U.S. House of Representatives
Preparing for the Year 2000:
Financial Institutions, Customers,
Telecommunications, and Power
Richard B. Calahan
Deputy Inspector General
Department of the Treasury
Office of Inspector General
We are pleased to provide the Committee with the preliminary results of our ongoing audit of the Office of the Comptroller of the Currency's (OCC) initial supervisory efforts to ensure that national banks are adequately addressing the Year 2000 problem (Y2K). The Treasury's Office of Inspector General (OIG) has planned a series of audits covering the progress of the OCC and the Office of Thrift Supervision (OTS) in ensuring that the institutions they supervise are ready for the Y2K conversion. Besides these audits, we are also reviewing the internal systems of OCC and OTS and will report on them in the near future. We coordinated this initial work with the General Accounting Office (GAO) enabling us at this point to concentrate our resources in OCC. The GAO reported on OTS last spring.
OCC, in coordination with the other federal financial industry regulators, has taken a number of steps toward raising awareness, assessing the state of the industry, and planning future supervisory efforts as the Year 2000 nears. For example, OCC has participated in various national and international seminars, created a Y2K internet web page, and issued supplemental guidance to national banks. We would like to commend OCC for their significant efforts to date. As with any effort, much still needs to be done as OCC and the banking industry enter the most resource-intensive and critical portion of the multi-phase approach to Y2K compliance.
The following information focuses on OCC's oversight and preparedness during the Y2K awareness and assessment phases. Our observations are based on an analysis of OCC Y2K examinations completed by June 30, 1998, a profile of banks with a less than satisfactory Y2K rating, and discussions with OCC senior officials and examiners.
In summary, we found that OCC's initial Y2K supervisory efforts are proceeding on schedule and largely in line with the Federal Financial Institutions Examination Council's (FFIEC) examination guidance. Our analysis of the Y2K examinations covering a broad cross section of banks of differing size, geographic location and operations reflects two favorable conditions. First, OCC's supervisory efforts are progressing as planned with only minor exceptions; second, most national banks are both aware of the Y2K problem, and have satisfactorily assessed and planned for taking remedial action to fix the Y2K problem.
OCC's and national banks' progress under the initial phases, however, only provides a limited view of readiness. Most experts and regulators agree that the most critical and difficult phases lie ahead as banks must now implement their plans to become Y2K compliant. The OIG's review of OCC's oversight and preparedness during the awareness and assessment phases suggests that added supervisory challenges lie ahead due to the complexities associated with large banking organizations, international banking, and the added requirement of assessing bank credit risk due to customers' Y2K readiness. Our analysis of Y2K "problem" banks provides some indications as to how extensively consumers might be impacted, further underscoring the importance of the forthcoming critical phases. For example, problem banks accounted for approximately 1.7 million retail accounts spread across roughly 390 branches.
Based on this initial work, the OIG has conveyed to OCC several suggestions aimed at assisting their oversight and preparedness during the remaining Y2K phases. Foremost is the need to formally identify those banks and systems presenting the greatest Y2K risks to the banking system, a process not much different from the FFIEC requirement that banks identify their most critical systems. In so doing, OCC will be better positioned to focus needed staffing and develop contingency plans on handling any non-compliant banks. The OIG also suggests that for their own oversight purposes the OCC consider developing component Y2K ratings underlying the FFIEC's overall evaluation rating. Such a system would be similar to the FFIEC's uniform rating systems for Information Technology and the Safety & Soundness examinations.
OVERSIGHT AND PREPAREDNESS - INITIAL PHASES
During the awareness and assessment phases, OCC's supervisory efforts progressed as planned with only minor exceptions. We reviewed Y2K examinations for a sample of 33 banks. These banks range in asset size from $7 million to more than $260 billion, are located from California to New York, and have varied operations ranging from community banking to credit card operations to international banking. The sampled banks were under the supervision of one of three OCC district offices, or part of OCC's Large Bank Supervision Department.
Examination Review Observations
The results of our sample show that OCC examiners generally followed FFIEC guidance in conducting the Y2K examinations. Y2K ratings were generally found to be (1) assigned in accordance with the relevant FFIEC definitions, (2) supported by documentation in the examination case file, and (3) consistent across the three districts and six large banks visited. However, it appears that some ratings can be based on bank promises of action rather than actual performance.
For example, although the FFIEC guidance expected that an overall Y2K plan be developed by September 30, 1997, one bank in our sample was given a satisfactory rating based on the promise to revise an inadequate plan. The plan had not been revised as of March 1998. Senior OCC officials acknowledged that some examiners will weigh a bank's regulatory history, experience in managing technology resources, and other factors and give the bank the benefit of the doubt when assigning a Y2K rating. This practice does raise an issue of consistency.
We also found minor examination documentation weaknesses. Documentation was sometimes inadequate to determine whether a particular FFIEC examination step had been covered. For example, in nine examinations (27%), we could not determine if the bank had prioritized both its internally and externally maintained computer systems and applications. We do not believe these weaknesses had a material impact on the results of any of the examinations reviewed.
OCC generally took appropriate action in line with OCC's enforcement policy for the 12 banks rated less than satisfactory. For these 12 banks, examiners typically used informal actions, such as Supervisory Directives or Memorandums of Understanding. These actions advised management of deficiencies or other supervisory concerns, and required banks to submit plans for corrective action within specific time frames, usually 30 days. Seven ratings were subsequently upgraded indicating that the banks had corrected their documented deficiencies. The other five ratings had not changed prior to the time of our analysis.
OCC records show they achieved their goal of completing one on-site Y2K examination at 2,800 institutions by June 30, 1998. Nearly all of the Y2K examination ratings had "as of" dates between April 1, 1998 and June 30, 1998, which indicates that OCC's assessments were relatively current.
Staffing and Training
The existence of trained staff is of critical importance. Staffing for the initial examinations appeared adequate given that all the 2,800 examinations were completed on schedule. OCC has about 80 full-time examiners with specialized experience in information systems (Bank Information Systems specialists). Of the 80, we were told that about 28 are to be dedicated to large banks. The remaining 52 are primarily responsible for data centers, but can also be used for large and community banks based on available time and/or if the need arises. OCC plans to utilize approximately 500 Safety & Soundness examiners to conduct Y2K examinations of the community and mid-size banks up through the Year 2000.
We attended OCC Y2K examiner training which we found to be extensive. The training covered FFIEC and OCC developed regulatory guidance, and examination and enforcement policy and procedures. Although the training covered relevant Y2K issues, we did not attempt to assess its adequacy or effectiveness.
Management Information Systems
OCC has developed an extensive Y2K supervisory database containing over 80 data elements, capable of generating numerous summary reports. Information can be input by examiners in the field and consolidated in OCC headquarters. Database contents include indicators of bank progress, target dates, existence of plans, Y2K and Safety & Soundness ratings, and supervisory follow-up. Given the objectives of the initial phases of Y2K readiness, the data appears reasonable to support OCC oversight.
Y2K Rating Limitations
The Y2K ratings have some limitations. A single overall rating is no more than a point-in-time snapshot of a bank's progress, and oversimplifies the complexities of the Y2K remediation process and the varied aspects of banks' systems and operations. Consequently, a rating based on the preliminary phases is an unreliable predictor of a bank's ultimate ability to be Y2K compliant. Being aware and having a good management plan does not guarantee implementation. It is widely accepted that succeeding phases, primarily the testing phase, will be the most technically challenging and complex.
OVERSIGHT AND PREPAREDNESS - UPCOMING PHASES
The initial phase examinations only provide a limited view of bank Y2K readiness. According to the FFIEC, the remaining phases, where banks must execute their plans, will be critical and difficult. From our observations of OCC's oversight during the initial phases, we believe added challenges lie ahead.
Large banks clearly represent a major challenge for OCC as these banks enter the more complex phases of the Y2K process. These large banks have a major impact on the banking system. The nation's top 50 U.S. bank holding companies held 59% of total commercial bank domestic deposits in the first quarter of 1998. Some large banks also have diverse operations and can be geographically dispersed with coast to coast offices. Moreover, their systems are vastly more complex. Some of the large banks in our sample process millions of transactions per day.
Staffing appears adequate for the community and mid-sized banks. Staffing for large banks, however, appeared thinly spread. For example, OCC had only a single Bank Information Systems (BIS) examiner assigned full-time to cover two large banks with combined assets of $310 billion. These banks have nationwide operations and have identified hundreds of mission critical systems. One bank also operates data processing centers in seven countries.
Up to February 1998, OCC had 15 BIS examiners assigned full-time to the 32 large banks in its Large Bank Supervision Department. Even with the assistance of bank internal audit staff and additional BIS staff made available by district offices, it would appear difficult for large bank BIS staff to stay current on day-to-day system development efforts, security issues, and other factors affecting a large bank's data processing systems and overall safety and soundness. With the need to focus on critical Y2K issues as well, this appears to be a daunting task.
OCC officials agreed with this observation and noted they were in the process of increasing the number of full-time BIS examiners in the Large Bank Supervision Department to a total of twenty-eight, including an additional full-time BIS examiner at the two large banks discussed above. This is one step in the right direction, but we suspect more resources will likely be needed given the complexities of large bank systems and operations.
International banking operations also present added complexities for OCC. International operations are varied and arise from three sources: (1) domestic banks conducting business with foreign banks, (2) domestic banks with overseas operations, and (3) foreign banks with domestic operations (FBOs). As with large banks, international operations may entail large and complex systems, some of which are linked to systems residing in foreign countries.
We found anecdotal indications where OCC needed to rely on external assertions during the initial phase examinations. Four of the 33 sampled examinations were FBOs, which ranged in asset size from $52 million to $1.8 billion. The four FBOs were headquartered either in Asia or a European developing country. We found that in one instance, OCC had to rely on the external assertions that the foreign bank's home country regulator had placed deadlines on financial institutions for being Y2K compliant. External reliance was also necessary in the area of infrastructure readiness. Again, OCC had to rely on host country assertions that their power and telecommunications systems were adequately assessing and planning for Y2K readiness. We believe there are risks in relying on foreign bank regulators, particularly those of developing countries.
OCC is aware of these added challenges posed by international operations, and has started several initiatives. For example, OCC's Global Banking Group is developing a database to consolidate and disseminate international Y2K information. The database includes country Y2K risk assessments. Aside from these initiatives, the extent and nature of international Y2K risks are unclear. We believe the implications and impact of these risks are likely to be more difficult to sort out during the upcoming critical testing and implementation phases.
Assessing Y2K Credit Risks
FFIEC Y2K examination guidance provides for examiners to determine whether banks are assessing individual customer's Y2K preparedness. In addition, banks are to review the adequacy of their loss reserves for customer Y2K risks. Although the underlying issue is Y2K, it would be OCC Safety & Soundness examiners that make these determinations.
OCC faces the added challenge of not being able to make all these credit risk determinations given the examination cycle for some banks. For non-problem small banks, a Safety & Soundness examination is scheduled on an 18 to 21 month cycle. There are approximately 1,500 banks, or 60% of all national banks, subject to this cycle.
OCC acknowledges the potential examination gap given the examination cycle and existing examination staffing levels. Although a normal onsite examination might not be feasible, OCC is requesting that these banks submit quarterly information from which arising problems could prompt additional oversight. The OIG believes the added challenge still lies in corroborating a bank's determinations, an examination procedure normally completed onsite.
Developing Timely Quality Assurance
Although OCC is developing a Quality Assurance program for Y2K examinations, OCC's program should ensure that whatever process is in place be accomplished in a timely manner. For example, a quality assurance review should occur within days of the completion of an examination. Any delay beyond that greatly minimizes the benefits of the review and increases the chance that other examinations will have quality deficiencies.
The primary examination risk is to rate a bank too highly and potentially divert supervisory attention toward other banks with lower ratings. We noted during our review of the initial examinations that only normal supervisory review was provided for examinations where the banks were rated satisfactory. It is for these institutions that a quality assurance review would be most beneficial. Timely quality assurance becomes more necessary during subsequent examinations because of immutable deadlines and need for greater technical expertise and surety during the testing and implementation phases.
Discussions with examiners suggest that for some banks their ability to address Y2K may be distracted by more immediate issues. For example, the new EURO currency conversion could impact large bank systems and those with international banking operations. The EURO conversion is scheduled for January 1999. Another distraction is the Asian economic crisis, the effects of which are still being felt. More recent is the crisis in Russia and its possible lingering effects.
Although we saw no direct evidence that these external factors were actually preventing banks from addressing the Y2K problem, the fact that it was mentioned by examiners suggests yet another challenge to the Y2K problem. Moreover, these issues would most significantly impact large banks, whose added challenges were previously discussed.
PROFILE OF Y2K PROBLEM BANKS
Some experts contend that Y2K disruptions will occur; however, the magnitude of those disruptions is unknown. To gain a sense of the potential consumer impact should problem banks not become Y2K compliant, we analyzed 79 of the 119 banks rated "Needs Improvement" or "Unsatisfactory" as of June 30, 1998.
From available FDIC Call Report and OCC Y2K tracking databases, we found these problem banks ranged in asset size from $2 million to $1.8 billion. These banks also typically rely on third parties to provide computer operations or software.
One important characteristic of the problem banks was that approximately 30% of the banks had not devoted sufficient financial resources to Y2K activities. In addition, nearly 60% of the banks had not specifically identified a Y2K budget.
To gauge the potential impact on consumers should these problem banks not become Y2K compliant, we determined the number of retail accounts under $100,000 held by the banks. Problem banks reported approximately 1.7 million retail accounts spread across about 390 branches.
An important point to recognize is the potential impact of a single mid-size or large bank should it have problems. For example, one of the sampled large banks was initially rated unsatisfactory. Subsequent Y2K remedial actions resulted in raising the rating to satisfactory prior to June 30, 1998. Nevertheless, the potential disruption of service to its customers is illustrated by its millions of retail accounts and thousand plus branches.
MATTERS FOR OCC CONSIDERATION
Based on our initial observations of OCC's oversight and preparedness, the OIG has conveyed several suggestions aimed at enhancing OCC's supervision during the remaining critical phases. In some instances, OCC had already started an initiative or was still assessing the areas.
Formally Identify The Highest Risk Institutions And Systems
As the FFIEC Y2K examination guidance requires banks to identify their mission critical systems, we suggested that OCC similarly identify those institutions and systems that represent the highest Y2K risk to the national banking system. The need for early identification is parallel to the fact that the FFIEC requirement is a general examination procedure for the awareness phase.
In terms of formally identifying the highest risk banks, OCC officials generally agreed but indicated that this might be better reserved until the results of the testing phase are known. They also indicated that their existing processes and strategies substantively provided for a risk based means for identifying problem banks and systems, albeit not in a formal assessment document. For example, full-time Safety & Soundness resident examiners are assigned to each of the large banks and mid-sized banks. As for identifying high risk systems, OCC's Global Banking Group had an initiative in process as part of their information database which includes information such as a description of payment systems used by banks.
We recognize the objective of the risk based approach to OCC's supervisory system for identifying problem banks. However, we indicated that there might be limitations given certain extenuating circumstances and the urgent nature of the Y2K problem. Y2K problems may not allow the normal time for solution as other supervisory problems, such as a deteriorating loan portfolio. While the existing supervisory system may well surface problem banks and systems as they arise, we see strategic benefits to formally establishing a system early on, despite the fact that over 90 percent of the initial ratings were satisfactory.
As previously mentioned, initial readiness as suggested by the first set of OCC examinations is not a reliable predictor of successful implementation. But, we believe formally identifying those banks and systems presenting the greatest Y2K risks will facilitate OCC's supervisory contingency planning, as well as provide a prospective view of where and what type of staffing and experience might be needed for the second group of Y2K examinations. A formal systematic identification process could also provide for identifying specific risk areas such as systemic risk, service disruption, international operations, payment systems, etc. Besides facilitating staffing determinations, we believe a formalized identification process will better enable OCC to systematically focus on specific Y2K risk areas.
Develop Expanded Y2K Rating System
As previously discussed, the overall Y2K rating has some limitations. A single overall rating does not reflect the complexity of a bank's operations, especially that of a large multinational bank. Such a bank may have a hundred mission critical applications whose impact could negatively affect bank operations. Any one of these applications could fail and have more impact on the banking system than the Y2K problems of a community bank.
We suggested that OCC consider developing for internal purposes a rating system that provides senior officials with information on specific components to the FFIEC overall Y2K summary rating. This would parallel the current FFIEC rating systems used for the Safety & Soundness and the Information Technology examinations. As with these rating systems, OCC senior officials would then have a systematic means of determining Y2K readiness beyond a single descriptive rating. OCC would need to determine the precise components, but some aspects for consideration might include separate assessments distinguishing major critical applications, environmental areas, international operations, and the impact on consumers, businesses and/or external entities. OCC officials acknowledge the intent behind the OIG suggestion and indicated that it would be considered further.
Clarify Rating Guidance
As discussed above, some Y2K ratings are based on bank promises of action rather than on actual performance in meeting FFIEC criteria. Current FFIEC Y2K summary rating guidance permits bank examiners certain latitude in arriving at the rating. However, too much latitude when assigning ratings creates potentially meaningless and incomparable results. As the Y2K deadline approaches, it is important that OCC and other interested parties, such as the Department of the Treasury and Congress, can rely on the ratings to represent a consistent set of conditions.
We suggested that OCC issue clarifying guidance as to when promises of action can be accepted in lieu of actual performance. To illustrate, in OCC's examiner training classes, we were told that if a bank misses a FFIEC mandated deadline the operating presumption will be that the rating will be less than satisfactory. To ensure examiners follow management intent, we believe this type of guidance along with other clarification on the summary Y2K rating should be issued.
Develop Formal Contingency Plans
Two significant tasks before the OCC over the next 18 months will be handling non-compliant institutions and making timely credit risk determinations. OCC has indicated that it is taking several steps to develop contingency plans. These plans include addressing bank insolvency and closure, industry capacity to absorb non-Year 2000 ready institutions, as well as other regulatory issues. The OIG commended OCC for taking these pro-active steps and suggested that these efforts be formalized.
As discussed earlier, OCC faces the challenge of not being able to make timely credit risk determinations given potential staffing limitations and the Safety & Soundness examination cycle for some banks. We suggested that OCC also consider developing formal contingency plans for conducting on-site credit risk assessments, particularly in the event staffing limitations affect their ability to review the adequacy of loan loss provisions.
Assess Need For OCC To Independently Validate Testing
The FFIEC has established a requirement that banks independently review and verify two critical Y2K remediation processes: testing and contingency planning. Given the critical nature of these processes, we suggested that OCC consider assessing the need to, in turn, validate these independent verifications. The OIG recognizes that it would not be practical or needed to duplicate every bank's independent verifications. However, in line with the process of identifying high risk banks and systems, the OIG suggested that OCC only assess to what extent OCC verification might be warranted.
This suggestion is rooted in the notion that some banks likely constitute greater risks to the national, if not international, banking system. In addition, as previously discussed, we cited anecdotal instances when OCC had to rely on foreign party assertions during the initial examinations. In the area of international banking, we pointed out the risk in relying on foreign regulators.
OCC officials indicated that it would not be feasible for them to validate either a bank's testing results or any independent validation of those tests. Instead, OCC plans to sample and review (as opposed to revalidate) banks' validation policies, practices and procedures. They also pointed out that international bank regulatory organizations such as the Bank for International Settlements Joint Year 2000 Council and the Basle Committee on Banking Supervision had issued international Y2K guidance. OCC officials acknowledge, however, that developing countries outside the G7 industrialized nations may not have a regulatory apparatus or structure in place that could effectively implement the Bank for International Settlements' guidance.