Mr. Chairman and Members of the Subcommittee:
We are pleased to be here to discuss the progress being made by the Office of Thrift Supervision
(OTS) in ensuring that the more than 1,200 thrifts it oversees are ready for the upcoming century
date change. If Year 2000 issues are not adequately addressed, key automated thrift systems--affecting hundreds of billions of dollars in assets, transactions, and insured deposits--are subject
to serious consequences ranging from malfunction to failure. Such consequences would at the
very least cause significant inconveniences to both thrifts and their customers. More
significantly, system failure could lead to thrift closings and serious disruptions to both the thrift
community and customers. We will also be discussing the progress OTS is making in addressing
Year 2000 concerns for its own internal systems.
This testimony is the third in a series of reports you requested on the status of efforts by federal
financial regulatory agencies to ensure that the institutions they oversee are ready to handle the
Year 2000 computer conversion challenge.(1) We previously reported on the status of the Federal
Deposit Insurance Corporation (FDIC) and the National Credit Union Administration(2) (NCUA)
and plan to report on the Office of the Comptroller of the Currency and the Federal Reserve
System.
To prepare for this testimony, we evaluated OTS' efforts to date to ensure that the thrifts it
oversees have adequately mitigated the risks associated with the Year 2000 date change and
compared these efforts to criteria detailed in our Year 2000 Assessment Guide(3) and Year 2000
examination guidance and procedures set forth by the Federal Financial Institutions Examination
Council (FFIEC).(4) We reviewed OTS' Year 2000 procedures and guidance used to perform the
initial industry assessment and the follow-on on-site examinations. We reviewed relevant
correspondence to its examiners and the institutions it supervises and interviewed OTS officials
responsible for overseeing the safety and soundness of thrift management practices and
procedures. We also interviewed officials from America's Community Bankers, a trade
association representing thrifts, to obtain its views on the adequacy of OTS' efforts and determine
what the industry was doing to ensure Year 2000 readiness.
In addition, we compared OTS' efforts to prepare its own systems for the century date change
with our assessment guide. To accomplish this, we reviewed OTS' project plan, monthly status
reports, and other Year 2000 documentation. We interviewed officials responsible for planning
and implementing the Year 2000 initiative. We also reviewed an October 1997 contractor
assessment of OTS' internal system readiness. We performed our work at OTS headquarters in
Washington, D.C., and its field office in Jersey City, New Jersey, Atlanta, Georgia, and San
Francisco, California, from December 1997 through early March 1998 in accordance with
generally accepted government auditing standards.
In summary, we found that the Year 2000 problem poses a serious dilemma for thrifts due to
their heavy reliance on information systems. It also poses a challenge for OTS and the other
financial institution regulators who are responsible for ensuring the Year 2000 readiness of
thrifts, banks, and credit unions. Regulators have a monumental task in making sure that
financial institutions have adequate guidance in preparing for the Year 2000 and in providing a
level of assurance that such guidance is being followed. Further, regulators will likely face some
tough decisions on the readiness of individual institutions as the millennium approaches. We
found that OTS is taking the problem very seriously and is devoting considerable effort and
resources to ensure the thrifts it oversees mitigate Year 2000 risks. It has been very emphatic in
alerting thrifts to the Year 2000 problem, conducted a high-level assessment of the industry's
Year 2000 readiness, and is in the process of making more detailed assessments.
Despite aggressive efforts, OTS--like the other regulators--still faces significant challenges in
providing a high level of assurance that individual thrifts will be ready. In fact, the problems we
found at OTS are generally the same as those found at the other regulators we reviewed. First,
OTS was late in addressing the problem and consequently, is behind the Year 2000 schedule
recommended by both GAO and the Office of Management and Budget (OMB). In addition, key
guidance--being developed under the auspices of FFIEC--needed by thrifts and other financial
institutions to complete their own preparations is also late which, in turn, could potentially hurt
individual institutions' abilities to address Year 2000 issues. Finally, OTS needs to better assess
whether it has an adequate level of technical resources (staff) to evaluate the industry's Year 2000
efforts. These problems hinder the regulators' ability to develop more positive assurance that
institutions will be ready for the century date change. However, the regulators cannot turn the
clock back and start again. Consequently, the challenge for them at this point is how can they
use their resources from here to the millennium to ensure that thrifts, banks, and credit unions
mitigate Year 2000 risks.
OTS has done much to mitigate the risk to its mission critical, internal systems. In fact, it has
already renovated, tested, and implemented 13 of its 15 mission-critical systems. However, it
has not yet completed contingency plans--which should have been completed by mid-1997 as
part of the assessment phase--necessary to ensure business continuity in case system renovations
or replacements are not completed in time or do not work as intended. Such plans are expected
within the next 3 months. Compounding this problem is the fact that OTS has not developed a
comprehensive Year 2000 conversion program plan providing a clear understanding of the
interrelationships and dependencies among the automated systems that support, for example, its
supervisory functions, office equipment, and facilities. Such a plan provides added assurance
that all systems and interrelationships are assessed and corrected, mitigating the risk that systems
will not operate as intended in the year 2000 and beyond.
We are making recommendations to strengthen both the OTS examination process and its internal mitigation processes. Further, we are making recommendations designed to sharpen OTS' strategy for focusing its limited resources over the limited time remaining.
Located organizationally within the Department of the Treasury, the Office of Thrift Supervision
through its 5 regional offices supervises 1,210 federal and state chartered, savings institutions--commonly called thrifts--to maintain the safety, soundness, and viability of the industry. Thrifts
primarily emphasize residential mortgage lending and are an important source of housing credit.
Most of these institutions have assets of under $500 million and are locally owned and managed.
Together, they are responsible for about $770 billion in assets. As part of its goal of maintaining
safety and soundness, OTS is responsible for examining and monitoring thrifts' efforts to
adequately mitigate the risks associated with the century date change. To ensure consistent and
uniform supervision on Year 2000 issues, OTS and the other regulators coordinate their
supervisory efforts through FFIEC. For example, the regulators jointly prepared and issued a
August 1996 FFIEC letter to banks, thrifts, and credit unions informing them of the Year 2000
problem and it potential adverse impacts. Together they also developed and issued in May 1997
an FFIEC examination program and guidance on how to use it. More recently, the regulators
established an FFIEC working group to develop guidance on mitigating the risks associated with
using contractors that provide automated systems services and software to thrifts.
According to OTS, virtually every insured financial institution relies on computers--either their
own or those of a third-party contractor--to provide for processing and updating of records and a
variety of other functions. Because computers are essential to their survival, OTS believes that
all its institutions are vulnerable to the problems associated with year 2000. Failure to address
Year 2000 computer issues could lead, for example, to errors in calculating interest and
amortization schedules. Moreover, automated teller machines may malfunction, performing
erroneous transactions or refusing to process transactions. In addition, errors caused by Year
2000 miscalculations may expose institutions and data centers to financial liability and loss of
customer confidence. Other supporting systems critical to the day-to-day business of thrifts may
be affected as well. For example, telephone systems, vaults, security and alarm systems could
malfunction.
In addressing the Year 2000 problem, thrifts must also consider the computer systems that
interface with, or connect to, their own systems. These systems may belong to payment system
partners, such as wire transfer systems, automated clearing houses, check clearing providers,
credit card merchant and issuing systems, automated teller machine networks, electronic data
interchange systems, and electronic benefits transfer systems. Because these systems are also
vulnerable to the Year 2000 problem, they can introduce errors into thrift systems.
In addition to these computer system risks, thrifts also face business risks from the Year 2000. That is exposure from its corporate borrower's inability to manage their own Year 2000 compliance efforts successfully. Consequently, in addition to correcting their computer systems, thrifts have to periodically assess the Year 2000 efforts of large corporate customers to determine whether they are sufficient to avoid significant disruptions to operations. OTS and the other regulators established an FFIEC working group to developing guidance on assessing the risk corporate borrowers pose to thrifts.
OTS has taken a number of actions to raise the awareness of the Year 2000 issue among thrifts and to assess the Year 2000 impact on the industry. To raise awareness, OTS formally alerted thrifts in August 1996 to the potential dangers of the Year 2000 problem by issuing an awareness letter to thrift Chief Executive Officers. The letter, which included a statement from the interagency Federal Financial Institutions Examination Council, described the Year 2000 problem and highlighted concerns about the industry's Year 2000 readiness. It also called on thrifts to perform a risk assessment of how systems are affected and develop a detailed action plan to fix them.
In May 1997, OTS, along with the other regulators, issued a more detailed awareness letter which
As of November 30, 1997, OTS had completed its initial assessment of all thrifts for which it has
supervisory responsibility. In conducting this assessment, OTS performed off-site examinations
of the thrifts that addressed whether (1) their systems were ready to handle Year 2000
processing, (2) they had established a structured process for correcting Year 2000 problems, (3)
they prioritized systems for correction, (4) they had determined the Year 2000 impact on other
internal systems important to day-to-day operations, such as vaults, security and alarm systems,
elevators, and telephones, (5) they had estimated Year 2000 project costs and targeted sufficient
resources, (6) their milestones for renovating and testing mission critical systems were consistent
with those recommended by FFIEC, and (7) they had been closely tracking the progress of
service bureau and vendor Year 2000 remediation efforts. Thrifts were also asked to submit
Year 2000 assessment reports, action plans, and their most recent progress report.
According to OTS, this assessment showed that the thrift industry was generally aware of and
addressing the potential impact of Year 2000. For example, 94 percent of thrifts had assigned
Year 2000 oversight duties or a senior officer or committee and 90 percent were then developing
a Year 2000 action plan. However, OTS did find that about 170 thrifts were designated at high
risk due to poor performance in conducting awareness and assessment phase activities.
OTS is following up on this initial assessment with on-site exams to all thrifts to be completed
by the end of June 1998. To help thrifts prepare for these visits, OTS developed a detailed Year
2000 checklist. It is a self-assessment tool addressing the 5 phases of the Year 2000 correction
process and about 10 other areas including reliance on vendors and borrowers' credit risk that
informs thrifts of key activities to be performed and allows them to quantify their progress. OTS
also issued additional examination guidance and procedures to supplement those of the FFIEC.
This supplemental guidance, if implemented correctly, will address the FFIEC examination
procedure shortcomings (i.e., lack of detailed questions, vague terminology) reported in our
previous testimony.
To ensure OTS completes the on-site visits by June 1998, each regional office has been given the
authority to establish its own plans for assessing institutions. OTS' national Year 2000
coordinator is currently reviewing regional plans to assess their reasonableness. To make sure
regions stay on track, the coordinator is monitoring regional progress in completing the on-site
reviews on a bi-weekly basis, and starting in April, on a weekly basis. More recently, on March
13, 1998, OTS issued a memo to the regional offices that among other things reiterated its
supervisory goal of ensuring that the thrift industry becomes Year 2000 compliant and provided
guidance on exam followup for thrifts assigned a Year 2000 rating less than satisfactory.
OTS has also been participating with other regulators to conduct on-site Year 2000 assessments of major data processing servicers and software vendors. These servicers and vendors provide support and products to a majority of financial institutions. OTS and the other regulators expect to complete their first round of servicer and vendor assessments in April 1998. OTS is providing the results of the servicer assessments to OTS-supervised thrifts that use these services. Together with the results of on-site assessments conducted at thrifts, OTS expects to have a better idea of where the industry stands, which thrifts need close attention, and thus, where to focus its supervisory efforts.
As noted in our summary, OTS must successfully address a number of issues to provide adequate
assurance that the thrift industry will meet the Year 2000 challenge. Also noted, these issues for
the most part are similar to those we found at FDIC and NCUA.
First, like the other regulators, OTS is behind in assessing individual institution's readiness. As
with NCUA and FDIC, OTS got off to a late start assessing the readiness of the institutions it
oversees and, consequently, was late in completing assessment phase activities. For example, it
did not complete its initial assessment of all thrifts until November 1997. According to OMB
guidance and GAO's Assessment Guide, these activities should have been completed by the
summer of 1997. Because OTS is behind the recommended timelines, the time available for
assessing institutions' progress during renovation, validation, and implementation phases and for
taking needed corrective actions is compressed.
Second, OTS and the other regulators are still developing key guidance to help institutions
complete their Year 2000 efforts. In their May 1997 letter to thrifts, banks, and credit unions, the
financial regulators recommended that institutions begin (1) developing contingency plans to
mitigate the risk that Year 2000-related problems will disrupt operations and (2) ensuring that
their data processing services, software vendors, and large corporate customers are making
adequate Year 2000 progress.
In recommending these measures, the regulators noted that they have found that some financial
institutions were heavily relying on their service providers to solve their Year 2000 problem.
They outlined an approach for dealing with vendors that included (1) evaluating and monitoring
vendor plans and milestones, (2) determining whether contract terms can be revised to include
Year 2000 covenants, and (3) ensuring vendors have the capacity to complete the project and are
willing to certify Year 2000 compliance. The regulators also noted that all institutions--even
those who have Year 2000 compliant systems--could still be at risk if they have significant
business relations with corporate customers who, in turn, have not adequately considered Year
2000 issues. If these customers default or are late in repaying loans, then banks and thrifts could
experience financial harm. The regulators recommended that institutions begin developing
processes to periodically assess large corporate customer Year 2000 efforts and to consider
writing Year 2000 compliance into their loan documentation.
The regulators agreed to provide guidance on contingency planning and dealing with vendors
and borrowers. The guidance on vendors and borrowers is expected to be issued in mid-March
1998 and the contingency planning guidance by the end of April 1998. As noted in our last
testimony, these time lags in providing guidance increase the risk that thrifts have taken little or
no action on contingency planning and dealing with vendors and corporate borrowers in
anticipation of pending regulator guidance. Moreover, in the absence of guidance, thrifts may
have initiated action that does not effectively mitigate risk of Year 2000 failures.
Third, although OTS has been working hard to assess industrywide compliance, it has yet to
determine the level of technical resources needed to adequately evaluate the Year 2000
conversion efforts of the thrifts and vendors who service them. Instead, OTS is using its existing
resources to perform the evaluations. Specifically, OTS is using its 24 information systems
examiners to (1) evaluate the progress of the roughly 250 institutions with in-house or complex
systems; (2) work with systems examiners from the other regulators to assess the progress of
about 260 computer centers of data processing vendors that service thrifts, and (3) assist 84 OTS
safety and soundness examiners with their evaluations of the remaining 1,000 institutions that
rely heavily or entirely on vendors. As institutions and vendors progress in their Year 2000
efforts, we are concerned that the evaluations of the examiners will increase in length and
technical complexity, and put a strain on an already small pool of technical resources. Without
sufficient resources, OTS could be forced to slip its schedule for completing the current on-site
exams or worse, reduce the scope of its evaluations in order to meet its deadline. In the first
case, institutions would be left with less time to remediate any deficiencies. In the second, OTS
might overlook issues that could lead to failures. In either case, the risk of non-compliance by
thrifts and service bureaus--and the government's exposure to losses--is significantly increased.
OTS officials told us they are in the process of adding four additional systems examiners. They also believe that it is effective to use its safety and soundness examiners to perform Year 2000 assessments at the thrifts not visited by the system examiners. Finally, these officials expressed concern that even if they could hire more technical examiners, it is very hard to find and hire staff with these skills. However, without the requisite analysis, OTS cannot know whether adding four additional examiners will meet it needs. In addition, by using safety and soundness examiners, OTS runs the risk of having examiners make incorrect judgments about the readiness of thrifts. This risk will only increase as we get closer to the millennium because the latter phases of correction--renovation, testing and implementation--take a higher level of technical knowledge to asses whether these steps are performed correctly.
Challenge for Regulators Is How to Effectively Use
Their Resources During Remaining Time
Looking forward the challenge for OTS--and the other regulators--is to make the best use of
limited resources in the time remaining. The challenge is immense: thousands of financial
institutions, numerous service providers and vendors, and a finite number of examiners and time
to address the problem. By mid-1998, however, OTS and the other regulators should have
available a good picture of how their industry stands. The on-site examinations will be complete
as will the assessment of vendors and service providers.
This information should provide good definition as to the size and magnitude of the problem. That is, how many institutions are at high risk of not being ready for the millennium and require immediate attention and which service providers are likely to be problematic. Further, by carefully analyzing available data, OTS should be able to identify common problems or issues that are generic to thrifts that are of similar size, or use specific service providers, etc. This in turn will allow regulators to better able to develop a much better understanding of which areas require attention and where to focus limited resources. In short, regulators have an opportunity to regroup, develop specific strategies, and have a more defined sense of where the risks lie and the actions required to mitigate those risks.
OTS internal systems are critical to the day-to-day operation of the agency. For example, they
facilitate the collection of thrift assessments; monitor the financial condition of thrifts; provide
the Congress and the public with thrift mortgage activity; schedule and track examinations; and
calculate OTS employee payroll benefits. As with the other regulators, the effects of Year 2000
failure on OTS could range from annoying to catastrophic. OTS system failures could, for
example, result in inaccurate or uncollected assessments, inaccurate or unpaid accounts payable,
and miscalculated payroll and benefits. Because of the systems' importance, Treasury hired a
contractor to assess OTS' internal Year 2000 efforts, and the contractor reported its results in
October 1997.
The contractor reported that OTS had made good progress in completing its assessment phase
activities and was well underway in performing renovation and testing for selected systems. We
also found that OTS was making substantial progress in remediating its systems. For example,
13 of OTS' 15 mission critical systems have already been renovated, tested, and implemented.
The remaining two--the Home Mortgage Disclosure Act system and the Interest Rate Risk
systems--are expected to be completed by the end of this year. OTS has also inventoried and
assessed the non-mission critical systems that were developed and maintained outside the
Information Resources Management office at OTS' headquarters. In addition, it has assessed
other electronic equipment important to day-to-day operations, such as telecommunications
equipment, office equipment, security systems, and personal computers and made plans to
modify or replace the equipment it identified as being noncompliant.
Despite OTS' good efforts to convert its internal systems, the contractor found that OTS had not
prepared contingency plans as part of its assessment phase activities and recommended that it
develop such plans. As of the time of our work, OTS had not yet implemented this
recommendation. It was still developing these plans to ensure continuity of operations in the
event its remediated systems fail or the two systems being renovated are not fixed in time. Our
Assessment Guide calls on agencies to initiate contingency plans during the assessment phase so
that they have enough time to (1) identify the manual or other fallback procedures, (2) define the
specific conditions that will cause the activation of these procedures, and (3) test the procedures.
The agency expects to complete these plans by the middle of 1998.
Our final concern is that, even though OTS has corrected the majority of its mission critical
systems and is making good progress toward remediating other systems and equipment, it does
not have a comprehensive Year 2000 program plan. To its credit, the agency has prepared plans
for correcting its systems and has been reporting its progress to Treasury on a monthly basis.
However, OTS did not develop a single plan providing a clear understanding of the
interrelationships and dependencies among the automated systems that support its business
operations such as thrift supervision, office equipment, payroll, and facilities. Instead, OTS
officials told us they prepared separate plans for (1) systems operated and maintained by the
Information Resources Management office, (2) systems operated and maintained by other offices
and regions, and (3) office equipment and facilities. Without an integrated plan, OTS cannot not
provide assurance that all systems and interrelationships had been assessed and corrected. This
increases the risk that systems will not operate as intended in the year 2000 and beyond.
- - - - - -
In conclusion, Mr. Chairman, we believe that OTS has a good appreciation for the Year 2000
problem and has made significant progress, especially with regard to its effort in correcting its
own systems. However, OTS and the other regulators are facing a finite deadline that offers no
flexibility. OTS needs to take several actions to improve its ability to enhance the ability of
thrifts to meet the century deadline with minimal problems and to enhance the agency's ability to
monitor the industry's efforts and to take appropriate and swift measures against thrifts that are
neglecting their Year 2000 responsibilities. We, therefore, recommend that OTS
work with the other FFIEC members to complete their guidance to institutions on mitigating
the risks associated with corporate customers and reliance on vendors. Further, OTS should
work with the other FFIEC members to complete the contingency planning guidance by its April
1998 deadline.
Additionally, a combination of factors--including starting the thrift assessment process late and
issuing more specific guidance to thrifts at a relatively late date--are hindering OTS' and the
other regulators' ability to develop more positive assurance that their institutions will be ready for
the year 2000. Accordingly, we recommend that OTS work with the other FFIEC members to
develop in an expeditious manner, more explicit instructions to thrifts for carrying out the
latter stages of the Year 2000 process--renovation, validation, and implementation--which are the
critical steps to ensuring Year 2000 compliance.
Because OTS and the other regulators will have more complete information on the status of
institutions, servicers, and vendors by mid-1998, we recommend that OTS work with the other
FFIEC members to
develop a tactical plan that details the results of its assessments and provides a more explicit
road map of the actions it intends to take based on those results. This should include an
assessment of the adequacy of OTS' technical resources to evaluate the Year 2000 efforts of the
thrifts and the servicers and vendors that service them.
Finally, with regard to OTS' internal systems, we recommend that the Director instruct the
agency to develop (1) contingency plans for each of OTS' mission critical systems and core
business processes and (2) a comprehensive Year 2000 program plan.
Mr. Chairman, that concludes my statement. We welcome any questions that you or Members of
the Subcommittee may have.
1.The Year 2000 problem is rooted in the way dates are recorded and computed in automated information systems. For the past several decades, systems have typically used two digits to represent the year, such as "97" representing 1997, in order to conserve on electronic data storage and reduce operating costs. With this two-digit format, however, the year 2000 is indistinguishable from 1900, or 2001 from 1901, etc. As a result of this ambiguity, system or application programs that use dates to perform calculations, comparisons, or sorting may generate incorrect results, or worse, not function at all.
2. Year 2000 Computing Crisis: National Credit Union Administration's Efforts to Ensure Credit Union Systems Are Year 2000 Compliant (GAO/T-AIMD-98-20, October 22, 1997); Year 2000 Computing Crisis: Actions Needed to Address Credit Union Systems' Year 2000 Problem (GAO/AIMD-98-48, January 7, 1998); and Year 2000 Computing Crisis: Federal Deposit Insurance Corporation's Efforts to Ensure Bank Systems Are Year 2000 Compliant (GAO/T-AIMD-98-73, February 10, 1998).
3. Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14, September 1997). Published as an exposure draft in February 1997 and finalized in September 1997, the guide was issued to help federal agencies prepare for the Year 2000 conversion. It advocates a structured approach to planning and managing an effective Year 2000 program through five phases: (1) raising awareness of the problem, (2) assessing the extent and severity of the problem, and identifying and prioritizing remediation efforts, (3) renovating, or correcting, systems, (4) validating, or testing, corrections, and (5) implementing corrected systems. The guide also stipulates that interfaces with outside organizations be identified and agreements with these organizations executed for exchanging Year 2000-related data. Contingency plans must be prepared during the assessment phase to ensure that agencies can continue to perform even if critical systems have not been corrected. GAO and the Office of Management and Budget established a schedule for completing each of the five phases, including requiring agencies to complete assessment phase activities last summer and the renovation phase by mid to late 1998.
4. FFIEC was established in 1979 as a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions, and to make recommendations to promote uniformity in the supervision of these institutions. The Council's membership is composed of the federal bank regulators--FDIC, the Federal Reserve System, and the Comptroller of the Currency--plus the regulators for credit unions and thrift
institutions--the National Credit Union Administration and the Office of Thrift Supervision, respectively.
Home | Menu | Links | Info | Chairman's Page