|
Year 2000 Quarterly Congressional Update - September 10, 1998
Both the National Credit
Union Administration (NCUA) and credit unions are making good progress
toward becoming Y2K compliant; detailed answers to each of the questions
posed by the Committee are included in the written statement which follows.
NCUA's plan for testing,
repairing and verifying our internal systems is on or ahead of schedule.
Six of NCUA's seven mission-critical systems are fully Y2K compliant.
Repairs to the remaining system will be completed by September 30, three
months earlier than the target date. We have been conducting
tests on individual parts of our mission critical systems since December,
1997, and began end-user tests of the entire systems in June, 1998.
End-user tests conducted in August ran cleanly, with no errors. KPMG
Peat Marwick has reviewed our Y2K verification testing results and recommended
providing further documentation of the tests we conducted. KPMG is scheduled
to review the revised documentation next week.
In general, credit unions' Y2K conversion efforts are progressing well. For the quarter ending June 30, only 29 federally-insured credit unions' Y2K efforts were unsatisfactory. 895 needed to improve, while the vast majority -- 10,525 -- were deemed to be making satisfactory progress.
NCUA's oversight efforts include quarterly data collection and on site supervisory contacts. Each quarter, each federally insured credit union must submit a progress report on their remediation efforts. NCUA's regional offices will validate the quarterly Y2K data provided by a three percent sample of federally insured credit unions. Each credit union will also have at least one on site contact which focuses on Y2K readiness in both 1998 and 1999. In addition, we have contracted for a review of the Y2K efforts of 20 to 30 large and complex credit unions.
NCUA has taken a total of
122 supervisory actions against 116 federally insured credit unions
for Y2K reasons. Of the 52 actions outstanding, 27 are letters from
Regional Directors, while 25 are more serious Letters of Understanding
or Memos of Understanding. Of course, still more serious sanctions would
apply if the credit union continued to ignore our directives. The next
major milestone date is September 30, 1998, when renovation of mission
critical systems should be substantially complete. NCUA has also increased
oversight of credit union service providers after receiving authority
to examine vendors in March of this year. Upon receiving this authority,
we arranged reviews of 29 service providers in addition to the ten service
providers we had earlier reviewed. When these reviews are completed,
we will have covered 80% of credit unions which use outside service
providers, representing 74% of the total assets of all federally insured
credit unions.
NCUA has advised credit
unions of the need to consider the Y2K readiness of local utility and
telecommunication providers in order to ensure uninterrupted service
to members. The recently introduced "Good Samaritan" Y2K liability
limitation legislation may encourage utilities and telecommunications
providers to disclose their progress with Y2K remediations. Increased
disclosure will allow credit unions to develop more realistic business
resumption plans and educate their members about the credit union's
response to the potential Y2K threat from third parties.
NCUA believes the major
potential systemic Y2K risk to the financial services industry relates
to liquidity risks. Thus, we continue to analyze and position the National
Credit Union Share Insurance Fund's expected cash flows to ensure that
ample liquidity will be available. A possible source of liquidity for
credit unions will be NCUA's Central Liquidity Facility (CLF). Although
Congress has chosen to limit the CLF's borrowing authority, considering
the as yet unknown liquidity demands driven by the Y2K situation, Congress
should consider removing the limit. NCUA is also acting to reduce
the liquidity risk to individual credit unions. Recently, the agency
worked with leadership of the credit union movement to provide credit
unions with models for informing members of Y2K progress and establishing
liquidity plans. NCUA's examiners also discuss liquidity planning during
each supervisory contact. In conclusion, NCUA appreciates
the Committee's attention to this important issue, and remains committed
to ensuring a successful transition to the new millenium.
Good morning, Chairman Leach, Congressman LaFalce and members of the Committee. I appreciate this opportunity to update you on NCUA's Y2K efforts, both within the agency and in our oversight of federally insured credit unions. I am happy to report that the agency and credit unions are making good progress toward becoming Y2K compliant; detailed answers to each of the questions posed in your invitation letter are below. Our quarterly report to the House and Senate Banking Committee on our Y2K efforts, which is attached, contains further information.
NCUA's plan for testing, repairing and verifying our internal systems is on or ahead of schedule. Six of NCUA's seven mission-critical systems are fully Y2K compliant. The system that is not Y2K compliant -- our Asset Management and Liquidation Center (AMAC) system for tracking accounts in liquidated credit unions -- was originally scheduled for replacement by December 31, 1998. When we received no responses to our Request For Proposal for replacement, we chose to repair AMAC's current system, and testing of these repairs is underway. The repairs will be completed by September 30, three months earlier than the target replacement date. NCUA's Office of Technology and Information Services (OTIS) has been conducting tests on individual parts of our mission critical systems since December, 1997, and began end-user tests of the entire systems in June, 1998. The June tests revealed several minor problems, which have now been corrected. Further end-user tests in August ran cleanly, with no errors. As Y2K readiness is an continuing and iterative process, OTIS will maintain an ongoing testing capability to test changes to systems and new systems which are being developed. This summer, we contracted with KPMG Peat Marwick to review our internal Y2K verification testing results and documentation process. KPMG's recommendations centered around providing further documentation of the tests we conducted. KPMG is scheduled to return next week to review the revised documentation. NCUA also utilizes several systems owned and operated by other agencies. For example, our Office of Human Resources is a customer of the General Services Administration (GSA) for human resources support. GSA is building a new human resources system and has scheduled NCUA for conversion in June, 1999. Our contingency plan, should the new system not be ready as scheduled, is to remain on the old system, which GSA is in the process of making Y2K compliant. Similarly, our Chief Financial Officer uses several programs from the Treasury Department, and we are working with them to assure that these systems are Y2K compliant.
Credit Unions In general, credit unions' Y2K conversion efforts are progressing well. For the quarter ending June 30, only 29 -- one-quarter of one percent of -- federally-insured credit unions' Y2K efforts were unsatisfactory. 895 credit unions -- 7.8% of federally-insured credit unions -- needed to improve, while the vast majority -- 10,525 or 91.9% of federally-insured credit unions - were deemed to be making satisfactory progress. Our oversight efforts continue to identify those federally insured credit unions needing additional supervisory attention. A keystone of NCUA's oversight efforts is our quarterly data collection. Every quarter, each federally insured credit union must submit a progress report on their remediation efforts. The credit union's senior management certifies the accuracy of the information, providing continued focus on the issue at the highest levels within the credit union. In addition to the quarterly reports, each credit union will have at least one on site contact which focuses on Y2K readiness in both 1998 and 1999. We have also contracted with PricewaterhouseCoopers (formerly Coopers and Lybrand) for a review of the Y2K efforts of 20 to 30 large and complex credit unions. These reviews should be completed by the end of the year. NCUA has taken a total of 122 supervisory actions against 116 federally insured credit unions for Y2K reasons. Most of these -70 - have since been removed. Of the 52 actions outstanding, 27 are letters from Regional Directors, while 25 are more serious Letters of Understanding or Memos of Understanding. Regional Director letters lay the groundwork for the more serious actions; if these letters are not heeded, a Letter or Memo of Understanding is put in place. Of course, still more serious sanctions would apply if the credit union continued to ignore our directives. NCUA's timeline for credit unions' Y2K remediation efforts, adopted by the NCUA Board in January, 1998, establishes the milestone date at which the Agency must consider taking some type of administrative action. If there are mitigating circumstances, regional directors may request a formal waiver of the timeline. However, the Agency also built flexibility into the timeline for earlier intervention. Regional directors may take administrative action with a credit union that is not showing sufficient progress well before the timeline dates. The next major milestone date will be September 30, 1998, when renovation of mission critical systems should be substantially complete; credit unions whose renovations are not substantially complete could face administrative actions. Other upcoming deadlines include substantial completion of testing of mission critical systems by December 31, 1998, completion of validation and testing by June 30, 1999, and substantial implementation of mission critical systems by July 31, 1999. Service Providers Enactment of the "Examination
Parity and Year 2000 Readiness for Financial Institutions Act, "
P.L. 105-164, in March of this year gave NCUA authority to examine credit
union service providers. We appreciate the Committee's work on this
issue and have made use of this authority. Prior to the enactment of
P.L. 105-164, we had negotiated agreements with only 10 of the largest
vendors to assess their Y2K readiness. When we received statutory authority,
we arranged for reviews of an additional 29 service providers; these
reviews, which are being conducted by PricewaterhouseCoopers, are scheduled
to be completed by the end of the year. Thus far, a total of 15 service
providers, representing more than 50% of the credit unions served by
outside service providers, have been reviewed, and all were rated satisfactory.
When the additional reviews are completed, we will have covered 80%
of credit unions which use outside service providers. The credit unions
served by these providers represent 74% of the total assets of all federally
insured credit unions.
NCUA remains concerned about vendor readiness, especially among smaller credit union service providers. As noted above, NCUA has contracted with PricewaterhouseCoopers to review additional vendors, and we expect this series of reviews to cover 80% of the credit unions which use outside service providers. Due to the large number of credit union vendors, it is not possible to review every service provider before the end of this year. However, since we will conduct a Y2K review of every federal credit union, we will have the opportunity to review vendor-provided substantive systems, primarily focusing on share and loan systems, on site at the credit union. Where necessary, we will encourage credit unions which are uncertain about the status of their vendor's applications to begin making other arrangements as soon as possible. As the Year 2000 draws nearer,
credit unions which are behind onY2K remediation efforts will have an
increasingly more difficult time finding skilled assistance for their
conversion efforts. NCUA will continue to work with credit unions to
achieve the best solutions. However, we anticipate that at least some
credit unions will have to be merged or liquidated for Y2K-related reasons.
NCUA intends to approve mergers, where necessary, by mid-1999 to ensure
that continuing credit unions have adequate time to adjust to their
expanded membership before the date change. 4) Methodology for Ensuring Reliability of Y2K Data NCUA staff have developed
a process to check Y2K information provided by credit unions. Each quarter,
NCUA's regional offices will validate Y2K data provided by a three percent
sample of federal and state credit unions. Also, all information provided
by federal credit unions on their Y2K quarterly reports is subject to
review during examinations. 5) Y2K Credit Risk In general, credit unions
do not face credit risk due to business customers' potential Y2K problems.
Commercial lending by credit unions is very limited - member business
loans account for only 1.25% of the loan volume for federally-insured
credit unions as of December 31, 1997. The small number of credit unions
with substantial business loan portfolios are primarily involved in
agricultural loans, taxi cab medallions or small business loans. Accordingly,
the credit risk associated with "corporate" business is not
a primary concern for credit unions. Still, our examiners are aware
of this issue and will continue to weigh the credit risk threat where
there might be a potential problem. 6) Y2K Readiness of Critical Third Parties NCUA has advised credit
unions of the need to consider the Y2K readiness of local utility and
telecommunication providers during Y2K remediations in order to ensure
uninterrupted service to members. However, many credit unions are having
difficulty receiving this information when they have requested it, particularly
if they are located in a community served by utility or telecommunications
monopolies. The recently introduced "Good Samaritan" Y2K liability
limitation legislation may encourage information system providers, particularly
utilities and telecommunications providers, to disclose their progress
with Y2K remediations. We believe increased disclosure will help credit
unions and their members prepare for the date change by allowing development
of more realistic business resumption plans and time for credit unions
to educate their members about the credit union's response to the potential
Y2K threat posed by third parties. 7) Y2K Risk to Insurance Fund and Contingency Planning NCUA believes the major area of potential systemic Y2K risk to the financial services industry relates to liquidity risks. Thus, we continue to analyze and position the National Credit Union Share Insurance Fund's expected cash flows for the last few months of 1999 to ensure that ample liquidity is available to credit unions and the agency. The agency is currently revising its business resumption plan, which will outline agency actions if a systemic crisis erupts. The revision is expected to be complete by December 31, 1998. A possible source of liquidity for credit unions will be NCUA's Central Liquidity Facility (CLF). Although Congress has chosen to limit the CLF's borrowing authority, given the as yet unknown liquidity demands driven by the Y2K situation, Congress should consider removing the limit. NCUA is also acting to reduce the liquidity risk to individual credit unions. We cooperated with leadership of the credit union movement in the recent release to all credit unions of a model for communicating with members concerning Y2K progress. The focus is to keep credit union members informed and alleviate member concerns. The publication also provides a model for credit union liquidity plans, which suggests actions credit unions can take to address the liquidity issue, such as issuing money orders and travelers checks. NCUA may follow this release with a letter to credit unions on the subject of crisis management and dealing with member inquiries. Additionally, NCUA's examiners discuss liquidity planning during each supervisory contact in order to ensure that credit union managers have taken appropriate action to address any weakness, such as establishing additional lines of credit. Where credit unions fail to address the liquidity risks of Y2K proactively, formal agreements will be put in place. Examiners will be further monitoring credit unions' liquidity situation throughout the last quarter of 1999 and the first quarter of 2000. In early 1999, the agency plans a letter to all federally insured credit unions addressing liquidity planning. Finally, NCUA may issue a letter addressing credit union operations during December, 1999 and January, 2000. 8) Other Issues NCUA remains committed to outreach and education efforts on the Y2K remediation process. Because of the large number of credit unions and their relatively small size, group education and outreach is particularly important for the credit union movement. In addition to the examiner-level contacts with individual credit unions, various NCUA Senior Staff and Y2K Supervisory Group Specialists have participated in meetings with a total attendance of approximately 18,000 persons as of June 30, 1998. Our Deputy Director of Examination and Insurance recently took part in a satellite broadcast on testing, which reached 3,000 people nationwide. Also, our "Empowerment 2000" conference for Community Development Credit Unions will feature several sessions specifically addressing the Y2K conversion issues faced by CDCUs. Finally, we forwarded the Y2K customer brochure developed by the Federal Financial Institutions Examination Council to all credit unions to make available to their members. We believe that these group education activities are an important supplement to the individual Y2K exams and quarterly reports. The special Year 2000 section
of NCUA's web page (www.ncua.gov) is another important communications
tool, where the agency's guidance on Y2K issues is assembled in one
place. Most importantly, the site provides information on vendors' Y2K
plans, target dates and summaries of our vendor reviews. Credit unions
have indicated to us that this site has been an important tool in obtaining
reliable Y2K information quickly. 9) Y2K Liability for Credit Unions and Their Officers and Directors The Federal Credit Union Act tasks credit union directors with responsibility for the overall direction and control of a credit union's affairs. Part of this responsibility includes the continued delivery of all critical services unaffected by the Y2K date change. We have issued a letter to credit union supervisory committees reminding them that an important part of their general oversight responsibility involves overseeing efforts to assure Y2K compliance. We have also provided considerable detailed guidance on the steps necessary to assure Y2K compliance. We expect credit union officers, directors and supervisory committee members to take reasonable and prudent actions designed to meet their responsibilities in this area. Sometimes NCUA is asked about the liability to third parties of credit union officers and directors in the event of Y2K problems. In cases of system failure issues of liability are likely to be fact-specific and dependent on state tort law. It is therefore difficult to offer specific guidance as to the standard of care officials should exercise. The Federal Credit Union Act does not provide protection from liability for negligence in the performance of duties by officers and directors, including activities related to Y2K conversion. Nonetheless, some state statutes may afford protection to these volunteers. Some credit unions also carry an optional endorsement to their fidelity bond coverage which insures directors and officers against claims of negligence. NCUA believes that if directors and officers carry out their duties in a conscientious manner with the best interests of the credit union in mind they would likely have some measure of protection in the event a claim of breach of duty is made. In conclusion, Chairman Leach, thank you for allowing NCUA the opportunity to provide the Committee with an update on our Y2K actions. I believe the agency and credit union will be well-prepared to deal with the millenium date change. I appreciate your diligent attention to this important issue, and I am happy to answer any questions.
AGENCY PROGRESS
Attachment I is an updated
version of the last quarterly report in the OMB format, documenting
our progress since the last report. Changes from the previous quarter's
report are highlighted in bold faced text.
Our plan for testing, repairing
and verifying our internally developed and maintained systems is on
or ahead of schedule; there have been no schedule slippages. We expect
all internal agency application systems to be fully Y2K ready by September
30, 1998. We have completed two end user tests of our systems in June
and August 1998, which confirmed that all but one are now compliant.
The Asset Management and Assistance Center (AMAC) system was originally
slated to be replaced by December 31, 1998. However, we did not receive
any responses to our Request for Proposals and have since chosen to
repair the current system. The renovation work is nearly completed and
the repaired and verified system will be in production by September
30, 1998. As a result, we are now ahead of our previous schedule, which
originally called for replacement of the AMAC system by December 31,
1998. We had originally planned
to convert our General Services Administration (GSA)-supplied Personnel
Information Resources System (PIRS) to SAP, our internal enterprise
support system. We now plan to remain a customer of GSA for human resources
support. GSA is building a new human resources system, Comprehensive
Human Resources System (CHRIS), and has scheduled NCUA for conversion
from PIRS to CHRIS in June 1999. GSA has notified us that CHRIS will
be fully Y2K compliant. Our contingency plan, should CHRIS not be ready
as scheduled, is to remain on the PIRS system, which is currently being
made Y2K compliant by GSA with testing targeted for the last quarter
of 1998 and implementation during January 1999. Our Chief Financial Officer utilizes several systems owned and operated by the Treasury Department and GSA. We are currently working with these agencies, based on their schedules, to test and validate Y2K compliance of each of their systems. For our internal systems,
we have drafted a Year 2000 Technical Resumption Plan (Y2KTRP). It is
a listing of the automated systems - hardware, software, and technical
infrastructure - that NCUA uses in the performance of its daily business.
The Y2KTRP identifies each agency technical system, product and service;
its vendor; and the current Year 2000 compliance status. Furthermore,
the Y2KTRP outlines specific steps to follow if a particular system,
product, or service is not fully compliant by the Year 2000 or otherwise
fails when we enter the new millennium. We also have a Disaster
Recovery Plan, in the event of any disaster, including a Y2K failure,
that causes an interruption of service in one of our critical systems. We have not established
"trigger dates" because it is clear that we will have completed
all necessary renovation work on internal systems by September 30, 1998.
As a result, our Technical Resumption Plan will only be triggered by
an actual and unanticipated system failure. To coordinate internal disaster
recovery plans for Year 2000 risks and our regulatory business resumption
supervisory responsibility for credit unions, NCUA has established a
Year 2000 Task Force made up of key senior office directors. Completion
of this planning effort is scheduled for December 31, 1998. Training
staff and testing the plan is proposed for completion by June 30, 1999.
This planning effort is primarily focused on assisting credit unions
to resume operations under emergency conditions and the possibility
for handling the administration of increased levels of supervisory actions.
The draft plan covers key concerns/risks and planned agency responses
to provide the resources necessary to meet our regulatory responsibilities
with Federally insured credit unions. The costs of the Year 2000
Business Resumption plans are in process of being developed for the
NCUA 1999 Operating Budget. Since most of the identified risks involve
the reallocation of existing examiner resources to handle increased
supervisory work and or emergency response, a substantive level of additional
budget expenditures for this activity is not anticipated.
In order to get an independent
assessment of our compliance status, we submitted our test documentation
and initial results to a Big Five accounting firm, KPMG Peat Marwick
(KPMG). They have conducted an initial review of our test plans, processes,
and procedures. KPMG found the "process is considerably further
along than we would normally encounter in a large number of our clients."
The review found weaknesses in formalizing our Testing Plans and documentation,
and provided recommendations to improve these areas during testing conducted
in August 1998. We will bring them in again in September after we complete
our final test. We are on schedule to develop
a business resumption contingency plan for the agency by December 31,
1998, which we will also have KPMG review. If and when we deploy new
hardware or software systems currently planned for 1999, we will again
submit our verification testing results and documentation to KPMG for
an independent assessment of the compliance status of these systems.
Finally, we have also implemented a configuration management control system to ensure that compliant systems remain compliant. As each system was certified compliant, we moved the source code for the system into our Visual Source Safe repository. No new software will go into production without first being tested for Y2K compliance, then checked into Visual Source Safe. INDUSTRY PROGRESS
Credit Union Remediation
Status: Ratings: As indicated
in our prior Congressional Update (dated May 15, 1998), the agency had
planned to begin categorizing risk based on the three-tiered system
developed by other federal financial regulators (satisfactory, needing
improvement, or unsatisfactory). After further reviewing our method
of collecting the data, through the electronic Eforms completed during
each Year 2000 contact, we determined it would be counterproductive
to alter our risk ratings (high, medium, or low) to coincide with those
developed by other federal financial regulators after our system was
already in place. For purposes of this report, however, we will continue
to interpret our risk assessment in terms of the rating system used
by other federal financial regulators. To reiterate, our interpretation
is as follows:
The breakdown of federally
insured credit unions' ratings including corporate credit unions, based
on the milestone dates established in the NCUA contingency plan is as
follows:
Our oversight efforts continues
to identify those federally insured credit unions needing additional
supervisory attention as the renovation phase ends and the testing phase
is initiated. Movement from "needs improvement" to "unsatisfactory"
is a function of our administrative action process. For an aging of
credit unions rated "needs improvement" or "unsatisfactory"
see Attachment II. In
our March, 1998, testimony, we reported 9 credit unions in the unsatisfactory
category. Of these 9 credit unions,7 have moved to the needs improvement
category. We also have had 27 credit unions move into the unsatisfactory
category since our last report, primarily due to the following reasons:
(1)inadequate Y2K plan, (2)inadequate due diligence process for risks
posed by service providers/software vendors, (3)inadequate test plan,
(4)inadequate contingency plan, and (5)inadequate customer awareness
program. We have been
paying particular attention to small credit unions (under $5 million
in assets) rated as "needs improvement" for longer than six
months. In late October and early November we will sponsor Empowerment:
2000 workshops to heighten small credit unions' awareness of issues
and topics which will insure their viability. Year 2000 issues will
be discussed in detail during these workshops. Similarly, we are also aware
of the number of large credit unions (assets exceeding $50 million)
which have been rated as "needs improvement" for longer than
6 months. We have developed a tracking program to summarize and monitor
their ratings, as well as the frequency of on-site contacts. For example,
six of the ten largest federally insured credit unions are federal credit
unions; all six of these have had a contact in the last six months.
The remaining ten largest are all state charted credit unions, and we
are working with the appropriate state supervisory authority to ensure
contacts are completed in the near future. Remediation Progress:
Those federally insured credit unions utilizing a computerized recordkeeping
system which have not completely implemented all mission critical systems
continue to report their progress with Year 2000 remediations each quarter.
Credit unions continue to demonstrate good progress with respect to
renovating, testing, and implementing mission critical systems. The
results of the most recent quarter-end reporting cycle (June 30, 1998)
are illustrated below. Remember, some credit unions have multiple mission
critical systems, and may report some systems in renovation, some in
testing, and some systems as already implemented. Therefore, a credit
union may be included in one or more phase of each category listed below.
The remediation summary
tables clearly show credit unions have steadily progressed from the
December 1997 cycle to the June 1998 cycle. As more work is completed,
the quarterly report trends show a increasing number of credit unions
appearing in the higher completion percentage ranges. Please note, there
may be some slippage, however, as some systems are tested, re-renovated,
and re-tested throughout the process. The next major NCUA milestone
date will be September 30, 1998, when mission critical systems should
be substantially complete with renovations.
As reported during the last
Congressional Update, the agency received examination authority over
information system providers in March. Relevant information for each
vendor, such as products, test release dates, and general release dates,
has been posted to the agency's web page for the general public. In April, the agency concluded
initial Year 2000 reviews of ten large information system providers.
We contracted with PricewaterhouseCoopers (then known as Coopers and
Lybrand) to perform the reviews, along with our own examiner staff.
These first ten were chosen based on the substantial number of credit
unions they serve; nearly 55 percent of all federally insured credit
unions. Once the reviews were completed, we published a Letter to Credit
Unions (98-CU-11) to summarize the results of the reviews. All ten of
the initial vendors reviewed were progressing satisfactorily with their
Year 2000 remediation efforts. NCUA has contracted with
PricewaterhouseCoopers to conduct 50 additional information system provider/large,
complex credit union reviews. In addition to the expertise of the PricewaterhouseCoopers
staff, we staff these reviews with at least three NCUA employees, with
a majority of NCUA participants being our supervisory examiner group
Y2K Specialists. This pattern allows us to increase the experience base
of the Specialists, through their participation on several reviews.
The expertise and training provided by PricewaterhouseCoopers allows
us to leverage our examiners expertise to become the examiner-in-charge
of subsequent reviews. Recently all our Year 2000
field and regional specialists attended Year 2000 testing training sponsored
by the FFIEC so they can become trainers in the testing workprogram
for our general examination staff. We are in the process of adapting
the Testing Program developed by the FFIEC to NCUA needs. The final
program should be operational to coincide with the renovation milestone
date. In addition to the FFIEC training provided to our regional office
and field Y2K Specialists, a vendor conference, held in May, included
training on testing methodologies for the supervisory examiner group
Y2K Specialists. Finally, specialized Y2K testing training was provided
to our general field staff during each regional conference. The agency
has also hired two more Information Systems Officers (for a total of
three), working from the Central Office, to assist in managing, monitoring,
and tracking our Y2K efforts. NCUA has reallocated budget resources
to address Y2K in 1999. NCUA's proposed 1999 budget includes 104,509
hours specifically allocated for Y2K; therefore, we will have sufficient
resources to follow-up on all Y2K testing and implementation issues
and concerns. Credit Union Education
Efforts Since our last Congressional
Update (May 15, 1998), the agency has issued a Y2K testing paper to
provide top-level guidance to all federally insured credit unions. We
published Letter to Credit Unions 98-CU-12, transmitting FFIEC guidance
papers on Business Resumption Planning and Customer Awareness. We plan
to draft letters that specifically address liquidity issues, crisis
management, and planning for Year 2000 day one operations for release
in early 1999. The agency continues to offer our assistance to various
trade organizations by participating in education workshops, and have
reached over 18,000 participants. Recently we took part in a Year 2000
satellite broadcast on testing, which reached 3,000 people nationwide.
As stated earlier, the NCUA
Board approved 50 additional Year 2000 reviews at select vendors and
complex credit unions to be carried out by PricewaterhouseCoopers, with
NCUA staff assisting. To date, ten reviews (five information system
providers and five credit unions) have been completed from this second
wave of scheduled reviews. All five information system providers were
rated satisfactory by our team of NCUA examiners, and bring the percentage
of credit unions served to nearly 53 percent. Forty additional reviews
are scheduled to be completed from late August to early December, including
27 vendor reviews. Once completed, these additional 27 vendor reviews,
when added to the 15 already completed, will represent 80
percent of the credit unions serviced by information system providers,
and will cover 74 percent of the assets of
credit unions insured by the NCUSIF. The results of the reviews will
be provided to the client credit unions. A summary of findings will
be available on the NCUA vendor website.
The agency's Inspector General
is currently collecting information to perform a detailed review of
our Year 2000 efforts to date, as well as actions we plan to initiate.
We anticipate receiving a management letter detailing the findings of
the review by the fourth quarter of 1998.
As revealed in the May 15,
1998 Congressional Report, credit unions are not heavily involved in
commercial lending. Therefore, the credit risk referred to by the FFIEC
in its March 17, 1998 Interagency Statement is not uniformly present
throughout the credit union movement. Those credit unions with substantial
business loan portfolios are primarily involved in agricultural loans,
taxi cab medallions, or small business loans. Consequently, the credit
risk associated with "corporate business" is not a primary
factor for credit unions. Our examiners continue to consider this issue
during examinations and special Year 2000 on-site contacts.
While credit unions have
been made aware of the need to consider local utilities and telecommunications
providers during enterprise Year 2000 remediations, often this element
has taken a "backseat" to more obvious internal mission critical
systems. Furthermore, many credit unions operate in a community served
by monopolies of utility companies and telecommunications providers.
This makes it difficult for them to receive relevant information to
evaluate their ability to provide uninterrupted service to the membership.
The pending "good Samaritan"
legislation should provide all information system providers, particularly
utilities and telecommunications providers, the necessary comfort level
to disclose their progress with Year 2000 remediations, without the
threat of potential litigation.
Liquidity Risks The agency continues to
believe the major area of potential systemic Year 2000 risk to the nation's
banking and financial services industry relates to liquidity risks.
NCUA continues to analyze and position the National Credit Union Share
Insurance fund's expected cash flows towards the end of 1999 to ensure
ample liquidity is available to credit unions and the agency. A credit
union Y2K task force is developing a model liquidity plan to manage
their member perceptions, and will provide some non-cash actions credit
unions can take to address this issue. Additionally, examiner staff
has been instructed to discuss liquidity planning with credit union
officials during each contact to ensure management is aware of potential
liquidity concerns, and has taken appropriate steps to address any weaknesses,
such as establishing additional lines of credit or limiting share withdrawals
by the membership. Formal agreements have been reached in those instances
were credit unions are not pro-actively addressing the liquidity risks
of the Year 2000. NCUA's business resumption
plan, currently being updated, will outline agency actions if a systemic
crisis erupts. In addition, it requires all NCUA examiners to review
credit unions' liquidity plans during examinations completed in late
1998 and early 1999. Examiners will be expected to monitor credit unions'
liquidity situation throughout the last quarter of 1999 and the first
quarter of 2000. Credit unions will be expected to monitor local media
for any potential liquidity concerns relating to the financial industry.
In early 1999, the agency plans to develop a letter for all federally
insured credit unions addressing liquidity planning and crisis management. In addition to the normal
liquidity contingency plans in place, some corporate credit unions are
planning for additional Y2K liquidity contingencies by:
NCUSIF Risks Regions report monthly on
the potential share insurance fund risks with a special section relating
to Y2K. Implementation milestone dates (July 31, 1999 and September
30, 1999) will trigger any necessary liquidation action. NCUA's business
resumption plan includes additional staffing and crisis management teams
for large failures before and after the Year 2000. As each milestone date is
reached, examiners will determine if federally insured credit unions
have made sufficient progress or whether administrative action is needed
to compel credit unions to take specific steps. We have seen one corporate
credit union decide to merge due to Year 2000 concerns. The merging
corporate is rated as needs improvement under the prior question regarding
the rating of credit unions, however due to its small asset size, the
corporate is a low industry risk.
There are very few credit
unions which routinely do business in international banking and financial
arenas. Where appropriate, our examiners have been instructed to evaluate
the credit union's ability to successfully manage this issue, as it
relates to the Year 2000, and to develop formal agreed upon actions
to correct any weakness noted during routine examinations or Year 2000
contacts. On the corporate credit
union front, regulatory limitations have limited exposure to international
banking. To engage in international investments, the NCUA Board must
approve corporates for Part Expanded Authorities. To date, only two
corporates have that authority, and neither have begun investing in
foreign markets.
With the exception of the pending "good Samaritan" bill, the agency does not anticipate the need for any new legislation relating to the Year 2000, specifically relating to business continuity or contingency planning. The Examination Parity Act, which was passed in March 1998, provides NCUA the needed supervisory authority over information system providers. This was a significant step towards our ability to identify potential concerns with large vendors, and disseminate this information to the client credit unions. As it also gives us an array of enforcement actions to use with vendors who are not making progress, we can resolve issues as they are identified. Our draft business resumption plan includes avenues to pursue if a mass conversion is required from a failing vendor. If a vendor is slow in achieving Y2K readiness, we now have the ability to take enforcement action with the vendor specifically, rather than a multitude of actions with the clients, leveraging NCUA's resources.Status of the National Credit Union Administration's Year 2000 Efforts
Note: Changes
to the text of the previous report, dated May 15, 1998, are shown in
bold face print.
There are two aspects
to NCUA's Y2K efforts. The first deals with our internal information
systems and related information technology, IT resources, external data
interfaces, and certain aspects of the Agency's infrastructure containing
embedded computer technology, e.g., fire detection and suppression systems,
elevator systems, telephone systems, security systems, and environmental
control systems. The second is our regulatory effort to ensure the successful
Y2K readiness of the 11,238 natural person credit unions insured by
NCUA and the 39 corporate credit unions.
The NCUA Board
has primary Year 2000 oversight responsibility. Specific oversight coordination
has been assigned to the Director of Strategic Planning, an executive
level position located in the Central Office in Alexandria, Virginia.
This position reports to the Executive Director, who in turn, reports
to the NCUA Board of Directors. The Office of Examination
and Insurance is responsible for programs monitoring and supervising
the readiness of federally-insured credit unions. The Office of Corporate
Credit Unions is responsible for programs monitoring and supervising
the readiness of corporate credit unions. The Chief Information Officer
(Director of the Office of Technology and Information Services) is responsible
for the Y2K readiness of all of NCUA's internal information technology
resources. The Director of Administration is responsible for the Y2K
readiness of the agency's physical plant facilities.
The Director of
Strategic Planning is responsible for coordination and oversight for
all NCUA Year 2000 programs. Each office provides a monthly Year 2000
update to the Executive Director and the NCUA Board through the Director
of Strategic Planning. Monitoring of problems with meeting internal
target dates are identified and resolved during this process. The Office
of Inspector General is also monitoring target dates and progress and
reporting any concerns to the NCUA Board. Federally insured
credit union readiness is monitored in the same manner by the Office
of Examination and Insurance and the Office of Corporate Credit Unions
which are responsible for the supervision of credit unions and the programs
which monitor their readiness. The status of credit union readiness
is reported by examiners during their supervision and examination contacts
and by specific Year 2000 reporting provided quarterly by all Federally
insured credit unions. These status reports are measured against the
contingency plan targets for accomplishing various levels of readiness
established by the NCUA Board.
The Director of
Strategic Planning, in conjunction with the assigned Office Director,
is responsible for recognizing schedule adjustments and proposing resolution
or action to the NCUA Board. The following actions are examples of the
process in place: Each Office provides
monthly Y2K readiness reports to the Executive Director and the NCUA
Board. During March, the NCUA Board approved a plan submitted by the
Office of Examination and Insurance and the Regional Directors for a
one time adjustment to the safety and soundness examination cycle to
provide ability for examiners to continue to devote the planned allocation
of time for Year 2000 contacts during 1998. During April, in
conjunction with passage of new legislation to permit NCUA to examine
credit union information system vendors, the NCUA Board has approved
obtaining outside contracted services to assist in Year 2000 readiness
reviews to supplement NCUA resources.
For the past three
years, the Office of Technology and Information Services has been working
to modernize the entire NCUA information systems infrastructure. This
project included replacing our legacy mainframe host, system software,
database, and communications network with a new client/server architecture;
replacing all desktop workstations; refurbishing all examiner laptop
computers; upgrading to a new operating system platform and office automation
suite; and rewriting every custom information system in the agency using
the most current tools, techniques, and processes. From the beginning,
a key requirement of this modernization process was complete Year 2000
readiness. As a result, we are currently testing all our systems to
ensure that agency Y2K readiness standards have been met, with the exception
of one system which will be replaced by December 1998.
*Note: The
Asset Management and Assistance Center (AMAC) system was originally
slated to be replaced through procurement of an off-the-shelf system,
which would then be customized to support the unique functions of AMAC.
However, we did not receive any responses to our Request for Proposals
and have since chosen to repair the current system. The renovation work
is nearly completed and the repaired system is scheduled to be in production
by September 30, 1998. As a result, we are now ahead of our previous
schedule, which originally called for replacement by December 31, 1998.
*Note: Human
resources support was included in this system in the last quarterly
report. However, it will now be provided to our agency by the PIRS /
CHRIS systems through a service bureau arrangement with GSA. GSA expects
NCUA to be converted to CHRIS in June 1999. Our contingency plan is
to remain with PIRS, which is currently being made Y2K compliant by
GSA.
The Office of Technology
and Information Services has compiled an inventory of all external data
exchanges. These interfaces are currently being tested for Y2K
readiness as part of our overall agency Y2K testing plan. NCUA has developed
a common shared credit union examination system and credit union call
report with state credit union regulatory authorities. Therefore, as
changes to these systems occur, they are automatically provided to the
state regulatory authorities assuring that both parties have updated
systems which are Year 2000 ready. We have provided
educational material through letters to all Federally insured credit
unions with regard to Year 2000 readiness. NCUA also has participated
in over 130 formal training and educational sessions attended by over
8000 credit union officials since January 1, 1998. Contingency
Planning. Provide a description of contingency
planning activities, including any criteria used to decide for which
systems contingency plans will be prepared for when plans must be in
place. NCUA has established a Year 2000 Task Force made up of key senior Office Directors under the chairmanship of the Director of Strategic Planning. The task force is currently working to develop NCUA Business Resumption plans. Completion of this planning effort is scheduled for December 31, 1998. Training staff and testing the plan is scheduled for completion by June 30, 1999. This effort is primarily focused on assisting credit unions to resume operations under emergency conditions and handling the administration of increased supervisory actions. The draft plan identifies key concerns/risks and planned agency responses to provide the resources necessary to meet our regulatory responsibilities with Federally insured credit unions. For our
internal systems, we have drafted a Year 2000 Technical Resumption Plan
(Y2KTRP). It is a listing of the automated systems - hardware, software,
and technical infrastructure - that NCUA uses in the performance of
its daily business. The Y2KTRP identifies each agency technical system,
product and service; its vendor; and the current Year 2000 compliance
status. Furthermore, the Y2KTRP outlines specific steps to follow if
a particular system, product, or service is not fully compliant by the
Year 2000 or otherwise fails when we enter the new millennium. We also
have a Disaster Recovery Plan, which will be implemented in the event
of any disaster, including a Y2K failure, that causes an interruption
of service in one of our critical systems.
We have inventoried
all non-IT components of the agency's physical plant with potential
embedded computer technology, e.g., building security, fire detection
and suppression, elevator, and environmental control systems. These
components are included in our overall Y2K readiness plan.
Internal program
- None. Credit union program
- Field staffing losses and hiring limitations required a one time extension
of examination cycle for 1998 - 1999. The Office of Examination and
Insurance has had difficulty in hiring senior program officers for Y2K
work. These positions have been advertised at a lower grade to attract
applicants.
We had originally
planned to convert our GSA-supplied PIRS human resources system to SAP,
our internal enterprise support system. We now plan to remain a customer
of GSA for human resources support. GSA is building a new human resources
system, CHRIS, and has scheduled NCUA for conversion from PIRS to CHRIS
in June 1999. GSA has notified us that CHRIS will be fully Y2K compliant.
Our contingency plan, should CHRIS not be ready as scheduled, is to
remain on the PIRS system, which is currently being made Y2K compliant
by GSA. Our Chief
Financial Officer utilizes several systems owned and operated by the
Treasury Department and GSA. We are currently working with these agencies,
based on their schedules, to test and validate Y2K compliance of each
of their systems.
In order
to get an independent assessment of our compliance status, we submitted
our test documentation and initial results to a Big Five accounting
firm, KPMG Peat Marwick (KPMG). They have conducted an initial review
of our test plans, processes and procedures. We will bring them in again
in September after we complete our final test. We are on
schedule to develop a business resumption contingency plan for the agency
by December 31, 1998, which we will also have KPMG review. If and when
we deploy new hardware or software systems currently planned for 1999,
we will again submit our verification testing results and documentation
to KPMG for an independent assessment of the compliance status of these
systems. Finally,
we have also implemented a configuration management control system to
ensure that compliant systems remain compliant. As each system was certified
compliant, we moved the source code for the system into our Visual Source
Safe repository. No new software will go into production without first
being tested for Y2K compliance, then checked into Visual Source Safe.
We expect
all internal agency application systems to be fully Y2K ready by September
30, 1998. Our initial end user test of all systems in June 1998 turned
up a handful of minor problems, which we have since corrected. We conducted
another test in August, which confirmed that all of our internal systems
are now compliant, with the exception of the AMAC system discussed above.
|