Certification

23. Certification has been a recurring and confusing issue for many institutions. Many institutions and especially smaller institutions believe that if a vendor certifies a particular product as being Year 2000 compliant, they need not worry about it. There are two fallacies to this idea. First, some vendors indicate that their product is compliant when in fact it is not. Second, even if the product is compliant, it still must be tested by the institution to make sure that it runs properly within the institution's own environment and interfaces properly with other applications. At least some level of testing by the business line area will be required to assure true compliance.

Vendor management

24. Third party vendors pose special risks because the amount of oversight and control that an individual bank can influence is limited. As a result, banks need to have a clear understanding of vendor plans and hold vendors accountable. If key targets are not met, contingency plans should be in place to change vendors, complete work internally, or otherwise adjust to vendor failure.

Target dates

25. Target dates for testing are critical both internally and externally. Most institutions have been developing target dates for testing for internal use but have not been active in communicating these dates to correspondents and customers. Because meaningful testing often requires testing internally and with external parties, the coordination of test plans with correspondents and large, active customers become very important to the institution. Indeed, setting priorities and internal target dates will depend to some extent on when external testing becomes feasible. Especially for larger institutions, payment systems, clearance and settlement systems, and similar utilities, communicating test plans for applications having external interfaces becomes crucial for the industry-wide planning process.

26. For institutions that may be somewhat lagging in their Year 2000 efforts to date, the need to communicate meaningful target dates for testing poses a dilemma. Not communicating readiness dates for external testing now or indicating a date that is too far out in the future sends immediate indications to the financial community that the institution may be lagging in Year 2000 efforts. On the other hand, communicating a target date that appears acceptable but which might not be met runs the risk of having credibility questioned even more severely if the target is missed. Even internally, as institutions think about setting target dates for testing or other project milestones, they need to recognise that the century date change is inevitable. Setting optimistic targets that barely make compliance possible may be only disguising the real problem and issue for the organisation.

Spillover business risks

27. Spillover business risks and opportunities represent an area that is often overlooked when developing Year 2000 plans. Typically, institutions focus first on the internal efforts necessary to become compliant. Yet, the Year 2000 issue can also be a survival issue for customers. Failure of customers to make the necessary adjustments can lead to a loss of business and loss of asset values for the bank. On the other hand, having a strong Year 2000 program may open strategic opportunities to market the readiness posture of the institution. In any event, credit and relationship officers should already be cognisant of their customer's readiness, tracking progress over time, estimating possible business ramifications if customers fail to become compliant, and developing contingency plans as appropriate.

Mergers and acquisitions

28. Mergers and acquisitions represent another area where Year 2000 readiness should be taken into account because such activity would place additional burden on scarce technical and managerial resources of the organisations. At minimum, a rigorous due diligence on Year 2000 preparedness should be conducted in order to assess the status of the institution being absorbed and how the combined institutions would affect Year 2000 plans, actions and ultimately readiness. For organisations that are stretched in meeting Year 2000 compliance, acquiring another institution would be highly risky. Indeed, the possibility of being acquired might be an approach to contingency planning. However, as time passes, there is decreasing ability for any organisation to absorb a non-compliant one and make the necessary changes before the century date change.

Satellite operations and foreign activities

29. Satellite operations and foreign activities pose a significant risk for many institutions. While inventorying mainframe and other applications under the control of a centralised information systems management may be relatively easy, departmental applications unknown to the centralised operation are increasingly common. Many of these applications are essential risk monitoring and business decision tools. Extra effort is needed to identify these applications and make certain that they are compliant. Making business line staff at all levels aware of the Year 2000 issue is essential if problems are to be avoided.

30. Similarly, foreign and decentralised operations frequently have applications specific to the local market trading activity or the local currency. Staff in these locations are often not as aware of corporate issues like the Year 2000 as staff would be at the head office. As a result, the likelihood increases that applications - potentially significant ones - would not be picked up in the inventory or appropriately addressed.

Security issues

31. Security issues arise and will become more pressing as the urgency of the Year 2000 increases. Normally sound security controls may be relaxed as consultants and subcontractors for consultants undergo less rigorous background checks before being granted access to bank systems and records. Date dependent security applications may be turned off to facilitate testing. As businesses focus more on resolving interconnectivity concerns, resources normally focused on security controls may be diverted.

Cost control

32. Cost control represents a problem area for many institutions. In particular, the adequacy of budgets becomes an issue. Many organisations appear to be underestimating the costs of testing by not recognising that many tests will have to be performed multiple times as vendors change releases or operating system environments or applications change. Additionally, business line management often fails to recognise that the largest share of the testing burden will ultimately fall to them.

33. Technical resource scarcities are also getting worse with the passage of time. Institutions are already experiencing significant turnover of key staff as salaries are bid up ever higher in the market. Bonuses and special retention packages are being used in many institutions to address the turnover issue.

34. Outside consultants are facing similar demands resulting in higher costs. Here, however, the issue is not just cost but the quality (skill and integrity) of the consultant and the level of confidence one can have that the consultant will continue to exist if problems are encountered. As a result of all of these factors, many organisations are finding it necessary to increase budget estimates, sometimes several times and often significantly.

Monitoring

35. Monitoring Year 2000 progress should be a high priority for every institution. The role that the audit function plays in the monitoring process should be clearly defined, proactive, and clearly visible at the highest levels. Follow up on audit exceptions should be tracked carefully and on a timely basis. Control mechanisms need to be developed specifically for monitoring Year 2000 progress and senior management and directors need to be monitoring progress on a regular basis as one of the highest priorities of the institution.

Potential systemic issues

36. Potential systemic issues need to be identified. The Year 2000 issue is not one that will present problems only to those who fail to rise to the challenge. For large banks and industry "utilities" that serve the entire banking community by offering services or products not readily available elsewhere, problems focused in a single location could rapidly affect others if payments fail to move as expected. Potential weak links in the payment chains need to be identified as early as possible with appropriate contingency plans developed and followed as necessary.

37. Credit issues with systemic implications can also arise if very large customers or classes of customers become unable to conduct business. Obligations may not be met and collateral values can deteriorate rapidly. While the systemic implications of Year 2000 credit issues may take somewhat longer to manifest themselves, they are nonetheless real.

Outside auditors and public reports

38. Outside auditors and public reports are likely to become an issue at the end of the current fiscal year for some organisations. In some countries like the United States, the decision has already been made that Year 2000 renovation costs must be accounted for in the year in which they are incurred. While the accounting profession is still debating whether such costs will have to be disclosed as a specific item, there is building consensus that organisations appearing to be unable to be Year 2000 compliant for material businesses or applications will have to have this risk specifically noted in certified statements. At what point such disclosure begins to be required remains uncertain.