To: Chief Executive Officers of all federally supervised financial institutions, providers of data services, senior management of each FFIEC agency, and all examining personnel.

Purpose:
This Interagency Statement is intended to emphasize the need to make all information processing systems Year 2000 compliant and identify specific concerns that should be considered in managing a conversion program. The FFIEC first alerted the industry in June 1996 of the Year 2000 problem. At that time, we recommended that financial institutions perform a risk assessment of their processing systems and begin developing an action plan to address vulnerable systems. This Interagency Statement expands on those topics and stresses a number of areas which may need special attention. It also describes the supervisory strategy that the federal banking agencies will pursue in monitoring Year 2000 conversion efforts of financial institutions, as well as third-party data processing servicers, and software suppliers servicing insured financial institutions.

The Year 2000 poses serious challenges to the industry. Many experts believe that even the most prepared organizations may encounter some implementation problems. The federal banking agencies want to ensure that financial institutions avoid major disruptions and will work with the industry to reach that goal. They will implement a supervisory plan designed to: heighten awareness of the Year 2000 problem within the industry; perform an assessment of the planning efforts of financial institutions for Year 2000; conduct a supervisory review of all institutions for Year 2000 preparedness; and work with institutions that face difficulties. The agencies will undertake follow-up activities to ensure institutions focus on problem areas and take appropriate supervisory action if they are unable to encourage a financial institution to devote adequate attention to achieving Year 2000 compliance.

This Statement has four major parts: an outline of the Year 2000 project management process; identification of three external risk issues that the Year 2000 conversion plan should consider; other operational issues that may be relevant to an institution's Year 2000 planning; and a description of the federal banking agencies' supervisory strategy.

Year 2000 Project Management:
The Year 2000 problem presents a number of difficult challenges to financial institution management. Information systems are often complex and have been developed over many years through a variety of computer languages and hardware platforms. For many financial institutions, correction of those problems will be costly and complex. A lack of skilled mainframe programmers and system experts compounds the problem.

Year 2000 conversion projects will require executive management sponsorship and an effective project management process. The project management process begins with an awareness of the issue and an assessment of the extent of Year 2000 problems within financial institution systems. This includes identification of affected applications and databases. Mission critical applications should be identified and priorities set for Year 2000 work by the end of the third quarter of 1997. Financial institutions and service providers should be well into this phase of the project. Code enhancements and revisions, hardware upgrades, and other associated changes follow the assessment phase and should be largely completed by December 31, 1998.

Since the 1996 Interagency Statement, it has become clear that testing mission critical system interdependencies, particularly those with external systems, will be time consuming and could take up to at least one year in more complex data processing environments. Accordingly, for mission critical applications, the federal banking agencies strongly encourage the industry to assure that programming changes are largely completed and that testing be well underway by December 31, 1998. This is a change from the June 1996 Interagency Statement due to the importance of fully testing connectivity between major servicers and other financial institutions.

Year 2000 project management processes are expected to be more formalized in financial institutions with complex systems or which rely on in-house application development. In all financial institutions, regardless of size or complexity, strong leadership, effective communication, and accountability are necessary to ensure that Year 2000 initiatives will be successful. The following describes the discovery, planning, and implementation process in managing an institution's conversion program:

• Awareness Phase - Define the Year 2000 problem and gain executive level support for the resources necessary to perform compliance work. Establish a Year 2000 program team and develop an overall strategy that encompasses in-house systems, service bureaus for systems that are outsourced, vendors, auditors, customers, and suppliers (including correspondents).

• Assessment Phase - Assess the size and complexity of the problem and detail the magnitude of the effort necessary to address Year 2000 issues. This phase must identify all hardware, software, networks, automated teller machines, other various processing platforms, and customer and vendor interdependencies affected by the Year 2000 date change. The assessment must go beyond information systems and include environmental systems that are dependent on embedded microchips, such as security systems, elevators and vaults.

  Management also must evaluate the Year 2000 effect on other strategic business initiatives. The assessment should consider the potential effect that mergers and acquisitions, major system development, corporate alliances, and system interdependencies will have on existing systems and/or the potential Year 2000 issues that may arise from acquired systems.

  The financial institution or vendor should also identify resource needs, establish time frames and sequencing of Year 2000 efforts. Resource needs include appropriately skilled personnel, contractors, vendor support, budget allocations, and hardware capacity. This phase should clearly identify corporate accountability throughout the project, and policies should define reporting, monitoring, and notification requirements. Finally, contingency plans should be developed to cover unforeseen obstacles during the renovation and validation phases and include plans to deal with lesser priority systems that would be fixed later in the renovation phase.

• Renovation Phase - This phase includes code enhancements, hardware and software upgrades, system replacements, vendor certification, and other associated changes. Work should be prioritized based on information gathered during the assessment phase. For institutions relying on outside servicers or third-party software providers, ongoing discussions and monitoring of vendor progress are necessary.

• Validation Phase - Testing is a multifaceted process that is critical to the Year 2000 project and inherent in each phase of the project management plan. This process includes the testing of incremental changes to hardware and software components. In addition to testing upgraded components, connections with other systems must be verified, and all changes should be accepted by internal and external users. Management should establish controls to assure the effective and timely completion of all hardware and software testing prior to final implementation. As with the renovation phase, financial institutions should be in ongoing discussions with their vendors on the success of their validation efforts.

• Implementation Phase - In this phase, systems should be certified as Year 2000 compliant and be accepted by the business users. For any system failing certification, the business effect must be assessed clearly and the organization's Year 2000 contingency plans should be implemented. Any potentially noncompliant mission-critical system should be brought to the attention of executive management immediately for resolution. In addition, this phase must ensure that any new systems or subsequent changes to verified systems are compliant with Year 2000 requirements.

• Reliance on Vendors - The agencies find that some financial institutions, relying on third-party data processing servicers or purchased applications software, have not taken a proactive approach in ensuring Year 2000 compliance by their vendors. Management should evaluate vendor plans and actively monitor project milestones. Institutions should determine if vendor contract terms can be revised to include Year 2000 covenants. Management should be aware of vendor specific responsibilities and their institution's vulnerability if the vendor cannot meet contractual obligations.

  Alternate service or software providers should be considered if vendor solutions or time frames are inadequate. If purchased products or services belong to larger, integrated systems, financial institutions' testing and certification processes will have to be fully coordinated with their vendor's Year 2000 testing. Management must also ensure that vendors have the capacity (both financial and personnel) to complete the project and are willing to certify Year 2000 compliance.

• Data Exchange - The Year 2000 problem also poses a risk to the quality of information that institutions exchange with other firms. Large volumes of date sensitive data are transferred electronically between financial institutions, their customers, and their regulators. Institutions will need to know how methods of data exchange differ among financial institutions, across vendors, and between other institutions. Therefore, Year 2000 planning should allow sufficient time to assess the effect that Year 2000 solutions will have on data transfers. The project plan should also include testing and verification, as appropriate, of data exchanges with clearing associations, governmental entities, customers and international financial institutions.

• Corporate Customers - Many corporate customers (borrowers) depend on computer systems that must be Year 2000 compliant. Corporate customers, who have not considered Year 2000 issues, may experience a disruption in business, resulting in potentially significant financial difficulties that could affect their creditworthiness. Financial institutions should develop processes to periodically assess large corporate customer Year 2000 efforts and may consider writing Year 2000 compliance into their loan documentation. Loan and credit review officers should consider in their credit analysis of large corporate customers whether the borrower's Year 2000 conversion efforts are sufficient to avoid significant disruptions to operations.

Other Year 2000 Operating Issues:
The following issues should also be considered in addressing Year 2000 planning:

• Replacement vs. Repair - Cost and timing considerations will affect a financial institution's decision to replace or repair strategic systems. Those factors may dictate that some systems will be repaired in the short term and strategically replaced sometime after January 1, 2000. Conversely, it may be more cost effective to accelerate the replacement of strategic systems.

• Cost and Monitoring - As the Year 2000 approaches and the urgency of fixing problems increases, the costs of obtaining/retaining qualified staff to address the problems will undoubtedly rise, perhaps significantly. Some experts believe that the limited availability of technical support will be a major obstacle to making systems Year 2000 compliant. Knowledge of market conditions for skilled programmers and developing programs to retain key personnel may be necessary to ensure that adequate resources are available throughout the project's life.

• Mergers and Acquisitions (M&As) - The extent of Year 2000 conversion efforts will bear directly on corporate M&As' strategies since conversions resulting from M&As will compete for project managers and technical resources. Acquisition strategies should include the institution's Year 2000 assessment to the extent possible.

• Remote Locations - Remote or overseas operations also need to devote attention to Year 2000 issues. In particular, management information systems for businesses that run semi-autonomously from the head office must be included in the financial institution's system inventory and plans. To the extent that such systems serve as critical controls for business operations, they could expose the financial institution to significant undetected vulnerabilities. Appropriate staff members throughout the organization must be aware of the risks associated with the Year 2000 issue and how they might be affected.

• Contracts - Legal issues may arise from the lack of specificity in contract terms dealing with Year 2000 issues. Financial institutions should modify existing contracts which do not specifically address Year 2000 compliance by the vendor. Otherwise, conflicts may result regarding the commitment and responsibility to assure Year 2000 compliance. Current and future purchases should require Year 2000 certification. If contract changes or modifications are refused, then the institution should consider replacing the service or product.

• Leap Year - All Year 2000 plans need to address the leap year - February 29, 2000 - issue. All date and calculation routines need to be reviewed to ensure that leap year calculations are Year 2000 certified.

Supervisory Strategy:
The federal banking agencies plan to conduct a supervisory review of all financial institutions' Year 2000 conversion efforts by mid-1998. They will soon complete an assessment of financial institutions' Year 2000 planning efforts. The appropriate regulatory agency may use the examiner questionnaire in Appendix A, or a similar tool, to help conduct this assessment. Financial institutions will be provided with specific instructions from your agency about this part of their supervisory strategy. The agencies will use the results of their assessment to prioritize on-site examinations and will target first those institutions that have not actively begun a Year 2000 conversion program.

.The federal banking agencies will utilize uniform examination procedures to facilitate Year 2000 examinations (Appendix B). Management is encouraged to use these examination tools to perform internal reviews or self-evaluations in connection with their own efforts to address the Year 2000 problem. Examiners will work with institutions that encounter significant problems addressing Year 2000 issues.

Focusing on financial institutions alone will not prevent Year 2000 disruptions. The federal banking agencies will work cooperatively to ensure that supervisory reviews include data processing service providers and third-party software vendors who provide services to federally insured financial institutions. This effort will include vendors who are a part of the Multiregional Data Processing Servicer program and the Shared Application Software Review program.