Good morning Mr. Chairman and members of the Subcommittee. I appreciate this opportunity to testify before you today on behalf of the Federal Deposit Insurance Corporation regarding Year 2000 issues. My testimony today will discuss Year 2000 issues as they relate to the banking industry, our current supervisory concerns, and the initiatives underway to ensure that financial institutions will be prepared to meet the needs of their customers in the year 2000 and beyond. I will also discuss the FDIC's internal remediation efforts.
The potential for problems related to the inability of computer systems to recognize accurately dates beyond 1999 is a significant concern for the financial services industry and financial institution regulators. Financial institutions face vulnerability to Year 2000 problems in a number of areas. Internal data processing systems -- including mainframe, mid-size, network and personal computers -- may be unable to record and process financial information accurately. Equipment that relies on embedded computer chips to perform date driven functions may also malfunction. Examples include automated teller machines, telephone switchboards, vault locks, security systems, elevators, heating, ventilation and air conditioning systems. In addition, data exchanges with parties outside the financial institution may be disrupted and credit quality issues could arise as borrowers deal with these same vulnerabilities.
Computer systems, and particularly systems used in banking and finance, employ dates for a large number of functions. Failure to correct Year 2000 problems could affect even basic banking transactions, causing problems for banks and their customers. The inability of a financial institution's computer systems to perform date driven calculations might, for example, eliminate or overdraw the balance of a checking account. This could occur because in some software applications, interest on a checking account is accrued by using the number of days since the last date interest was credited. At the end of January, the computer compares the current month's date "01/31/97" to the last date interest was calculated "12/31/96" and credits the account with thirty-one days worth of interest. In January of the year 2000, however, a computer that is not Year 2000 compliant might perform this calculation and conclude that the customer's account should be charged for 99 years of interest rather than credited for one month of interest. This error can occur if the two digit year "date fields" are subtracted as part of the interest accrual calculation. The result may be a negative 99 years, i.e., "00" - "99" = -99 years. Correcting this type of problem can be time consuming and expensive, particularly if the error affects all of an institution's checking accounts. In the meantime, the consumer may be without the use of his or her funds. Checks drawn on the institution could be returned unpaid and the consumer's ATM card transactions may be rejected.
Equipment that is dependent on the same type of date sensitive programming presents similar risks. A bank's vault, for example, may run on a timer and only open at certain time intervals. If the timer cannot properly read the date to calculate the time interval, it might not open the vault on schedule. Equipment with embedded chips, such as automated teller machines, security systems, elevators, as well as environmental control systems -- heating, ventilation and air conditioning -- must also be investigated to determine if it will function properly in the year 2000.
Considering the number of software applications that might be affected -- each in different ways -- bank regulators must be concerned about the significant impact that Year 2000 problems could have on a financial institution's operations. It is very difficult to predict precisely the effect that being unprepared for the year 2000 will have on an institution's records and systems, and there is no single solution to the problem. It is clear, however, that financial institutions that do not adequately address their Year 2000 problems could face serious disruptions to their normal operations.
Year 2000 risks to financial institutions are not limited to their internal systems. Even financial institutions that have taken a proactive approach in addressing Year 2000 problems internally, nevertheless, may encounter difficulties if parties external to the bank with whom they exchange data electronically are not prepared for the century date change. Financial institutions routinely receive date sensitive information from third parties. Errors in customers' account balances may occur if the third-party is transferring information in a two digit year format when the financial institution has reprogrammed its systems to store and process information using a four digit year format. The lack of uniform standards for formatting dates among groups that exchange data electronically complicates this aspect of the remediation effort and makes the testing process especially important.
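The checking-account interest error and the two digit versus four digit data-exchange mismatch described above can be reproduced in a few lines. The following Python is an added illustration, not part of the testimony; the function names, the 50-year pivot window, the 366-day sanity bound, the 2 percent rate and the $1,000 balance are assumptions chosen for the example.

```python
from datetime import date

PIVOT = 50              # assumed window: YY 00-49 -> 20YY, 50-99 -> 19YY
MAX_ACCRUAL_DAYS = 366  # assumed sanity bound for one accrual period


def _split(text):
    """Split 'MM/DD/YY' or 'MM/DD/YYYY' into (month, day, year-as-text)."""
    mm, dd, yy = text.strip().split("/")
    return int(mm), int(dd), yy


def two_digit_year_gap(last_credit, today):
    """The subtraction from the testimony: YY(today) - YY(last credit)."""
    return int(_split(today)[2][-2:]) - int(_split(last_credit)[2][-2:])


def legacy_date(text):
    """Non-compliant reader: every two digit year is taken as 19YY."""
    mm, dd, yy = _split(text)
    return date(1900 + int(yy[-2:]), mm, dd)


def normalize_date(text):
    """Compliant reader for exchanged data: four digit years pass through,
    two digit years are mapped through the pivot window."""
    mm, dd, yy = _split(text)
    if len(yy) == 4:
        year = int(yy)
    elif len(yy) == 2:
        year = (2000 if int(yy) < PIVOT else 1900) + int(yy)
    else:
        raise ValueError(f"unsupported year field: {yy!r}")
    return date(year, mm, dd)


def accrue(balance_cents, rate_bp, last_credit, today, reader, validate=True):
    """Simple daily interest in cents; rate_bp is the annual rate in basis
    points. With validate=True an impossible day count is rejected
    instead of being posted to the account."""
    days = (reader(today) - reader(last_credit)).days
    if validate and not 0 <= days <= MAX_ACCRUAL_DAYS:
        raise ValueError(f"implausible accrual period: {days} days")
    return balance_cents * rate_bp * days // (10_000 * 365)


if __name__ == "__main__":
    bal, rate = 100_000, 200  # constructed sample: $1,000.00 at 2 percent
    print("Jan 1997, legacy reader :",
          accrue(bal, rate, "12/31/96", "01/31/97", legacy_date))
    print("year-field gap 99 -> 00 :",
          two_digit_year_gap("12/31/99", "01/31/00"))
    print("Jan 2000, legacy reader :",
          accrue(bal, rate, "12/31/99", "01/31/00", legacy_date,
                 validate=False))
    print("Jan 2000, windowed      :",
          accrue(bal, rate, "12/31/99", "01/31/00", normalize_date))
    # A partner that already sends four digit years yields the same date
    print("mixed formats agree     :",
          normalize_date("01/31/2000") == normalize_date("01/31/00"))
```

The validation step matters independently of the date fix: it stops a wrong day count from being posted even when a two digit date arrives from an outside party that has not been remediated.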
It is also difficult to predict how long the potential for disruptions related to transactions with third parties will remain a risk. A bank may not have electronic contact with every client and counterparty on a daily basis. Thus, data exchange problems with some third parties might not become apparent until well after January 1, 2000. In addition, a bank's clients and counterparties may exchange data with third parties. Therefore, a bank is not just exchanging electronic information with its clients and counterparties but, by extension, with every client and counterparty with whom the latter has exchanged information as well. This means that a client or counterparty that transferred data successfully in one transaction may encounter disruptions with its next attempt. As a result, it is essential for a financial institution to be aware of how parties with whom it exchanges data electronically are addressing Year 2000 problems.
Year 2000 problems also have the potential to create unanticipated or heightened credit risks for financial institutions. Borrowers whose internal systems have not been upgraded or replaced may face serious disruptions to their own business activities. In the extreme, this disruption could negatively impact the borrower's financial situation and impair the quality of the financial institution's lending relationships.
Modifying any part of a computer program that has date problems is not especially difficult in most cases. What makes the task challenging is 1) finding all of the locations where a program might miscalculate or improperly terminate due to date problems; 2) coordinating the modification of each part of the system so that it does not interfere with the operations of the overall system; and 3) testing the changes with data that accurately simulates the processing that will occur in the next decade.
Fixing date sensitive programs is further complicated by the trend in the field of data processing of integrating different systems. A system that maintains certificates of deposit (CDs), for example, may receive the holders' names and addresses from the customer information file or transfer interest to the checking account system. Upgrading the CD system may require that these other systems be reprogrammed as well. The identification of date problems, modification of affected systems and especially testing, which are needed to bring a large scale system into date compliance, are time consuming and, therefore, expensive processes. Furthermore, because the process of putting newly written programs on-line usually must occur during weekends and holidays when it will cause the least disruption to normal business operations, organizations that maintain complex systems encompassing a large number of applications face substantial time pressures in correcting Year 2000 problems.
The costs of upgrading or replacing current systems that are not capable of handling dates beyond the year 2000 are expected to be significant. As the deadline approaches, the limited number of available qualified programmers may further increase remediation costs. Institutions that are not prepared or that encounter unanticipated problems despite being prepared also may face the prospect of litigation expenses for data processing errors. For example, customers whose funds are inaccessible may seek compensation for the harm done to themselves or their businesses. In addition, an institution that relies on a third-party to make its systems Year 2000 compliant may seek redress through the courts if the "fix" ultimately does not work. It is unclear whether conventional insurance policies held by institutions will cover losses related to Year 2000 problems.
The FDIC is working closely with the other federal banking agencies and state authorities to minimize the potential adverse impact of Year 2000 problems on financial institutions and their customers. Our current primary concerns are 1) an apparent lack of appreciation by some institutions of the scope and complexity of the Year 2000 problem, and 2) the potential risk of overreliance by an institution on its third-party servicer or software vendor to address the issue.
While most financial institutions have heard of the problem, it is not clear whether all insured institutions, particularly smaller community banks, fully appreciate the risks posed by Year 2000 problems. A December 1996 survey of community banks conducted by a national accounting firm indicated a disturbing indifference and lack of attention to Year 2000 problems -- 83 percent of the financial institutions indicated that the Year 2000 problem is either a minor concern or not a concern at all. More recent media reports have reinforced this perception of indifference or inattention.
It is critical that each insured institution understand which of its systems may be affected and develop a plan for upgrading or replacing systems that will fail to function properly in the new millennium. Virtually every institution will be affected to some degree. Insured institutions that perform the work themselves will incur the expense of upgrading their computer systems and ensuring that they function properly. Institutions that rely on a servicer or software vendor may not face the direct expense of upgrading software systems but will share the responsibility of making sure that all their systems function properly -- including equipment and data exchanges with parties outside the bank -- and reviewing how the Year 2000 problem may affect their borrowers.
FDIC examiners are calling attention to the potential problems as they review the Year 2000 management plans of individual institutions. Examiners discuss the Year 2000 problem with senior management and encourage institutions, to the extent they have not already done so, to act quickly to develop a Year 2000 plan. In March of this year, the FDIC directed its regional supervisory staff to contact all FDIC-supervised institutions by year-end 1997 to determine their level of awareness, what their Year 2000 plans are and what problems they may be encountering. These reviews are being conducted, in cooperation with the respective state banking authorities, at each scheduled examination. For those institutions not scheduled for examination in 1997, this evaluation will be performed by directly contacting the institution. These reviews will be used to identify those financial institutions that will receive increased supervisory attention during the first six months of 1998.
Since March, the FDIC and state banking authorities have conducted Year 2000 reviews for approximately 2,081 FDIC-supervised financial institutions and 44 third-party servicers and software vendors. These numbers represent roughly one-third of all FDIC-supervised financial institutions and servicers. The results indicate that institutions are generally aware of the Year 2000 problem. However, senior management and outside directors usually do not possess in-depth technical knowledge and, as a result, may not have the same appreciation of the risks posed by Year 2000 noncompliance that would be expected in larger, more sophisticated data centers. Examiners have noted the potential for credit quality exposure from corporate borrowers that are unprepared. In addition, the reviews to date have identified instances where institutions have failed to recognize potential problems with personal computers and environmental control systems.
As discussed further below, the large majority of FDIC-supervised institutions either use third-party servicers for processing or use purchased software packages on in-house systems. These institutions must rely on the servicers or vendors to take the necessary steps to make their software Year 2000 compliant. The FDIC's reviews indicate that while most systems are not yet Year 2000 compliant, vendors and servicers are working to address the problem. Some of our smaller institutions, however, are having problems obtaining specific information regarding their vendors' Year 2000 project time lines. In addition, some large servicers are discontinuing products that will not be able to handle dates into the year 2000, compelling the financial institutions that use these products to convert to other systems. The FDIC has created a centralized tracking system to monitor the progress and manage the oversight of all FDIC-supervised institutions going forward. Supervisory action will be taken, including formal enforcement action when warranted, if an institution is not addressing this issue on a timely basis.
The FDIC, in cooperation with the other federal banking regulatory agencies and state supervisory authorities, is focusing its efforts on raising awareness of the seriousness of Year 2000 issues. Since March of this year, we have been working with the other federal banking agencies to educate the industry about the risks posed by Year 2000 problems. Thus far, these efforts have produced 1) an updated interagency statement on Year 2000 issues, and 2) an outreach meeting with the major industry trade associations.
The federal banking agencies, through the auspices of the Federal Financial Institutions Examination Council (FFIEC), issued an Interagency Statement on Year 2000 Project Management Awareness in May of this year. The Statement expands on the agencies' June 1996 FFIEC statement, which was the first formal regulatory alert to the industry regarding this problem. The May 1997 Statement outlines five phases essential to the Year 2000 conversion process: awareness, assessment, renovation, validation and implementation. The statement also suggests target dates designed to ensure timely completion of the conversion process. The statement discusses three areas of potential risk that are external to the financial institution's data processing system: vendor reliance, exchanging data electronically with external parties, and lending relationships. It also gives a general outline of the agencies' supervisory approach which includes Year 2000 supervisory reviews by mid-1998.
Shortly after this statement was issued, the federal banking agencies met with representatives from several financial services trade associations to discuss the Year 2000 problem and the FFIEC statement. The agencies offered their assistance to the trade groups in further outreach efforts and encouraged them to use their available resources to help increase awareness.
The FDIC discussed the Year 2000 issue at our industry outreach session in April and the subject has been raised by the FDIC at more informal gatherings with members of several state bankers associations. At recent conferences sponsored by the Conference of State Bank Supervisors, the FDIC chose to highlight this issue as one warranting joint supervisory attention, and our regional offices are working with state authorities to emphasize the seriousness of Year 2000 risks. The FDIC also continues to provide speakers for industry conferences in an effort to further raise awareness of the Year 2000 problem.
On an international level, the FDIC is cooperating with the Year 2000 working group organized under the Basle Committee on Banking Supervision. This working group is developing a paper which will highlight the seriousness of the Year 2000 problem, as well as some of the unique issues related to Year 2000 compliance. The paper will also suggest ways for bank supervisors to play a role in assuring that the industry addresses this issue in a timely manner.
The FDIC shares supervisory responsibility with state banking authorities for approximately 6,500 financial institutions. These institutions tend to be small -- approximately 69 percent have total assets of less than $100 million. We estimate that about 95 percent of all FDIC-supervised institutions either are serviced by a party external to the financial institution or have purchased their software applications from a vendor. As a result, we are particularly interested in the efforts of third-party vendors in addressing Year 2000 problems.
A passive approach to addressing Year 2000 problems may expose institutions that are serviced by a third-party or have purchased software to significant risk. The inability or failure of a vendor to modify a financial institution's computer system could potentially leave the institution in the position of having to find an alternate service or software provider on short notice. As the year 2000 draws closer, the limited availability of alternatives may reduce an institution's options and make the available choices extremely expensive. Personnel resources also may become scarce as the demand for qualified programmers increases.
Management that is relying on a vendor to make its systems Year 2000 compliant should take an active role in evaluating the vendor's Year 2000 project management plan. It should monitor closely the vendor's progress in meeting its self-imposed target deadlines for addressing problems in the institution's systems. The vendor's plan should allow ample time for testing, and management should insist on a full test of all the financial institution's systems in a simulated year 2000 environment as early in 1999 as possible. In addition, potential alternate service or software providers should be identified as part of the institution's Year 2000 planning.
The FDIC is working closely with the other federal banking agencies to assess the efforts of data processing servicers and software providers in resolving Year 2000 problems. The agencies are currently performing preliminary assessments at each of the 275 data processing servicers that serve financial institutions, including the 15 large multiregional data processing servicers that have been identified by the agencies as posing a systemic risk to the financial industry should one or more fail. With respect to software providers, the agencies are performing a similar assessment of the 12 major software products used by a wide segment of financial institutions. We estimate that these twelve packages are used by 75 percent of the FDIC-supervised financial institutions that purchase software applications for their data processing.
Each FDIC-supervised financial institution with total assets greater than $1 billion also will be included in this assessment, as will financial institutions where in-house programming is performed or where the financial institution provides data processing services to other financial institutions. Most of these initial assessments for these institutions should be finished by the end of August. The agencies plan to notify the serviced banks when their third-party servicer has not taken sufficient action to achieve Year 2000 compliance. In response, we will expect clear commitments and specific timetables for remediation from the serviced bank. The results of both the assessments and the subsequent supervisory reviews will be shared among the banking agencies. In cases where satisfactory responses are not forthcoming, the agencies will coordinate supervisory action, including formal enforcement action, if necessary, to ensure that Year 2000 issues are adequately addressed.
The FDIC also is addressing contingency planning issues. The Year 2000 problem is unique in nature and presents many unusual issues from a supervisory standpoint. The effects of an egregious Year 2000 problem may not surface until January 2000 and then only incrementally. How Year 2000 issues can best be addressed in the supervisory process must be evaluated carefully. Dealing consistently with institutions that will not achieve Year 2000 readiness is of primary importance, and the FDIC will work closely with the other agencies as well as the state authorities to coordinate our approach.
While the FDIC is not prepared to predict, at this time, whether any institution may fail as a result of Year 2000 problems, we will be ready to intervene should an institution's viability be threatened by an inability to maintain accurate books and records. In order to be prepared for the possibility of failures, our contingency planning process will include analyzing how the FDIC's traditional resolution and receivership methods would be affected by this type of problem. No matter what difficulties financial institutions may encounter, each depositor will remain fully insured up to the $100,000 limit. Maintaining consumer confidence in the U.S. banking system will be our primary goal in this contingency planning process.
The FDIC is aggressively addressing internal Year 2000 issues. A separate project office within the FDIC's Division of Information Resources Management was created in January 1997. That office has centralized responsibility for a wide range of Year 2000 compliance issues including all computer systems applications, corporate computer hardware, and systems software on all corporate computing platforms. It is also responsible for telephone system, voice and data network Year 2000 issues. The FDIC is using the same planning approach the FFIEC has recommended to financial institutions.
The FDIC has in excess of 300 computer application systems and uses hundreds of commercial off-the-shelf packages for various business functions. Further, the Corporation uses a variety of operating systems and associated packages on the mainframe and other computer platforms. All of this software has been, or is in the process of being, assessed for year 2000 compliance.
Code remediation for those applications identified in the high level assessment as essential to FDIC operations is currently underway. We have judged 88 applications systems as being mission-critical and are focusing on them as our highest priority for scheduling repair work. For several years, the FDIC has also been modifying how data is stored in our data bases to use a four-digit date format. Approximately 70-80 percent of our data is already in a Year 2000 compliant format. As we assess and test programs, we will determine where other data must be modified and where program code must be repaired. The testing of systems will begin in an isolated, Year 2000 compliant environment for client/server systems in September 1997. Mainframe systems testing in such an isolated, compliant environment will begin in January 1998.
FDIC efforts are proceeding on schedule and will meet the goal of having all code repairs completed by December 31, 1998, while reserving 1999 for rigorous testing and final implementation. Our preliminary total cost estimate for the FDIC's Year 2000 remediation effort is approximately $20 million.
The FDIC is working with the other federal banking agencies to monitor the potential risk to the insurance funds posed by Year 2000 problems. Through the supervisory process, we plan to continue our efforts to raise the level of awareness in the banking industry of the potential dangers of failing to address this issue. The status of FDIC-insured institutions as well as their servicers and software providers will be monitored closely with supervisory action taken as necessary to ensure that every insured institution is addressing this risk.
This concludes my statement to the subcommittee. I will be happy to answer any questions.