NCUA LETTER TO FEDERAL CREDIT UNIONS

As part of our Year 2000 Readiness Program, NCUA and our contractor performed onsite Year 2000 reviews of ten Information Systems Vendors (ISVs). These initial ten reviews were conducted prior to enactment of the Examination Parity and Year 2000 Readiness for Financial Institutions Act. Therefore, NCUA, at that time, had no regulatory authority over the ISVs. The reviews were conducted based on voluntary agreements with the ISVs; part of the agreements included non-disclosure of the specific results of the reviews. The purpose of this letter, then, is to provide you with general information on the results of the reviews.

We selected ten ISVs that provide data processing services to credit unions. Our selection of ISVs was based on the number of credit union clients and total credit union assets served by the ISV. By selecting these ten large ISVs, we were able to perform reviews on ISVs which serve 55% of federally insured credit unions. The ten ISVs reviewed by NCUA and our contractor are:

CompuSource Systems, Inc.	January 26 - 29, 1998
Computer Consultants Corporation	February 17 - 20, 1998
C. U. Processing, Inc.	March 9 - 12, 1998
CUSA Technologies, Inc.	March 2 - 5, 1998
FedComp, Inc.	March 2 - 5, 1998
Fiserv Summit	April 6 - 9, 1998
Fiserv Galaxy	March 9 - 12, 1998
Ultradata Corporation	February 23 - 26, 1998
Users, Inc.	December 15 - 18, 1997
XP Systems Corporation	February 17 - 20, 1998

We are currently planning to perform on-site reviews of additional ISVs as well as follow up contacts on vendors already reviewed.

The first ten reviews were voluntary - the ISVs agreed to allow us to conduct the reviews. At the time our review program began, we did not have the statutory authority granted by passage of the Examination Parity and Year 2000 Readiness for Financial Institutions Act on March 20, 1998. This law gives NCUA the authority to examine ISVs and allows NCUA to release additional information regarding examinations of ISVs conducted in the future.

The reviews focused on the process each ISV was undertaking to become Year 2000 ready. Each review had the following objectives:

Determine the status of the ISV's efforts in becoming Y2K ready;
Identify risks related to the ISV's support of credit union Y2K efforts; and
Assess the impact to credit unions of any Y2K problems detected.

Project Management and Planning;
Technical Evaluation and Repair; and
Business Considerations.

After each review, we issued a report to the ISV which contained findings, recommendations, and an assessment of the potential impact of each finding on credit union clients. In addition, the report contains a profile of the ISV's business, as well as a review of the ISV's capacity for new customers. We also requested that the ISV provide a response to our findings.

The ISV reviews provide NCUA with insight into each ISV's Y2K process and stability. This process also provided an opportunity to engage in a dialogue with the ISVs; the result being improved communication and understanding of both NCUA's and the ISVs' concerns. This continuing enlightenment of NCUA and ISVs will assist the credit union community by fostering the means for the development of further strategies and processes for assuring Y2K compliance.

Based on the progress demonstrated by each ISV at the time of the review; all ten ISVs would be rated as satisfactory in making progress in becoming Y2K ready.

Due to the complexities of the Y2K issue, the review of ISVs at any one point in time does not ensure that they will continue progress at the same rate over the life of the project. Therefore, the fact that NCUA has performed a review of an ISV does not alleviate the credit union's responsibility to perform sufficient due diligence of vendor efforts and progress. Given the credit union's continued responsibilities for due diligence, if you have not already done so, you can best use this information by asking your ISV the following questions:

Who is responsible for the 3rd party interfaces of my system? Is it my responsibility to communicate to you my 3rd party interface vendors' Y2K compliance and methodology?

Will you be performing beta testing with credit unions; if so, how can I get involved?

Does your Year 2000 planning process include a formal documented plan which includes a schedule by which you evaluate your progress? If so, please provide a status report of your progress thus far.

What version/release will be Year 2000 compliant? What version/release should I be on at this time? When will the Year 2000 compliant version be ready for general release?

Which systems will you not be making Year 2000 compliant, and how will that impact the way I currently use my system?

Half of the ISVs had a documented project plan available; those without a documented plan did have a methodology which was cited as moving them toward completion of Y2K repairs.

All of the ISVs were cited as having informal contingency plans and received recommendations to expand their contingency plans.

All ISVs were cited as working closely with interfacing vendors to determine the compliance status of their software; however, most were cited as needing to establish cut-off dates to incorporate vendor changes.

All ISVs were cited as demonstrating that they were making progress toward full compliance.

Many of the ISVs reported the need for credit union customers to ensure that their hardware and operating systems were Year 2000 compliant rather than the ISV doing so.

All ISVs had internal testing plans, and most had plans to conduct beta testing with credit unions.

All ISVs were reported to have a willingness to accept new customers, yet only half were able to provide a degree of specific capacity.

Awareness - All ISVs were cited as being 100% aware with knowledgeable staff, and involved in the process of communicating with their customers.

Assessment - At the time of our review, the majority of ISVs were 100% assessed.

Renovation - At the time of our reviews, all ISVs were solidly engaged in the renovation phase.

Validation - All of the ISVs either had testing plans in place or were in the process of testing.

Generally, we found these ten ISVs very committed to ensuring their credit union clients' progress through the Y2K problem with minimal disruption to their interaction with credit union members. But you must not rely upon our findings alone; we cannot, and do not, certify whether an ISV is Y2K compliant. Our reviews should not be viewed as a substitute for independent due diligence. The information provided in this letter is intended to assist you in your communications with your ISV, whether or not the ISV has been the subject of one of our reviews.

Credit union management and Y2K project leaders must continue their due diligence to ensure they are ready for the millennium change. Every credit union is unique and management is responsible for establishing comprehensive Y2K due diligence, remediation, testing, and contingency planning processes. Look for more guidance from NCUA on acceptable sound testing strategies in the near future. In the meantime, if you have questions or comments, please contact your examiner, regional office or state supervisory authority.