NATIONAL CREDIT UNION ADMINISTRATION
1775 Duke Street, Alexandria, VA 22314

NATIONAL CREDIT UNION SHARE INSURANCE FUND
LETTER TO CREDIT UNIONS

SUBJECT: Information System Vendor Reviews

As part of our Year 2000 Readiness Program,
NCUA and our contractor performed onsite Year 2000 reviews of
ten Information Systems Vendors (ISVs). These initial ten reviews
were conducted prior to enactment of the Examination Parity and
Year 2000 Readiness for Financial Institutions Act. Therefore,
NCUA, at that time, had no regulatory authority over the ISVs.
The reviews were conducted based on voluntary agreements with
the ISVs; part of the agreements included non-disclosure of the
specific results of the reviews. The purpose of this letter,
then, is to provide you with general information on the results
of the reviews.

Which Information System Vendors did we review?

We selected ten ISVs that provide data processing
services to credit unions. Our selection of ISVs was based on the number
of credit union clients and total credit union assets served by the ISV.
By selecting these ten large ISVs, we were able to perform reviews on
ISVs which serve 55% of federally insured credit unions. The ten ISVs
reviewed by NCUA and our contractor are:
We are currently planning to perform
on-site reviews of additional ISVs as well as follow-up contacts on vendors
already reviewed.
The first ten reviews were voluntary - the
ISVs agreed to allow us to conduct the reviews. At the time our
review program began, we did not have the statutory authority
granted by passage of the Examination Parity and Year 2000
Readiness for Financial Institutions Act on March 20, 1998.
This law gives NCUA the authority to examine ISVs and allows
NCUA to release additional information regarding examinations
of ISVs conducted in the future.

What were the objectives of the reviews?

The reviews focused on the process each ISV
was undertaking to become Year 2000 ready. Each review had the
following objectives:
What did we do during the reviews?
The ISV reviews addressed the following 3 areas:
After each review, we issued a report to the
ISV which contained findings, recommendations, and an assessment
of the potential impact of each finding on credit union clients.
In addition, the report contains a profile of the ISV's business,
as well as a review of the ISV's capacity for new customers.
We also requested that the ISV provide a response to our findings.
What did the reviews provide the credit union community?
The ISV reviews provide NCUA with insight into
each ISV's Y2K process and stability. This process also provided
an opportunity to engage in a dialogue with the ISVs, resulting
in improved communication and understanding of both NCUA's
and the ISVs' concerns. This continuing enlightenment of NCUA
and ISVs will assist the credit union community by fostering the
means for the development of further strategies and processes
for assuring Y2K compliance.
Based on the progress demonstrated by each
ISV at the time of the review, all ten ISVs would be rated as
satisfactory in making progress in becoming Y2K ready.

How can you, the credit union, use this information?

Due to the complexities of the Y2K issue, the
review of ISVs at any one point in time does not ensure that they
will continue progress at the same rate over the life of the project.
Therefore, the fact that NCUA has performed a review of an ISV
does not alleviate the credit union's responsibility to perform
sufficient due diligence of vendor efforts and progress. Given
the credit union's continued responsibilities for due diligence,
if you have not already done so, you can best use this information
by asking your ISV the following questions:
The following is a summary of the major
findings of the ISV reviews.
Project Management and Planning -
Technical Evaluation and Repair -
Business Considerations -
Status of the ISV in terms of the Year 2000 Five Phase Process.

Awareness - All ISVs were cited as being 100% aware with knowledgeable staff, and
involved in the process of communicating with their customers.
Assessment - At the time of our review, the majority of ISVs were 100% assessed.
Renovation - At the time of our reviews, all ISVs were solidly engaged in the renovation
phase.
Validation - All of the ISVs either had testing
plans in place or were in the process of testing.
Implementation - All of the ISVs had distribution processes in place.

Generally, we found these ten ISVs very
committed to ensuring their credit union clients' progress through the
Y2K problem with minimal disruption to their interaction with credit union
members. But you must not rely upon our findings alone; we cannot,
and do not, certify whether an ISV is Y2K compliant. Our reviews should
not be viewed as a substitute for independent due diligence. The information
provided in this letter is intended to assist you in your communications
with your ISV, whether or not the ISV has been the subject of one of our
reviews.
Credit union management and Y2K project leaders
must continue their due diligence to ensure they are ready for
the millennium change. Every credit union is unique and management
is responsible for establishing comprehensive Y2K due diligence,
remediation, testing, and contingency planning processes. Look
for more guidance from NCUA on acceptable sound testing strategies
in the near future. In the meantime, if you have questions or
comments, please contact your examiner, regional office or state
supervisory authority.

Sincerely,

/S/

Norman E. D'Amours
Chairman of the Board

EI/SEA:sa
SSIC 13610