AL 98-03
Subject:   Year 2000 Guidance on Customer Risk and Vendor Due
           Diligence
Date:     March 17, 1998

TO:  Chief Executive Officers of National Banks, Federal
Branches and Data-Processing Centers, Department and
Division Heads, and Examining Personnel


This advisory is to alert you to the recent release of two
FFIEC interagency statements on the Year 2000 problem.
"Guidance Concerning the Year 2000 Impact on Customers"
and "Guidance Concerning Institution Due Diligence in
Connection with Service Provider and Software Vendor Year
2000 Readiness" supplement previous FFIEC interagency
statements by providing additional information on overseeing
and managing Year 2000-related risk for bank customers and
for vendors that provide mission-critical products and
services.  

"Guidance Concerning the Year 2000 Impact on Customers"
describes the responsibilities of a financial
institution's senior management and board of directors
for assessing the risks arising from the failure of
the institution's customers to address their Year 2000
vulnerabilities.  A financial institution can face
increased credit, liquidity, or counterparty trading
risk when its customers encounter Year 2000-related
problems.  Year 2000 risk may result from the failure
of a customer to properly remediate its own systems
and from Year 2000 problems that are not addressed
by the customer's suppliers and its clients.  By
June 30, 1998, senior management should have
implemented a process which identifies, assesses
and controls the Year 2000 risk posed by their
customers. 
 
"Guidance Concerning Institution Due Diligence in
Connection with Service Provider and Software
Vendor Year 2000 Readiness" addresses the process
for determining the ability of a bank's service
providers and software vendors to become Year 2000
ready.

The vendor due diligence process should enable management to:
     
         identify and assess the mission-critical services and
         products provided by service providers and software
         vendors; 
          
         identify and articulate the obligations of the service
         provider or software vendor and the institution for
         achieving Year 2000 readiness; 

         test the remediated services and products in the
         institution's own environment;

         adopt contingency plans for each mission-critical
         service and product; and

         establish monitoring procedures to verify that the
         service provider or software vendor is taking
         appropriate action to achieve Year 2000 readiness.

For further information on year 2000 issues, contact the Bank
Technology unit at
(202) 874-2340.


                               
Emory Wayne Rushton
Senior Deputy Comptroller
Bank Supervision Policy


Attachments