Origin and Impact
1. Since the earliest days of electronic computers, programmers have used two digits to represent the year in date fields (YYMMDD). While many newer applications are Year 2000 compliant, many older applications on which compliant applications depend, or with which they interact, continue to run. Assuming that any application is Year 2000 compliant without appropriate analysis and testing poses substantial risks.
2. Further complexity is introduced by other considerations, such as the use of reserved values: for example, using 99 in the year field to indicate that a file should be saved forever, archived, or treated differently in some way. Even before 2000 is reached, some applications will start behaving badly as, in this example, records for the year 1999 will be treated as special files and handled other than normally. Finally, all programs will need to be checked to see that leap year is properly handled in 2000.
3. There is no single way of fixing existing applications or databases. Two of the most common approaches are to add two digits to the year field (CCYYMMDD) or a technique called windowing, which analyses the two-digit year field and automatically recognises years under a specified number (say 60) as being 20yy while years over the number are recognised as being 19yy. Other fixes are also appropriate as permanent or temporary measures to address particular applications.
4. Applications affect all areas of the business: the front office, the middle and back offices, the customer delivery system, and management information and decision support systems. Because applications are frequently interdependent, all interdependencies must be identified and thoroughly tested every time one element in the chain is modified.
5. Making the appropriate changes is complex. Different situations require different solutions. Adding two digits affects the amount of memory and storage space needed and can affect performance with larger records to process. Windowing requires added calculations whenever a date is encountered and can affect performance. Either approach can affect how one application interacts with another. For example, if a four-digit representation for the year is chosen, linking applications that expect to receive only two digits will require further modifications to assure correct communication. Every time an application is modified to be Year 2000 compliant, it will have to be tested against every other application with which there are linkages. Such testing has to be done not only internally but also with correspondents and customers to assure that interdependencies work properly. Because compliant applications become ready to be implemented on a sequential basis, testing will be an ongoing and repetitive process.
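Added example (not part of the original paper): Python code for the windowing fix described in paragraph 3, producing the expanded CCYYMMDD form, flagging the reserved value 99 from paragraph 2 for review, and validating 29 February 2000. The function names, the choice to read yy = 60 itself as 19yy, and the sample fields are assumptions made for illustration.

```python
from datetime import date

PIVOT = 60        # the paper's "say 60"; yy == 60 itself is read as 19yy here (assumption)
RESERVED_YY = 99  # year value the paper says some applications reserve as a marker


def window_year(yy, pivot=PIVOT):
    """Windowing: two-digit years under the pivot become 20yy, the rest 19yy."""
    if not 0 <= yy <= 99:
        raise ValueError(f"two-digit year out of range: {yy}")
    return (2000 if yy < pivot else 1900) + yy


def legacy_year(yy):
    """Uncorrected behaviour: every two-digit year is read as 19yy."""
    return 1900 + yy


def expand(yymmdd, pivot=PIVOT):
    """Convert a YYMMDD field to (CCYYMMDD or None, status).

    status: "ok", "review" (yy is the reserved value, so the field may be a
    marker rather than a real 1999 date) or "invalid" (not a calendar date).
    """
    if len(yymmdd) != 6 or not (yymmdd.isascii() and yymmdd.isdigit()):
        return None, "invalid"
    yy, mm, dd = int(yymmdd[:2]), int(yymmdd[2:4]), int(yymmdd[4:])
    year = window_year(yy, pivot)
    try:
        date(year, mm, dd)  # rejects e.g. 29 February in a non-leap year
    except ValueError:
        return None, "invalid"
    status = "review" if yy == RESERVED_YY else "ok"
    return f"{year:04d}{mm:02d}{dd:02d}", status


def days_between(a, b, year_of=window_year):
    """Day count from field a to field b under a given year interpretation."""
    def parse(s):
        return date(year_of(int(s[:2])), int(s[2:4]), int(s[4:]))
    return (parse(b) - parse(a)).days


if __name__ == "__main__":
    # Constructed sample fields, not data from the paper.
    for field in ("991231", "000229", "590101", "600101", "010229"):
        print(field, expand(field))
    print("legacy  :", days_between("991231", "000101", legacy_year))
    print("windowed:", days_between("991231", "000101"))
```

Under the legacy reading, the interval from 31 December 1999 to 1 January 2000 comes out negative, while windowing yields one day; the same field `000229` is a valid date only once the century is resolved to 2000.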
Areas Affected
6. The potential for Year 2000 problems pervades virtually every area of an institution. Applications relying on dates are clearly vulnerable. However, many applications that do not appear to rely on dates use dates in ways that are often not apparent to the user, such as in file naming conventions or where the date is part of a key. Wherever dates are used, they must be identified, checked for compliance, and addressed by appropriate change when necessary.
7. All applications are vulnerable regardless of whether they are developed internally or externally. Applications developed by third parties may be especially vulnerable because reliance must be placed on someone else to make the necessary changes. After changes are made, a bank must test the application to see that it works properly in its unique environment. Testing is essential because vendor applications almost always require current or at least recent releases for operating systems or utilities upon which the application depends. If a bank is not current in its version control, compliant applications may fail.
8. Computer operating systems are vulnerable because dates play a crucial role in file maintenance and performance optimisation routines that are invisible to the user. Access control and security systems are affected and could lock out users both logically from automated applications and physically from buildings or departmental areas.
9. Hardware is also affected. Mainframes are particularly vulnerable as individual components may be of widely different vintages and a single non-compliant component could affect the entire system. Mini-computers and PCs may also be affected. ATM machines or communications equipment have built-in dating features that must be identified, tested, and corrected where necessary.
10. Internal communications networks and public carriers have many date-sensitive components. Assuring that all problems are identified and made compliant requires carefully designed tests involving both applications and the network/carrier. Environmental and other systems (heating and cooling systems, elevators, vaults, facsimile machines, etc.) also may have both date-sensitive software and hardware with embedded computer chips that may have hidden date-sensitive elements.
Risks and costs
11. Significant risks exist in not making all necessary changes and thoroughly testing systems. Operational risks are obvious. Failure to have fully operational automated systems can prevent even simple business functions from being completed because manual or other alternatives may not be feasible if processing volumes are sizeable or information exchanges are extensive.
12. Any operational problems immediately become reputational and legal risks as correspondents and clients react to business problems. If significant banks face problems, the systemic implications could be extensive. Consultants estimate that legal costs alone could be in the hundreds of billions of dollars if problems are extensive in the industry. Such estimates clearly suggest the magnitude of the strategic risk faced by a bank and the industry more generally.
13. Because correspondents and customers are also subject to the Year 2000 issue, they too must make the necessary changes to conduct business normally. Testing normal connectivity and message transfers with correspondents and customers is essential but not enough. If they have not also made the necessary adjustments to their own systems, they could pose credit and liquidity risks to the bank. Credit officers need to understand the Year 2000 risks faced by their customers and how well their customers are managing these risks. Current financial performance will not be an indication of future performance for organisations that have not developed sound plans and provided for appropriate resources to carry them out.
14. The costs that the banking industry will need to incur to address the Year 2000 are extensive. The Gartner Group has publicly estimated that it will cost between US$300-US$600 billion worldwide just to complete needed changes and testing. Every line of code in every program needs to be reviewed at costs typically estimated at about US$1 per line. Costs for global banks are frequently estimated in the hundreds of millions of dollars. Smaller banks with few in-house developed applications will still incur substantial costs to thoroughly test applications modified by others.
15. Skilled technical resources are already scarce and will become even more scarce as the deadline approaches. Already salaries for certain specialists are rising and key staff are being bid away by other companies. Consultants with top reputations are heavily committed, and new clients are accepted only on a very selective basis. As time passes, banks will be forced to turn to consultants with little or no demonstrated performance record and uncertain futures.
16. Test facilities also can pose a challenge. Establishing a test environment for live testing using dates in the year 2000 is not easily done. If possible, dedicated systems should be used. Alternatively, a production system might be shut down and re-established for the Year 2000 testing, but such an approach can pose significant risks because moving an advanced date backwards (i.e. from 20xx to 19xx) for the operating system is often a difficult and time-consuming process. Also, the number of weekends and holidays available to conduct testing is constantly shrinking. Renting computer time from third-party service providers may be possible but, like consultants, their resources are being booked rapidly.
17. Testing will also be more difficult than usual. First, there will be competing demands for test environments. New applications like those related to the Euro or replacing fractions with decimals in trading activities will require testing in current environments. Yet given the importance of these applications and their interdependencies with other applications that must be tested for Year 2000 compliance, strategies will have to be developed for testing in both current and Year 2000 environments. Test data will need to be specially developed. Because testing is primarily a business line activity, business line resources will be under heavy pressure.
18. The Year 2000 is sufficiently complex that it should not be combined with other maintenance or software changes in the application. If problems are encountered, determining whether the Year 2000 or other changes are causing the problems can become extremely difficult. Many organisations are freezing other projects until the Year 2000 is addressed to minimise difficulties in tracking problems, although such freezes are probably impractical for long periods of time.