategies and contingency plans to deal with this potential problem.

► Risk Assessment of Funds Providers

As with funds takers, management should discuss Year 2000 issues with significant funds providers, evaluate their Year 2000 readiness to the extent possible, and assess the Year 2000-related risks posed by the providers. Management should be aware of concentrations, including concentrations in any single currency, from an individual provider or group of providers that may not be Year 2000 ready.

► Contingency Planning

The risk assessment of major funds providers’ Year 2000 readiness should be incorporated into an institution’s liquidity contingency plans. As with other contingency planning processes, management should evaluate its exposure and potential funds needs under several scenarios that incorporate different assumptions about the timing or magnitude of funds providers’ Year 2000-related problems. Institutions with significant funds flows in different currencies may need separate contingency plans for each major currency.
Although the liquidity risks from funds providers’ Year 2000-related problems are similar to other “event risks” that institutions address in their liquidity contingency plans, Year 2000-related liquidity risks differ because the date of this event is known in advance. As a result, institutions may be better able to plan for and mitigate potential liquidity risks. For example, institutions may be able to reduce potential liquidity risks by extending the maturity of their advances under funding lines sufficiently past January 1, 2000, to provide time to assess and evaluate the effect of the Year 2000 on their funds providers. Maintaining close contact with funding sources throughout this potentially difficult period can provide management with timely, market sensitive information and thus allow for more effective liquidity planning.

• Capital Market and Asset Management Counterparties

The focus of the controls for an institution’s exposure to Year 2000-related problems in capital markets and among counterparties mirrors those needed for funds takers and funds providers. Potential Year 2000-related problems with capital market participants range from a counterparty’s failure to complete a securities transaction or derivatives contract settlement to, in extreme cases, the failure of the counterparty itself. A counterparty failure could lead to the total loss of the value of the payment or contract. A counterparty’s failure to settle a transaction could cause the institution unexpected liquidity problems, which in turn could result in the failure of a financial institution to deliver dollars or foreign currencies to its counterparties. In addition, Year 2000-related problems among fiduciary counterparties could prevent a financial institution from fulfilling its fiduciary responsibilities to protect and manage assets for fiduciary beneficiaries.
A counterparty’s failure to remit bond payments, fund employer pension contributions or settle securities transactions could increase the institution’s fiduciary risk.

► Risk Assessment of Counterparties

As part of a sound due diligence process, management should identify and discuss Year 2000 compliance issues with those counterparties which represent large exposures to the bank itself and to fiduciary account beneficiaries. Financial institutions should evaluate counterparty exposure and develop risk reducing action plans to help manage and control that risk.

► Risk Reduction Plans

In cases where institutions are not fully satisfied that their counterparties will be Year 2000 ready, management should establish mitigating controls such as early termination agreements, additional collateral, netting arrangements, and third-party payment arrangements or guarantees. In cases where management has a high degree of uncertainty regarding a counterparty’s ability to address its Year 2000 problems, the institution should consider avoiding transactions with settlement risk after January 1, 2000. As noted earlier, the interest rate effect of material mismatches of funding, or maturity, should be evaluated as maturity and settlement risk is adjusted. The financial institution should not resume normal transaction activities until the counterparty has demonstrated that it will be prepared for the Year 2000.

CONCLUSION

Financial institutions face significant internal and external challenges from Year 2000-related risks posed by their customers. The concepts and guidance in this interagency statement are designed to assist institutions in developing appropriate risk controls. The FFIEC recognizes that risk management procedures may vary depending on the institution’s size, its risk appetite and culture, the complexity of its customers’ information systems, and its own Year 2000 risk exposure.
While these differences will affect the risk management practices developed by management, it is essential that financial institutions identify, measure, monitor and control Year 2000-related risks posed by funds providers, funds takers, and capital market/asset management counterparties.

Appendices (4)

Appendix A

YEAR 2000 QUESTIONNAIRE FOR CUSTOMERS OF ________________________________ BANK

Customer Name: ________________________________ Date: _______
Relationship Manager: ___________________________

Please complete the questionnaire based on responses from the customer. If necessary, comment in the space provided or attach additional information to this form. Any "No" answers require appropriate follow-up with the customer on a periodic basis. Please retain a copy of this form in the credit file.

(Answer each question Yes, No, or N/A.)

1. Has the company developed a comprehensive plan for Year 2000 compliance?
2. Is someone in the company specifically responsible for managing the Year 2000 plan?
3. Has senior management and the board of directors reviewed and approved the plan?
4. Has the company completely inventoried its software, hardware, and telecommunications?
5. Has the company identified all equipment with date-sensitive operating controls such as elevators, HVAC, security systems, manufacturing equipment, etc.?
6. Has the company verified that vendor-supplied systems will be Year 2000 compliant?
7. Has the company verified Year 2000 compliance of outside data-processing companies and established a testing time frame?
8. Has the company budgeted sufficient resources (both financial and personnel) to accomplish its Year 2000 mission?
9. Has the plan been reviewed by the company’s outside auditors?
10. Does the company’s plan call for remediation and preliminary testing of critical systems to be largely completed by 12/31/98?
11. Will the company have contingency plans for mission critical systems in place by 12/31/98?
12. Does the company have any ongoing or long-term contracts that could subject it to liability if it failed to perform as a result of Year 2000 compliance failure?
13. Has the company discussed potential legal ramifications or expenses with its attorney?
14. Has the company discussed potential losses from Year 2000 problems with insurers to determine coverage of any losses?

Comments:

Appendix B

YEAR 2000 WORKSHEET

The following are issues surrounding Year 2000 that your relationship manager will be discussing with you in the near future. Please note that this worksheet should not be used and is not intended to be used by you to determine whether your company needs to enlist assistance in assessing and addressing your company’s Year 2000 preparedness and/or exposure. For answers and assistance regarding Year 2000 questions, you should contact qualified professionals of your choice.

ISSUE IDENTIFICATION (Circle response: Y / N / N/A)

• Has your company begun its assessment of the scope of being Year 2000 compliant?
• Are your following systems capable and ready to handle Year 2000 processing?
  • Information processing (hardware and software)
  • Delivery (telecommunication and transportation)
  • Manufacturing (robotics, lighting, heat, water supplies)
  • Real estate (HVAC, security, card access, elevators)
  • Support (insurance, license, automatic inventory control)
• For each “No” answer to the last question, which systems need to be modified to handle Year 2000 processing?
  • Information processing
  • Delivery
  • Manufacturing
  • Real estate
  • Support
• Has any vendor of any of the above advised that they will not make their system Year 2000 compliant? Please specify.
• If outside data processing service bureaus are used, have they been verified for Year 2000 compliance and a testing time frame established?
• Do you have any ongoing or long term contracts that could subject you to liability if you failed to perform as a result of a Year 2000 compliance failure?

SPONSORSHIP/MONITORING (Circle response: Y / N / N/A)

• Has your company assigned overall responsibility for the Year 2000 effort to a senior manager?
• Does the process include regular reporting to and monitoring by senior management?
• Does the process include regular reporting to and monitoring by the Board?

OVERALL PLAN

• Does your company have a Year 2000 problem resolution process that includes the following steps? (Circle Y / N / N/A for each.)
• Has your company discussed a Year 2000 problem resolution process that includes the following steps (awareness, assessment, renovation, etc.) with key suppliers and with key customers? (Circle Yes / No / N/A for each step, separately for key suppliers and for key customers.)
  • Awareness of the problem
  • Inventory check list*
  • Assessment of complexity
  • Remediation
  • Validation/Testing
  • Implementation

* Complete list of equipment, software, etc., that may be affected by the Year 2000 issue

• Has your company discussed the Year 2000 issue with its major suppliers, service providers or customers in terms of any system interfaces that may exist between them? (Y / N / N/A)

RESOURCE ISSUES (Circle response: Y / N / N/A)

• Has your company established a budget for the Year 2000 effort (determined how much and how the expenditures will be financed)?
• Has your company assigned adequate personnel resources to the project?
• Has your company discussed potential legal ramifications or expenses with its attorney?
• Will your company’s CPA firm help in this task?
• Has your company hired a consultant to assist with Year 2000 issues?

TIMING (Circle response: Y / N / N/A)

• Has your company established project target dates and deliverables for the Year 2000 effort?
• By what date does your company’s Year 2000 plan call for the renovation and testing of all mission critical systems to be largely completed? Date ________________
• By what date will contingency plans for mission critical systems be in place? Date ______________

Year 2000 Customer Evaluation

Rel Mgr/Mail Code: _____________ Date: _____________
Customer Name: _____________ Obligor #: _____

Instructions: Complete the evaluation based on responses to the Customer Questionnaire. Customers rated “High” or “Medium” require quarterly follow-up until their “Status” is rated ____. Forward a copy of completed forms to Loan Administration. Retain a copy of this form in the Credit File.

1. Rate the company’s sensitivity to Year 2000 risk based on the following information about the company’s operations: High / Medium / Low (circle one)

High:
  a. Could not conduct its business if it did not have computers, or
  b. Operates in computer-related industry, or
  c. Has major customers, suppliers, or vendors which meet (a) or (b) above.
Medium:
  a. Computers only used in financial, accounting, and recordkeeping functions, or
  b. Has customers or suppliers that are systems impacted.
Low:
  a. Minimal reliance on computers to conduct its business.

2. Rate the status of the company’s Year 2000 implementation on the following scale (1-6, with 1 representing most progress to 6 representing least progress): 1 2 3 4 5 6 (circle one)

1. Has Year 2000 plan with budget, implementation dates in place
   • Plan has senior management (and Board) support and regular reporting on status.
   • Plan is evidenced by material progress toward testing and implementation.
   • Year 2000 issues have been discussed with information system vendors, key customers, and suppliers.
2. Has Year 2000 plan with budget, implementation dates in place
   • Limited action taken on plan implementation to date.
3. Has preliminary Year 2000 plan and budget drafted but not finalized and approved
   • Very limited or no action taken to date.
4. Aware of Year 2000 issue and intends to draft a plan but has not begun
5. Not fully aware of Year 2000 issue
6. No intention of completing a Year 2000 plan

Appendix C

Millennium Risk Evaluation (check Yes or No for each question)

I. Awareness

A. Is the customer realistically aware of and does the customer understand the Year 2000 or Millennium problem and the potential business and financial risks to which he or she is exposed?
   Guidance A: Does the customer fully understand how their industry, business, customers and key partners can be affected? Different industries are impacted in very different ways. A casual explanation is probably a warning that the issue has not been explored in depth. A quick glance at the millennium matrix can guide you to complexity levels.
B. Has the customer identified an individual and/or a working group responsible for all functions impacted by Year 2000?
   Guidance B: If an individual has not been selected to lead the program, then a program does not exist. Identify the person. Is this a full time job? Are their skill sets consistent with the task? Name: __________________________________
C. Is the customer relying on: □ internal □ external resources?
   Guidance C: Reliance on third parties is not uncommon, but heavy use of external resources can increase the risk by not having full control at all times.

II. Vulnerability and Dependency

A. Are mainframe or minicomputer applications critical to core business operation, whether in-house or outsourced?
B. Does the core business operation depend on automated processes, whether delivered on desktop computers or mainframes, whether in-house or outsourced?
C. Do critical dependencies exist (suppliers, customers) that are vulnerable to Year 2000 disruptions?
   Guidance A, B, C:
It is hard to imagine industries where computers are not critical, functions/operation are not automated, or where critical dependencies do not exist; we are seeking high levels of criticality where alternatives are few and the business functionality is at risk. These questions could be answered through a relationship manager’s own knowledge of the business/industry.

III. Assessment

A. Has the customer performed an assessment of the Year 2000 impact on its system and business operations?
B. Has the customer developed a complete inventory of all hardware (including mainframes, minicomputers, local and wide area networks and personal computers), firmware, and software (including systems and applications) components for all EDP systems?
C. Has the customer had to provide certifications or disclose millennium status to third parties?
   Guidance A: An assessment is the foundation of serious planning and budgeting. The discussion should cover major business segments; for example, inquiring how major balance sheet categories could be negatively impacted by incorrect date calculations could form the basis of determining how deeply the customer has analyzed its condition. Lack of an assessment is a red flag.
   Guidance B: The inventory of hardware, firmware, and software falls out of the assessment and vice versa. If the inventory has not been taken, then a plan and budget cannot be completed. The entire program is suspect.
   Guidance C: Ask about the nature and frequency of inquiries being directed at the borrower, which will mirror the nature of their issues and industry challenges. Can you see a few? Do they keep a log?

Millennium Risk Evaluation (continued)

IV. Current Status (check Yes or No)

A. At what stage is the customer in his or her Year 2000 project:
   □ Has not started
   □ Up to 1/4 complete
   □ Up to 1/2 complete
   □ Up to 3/4 complete
   □ More than 3/4 complete
B. Does the customer report that he or she is on schedule?
C. Does the customer report that the project will be completed before Year 2000?
D. Will there be time for testing?
   Guidance A, B, C: Keep in mind that there is a date certain by which this work must be done; it cannot be moved. In discussing the date of completion and the status thereof, determine how much reliance has been placed on third party delivery dates, which are outside of company control.
   Guidance D: Testing is critical to ensure trouble-free operations.

V. Budget, Planning and Impact

A. Has the customer developed a credible plan and budget for the Year 2000 project that is properly funded?
   1. What is the estimated cost? $ __________
   2. Millennium cost as a % of technology budget? __________
   3. Expended to date? $ _________
   4. Over how many years spent? _________
   Guidance A: After some discussion on resources, inventory, pervasiveness of technology, etc., you should be developing an opinion on whether the plan and budget, if they exist, are indeed appropriate and credible. We do not expect you to be technology experts, but reasonably informed on your customers’ efforts to remediate their systems.
B. What is the impact to the customer if Year 2000 issues and programs are not successfully completed?
   □ Green: No downgrade, or downgrade within pass categories
   □ Yellow: Downgrade to problem loan status
   □ Red: Risk of loss
   Guidance B: We are asking you to consider the impact of failure to remediate systems. Is capacity to pay impacted in a way that will affect a risk rating?
C. In your opinion, will this customer meet significant Year 2000 timetables?
   □ Green: Highly likely
   □ Yellow: Tight schedule - not sure
   □ Red: Unlikely
   Guidance C: Consider this question in the light of the specificity of the plan, the complexity of the operations, the resources and funds dedicated to the project, and the track record of management in overcoming similar challenges. In situations where risk of loss or downgrade to problem loan status is the outcome of failure, we need to be very certain of the answer.
Appendix D

Year 2000: Credit Risk Assessment Worksheet

Y2K Credit Risk Assessment Worksheet, Page 1: Information

The purpose of this worksheet is to help credit officers assess the level of a business borrower’s risk associated with the Year 2000 (Y2K) problem and to ensure consistency of Y2K risk assessment approach. The worksheet is multidimensional, assessing (1) the borrower’s overall vulnerability to the Y2K problem, (2) the borrower’s resources to manage the problem, and (3) the adequacy of the borrower’s Y2K plan. Although designed in a “check-the-box” format, the worksheet does not replace thoughtful and informed analysis. Add to this worksheet issues that are specific to the business that you are assessing. Record and support appropriate conclusions driven by your information and analysis, whether or not derived directly from the worksheet logic.

The worksheet is divided into four parts:

• Part 1 is an overall Y2K credit risk conclusion, based on the assessments in Parts 2, 3, and 4.
• Part 2 is a vulnerability assessment, which helps to determine whether the business, because of its reliance on technology, supplier and/or customer concentrations, and other considerations, is at high, medium, or low risk to the Y2K problem.
• Part 3 is a financial, management, and technology resource assessment, which helps to determine whether the business is at high, medium, or low risk in relation to the depth and stability of resources available to address its Y2K problem.
• Part 4 is a Y2K plan assessment, which helps to determine whether the business is at high, medium, or low risk based on the adequacy of its Y2K plan.

Y2K Credit Risk Assessment Worksheet, Page 2

Borrower Name: __________ Borrower Industry: __________ SIC: __________
Binding Commitments ($000): __________ Risk Rating: __________
Worksheet Prepared by: __________ Unit Name: __________ Unit #: __________
Date Prepared: __________ Telephone: __________

Part 1: Year 2000 Credit Risk Summary and Conclusion

Complete Part 1 after completing Parts 2, 3, and 4 on the following pages.
Section C is provided for updating conclusions at intervals as required by managers or as new information is obtained from the borrower.

A: Summary of Conclusions from Parts 2, 3, and 4

Part 2. Y2K Vulnerability Risk: □ Low □ Medium □ High
Part 3. Y2K Resource Risk: □ Low □ Medium □ High
Part 4. Y2K Plan Risk: □ Low □ Medium □ High

B: Conclusion: Overall Y2K Credit Risk Assessment

Based on the above and other considerations as applicable, determine an overall Y2K credit risk conclusion for the borrower. Generally, if both resource and vulnerability risk assessments are low, the conclusion should be low overall risk regardless of the adequacy of the Y2K plan.

□ Low Y2K credit risk □ Medium Y2K credit risk □ High Y2K credit risk

Comments:

C: Update

Date: ____________________ Name (if differs from above): _________________________ BANet: _________

Based on information in the comments below, provide an updated Y2K credit risk conclusion.

□ Low Y2K credit risk □ Medium Y2K credit risk □ High Y2K credit risk

Comments:

Y2K Credit Risk Assessment Worksheet, Page 3

Part 2. Year 2000 Vulnerability Assessment

A. Overall technological and business vulnerability to the year 2000 problem (check Yes or No; comment as needed)

- Are mainframe or mini-computer applications critical to core business operation, whether in-house or outsourced?
- Does core business operation depend on one or more automated processes (e.g., inventory, assembly line, shipping, customer orders, etc.), whether delivered on desktop computers or mainframes, whether in-house or outsourced?
- Does the business depend on any one supplier for 25% or more of inventory, is there a single mission critical supplier, and/or is the supply chain generally vulnerable to Y2K disruption?
- Does the business depend on any one customer for 25% or more of revenue and/or is the customer base generally vulnerable to Y2K disruption?
- Are there other key Y2K vulnerabilities? If you check yes, explain your assessment in the comment section.

B. Vulnerability Risk Conclusion

• If all boxes in Section A above are checked No, it is likely that business vulnerability risk is low; if this is your conclusion, stop here and indicate low vulnerability risk below.
• If one or more boxes above have been checked Yes, vulnerability to the Y2K problem is medium to high. Continue Part 2 by checking yes or no to the following (substantiate all yes responses).

(Check Yes or No; substantiate each “Yes” response in the comment column.)

- Is the business by its nature generally not vulnerable to technology failure (e.g., some personal service businesses)?
- If there is a business interruption caused by a Y2K problem, could the business recover rapidly because of ready accessibility of viable alternatives, or other reasons particular to this business operation?

• If one or more of the section B boxes above are checked Yes, it is likely that Y2K vulnerability is medium; if this is your conclusion, indicate medium vulnerability risk below.
• If both boxes are checked No, it is likely that Y2K vulnerability is high; if this is your conclusion, indicate high vulnerability risk below.

Overall Year 2000 Vulnerability Conclusion

Technological and business vulnerability risk is: □ Low □ Medium □ High

Comments:

Y2K Credit Risk Assessment Worksheet, Page 4

Part 3. Year 2000 Resource Risk: Financial, Management, and Technological Assessment

Consider the adequacy of financial, management, and technology resources in relation to the extent of the technological vulnerability risk identified in Part 1.

□ Low Resource Risk: Financial, management, and technology resources (whether in-house or outsourced) available to address Y2K are superior to exceptional and business is not facing other unavoidable internal or external challenges likely to divert necessary resources.
□ Medium Resource Risk: Financial resources available to address Y2K are ample, management quality is good, technological expertise is readily available (in-house or outsourced) and business is not facing other unavoidable internal or external challenges likely to divert necessary resources.

□ High Resource Risk: Financial resources available to address Y2K are marginal to inadequate, management depth is thin, technological expertise is marginal to inadequate or not readily available, and/or business is facing other unavoidable claims on cash flow or business stability that threaten the adequacy of resources available for Y2K.

Comments:

Part 4. Year 2000 Plan Assessment (based on discussions with management)

(Check Yes, No, or N/A; comment as needed.)

- Does the business have a comprehensive Y2K plan that effectively prioritizes mission-critical systems?
- Does the Y2K plan have the endorsement and involvement of executive management?
- Has management clearly established that implementation of the Y2K plan has first priority?
- Does the Y2K plan include vendor compliance?
- Does the Y2K plan include contingencies for the impact of Y2K business interruptions affecting key vendors, suppliers, or customers?

Y2K Credit Risk Assessment Worksheet, Page 5

Part 4. Year 2000 Plan Assessment (continued)

(Check Yes, No, or N/A; comment as needed.)

- Does the Y2K plan include computer controlled systems such as telecommunications, security systems, elevators, and climate control?
- Has a Y2K budget been established? (Enter budget totals in Comments.) ($000) 1997 $ ______ 1998 $ ______ 1999 $ ______ 2000 and beyond $ ______
- Has the business incorporated the effect of Y2K into its financial planning?
- Has the business taken any steps to ensure key staff do not leave prior to project completion?
- Is the business generally meeting its plan deliverables at the dates specified in the plan? Target completion date: ______
- Is the business developing contingency plans to mitigate risk if the Y2K project is not completed on time?
Other key considerations:

Overall Plan Assessment

□ Low Risk: Good Overall Plan (All questions above are answered yes or not applicable.)
□ Medium Risk: Adequate Plan (Most questions above are answered yes or not applicable; those that are answered no are not critical to success.)
□ High Risk: Inadequate Plan (Most questions above are answered no, or one or more answered no are critical to success.)

Federal Financial Institutions Examination Council
2100 Pennsylvania Avenue, NW, Suite 200 - Washington, DC 20037 - (202)634-6526 - FAX (202)634-6556

April 10, 1998

Guidance Concerning Testing for Year 2000 Readiness

TO: The Board of Directors and Chief Executive Officers of all federally supervised financial institutions, examining personnel and senior management of each FFIEC agency, and all service providers and software vendors who provide services or software to federally supervised financial institutions.

BACKGROUND

The Federal Financial Institutions Examination Council (FFIEC) has issued several statements on the Year 2000 problem. These interagency statements address key phases in the Year 2000 process, specific responsibilities of the board of directors and senior management with regard to the business risks, the due diligence process in connection with service providers and software vendors, and risks associated with financial institution customers.

The FFIEC considers testing to be the most critical phase of the Year 2000 readiness process. Failure to conduct thorough testing may mask serious remediation problems. Failure to properly identify or correct those problems could threaten the safety and soundness of the institution.

PURPOSE

The purpose of this guidance is to describe FFIEC expectations regarding the Year 2000 testing efforts of financial institutions. This guidance identifies key milestones and testing methods for financial institutions to use to prepare their systems and applications for the Year 2000.
Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision

SUMMARY

• Each financial institution is unique and management should determine the best testing strategies and plans for its organization taking into account the size of the institution, the complexity of its operation, and the level of its own business risk exposure to the Year 2000. Ultimately, each financial institution is responsible for ensuring its readiness for the Year 2000.
• The FFIEC expects financial institutions to meet key milestones in their Year 2000 testing process.
• Financial institutions should develop and implement a written testing strategy and plan to test both internal and external systems (including hardware, software, and environmental systems). Financial institutions should test mission-critical systems first.¹ The plans should include, at a minimum, the following elements: testing environment, testing methodology, testing schedules, human and financial resources, critical test dates, documentation, and contingency planning.
• Management should ensure that qualified sources verify the testing process.

KEY MILESTONES FOR TESTING PHASE

The FFIEC expects financial institutions to meet the following key milestones in their Year 2000 testing process. On or before:

June 30, 1998: Institutions should complete the development of their written testing strategies and plans.
September 1, 1998: Institutions processing in-house and service providers should have commenced testing of internal mission-critical systems, including those programmed in-house and those purchased from software vendors.
December 31, 1998: Testing of internal mission-critical systems should be substantially complete. Service providers should be ready to test with customers.
March 31, 1999: Testing by institutions relying on service providers for mission-critical systems should be substantially complete. External testing with material other third parties (customers, other financial institutions, business partners, payment system providers, etc.) should have begun.
June 30, 1999: Testing of mission-critical systems should be complete and implementation should be substantially complete.

TESTING FOR YEAR 2000 READINESS

The FFIEC estimates that testing will consume 50 to 60 percent of the time, funding, and personnel needed to make financial institutions Year 2000 ready. Testing is critical to ensure that remediation efforts work effectively. Financial institutions must test because of the widespread changes being required to become Year 2000 ready. The software and hardware changes may not affect only one isolated application or system, but they may affect many or all internal systems and interfaces with internal and external entities.

¹ An application or system is mission-critical if it is vital to the successful continuance of a core business activity. An application also may be mission-critical if it interfaces with a designated mission-critical system. Products of software vendors also may be mission-critical.

The FFIEC expects financial institutions to manage effectively the Year 2000 testing process, regardless of how individual systems are developed and operated. In practice, the controls necessary to manage the testing process effectively will differ depending on the design of the financial institution’s system, interfaces with third parties, and the type of testing used. Management is responsible for ensuring that testing is conducted by the party in the best position to perform the testing and assess the results.
Given the size and complexity of an institution and its testing needs, the FFIEC recognizes that the testing process may present a myriad of problems to financial institutions that program systems “in-house” as well as financial institutions that rely on service providers and software vendors. Some of these problems may involve only the coordination of available resources and timing, while others may entail more fundamental issues regarding a financial institution’s ability to remediate all systems successfully by the Year 2000.

Financial institutions should test mission-critical systems first, as the failure of mission-critical services and products will have a significant adverse impact on the institution’s operations and financial condition. Each system and application should be evaluated and tested based on its importance to the institution’s continuing operations and the costs and time required to implement alternative solutions.

The FFIEC expects financial institutions to obtain sufficient information to determine if their mission-critical service providers and software vendors are able to test successfully products and services to ensure that service providers and software vendors are Year 2000 ready. The failure of these service providers and software vendors to test adequately their products and services could pose a risk to the safety and soundness of financial institutions. Financial institutions may find it beneficial to join forces with other financial institutions in similar circumstances and coordinate group efforts to evaluate the performance and testing methodologies of service providers and software vendors. Such user groups also can be beneficial to financial institutions as a forum to exchange ideas and information on testing within the institution’s own environment.
The extent to which financial institutions rely on third parties to design, implement and manage their systems will affect the extent of an institution’s involvement in testing. Financial institutions that outsource all of these functions will have less extensive involvement in testing than financial institutions that perform some or all of their own programming or processing in-house.

Testing Methodologies

The FFIEC recognizes that there is no single approach to testing for the Year 2000. Testing options range from testing within a financial institution’s own environment to proxy testing. Where, how, and when testing is conducted will depend on a variety of factors, including whether the testing is being conducted on software or services received from third parties, as well as the type of system or application to be tested.

Listed below are representative types of tests that financial institutions could use in validating their systems. The terminology to describe these tests may vary among financial institutions. Each financial institution should determine the types of tests it will perform based on the complexity of its systems, the level of its Year 2000 risk exposure and its reliance on third parties for computer-based products and services. Moreover, in addition to testing a particular product or service, financial institutions should conduct testing between systems and products that interface with internal and external entities. The following are examples of various types of tests.

• Baseline tests are performed before any changes are made to a computer program or application. The baseline test helps a financial institution compare performance of the system after changes are made to it.

• Unit tests are performed on one application to confirm whether remediation efforts yield accurate results for that application. They do not test how well the application will perform with other applications.

• Integrated tests are performed on multiple applications or systems simultaneously. Integrated tests confirm whether computer programs function properly as they interact with other programs.

• Regression tests verify a remediated system against the original system to ensure that errors were not introduced during the remediation process. Regression testing should be applied to both the remediated portion and the unchanged portion of the system.

• Future date tests simulate processing of renovated programs and applications for future critical dates to ensure that those dates will not cause program or system problems.

• User acceptance tests are performed with users and validate whether the remediations have been done correctly and applications still function as expected.

• Point-to-point tests verify the ability of a financial institution to transmit data directly to another entity or system.

• End-to-end tests verify the ability of a financial institution originating a transaction to transmit test data to a receiving entity or system through an intermediary.

WRITTEN TESTING STRATEGY AND PLAN

Financial institutions should develop a testing strategy and set testing priorities based on the risks that the failure of a system may have on operations. The objective of a financial institution’s Year 2000 testing strategy is to minimize business risk due to operational failures. Financial institutions should develop a written testing plan to implement the testing strategy. The plan should provide for testing of both internal and external systems. Internal systems may include software, operating systems, mainframe computers, personal computers, reader/sorters, and proof machines. Internal systems also may include environmental systems including heating and cooling systems, vaults, security systems, and elevators. External systems may include services from service providers and any interfaces with external entities.
Management and staff are expected to have the knowledge and skills necessary to understand and effectively manage their Year 2000 testing efforts. Management should identify special staffing and training needs for personnel involved in testing. They also should determine how they will allocate resources and, if necessary, hire and train employees to run and analyze tests. Examiners will evaluate testing efforts by reviewing a financial institution’s testing strategies and testing plans to ensure that it can meet key milestones addressed in this guidance.

Elements of a Testing Plan

Financial institutions should develop and implement a testing plan that includes the following elements. These elements apply to financial institutions that test systems programmed in-house, as well as financial institutions that test with service providers and software vendors.

• Testing Environment. Considerations for an appropriate test environment should include whether to partition current operating computers, by setting aside one or more sections to be used only for testing, or by using a separate computer system to test. Testing should not be done in a production environment. If the institution uses either a separate computer facility or the computer at its contingency site, it should consider how all interfaces, both internal and external, will be duplicated and adequately tested. Management should evaluate whether the test environment has sufficient computing capacity needed to complete the testing plan.

• Testing Methodology. The plan should address the types of tests for each application and system. See “Testing Methodologies” above for a description of various tests.

• Test Schedules. The plan should identify when software and hardware will be tested, including interfaces between systems. Test schedules also should be coordinated with the test schedules of third parties.

• Human and Financial Resources. The plan should include budget issues as well as a description of the participants to be involved in testing (e.g., the information technology staff, end-users, and external parties).

• Critical Test Dates. Financial institutions should determine critical dates to be tested for each of their mission-critical systems. If an institution’s systems or applications fail to operate properly when tested for these critical dates, management must determine whether remediation and subsequent testing can be completed successfully or whether contingency plans must be implemented. Critical dates may vary for a variety of reasons. Because additional dates may be critical for a given financial institution, each institution should test all of the dates it deems critical. Financial institutions should test for any of the following dates that are applicable, including the “rollover” or progression before and after these dates, to ensure that applications and systems will operate properly:

Date: Reason

April 9, 1999: 9999 on the Julian Calendar.[2] The 99th day of the year 1999. 9999 denotes the “end of input” in many computer programs.

September 9, 1999: 9999 on the Gregorian Calendar. 9999 denotes the “end of input” in many computer programs.

December 31, 1999: Last day in 1999 year.

January 1, 2000: Beginning of the Year 2000.

January 3, 2000: First business day in the Year 2000.

January 10, 2000: First date to require a 7 digit date field (1/10/2000).

January 31, 2000: End of the first month of the year 2000.

February 29, 2000: Leap year day.

March 31, 2000: End of first quarter of 2000.

October 10, 2000: First date to require an 8 digit date field (10/10/2000).

December 31, 2000: End of Year 2000.

January 1, 2001: Beginning of the Year 2001.

December 31, 2001: Check that year has 365 days.

• Documentation. The institution should maintain written documentation supporting every stage of the testing process.
This documentation provides an audit trail and should facilitate corrections of problems when they occur. The documentation should include the following:

► Types of tests performed (e.g., baseline, unit, regression, etc.);

► Explanation of why an institution chose the tests that it performed and how extensive those tests were;

► Results of tests;

► Criteria used to determine whether an application or system is deemed Year 2000 ready;

► Plans for remediating and retesting any computers, systems or applications that failed Year 2000 tests; and

► Individuals responsible for authorizing the testing plan and accepting testing results.

[2] Although the Gregorian calendar is used throughout most of the world, many computer programs are based on the Julian Calendar.

The testing plan should be consistent with the financial institution’s Year 2000 contingency plans. The FFIEC intends to issue guidance in the near future on contingency planning for Year 2000.

Testing Internally Developed Systems

Financial institutions with internally developed systems should establish a formal process for testing these systems. The financial institution should test mission-critical systems first. When internal expertise is unavailable, management should retain appropriate external technical expertise to test and to evaluate test results. Financial institutions should follow their established change control processes (under the systems development life cycle[3]) during the remediation and testing process. Financial institutions should conduct testing between the financial institution’s internal systems and any interface with external entities.
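The future date tests described under “Testing Methodologies” and the critical test dates table above can be exercised with a small harness. The following Python is an added example, not part of the FFIEC guidance or of any institution’s code: it models a legacy-style date routine (two-digit year expanded to 19xx, a leap rule missing the every-400-years exception, unpadded digit fields with 9999 treated as end-of-input) next to the standard library as the oracle, scans every day from 1999 through 2001, and reports on which dates the legacy routine fails. The legacy routine and every function name here are constructed for illustration.

```python
"""Future-date test harness for the Year 2000 critical dates.

Added example; not part of the FFIEC guidance or any institution's code.
A legacy-style date routine (two-digit years expanded to 19xx, a leap rule
missing the every-400-years exception, unpadded digit fields with '9999'
used as end-of-input) is scanned across 1999-2001 with the standard library
as the oracle. The legacy routine and every function name are constructed.
"""
from datetime import date, timedelta
from typing import Dict, List, Optional


def legacy_full_year(d: date) -> int:
    """Legacy expansion of a two-digit year: the century is always 19xx."""
    return 1900 + d.year % 100


def legacy_is_leap(year: int) -> bool:
    """Legacy leap rule that omits the every-400-years exception."""
    return year % 4 == 0 and year % 100 != 0


def legacy_days_in_year(year: int) -> int:
    """Days the legacy routine believes `year` has (after 19xx expansion)."""
    return 366 if legacy_is_leap(legacy_full_year(date(year, 1, 1))) else 365


def actual_days_in_year(year: int) -> int:
    """Oracle: real length of the Gregorian year."""
    return (date(year + 1, 1, 1) - date(year, 1, 1)).days


def legacy_sentinel_collision(d: date) -> bool:
    """Legacy records carry dates as unpadded M D YY or YY DDD digit strings
    and treat the field value '9999' as end-of-input. True when a real date
    would be mistaken for that sentinel."""
    yy = d.year % 100
    gregorian = f"{d.month}{d.day}{yy:02d}"
    julian = f"{yy:02d}{d.timetuple().tm_yday}"
    return "9999" in (gregorian, julian)


def legacy_next_day_ok(d: date) -> bool:
    """Rollover check: does legacy date arithmetic get from d to d + 1 day?"""
    def expand(x: date) -> Optional[date]:
        try:
            return date(legacy_full_year(x), x.month, x.day)
        except ValueError:  # e.g. 29 Feb 1900 does not exist
            return None
    a, b = expand(d), expand(d + timedelta(days=1))
    return a is not None and b is not None and (b - a).days == 1


def digits_in_mdyyyy(d: date) -> int:
    """Digits needed to print the date as unpadded M/D/YYYY."""
    return len(f"{d.month}{d.day}{d.year}")


def first_date_requiring(year: int, width: int) -> Optional[date]:
    """First day of `year` whose unpadded M/D/YYYY form needs `width` digits."""
    d = date(year, 1, 1)
    while d.year == year:
        if digits_in_mdyyyy(d) >= width:
            return d
        d += timedelta(days=1)
    return None


def run_future_date_tests(first_year: int, last_year: int) -> Dict[str, List]:
    """Scan every day of the given years and report where the legacy routine
    fails: check name -> failing dates (ISO strings) or failing years."""
    failures: Dict[str, List] = {"sentinel": [], "rollover": []}
    d, end = date(first_year, 1, 1), date(last_year, 12, 31)
    while d <= end:
        if legacy_sentinel_collision(d):
            failures["sentinel"].append(d.isoformat())
        if not legacy_next_day_ok(d):
            failures["rollover"].append(d.isoformat())
        d += timedelta(days=1)
    failures["days_in_year"] = [
        y for y in range(first_year, last_year + 1)
        if legacy_days_in_year(y) != actual_days_in_year(y)
    ]
    return failures


if __name__ == "__main__":
    report = run_future_date_tests(1999, 2001)
    for check, hits in report.items():
        print(f"{check}: {hits or 'no failures'}")
    for width in (7, 8):
        print(f"{width}-digit date field first required:",
              first_date_requiring(2000, width))
```

Run as a script, the scan flags exactly the dates the table singles out: the two 9999 collisions in 1999, the rollover from December 31, 1999, the missing leap day in February 2000, the year-length mismatch for 2000, and January 10 and October 10, 2000 as the first dates needing 7- and 8-digit fields. The same scan run against a remediated routine (four-digit years, correct leap rule, padded fields) should return empty lists, which is the regression-style comparison the guidance asks for.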
Testing with Service Providers, Software Vendors, and Other Third Parties

Financial institutions should coordinate and implement (where appropriate) test plans to address the testing with service providers, software vendors and other third parties as discussed in the section on “Testing for Year 2000 Readiness.” The following are options for testing with service providers, software vendors, and other third parties.

• Service Providers. Although it is preferable for financial institutions to test the full range of applications provided by service providers, the results of proxy tests may be acceptable. In proxy testing, the service provider tests with a representative sample of financial institutions who use a particular service on the same platform. Test results then are shared with all similarly situated clients of the service provider. The service provider should make test results available for audit by customers or their representatives. The financial institution is responsible for assessing testing results provided by service providers to determine whether the institution can rely on the proxy test results. The financial institution also should test all systems and interfaces under its direct control.

• Software Vendors. Financial institutions should strive to test software provided by software vendors, including turnkey systems, in the financial institution’s own environment, to the extent possible. Testing in a financial institution’s own environment is preferable because it is the best indicator that their systems are Year 2000 ready. Such testing can be done in a variety of ways, including obtaining a testing package from the software vendor and testing within the financial institution’s own test environment. Any interfaces with significant vendor-supplied software also should be tested within the financial institution’s own testing environment to confirm that when used together they will function properly. If the financial institution is unable to test wholly within its own environment, it may test at a contingency or disaster recovery “hot site.” The contingency site is a separate facility configured with identical or similar hardware used by the institution to process transactions and produce records if the institution’s own environment becomes inoperable. Another option is for a financial institution or a user group to rent or purchase equipment to use for testing. Typically, in these cases, the financial institution must provide the application software and operating system. This testing environment should recreate and test all interfaces and/or exchanges of data between both internal and external systems.

• Other Third Parties. Financial institutions should test their mission-critical applications with material third parties to whom they transmit or from whom they receive data. For additional information see “Guidance Concerning The Year 2000 Impact on Customers.” Other third parties may include business partners (e.g., credit bureaus), other financial institutions, payment system providers, clearinghouses, customers, and, to the extent possible, utilities. Testing external interfaces with other financial institutions will verify that each institution’s network protocol, business applications, and operating system platforms are performing as expected. Financial institutions should develop various scenarios to verify or test that these interfaces will function as expected. They should consider using point-to-point testing and end-to-end testing for transactions such as electronic payments (e.g., ACH, ATM transmittals). Financial institutions should contact their telecommunications and utility companies to discuss the feasibility of testing with them.

[3] A systems development life cycle is the stages through which software evolves from an idea to implementation.
VERIFICATION OF TESTING PROCESS

Financial institution management may use internal auditors, external auditors, or other qualified sources to evaluate tests. A verification of the testing process should involve, at a minimum, the project manager, the owner of the system tested, and an objective independent party such as an auditor, consultant, or expert from an independent area. This objective review should critique the Year 2000 tests to ensure that the tests are effective, that key dates are checked, and that changes made resulted in reliable information processing. If the financial institution lacks internal expertise, management should use other qualified professionals, such as management consultants or CPA firms, to provide an independent review. If auditors or consultants are used, they should consult with management during the planning process to ensure that Year 2000 tests can be thoroughly reviewed in a cost-effective manner. If most or all of a financial institution’s services are provided by vendors or service providers, management should ensure that the vendors have performed reviews similar to the type described here, and management should receive results of those reviews.

MAINTAINING YEAR 2000 READINESS

In addition to ensuring that existing systems will function properly for critical dates described above, management also should ensure that all new applications, operating systems, software, and hardware are Year 2000 ready before installation. Institutions should test all systems, products and services regardless of when they were upgraded or purchased.

CONCLUSION

The FFIEC expects financial institutions to manage effectively the Year 2000 testing process, regardless of how individual computer systems are developed and operated. The board of directors and management are responsible for ensuring that testing is conducted by the party in the best position to perform the testing. A testing strategy and a written testing plan should be developed for all mission-critical systems and management should review the results of the testing. Management should adhere to the key testing milestone dates outlined in this guidance to help ensure that their financial institutions will be Year 2000 ready.

SOURCES FOR ADDITIONAL INFORMATION

Financial institutions may find additional information on the Year 2000 by researching websites maintained by their software vendors and service providers and others that supply products and services for mission-critical applications. Also, the General Accounting Office’s “GAO Year 2000 Guidelines” includes checklists that institutions may find useful. The guidance can be obtained from the GAO or from their website (www.gao.gov). For additional information on the Year 2000 problem, financial institutions also should consult the following helpful websites:

• Federal Financial Institutions Examination Council (www.ffiec.gov)
• Federal Deposit Insurance Corporation (www.fdic.gov)
• Federal Reserve Board (www.frb.gov)
• Office of the Comptroller of the Currency (www.occ.treas.gov)
• Office of Thrift Supervision (www.ots.treas.gov)
• National Credit Union Administration (www.ncua.gov)