I. Introduction
Mr. Chairman and members of the Subcommittee, good morning and thank you for the invitation
to discuss the Office of Thrift Supervision's preparedness in addressing the Year 2000 computer
problem. As you stated at a hearing before the Subcommittee this past October, Mr. Chairman,
"the Year 2000 problem is more than a computer problem; it is a pervasive business issue for
which there is no quick fix. Businesses rely on computer systems for nearly every aspect of their
operations." As you noted, "virtually every business in this country will face a stream of
potential direct and contingent liabilities based on the failures of their own systems or those of
their business partners."
The Year 2000 problem is critical for financial institutions, which rely heavily--and in many
instances, virtually exclusively--on computer systems to communicate sensitive financial and
transactional data to and from customers and other institutions, as well as to process transactions
and maintain customer information. The Office of Thrift Supervision ("OTS") has expended
considerable resources on the Year 2000 issue. We have budgeted even more in the coming
months to address the many different problems that both the industry and the agency must
confront as the calendar turns.
I want to thank Chairmen D'Amato and Bennett and the members of this Subcommittee for your
continuing focus on addressing the Year 2000 computer challenges faced by the federal banking
agencies and the financial institutions we regulate. Chairman Bennett and his staff have invested
substantial time and effort on this issue, and their contributions to this important matter are much
appreciated. I would also like to thank Chairman Bennett and Senator Dodd for their work in
securing passage of H.R. 3116, which is particularly important to our continuing efforts to
prepare the thrift industry for Year 2000 computer compliance.
In my testimony today, I will first describe our internal Year 2000 compliance efforts. This
includes an assessment of where we are with respect to our Year 2000 conversion efforts on our
15 mission critical systems, as well as our physical infrastructure systems. Next, I will discuss
our efforts to ensure that our regulated institutions are taking the necessary steps to achieve Year
2000 compliance. This includes background on our efforts to educate our regulated thrifts on
what they need to do to address the Year 2000 problem and to encourage them via our outreach
efforts to take the necessary steps; our examination work to monitor thrift industry Year 2000
compliance efforts; our current thinking on enforcement actions that may be needed for
institutions that fail to take the necessary steps to achieve Year 2000 compliance; and the current
state of our contingency planning. Finally, I will respond to the specific issues raised by the
General Accounting Office ("GAO") in connection with its assessment of the OTS's
preparedness for the Year 2000.
Before proceeding, I want to thank the GAO for their candor and assistance in helping us to
identify the areas they believe we can improve upon in our Year 2000 efforts. They have
provided many valuable insights.
II. Internal Year 2000 Progress
A. Mission Critical Systems
In addition to monitoring industry efforts to address Year 2000 problems, the OTS is actively
addressing the conversion of our internal systems. OTS program managers in charge of the
various internal Year 2000 efforts report regularly to senior management and to me on their
progress and pending issues. We have made substantial progress toward accomplishing our
internal Year 2000 goals. In 1996, we completed an assessment of our national systems and
developed a conversion plan to complete all coding efforts by the end of 1998. I am pleased to
report that approximately 89 percent of necessary computer code modifications have been
completed, tested and implemented.
The OTS has fifteen mission critical national systems that support the key functions of the
agency. Examples of our mission critical systems include the Thrift Financial System and
Interest Rate Risk System that support the financial monitoring and risk management functions;
the Examination Data and Corporate Structure systems that support the regulatory functions; and
the Assessment Billing, Accounting and Payroll systems that support the administrative function
of the agency. Thirteen of these systems have been renovated and implemented with the Year
2000 changes. Modifications to the remaining two are scheduled to be completed by November
of 1998.
We began validation testing of converted systems in September 1997, at our disaster recovery
site. For three days, the renovated systems operated under dates ranging from December 31,
1999 to June 1, 2000. This validated the date rollover from December 1999 to January 2000 and
also enabled us to test leap year items and quarterly process functions. The tests were successful,
identifying only a few small, but easily correctable problems that have been addressed.
The final step in our process to make our mission critical systems Year 2000 compliant involves
contingency planning to address the situation if, despite our expectations, one or more of our
systems experience a Year 2000 failure. We expect to complete a contingency plan for
addressing this possibility by mid-year 1998. A necessary part of this effort involves
incorporating any problems we have identified so far during validation testing. Thus, feedback
from our validation testing will be a critical component in structuring our contingency planning
efforts. We believe that our plan will be more comprehensive, and that we will be better
prepared by having the benefit of these test results before proceeding. The plan will address each
mission critical system and include special testing procedures and support requirements for the
century date change.
In addition to work on our mission critical systems, another significant Year 2000 compliance
effort involves working with the third-party vendor that provides us with electronic filing
software used by our regulated institutions for financial reporting purposes. Since this requires a
reliable interface between the agency and the regulated institutions, this is an important aspect of
our ability to receive financial data from these institutions. Currently, we are working with the
software vendor to ensure that the software is Year 2000 compliant for the industry's 1998
reporting cycles. The testing has been completed and the new software is scheduled to be mailed
to the industry by March 20, 1998.
B. Infrastructure
Another important aspect of our internal Year 2000 compliance efforts involves identifying and
fixing the various parts of our physical infrastructure that must be made Year 2000 compliant.
Infrastructure issues were identified by using a checklist provided initially by the Treasury
Department, as well as thorough physical inspection of Washington and regional offices to
determine any equipment or systems that were not included as part of that checklist. Using the
resulting list of items and systems, we have identified equipment and systems as being non-Year
2000 compliant. Examples of items found to be non-compliant include some telephone and
voice mail systems, a security card access system, a postage scale and a few fax machines. All
items, with the exception of the fax machines are scheduled for modification during 1998. The
fax machines are scheduled for replacement in 1999.
In addition, 100 percent of our Washington building systems, including elevators, heating and air
conditioning controls, emergency systems, and electrical distribution systems have been
identified by their manufacturers to be Year 2000 compliant. Actual testing of all systems,
including those identified as Year 2000 compliant by their manufacturer, will occur throughout
1998.
C. Year 2000 Costs for OTS Systems and Infrastructure
We have estimated that the total costs that will be incurred in connection with ensuring that our
mission critical and related systems and our physical infrastructure are Year 2000 compliant will
be approximately $1,290,000. Of this amount, approximately $899,000 has already been spent,
with another $391,000 budgeted for fiscal year 1998 through 2000. In the event that actual costs
exceed our projected outlays, we believe we have sufficient funds available to cover any shortfall
in our estimates.
III. Industry Activities
A. Education and Encouragement
Our first formal effort to enhance industry awareness about Year 2000 issues began in the
summer of 1996 when the OTS, along with the other financial institution regulators represented
on the Federal Financial Institutions Examination Council ("FFIEC"), sent the banking, thrift and
credit union industries a statement alerting them to computer system risks that may arise from the
calendar year 1999 rollover into the next century. The FFIEC statement stressed the need for
early, careful planning by institution management to develop an action plan for identifying Year
2000 issues and implementing programs to effectuate Year 2000 compliance in a timely manner.
It also included guidelines for financial institutions to follow in their efforts to ensure that
computer systems will function properly and without disruption when the calendar rolls over to
the next millennium.
In May 1997, the FFIEC agencies sent a follow-up industry advisory highlighting the need for
institutions to make all information processing systems Year 2000 compliant and specifically
identifying concerns that should be considered in managing a Year 2000 project plan. The
statement provided an outline of the Year 2000 project management process, an identification of
external risk issues that a Year 2000 project plan should consider, other operational issues that
may be relevant to Year 2000 planning, and a description of the supervisory strategy that would
be followed by the federal banking agencies.
In December 1997, the OTS and the other FFIEC agencies sent out additional safety and
soundness guidelines that focused primarily on Year 2000 business risks. This guidance
emphasized that the preparation for Year 2000 is more than a computer system issue. It is an
enterprise-wide challenge that must be addressed at the highest levels of management. The
advisory established specific expectations for senior management and the board of directors of
financial institutions for addressing the business risks associated with the Year 2000 problem.
This week, the OTS and the other FFIEC agencies are issuing guidance to address two potential
areas of Year 2000 exposure for financial institutions--risks posed by service providers and
software vendors, and risks from customers of financial institutions, including funds providers.
The guidance relating to service providers and software vendors encourages financial institutions
to develop a due diligence process. That process includes identifying mission critical services
and products provided by these entities, monitoring procedures to verify that these entities are
taking appropriate Year 2000 actions, establishing contingency plans, and testing services and
products.
The guidance further stresses that financial institutions should require well-defined objectives,
testing approaches, and testing schedules from these entities. It also encourages management to
join forces and coordinate group efforts to evaluate the performance and testing methodologies of
service providers and software vendors, to participate in testing efforts to the extent possible, and
to evaluate contingency plans. These joint efforts may help financial institutions more
effectively solicit information and demand performance from service providers and software
vendors. In cases where financial institutions encounter difficulties with their service providers
and software vendors, they are advised to report these problems to their primary federal
regulatory agency.
The customer risk guidance helps financial institutions develop a process to identify material
customers, evaluate their Year 2000 preparedness, assess their Year 2000 credit risks, and
implement controls to manage any risk exposure. The guidance recognizes that this process will
vary on a case-by-case basis depending on the size of the institution and the size and
technological sophistication of its customers. The guidance includes sample forms and
questionnaires to assist financial institutions in evaluating and monitoring the Year 2000
preparedness of their customers.
The FFIEC agencies are also in the process of drafting additional advisories and expect to issue
testing guidance in the next few weeks, and contingency planning guidance toward the end of
April.
As each of these FFIEC advisories is released, the OTS transmits them to the industry. We
highlight the contents of the advisory and reinforce our commitment to oversee the industry's
Year 2000 preparations and compliance efforts. In addition, our regional offices have
supplemented the national letters with supervisory notices and bulletins of their own, and have
distributed copies of the Federal Reserve Board's Year 2000 Awareness videotape to each OTS-regulated thrift.
The OTS, both in conjunction with the other FFIEC agencies and on its own, has taken every
opportunity to speak directly with the thrift industry and its service providers about the Year
2000 issue. For example, in May 1997, our Northeast Region held a Year 2000 symposium that
attracted over 100 thrift institution representatives and 29 service providers. On November 10,
1997, the FFIEC sponsored a conference, in which about 40 service providers participated, to
establish an ongoing dialogue on Year 2000 related issues and to communicate agency
expectations to data processing and software providers. On January 13, 1998, the FFIEC
agencies sponsored their third interagency Year 2000 meeting with about a dozen financial
institution trade associations and one service provider trade association. All of these efforts have
addressed the needs of financial institutions in their efforts to become Year 2000 compliant.
In addition, since being sworn in as Director of the OTS less than five months ago, I have given
at least 20 speeches--to both large and small groups of thrift executives--that have emphasized
the Year 2000 problem. In numerous press interviews, I have also continually stressed the
importance of the Year 2000 issue. Similarly, my staff has been very outspoken on the Year
2000 problem. Since September of last year, Washington and regional staff have given over 40
presentations on Year 2000 issues at meetings and conferences with thrifts and industry groups.
Looking forward, on June 2, 1998, our Northeast regional office will host a symposium in New
York City entitled "Facing the Year 2000 Challenge Together." The region will build on the
success of its prior symposium held in May 1997 by reinforcing the assessment, inventory and
conversion/renovation stages of the Year 2000 process and, most importantly, featuring timely
information on the critical testing phase and contingency planning process.
We are very pleased that Mr. John Koskinen, Assistant to the President and Chair of the
President's Council on Year 2000 Conversion, will be the keynote speaker. Other program
participants will include a member of the Senate Banking Committee staff, select financial
institution representatives who are making progress towards Year 2000 compliance, and data
processing service providers.
We expect about 200 CEOs and CIOs of banks and thrift institutions located in the Northeast to
attend. We will be videotaping the conference and making copies available to financial
institutions, service providers, software providers, our other regional offices, and other agencies.
We are also exploring the possibility of linking other locations in the country to the symposium
via teleconferencing.
We are also working closely with industry trade associations that are coordinating conferences on
Year 2000 issues and facilitating communications within the financial institutions industry as a
whole. The OTS, in cooperation with the FDIC and America's Community Bankers ("ACB")
presented three Year 2000 conferences to approximately 400 of ACB's member institutions in
February and March in Los Angeles, Chicago, and in Washington, D.C. The conferences,
entitled "Countdown 2000: Is Your Bank Ready?" included presentations by OTS officials on
business risk, examination issues, testing, and contingency planning. Also in March, the OTS
will discuss how the regulators are preparing for the Year 2000 at a conference sponsored by the
Association for Financial Technology. During May, the OTS and the other FFIEC agencies, in
cooperation with industry trade associations will conduct five "vendor" conferences around the
country. These conferences will emphasize to vendors the agencies' expectations for Year 2000
compliance.
In August 1997, the OTS added a Year 2000 page to its web site. The Year 2000 page includes
an electronic checklist that helps institution management monitor internal progress toward
completing a Year 2000 renovation project. We have received feedback from service providers
and institution management indicating that this is a useful management tool. We have already
made one major revision to the checklist and will continue to devote our information services
resources to keep the checklist current with the best practices of the industry as those emerge.
We have developed a new product called "Prudent Practices for Y2K Testing" that will be added
to our web site shortly. The page also includes links to the FFIEC web site where the FFIEC
Year 2000 advisory statements and other relevant information and links are maintained.
The OTS is also publishing a monthly newsletter devoted to Year 2000 issues. The first edition
of the newsletter, which is called "MMillennium," was released to the thrift industry in January
of this year. Copies of the January and February editions are attached to this statement. We
adopted the newsletter approach to provide another way to keep the industry aware of Year 2000
issues and to urge the industry proactively to address potential problems. It also provides the
industry with insight into what the OTS is doing to address the Year 2000 problem, and
encourages a more open dialogue with our institutions so that we can do even more to help them
address problems.
The OTS's Year 2000 Working Group will continue to work internally, with the FFIEC agencies
and with other government agencies, to assess whether there are additional issues or other
matters requiring guidance to the industry and the best means for delivering the needed
information.
B. Examination Efforts
The most important aspect of our Year 2000 work is examining the institutions we regulate to
determine and evaluate their progress. Our initial round of examinations coincided with the
"Awareness" and "Assessment" phases of the FFIEC's 5-phase program guidelines for Year
2000 compliance set forth in its May 1997 policy statement.
To evaluate each institution's exposure to Year 2000 risks and its strategy for managing those
risks, the OTS performed 1,211 supplemental off-site compliance examinations between May
and November 1997. In conducting these examinations, our regional offices sent each thrift
institution a supplemental examination program and requested responses by September 30, 1997.
Examiners carefully reviewed the responses to ascertain the degree of industry awareness of
potential Year 2000 rollover problems and the adequacy of institution planning for renovation,
testing and implementation. The depth and detail of the requested information far surpassed that
called for by the FFIEC procedures.
OTS examiners then conducted follow-up inquiries, as necessary, of institutions that either
provided insufficient data or appeared particularly unaware of, or unprepared to address, Year
2000 compliance issues. Upon completion of the follow-up inquiries, we prepared a Report of
Examination or letter for the board of directors of each institution, and entered key elements and
conclusions from the examinations into a national database.
Results from the initial off-site assessment examinations conducted in 1997 were encouraging.
They showed that the thrift industry generally was aware of and addressing the potential impact
of the Year 2000 calendar rollover. For example, 94 percent of thrifts had then assigned Year
2000 oversight duties to a senior officer or committee and 90 percent of thrifts were developing a
Year 2000 Action Plan. Based on the information thrift managers provided, OTS examiners
rated 85 percent of thrifts as having average-or-better awareness and average-or-better
commitment to resolution. Also encouraging was the finding that conversion efforts, including
those by those thrifts that are also considered service providers, were well underway for 45
percent of the industry. At a few thrifts (1 percent of the industry) that started their Year 2000
projects early, renovation efforts were essentially complete, subject only to additional testing of
various interfaces with other parties.
Nonetheless, there were concerns at 15 percent of the thrifts regulated by the OTS, primarily the
absence of Action Plans and reliance on vendors that was not buttressed by due diligence efforts.
Other common concerns for these thrifts and for those assigned an "average risk" rating were
incomplete Action Plans; inadequate planning for testing; and the absence of contingency
planning. In addition, often the assessment of other items that can be adversely affected by the
calendar year rollover, such as telephones and environmental controls (HVAC), was planned for
the near future but had not yet started. The examiners also noted some lack of understanding
about interfaces and about credit risk. Finally, even for those serviced institutions attempting
due diligence, information obtained to date from vendors did not always provide sufficient
information about renovation approaches and testing opportunities and plans.
One of our findings from these examinations paralleled a common finding of other agencies and
trade groups. That is, in general, Year 2000 matters had not been addressed as aggressively by
smaller thrifts as they have been by larger ones. There are some small and medium-sized thrifts
with excellent Year 2000 Action Plans and some large thrifts with Year 2000 efforts lagging in
one or more respects. But a relatively larger percentage of smaller thrifts (than larger thrifts) had
yet to demonstrate a vigorous approach to Year 2000 oversight and remediation.
We are now well into our second round of Year 2000 compliance examinations, which coincides
with the "Renovation" phase of the Year 2000 project management plan noted in the FFIEC's
May 1997 policy statement. We have instructed our regional offices to commence the last of
these examinations no later than mid-June 1998. Examination reports will be written, reviewed,
and transmitted to the institutions as soon as practicable after completion of each examination
conducted during this second round of examinations.
Institutions identified in the first round of supplemental assessment examinations as lagging in their Year 2000 awareness and assessment were queued up early in the second round examinations so that, if needed, examiners could return for further field visits or examinations by July 1, 1998. This second round of examinations will help us better assess each institution's actual renovation track record and prospects for timely completion of their Year 2000 renovation efforts. This will help us prioritize later rounds of Year 2000 examinations that will focus on testing and implementation of Year 2000-ready applications.
In conducting these examinations, our examiners are using the Year 2000 examination
procedures enclosed with the May 1997 FFIEC policy statement to establish a consistent starting
point for the on-site review of each institution. As these examinations proceed, our examiners
have been directed to supplement the FFIEC procedures with steps designed to respond to
specific fact circumstances as their initial findings are developed and the level of risk at a
particular institution becomes more apparent.
For example, the first step in the FFIEC program calls for the examiner to "[d]etermine the
organization's source of information systems support for hardware . . . and related applications
and operating system software. Note whether information systems processing is provided
internally, externally, or a combination of both." The information obtained by the examiner is
cross-checked to our national IS databases and in the examination workpapers. These databases
help us respond more quickly and effectively as problems surface with particular vendors or
application types.
OTS requires its examiners to complete two steps that are not part of the FFIEC program--to
review recent reports of examination on the thrift's vendors and to complete a 39-question
Internal Assessment Survey. Responses are entered into a national database which is used to
monitor Year 2000 conditions in the thrift industry and to respond to inquiries from members of
Congress and others. The database information also helps us identify problem areas. We
address those problems by adjusting our examination efforts and by discussing the concerns in
presentations to industry and trade groups and in our Year 2000 newsletter. The database may
also reveal areas where thrift management needs additional clarification or guidance which can
then be addressed by OTS either separately or with the other FFIEC agencies.
Among other things, the Internal Assessment Survey requires OTS examiners to rate Year 2000
"Awareness," "Assessment," "Contingency Planning," "Renovation," "Testing Plan," "Testing
Progress," "Implementation Plan" and "Implementation Progress." Examiners must also
complete a section on "Mission-Critical Items" and identify specific mission-critical items (e.g.,
hardware, operating systems, applications, etc.) where renovation progress is lacking.
Although the FFIEC program does not explicitly require an examiner to assess each phase of an
institution's Year 2000 Project Management, the examiner must take that approach in order to
complete the Internal Assessment Survey questions and to prepare a Year 2000 Report of
Examination (ROE). The ROE must present the examiner's findings--good, bad or
indifferent--regarding the 5 phases and must also address problems noted under 10 different
areas (e.g., Reliance on Vendors, Data Exchange, etc.). Instructions for the ROE provide
additional guidance and questions which supplement the FFIEC examination program.
Since November 1, 1997, we have commenced on-site Year 2000 examinations at 337 thrift
institutions. Although these examinations involve just 28 percent of the population of thrifts we
regulate, we are on target with our examination scheduling plan. Our regional offices
intentionally scheduled most of these examinations as late in the second cycle as possible to
allow time for additional staff training after the completion of our initial off-site examinations.
Moreover, examinations conducted further into the "renovation" phase will likely produce more
realistic, meaningful and conclusive findings.
Last Friday we sent additional Year 2000 guidance to our regional offices to assist them with
their second round of examinations. This material includes not only examination report
templates, but also a rating system for evaluating Year 2000 progress, and specific detail on data
collection, supervisory follow-up, and enforcement actions. We shared with our GAO evaluators
drafts of this package as it was being developed and asked for their thoughts and comments,
particularly with respect to any supplemental items that they believed might enhance our
examination procedures and improve our industry oversight efforts. Unfortunately, our GAO
evaluators were not able to provide us with any feedback. We will consider sending our regional
offices a revised, supplemental package that incorporates comments that the GAO may
eventually offer to us.
Second round Year 2000 examinations results are still being reviewed by regional staff to ensure the appropriateness and consistency of assigned ratings. For the examinations that have been finalized, we are seeing some slippage in our ratings. While our initial findings in the fall of 1997 indicated concerns at
15 percent of the institutions we regulate, 22 percent of the first 199 institutions rated in the
current round had a "Needs Improvement" rating assigned and another 1 percent was
categorized as "Unsatisfactory." Status reports from our regional offices regarding examinations
in progress suggest the possibility of further slippage.
One reason for the decline in ratings noted to date, and expected in the near-term, is that we used
the results of the initial supplemental examinations to prioritize the second round of
examinations. Not all of the institutions examined for Year 2000 between November and now
exhibited weaknesses in the fall of 1997. Nonetheless, early second round findings are likely
biased by the fact that the pool of institutions includes a disproportionately large percentage of
thrifts where weaknesses had already been detected.
Concerns noted in this round include the fact that some thrifts that are primarily reliant on data
service providers had made little progress in finalizing an action plan that would provide the
appropriate framework to monitor the servicer's efforts as well as efforts by thrift personnel
regarding in-house items. Another common concern was that institutions had not completed the
assessment of their infrastructure.
Findings from a sample of examination reports from the 77 percent of the thrifts where the
examiners assigned "Satisfactory" Year 2000 ratings show those thrifts are actively monitoring
their data service providers and that those servicers are reporting satisfactory progress in
renovating and testing mission critical applications they maintain for the thrifts. Thrift managers
for these shops typically have ascertained how and when their service providers will allow clients
to perform their part of testing. The target dates are generally in compliance with the FFIEC
guidance in some cases, the target dates for renovation, testing and implementation are
substantially in advance of the FFIEC dates, leaving a cushion which would be available should
problems surface in testing or implementation.
Nonetheless, for some of these thrifts, the examiners are making recommendations for further
improvement. Most commonly, these recommendations pertain to contingency planning and
testing strategies. Regarding the former, the thrifts need to move beyond exploring the
possibilities for alternate service providers should their main service provider not be able to
complete renovation and testing before critical dates are reached. They also need to expand their
contingency plans to cover other potential problems that could surface during testing and
implementation. As noted earlier, the FFIEC will be issuing additional guidance on contingency
planning and testing.
In our efforts to marshal our examination resources to address the Year 2000 problem, each of
our regional offices identified and trained a team of safety and soundness ("S&S") examiners to
concentrate solely on Year 2000 work. This special group of 84 examiners, which represents
almost 20 percent of our S&S examination staff, will work with our 24 Information System
("IS") examiners and managers to ensure that the second round of our Year 2000 examinations
are successfully completed. Our regional offices have also trained additional examiners and field
managers who are available to be reassigned to Year 2000 duties should on-site work indicate the
need for back-up assistance.
In addition to assisting our Year 2000 examination work at thrifts, our IS examiners are
examining third party entities that provide data processing services and software applications to
thrifts. The IS managers and examiners also have an active role in training the S&S examiners
and serve as a resource to S&S examiners. The IS examiners also take the lead on Year 2000
examination work at large thrifts that have in-house data systems and those of any size that have
complex data processing environments. OTS regional management is coordinating the efforts of
these examination disciplines to avoid duplication of work at institutions with in-house data
centers.
In addition to our specifically targeted Year 2000 examination efforts, we are looking at Year
2000 issues at all regularly scheduled S&S examinations of our regulated institutions and
examinations of thrift holding companies. S&S examiners have been directed to factor Year
2000 risks and efforts into their assessment of thrift Management/Administration as part of the
Uniform Financial Institution Rating System, also known as "CAMELS." They are also to
consider an institution's exposure to other risks, such as credit risk, that may result from
counterparties being unprepared for the Year 2000.
We will continue to review Year 2000 issues at each thrift examination we conduct until
problems are resolved. As we approach mid-year 1998, we will adjust our examination
procedures to focus more on the final phases of the Year 2000 guidelines set forth in the May
1997 FFIEC Statement--"Validation," which includes testing, and "Implementation."
Finally, in a coordinated FFIEC interagency effort, our IS examiners are currently conducting
Year 2000 examinations of the Multiregional Data Processing Servicers ("MDPS") and Shared
Application Software Review ("SASR") bank software providers. MDPS data centers are large
multiregional data processing servicers that pose a systemic risk to the financial industry should
one or more of these entities fail. The SASR program includes firms that provide stand-alone
customer software and integrated software packages that involve high risk applications for
institutions, such as wire transfers, securities transfers, loans, deposits, and general ledger items.
The FFIEC agencies are cooperating on a large-scale project to complete on-site Year 2000
examination work of all MDPS and SASR firms by early April. Significantly, this group of
targeted companies provides over half of the core data processing products and services used by
the banking and thrift industries. This coordinated, interagency project will ensure that: (1) the
Year 2000 progress of key service providers posing the greatest risks to the industry is measured;
(2) the Year 2000 efforts of these entities are consistently evaluated; (3) Year 2000 compliance
information is shared among the regulatory agencies; and, (4) examination findings of service
providers are shared with client federally insured financial institutions.
C. Enforcement and Contingency Planning
Our examination procedures require examiners to initiate supervisory follow-up whenever
problems are detected or concerns arise. OTS regional management uses appropriate informal
and formal enforcement tools to remedy supervisory problems. Informal enforcement tools
include: (1) increased on-site supervision through supplemental examinations and field visits
focusing primarily on Year 2000 issues; (2) accelerated full-scope examinations; (3) directives to
institution boards of directors through letters and meetings to ensure safe and sound operations;
and (4) required responses from boards of directors containing key dates and milestones for
correcting Year 2000 deficiencies. Formal enforcement tools include supervisory agreements,
cease-and-desist orders ("C&Ds"), temporary C&Ds and civil money penalties.
OTS regional staff have been advised to involve legal counsel early in the process when
problems surface and to establish a proper trail to facilitate the timely issuance of any necessary
formal enforcement actions related to the Year 2000. Of significance is a recent directive that
establishes a rebuttable presumption of a formal enforcement action when an institution is rated
"Unsatisfactory" for Year 2000 purposes. In addition, our Year 2000 training efforts specifically
address enforcement matters such as the need for prompt action whenever problems are cited.
The FFIEC agencies have formed a multi-disciplinary working group that includes
representatives from our respective legal, examination, supervision, and receivership areas. This
task force is developing uniform approaches to contingency plans designed to mitigate systemic
risks. One aspect of our efforts has focused on possible enforcement actions against financial
institutions, service companies, and independent data servicers not meeting the guidelines set
forth in the May 1997 FFIEC Statement. We are taking steps to ensure that our examiners
respond quickly and appropriately through the use of informal supervisory methods as well as
formal enforcement tools, where appropriate.
The unique prospect of an institution failing due to a technological disruption rather than a lack
of capital has prompted an interagency effort to study the specific technical impact that a Year
2000 failure will have on an institution's books, records, systems and operations. The FFIEC
agencies are organizing a team of regulators with a variety of skills and perspectives, including
S&S examiners, information systems examiners, attorneys and accountants to conduct this study.
The goals of this effort are:
to isolate technological failures and identify potential work-around solutions in the event of a
Year 2000 failure;
to ensure consistent application to all institutions and service providers of our supervisory and
resolution strategies;
to develop a better understanding of the interdependencies of depository institution systems;
and
to gain a better understanding of the likely consequences posed by corrupt data that we may
encounter.
On-site visits to selected financial institutions by the study team will begin in early April.
In addition, since April 1997, we have considered Year 2000 preparedness in connection with
our corporate applications process review. In at least one case, we have imposed a general
requirement regarding Year 2000 compliance as a condition of approval. If appropriate, we will
deny applications or impose specific Year 2000 compliance conditions as part of an approval.
We are very close to releasing formal guidance to prospective applicants that incorporate more
stringent requirements relative to Year 2000 issues.
I. Response to GAO Findings
We are very pleased that the GAO recognizes and appreciates the hard work the OTS has put into
its overall Year 2000 campaign, and the efforts we will undertake between now and the
millennium. During our exit meeting on March 10 with our GAO evaluators, we were
particularly pleased with Mr. Brock's statements that overall he saw "a responsible effort going
on here," that on the internal side, his findings unearthed a "couple of nits," and that we were
"not in bad shape with one exception," which related to the contingency plan discussed above.
With regard to our industry supervision efforts, Mr. Brock indicated that his findings were "not
incredibly significant."
We are also encouraged by the positive and cooperative working relationship we established with the GAO evaluators on this review. We believe that much can be gained from having others look at our work, and welcome the independent critique GAO provides. We look forward to working with
Mr. Brock's team as our Year 2000 work continues.
Mr. Chairman, we understand the pressing urgency of this GAO review, as well as those being
conducted of the other banking regulatory agencies regarding Year 2000 preparations. I am sure
you can appreciate that we want to do the best job we can, and to be as responsive as possible to
you and your colleagues. Clearly, we would have preferred more time to prepare for this
hearing, and would have appreciated the opportunity to carefully review the written findings of
the GAO. Notwithstanding these difficulties, we will attempt to offer our observations with
regard to the items discussed at our exit interview last week.
Generally, many of the GAO's observations relating to our supervision of the industry involve
timing. The GAO believes that the agencies, including OTS, should have started addressing this
issue sooner than we did, and should have been more prompt in disseminating guidance to the
industry on key topics. In particular, the GAO recommends that we:
work with the other FFIEC agencies to complete by the end of March 1998 our guidance to
institutions on customer risk exposure, and on due diligence for service providers and software
vendors;
work with the other FFIEC agencies to develop contingency planning guidance and set a
deadline for completing this effort; and,
provide more guidance to institutions on renovation, validation and implementation.
We certainly agree with the merits of an earlier start, but believe that we must look forward and
make the best use of the time we have remaining. This requires us to continue our vigorous
examination regimen and work to complete the FFIEC advisories as promptly as possible. We
believe that this testimony lends ample support to our resolve to address the Year 2000 computer
problem in a comprehensive and responsible way.
The FFIEC papers on customer risk and vendor due diligence are being released this week. The
FFIEC agencies have also established a working group to develop contingency planning
guidance, and we expect to complete that project later this spring. Finally, the agencies are
completing additional industry guidance on Year 2000 testing procedures, which also should be
released this spring.
The GAO also recommends that the OTS work with the other FFIEC agencies to develop a
tactical plan that details the results of our industry assessments and indicates the actions we
intend to take based on those results. We will work closely with the other agencies to address
this recommendation. However, we believe that the GAO could assist us and the other agencies
by discussing with us the specific expectations it has in mind for this tactical plan. OTS already
has supervisory follow-up procedures in place for when institutions are rated "Needs
Improvement" or "Unsatisfactory" for Year 2000 purposes.
The GAO indicates they would like to see the FFIEC Year 2000 Examination Procedures
organized differently and include specific questions about each phase of the Year 2000 project
management plan. We, as well as the other FFIEC agencies, agree that the product can be
improved and are already working to accomplish this. We are particularly interested in
supplementing those questions pertaining to the critical, and resource-intensive, testing phase.
We believe it is important to mention again that OTS has supplemented the FFIEC guidance with
other questions and examination steps, and with examiner judgment. As noted in this testimony,
we prepared an industry assessment from the results of our first round of supplemental off-site
Year 2000 examinations, and have developed a detailed internal survey to help us analyze
examination results from our second round of Year 2000 examinations.
The GAO is also concerned that the FFIEC guidance issued to date does not provide firm
guidance on the timing of different phases of the Year 2000 project management plan. We are
reviewing our existing guidance and will be clarifying our expectations with regard to when
testing should begin, and when it should be completed. We expect to issue these clarifications
soon.
The GAO remarks further indicate that the OTS has not determined the level of technical
resources needed adequately to evaluate the Year 2000 conversion efforts of thrifts and service
providers. Their concern is that our resources will be strained by examinations that increase in
length and technical complexity.
Significantly, we are currently conducting an agency-wide analysis of examination resource
needs. This analysis includes an assessment of IS examination resources. Although we believe
we have an outstanding IS examination program, we fully recognize that it must be structured to
ensure proper coverage and attention to the Year 2000 problem, and to respond to the rapidly
changing technological landscape. During the past eight years, our caseload of thrift institutions
has dropped from over 3000 to about 1200. During this time, OTS also downsized its workforce
to respond to the reduction in the number of thrift institutions. However, our IS examination
staff resources remained relatively constant during this period while gaining valuable experience.
Most of our IS examiners are accredited Federal Information Systems Regulators, and have
earned the designation of "Certified Information Systems Auditor."
Further, we recently introduced a training course for our S&S examiners to enhance their
knowledge of emerging information technology. We expect that virtually all our S&S examiners
will attend this training course. Moreover, as noted earlier, we have provided in-depth Year
2000 training to a select group of S&S examiners. Since most of our thrifts outsource their
complex data processing needs, our S&S staff can more than adequately assess information
system risk exposure at these institutions, including that related to Year 2000 compliance. Our
IS examination staff provides technical guidance and assistance to these examiners, as necessary.
With respect to GAO's recommendation that the OTS develop contingency plans for mission
critical systems and core business processes, as mentioned earlier, we will have a Year 2000
contingency plan in place by mid-year 1998. A senior OTS program manager has been assigned
to lead this effort. The plan will be based on available guidance from the Treasury Department
and will incorporate results we have obtained from our renovation efforts and validation tests.
We believe that our plan will be more comprehensive and that we will be better prepared by
having the benefit of these results as we complete the plan.
In response to GAO's recommendation that we address and develop a comprehensive Year 2000
program plan, as discussed earlier, we have completed Year 2000 plans for the agency's
information systems, for our Washington and Regional infrastructure, and for our industry
regulatory efforts. The plans were developed separately as the program requirements were
defined by the Treasury Department, the agency, and the FFIEC agencies. Although the integrity
of our current efforts has not been threatened due to the lack of an integrated plan, pursuant to the
GAO's recommendation, we will integrate the separate plans into a comprehensive agency plan.
This document will be developed in parallel with our contingency planning efforts by mid-year
1998.
Importantly, OTS has already integrated its status reporting to the Treasury Department, to
Congress and to OTS senior management. Monthly status reports are prepared for the Treasury
Department that address all key program areas, with quarterly cost information updated for
Treasury in an integrated worksheet. In addition, status reports on our internal systems as well as
industry progress on Year 2000 efforts are provided quarterly to Congress. Finally, OTS senior
management is kept abreast of agency progress on Year 2000 issues through periodic reports
from those responsible for the various aspects of the agency's Year 2000 efforts.
V. Conclusion
Mr. Chairman, we believe the combination of our examination efforts, our active supervision of
the thrift industry, and our monitoring of our own compliance efforts should ensure that effective
and timely actions are taken to avoid problems involving thrifts and the OTS when the calendar
rolls over to the Year 2000. We know that, no matter how well we are prepared, there will be
glitches and problems. We are committed to addressing those problems and making the Year
2000 conversion process as manageable as possible for our regulated institutions.
Home | Menu | Links | Info | Chairman's Page