November 4, 1997
Testimony of Eugene A. Ludwig Comptroller of the Currency Before the Committee on Banking U.S. House of Representatives
Mr. Chairman and members of the Committee, I want to commend you for conducting these important hearings and focusing public attention on the impact that the year 2000 computer problem may have on the financial services industry. These important hearings raise public awareness of the issue and help focus on solutions. I also appreciate this opportunity to report to you on the actions we are taking to deal with this important issue. The federal supervisors of banks, thrifts, and credit unions are working together through the FFIEC — which I currently chair — to make sure that year 2000 preparations are a major priority for all depository institutions and their vendors.
The issue arises because computer programmers — at a time in which computer memory was expensive — often economized by using only the last two digits of the year in storing dates. That worked fine for many years. But when the clock strikes midnight on the last day of this century, many computer programs won't know whether the entry "00" means 1900 or 2000. This distinction is enormously important for banks, which use dates in any number of mission critical operations, such as computing interest on savings accounts.
While anyone using communications, computers, or office automation equipment must prepare for the year 2000, bank readiness is especially important, given the central role banks play in the nation's payment and credit systems.
Time is short — banks test and implement major system changes over weekends, and there are barely 100 weekends left to prepare for the year 2000. And no one should underestimate the magnitude of the problem.
Large banks, which rely heavily on computer systems designed in-house, must review computer code that can literally run into millions of lines. For smaller institutions, which often contract with third-party providers for computer services, the challenge will be to manage vendor relationships to ensure that their suppliers fix any code which could lead to computer failures at the turn of the century.
Almost two years ago, the world got a small hint of how calendar-related computer problems could disrupt the marketplace. On February 29, 1996 — Leap Year Day — the Brussels stock exchange had to shut down for the day, at a cost of more than $1 million in commissions.
An aluminum factory in New Zealand likewise lost a day's production, worth another $1 million. The Arizona state lottery commission could not pay out winnings. Countless smaller events did not make the headlines but still involved significant losses for the firms involved. And this was an event involving a single day for which everyone thought they were prepared.
Coordination with Other Agencies
The FFIEC agencies first alerted the financial services industry to our concern over the year 2000 problem in a June 1996 statement. A second statement issued by the FFIEC in May included examiner guidance on year 2000 project management. This was sent not only to every bank, thrift and credit union, but also to companies that sell computer services and products to depository institutions.
To date, our guidance has stressed two points. First, banks need to take into account external sources of risk attributable to the year 2000 problem, including their reliance on vendors; their linkages with other systems — both domestic and international — with which they exchange data and funds; and their potential credit risk exposure if corporate borrowers fail to address their own year 2000 problems.
Second, banks must implement a comprehensive project management process to resolve their year 2000 problems. Effective project management falls into five phases — awareness, assessment, renovation, validation, and implementation. Banks and vendors should have wrapped up their assessment phase and be into the renovation phase at this time.
We will issue additional, supplemental guidance later this year that will re-emphasize the importance of verification and testing cycles and timetables for a successful resolution of the year 2000 problem. This guidance will stress that senior management and the board of directors should be fully engaged in the planning and monitoring of year 2000 transition efforts.
This guidance also will address credit risk posed by borrowers that have not taken adequate steps to make their systems year 2000 ready. It is particularly important to us that banks allow adequate time and resources for testing and retesting.
Three additional steps we are taking jointly bear note. First, the FFIEC member agencies have formed a working group comprised of supervisory, legal and receivership experts to address a number of issues, including coordinating examinations of vendors, industry education, and developing contingency planning and training programs.
Second, the FFIEC is committed to a broad, aggressive public outreach effort. For example, the FFIEC will hold a vendor conference on November 10 to clarify our supervisory expectations and to provide a forum for vendors, banks, and supervisors to meet and discuss the challenge of correcting the year 2000 problem.
And third, since the year 2000 problem extends beyond our borders, I have worked to focus the attention of the international supervisory community on the global ramifications of this issue. Most recently, we persuaded the Basle Committee to make the issue an agenda item, which resulted in a recent report sent to financial supervisors worldwide.
The responsibility for implementing the FFIEC guidance rests with the lead federal supervisor of each financial institution. At the OCC, we are implementing an aggressive strategy to see that national banks are prepared. Our strategy includes on-site examinations of every bank under our supervision for year 2000 compliance. We are committed to examining every national bank and its vendors on site by mid-1998 and we have already completed nearly 500 such examinations.
In addition, we are establishing a quarterly reporting system to make sure that examiners provide progress reports on banks and vendors at least every three months. This information also will be factored into an institution's overall safety and soundness CAMELS rating.
As a prelude to these examinations, the OCC this spring reviewed every national bank and its vendors, taking a base snapshot of preparations that were underway. The other agencies conducted similar assessments.
We found that most national banks were taking appropriate steps to review their computer inventory or set up management programs. However, a number of institutions, primarily community banks, were not sufficiently involved with their vendors to know whether those contractors would be able to meet the FFIEC schedule. This is a matter of some concern.
The community banks situation is difficult, because most are counting upon the vendors' assurances that they have the problem well in hand. In some cases, these assurances are entirely legitimate. In some others, there may be more wishful thinking than accomplished fact. Accordingly, we are focusing a great deal of attention on community banks and their vendors to ensure a more energetic and focused response to the year 2000 issue.
We are continuing to monitor the progress of all banks under our jurisdiction, large and small. Our examiners followed up on the initial readiness assessment by contacting the CEO of each bank or vendor that had been found to be lagging in its planning efforts.
The examiners looked at the steps that had been taken since the initial assessment and new exams were scheduled for institutions that had not made adequate progress. On September 30, I wrote to all national banks and vendor CEOs, expressing my concern over these assessment results and calling upon the industry to make every effort to conform to the FFIEC compliance schedule.
In conclusion, the OCC and the FFIEC are committed to making sure banks are making adequate preparations for the year 2000. We are doing everything in our power to ensure the institutions under our supervision understand what the situation demands and respond accordingly.
It is important to recognize, however, that problems may still occur — given the complex web of technologies used by banks, and the multiplicity of connections banks have with other institutions. Thus, our supervisory strategy takes into account the possibility of unanticipated problems by requiring back-up strategies to be in place at the banks and having joint contingency plans ready to implement among the supervisory agencies.
These efforts are of great importance to the public welfare. By making this issue a high priority for banks and for ourselves, we hope to minimize disruptions to bank operations and bank customers.
Mr. Chairman, I will be happy to answer any questions you and your colleagues may have.