There are 13 months remaining in which to achieve Year 2000 ("Y2K") compliance. This should not be difficult, though, in light of the fact that most deadlines imposed by the Federal Financial Institutions Examination Council ("FFIEC") have already come and gone. The FFIEC first alerted senior bank management of their responsibility to analyze the risk of Y2K to internal computer systems back in mid-1996. At that time, bank regulators advised senior management and boards of directors to establish a Y2K review team, develop an institution-wide Y2K plan, and oversee its implementation. Since then, the FFIEC has issued guidance on topics such as project management phases, responsibilities of the board of directors and senior management with respect to business risks, due diligence with respect to service providers and software vendors, risks associated with financial institution customers, and testing for Y2K readiness. At this time, financial institutions should have completed most aspects of their Y2K Project Plans, certified their mission critical systems, and be well underway with testing.

To review, the following is a brief sample of the tasks that your financial institution will have completed by December 31, 1998:

  1. Identification of all affected applications and databases. Mission critical applications were identified and prioritized as of September 30, 1997. All enhancements, revisions, replacements, upgrades, and other associated changes will be completed by December 31, 1998. For mission critical applications, programming changes will be largely completed and testing well underway by December 31, 1998.
  2. Outside dependencies. Bank management has inventoried all external reliances, including vendors, service providers, business partners, counterparties, and any electronic data exchange partners. For each, communication has been established. A formal risk assessment has been performed, which has been reviewed and approved by the bank board. Policies and procedures are in place for regular monitoring of these external providers.
  3.  

  4. Material customer credit risk. As of September 30, 1998, the bank has identified, assessed and established controls for Y2K risk posed by its material customers. The Y2K risk posed to the institution by its customers has been assessed on both an individual and collective basis. The formal due diligence process now in place for dealing with the Y2K impact on customers includes several key elements, most notably: (i) a standard set of questions to assess the extent of a customer's Y2K efforts to evaluate customer preparedness, (ii) a document retention policy for the original assessment conclusions, status updates, and any Y2K-related communications with the customer, and (iii) revised Y2K-compliant loan documentation for future borrowers. The board has been, and continues to be, informed of customers not addressing Y2K problems effectively, as well as the actions taken by the bank to control the risk.
  5.  

  6. Testing. Testing plans were prepared for all internal and external systems as of June 30, 1998. These plans identify the testing environment, testing methodology, test schedules, financial and human resources, documentation, contingency plans, and critical test dates. Internal mission critical system testing began by September 1, 1998, and will be substantially complete by December 31, 1998. Senior management is monitoring the testing of all mission-critical systems.
  7. Contingency planning. Contingency plans have been developed for all core business functions and their supporting mission-critical systems, complete with trigger dates for implementing alternative solutions. Core business risks have been prioritized based upon greatest risk posed to the institution. The contingency plans identify financial and human resources necessary for their execution. The contingency plan contains a business risk assessment that identifies potential disruptions and the effects of such disruptions on the bank's business operations, the minimum acceptable level of outputs and services, an analysis of strategies and resources available to restore system or business operations, a recovery program that identifies participants (both external and internal) and the processes and equipment needed for the institution to function at an adequate level, and a comprehensive schedule of the remediation program of the service provider or software vendor that includes a trigger date. The contingency plans have been reviewed by knowledgeable, independent individuals to assess the plans' reasonableness and effectiveness, and have been approved by senior management. The contingency plans are reviewed at least quarterly and adjusted, as necessary, to reflect changing circumstances.
  8. Litigation. The bank has assessed its litigation posture. In consultation with legal counsel, it has identified legal remedies and resolutions available to the institution in the event its products and services are not Y2K compliant.

Finally, though it goes without saying, all of the above has been prepared by appropriate management personnel, formally reduced to writing, and reviewed and approved by the bank board. In addition, management has formally considered the need to hire outside experts to supplement internal efforts in those areas where the bank's progress may be lacking (such as legal counsel, industry associations and accounting firms), and has documented its decisions. The board is provided with, at a minimum, quarterly status reports from management detailing the bank's progress in all Y2K areas.

Right?

Probably not. The FFIEC has been issuing guidance on Y2K matters for over two years, and yet most institutions have not, despite the best intentions and efforts, complied to the fullest extent possible with these issuances. This is not surprising, given the enormous amount of time and expense that achieving complete compliance with the FFIEC's guidelines requires. Nonetheless, in its most assertive guidance to date, on October 15, 1998, the FFIEC issued "Interagency Guidelines Establishing Year 2000 Standards for Safety and Soundness." The most noticeable difference in this release is the unusually commanding tone of the regulators. The suggestions and advisory guidance of prior Y2K guidelines have been replaced with mandates. In essence, the "should's" have become "shall's." The most critical distinction, however, is the inclusion for the first time of a discussion on regulatory enforcement actions. Specifically, the FFIEC states that failure to adhere to the October Guidelines may result in the appropriate regulatory agency requiring an institution to submit an acceptable compliance plan. Failure to submit a plan, or failure to implement an approved plan, in a timely manner, can subject the institution to a cease-and-desist order, as well as civil penalties. The FFIEC regulators note that they issued the October Guidelines pursuant to their authority under section 39 of the Federal Deposit Insurance Act to establish operational and managerial safety and soundness standards for insured depository institutions. Section 39 grants an agency authority to take several enforcement actions; in specified circumstances, the enforcement actions are mandatory.

This recent issuance by the regulators is indicative of an increasingly strict position on Y2K matters, but may also be a part of a larger strategy. For example, the Office of the Comptroller of the Currency (the "OCC") issued an update to national banks on September 14, 1998 indicating that the agency intends to conduct two additional on-site examinations of regulated banks by June 1999. The final Y2K examination for all regulated financial institutions will occur no later than mid-1999. If bank management cannot achieve a satisfactory level of Y2K compliance by then, the regulators can take harsh enforcement action, including forcing an institution to sell. The Federal Reserve Board has already begun informally advising banks not to enter into merger/acquisition deals after April 30, 1999 because of the anticipated focus on Y2K compliance assessments. It has also been suggested that the regulators are discouraging acquisition activities now to ensure that there are available buyers in the event of any necessary "supervisory sale" of a particularly non-compliant bank. In fact, the next round of acquisition candidates may already have been determined by the third-quarter 10-Qs recently filed with the Securities and Exchange Commission ("SEC"). In July 1998, the SEC notified companies that third-quarter 10-Qs would be required to contain the most elaborate disclosures to date about companies' Y2K efforts. Specifically, companies must disclose their current state of Y2K readiness, the costs of making their systems compliant, and include a "worst-case" scenario describing the impact on operations and financial soundness of a potential Y2K-related failure.

Now is the time, therefore, for banks to prepare their strategy for pending regulatory examinations in order to demonstrate satisfactory Y2K progress. There are common weak spots in Y2K compliance efforts, but two deserve special mention. First, the OCC has indicated that the most common problems and deficiencies of national banks include inadequate processes to assess customer readiness. The agency has warned that subsequent Y2K examinations will specifically include a review of a bank's customer due diligence process. While existing loans are difficult to alter, banks have been advised to avoid making loans they might normally make, and/or to require additional collateral. Many lenders are already urging borrowers to assess, and reduce if possible, Y2K risks. Fearful of alienating customers, banks may be reluctant to publicize and implement possible remedial measures. This is a particular problem for smaller banks, whose loan customers tend to be smaller businesses that are more likely to be ignoring the Y2K issue. A careful balance will need to be struck between satisfying the regulators and not antagonizing the customer. In any event, the OCC has warned that failure to have adequately considered the Y2K preparedness of material customers could result in a cease-and-desist order issued pursuant to the OCC's regulatory enforcement authority.

Another "Achilles heel" of most banks in Y2K examinations will probably be the lack of appropriate contingency planning. This situation is the consequence of several factors, some intentional, some unintentional. First, most institutions have been so preoccupied with assessing their overall Y2K situation, contacting vendors and customers, and testing mission-critical systems, that there has been no time for a concerted, Y2K-oriented contingency planning effort. Second, the strategy of most banks, and rightly so, is to spend their limited resources avoiding Y2K problems rather than planning for their assumed failure. Third, documented contingency plans create a whole separate category of Y2K litigation concerns. Nonetheless, the regulators want to see them, in writing, and the institution will be expected to implement them if need be. Any sound, viable and practically useful contingency plan must be dynamic. Circumstances and time alter contingencies. Failure to develop, to modify, or to implement a contingency plan is an indictment of management. In short, the Y2K contingency plan must be regarded by management as a living document.

No element of a bank's CAMEL rating is immune from the threat of Y2K, and while the extent of an institution's responsibility for Y2K has yet to be defined, the regulators appear to be preparing to conduct rigorous assessments. If it can be said that there was ever a time for a "more relaxed" attitude toward Y2K compliance, that time has now certainly passed. The regulators are on their way.

Prepared by Joseph E. Yesutis, Esq. of the Washington, D.C. Office

This article was first published in the October/November 1998 Issue of Mayer, Brown & Platt's Financial Services Regulatory Report. The Financial Services Regulatory Report is edited by Melody A. Chestnut of the Washington, DC Office.

Copyright © 1999 Mayer, Brown & Platt. This Mayer, Brown & Platt article provides information and comments on legal issues and developments of interest to our clients and friends. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.