NCUA LETTER TO CREDIT UNIONS
NATIONAL CREDIT UNION ADMINISTRATION
1775 Duke Street, Alexandria, VA 22314

DATE: August 16, 1996
LETTER NO.: 96-CU-5

TO ALL FEDERALLY INSURED CREDIT UNIONS:

SUBJECT: Federal Financial Institutions Examination Council's (FFIEC) Statement on the Risks to Financial Institutions Involving Computer Systems in the New Millennium

The FFIEC has issued the attached statement on the substantial risks to financial institutions involving their computer systems as the industry enters the new century (year 2000). These risks are attributed to the programming code in many existing computer systems that may result in inaccurate calculations based on any two-digit year field containing the value "00" which the system may read as 1900.

The FFIEC statement alerts financial institutions, servicers, and vendors to the need to adequately address the risks, including system failures or erroneous data, associated with the existing programming code. This issue potentially affects all organizations that rely upon computer systems.

Management should take action to ensure the credit union's computer system (hardware and software) is capable of handling the transitions into the twenty-first century correctly. We encourage you to use the attached statement as guidance for developing a plan of action. Credit unions which use outside electronic data processing vendors and servicers should seek assurance that their vendors and servicers are adequately addressing the system and software issues related to the coming millennium.

If you have any questions, please contact your regional office or your state supervisory authority.

Sincerely,

/S/
Norman E. D'Amours
Chairman

EI
Attachment


Federal Financial Institutions Examination Council
2100 Pennsylvania Avenue, NW, Suite 200
Washington, DC 20037
(202) 634-6526 - FAX (202) 634-6556

THE EFFECT OF YEAR 2000 ON COMPUTER SYSTEMS

To: Chief Executive Officers of all Federally Supervised Financial Institutions, Senior management of each FFIEC Agency, and all examining personnel.

PURPOSE

This interagency statement alerts financial institutions to substantial risks to the industry represented by the programming code in existing computer systems as the industry enters the new millennium (year 2000).

BACKGROUND

The "year 2000" problem is pervasive and complex. Virtually every organization will have its computing operations affected in some way by the rollover of the two digit year value to 00. The majority of computer operating systems and programs currently in use have been developed utilizing six digit date fields (YYMMDD). For example, December 31, 1999, would be represented by "991231" in computer code. The two digit field for the year (in this example, "99") is the basis for all calculation formulas within most computer systems, particularly those processed through mainframes.

Up until now, this two digit field has sufficed, using a subtraction of current date from some future date (up to 12-31-99). As the industry enters the year 2000, the two digit field "00" will not permit accurate calculations based on the current formulas. January 1, 2000 would be read as 000101. Many computer systems will recognize this date as the year 1900. The potential impact is that date sensitive calculations would be based on erroneous data or could cause a system failure. This affects all forms of financial accounting (including interest computation, due dates, pensions, personnel benefits, investments, legal commitments). It can also affect record keeping, such as inventory, maintenance, and file retention. Reliable information is necessary for financial institutions to conduct business.
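The date arithmetic described above, as an added example that is not part of the FFIEC statement: it reads YYMMDD fields with the year assumed to be 19YY, compares the result with four-digit-year fields, and flags records whose dates run backwards under the legacy reading. The loan records, record ids, principal, and rate are constructed sample values, and the function names are hypothetical.

```python
from datetime import date

def parse_legacy(yymmdd: str) -> date:
    """Read a six-digit YYMMDD field as described above: YY is taken as 19YY."""
    return date(1900 + int(yymmdd[0:2]), int(yymmdd[2:4]), int(yymmdd[4:6]))

def parse_expanded(ccyymmdd: str) -> date:
    """Read an eight-digit CCYYMMDD field that carries a four-digit year."""
    return date(int(ccyymmdd[0:4]), int(ccyymmdd[4:6]), int(ccyymmdd[6:8]))

def days_between(start: date, end: date) -> int:
    """Subtract one date from another, the basis of interest and due-date math."""
    return (end - start).days

def simple_interest(principal: float, annual_rate: float, days: int) -> float:
    """Simple interest on an actual/365 basis (assumed day-count convention)."""
    return round(principal * annual_rate * days / 365, 2)

def flag_rollover_records(records):
    """Return ids of records whose due date precedes the open date when both
    fields are read with the legacy 19YY assumption. Such records are
    candidates for the date-sensitive inventory the statement calls for."""
    flagged = []
    for rec_id, opened, due in records:
        if parse_legacy(due) < parse_legacy(opened):
            flagged.append(rec_id)
    return flagged

# Constructed sample records: (id, opened YYMMDD, due YYMMDD)
SAMPLE = [
    ("LN-001", "980115", "990115"),  # both dates before the rollover
    ("LN-002", "991201", "000101"),  # due January 1, 2000
    ("LN-003", "970630", "020630"),  # five-year term crossing the rollover
]

if __name__ == "__main__":
    legacy_days = days_between(parse_legacy("991201"), parse_legacy("000101"))
    true_days = days_between(parse_expanded("19991201"), parse_expanded("20000101"))
    print("legacy day count:", legacy_days)
    print("four-digit-year day count:", true_days)
    print("interest on legacy count:", simple_interest(10000, 0.08, legacy_days))
    print("interest on correct count:", simple_interest(10000, 0.08, true_days))
    print("records to review:", flag_rollover_records(SAMPLE))
```
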

Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision

These coding changes impact billions of lines of program code, throughout government, banking, and all other users of computer technology. Most large financial institutions should be aware of this potential problem; however, industry estimates are that only 30 percent are currently addressing the issue. In some cases, individual financial institutions are projecting costs of $50 to $100 million over the next three years. Most vulnerable are the community financial institutions that do their own programming with in-house developed software systems. According to industry "guesstimates," costs to resolve these programming challenges worldwide will approach $600 billion (all computer systems, not just banking). Banking, however, is a heavily technology sensitive industry and will be impacted greatly.

CONCERNS

Many financial institutions, servicers, and vendors have not adequately addressed the risks associated with the coming millennium. This lack of planning could result in the extended or permanent disruption of computer system operations. This may be the result of either the problem itself or the cost of fixing it.

Time is critical. Commitments to action and funding cannot be deferred, as the year 2000 is a finite date. This issue affects EVERY financial institution, whether processing information internally, through service bureaus, or a combination of both.

ACTION PLAN

Financial institutions should achieve year 2000 compatibility by performing a high level risk assessment of how systems are affected. This should be followed by the development of a detailed action plan. The board of directors and senior management should take the following steps in addressing this issue:

An institution should review all aspects of computer systems to include those provided by service bureaus, hardware vendors, and other software vendors. For any aspect of its information systems processing management must:

TESTING

All reprogramming efforts must be completed in time for adequate system testing. It is recommended that reprogramming efforts be completed by December 31, 1998. This will provide one full year for testing. It is important to note that all systems from mainframes to personal computers and local area networks are susceptible to the impact of year 2000 consequences.

The appendix to this issuance provides a suggested outline of the process that should be followed to ensure that issues concerning the millennium are addressed.

APPENDIX

Millennium Planning Process

  1. Establish a Year 2000 Review Team
    1. Management should consider utilizing both internal and external information systems and audit resources to ensure that a risk-based Year 2000 Action Plan is developed.
    2. An inventory of all computer operating systems, applications and files should be created. All those with year 2000 issues must be identified.
  2. Develop an institution wide year 2000 plan.
    1. The initial step in developing the plan should be to consider whether current systems and files should be modified, replaced, outsourced, or discontinued. It should be noted that even if new systems are purchased, old files may still have to be modified. (All computer systems, including mainframes, personal computers, local area networks, etc., should be considered).
    2. The year 2000 plan should also identify and prioritize applications and processes that are the most date sensitive and those which are most vulnerable. Interdependent applications should be grouped together.
    3. Management and the board of directors need to ensure that adequate funds and resources are allocated so that all year 2000 projects are completed in a timely manner.
  3. Year 2000 Plan Implementation.
    1. Initiate pilot projects to test solutions to identified problems. It may be feasible to work with more than one vendor in order to evaluate their various solutions/capabilities before making a final decision.
    2. Begin the process of systematically implementing year 2000 changes by priority in accordance with risk. These projects should be conducted within the framework of the system development life cycle process currently in place.
    3. Conduct post implementation reviews to ensure the integrity and functionality of the modified systems.