The Federal Financial Institutions Examination Council has published a report to U.S. banks (Dec. 17), "Safety And Soundness Guidelines Concerning The Year 2000 Business Risk." Anyone who thinks this problem is trivial should read the entire report. Pay close attention to the use of the phrase, "contingency plans." This is especially important as it applies to software vendors, over whom the banks and the government have no control.
Throughout every industry, software vendors are the source of continuing operations. Yet they are not under anyone's authority. They may not meet the 2000 deadline. Any discussion of y2k remediation that ignores this fact is terminally naive. This document does not ignore it, but it offers no suggestions except contingency plans. It is not said what these might be if rival vendors cannot supply compliant products.
For banking as a whole, there is no contingency plan. That's the problem facing this society. There are no contingency plans for a modern society devoid of banks.
* * * * * * * *
The Board of Directors and Chief Executive Officers of all federally supervised financial institutions,providers of data services, senior management of each FFIEC agency, and all examining personnel. . . .
The Year 2000 problem presents corporate-wide challenges for financial institutions, their vendors, business partners, counter parties, and customers. However, the regulatory agencies are concerned that many financial institutions view the Year 2000 issue solely as an information system (IS) problem rather than a broader, enterprise-wide challenge. Many institutions may not have adequately funded their Year 2000 programs and may lack the necessary resources to properly address the issue.
The board of directors should ensure that senior management is taking an enterprise-wide approach to address Year 2000 problems and must provide sufficient resources to resolve Year 2000 problems. For example:
•As the Year 2000 will affect most, if not all, of an institution’s accounting and risk control systems, there should be close coordination between business units and the institution’s operational and risk management functions as conversion programs are executed. •
•Financial institutions relying on vendors for information processing services or products should determine their vendors’ progress in resolving Year 2000 issues and the readiness of their own systems and data for appropriate testing. Parties throughout the institution should be involved to coordinate readiness efforts and to develop contingency plans. •
•The interdependencies of a financial institution's information systems will require comprehensive testing of applications with all internal and external systems that share information. Senior management should monitor the testing of all mission critical systems. •
•The approach of the Year 2000 creates potentially adverse effects on the creditworthiness of borrowers. Corporate customers who have not considered Year 2000 issues may experience a disruption in business, resulting in potential financial difficulties affecting their creditworthiness. Financial institutions should develop processes to identify, assess, and control the potential Year 2000 credit risk in their lending and investment portfolios. The regulatory agencies are preparing additional guidance with respect to their expectations of senior management concerning these indirect risks and other important topics. • . . .
The Interagency Statement suggested that financial institutions obtain certification from their vendors when products and services are Year 2000 compliant. However, the regulatory agencies recognize that certification alone is not sufficient to provide adequate assurance that a product will operate properly in the unique environments of the many user financial institutions. Only a comprehensive test of all internal and external systems and system interdependencies by each user financial institution will ensure that they will function properly together. Therefore, formal certification is not required. Instead, financial institutions should (a) communicate with their vendors and conduct due diligence inquiries concerning Year 2000 readiness and also (b) implement their own appropriate internal testing or verification processes pertaining to these vendor products and services to ensure that their systems and data function properly together. They should monitor closely their vendor’s progress in meeting target deadlines. The vendor’s plan should allow adequate time for user testing in a Year 2000 environment. . . .
Financial institutions should develop contingency plans for all vendors that service mission critical applications and establish a trigger date for implementing alternative solutions should the vendor not complete its conversion efforts on time. These plans should consider the institution’s own level of preparedness as well as that of their service providers. Contingency plans should be reviewed at least quarterly and adjusted, if necessary, to reflect current circumstances.
In establishing relevant trigger dates, management should have a thorough understanding of the complex interrelationships between its systems and those of its vendors. An institution also should consider the time necessary to convert the existing system to one that is ready for the Year 2000, the staff training time needed to implement an alternative system, and the availability of alternative systems. If, after a thorough analysis, it appears that the institution’s Year 2000 conversions, or those of its vendors, will not be completed on time, management should be ready to implement its contingency plans. If success is in doubt for complex applications, it may be necessary to begin implementation of the contingency plan while continuing to work on the desired solution. Additionally, it may be necessary to begin renovation on an existing system, if timely implementation of a replacement system is not assured.
For in-house developed applications, the contingency plan should identify how the institution will transition to an alternate system or to an external vendor. For institutions that rely on vendors, the contingency plan should identify alternative suppliers and outline migration plans. In addition, time frames for Year 2000 contingency plans should be consistent with the time frames set forth in the Interagency Statement. The statement establishes December 31, 1998, as the date that institutions will have completed programming changes and have testing well underway for mission-critical systems. . . .
The regulatory agencies are concerned that many financial institutions and service providers will underestimate the costs of Year 2000 projects, especially those costs associated with the testing phase. As the Year 2000 approaches, the demand for technical resources will likely rise and the supply of these resources is expected to diminish, thereby increasing costs. Financial institutions must exercise appropriate due diligence in their budget planning to ensure that they have sufficient financial and human resources to complete their Year 2000 plans in a timely manner.