GUIDANCE CONCERNING THE YEAR 2000 IMPACT ON CUSTOMERS To: The Boards of Directors and Chief Executive Officers of all federally supervised financial institutions, Department and Division Heads of each FFIEC agency, and all Examining Personnel. BACKGROUND The Federal Financial Institutions Examination Council (FFIEC) has issued three statements providing guidance on the Year 2000 problem. Two interagency statements were issued in June 1996 and May 1997 to address the key phases of the Year 2000 project management process. The most recent guidance, published in December 1997, outlined the specific responsibilities of senior management and the board of directors to address risks associated with the Year 2000 problem. PURPOSE The purpose of this guidance is to assist financial institutions in developing prudent risk controls to manage the Year 2000- related risks posed by their customers. This guidance describes a variety of approaches for a financial institution's senior management and board of directors to assess the risks arising from the failure or inability of the institution's customers to address their Year 2000 vulnerabilities. This guidance outlines the due diligence process that financial institutions should adopt to manage their Year 2000- related risks arising from relationships with three broad categories of customers: funds takers, funds providers, and capital market/asset management counterparties. SUMMARY Key points addressed in this guidance include: A financial institution can face increased credit, liquidity, or counterparty trading risk when its customers encounter Year 2000-related problems. These problems may result from the failure of a customer to properly remediate its own systems and from Year 2000 problems that are not addressed by the customer's suppliers and clients. By June 30, 1998, senior management should have implemented a due diligence process which identifies, assesses and establishes controls for the Year 2000 risk posed by customers. By September 30, 1998, the assessment of individual customers' Year 2000 preparedness and the impact on an institution should be substantially completed. The due diligence process outlined in this guidance focuses on assessing and evaluating the efforts of an institution's customers to remediate their Year 2000 problems. Year 2000 issues related to the institution exchanging data with its customers should be addressed as a part of the institution's internal Year 2000 project management program. The guidance recognizes that each institution must tailor its risk management process to its size, its culture and risk appetite, the complexity of its customers, and its overall Year 2000 risk exposure. The FFIEC understands that these differences will affect the risk management programs developed by financial institutions. However, financial institutions must evaluate, monitor, and control Year 2000-related risks posed by funds providers, funds takers, and capital market/asset management counterparties. The institution's due diligence process should identify all customers representing material Year 2000-related risk, evaluate their Year 2000 preparedness, assess the aggregate Year 2000 customer risk to the institution, and develop appropriate risk controls to manage and mitigate Year 2000 customer risk. Risk management procedures will differ based on a variety of factors, including the institution's size, risk appetite and culture, the complexity of customers' information and operating systems, and the level of its own Year 2000 risk exposure. The Year 2000 due diligence processes used by smaller institutions may not be as extensive or formal as those in larger institutions where customers may be more dependent upon information technology. The attached appendices provide examples of processes used by financial institutions to manage Year 2000-related customer risk. An institution's management should provide quarterly reports to the board of directors that identify material customers who are not effectively addressing Year 2000 problems. The reports should summarize the action taken to manage the resulting risk. OVERVIEW The Year 2000 problem presents many challenges for financial institutions and their customers. The FFIEC recognizes that risk management procedures will vary depending on the institution's size, its risk appetite and culture, the complexity of customers' information and operating systems, and the level of its own Year 2000 risk exposure. For example, customers of small community financial institutions may not depend on computer-based information systems to the same extent as large business customers of large financial institutions. As a result, Year 2000 due diligence processes used by these institutions may not be as extensive or formal as those in institutions whose customers may be more dependent upon information technology. Senior management should oversee the development and implementation of a due diligence process which is tailored to reflect the Year 2000 risk in their institution's customer base. Three major types of customers may expose a financial institution to Year 2000-related risks. They include funds takers, funds providers, and capital market/asset management counterparties. Funds Takers Funds takers include borrowers and bond issuers that borrow or use bank funds. Failure of fund takers to address Year 2000 problems may increase credit risk to a financial institution through the inability of fund takers to repay their obligations. Funds Providers Funds providers provide deposits or other sources of funds to a financial institution. Liquidity risk may result if a funds provider experiences a Year 2000-related business disruption or operational failure and is unable to provide funds or fulfill funding commitments to an institution. Capital Market/Asset Management Counterparties Capital market and asset management counterparties include customers who are active in domestic and global financial markets. Market trading, treasury operations, and fiduciary activities may be adversely affected if a financial institution's capital market and asset management counterparties are unable to settle transactions due to operational problems caused by the Year 2000 date change. GENERAL RISK CONTROL GUIDELINES By June 30, 1998, financial institutions should establish a process to manage the Year 2000 risks posed by its customers. The process should: (1) identify material customers; (2) evaluate their Year 2000 preparedness; (3) assess their Year 2000 risk to the institution; and (4) implement appropriate controls to manage and mitigate their Year 2000-related risk to the institution. The assessment of individual customers' Year 2000 risk and their impact on an institution should be substantially completed by September 30, 1998. Year 2000 issues related to data exchanges between the institution and customers should be addressed as a part of an institution's internal Year 2000 project management program. Identify Material Customers Management should identify customers that represent material risk exposure to the institution, including international customers. Material risk exposure may depend on:  Size of the overall relationship;  Risk rating of the borrower;  Complexity of the borrower's operating and information technology systems;  Customer's reliance on technology for successful business operations;  Collateral exposure for borrowers;  Funding volume or credit sensitivity of funds providers; and  Customer's dependence on third party providers of data processing services or products. Assess Preparedness of Material Customers The impact of Year 2000 issues on customers will differ widely. Smaller financial institutions may find that most of their material borrowers use either manual systems or depend on commercial software products and services. The evaluation of Year 2000 preparedness for these customers will be less involved and may not require additional risk management oversight. To ensure consistent information and a basis for comparisons among customers, management should address the following.  Train account officers to perform a basic assessment of Year 2000 risk of customers.  Develop a standard set of questions to assess the extent of a customer's Year 2000 efforts. Appendices A - D contain samples of forms some financial institutions use to evaluate customer Year 2000 preparedness. Financial Institutions are not required to use these forms, although they provide useful examples of methods to evaluate customer preparedness.  Update the status of a customer's Year 2000 efforts periodically, but at least semi-annually. For customers that represent significant Year 2000 exposure to the institution, quarterly updates may be necessary.  Document Year 2000 assessment conclusions, subsequent discussions, and status updates in the institution's customer files. Evaluate Year 2000 Risk to the Institution After identifying all customers representing material Year 2000 risk and evaluating the adequacy of their Year 2000 programs, management should assess the Year 2000 risk posed to the institution by these customers, individually and collectively. Management should determine whether the level of risk exposure is high, medium, or low. Management also should provide quarterly updates to the board of directors on customers that are not addressing Year 2000 problems effectively and discuss the actions taken by the institution to control the risk. Develop Appropriate Risk Controls Once the institution has evaluated the magnitude of Year 2000 risk from its customers, management must develop and implement appropriate controls to manage and mitigate the risk. Senior management should be active in developing risk mitigating strategies and ensure that effective procedures are implemented on a timely basis to control risk. SPECIFIC RISK CONTROL GUIDELINES The specific risk controls an institution implements will vary depending on the size of the institution, its risk appetite and culture, the complexity of customers' information and operating systems, and its own level of Year 2000 risk exposure. Different risk management controls may be needed to address unique and material Year 2000 issues that arise from business dealings with different categories of customer. Funds Takers An institution's Year 2000 risk management controls for funds takers should focus on limiting potential credit risk by ensuring that Year 2000 problems do not prevent a borrower or bond issuer from meeting the terms of its agreements with the institution. Controls to manage an institution's exposure to its funds takers should address underwriting, documentation, credit administration, and the allowance for loan and lease losses (ALLL). These same factors also should be considered, where appropriate, when evaluating risk posed by an institution's capital market and asset management counterparties.  Underwriting During any underwriting process, management should evaluate the extent of the borrower's Year 2000 risk. Specifically, management should: - Ensure that underwriters are properly trained and have sufficient knowledge to perform a basic assessment of Year 2000 customer risk. There are a number of resource materials available that will assist in informing lenders of Year 2000 issues. State and national trade associations have prepared materials to assist lenders in understanding customer risk created by the Year 2000. Additional information is available on the Internet and can be located by searching on the words "Year 2000". - Evaluate whether Year 2000 issues will materially affect the customer's cash flows, balance sheet, or supporting collateral values. As a part of the assessment and based on materiality, management should consider the complexity of the customer's operations; their dependence on service providers or software vendors; the extent of management oversight of the Year 2000 project; the resources the customer has committed to the project; and the date the customer expects to complete Year 2000 efforts. - Control credit maturities or obtain additional collateral, as appropriate, if credit funding is to be continued for high-risk customers.  Documentation Proper loan documentation provides an effective means to monitor and manage the Year 2000 risk posed by borrowers. Loan documents should reflect the degree of risk posed by customers. Institutions should consider incorporating some or all of the following into loan agreements: - Representations by borrowers that Year 2000 programs are in place; - Representations that borrowers will disclose Year 2000 plans to the lender, provide periodic updates on the borrower's progress of the Year 2000 program, and provide any assessment of the borrower's Year 2000 efforts conducted by a third party; - Audits that address Year 2000 issues; - Warranties that the borrower will complete the plan; - Covenants ensuring that adequate resources are committed to complete the Year 2000 plan; and - Default provisions allowing the lender to accelerate the maturity of the debt for non -compliance with Year 2000 covenants;  Credit Administration After the initial assessment, ongoing credit administration provides the best opportunity for an institution to manage Year 2000-related customer risk. Periodic credit analyses, which should include an update of the customer's Year 2000 efforts, can help to monitor a borrower's Year 2000 efforts. When performing credit analyses, loan officers should determine whether a customer's Year 2000-related risk merits an adjustment to its internal risk rating.  ALLL Analysis Management's review of the adequacy of loan and lease loss allowances should include Year 2000 customer risk. When Year 2000 issues adversely impact a customer's creditworthiness, the allowance for loan and lease losses should be adjusted to reflect adequately the increased credit risk. Additionally, management's analysis of loss inherent in the entire portfolio should reflect Year 2000 risk. Funds Providers Management should consider the potential effect on an institution's liquidity by assessing the potential for unplanned reductions in the availability of funds from significant funding sources that have not taken appropriate measure to manage their own Year 2000 problems. Management should develop appropriate strategies and contingency plans to deal with this potential problem.  Risk Assessment of Funds Providers As with funds takers, management should discuss Year 2000 issues with significant funds providers, evaluate their Year 2000 readiness to the extent possible, and assess the Year 2000-related risks posed by the providers. Management should be aware of concentrations -- including concentrations in any single currency -- from an individual provider or group of providers that may not be Year 2000 ready.  Contingency Planning The risk assessment of major funds providers' Year 2000 readiness should be incorporated into an institution's liquidity contingency plans. As with other contingency planning processes, management should evaluate its exposure and potential funds needs under several scenarios that incorporate different assumptions about the timing or magnitude of funds providers' Year 2000 -related problems. Institutions with significant funds flows in different currencies may needs separate contingency plans for each major currency. Although the liquidity risks from funds providers' Year 2000-related problems are similar to other "event risks" that institutions address in their liquidity contingency plans, Year 2000-related liquidity risks differ because the date of this event is known in advance. As a result, institutions may be better able to plan for and mitigate potential liquidity risks. For example, institutions may be able to reduce potential liquidity risks by extending the maturity of their advances under funding lines sufficiently past January 1, 2000, to provide time to assess and evaluate the effect of the Year 2000 on its funds providers. Maintaining close contact with funding sources throughout this potentially difficult period can provide management with timely, market sensitive information and thus allow for more effective liquidity planning. Capital Market and Asset Management Counterparties The focus of the controls for an institution's exposure to Year 2000-related problems in capital markets and among counterparties mirror those needed for funds takers and funds providers. Potential Year 2000-related problems with capital market participants range from a counterparty's failure to complete a securities transaction or derivatives contract settlement to, in extreme cases, the failure of the counterparty itself. A counterparty failure could lead to the total loss of the value of the payment or contract. A counterparty's failure to settle a transaction could cause the institution unexpected liquidity problems, which in turn could result in the failure of a financial institution to deliver dollars or foreign currencies to its counterparties. In addition, Year 2000-related problems among fiduciary counterparties could prevent a financial institution from fulfilling its fiduciary responsibilities to protect and manage assets for fiduciary beneficiaries. A counterparty's failure to remit bond payments, fund employer pension contributions or settle securities transactions could increase the institution's fiduciary risk.  Risk Assessment of Counterparties As part of a sound due diligence process, management should identify and discuss Year 2000 compliance issues with those counterparties which represent large exposures to the bank itself and to fiduciary account beneficiaries. Financial institutions should evaluate counterparty exposure and develop risk reducing action plans to help manage and control that risk.  Risk Reduction Plans In cases where institutions are not fully satisfied that their counterparties will be Year 2000 ready, management should establish mitigating controls such as early termination agreements, additional collateral, netting arrangements, and third-party payment arrangements or guarantees. In cases where management has a high degree of uncertainty regarding a counterparty's ability to address its Year 2000 problems, the institution should consider avoiding transactions with settlement risk after January 1, 2000. As noted earlier, the interest rate effect of material mismatches of funding, or maturity, should be evaluated as maturity and settlement risk is adjusted. The financial institution should not resume normal transaction activities until the counterparty has demonstrated that it will be prepared for the Year 2000. CONCLUSION Financial institutions face significant internal and external challenges from Year 2000-related risks posed by their customers. The concepts and guidance in this interagency statement are designed to assist institutions in developing appropriate risk controls. The FFIEC recognizes that risk management procedures may vary depending on the institution's size, its risk appetite and culture, the complexity of its customers' information systems, and its own Year 2000 risk exposure. While these differences will affect the risk management practices developed by management, it is essential that financial institutions identify, measure, monitor and control Year 2000- related risks posed by funds providers, funds takers, and capital market/asset management counterparties. Appendices (4)