Virtually every financial institution relies on computers, either their own or a servicer's, to provide for processing and updating of records and a variety of other functions. Most institutions cannot survive without the use of computers. Because of this, all institutions are vulnerable to problems associated with the Year 2000.
All levels of management, including the Board of Directors, must understand the implications of this problem; specifically, the fact that all computer systems will be affected; the cost of the solution may be significant; and, because the deadline for compliance is an immovable date and fully implementing solutions may take years, management cannot delay action.
Many computer systems and programs may not be currently designed to handle the Year 2000 for a variety of reasons. The core problem is that a majority of the systems in use today have a two-digit field for the year. When the Year 2000 comes, the date will be reflected as "00", but many systems will mistake that for the year 1900, leading to numerous problems when calculations requiring the use of dates are performed such as:
- calculating interest;
- calculating truth-in-lending or truth-in-savings disclosures;
- determining a person's age; and
- determining amortization schedules.
Automated Teller Machines (ATMs) may also assume all cards are expired due to this problem. Errors caused by these miscalculations may also expose institutions and data centers to financial liability and risk of damage to customer confidence in the institution. If computer systems are not made Year 2000 compliant, systems and programs may fail.
For an institution or data center to prepare for the Year 2000, several steps must be taken. The hardware and software used by the institution and/or its servicers must be analyzed for compliance. Any system with a date function built into it may need to be made Year 2000 compliant either by being replaced or reprogrammed. If there are deficiencies, new software, and possibly hardware, which is compliant, will have to be identified and purchased in time for records to be converted; or massive reprogramming of existing software may be necessary. Due to the complexity of the issue, both options will be expensive and, in some cases, cost millions of dollars. Institutions and data centers that have begun to research how to address this issue are finding that the solution will take several years to define, test, and fully implement.
The Year 2000 problem is not limited to one type of software or hardware, critical or non-critical. Examples of affected critical systems include mainframes, personal computers (PCs), and networks. Other critical systems which could be affected include:
- telephones and PBX systems;
- audio voice systems;
- elevators;
- security systems (badge readers, surveillance systems, parking lot gates, vaults);
- time dependent controls (parking lot lighting, programmable thermostats);
- power management functions (heating/air conditioning controls, uninterruptable power supply systems, building lighting systems); and
- environmental safety systems.
Examples of non-critical systems that could be affected include:
- fax machines;
- electronic time clocks;
- vending machines; and
- landscaping systems.
In researching acceptable solutions, institutions and data centers will need to bear in mind the interrelationships between the various software systems they use, as well as any data received from or provided to outside sources, such as Automated Clearing Houses (ACH) or payroll servicers. Data from outside sources not compliant with the Year 2000 may corrupt an institution's or data center's files causing disruption in the institution or data center's ability to process transactions. Alternatively, institution data or files not compliant which are sent to outside sources may corrupt those outside sources leaving the institution with potential liability for any incurred losses.
The ability to adequately manage the time left to deal with the situation is critical. There are a finite number of companies and individuals capable of reprogramming existing systems. The longer institutions and data centers wait, the fewer of these companies or individuals will be available to assist them and the higher the price will be.
Institutions and data centers which purchase their software need to take a proactive approach to this situation. They cannot assume their software vendors are adequately addressing the problem. Situations have already arisen where institutions have contacted vendors and been informed that software products currently being used are not Year 2000 compliant, and the vendor does not intend to make them compliant.
It is imperative that management take an aggressive and proactive approach to this problem in order to meet the deadline. Institutions and data centers should inquire specifically as to what plans the outside software vendors have made and/or implemented to make their software compliant. Time frames should allow for any reprogramming to be accomplished, and full testing done, well before December 31, 1999. Institutions and data centers which do in-house programming of their software must make an assessment of the costs and time involved immediately so that reprogramming can be completed and fully tested well before December 31, 1999.
Institutions lacking the expertise to address this problem should seek help from outside resources such as trade organizations, EDP auditing firms, and Year 2000 resource firms.
To assist credit unions in this endeavor, we sent the enclosed letter to the major credit union vendors (listed in the attachment) inquiring about their Year 2000 compliance status. If your vendor is not on the list, we ask that you forward their company name, address, and contact person (if available) to: National Credit Union Administration, Examination & Insurance, 1775 Duke Street, Alexandria, VA 22314-3428. If you have access to the Internet, you may send this information to: eisupv@ncua.gov. We ask that you send this information by one method only. Periodically, we will make the vendor information available to assist you in obtaining knowledge of your vendor's status.
We have also enclosed an Appendix which discusses in more depth the complexity of the problem and viable solutions. Your examiner will be inquiring about your readiness and ability to handle the Year 2000 problem. Those credit unions not in compliance should expect to reach formal agreements with their examiner to ensure compliance by December 31, 1999.
If you have any questions, please contact your regional office or your state supervisory authority.
/S/
Norman E. D'Amours
Chairman