INFORMATION COPY ONLY - PRELIMINARY

YEAR 2000 FIRST DAY LETTER REQUEST - - Phase II, Part I

I.        Introduction

The purpose of this information request is to assist the examiners in assessing your institution’s management of Year 2000 risks, as well as progress of your overall Y2K project. Please have the following information ready for the examiners who will be performing Phase II, Part 1, of the Year 2000 reviews. Given that organizations are of varying size engaged in diverse activities of different complexities, there are no single best answers to this information request. Each area of question has been prefaced by its purpose. With that in mind, the specific requests are only examples of the type of documentation that would serve to demonstrate the organization’s management of the risk. Obviously, the example of documents is neither all-inclusive nor appropriate in all cases.

The examiners will be on-site to assess Phase II, Part 1, of the institution’s process. This review is independent of the Phase I assessment conducted earlier this year. The Phase I rating previously communicated in a notification letter is a point-in-time assessment. However, issues that remain unaddressed from Phase I will be considered in determining the institution’s Phase II, Part 1, rating.

Please provide documentation of your organization’s effort in the following areas:

II.           Management - Purpose: Demonstrate ongoing commitment, visibility of issues, responsiveness, and oversight of
               project and progress. Sample documents:

  1. Minutes of any Y2K Committee meetings (from March 1998 to present).

  2. Minutes of the Board of Directors meetings (or communications submitted to head office for FBOs) regarding the progress of the Y2K project.

III.          Planning - Purpose: Demonstrate a comprehensive scope of critical products and services, controls to preserve
               compliant environments, project monitoring of progress to plan, and work in progress on testing and contingency                plans. Sample documents:

  1. An inventory list of "non-automated" vendor/servicer products that are critical to the institution (i.e. armored courier, customer statement producer, microfilm service, etc.)

  2. A copy of your institution’s "change control" procedures.

  3. A description of the tracking system(s) that reports vendor readiness and a copy of the most recent report showing vendor progress.

  4. A description of the contingency planning process and progress toward developingY2K Contingency and Business Resumption Plans.

  5. A description of any significant changes to your institution’s Y2K Readiness Plan submitted in Phase I including commentary on progress and target milestones as well as the fulfillment of funding and staffing budgets.

IV.          Independent Appraisal - Purpose: Demonstrate an independent opinion of the appropriateness and soundness of
               the project approach, methodology, and processes, including the integrity of reporting. Sample documents:

  1. A description of current audit coverage, plan and schedule pertaining to Y2K related activities. A copy of audit report(s) containing any Y2K- related issues and management’s response(s).

  2. A description of a outside consultant’s engagement to review Y2K -related activities. A copy of consultant report(s) containing any Y2K- related issues and management’s response(s).

  3. A description of engagements by outside accountants in reviewing aspects of Y2K-related activities. A copy of the management letter noting Y2K issues and the organization’s responses.

  4. A description of an independent "peer project or panel review" of Y2K activities, including findings and management responses.

V.            Risk Management - Purpose: Demonstrate due diligence over Y2K activities and attentiveness to regulatory
               guidelines and timeframes. Sample documents:

  1. A copy of the procedures used to identify your material customers and business counterparties, assess their Y2K readiness, and analyze the risk posed to your institution. (See FFIEC Interagency Statement dated March 17, 1998 entitled "Guidance Concerning the Year 2000 Impact on Customers.")

  2. Copies of plans, procedures, or processes designed to monitor and mitigate the risks identified above and any reports submitted to executive management, the board of directors, or related committees concerning customer Y2K risk.

  3. Inventory lists of systems or application software that analyze, assess, and report counterparty risk. Discussion of applications or systems classification as mission critical, consideration of Y2K as a risk factor, and status of Y2K compliance.

  4. A description of changes to the Allowance for Loan and Lease Losses (ALLL) attributed to the Y2K component of the risk assessment process.

  5. A description of your plans to assess and mitigate liquidity risk during the period of the century date change.

  6. Documentation, including plan and status, of how your institution communicates its Y2K readiness and related information to customers, business partners, and counterparties.

  7. Documentation and status of the flow of Y2K-related information concerning credit participations.

  8. A description of the institution’s approach to the management of credit/counterparty risk relating to Y2K.