| William J. McDonough, President
Remarks by President William J. McDonough before the Annual Membership Meeting of the Institute of International Finance I am pleased to be able to share my thoughts with you today on an issue that is sure to challenge every one of our organizations for the next several years -- the Year 2000 and how the century date change poses a very significant risk for financial markets.
As I look at the membership of the Institute of International Finance gathered here in Hong Kong, I cannot help but be impressed as to how truly global financial markets have become. Realizing that this meeting is being hosted here in Hong Kong, with the People's Republic of China as the host country, further underscores how rapidly the world is changing and how interdependent we are.
As a central banker, I worry a lot about events that could disrupt financial markets. Many of the events that I worry about are hypothetical. In those cases, a large part of my job is to convince others that the hypothetical event in question is sufficiently possible that it is in the industry's best interest to work together to try to avoid the event and related problems.
Today, I am sure that I do not have to convince you about the inevitability of the approaching century date change. It is a certainty. What remains for me to do is to help put the dimension of the Year 2000 issue in perspective and suggest some of the actions that are necessary now if we are to avoid potentially serious problems down the road.
As recently as the early 1990s, few banks and other financial institutions paid much attention to the Year 2000 problems. After all, using two digits in programs to represent the year made sense for decades. Many institutions didn't recognize the problem at all; others speculated that changes in technology would somehow appear and solve the problem. Now, however, delays have come back to haunt those institutions that acted passively, or not at all, in marshalling the resources needed to manage the problem.
Financial institutions depend on the proper sequencing of events and calculations based on dates, but the logic built into applications to sequence events and perform calculations will not work properly when we hit 2000. As a result, Year 2000 issues pervade every business area of all financial and non-financial institutions.
As if that were not enough, the problem is not just limited to the business lines and the applications upon which businesses rely. Operating systems and the equipment on which business applications run also are reliant on microchip-embedded logic affected by two-digit year representations. Unlike business applications where the dates usually are visible, potential problems in operating systems and equipment usually are invisible or embedded in programs. That means that banks and other institutions must rely on vendors, rather than their in-house technical staff, to identify and fix the problems. Similarly, mechanical devices used in security systems, elevators, and heating and cooling equipment controlled by microchips can be affected and may even cease to run.
Making sure that all of our business applications work together properly will be a formidable challenge, both internally and across the financial services industries. For a variety of business and economic reasons, different approaches to correcting Year 2000 problems will be taken by different organizations. Even within organizations, corrective approaches may well vary for different business applications. Because the changes necessary to fix applications to make them Year 2000-compliant will be completed at different times, testing and retesting will be needed to assure that information flows properly. Continual testing, however, will consume a very significant amount of resources, usually drawn from business line areas. Consultants estimate that testing alone will absorb as much as 70 percent of Year 2000 project resources at some institutions.
The Year 2000 issue stretches well beyond the doors of financial services companies. Your customers and counterparties also must cope. How well they handle this complex and costly technical challenge could affect their business prospects and even their viability. Consequently, over the next couple of years, underwriting standards should specially consider how customers are addressing the issue, and credit officers should monitor the progress of customers who rely on technology on a regular basis.
In my Bank's and the Basle Supervisors' work with the industry to meet the Year 2000 challenge, a number of issues have arisen that are worth calling to your attention. Probably the most significant issue is the relationship that banks have with third-party vendors and service providers. Not infrequently, we have found that banks have assumed either that vendors will make their products and services Year 2000-compliant, or have sought only general assurances from the vendors, which have been accepted at face value. Either approach puts a bank at significant risk.
In addition, we uncovered instances when products represented by vendors as compliant simply were not. More significantly, we found that even if a vendor has made appropriate modifications and tested a product, there can be no guarantee that it will work properly in a bank's unique operating environment or in concert with related applications. It is now quite clear that every product must be tested and certified as compliant by the user, and testing must be repeated upon the release of new compliant applications, environmental software, and hardware. Remote operations and foreign activities pose special challenges for Year 2000 programs. Efforts to develop or use off-the-shelf applications or to put in place a general plan of action can fail to take into account activities that are unique to a particular business or location. Making certain that inventories are complete for complex organizational structures and geographically dispersed banks is proving to be a very difficult task.
Obtaining and retaining the staff resources capable of dealing with Year 2000 issues will be another increasingly difficult problem. There is a limited pool of skilled technical staff to make needed changes, and demands on this pool are growing as the time draws closer. In the short run, the ability to add to this pool significantly through training is limited. Qualified outside consultants already are heavily committed and will become even more scarce over time. Obtaining equipment on which to conduct tests also often requires significant lead time.
All of this suggests that controlling the cost of Year 2000 projects will be a problem for many institutions as resource prices are bid up. Already, we have seen many institutions increase their Year 2000 budgets several times, and by significant amounts, as they develop their detailed plans.
Security also is likely to be of increasing concern as we move forward. As time pressures mount, there is a risk that shortcuts will be taken. The checking of credentials for new staff or outside contractors or consultants may be rushed and less rigorous. Date-dependent security applications may be turned off to facilitate testing. In an industry like ours, with so much interconnectivity, any compromise of security simply cannot be tolerated.
Every financial institution needs its own comprehensive project plan to address the Year 2000 problem. In the United States, bank supervisors have suggested an approach that includes a number of phases. A technical paper prepared by the Basle Committee on Banking Supervision and released by the G-10 Governors on September 8th discusses a very similar approach. In both cases, the basic approach includes the following components:
- setting the Year 2000 project as a strategic objective to be managed at the highest level;
- making sure that staff at all levels recognize the importance of the project as a business issue, not just a technical one;
- identifying all applications, operating systems and equipment affected by the Year 2000 problem, and developing appropriate plans and schedules that can be monitored at the highest level within the organization;
- determining what needs to be done and making the necessary changes;
- testing each system to be sure that it works, not only as an independent application, but in concert with related systems within the institution, and with those of correspondents and customers; and, lastly,
- putting Year 2000-compliant applications into production.
The Basle Supervisors' paper does a good job of laying out the full scope of the challenge, and I commend it to your attention. The paper should serve as a strong wake-up call. There still is time to address the problem, but now there is urgency in making the difficult choices. In the mere two years that are left, the challenge will be to minimize business and systemic impacts as much as possible.
By now, all major financial institutions should have identified what needs to be done and be in, or near, the final stages of developing detailed plans. Work on changing all applications identified as high business priorities also should be well under way. In the United States, most large institutions plan to have their major applications available for external testing around the middle of 1998, with an expectation that testing with other major institutions would largely be completed by year-end 1998. This schedule allows all of 1999 for end-to-end testing on an industry-wide basis.
But even with two years to spare, it is safe to say that no organization will be able to cope successfully with the Year 2000 challenge unless both its management and staff realistically measure its scope and commit to its solution. Bluntly stated, if your own management and staff, or your correspondents and customers, take any of the following positions, your organization may be at risk:
- Denial -- the Year 2000 is not an issue for our organization.
- No resource problems -- our organization can handle the Year 2000 with its existing resources and within current information technology budgets.
- Vendors will address the issue -- our outside vendors and service providers won't let us down.
Trust is not a substitute for testing.
- Covered by contract -- our lawyers have determined that we are appropriately protected by our legal agreements.
The lawyers may get rich, but will you be in business?
- Testing is not a problem -- our organization has good testing and acceptance procedures and we test all the time.
Previous internal testing standards probably won't do the job this time.
- Obtaining adequate resources will not be an issue -- our organization has a great technical staff and we can always hire additional resources if it becomes necessary.
As a bank supervisor, the Federal Reserve Bank of New York will do whatever it can to encourage banks to set up and adhere to programs that deal with Year 2000 problems. Our examiners will focus on how well individual banks are doing and will highlight for senior management and directors those instances when progress may be lagging. This oversight will include not only U.S. banks, but also the U.S. branches and agencies of foreign banks. However, the motivation and determination to cope with the Year 2000 problem must come from within banking organizations rather than from supervisory oversight. Getting the Year 2000 issue right is critical for every organization. Failure to get it right will affect the integrity of the payments system and the performance of the domestic, and maybe even the global, economy.
The Federal Reserve is working hard to make certain that our systems will be ready and fully tested. And I am pleased by the high level of central bank coordination on this issue, as the recent release of the Basle Supervisors' technical paper demonstrates. All of us need to make sure we are paying sufficient attention and applying appropriate resources to the Year 2000 issue. Only in that way will we be able to insure that the millennium changeover is an occasion for joy and optimism.