Senate Banking, Housing and Urban Affairs Committee

Subcommittee on Financial Services and Technology


Oversight Hearing on Financial Institutions and the Year 2000 Problem


Prepared Testimony of Jeff Jinnett
President
LeBoeuf Computing Technologies

10:00 a.m., Thursday, July 10, 1997



Mr. Chairman, distinguished Members of the Subcommittee:

My name is Jeff Jinnett and I am President of LeBoeuf Computing Technologies, L.L.C., a business subsidiary of the law firm of LeBoeuf, Lamb, Greene & MacRae, L.L.P., of which law firm I was formerly a Partner and now serve as Of Counsel. I appreciate the opportunity to testify before this Subcommittee and wish to note that the testimony I give today represents my personal views and does not necessarily represent the views of either LeBoeuf Computing Technologies, L.L.C. or its parent law firm. Consistent with the expressed scope of this hearing, my testimony will be devoted to assessing (a) the magnitude of the Year 2000 computer problem and its impact on the financial services industry and U.S. consumers, (b) business risks associated with the Year 2000 computer problem, (c) the adequacy of risk management and remediation efforts currently being undertaken, and (d) possible government roles and regulations in connection with the remediation process. I ask that a copy of my written statement be included in the record.

I. Magnitude of the Year 2000 Computer Problem

A. Overview of Problem

The Year 2000 computer problem, variously known as the "Century Date Change", "Millennium Bug" or "Y2K" problem, arises because most business application software programs written over the past few decades use only two digit date fields to specify the year, rather than four digit date fields. Therefore, on January 1, 2000, unless the software is corrected, most computers with date-sensitive programs will recognize the year as "00" and may assume that the year is 1900 rather than 2000. This could either force the computer to shut down (a hard crash) or lead to incorrect calculations (a soft crash). An example of a hard crash is an application software program which refuses to accept a settlement date after December 31, 1999. Examples of soft crashes caused by the Year 2000 problem are (a) incorrect calculation of maturity dates on debt instruments that mature after December 31, 1999, (b) incorrect calculation of a four year loan from 1996 to 2000 as a minus 96 year loan, and (c) incorrect calculations in risk management, hedging and derivative software models.

It is generally understood that programmers in the past used two digits rather than four digits in order to save then-expensive memory during processing and believed that the software they designed would have been replaced before the turn of the century. Unfortunately, many of the software programs ("legacy systems") they designed are still in use. Further, the Year 2000 computer problem can exist not only in software, but also in mainframe computers, midrange computers and personal computers (specifically with respect to BIOS chips) and in embedded microprocessors in non-computer equipment (e.g., "microcontrollers" operating equipment such as security systems, HVAC, elevators and telephone equipment). Although a recent study indicates that on a cost-benefit analysis, more money was saved by reducing the need for processing memory over the past decades than will be spent on Y2K corrective work, we must now "pay the piper".

The initial Gartner Group estimate that the total cost of correcting the Y2K problem worldwide would total $300 billion to $600 billion was originally thought excessive by some. For example, J.P. Morgan conducted an independent analysis and estimated the total corrective cost for the Y2K problem worldwide to be in the range of $200 billion. Recently, however, J.P. Morgan reevaluated their $200 billion estimate and advised that the Gartner Group estimate might not be as "outrageously high" as originally thought. Recent announcements by various entities of their individual estimated Y2K corrective costs (e.g., Chase Manhattan Bank at approximately $250 million) indicate that Y2K corrective work will indeed be costly. The cost of Y2K correction for U.S. commercial banks has been estimated by one consulting group to be $7.2 billion. The estimated cost of Y2K correction for the U.S. securities industry has been reported to be $4 billion. None of the above estimates takes into account the added potential cost to the financial services industry of productivity losses resulting from computer system shutdowns due to the Year 2000 problem. One study has estimated that U.S. securities firms each typically suffer 6.9 on-line system failures per year, which collectively resulted in $3.4 billion in productivity losses in 1992.

B. Problem Areas Outside of an Entity's Control

There is no technological silver bullet for the Year 2000 computer problem. The reason for this is that although "silver bullet" technologies may be developed to automate and speed up corrective work on certain software languages, there may be as many as 500 different software languages in current use and automated corrective tools will not be developed for all of these languages. For many languages, correction will depend solely on use of programmers trained in the particular software language. Further, inventory and corrective work represents less than half of the typical Y2K corrective plan, with unit and system testing possibly comprising up to 55% of the total effort. Finally, with respect to replacing non-compliant embedded microcontrollers in non-computer equipment, financial institutions must first locate the defective microcontroller, identify the responsible manufacturer and obtain a compliant microcontroller to replace the defective microcontroller.

To illustrate the magnitude of the embedded microcontroller problem, it has been estimated that over 2 billion microcontrollers were sold in 1993 alone. As an example of how a non-compliant microcontroller might seriously cause an item of non-computer equipment to malfunction, consider an item of medical equipment in a hospital emergency room which measures the flow of blood or plasma into a patient. The microcontroller in this hypothetical medical equipment keeps track of when the equipment was last calibrated and automatically shuts the equipment down as unsafe if it is not calibrated on schedule. If the microcontroller is not Year 2000 compliant, on January 1, 2000 it might compare "00" to the date of last calibration (say, June 1, 1999, or "99") and miscalculate that 99 years had passed since the last calibration, shutting down the equipment.

In addition, even if an entity were to succeed in its Y2K corrective effort, it still might suffer a system failure due to the failure of one of its business partners to become Year 2000 compliant (a business dependency risk). For example, the failure of a national clearinghouse for the settlement of securities trades, such as the National Securities Clearing Co. (NSCC), the Depository Trust Company (DTC), the Government Securities Clearing Corp (GSCC) or the MBS Clearing Corporation (MBS), would have a serious negative impact on their associated financial customers. The failure of a value-added-network (VAN) handling electronic data interchange (EDI) transactions for numerous financial institutions and customers would have a similar negative effect. Above all third party dependency risks, the financial services industry is totally dependent on maintaining access to power and telephone service in order to function normally. Some Year 2000 experts are concerned that Year 2000 compliancy efforts and status with respect to power, telephone and other critical infrastructures may vary significantly from country to country outside the U.S. and from state to state within the U.S.

C. Structural Impact on the Financial Services Industry

Since financial institutions frequently deal with date-sensitive calculations, such as interest calculations, they obviously are heavily impacted by the Year 2000 computer problem. In addition, since these calculations are often forward-looking, such as with the calculation of a mortgage payment schedule, financial institutions have found that portions of their computer systems have already encountered Year 2000 problems. Indeed, one large investment company encountered this problem in the 1980's with forward-looking calculations on zero coupon bonds which matured on or after the year 2000. The occurrence of the Year 2000 impact on a program or system is known as the "Event Horizon", which can occur earlier than January 1, 2000 for many applications.

Aside from the obvious system disruptions, the Year 2000 computer problem may also cause, or accelerate, certain structural changes in the financial services industry. First, since financial institutions may not have sufficient software programming and other personnel to carry out a full-scale correction of impacted computer systems, financial institutions may decide to outsource portions of their operations which do not represent core competencies (e.g., credit card processing to a vendor such as First Data Resources or trust account processing to a vendor such as SEI). In addition, rather than incur Y2K corrective costs for a subsidiary which is not viewed as critical, a financial institution may instead sell off the non-compliant subsidiary. Accordingly, some mergers and acquisitions activity during the next three years may be due to the Year 2000 problem. In addition, since an increasing portion of information technology budgets during the next three years will be devoted to Y2K work, a decreasing portion of investment may be devoted to developing new technologies, such as electronic commerce software for banking over the Internet. Finally, for multinational companies doing business in Europe, the need to handle the proposed single European currency (the "euro") between 1999 and 2002 may tend to exacerbate the difficulties arising out of the Year 2000 problem.

II. Associated Business Risks

A. Risks to the Financial Services Industry

The following business risks may negatively impact the financial services industry as a result of the Year 2000 computer problem: (a) loss of faith by the investing public in the financial services sector and by depositors in the security of their banks, (b) a rise in security problems due to computer "hackers" taking advantage of Y2K disruptions, (c) an increase in bad debt problems within bank loan portfolios, (d) an increase in litigation involving financial institutions due to the failure of third parties, and (e) the possibility that some losses may not be covered by existing business interruption, Directors' and Officers' (D&O) liability and other insurance policies.

(1) Loss of Faith by Investors and Depositors

Unfortunately, the tone of many Year 2000 articles in the public press is long on melodrama and "doomsday" predictions, most of which are unlikely to occur with the severity imagined. Accordingly, even if almost all of the U.S. financial institutions become fully Year 2000 compliant, a highly publicized computer system failure of one institution, together with the resulting litigation, may prompt stock market analysts and investors to "short" the stocks of other companies in the affected business sector. One site on the Internet, "http://www.y2kinvestor.com", is devoted to gathering information for investors concerned about the impact of the Year 2000 problem on their stock portfolios. If a bank is involved in a highly publicized systems failure, depositors may become concerned about their ability to access their funds if a "run" on their bank ultimately occurs. "Doomsday" articles alleging that Federal government agencies and/or state agencies are unlikely to become Year 2000 compliant in time may add "fuel to the flames". A recent survey of 40 CEO's and CFO's of Fortune 500 companies conducted privately by Yankelovich Partners, Inc., a recognized market research firm, confirmed that the executives were fully confident that their companies would successfully become Year 2000 compliant. A significant percentage of the executives, however, were concerned that stockholders might sell off their companies' stock due to unsupported fears over the Year 2000 problem.

(2) Breaches of System Security

It is possible that financial institutions will have to turn to numerous third party vendors for help in undertaking Year 2000 corrective work and site testing. The employees and independent contractors brought in by these vendors may be given extensive access to the institution's computer systems and gain considerable knowledge as to the firewall layouts and other security designs utilized by the institutions. In addition, computer hackers may attempt to take advantage of general system disruptions caused by the Year 2000 computer problem to gain unauthorized access to the institutions' systems. Both of these developments may increase the likelihood that breaches in financial institutions' security systems may occur. The Federal government recognition that computer system security is a critical concern is evidenced by the introduction of H.R. 1903 ("The Computer Security Enhancement Act of 1997").

(3) Increase in Bad Debt Losses in Loan Portfolios

Although major corporations appear, for the most part, to be fully funding their Year 2000 corrective plans, some smaller entities may not have sufficient funding to undertake a full Year 2000 corrective plan. This situation may have been unintentionally exacerbated further due to a July 18, 1996 consensus reached by the Emerging Issues Task Force (EITF) of the Financial Accounting Standards Board (FASB) to the effect that companies must expense their Year 2000 corrective work as incurred. This decision appears reasonable from a securities disclosure point of view, since to rule otherwise would result in companies listing their multimillion dollar Y2K corrective work as assets on their financial statements, misleading potential investors that a new asset had been created. However, some smaller companies may not be able to take the "hit" to their bottom line in one or two years and may spread out their corrective work through 1999. This may result in the companies having insufficient time in which to test their corrective work, since it is generally advisable to leave at least one year for testing. These companies may experience an above average number of system failures due to a poorly planned Year 2000 corrective plan and may ultimately produce bad debt losses for their bank lenders. Of course, banks will be reviewing their loan portfolios in the next two years in order to determine if adequate allowances have been made for possible loan defaults due to the Year 2000 computer problem.

(4) Litigation Risk

In testimony before the U.S. House of Representatives Science Committee on March 20, 1997, Ann Coffou, a Managing Director of the Giga Information Group, predicted that litigation arising out of the Year 2000 computer problem could near or exceed $1 trillion. Year 2000 litigation could be based on numerous legal theories. Contrary to recent press reports, I personally do not wish to speculate as to the total amount of potential Y2K litigation. Since there has been no substantial litigation reported as having been filed to date and since the ultimate amount of litigation filed will depend on how much necessary corrective work is not completed on time, any prediction as to the total amount of litigation which will arise is pure speculation. The Year 2000 problem is not solely a technical problem, but is also a business and legal problem of the highest order, requiring the involvement of each company's Chief Information Officer, Internal Auditor, Chief Financial Officer, General Counsel, Chief Executive Officer and Board of Directors. Use of proper risk management techniques can substantially reduce the likelihood of a company becoming involved in Year 2000 litigation.

(5) Losses May Be Uninsured

Financial institutions should face the possibility that some losses which they may incur due to the Year 2000 computer problem may ultimately not be covered by their existing insurance policies. For example, insurers may decline to cover business interruption losses under the institution's property and casualty policy on the grounds that a loss due to the Year 2000 computer problem is not an insurable "fortuitous event". Further, the issue of what Year 2000 losses are, or in the future will be, covered under standard Directors and Officers (D & O) liability policies is in a state of flux. Several insurance underwriters are in the process of sending their D & O insureds questionnaires concerning their Year 2000 problems and corrective plans in order to raise awareness. If the insurers determine that they have serious exposure with respect to a particular insured in a D & O portfolio, the insurer might also decide to change the terms of the policy at the time of renewal or even decline to renew the policy. This could pose a significant problem for a financial institution which needs to maintain D & O coverage in order to attract and retain qualified independent directors. Such independent directors may be anxious about their potential personal liability if the institution were to experience a Year 2000 system failure, attracting a shareholder derivative suit alleging inadequate securities law disclosures in annual reports filed with the U.S. Securities and Exchange Commission. Accordingly, prospective new independent directors may require assurances prior to joining the board of directors that the company's D & O policy will cover the directors for possible Y2K shareholder derivative suits.

B. Risks to Consumers

U.S. consumers may be faced with the following risks arising out of the disruption of normal operations of financial institutions, among others: (a) loss of transaction records, disruption of wire transfers, miscalculation of transactions impacting savings, checking and brokerage accounts, and miscalculation of interest with respect to mortgages, bonds and other instruments, (b) inability to access bank funds when needed, which could be especially critical if welfare and other public assistance benefits are delivered electronically, (c) increase in unemployment due to failures of small businesses unable to become Year 2000 compliant in time, (d) diminution of value of stock market holdings due to a Year 2000 computer problem "bear market", and (e) disputes with the U.S. Internal Revenue Service over underpayment of taxes on tax filings using incorrect calculations received from non-compliant third party financial institutions. In addition, to the extent there are bank failures due to the Year 2000 computer problem, U.S. taxpayers would ultimately "foot the bill" for any Federal bail-out efforts, as occurred in connection with the savings and loan crisis. In this regard, it should be noted that if a bank were to fail, it may be technically difficult for another bank to quickly take over the failed bank's transaction processing due to computer system memory and other capacity limitations and difficulties arising due to use of incompatible account formats.

III. Risk Management Efforts Currently Being Undertaken

A. Efforts by the Financial Services Industry

It has been estimated that U.S. commercial banks will spend $19 billion on information technology in 1997. Further, global spending by commercial banks on risk management has been estimated to grow to be $4.2 billion by 1999. This commitment of the financial services industry to risk management is evidenced in the efforts of the Securities Industry Association (SIA) Data Management Division (DMD) Year 2000 Committee, the National Securities Clearing Co. (NSCC)/Securities Industry Automation Corp. (SIAC) and the American Bankers Association (ABA)/Bank Marketing Association (BMA) to raise Y2K awareness within the financial services industry. These efforts can be seen in the SIA's Financial Services Industry Scorecard questionnaire, which has been sent by the SIA to the CEO's of all of its members (and also to 1000 banks and 1500 institutional firms), in the awareness materials on the SIA-DMD Year 2000 Subcommittee Internet site, in the ABA/BMA Year 2000 FYI Research Kit # 58 ("Year 2000 and Your Computer System"), and in the various Year 2000 conferences sponsored by various financial industry organizations. The SIA will also provide critical assistance in the implementation of "street-wide" testing of the SIA members' systems after completion of their Y2K corrective plans.

Other organizations have adopted a mandate/penalty approach. For example, the VISA credit card organization has adopted a monetary penalty program whereby VISA members which cannot certify that their point of sale (POS) devices and processing pathways can handle credit cards bearing expiration dates of 2000 and beyond will be subject to fines.

One Year 2000 expert has estimated that as of March, 1997, only 40% of U.S. banks had begun an earnest assessment of their Year 2000 impact. It appears that some financial institutions are now recognizing that they are late in commencing their Year 2000 corrective work and may not have sufficient personnel and other resources to be able to correct 100% of their computer systems by January 1, 2000. Accordingly, instead of correcting all systems using a full four digit date field expansion, some systems will be corrected using a logic fix, such as a 100 year window. In addition, institutions are prioritizing their corrective work so that mission-critical systems will be fixed first. For example, one approach for a U.S. bank would be to first correct programs which deal with customers, the Federal Reserve Bank, accruals and financial applications. Programs that generate purely internal reports could be assigned a lower priority. These efforts at "triage" conform to the recommendations of many Year 2000 experts.
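The two-digit arithmetic failures described in Section I (the "minus 96 year" loan and the calibration check that compares "00" with "99") and the "100 year window" logic fix mentioned above can be sketched as follows. This is an added example, not part of the original testimony; the pivot value of 50, the function names and the sample years are assumptions constructed for illustration.

```python
"""Constructed illustration: two-digit year arithmetic and a 100-year window fix."""

PIVOT = 50  # assumed pivot: YY below 50 is read as 20YY, otherwise as 19YY


def legacy_elapsed_years(start_yy, end_yy):
    """Uncorrected behaviour: subtract the stored two-digit years directly."""
    return end_yy - start_yy


def expand_year(yy, pivot=PIVOT):
    """Logic fix: map a two-digit year into the window [1900+pivot, 1999+pivot]."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected, got %r" % (yy,))
    return 2000 + yy if yy < pivot else 1900 + yy


def windowed_elapsed_years(start_yy, end_yy, pivot=PIVOT):
    """Elapsed years after both two-digit years are expanded through the window."""
    return expand_year(end_yy, pivot) - expand_year(start_yy, pivot)


def calibration_overdue(last_cal_yy, today_yy, max_years, elapsed):
    """Hypothetical equipment check: overdue when the apparent gap exceeds max_years.

    The magnitude is used so that "00" versus "99" reads as a 99-year gap,
    matching the behaviour described in the testimony's hypothetical.
    """
    return abs(elapsed(last_cal_yy, today_yy)) > max_years


def misexpanded_years(true_years, pivot=PIVOT):
    """Audit helper: four-digit years that the window would expand incorrectly.

    Run against records whose real year is known (for example from paper
    files) before trusting a pivot for a given data set.
    """
    return [y for y in true_years if expand_year(y % 100, pivot) != y]


def valid_pivots(true_years):
    """All pivots (0..100) for which every known year round-trips correctly.

    An empty result means the data spans 100 years or more, so no window
    works and the field needs full four-digit expansion instead.
    """
    return [p for p in range(0, 101) if not misexpanded_years(true_years, p)]


if __name__ == "__main__":
    # Four-year loan from 1996 to 2000, stored as "96" and "00".
    print("legacy loan term:  ", legacy_elapsed_years(96, 0))
    print("windowed loan term:", windowed_elapsed_years(96, 0))

    # Equipment last calibrated in 1999, checked in 2000, one-year schedule.
    print("legacy shutdown:  ", calibration_overdue(99, 0, 1, legacy_elapsed_years))
    print("windowed shutdown:", calibration_overdue(99, 0, 1, windowed_elapsed_years))

    # Constructed sample: loan dates plus a 1945 birth year and a 2051 maturity.
    sample = [1996, 2000, 2026, 1945, 2051]
    print("misread with pivot 50:", misexpanded_years(sample))
    print("usable pivots:", valid_pivots(sample))
```

The audit helpers show the limit of the logic fix: a window only works while all dates in a field fall within one 100-year span, which is why it is a fallback to full four-digit expansion rather than a replacement for it.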

Although the financial services industry appears to be leading some other industries in the Y2K corrective effort, it should be recognized that financial services entities, such as stock brokerage firms, often have a higher percentage of their computer systems which qualify as "mission-critical" than do manufacturing firms and entities in other industries. This is reflected in the fact that the financial services industry spends an average of 12% of its annual budget on information technology resources, with the computer industry and banking industry each spending 10% of their annual budgets on IT resources. The next highest expenditure is by the utilities industry at 7%.

B. Assistance from the Insurance Industry

In order to assist insureds to cover the likely business interruption insurance "gap", the insurance industry has produced two new forms of Year 2000 insurance. J & H Marsh & McLennan is currently marketing a $200 million risk transfer insurance product to cover business interruption losses, D & O claims and liability to third parties. Significantly, the policy also covers risks of loss suffered by an insured due to the failure of scheduled third parties to become Year 2000 compliant. In addition, the policy offers an optional coverage which would cover the expense of an insured having to run scheduled back office functions such as payroll and benefits at a predesignated data processing service bureau running its own Year 2000 compliant software. The second policy being offered in the marketplace is a $100 million finite risk policy offered by AIG through J.H. Minet, which has coverage similar to the J & H Marsh & McLennan policy, but excludes the back office processing coverage and carries premiums at approximately 60-80% of the purchased limit of the policy.

With respect to qualifying audits, the J & H Marsh & McLennan product, 2000 Secure, requires an initial audit and quarterly monitoring audits after issuance of the insurance. The audit company performing the audits, 2000 Secure Audit Company, L.L.C., is a joint venture of LeBoeuf Computing Technologies, L.L.C. and Ascent Logic Corporation. Each insured is required to license Year 2000Plus risk management software developed by Ascent Logic Corporation in order to assist the insured in mapping out its internal and external business dependencies. Project management software is also used in conjunction with the Ascent Logic Corporation software to produce reports on the insured's progress in implementing its Year 2000 corrective plan. One non-insurance benefit to a company which qualifies for such Year 2000 insurance is that the insured can use the fact of its being subject to ongoing monitoring audits to help reassure industry analysts, shareholders, regulators, auditors and business partners that the insured is likely to become Year 2000 compliant in time.

C. Assistance from the Accounting Industry

A new set of auditing standards, entitled "Control Objectives for Information Technology" (CobiT), has been developed under the auspices of the International Systems Audit and Control Association (ISACA), Unisys, Coopers & Lybrand and other sponsors, to assist independent public accountants in the audit of information technology systems. The new standards cover auditor's independence, technical competence, work performance and reporting and should prove useful in assisting management, regulators and auditors by providing generally accepted IT security and control practices to benchmark an entity's existing and planned IT environment. In addition, the AICPA is considering identifying information technology as a fourth practice area for accountants in addition to the existing practice areas of audit, accounting and tax services.

D. Assistance from the Technical Community

The Institute of Electrical and Electronics Engineers-Computer Society (IEEE-CS) announced its intention at the International Symposium on the Year 2000 held at the National Institute of Standards and Technology (NIST) on June 10, 1997, to produce a Year 2000 test method specification within the next six months. This specification would build on the "Test Assertions For Date and Time Functions" document produced by Gary Fisher of NIST.

E. Assistance from the Federal Government

A number of activities merit favorable comment with respect to the role of the Federal government in raising awareness in the financial services industry over the Year 2000 problem. First, the Chairman should be commended for his February 27, 1997 letters, together with Senator D'Amato (R-NY), to the FDIC, the Federal Reserve System, the Office of Thrift Supervision, the National Credit Union Administration, the Office of the Comptroller of the Currency and the Securities and Exchange Commission, making inquiries as to their plans for ensuring Year 2000 compliance in the institutions they regulate. Also noteworthy is the excellent Securities and Exchange Commission "Report to the Congress on the Readiness of The United States Securities Industry and Public Companies to Meet The Information Processing Challenges of The Year 2000", produced in June, 1997 in response to a request from Representative Dingell (D-MI). The Year 2000 Interagency Committee of the Federal CIO Council should also be commended for its work in coordinating Federal Year 2000 awareness and remediation efforts. The latest positive development is the announcement of funding by the Federal CIO Council for a multi-agency database on Y2K vendor compliance, to be maintained by the General Services Administration on its Internet site. The present hearing by this Subcommittee and the hearings which have taken place in the U.S. House of Representatives before the Science Committee and the Government Reform and Oversight Committee also have played a large role in heightening awareness of the complexity of the Year 2000 computer problem.

In addition to the above efforts by Congress, various Executive Branch organizations have the potential to play a significant role in raising Year 2000 awareness. The first is the President's Commission on Critical Infrastructure Protection, which was created with the mandate to identify threats (including the Year 2000 computer problem) to critical national infrastructures (telecommunications, electrical power systems and banking and finance, among others) and advise the President on legislative options and policies to protect the critical infrastructures. Further, the U.S. General Services Administration's Access America plan includes as part of its program action items that the Federal CIO Council, the Intergovernmental Enterprise Panel (IEP) and the National Association of State Information Resource Executives (NASIRE) coordinate to prepare an intergovernmental action plan to assist both Federal and state agencies to become Year 2000 compliant. Finally, the Internet "Year 2000 Information Directory" web site managed by the CIO Council Subcommittee on the Year 2000 and the U.S. General Services Administration, Office of Governmentwide Policy (MKS) has proven extremely useful in making widely available on an expedited basis critical Federal Year 2000 materials. Of course, more can be done by the Federal government in this regard and recommendations as to possible additional actions are set forth below.

IV. Possible Governmental Roles and Regulations

I recommend the following be considered as possible additional actions which could be taken by this Subcommittee, other Congressional Committees and other individual members of Congress: (1) enact Senate Bill 22 ("Commission on the Year 2000 Computer Problem Act") into law, (2) consider mandating participation by financial institutions in the SIA "street-wide" testing plan, with appropriate regulatory oversight and penalties for noncompliance, (3) consider enacting a cap on potential Year 2000 litigation damages, under appropriate circumstances, in order to encourage more open disclosure of Year 2000 problems and remediation technologies and product upgrades, (4) examine and reevaluate default rules in statutes, regulations and in case law which place the burden of discovering fraud and transaction errors in banking and other financial records on U.S. consumers, and (5) reexamine existing control mechanisms relating to stock exchange trading volatility and "run on the bank" scenarios in light of potential public loss of faith in financial institutions due to "doomsday" articles in the public press and over-publicized Year 2000 failures.

A. Senate Bill 22 ("Commission on The Year 2000 Computer Problem Act")

I recommend that Members of this Subcommittee endorse Senate Bill 22, which was introduced by Senator Moynihan (D-NY), has been co-sponsored by Senators Hollings (D-SC), Dorgan (D-ND), Lieberman (D-CT) and Inouye (D-HI) and has been referred to the Committee on Governmental Affairs. I have authored an extensive article discussing the importance of the issues raised by S. 22 and the valuable contribution the Commission could make to raising awareness as to the complexity of the Year 2000 problem and to developing risk management and audit methodologies for the benefit of the Federal government, state governments and the private sector. I recommend the article to interested Senators.

B. Street-Wide Year 2000 Testing Mandates

The SIA is currently developing plans for conducting "street-wide" testing beginning in February, 1999 and finishing in October, 1999 in order to confirm that the SIA members' computer systems have in fact been made Year 2000 compliant. If any SIA member refuses to participate in street-wide testing or fails such testing, the names of such SIA members should be disclosed so that appropriate protective measures may be taken by the impacted member's transaction partners. In order to avoid exposing the SIA and individual SIA members to legal actions, I recommend that the appropriate Federal regulatory agency mandate participation in the SIA "street-wide" testing and mandate disclosure to the agency and all SIA members of the results of the testing.

C. Cap on Year 2000 Litigation Damages

Financial institutions currently face a problem with respect to embedded microcontrollers in non-computer equipment, since they are totally dependent on the equipment manufacturers to identify the location of the microcontrollers, to advise whether the microcontrollers are date-sensitive and will cause the associated equipment to malfunction on or after January 1, 2000, and to provide Year 2000 compliant microcontrollers. In some instances the manufacturers may decide not to expend the money necessary to produce Year 2000 compliant microcontrollers for outdated equipment. In order to motivate these manufacturers to devote the time and money necessary to locate non-compliant microcontrollers in all equipment currently in use in the economy, Congress could enact legislation capping the manufacturer's potential liability for Year 2000 product liability litigation arising out of the anticipated equipment malfunctions due to the Year 2000 problem, provided the manufacturers actually supply the needed Year 2000 compliant microcontrollers. Precedent for this legislation can be found in the swine flu vaccine legislation and the Price-Anderson provisions of the U.S. Atomic Energy Act. Caps on Year 2000 litigation liability could be extended to other types of entities (third party hardware and software vendors, financial institutions) as deemed appropriate by Congress. The concept of a cap on Y2K litigation damages was recently cited by Representative Constance Morella (R-MD) in her presentation at the NIST International Symposium on the Year 2000, where she noted that "[s]ome have suggested that the only method to open up an effective discourse among industry and speed up some action is to statutorily limit or cap private sector legal liability".

D. Default Rules Affecting Consumers

Under certain circumstances, applicable statutes, regulations and/or case law place the burden on U.S. consumers to detect errors in their financial transaction records or bear the consequences of those errors. If the Year 2000 problem results in more widespread errors in financial transaction records than is currently anticipated, a more extensive consumer disclosure system may be necessary in order to protect unsuspecting consumers, who may not fully realize their exposure to loss with respect to inaccurate bank account and other financial records.

E. Stock Exchange/Bank Volatility Controls

The major stock exchanges have adopted and maintain various "collar" and "circuit breaker" controls on trading and program trading in order to reduce excessive volatility in market trading. Given the current flood of "doomsday" articles on the Year 2000 problem and the likelihood that at least some highly publicized systems failures will eventually occur, with resulting litigation, this Subcommittee may wish to reexamine the current exchange trading controls to determine if they are sufficient to maintain an orderly market in the face of an irrational wave of stock selling due to overpublicized Year 2000 worries. A similar review of current banking controls may be appropriate in the unlikely event that a bank suffers a Year 2000 system failure and some depositors become "spooked" and start a "run on the bank". Since the Federal Deposit Insurance Corporation (FDIC) insures deposits up to $100,000, the potential "run" on a bank would more likely be caused by large institutional investors.

CONCLUSION

I hope that my testimony has evidenced my personal belief that the Year 2000 computer problem is neither overblown hype on the one hand, nor the end of the world as we know it on the other hand. The Year 2000 computer problem represents the most significant information technology challenge the U.S. economy has yet faced, but the challenge is not purely a technical one. The Year 2000 computer problem is at its core not a technical problem with a solely technological solution, meriting delegation only to the chief information officer and technical staff. Instead, the Year 2000 computer problem is a business and legal problem which merits the attention of each affected company's top management and board of directors. There is no technological "silver bullet" for the Year 2000 computer problem. There is a "silver bullet" solution to the Year 2000 computer problem, however, and it is called project management. Further, an essential element of each company's project management approach to solving its Year 2000 computer problem has to be risk management. With proper project management and risk management, the Year 2000 computer problem can be brought under control. Finally, I believe that government can play a significant role in the Y2K arena, not just in remediating its own Y2K problem so that essential governmental services can continue to be provided, but also in providing needed oversight and guidance to the critical financial services industry in the course of its remediation efforts, both for the benefit of the financial services industry and for the protection of U.S. consumers.

Mr. Chairman and distinguished Members of the Subcommittee, that concludes my testimony and I would be pleased to address any questions you may have.



