To the Chief Executive Officers of all State Member Banks, Branches and Agencies of Foreign Banks, Bank Holding Companies, And Edge Corporations in the Second Federal Reserve District:
The potential disruption that the Year 2000 could have on computer applications or operating systems, where dates are reflected with two digits for the year, can be significant. In response to earlier alerts on this issue, many institutions have developed comprehensive plans to address the problem. Bank supervisors have had a chance to review a significant number of the plans and have found that plans and actions to date are uneven across the industry. This alert highlights a number of areas where special attention may be needed and provides more detail on our supervisory expectations with regard to your plans and actions.
Most institutions have focused their efforts to date on identifying the changes that must be made internally to address the Year 2000 issue. Most are well along in this process. Fewer institutions are as advanced in their thinking about how the Year 2000 may affect their dealings with customers, vendors, or service providers. In this District, many institutions are significant providers of financial services to others, giving rise to potential implications more broadly if problems develop. The Federal Reserve Bank of New York believes such problems can be avoided if appropriate attention is being directed to a number of areas.
All applications and systems need to be thoroughly tested in ways that simulate actual business activity. Such testing should include not only internal systems but also products and services purchased from service bureaus or vendors. Relying on someone else to test or certify a system can pose significant risks. Because system interfaces often vary from institution to institution, what works in one place may not work in another.
Last year, an alert issued by the Federal Financial Institutions Examination Council (FFIEC) recommended that all reprogramming be completed by December 31, 1998. This date was a minimum standard and was designed to allow sufficient time for thorough testing of systems. For financial institutions that service large numbers of other financial institutions by providing correspondent, clearing or other services where system failures could have systemic consequences, the Federal Reserve Bank of New York believes a more aggressive target is appropriate. Not only programming changes but testing with other similar institutions should be largely completed by December 31, 1998 for major applications. Only in this way can end-to-end testing by other institutions relying on these systems be assured throughout 1999.
Spillover Business Risks
Some institutions have not as yet thoroughly analyzed how the Year 2000 will affect their clients or customers or determined if these clients and customers are appropriately planning for the Year 2000. Business lines should be considering whether their clients and customers are adequately addressing their own risks from the Year 2000 as some are likely to face problems that will affect normal business operations and banking relationships.
Special Risks for Certain Institutions
Satellite operations and overseas activities require special attention. In particular, management information systems for businesses that run semi-autonomously from the head office may not be identified in the system inventory or plans developed to date. To the extent that such systems serve as critical controls for business operations, significant undetected vulnerabilities may exist. Staff throughout the entire organization must be aware of risks associated with the Year 2000 issue and how they might be affected. All business units and locations should ensure that plans adequately cover systems and tools that are used to support operations, risk management, and control environments.
Costs and Monitoring
Budget estimates to address Year 2000 issues have been surprisingly high for many institutions. But even early estimates often are being adjusted upward as the costs of obtaining/retaining qualified staff to address the problems rise and additional issues are encountered. Progress should be measured against plans and targets frequently with particular attention paid to monitoring the availability of skilled programmers.
Experts differ on estimating the financial impact for the economy generally, but all agree that at least some institutions will have problems that will be substantial. Senior management and the board of directors need to be involved actively with approving plans, assuring adequate resources, and monitoring progress on Year 2000 projects, and periodic updates should be incorporated into the agenda for board of directors' meetings.
Policies regarding Year 2000 risks are being coordinated closely by Federal banking supervisors. An interagency group is preparing an advisory that will provide additional guidance on this issue. We believe the points raised in this alert will be consistent with any supervisory advisories that will be issued in the future. We also believe that Year 2000 systemic risk issues are particularly significant in this District and that increased attention is necessary to help avoid future problems.
Federal Reserve Plans
The Federal Reserve has developed a comprehensive Year 2000 plan as to make its systems Year 2000 compliant and able to service financial institutions. The Federal Reserve is currently developing plans to assure all institutions appropriate testing opportunities. These plans for testing will be communicated to the financial community in a timely manner. Questions regarding the Federal Reserve's plans may be directed to Bruce Cassella, Vice President, Bank Services Office at this Bank or Elaine Geller, Federal Reserve System Century Date Change Project Office [(415)974-3148].
Questions or comments about Year 2000 issues more generally can be referred to George Juncker, Vice President or Thomas Wines, Bank Examinations Officer, Information Systems and Technology Team, Bank Supervision Group.