Service Provider and Software Vendor Year 2000 Readiness

Federal Financial Institutions Examination Council Guidance Papers

Enclosed you will find the following documents released by the Federal Financial Institutions Examination Council (FFIEC) concerning the Year 2000 issue:

• FFIEC Press Release.
• Guidance Concerning Institution Due Diligence in Connection With Service Provider and Software Vendor Year 2000 Readiness (Vendor Due Diligence Guidance).
• Guidance Concerning The Year 2000 Impact on Customers (Customer Risk Guidance).

The FFIEC issued the guidance papers as part of their on-going effort to update federally insured financial institutions on the risks associated with the Year 2000. The Vendor Due Diligence Guidance outlines a process for monitoring service providers and software vendors. The Customer Risk Guidance focuses on steps to reduce potential credit or liquidity risk caused by customers/members encountering Year 2000 related problems. The following are the key points of each paper.

Vendor Due Diligence Guidance

• Identify mission critical services and products provided by service providers and software vendors.
• Establish monitoring procedures to verify that service providers and software vendors are appropriately addressing the Year 2000 concerns.
• Test services and products within credit unions’ own environment to the extent possible.
• Establish contingency plans for all mission critical systems.
• Pursue alternative plans when service providers or software vendors fail to deliver, in an acceptable time frame, products or services that are Year 2000 ready.

Customer Risk Guidance

• Identify material customers/members based on the size of their overall relationship with the credit union.
• Evaluate their Year 2000 preparedness.
• Assess their Year 2000 risk.
• Implement controls to manage risks.

The Customer Risk Guidance applies primarily to financial institutions that could be adversely impacted by their customers’/members’ failure to properly address the Year 2000 concerns. Typically, these institutions include those involved in business lending, have large borrowers, or have customers/members whose ability to repay debt may be impaired by the Year 2000 problem.

Information Systems Vendor Year 2000 Reviews

The enclosed March 17, 1998 FFIEC press release states that FFIEC agencies (Federal Reserve, Federal Deposit Insurance Corporation, Office of the Comptroller and of the Currency, Office of Thrift Supervision, and the National Credit Union Administration) will release the examination results of service providers. On March 20, 1998, the President of the United States signed into law The Examination Parity and Year 2000 Readiness for Financial Institutions Act (Examination Parity Act). This Act amends the Federal Credit Union Act to give NCUA the same regulatory authority over vendors as the other federal regulatory agencies. NCUA is in the process of developing policies and procedures to implement the Examination Parity Act , which includes disclosure of future Information Systems Vendor (ISV) Year 2000 reviews conducted by NCUA.

To date, NCUA has completed a Year 2000 review of ten large ISVs. These ISVs provide service to approximately 55% of all federally insured credit unions. Since we conducted these reviews prior to the implementation of the Examination Parity Act, the vendors voluntarily allowed us to conduct the review, and we agreed to keep the results of the review confidential. NCUA will not release these reviews to the vendors’ customers. However, we can state that at the time we conducted the reviews, some of them several months ago, these vendors were on an acceptable timeline for addressing the Year 2000 problem. In addition, NCUA has adopted the FFIEC Year 2000 rating system (satisfactory, needs improvement, unsatisfactory) and has rated these vendors as satisfactory.

NCUA is working with the other FFIEC agencies to develop standard procedures for disseminating the results of ISV Year 2000 reviews to the ISVs’ customers. Once developed, NCUA will begin sharing the results of these reviews with the ISV’s current customers of record.

Conclusion

The Year 2000 poses a wide range of risks. It is imperative that all levels of management, which includes your board of directors, understand and take a proactive approach in addressing these risks.

We will continue to keep you informed via our web site and letters. You may access the enclosed statements and previously released material at www.ncua.gov (Year 2000). You may also access the FFIEC Year 2000 guidance papers, as well as all previously released guidance papers, at www.ffiec.gov.

If you have any questions about these issues, the interagency policy statements, or our examination approach, please contact your NCUA Regional Office or State Supervisory Authority.