FEDERAL RESERVE BANK
OF NEW YORK

January 9, 1989

SUPERVISORY POLICY ON LARGE-SCALE INTEGRATED
FINANCIAL SOFTWARE SYSTEMS

To All State Member Banks and Bank Holding Companies
in the Second Federal Reserve District:

The Federal Financial Institutions Examination Council has issued a joint policy statement identifying the risks, as well as bank management's responsibilities, concerning the acquisition and/or development of Large-Scale Integrated Financial Software Systems (LSIS), including potential problems associated with those systems.

Printed on the following pages is the text of the Examination Council's statement. Questions regarding this matter may be directed to the Specialized Examinations Department of this Bank (Tel. No. 212-720-7946).

James K. Hodgetts,
Chief Compliance Examiner.

Federal Financial Institutions Examination Council

1776 G Street, NW, Suite 701 • Washington, DC 20006

Supervisory Policy on Large-Scale Integrated Financial Software
Systems (LSIS)

TO:
Chief Executive Officers of all Federally Supervised Financial
Institutions, Senior Management of each FFIEC Agency, and all
Examining Personnel

Financial institutions have experienced significant problems in attempts to introduce LSIS systems.

o  After 2 1/2 years in development, one financial institution abandoned $20 million large scale integrated system!

o  After 5 years in development, a major software vendor abandoned $100 million integrated system - once described as the perfect software system for regional banks!

PURPOSE:
Financial institution executives and directors should be aware of and concerned about the potential problems with LSIS. The purpose of this paper is to alert financial institutions to the risks associated with these systems and to identify management's responsibilities when entering into an LSIS project.

BACKGROUND:
"An integrated software system is one in which programs for different applications—loans, deposits, retail, and wholesale—that normally are designed and operated as stand-alone programs are built from the start as related parts of a whole. They share a common language, operating system, and other technical details so that they can be made to 'talk' to each other with relative ease. More importantly, they function as one unit so that the sum of the parts is greater than the whole." 1/

1/ Christopher K. Heaney, "Who are these guys anyway?" ABA Banking
Journal, May 1986, pp. 84-85
Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Federal Home Loan Banl
National Credit Union Administration, Office of the Comptroller of the Currency




Financial institutions are adopting LSIS in order to meet competitive pressures, increase timeliness of information, foster operational efficiency, and ease introduction of new products. A commitment to LSIS sets the course of an institution's technology, management information system, and delivery systems for several years. Successful implementation of LSIS requires careful planning by both senior management and the board of directors.

Ineffective planning caused several financial institutions and software companies to spend millions of dollars and years of conversion and implementation time on LSIS, only to implement a portion of the system or in some cases abandon the project altogether. In many instances, the software vendors depended upon substantial ongoing investment by the financial institutions to fund the vendor's research and development process. When these projects experienced lengthy delays, the financial institutions not only suffered large monetary losses but also delays in product development and a loss in their competitive positions.

CONCERNS:
Financial institutions have underestimated the cost, time and personnel resources required for the successful installation of LSIS. Therefore, time and cost targets should be established at the beginning of the project and closely reviewed by senior management on an ongoing basis.

In certain cases LSIS projects were abandoned because of the financial instability of software vendors. To prevent these situations from recurring, the financial condition and viability of each prospective vendor must be considered when evaluating systems.

Data backup and recovery measures for integrated systems are often more costly than those required for single application systems. In certain situations, the data base may require simultaneous backup. The additional costs for backup and recovery must be evaluated when determining the feasibility of LSIS.

If the system provides for instantaneous update of information—in other words, the user has direct access to the data—existing security systems may not be adequate. Thus, data security features must be evaluated to ensure that sufficient controls exist for LSIS.

Seemingly simple program changes can have unpredictable results in a mixed-application system. Thus, system development life cycle methodologies, which identify the sequence of activities required in the systems development process and throughout the useful life of the software, may need to be modified.





There is an increased possibility of unwarranted data manipulation and at the same time, there is less of an audit trail in an LSIS environment. Therefore, EDP audit coverage should be reviewed at the onset to determine whether specialized audit techniques are needed.

Board of Directors and Senior Management Responsibilities

The decision to acquire or develop in-house large-scale integrated software should be preceded by a strong and independent management planning process. This should include a thorough examination of existing software performance. Also, a detailed analysis of the system's capability to meet the institution's strategic business plans is essential.

The complexity of the software and its impact on the entire organization require a commitment from top management for the project to be successful. Responsibility for the conversion should be clearly identified and established at the senior management level.

Senior management should regularly review the project's status. This improves control over the complex process of implementation and ensures completion within established time and cost targets. It is particularly important that the board continue its oversight responsibilities after implementation.

The attached pages discuss the impact and responsibilities associated with large-scale integrated systems.





APPENDIX
LARGE-SCALE INTEGRATED FINANCIAL SOFTWARE SYSTEMS


Large-Scale Integrated Systems (LSIS) are sophisticated software products which provide interconnections and facilitate the exchange of information between applications and functions. The integration architecture may be horizontal, tying together applications, such as deposits, loans, and general ledger. Alternatively, the architecture may be vertical, tying together functions, as in teller transactions being linked immediately to all operating departments. These systems are designed so that each application no longer exists individually but operates as part of a unified system. They often employ data base management technology, which increases the complexity of the system. LSIS processing may employ combinations of batch, on-line, or memo-posting methods. A variety of LSIS are being marketed and others are in various stages of development.

Small-to-medium size financial software systems whose applications simply interfaced through a Central or Customer Information File (CIF) have been operating for many years. Many of these systems have been successfully installed and have operated properly for a considerable period. These systems are not included in the scope of this issue paper, although they are sometimes described as "integrated systems."

Advantages of Large-Scale Integrated Systems

o  provide tools to increase product line and customer relationships, ultimately increasing fee income on deposit and loan services

o  enable financial institutions to meet competition generated from forces outside the banking industry

o  lower the unit processing costs through standardization of operating techniques

o  eliminate redundancy in data files

o  provide information at more points throughout the institution, enabling faster and more accurate management decisions.





Disadvantages of LSIS

o  The complexity and size of large-scale integrated systems can lead to underestimation of the time and resources needed for successful installation of these systems.

o  The magnitude of the installation effort requires more comprehensive management techniques and project control.

o  The financial instability of the software vendor may require the institution to furnish unplanned additional financial support to maintain contemplated service levels.

o  The failure to properly install the software can lead to significant losses to the institution, in terms of time and resources expended, and a decline in competitive position.

Internal Control Related Concerns




o  Data Security: Data security should be addressed prior to the installation of such a system. Existing data security systems may not be adequate for a complex integrated system, particularly one using on-line real-time processing. Each individual function should be controlled, e.g. access controls, file maintenance, inquiry, and new accounts.

o  EDP Auditing: A greater chance of unwarranted data manipulation and a diminished audit trail exists. Therefore, institutions should recognize the need for expanded EDP audits of this technology, especially in an on-line real-time environment.

   Absence of Acceptable Audit Trails - When a system allows the automatic generation of a transaction prompted by a prior transaction, controls must be designed within the system to ensure satisfactory audit trails. This is especially critical considering that a single transaction may generate several other transactions. Accountability for all transactions must be maintained through audit trails. Otherwise, system integrity deficiencies will jeopardize the software system's ability to provide a consistent product, as well as compromise internal controls.

   Absence of Comprehensive Audit Software - Existing generalized audit software may not be readily adaptable for use with large-scale integrated systems, and may not be sufficiently sophisticated to follow an audit trail of all transactions generated by the system. Provision for audit software should be made at the time of system acquisition.

o  Disaster Recovery Planning: Integrated systems have unique features which will require a thorough consideration of contingency requirements in the initial feasibility study. The complexity of the integration, horizontally, vertically, or both, may determine that current industry standards for the backup of hardware, software, data and communications are no longer applicable. A determination should be made how the institution, as a whole, will recover and how recovery will be addressed along functional lines. Subsequently, required testing may pose cost, logistical or other problems which will have to be resolved to ensure a viable disaster recovery plan.

o  Changes in System Development Life Cycle ("SDLC") Methodology: There are several significant control issues regarding the use of traditional SDLC methods with large-scale integrated systems. Current system development techniques may not permit the timely development and implementation of a complex system. SDLC techniques may need to be revamped to provide for increased flexibility. However, control and management methods may vary according to the complexity of the system under development.




   Minimum SDLC standards should ensure that project development is sufficiently controlled to provide for the integrity of the system. Testing of various stages within large-scale integrated systems may require innovative techniques.





   Management should carefully consider the cost of the extensive user involvement in the system development stage. User involvement is necessary to ensure the successful implementation of a large-scale integrated system.

   Management must provide more comprehensive employee training since the adoption of a LSIS will affect all departments.

   SDLC standards need to be flexible, while still providing for the maintenance of system integrity during development to ensure that a system of internal control is maintained.
