Federal Financial Institutions Examination Council
|For Immediate Release||March 17, 1998|
The Federal Financial Institutions Examination Council (FFIEC) today issued additional guidance for financial institutions on risks they face due to the Year 2000 date change -- risk from service providers and software vendors and from institutions' customers. Today's guidance follows previous FFIEC Year 2000 statements on project management and business risk.
"Regulators want to make sure senior management and boards of directors are fully aware of the wide range of risks that the Year 2000 date change poses for their institutions," said FFIEC Chairman Eugene A. Ludwig. "Regulators have made a major commitment to this challenge and all financial institutions are expected to do the same."
Vendor Due Diligence Guidance
Today's FFIEC guidance on Year 2000 risks from service providers and software vendors calls for financial institutions to develop a due diligence process that includes identifying mission-critical services and products provided by service providers and software vendors, monitoring procedures to verify that service providers and vendors are taking appropriate Year 2000 action, establishing contingency plans, and testing of these services and products within the environment of the financial institution to the extent possible.
The guidance encourages financial institutions to join other financial institutions through user groups to evaluate and test service providers and software vendors' Year 2000 efforts. These joint efforts may help financial institutions to solicit information and demand performance from service providers and software vendors that provide mission-critical products and services.
Financial institutions should develop contingency plans for all mission critical systems and ensure that they pursue alternative means of achieving Year 2000 readiness in the event the service provider or software vendor cannot complete critical efforts by "trigger dates."
As part of the FFIEC's efforts, the FFIEC agencies are conducting examinations of service providers and will provide the results of these examinations to the federally insured financial institution clients of these servicers. The FFIEC agencies also will inspect software vendors that agree to examinations and, where software vendors consent, the agencies will release the results of those examinations to serviced institutions. The agencies, however, will not certify service providers or software vendors as Year 2000 compliant as a result of these reviews.
Customer Risk Guidance
Today's customer risk guidance outlines a due diligence process that will help financial institutions identify material customers, evaluate their Year 2000 preparedness, assess their Year 2000 customer risk, and implement controls to manage the risk. A financial institution can face increased credit, liquidity, or counterparty trading risk when its customers encounter Year 2000-related problems. By June 30, 1998, senior management should implement the due diligence process. By September 30, 1998, Year 2000 assessments, based on this due diligence process, should be substantially completed. The customer risk guidance includes sample forms and questionnaires to assist financial institutions in evaluating the Year 2000 preparedness of their customers.
The guidance recognizes that the due diligence process will vary among financial institutions, depending on the size of an institution and the size and technological sophistication of its customers. The FFIEC identifies three major types of customers: funds takers, funds providers, and capital market/asset management counterparties. For funds takers, such as borrowers and bond issuers, the guidance focuses on assessing how the Year 2000 will affect their ability to meet the terms of contracts.
The guidance notes that Year 2000 problems in the second group of customers, funds providers, can increase an institution's liquidity risk. Year 2000 due diligence plans for this group should focus particular attention to funding concentrations, including concentrations from one provider or group of providers.
Steps to limit Year 2000 risk from a third source -- counterparties and capital markets -- may include requirements for additional collateral or netting arrangements on contracts. The guidance underscores that failure by a capital market customer to meet its obligations because of the Year 2000 problem could cause liquidity problems and, in some cases, total loss on financial contracts.
The FFIEC will issue shortly two additional Year 2000 policy statements on testing and contingency planning.
Guidance Concerning Institution Due Diligence in Connection with Service Provider and Software Vendor Year 2000 Readiness
Guidance Concerning the Year 2000 Impact on Customers