The full text on this page is automatically extracted from the file linked above and may contain errors and inconsistencies.
Testimony of Donna Tanoue Chairman Federal Deposit Insurance Corporation Status of Year 2000 Progress in the Banking and Financial Services Sector before the Committee on Banking and Financial Services U.S. House of Representatives 10:00 A.M., April 13, 1999 Room 2128 Rayburn House Office Building Good morning, Mr. Chairman and Members of the Committee. I appreciate this opportunity to testify on behalf of the Federal Deposit Insurance Corporation (FDIC) regarding the status of Year 2000 progress in the banking industry. The uncompromising deadline of January 1, 2000, presents extraordinary challenges for financial institutions and their regulators. As you know, we have made preparation for the Year 2000 date change—or Y2K, as it is commonly known—the number one safety-and-soundness priority at the FDIC. Today, we would like to provide an overview of the state of bank readiness regarding Y2K. The industry continues to make headway and although some financial institutions have experienced delays in meeting Federal Financial Institutions Examination Council (FFIEC) milestone dates, overall the progress is satisfactory. We believe the efforts and resources of the industry, coupled with the aggressive supervisory program carried out by the federal and state regulators, have contributed to the level of success. It is unrealistic, however, to expect that there will not be any problems as a result of the century date change. There are too many unknowns for anyone to reach such a conclusion. For example, factors outside the banking industry, both domestic and international, could pose problems to individual financial institutions. However, media reports predicting a worst-case scenario are not borne out by the results of our on-site examinations, which indicate that the overwhelming majority of institutions remain ontrack for being prepared for the century date change. In this testimony, we will outline the results of our second round of on-site Year 2000 assessments, and discuss our supervisory concerns and the actions we will take. Next, we will address the need to provide the public with adequate information about the Year 2000 date change and the steps the banking industry should take to inform the public of their Y2K preparations and the steps the FDIC is taking to inform the public. Every depositor should know that an FDIC-insured deposit is safe. In addition, we will explain our contingency plans if financial institutions fail because of problems caused by the century date change and we will discuss the FDIC's efforts to prepare our internal systems. Finally, we will address several other issues raised in the Committee's letter of invitation. RESULTS OF PHASE II ON-SITE ASSESSMENTS Since our last appearance before this Committee, the FDIC, along with the other federal and state banking and thrift regulators, has completed the second phase of our Y2K assessment program. In this phase of the program, FDIC examiners focused on the results of systems testing of financial institutions, service providers, and software vendors. The overwhelming majority of banks remain on-track to be Y2K ready. In addition, we are taking aggressive action to ensure that those financial institutions, service providers, and software vendors that did not receive a Satisfactory rating in this phase take the actions necessary to prevent disruptions because of the century date change. Year 2000 Assessment Program The FDIC is the primary federal supervisor of 5,867 institutions (FDIC-supervised institutions). Our overall Year 2000 supervisory plan is to conduct a risk-focused analysis of Year 2000 assessment data for each supervised institution in order to gauge the effectiveness of its readiness efforts and formulate ongoing supervisory strategy. To this end, the FDIC, along with the other members of the FFIEC, developed and enhanced examination procedures to address each of the phases of the Year 2000 project and provided training to ensure examination staff competency. The FFIEC also developed several guidance papers to aid the industry in achieving Year 2000 readiness. These papers incorporated milestones by which an institution should complete certain tasks such as testing, contingency planning, and customer readiness assessments. The milestones, however, are not the sole factor for the assignment of a rating. Other factors to be considered include the overall effectiveness of the institution's readiness project, the resources available to accomplish its goals, and the competency of management. The federal and thrift banking agencies use a three-tier rating system (Satisfactory, Needs Improvement, or Unsatisfactory) to measure the readiness of financial institutions, service providers and software vendors. The Satisfactory rating is assigned to those institutions exhibiting acceptable performance and where project weaknesses, if any, are minor and can be readily corrected within the existing project management framework. A Satisfactory institution's remediation progress to date meets or nearly meets expectations laid out in its Year 2000 project plan. In addition, senior management and the board of directors of the institution recognize and understand Year 2000 risk, are active in overseeing institutional corrective efforts, and have ensured that the necessary resources are available to address this risk area. A Needs Improvement rating is assigned to an institution that is not expected to meet all FFIEC testing time frames on or shortly after the target dates; its written testing program does not adequately address all testing issues; its assessment of material customers' Year 2000 preparedness is incomplete; or its customer awareness strategy is incomplete or unresponsive to customer concerns. In addition, the institution's remediation progress to date may be behind schedule and senior management or the board of directors may not be fully aware of the status of Year 2000 corrective efforts, may not have committed sufficient financial or human resources to address this risk, or may not fully understand Year 2000 date change implications. Those institutions rated Unsatisfactory exhibit poor performance and project weaknesses that are serious in nature and not easily corrected within the existing project management framework. The institution's progress to date is seriously behind the schedule laid out in its Year 2000 project plan. In addition, senior management and the board of directors do not understand or recognize the effect that the Year 2000 will have on the institution. To ensure that our ratings, and the examination data on which our ratings are based, are accurate and consistent with FFIEC standards, FDIC staff has received extensive training in the application of the FFIEC guidance to the examination process. In addition, staff has been given a number of examination tools, work programs and clarifying memoranda to assist in the consistent application of policy. Also, all Year 2000 assessment findings are reviewed at an FDIC regional office by Case Managers who are highly trained in examination and review procedures. The assessments are then subject to final review by a senior regional official. Year 2000 Phase II Assessment Results As of March 31, 1999, the FDIC, with the assistance of state banking supervisors, completed the second round of on-site assessments at the financial institutions we supervise. In addition, on-site assessments of the 142 data service providers and software vendors for which we are responsible were completed. Ratings were assigned on the basis of a qualitative analysis of an institution's risk profile, taking into consideration the institution's size and sophistication, as well as the nature and complexity of its activities. Financial Institution Results Our results show that approximately 97 percent of FDIC-supervised institutions were rated Satisfactory. Less than 3 percent were rated Needs Improvement, and less than one-half of one percent were rated Unsatisfactory. Year 2000 Ratings for FDIC-Supervised Institutions as of March 31, 1999 Assessment Satisfactory Needs Improvement Number of Institutions Percentage 5,709 97.3 144 2.5 Unsatisfactory Total 14 0.2 5,867 100.0% As the insurer of deposits at all banks and savings associations, the FDIC also reviews information from the other federal banking and thrift regulators on the Year 2000 status of the financial institutions they supervise. In the aggregate, of the insured depository institutions assessed, over 96 percent were rated Satisfactory, 3 percent were rated Needs Improvement, and less than one-half of one percent were rated Unsatisfactory. Year 2000 Ratings for All FDIC-Insured Institutions as of March 31, 1999 Assessment Number of Institutions Percentage 10,042 96.8 Needs Improvement 313 3.0 Unsatisfactory 24 0.2 10,379 100.0% Satisfactory Total Service Provider and Software Vendor Results The FDIC and the other banking agencies also completed Phase II assessments of 256 service providers and software vendors that provide data processing services or software to the industry. Virtually all banks and savings associations rely on service providers and software vendors for at least a portion of their data processing services. Therefore, these companies play a critical role in helping financial institutions become Year 2000 ready. Of the 142 service providers and software vendors examined by the FDIC, our data show that over 96 percent were rated Satisfactory and under 4 percent were rated Needs Improvement. None were assessed as Unsatisfactory. Year 2000 Assessment Ratings for FDIC-Examined Service Providers and Software Vendors as of March 31, 1999 Assessment Number of Companies Percentage 137 96.5 Needs Improvement 5 3.5 Unsatisfactory 0 0.0 142 100.0% Satisfactory Total Taken together, of the total service providers and software vendors examined by the FFIEC agencies, data show that more than 97 percent were assessed as Satisfactory and less than 3 percent were rated Needs Improvement. None were rated Unsatisfactory. Federal banking and thrift examiners are contacting each of the service providers and software vendors, regardless of their rating, every three months to follow up on their progress. Year 2000 Assessment Ratings for All FFIEC-Examined Service Providers and Software Vendors as of March 31, 1999 Assessment Number of Companies Percentage 249 97.3 Needs Improvement 7 2.7 Unsatisfactory 0 0.0 256 100.0% Satisfactory Total The FFIEC member agencies share the results of service provider and software vendor reviews with the client financial institutions. This information provides financial institutions with facts regarding the efforts and state of readiness of their service providers and software vendors. We are continuing to stress the importance of continued monitoring on the financial institution's part. We also are emphasizing that these reviews show a company's progress at a particular point in time and the ratings could change over time. Corrective Actions Throughout the various phases of our supervisory program, the FDIC took a number of actions against institutions that failed to address Year 2000 issues appropriately. During Phase II, guidance issued by the FDIC suggested that a board resolution or a Memorandum of Understanding be sought from institutions rated Needs Improvement. For institutions rated Unsatisfactory, the guidance suggested that a plan or a Safetyand-Soundness Order under Section 39 or a Cease-and-Desist Order under Section (8)(b) of the Federal Deposit Insurance Act (FDI Act) generally should be sought. As of March 31, 1999, the FDIC had 379 financial institutions adopt board resolutions and another seven are in process. The FDIC had entered into 141 Memoranda of Understanding and another 24 Memoranda are in process. The FDIC also requested 22 corrective plans under Section 39 of the FDI Act and issued 10 formal Cease-andDesist Orders. In total, as of March 31, 1999, the FDIC completed a total of 552 corrective actions and had 41 pending. These actions have been effective in getting management to address deficiencies and take necessary action toward Year 2000 readiness. For example, of the 552 institutions for which corrective actions were completed, 488 institutions now are rated Satisfactory. FDIC Year 2000 Supervisory Corrective Programs and Enforcement Actions against Financial Institutions as of March 31, 1999 Type of Action Completed In Process Bank Board Resolution 379 7 Memorandum of Understanding 141 24 Request for Plans under Section 39 of the FDI Act 22 10 Cease-and-Desist Orders 10 0 Total 552 41 As of March 31, 1999, the FDIC also took actions against 13 service providers and another two actions are in process. The actions included board resolutions, Memoranda of Understanding, and formal enforcement actions. These actions also appear to have been effective in getting management to take necessary steps. Of the thirteen service providers against which supervisory action has been taken, eight are now rated Satisfactory and one has been sold. Given the short time remaining until the century date change, the FDIC has adopted a more aggressive stance to achieve desired remedial attention at institutions rated Needs Improvement or Unsatisfactory during Phase III. In procedures spelled out in a Memorandum dated April 6, 1999, from the FDIC Director of Supervision to all Regional Directors, the FDIC will generally seek action under Section 39 or a Ceaseand-Desist Order for institutions assessed as Needs Improvement or Unsatisfactory. The FDIC has prepared standard language to enable us to process such actions quickly. FDIC Year 2000 Supervisory Corrective Programs and Enforcement Actions against Service Providers as of March 31, 1999 Type of Action Completed In Process Board Resolution 7 0 Memorandum of Understanding 4 2 Formal Enforcement Actions 2a 0 Total 13 2 aThese actions were issued jointly with the other FFIEC agencies. PHASE III SUPERVISORY STRATEGY On April 1, 1999, the FDIC and the other banking agencies, began Phase III of our Year 2000 supervisory assessment program. This phase will focus on the following: • • By June 30, 1999, financial institutions' testing of mission-critical systems should be complete and implementation of mission-critical systems should be substantially complete. By June 30, 1999, financial institutions should have substantially completed the development of their business resumption contingency plans and designed a method of validation so the plans can be tested for effectiveness and viability. • • Financial institutions should have identified their material customers and should have evaluated their Year 2000 readiness in order to assess their risk to the institution. Financial institutions should be communicating with their customers about their Year 2000 preparedness. During Phase III, for those institutions with a Satisfactory assessment rating, FDIC examiners will either visit or telephone their management at least every 90 days. For every institution rated less than Satisfactory, examiners will go on-site every 90 days, or more frequently if necessary, to monitor progress and ensure that deficiencies are corrected. At a minimum, a follow-up phone contact with their management will be made to these institutions within 45 days of the on-site assessment. In addition, we will visit on-site every 90 days, and contact every 45 days, those entities with a composite CAMELS rating or management component rating of 4 or 5. Certain institutions that play a critical role in the regional financial structure—such as those with extensive interstate or intrastate operations (or both), significant retail operations, large merchant processing volume, or large funds transfer volume—also will receive an on-site assessment. The exclusion of any institution with deposits over one billion dollars as of December 31, 1998, must be justified in writing. FDIC examiners will conduct an on-site assessment at any financial institution that has converted any or all of its mission-critical systems during Phase III after the conversion is completed and tested. Service providers and software vendors will continue to be contacted every 90 days. If circumstances warrant, we will contact institutions, and service providers and software vendors more frequently, as we have done in the past. Role of the Office of Inspector General An important component of the FDIC's Year 2000 effort has been the ongoing assessments and suggestions of our Office of Inspector General (OIG). The OIG has had significant oversight of our Year 2000 efforts. This oversight is an important part of the FDIC’s overall quality assurance of its Year 2000 effort, and we welcome the views and suggestions for improvement that the OIG has provided. Recently, the OIG completed a review of selected Phase II exams. We are pleased that the OIG has indicated to us its belief that the FDIC’s overall Y2K supervisory program is effective. However, the OIG noted certain exceptions that, while they cannot be extrapolated to the Year 2000 program as a whole, did suggest possible improvements to the examination process. Our Division of Supervision has worked closely with the OIG to implement these suggestions. In its report, the OIG discussed how the Y2K supervisory program could be improved. The OIG's suggestions were incorporated into guidance that was issued on April 6, 1999, to all Regional Directors for distribution to examiners. The guidance discussed the frequency and nature of the contacts with FDIC-supervised institutions during Phase III. For example, a combination of on-site visits and telephone contacts was specified, depending on the risk profile of the institution. The areas of concentration for examiners were delineated, including deficiencies noted at previous Y2K assessments. Weaknesses identified must be documented and resolved through acquisition of supporting documentation from the institution. The time frame for preparation and distribution of assessment reports was specified and rating criteria were clarified. The FDIC reminded regional staff that we place a high premium on accuracy in the examination process and we have reaffirmed to our staff that they should take sufficient time to ensure that examinations are complete and accurate. PUBLIC AWARENESS The FDIC has a unique responsibility to the public to maintain confidence in the financial system. Over the past 66 years, we have worked to make bank failures a nonevent for insured depositors. As a result, three generations of Americans have been secure in the knowledge that their insured deposits are safe. The FDIC recognizes that the unique challenges of the Year 2000 date change present us with an additional obligation to provide information to the public, but the primary obligation rests with individual banks and the banking industry. Year 2000 readiness is, and ultimately must be, the responsibility of each financial institution's directors and officers. These individuals are in the best position to know their institution's operations, strategies, resources and exposure, as well as the concerns of their customers. Therefore, the federal banking and thrift regulators have repeatedly advised banks and savings associations that providing meaningful information to customers should be an important part of their Y2K project plans. Information should be available regarding the progress a bank is making and when the bank expects to complete its preparations. Unfortunately, it appears that many institutions have not communicated sufficiently with their customers about the Year 2000 date change. We are concerned about this situation and will continue to stress the need for consumer awareness and communication efforts on the part of the industry during Phase III of the Y2K program. Fostering Consumer Awareness For its part, the FDIC will continue efforts over the next few months to inform and to educate the public. The FDIC has formed a partnership with the Conference of State Bank Supervisors to educate the public about Y2K and financial institutions. In addition, the FDIC is a member of the President's Council on Year 2000 Conversion. The FDIC is disseminating Year 2000 information through local civic organizations. FDIC staff is being made available to respond to speaking requests or other outreach opportunities and we have participated in local seminars sponsored by Members of Congress. Our most senior-level officials—including Vice Chairman Hove and myself— are discussing Y2K issues and industry preparations with the public. To help bank customers understand Y2K and how it might affect them, we are providing various educational materials to the public. For example, the Fall 1998 issue of FDIC Consumer News was devoted entirely to Y2K. It provides a comprehensive guide to the issues of Y2K and banking. Copies of this issue are being distributed to the public through the Consumer Information Center, in Pueblo, Colorado. Its availability was announced in the February 7, 1999, edition of Parade magazine. In the first three days following the announcement, the Consumer Information Center received 14,000 phone calls requesting the FDIC Consumer News and their Web site received 50,000 hits. In addition, we will be providing cautions against various Y2K scams in the next issue of FDIC Consumer News. The agencies also have published a pamphlet, The Year 2000 Date Change, available in English and Spanish. Trade associations have distributed more than 12 million copies of The Year 2000 Date Change pamphlet to financial institutions for further distribution to their customers. These materials also are available to the public at no charge and can be obtained through our Web site (www.fdic.gov). The FDIC, in conjunction with the other banking and thrift regulators, is finalizing A Y2K Checklist for Customers, an expanded version of which has appeared in the FDIC Consumer News. Although the public has absolutely no reason to question the deposit insurance guarantee, the checklist provides steps that each person can take to help reduce or eliminate any problems that might occur as a result of the century date change. It includes helpful suggestions for consumers, such as: • Educate Yourself About Y2K—Read all you can about the Year 2000 issue and what your financial institution is doing to protect customers. • Keep Copies of Financial Records—As always, keep good records of all your financial transactions, especially for the last few months of 1999, until you get several statements in 2000. • Pay Attention to Your Finances—As always, balance your checkbook regularly and check your transactions for accuracy. • Make Prudent Preparations—Remember all your payment options (checks, credit cards, debit cards, ATMs, and tellers) in the event one form of payment doesn't work as planned. • Be On Guard Against Y2K Scams—Be skeptical if someone asks for your account information or tries to sell you a product, service, or investment that is supposedly Y2K safe. Protect your personal information, including your bank account, credit-card, and social security numbers. • Review Your FDIC Deposit Insurance Coverage—The federal government's protection of insured deposits will not be affected by Y2K. Aside from providing information to the public, the FDIC is implementing measures to make it easier for the public to obtain answers to questions about the Year 2000 and banking. The FDIC has begun operation of a toll-free telephone line (1-877-FDIC-Y2K) to respond to public inquiries about the Year 2000 date change and its effect on financial institution customers. FDIC CONTINGENCY PLANNING FOR FAILED FINANCIAL INSTITUTIONS Throughout its history, the FDIC has continually created and refined contingency plans to address different types of bank failures involving diverse types of financial institutions. Our current contingency plans are intended to ensure that should any institution be closed because of Year 2000 problems, there will be minimal disruption to insured depositors. We are developing plans to provide depositors access to their insured funds in a timely manner. In addition, the FDIC is represented on the various subgroups established by the FFIEC that are formulating contingency plans to address issues raised by Y2K. Contingency planning is particularly important because a Year 2000 failure, should one or more occur, will not be similar to past bank failures. The FDIC always has relied upon the fact there is reasonably good information available when a bank fails. This may not be true if computer systems break down and data are corrupt. Although the unavailability of information could make the job more complicated, appropriate contingency planning should enable the FDIC to address this new type of failure and protect depositors just as we have in the past. The FDIC’s contingency plans address issues related to: (1) reconstructing corrupted data; (2) transferring deposit accounts and assets from a failed bank to a healthy institution; (3) providing insured depositors their money even if there is no acquirer; (4) providing customer service; and (5) having available resources to carry out those responsibilities if there are multiple failures in various locations. Although some institutions that could fail may be readily identified with reasonable lead-time, it is possible that an institution could fail with little or no warning starting in January 2000. If a failure occurs, the FDIC will need to arrange a resolution transaction for the failed bank quickly, perhaps within a few days of the problem being uncovered. To accomplish this, the FDIC needs to identify potential acquirers and inform them of the types of resolution transactions available to them in advance of any Y2K failures. In a typical closure of an insured financial institution, financial information systems are not subject to corruption. In the event of a Year 2000 technological disruption, however, financial data may not be accessible or accurate. The FDIC may have to recreate electronic data files and validate information systems before the resolution process can proceed. With input from institutions, service bureaus, trade groups, and regulatory agencies, we have been exploring options for possibly requiring some financial institutions to backup and retain data. These options include requirements for some high-risk institutions to maintain a limited standardized asset and liability backup program for a short period of time. In the event of a failure of an insured financial institution, such a backup program would facilitate the transfer of information on insured deposits to a new acquirer or to the FDIC’s payoff system for insured deposits. This backup program would reduce the time for deposit insurance determinations and provide depositors with quicker access to their funds. In addition, we have formulated planning scenarios to ensure appropriate resources are available in the event of a technological failure. The resolution and closing experience of current FDIC employees has been assessed and training materials are being updated to include a possible Year 2000 failure scenario. In summary, our planning is directed toward having a well-developed contingency plan designed to protect insured depositors in the event Year 2000 failures occur. We are working diligently on minimizing potential disruptions. We intend to ensure that insured depositors will have timely access to their money, should failures occur. STATUS OF FDIC INTERNAL EFFORTS The FDIC is on schedule to complete preparation of all of its internal systems in time for the Year 2000 date change. We have adhered to the time frames established in guidance from the Office of Management and Budget (OMB) and the General Accounting Office (GAO) for the five stages of Year 2000 project management: awareness, assessment, renovation, validation and implementation. Since our last testimony in September 1998, we have completed the validation and implementation phases, in accordance with the OMB schedule for mission-critical systems. The FDIC currently has a total of 36 mission-critical systems. Of these, 35 systems were validation tested by the end of January 1999. The final system was replaced with a new system, tested, and implemented by February 28, 1999. The remaining missioncritical systems, cited in our previous testimony, have been retired or replaced. In one case, two systems were replaced by one. Three hundred forty-eight of our non-mission-critical information technology systems are scheduled to continue beyond January 1, 2000. These systems were all validation tested by January 31, 1999. In addition, 33 new non-mission-critical systems were validation tested before implementation by March 31, 1999. Four additional minor, and non-mission-critical, internal work-tracking systems will be implemented this month. Independent verification and validation of a subset of our applications are ongoing, sponsored by both the Internal Year 2000 Project Team and the OIG. These efforts will confirm that our renovation and test procedures were effective, and that the test results reflect Year 2000 compliance. Maintaining an application’s Year 2000 compliance while normal production activities occur is a vital task in the FDIC’s Year 2000 plan. The FDIC currently is improving its configuration management process to ensure management of renovated code through 1999. In February 1999, we instituted a new process specifically to evaluate Year 2000 issues before system enhancement or modification. Changes will require risk assessment, re-testing as needed, and approval by the Year 2000 project manager for internal systems. This system will augment increased emphasis on existing configuration management software on both the mainframe and client/server platforms. Together, these processes will ensure that renovated code will remain compliant. We continue working with our data exchange partners—financial institutions, the Federal Reserve System, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the National Credit Union Administration, state banking authorities, and other business partners. We have resolved Y2K issues in nearly all exchanges of pertinent data and are completing testing with exchange partners. The FDIC has over 1,800 purchased products supporting its operations, including commercial off-the-shelf software, mainframe operating systems and associated software, and vendor-provided hardware components, including personal computers and telephones. We have purchased replacements for all identified non-compliant personal computers, and expect to complete nationwide installation by June 30, 1999. We contacted vendors to request Year 2000 readiness information on software packages, and will conduct tests on those most important to our business functions. We have identified upgrades that are necessary for our telephone equipment to be Year 2000 ready, and are implementing the upgrades. We also have replaced other equipment, such as facsimile machines, that were not Year 2000 ready. We are working with a contractor who specializes in remediation of embedded systems to complete our efforts with respect to building systems controls by the end of July 1999. We believe that our efforts will enable us to continue business as usual after January 1, 2000. As recommended by the GAO and the OIG, the FDIC has nonetheless prepared a business continuity plan outlining how the agency would resume normal business operations for each of the FDIC's core business processes in the event that unforeseen Year 2000 problems cause disruptions. In summary, the FDIC has a rigorous, centralized Year 2000 project for its internal systems. We believe our comprehensive approach will result in a smooth transition of our automated systems. OTHER ISSUES In the Committee’s letter of invitation, we were asked to respond to several issues regarding pending Year 2000 related legislation. First, you asked us to respond to the suggestion that the federal holiday observance be moved from December 31, 1999, to January 3, 2000. The FDIC sees no particular advantage to moving this holiday to Monday, because it would require that banks reprogram their computers to recognize the holiday date change, thus placing an additional burden on the industry. You asked us also to comment on pending Y2K liability legislation, and H.R. 775, in particular. Any legislation, including H.R. 775—the Year 2000 Readiness and Responsibility Act of 1999, could have a significant effect on the FDIC as a supervisor of state nonmember banks, as insurer, and as receiver of failed insured depository institutions. The FDIC believes that H.R. 775, or any other Y2K liability bill, should preserve the authority of the FDIC and the other banking and thrift agencies to take enforcement actions necessary to maintain the safety and soundness of insured depository institutions. This will ensure that the FDIC is able to exercise its statutory enforcement authority because of false, inaccurate, or misleading Year 2000 related filings, reports, or statements made by depository institutions or their employees. As Congress considers legislation to limit liability related to Y2K failures, we recommend that any such bill contain an exception for any action brought by a federal, state, or other public entity, agency, or authority acting in a regulatory, supervisory, or enforcement capacity. This exception would parallel the exception in the Year 2000 Information and Readiness Disclosure Act, which was enacted last year. We would note further that H.R. 775 would prohibit civil penalties for first-time violations by small businesses, including small depository institutions, of federal collection of information requirements, if the violation were related to a Year 2000 failure. Given the importance of some of this information to our monitoring of the condition of insured institutions and assessing their deposit insurance obligation, a general prohibition on penalties for such institutions would seem imprudent. The FDIC, therefore, would suggest that the definition of "small business concern" be amended to exclude expressly financial institutions, which are regulated by the federal banking and thrift agencies. Liability legislation also could affect financial institutions and their customers. The proposals generally would increase the burden of proof on plaintiffs, limit damage recoveries for Y2K related claims, and offer additional defenses to such claims. Therefore, the restrictions on liability can help or hurt a financial institution, or its customers, depending on what its position as plaintiff or defendant is in any particular litigation. Liability legislation should, however, not be so broad as to afford immunity or complete unlimited protection for any exposure for gross negligence or recklessness resulting in a failure and loss to the insurance funds. Finally, you asked for our response to whether references to bona fide error in current banking consumer law should be clarified to include, in the definition of computer error, explicit reference to Y2K related errors. Computer malfunction and programming error related to the century date change could be covered under current law by the federal statutory provisions dealing with bona fide errors, and institutions presumably would assert this defense in the event of a Y2K problem. As the Federal Reserve Board is charged with implementing many of the consumer protection laws, it could define generally the circumstances that would qualify as bona fide errors. These cases however, would involve a defense against civil liability to third parties, so the courts, rather than the banking agencies, will determine how these provisions apply in specific cases. We have not determined, at this point, that additional legislation would be beneficial. We remain concerned that any legislative proposals to limit liability be crafted carefully so as not to reduce incentives for financial institutions to correct their Y2K problems. CONCLUSION The Year 2000 date change is the highest safety-and-soundness priority for the FDIC. We have been aggressively assessing Year 2000 progress at FDIC-supervised financial institutions and service providers and software vendors. As we begin the final phase of assessments, the FDIC will continue to direct all necessary human and financial resources to ensure public confidence in the banking system. The FDIC has taken, and will continue to take, aggressive supervisory and enforcement action against institutions that fail to meet regulatory guidance and expectations. Both the banking and thrift industries and the FDIC have a responsibility to inform the public. The FDIC, for its part, is on schedule to complete its efforts for internal Year 2000 readiness. We are developing comprehensive contingency plans in the event that institutions do not become Year 2000 ready. Above all, however, no insured depositor need worry. The FDIC will protect insured deposits. Mr. Chairman and Members of the Committee, the FDIC will continue to ensure that insured deposits are protected and that public confidence in our nation's banking system is maintained. Last Updated 06/25/1999