To the Chief Executive Officers of All State Member Banks, Bank Holding Companies, Edge and Agreement Corporations, and Branches and Agencies of Foreign Banks in the Second Federal Reserve District, and Related Information Systems Service Providers:
The FFIEC member agencies are continuing to monitor the progress of financial institutions in addressing Year 2000 issues and to provide guidance to assist their efforts to prepare for the Year 2000. Accordingly, the FFIEC has issued the fourth and fifth advisories in a series addressing safety and soundness issues pertaining to the Year 2000.
One advisory, entitled "Guidance Concerning the Year 2000 Impact on Customers," describes the responsibilities of a financial institution's senior management and board of directors for assessing the risks arising from the failure or inability of the institution's customers to address their Year 2000 exposures. This guidance prescribes a due diligence process that identifies, assesses and establishes controls for Year 2000 risk posed by three categories of customers: funds takers, funds providers, and capital market/asset management counterparties. The guidance states that financial institutions should have implemented a due diligence process by June 30, 1998, and that the assessment of customer preparedness and the resulting impact on the institution should be substantially completed by September 30, 1998. Financial institutions also are advised that management should provide quarterly reports to the board of directors that identify customers who could cause material risk exposure and who are not effectively addressing Year 2000 problems. These reports also should summarize actions taken to manage the risk. The guidance provides models of information collection processes used by financial institutions to manage Year 2000-related customer risk.
The other advisory, "Guidance Concerning Due Diligence in Connection with Service Provider and Software Vendor Year 2000 Readiness," provides that senior management and the boards of directors of financial institutions should establish a due diligence process for determining the ability of its service providers and software vendors to be Year 2000-ready. Among other things, the guidance states that an effective due diligence program should identify and assess mission-critical services and products provided by service providers and software vendors; monitor their progress; establish a process for testing remediated products in the financial institution's own environment to the extent possible; and establish contingency plans for each mission-critical product and service. The guidance identifies information financial institutions should obtain from service providers and software vendors concerning Year 2000 readiness and advises financial institutions to establish "trigger dates" for changing service providers and software vendors to allow sufficient time to achieve readiness.
The FFIEC is conducting examinations of certain service providers and vendors in order to assess their Year 2000 programs. While results of these examinations will be provided to serviced institutions, the work that the FFIEC is doing is not a certification of the vendor's product but rather a review of the process that the vendor is using to address Year 2000 issues. Each financial institution needs to conduct its own independent due diligence process to make certain that the product works properly in its unique environment.
Financial institutions may choose to forward a copy of the relevant Interagency Statement to their customers, vendors and third party service providers.
Should you or your staff have any questions regarding the enclosed statements, please contact, at this Bank, Sarah Dahlgren, Vice President, Bank Supervision Group, or William Francis or Thomas Wines, Examining Officers, Bank Supervision Group (respectively).