NATIONAL CREDIT UNION ADMINISTRATION
WASHINGTON, D.C. 20456
LETTER TO CREDIT UNIONS

TO THE BOARD OF DIRECTORS OF THE FEDERALLY INSURED CREDIT UNION ADDRESSED:

INFORMATION PROCESSING ISSUES

For your reference, I am enclosing three papers, one from the National Credit Union Administration (NCUA) and two from the Federal Financial Institutions Examination Council (FFIEC), which outline issues related to the automated processing of credit union information.

Many credit unions use information system service bureaus for their data processing needs. There is the potential for certain risks to all financial institutions that contract out for these services. The first paper explains NCUA's program to examine and assess the safety and soundness of organizations that provide data processing services to federally insured credit unions. These reviews will bring NCUA in line with the other federal financial institution regulators that have been per-forming these types of examinations for many years.

On a related issue, the second paper alerts management to specific risks and accounting problems that have been identified in some federally insured financial institutions using data processing services from outside vendors.

NCUA continues to stress the importance of strategic planning in all areas of credit union operations. As such, I am releasing the third paper, addressing the issue of strategic information systems planning as part of the overall planning process for your institution.

Enclosures

NATIONAL CREDIT UNION ADMINISTRATION
WASHINGTON, D.C. 20456

The National Credit Union Administration (NCUA) has established a program to perform on-site examinations of information system vendors. This program was initiated because of the critical importance automated information systems have to many credit unions. There is the potential for a high degree of risk to credit unions and the National Credit Union Share Insurance Fund should problems occur with these vendors or their products. Assessing this potential risk, with both individual vendors and the industry as a whole, is a key element of this examination program.

Information system vendors provide a variety of products and services to federally insured credit unions. These include:

• service bureau services (remote, on-line information processing)
• turnkey systems (complete in-house information processing systems, including equipment and vendor developed and supported software)
• software products (for use on credit union-owned hardware)
• facilities management services (vendor supplied personnel and expertise to operate a credit union-owned system)

Vendors may be private companies or credit union service organizations (CUSOs).

NCUA will be accessing the overall safety and soundness of information system product providers. The following areas will, at a minimum, be included in the scope of our reviews:

• organization and management
• strategic planning
• financial condition
• data center controls
• systems and programming controls
• backup and recovery methods and testing
• contingency planning and testing
• customer contracts
• interest and dividend computations
• delinquency calculations

Other areas of a vendor's operation may be reviewed as necessary.

NCUA will contract with third-party information system auditing specialists to act as our agents in performing these examinations. This is being done to augment our in-house information system auditing resources and facilitate the completion of work in a timely manner.

NCUA plans to perform reviews of approximately 20 information system vendors per year. Initially, we will focus on the largest service bureau vendors. In subsequent years, we will expand our reviews to include other information system providers and perform follow-up examinations as needed.

NCUA will work directly with information system vendors to correct any deficiencies found in our reviews. If deficiencies are corrected within a reasonable period of time, NCUA will not issue a report of our findings. If, however, a vendor will not agree to, or does not correct, any significant problems noted in our review, a written report of our findings will be issued to all credit union customers of the vendor and to all NCUA examiners.

Federal Financial Institutions Examination Council
Washington, DC 20006

Interagency Statement on EDP Service Contracts

To: Chief Executive Officers of all Federally Supervised Financial Institutions, Senior Management of each FFIEC Agency, and all Examining Personnel

PURPOSE:

This interagency statement alerts financial institutions to potential risks in contracting for EDP services and/or failing to properly account for certain contract provisions.

ISSUE:

Some financial institutions are entering into EDP servicing contracts that contain provisions which may adversely affect the institution. Contract provisions may include extended terms (up to ten years), significant increases in costs after the first few years, and/or substantial cancellation penalties.

In addition, some service contracts improperly offer inducements that allow an institution to retain or increase capital by deferring losses on the disposition of assets or avoiding expense recognition for current charges. Institutions experiencing earnings and capital problems are particularly attracted to these inducements.

Examples of inducements include:

• The servicer purchasing assets (e.g., computer equipment or foreclosed real estate) at book value, which exceeds current market value;

• The servicer providing capital by purchasing stock from the institution;

• The servicer providing cash bonuses to the institution once the conversion process is complete; and

• The institution deferring expenses for conversion costs or processing fees under the terms of a lease or licensing contract.

These inducements offer a short-term benefit to the institution. However, the servicer usually recoups its costs by charging a premium for the data processing services it provides. These excessive data processing fees adversely affect an institution's financial condition over the long-term. Furthermore, the institution's accounting for such inducements typically is inconsistent with generally accepted accounting principles (GAAP) and regulatory reporting requirements.

Title II, Section 225 of the Financial Institutions Reform, Recovery and Enforcement Act of 1989 states:

Accordingly, when negotiating contracts, an institution must ensure that the servicer can provide a level of service that meets the needs of the institution over the life of the contract. It is also the responsibility of the institution to ensure that contracts are accounted for in accordance with GAAP.

In summary, contracting for excessive servicing fees and/or failing to properly account for such transactions is considered an unsafe and unsound practice. Servicing agreements that include contract provisions or inducements similar to those discussed above should be closely reviewed by the institution. Institutions must ensure that accounting under such agreements reflects the "substance" of the transaction, not merely the "form."

Although this statement focuses on contracting for EDP services, these same issues may exist in contracts for other vital services.

Federal Financial Institutions Examination Council
Washington, DC 20006

PURPOSE

T'his policy issuance alerts all financial institutions to the importance of strategic information systems planning and its role in overall corporate management and planning. It identifies management's responsibilities in preparing strategic plans for their information systems requirements.

BACKGROUND

Information is a valuable corporate asset which is vital to the success of all financial institutions. The ability to remain competitive, introduce new products and services, and attain desired corporate goals often depends on the effective management of information systems technology.

Corporate level strategic planning is important in all financial institutions to effectively utilize available resources and achieve the long term goals and objectives of the organization. Strategic information systems planning is integral to the overall corporate strategic planning process and must support individual business strategies throughout the institution. The information systems strategic plan should address technology risks affecting all areas of operation, including contingency planning and disaster recovery, information security, systems and programming, computer operations, and end-user computing.

Effective strategic planning considers the impact of technology on the internal and external concerns of the institution. Intemal issues are those where management has planning control. This includes profitability, delivery of new products and services, efficient and consistent operations, and corporate strategic planning. External issues are those over which management has no direct control, but must react to in a timely manner. These include technological advancements by competitors, regulatory requirements, and changing economic environments.

Strategic information systems planning is generally structured to address two primary objectives.

• Cost effective in meeting business objectives;
• Timely (i.e. available when needed);
• Flexible (i.e. expandable/contractible);
• Efficient (i.e. competitive parity and competitive advantage); and
• Reliable (i.e. complete and accurate data).

• Proper collection and processing of information;
• Availability of information, as required, at different locations; and
• Proper distribution of applications.

POLICY

Financial institutions should develop and implement a written strategic information systems plan commensurate with the complexity and sophistication of the institution. Tne plan should be integrated into overall corporate goals and should include in-house, end-user, and service bureau processing, as applicable. Successful implementation of a strategic information systems plan requires the board of directors of an institution to:

• Provide adequate oversight, including the review and approval, of business objectives and related information systems strategies;

• Ensure the ongoing development and implementation of the information systems plan;

• Ensure the technology strategy considers the size and complexity of the institution, the markets it pursues, and the nature of the products and services it offers; and

• Ensure the design of the organizational structure includes well defined delegations of authority commensurate with information systems technology.

The appendix provides additional guidance relating to strategic information systems planning.

The board of directors is responsible for reviewing and approving corporate strategies to ensure the continuance of successful operations. Oversight includes periodic review and approval of overall business objectives. This review should ensure coordination of the information systems plan with the overall corporate strategic plan. The monitoring process should reflect changes in current systems development. These changes should be reported in summary format in board and steenring committee minutes.

Oversight activities include:

• Reviewing cost benefit analyses;
• Monitoring periodic performance/status reports;
• Ensuring that goals are consistent with overall corporate goals and safety and soundness;
• Implementing the plan through the effective utilization offinancial resources, personnel skills a and methodologies;
• Reviewing contingency/recovery policies on an annual basis; and
• Evaluating acquisition/merger conversion plans.

The following diagram and definitions illustrate the flow and structure of the planning hierarchy.

CORPORATE STRATEGIC GOALS STRATEGIC PLAN TACTICAL PLAN OPERATIONAL PLANS

The board of directors establishes long term corporate goals and objectives for the financial institution. More specifically, the board determines the institution's current market position, methods needed to gain a competitive edge, and resources required to achieve the desired goals.

This plan defines the future direction and mission of the institution. It may be revised every two years and encompasses a time span of three to seven years. Its scope includes target markets, resources, technologies, and other appropriate criteria. Results show a framework and vision for the institution's future direction. This plan is the backbone for supporting tactical plans.

This is a program of action over a two- to five-year time period. It is updated annually and focuses more narrowly on the broad scope identified in the strategic plan. It results in a determination of specific activities, budgets, opportunities, and functional objectives.

Often these plans list specific actions and milestones by month to achieve project plans, budgets, management by objective (MBO) agreements, and commitments. The plan life-cycle is generally for one year and can be subject to numerous updates and revisions.