

MILLENNIUM BUG: BANKING AND THE YEAR 2000 COMPUTER PROBLEM

TUESDAY, NOVEMBER 4, 1997
House of Representatives,
Committee on Banking and Financial Services,
Washington, DC.

    The committee met, pursuant to notice, at 2:51 p.m., in room 2128, Rayburn House Office Building, Hon. James A. Leach, [chairman of the committee], presiding.

    Present: Chairman Leach; Representatives Roukema, Bereuter, Castle, Lucas, Cook, Snowbarger, LaFalce, Vento, Kilpatrick and Sherman.

    Chairman LEACH. The hearing will come to order.

    Although few now recognize it, the Nation stands on the threshold of one of the most challenging problems the banking and financial services industry has ever faced—the so-called ''Year 2000'' problem. Computer logic is simply unprepared to deal with a steadily ticking logic bomb.

    When the clock strikes midnight on December 31, 1999, many computers could malfunction or even shut down. At financial institutions, it could mean errors in checking account transactions, interest calculations, or payment schedules. It could mean problems with ATM systems or credit and debit cards. It could affect bank recordkeeping, investments, currency transfer, and legal liability. It might interfere with payment systems, both here and abroad, and affect EFT transfers for payroll or pension recipients. It takes little imagination to picture the ricochet effects that malfunctioning computer systems could have on important bank operations.

    Ironically, the cause of all of this potential confusion sounds simple. For many years, computer systems were designed to record only the last two digits of the year in the date field in order to save computer data storage space. Hence, 1997 is recorded as ''97.'' This design concept serves us well as long as we're still in the 1900's, but has left us ill-prepared for the century date change to the year 2000.

    The problem, while not a virus, can act as what some have called a ''logic bomb,'' which can effectively infect interrelated computer systems. As a result, millions of lines of computer code at banks across the Nation need to be checked, and thousands of computer programs converted or replaced.

    Further, the problem isn't confined to computer systems. Everything that has a computer chip in it may be vulnerable: the time lock on a bank vault, the telecommunications system by which data is exchanged, and the computer-controlled elevator in a bank office building. Virtually every institution appears likely to be affected in some way, and costs may be significant.

    For example, Chase Manhattan has publicly estimated its year 2000 remediation costs to be in the range of $200 to $250 million. A consultant to the industry, the Tower Group, has estimated the total cost of year 2000 conversion for U.S. commercial banks at around $7.2 billion.

    Experts also emphasize that the problem must be fixed properly and on time if year 2000-related problems are to be avoided. I was also intrigued by a statement Federal Reserve Chairman Alan Greenspan made a couple of weeks ago. He pointed out that 99 percent readiness for the year 2000 will not be enough; it must be 100 percent. Thus, the message seems clear. All financial institutions must be ready; Federal and State regulatory agencies must be ready; data processing service providers and other bank vendors must be ready; bank customers and borrowers must be ready, and international counterparties must also be ready.

    Unfortunately, the fact that success or failure in meeting the year 2000 challenge won't be evident until just over two years from now has led some to ignore or downplay its importance. For this reason, the committee is obligated to lay out a clear record on the state of readiness of financial institutions and regulators to deal with the problem and to make sure that all possible precautions are taken as early as possible.

    We need to establish how pervasive the year 2000 problem is at financial institutions, and whether we can have reasonable confidence that it will be fixed on time. We need to know whether the industry is facing minor inconvenience, serious disruption of service, or total computer meltdown. We hope in the process of defining the parameters of the year 2000 problem to avoid the pitfalls of either exaggerating or understating its consequences.

    The committee also intends this hearing to be but the first of a series of oversight hearings on the issue. We plan to monitor closely the pace and quality of progress in year 2000 remediation efforts. If a large number of institutions have not finished repairs in preparation for testing by roughly this time next year, the safety and soundness consequences may be severe, with attendant systemic risk ramifications. Here, I am particularly concerned with the pace of smaller domestic and most foreign institutions in addressing the problem. It is unclear at this point whether vendor dependence is a liability or a Godsend for the banking system.

    Today the committee will hear from Senator Robert F. Bennett and two panels of witnesses. The first consists of the Honorable Edward W. Kelley, Jr., a member of the Board of Governors of the Federal Reserve System, and the Honorable Eugene A. Ludwig, Comptroller of the Currency and Chairman of the interagency Federal Financial Institutions Examination Council. At the invitation of the committee, written statements are also being provided by the Federal Deposit Insurance Corporation, National Credit Union Administration, and the Office of Thrift Supervision.

    Our second panel provides a non-governmental perspective. We will hear from Mr. James Devlin, from Citibank, about the institution's experience with conversion programs; from Mr. John Meyer, of Electronic Data Systems Corporation, about their role as a vendor of data processing services to banks, and from Mr. Lou Marcoccio, of the GartnerGroup, on the broader year 2000 picture and how the financial sector fits into it.

    I'd like to take the opportunity to commend the GAO for the helpful year 2000 assessment guide they have prepared and the technical assistance they have provided in recent weeks. I have asked the GAO to prepare a formal report for the committee, assessing the strategies and progress of the Federal banking agencies in addressing year 2000 challenges internally, as well as at institutions they supervise. We expect to be briefed regularly by the GAO on subsequent updates to that report.

    Finally, I would notify the committee that I am drafting legislation on which I seek comment today to address several discrete aspects of the problem as it relates to regulated financial institutions.

    The proposed legislation would direct Federal banking agencies to hold seminars for their regulated financial institutions on the problem, and require the regulators to provide financial institutions with model approaches to addressing it. The bill also would give the Office of Thrift Supervision regulatory parity with other regulators in the specific area of oversight of service corporations or vendors providing year 2000-sensitive services to thrifts.

    It would amend Federal copyright laws to allow regulated financial institutions or year 2000 vendors to authorize them to temporarily copy the institution's software for the sole purpose of year 2000 compliance, if the appropriate consent is difficult to obtain in a timely fashion.

    And, finally, it would authorize Federal banking agencies to waive any civil monetary penalties and work toward reducing any damages that otherwise might be imposed by a Federal court for inadvertent technical violations of law directly caused by failure to correct a year 2000 problem.

    Despite reasonable efforts by institutions to correct all year 2000 issues, it seems inevitable that some unforeseen problems will arise, and if institutions correct them on a timely and forthright basis upon discovery, it does not seem reasonable that they be held liable. This provision is intended only as a statutory clarification to ensure that such technical errors would be treated, for example, as bona fide errors for the purposes of Section 130(c) of the Truth in Lending Act, or Section 271(c) of the Truth in Savings Act, and in no way should be construed as an effort to indemnify any institution against negligence.

    With that as an opening statement, let me ask Mr. LaFalce if he would like to make any comments.

    Mr. LAFALCE. Thank you, Mr. Chairman.

    First of all, let me commend you for having today's hearing. I think it could well be one of the most important that we've had this year, or will have. And if you have no objection, Mr. Chairman, I'll simply introduce the rest of my opening statement to the record.

    Chairman LEACH. Without objection, so ordered.

    Mrs. Roukema.

    Mr. Vento.

    Mr. Castle.

    Mr. CASTLE. Thank you, Mr. Chairman. I would like to make a statement, if I may, and I do want to thank you for holding the hearing on this important issue that has been treated by the press mostly in breathless, ''Chicken Little'' terms, but has seen most of the financial industry, until recently, deal with it like another bird—the ostrich—with its head thrust deep in the sands of denial. It is reasonably clear that the sky probably will not fall in, at least in this country, but in other areas of the world's financial markets, it is far less certain that a hard hat is unnecessary.

    Real computer-generated glitches may well occur throughout society. These problems could well impact on financial institutions, as software written for the minimalist programs and machines of the mid-century is faced with dates that literally do not compute. Most of the difficulties should be able to be anticipated and fixed, although the costs of the fixes could be substantial.

    A high degree of careful, thoughtful preparation will be required to avoid masses of unproductive litigation, because the two things that we can count on are the inexorable operation of the law of unintended consequences and the irrepressible optimism of the trial law industry that there is a silver or even gold cloud around all dark linings.

    As the dimensions of the investment of time and money required to search out and install all the fixes become apparent, I expect Congress will be asked to grant some form of immunity from liability to all those companies and individual programmers who originally wrote the computer code that is at the source of the year 2000 problems, and to all those institutions and their directors and officers that too slowly responded to the need to fix the programs.

    For myself, I would be reluctant to grant such immunity, if these same companies, individuals, and institutions are then able to come in and reap gigantic profits at our expense for correcting the problems they originally created, or the institutions reap huge rewards at the expense of consumers or corporations.

    I look forward to the testimony of the witnesses, and hope to be reassured that financial institutions and their regulators have the institutions well in hand.

    I would also note that I am considering several possible hearings on the year 2000 issue in the Subcommittee on Domestic and International Monetary Policy, which I chair. Among those topics will be whether Europe can safely adapt both to a new common currency in 1999 and to the year 2000 issue a year later, what the effects of any year 2000 problems may be on the financial industry and fragile, emerging democracies, and an extended look at the international aspects of the year 2000 issue on the global retail and wholesale payment system.

    And I thank you, Mr. Chairman, for the opportunity, and I yield back.

    Chairman LEACH. Thank you, Mr. Castle.

    Mr. Snowbarger or Mr. Cook.

    Mr. COOK. Yes, if I could.

    Chairman LEACH. Please.

    Mr. COOK. Mr. Chairman, I just wanted to thank you for holding this hearing on a very important subject. And I think it's very interesting that just this morning I was also at a hearing of the Technology Subcommittee of the Science Committee that was talking about the same thing—the millennium bug and the year 2000 problem. In that committee, the emphasis was not as much on financial services and banking as it was on problems in our Defense Department and things that already are showing up as chaotic two-and-one-half years before the year 2000, that are related to this problem.

    And I am particularly delighted to have the Senator from my State, Senator Bennett, here, who knows as much about this problem as just about anyone. So, it's a particular pleasure for me to be in attendance today with you being a witness, Senator.

    Senator BENNETT. Thank you.

    Chairman LEACH. Thank you.

    Ms. Kilpatrick.

    Ms. KILPATRICK. Thank you, Mr. Chairman, for the opportunity for an opening statement. I'd like for my written statement to be in the record, without objection.

    Chairman LEACH. Without objection, ma'am. Thank you.

    Let me welcome Senator Robert Bennett. Senator Bennett is one of the leading authorities, I think in the world, not just the Congress, on this subject, and we welcome your attendance and your thoughtful observations. You may proceed in any manner you choose.

STATEMENT OF HON. ROBERT F. BENNETT, A UNITED STATES SENATOR FROM THE STATE OF UTAH

    Senator BENNETT. Thank you, Mr. Chairman. I had a written statement; as you were giving your opening statement, I decided much of what I have written down is redundant to what you have already said, so I will choose to comment on the experience we've had in the Senate.

    Let me say that the more I get into this issue, the more convinced I become that this is one of those sleeper issues that can rise up and bite us in ways that we have no anticipation of in advance. And I am delighted that you're holding this hearing, and that other hearings are being held around, because the more we can get awareness of this issue going in the country, in a responsible way, the better off the country and the world will be.

    As Chairman of the Subcommittee on Financial Services and Technology, I have chaired four hearings on this subject, and I'd like to share each one of those with you as a background for what we've learned in the Senate and hope that it will be of value to you here.

    The first one had to do with the banks and the impact of the year 2000 issue on banks. We found that the larger banks generally are moving forward in a proper fashion to get this done; smaller banks, community banks, credit unions—behind the curve. Unfortunately, the one statistic that came out of that first hearing that I would share with you that reached out and grabbed me the most was the witness who said, ''If you do not have a comprehensive program in place by September of 1998, it's too late.'' September of 1998 is less than a year away. And when we asked him why that date, he said, ''Well, you're going to have to test it, and you can only test it on weekends because, otherwise, you're running your bank and your current systems. So you'll have two days on the weekends to test it, and you need about 50 weekends to do the test and then a little more space at the back-end to do what additional changes you might have to do when the test is over.'' So he said, ''if you don't have your system designed and paid for and in place by September of 1998, you're a bank in trouble.''

    And the other witnesses who appeared before us said, ''We've got to adopt the medical term, 'triage,' because it is already too late to fix the entire system. We've got to do the things that have to be done to get us by the date so that we can still operate in the year 2000 and then clean up afterwards, just the way the surgeon performs triage to save the life, and then once the life of the patient is saved, at some leisure cleans up the other medical circumstance.'' He said we are already there, as far as the banks were concerned. That's the summary that came out of our first hearing.

    Some of the Members of the subcommittee said, ''We better get the regulators in here and see what they are doing with respect to this, because this is clearly a safety and soundness issue.'' So our second hearing had to do with the regulators. We found the regulators aware of, but not on top of the issue, from my point of view. And we asked each of them to give us a report on where they were and what they were doing. So far, only one of these reports has been received; the others are still coming.

    The one that has been received that I will share with your committee, Mr. Chairman, is from the National Credit Union Administration, NCUA. I received the GAO's response to that, and now the NCUA's response to the GAO. I will provide all of this to the committee, of course. The NCUA's response troubled me for several reasons, and I'll outline them for you.

    Number one, it made no effort to refute the GAO assertion that, ''For some credit unions, year 2000 problems could result in their failure.'' I don't know how many members of credit unions there are who know that the very existence of their credit union is at risk, and at the moment, the NCUA has no way of refuting that charge made by the GAO.

    Number two, the NCUA implicitly agreed with the GAO's assertion that NCUA does not have the qualified staff to conduct examinations in the complex systems areas. So they're not capable at their present staffing level of experience and numbers to conduct the investigations and examinations that need to be done.

    And number three, NCUA's response plan for Y2K compliance is all prospective; they didn't outline anything that they have done. It's all, ''We will do this and we will do that and we will do the other.'' Now that's wonderful to know that they will, but it's unsettling to discover that they have, in fact, not done anything up until now, even though both OMB and GAO guidelines have milestones in them that should already have been in place.

    I don't want to sound as if I'm picking on NCUA; they're the ones that were first-in with their report. I'm a little nervous that if this is the first report, what we're going to find from the regulators in the other areas. So that's what came out of our second hearing.

    Our third hearing had to do with investors and the question of what kind of disclosure ought to be in the 10k's and the annual reports about businesses and what they're doing with respect to Y2K problems in the business. At the present time, there is a very loose kind of requirement that says you must report problems if they are, quote ''material,'' unquote. Material can be in the eye of the beholder if the regulators are not clear on what this means.

    We found some businesses that had made disclosure of what they thought were material costs connected with solving Y2K problems, and we invited them to testify. They said, ''No, we don't want to testify.'' We said, ''You're the hero; we want to put you on as the example of what should be done.'' They said, ''Don't put us up there. We haven't dared put down a real number as to what we think it's really going to cost. We just put kind of a placeholder number there that got us off the hook for not disclosing anything, but we don't really want to have in public a full disclosure of how big a problem this is in our business until every one of our competitors does the same thing, because people will tend to dump our stock and sell us short if they think we have a unique problem and our competitors haven't disclosed anything.''

    So they were asking that there be some kind of Federal requirement that there be disclosure on the part of businesses with respect to their liability obligations, which some witnesses testified in the aggregate could run as high as $1 trillion, as well as the costs of making the changes within their company and the kinds of dislocations that could occur if they don't make them properly. So we heard from people on Wall Street—investors, money managers, and so on—on that issue in the third hearing.

    The fourth hearing escalated up in the series that we're talking about. We started with the banks. We then went to the regulators. We then went to the investment community. Today, we talked about the economy as a whole. And our witness said when he first started studying this he thought, ''Gee, if we don't get the year 2000 problem solved, we've got a 30 percent chance there will be a worldwide recession as a result of this problem.'' He says, ''The more I studied it, I revise that to a 35 percent chance, and as I sit here before you today, it's now a 40 percent chance.''

    And he shared with us several observations that I think this committee really needs to focus in on. He said, ''Remember the oil crisis of the early 1970's and the worldwide recession that was triggered as a result of the interruption of oil supplies from the Middle East?'' ''Well,'' he said, ''the world runs on oil, runs on power, but today's economy runs on information, and if you have a glitch in the flow of information, it can produce the same kind of recession effect as a glitch in the flow of oil.''

    And he gave us as his example a circumstance with which we in Utah are very familiar. The decision on the part of Union Pacific to merge with Southern Pacific and then discover that the two computer programs wouldn't talk to each other in proper fashion has produced interruptions in service, deterioration of service, and impact on earnings of Union Pacific. And this is one company that doesn't have a year 2000 problem, just has interruptions in its own information flow.

    I commented that I remembered when Air West was put together. Many of you don't remember that airline, but I did; I was vice president of it after a while. It was formed by three airlines coming together, and the merger on paper looked to be a really good thing. The three route structures worked together; the fleets were complementary, and all the rest of it. So the merger took place at midnight—and at 12:01 disaster struck, because the three merging airlines discovered their computers couldn't talk to each other, and they literally lost aircraft.

    Somebody at headquarters would be on the phone calling an airport manager in Kalispell and saying, ''Will you go out and look in the hangar and see if there's one of our airplanes sitting there? It completed a flight and then went off the computer screen, and we can't find it, and I've been calling around; I've checked San Diego; I've checked Salt Lake City; I've checked Los Angeles—we can't find it. Here's the number on the tail; will you go out and look?''

    When I repeated that to the witness he said, ''Senator, Union Pacific didn't have that option. They became so computer-dependent that they got rid of the towers and the guys with the binoculars and the radios out in the yard where the fellow in the tower could look out in the yard and say, 'I think it's over there,' and the fellow would go look at the number and radio back and say, 'Yes; here it is.' No—we got rid of all the backup system and became totally dependent on computers.''

    And when their information flow got messed up as a result of problems connected with their merger—and others, I'm oversimplifying—they couldn't find any of their cars. And Congressman Cook and I have a very, very angry constituent who has lost $5 million worth of goods that rotted in a railroad car because it didn't get delivered, and nobody knew where it was. And these are the kinds of problems that this witness said are going to trigger a worldwide recession if we don't get this thing solved.

    Think of the oil recession that was caused by the interruption in the flow of oil and compare it to the recession that could be caused by an interruption in the flow of information.

    So, those are the four hearings that we've held on our side of the Capitol, Mr. Chairman, and I share that with you. I come away from this with this conviction: it is essential, in my opinion, that Congress act and act very quickly. We're about to disappear from this town for this year, which means we'll come back in session around the time of the State of the Union message next January. January is 1998, and as I said, the first witnesses that spoke to us said, at least as far as the banks are concerned, if they don't have their plans in place by September of 1998, it's too late.

    If we are going to provide the kind of safe harbor that Congressman Castle referred to in his opening statement, as did you, Mr. Chairman, we're going to have to craft that very carefully. I agree there are all kinds of issues. If we're going to provide the impetus to the regulators and all of the other things we need to do, we need to do it very quickly.

    So, I am working on legislation on our side designed to do that, and would be happy to work as closely with you and your committee as possible. Senator D'Amato, who is a Member of our subcommittee, has pledged his full support in trying to get something out as quickly as we possibly can.

    Let me share with you the four elements of the legislation on which I'm working, and then I'm through.

    First, I think we need disclosure of a moving peg, pinpointing a corporation's progress with regard to its year 2000 efforts by division and department. In other words, they could say, ''This is where we are; x-months later, this is where we are; x-months later, this is where we are,'' and so on, a disclosure required of all publicly traded companies. This would solve the problem that we found in one of our hearings, where people don't want to tell their investors for fear it puts them at a competitive disadvantage. If every publicly-traded company has to give that kind of disclosure, that fear goes away.

    Number two, a disclosure of the likely costs associated with the defense of lawsuits against the corporation or its directors and officers due to any liabilities incurred through year 2000 problems, either with regard to breach of contract, tort, stockholder class action suits, or product liability suits.

    Think of the banks who are involved in direct deposit who face liability suits if, on the 5th of January, people start writing checks against the payroll deposit that they expected to be in their bank, and it's not there because of the year 2000 problem. And how much will the banks spend defending those kinds of lawsuits if that doesn't fall into its triage approach? How big is the liability?

    Number three, a detailed discussion of existing insurance coverage for the defense of lawsuits or the specific occurrence of any year 2000 failure, large or small. If I were an investor, I'd want to know what kind of insurance the company in which I'm putting my money has in this area. How extensive is it? And what are its loopholes and exceptions?

    And fourth, a disclosure of contingency plans for computer systems failure, by division or department. We're back to the spotter in the tower with the binoculars; maybe you don't want to be so hasty in getting rid of some of these backup systems until you're absolutely sure that the test works on the system where you are.

    Those are the four items in the disclosure bill that I'm in the process of preparing. I'm delighted that you would give me the opportunity to be here. I recognize that I've taken a little longer than Members of Congress usually do, but I wanted to share with you all four of the hearings that we have had and the concern that I have that we, as a Congress, need to elevate the awareness of this problem, or we're going to be caught with real serious difficulty.

    I commend you on holding your hearings and will be happy to respond to any questions you or Members of the committee may have.

    Chairman LEACH. Thank you very much, Senator Bennett. Your perspective is appreciated.

    Are there any questions?

    Mrs. Roukema.

    Mrs. ROUKEMA. No; I greatly appreciate your insight here, and will certainly go over the details of your disclosure legislation, but it seems as though it's ''fast action required,'' and this has been a good—an excellent—heads-up and alert. Thank you very much, Senator.

    Senator BENNETT. Thank you.

    Chairman LEACH. Mr. Vento.

    Mr. VENTO. Yes, Mr. Chairman. Senator Bennett, you had outlined for us your hearings, and we appreciate you sharing that information; I think it's helpful to give us some context.

    In terms of the requirements that you're advocating, do you find that any or all of these are being followed by any institutions today?

    Senator BENNETT. There are some market analysts who pay attention to these things in the various companies that they follow, but not very many. The principal tracking of where we are seems to be coming out of the Government, and in the areas that Congressman Cook probably heard in his hearing this morning; that is, where are we in the Defense Department? Where are we in the IRS? Where are we with the FAA and air traffic control?—and so on. But until I get back the reaction from the financial regulators, information like we got from the credit union folks, I won't really know how far along we are on tracking those things in the financial community.

    Mr. VENTO. Well, I think the concern is whether or not there is a common methodology that's agreed to. You know, I certainly appreciate the work that you've done on this, but obviously, if there is redundancy I expect it's all right, but the requirements seem to be pretty specific.

    I don't have any basis to disagree with them for that matter, but I would like to know if there is some consensus that's forming? I'm certain that you remain ready to try and modify these, to try and have consensus so that at least we have a plan. I think some of these are especially relevant in terms of having some contingency plans and having some hard copy and some backup systems so that we don't have the sort of fault that would occur in the absence. But that isn't really your responsibility; I guess putting it out, you're going to get that type of feedback and develop that type of discussion, but I wonder if we're near a point where that is ripe?

    Senator BENNETT. Well, the solution, of course, differs from company to company, from institution to institution. Sometimes it's a hardware problem; sometimes it's a software problem; sometimes it's both. Sometimes it's software that was written 40 years ago, and the folks who wrote it had no idea that it was going to last for 40 years. When they wrote it they assumed that its life would be 15 or 20 years at the most, and they have long since gone on to other places.

    And even 20 years ago, documentation of software was not nearly the science that it is today. So there's many, many a situation where there is code embedded into a system for which there is no documentation, and no one knows where it is or how to find it. So what would be laid down as a requirement in one circumstance—let us take, for example, the big banks; I doubt that there's too much of that in Chase Manhattan or Citicorp or Bank of America—might have no application whatsoever to a medium-sized bank that bought a particular piece of software from a particular vendor, and they could comply absolutely with the requirements laid down for Citicorp and still miss their problem. It's got to be rooted out, one line of code at a time.

    Mr. VENTO. Thank you, Senator. Thank you, Mr. Chairman.

    Senator BENNETT. Someone has described it this way: it's not a difficult fix. It's like changing a rivet on the Golden Gate Bridge; it's not too hard to knock the rivet out and put a new rivet in. The problem is you have to change all of the rivets in the entire bridge at rush hour, and if you miss one the bridge will still collapse. It's not a complicated problem; it's just a difficult one.

    Chairman LEACH. Mr. Bereuter.

    Mr. BEREUTER. I'll just say that I think Senator Bennett has made a very major contribution in sharing with us the information that he has already gleaned by Senate hearings and investigations, and it's an example of how we can benefit from the work of the other body. Thank you very much, Senator.

    Senator BENNETT. My pleasure.

    Chairman LEACH. Ms. Kilpatrick.

    Ms. KILPATRICK. Thank you, Mr. Chairman, and Senator, thank you for your testimony. Act and act now is what you've done by proposing the current legislation that will be moved through the Senate, I assume. In reading the background and preparing for the meeting, the issue of cost came up, a severe and very major cost, and I think you just put what would happen if we don't move. Everyone knows we have to act. But whose responsibility is it? For example, our Federal Government to take care of its Federal agencies? Banks to take care of its financial institutions? What would you see as we move through this? I'm assuming the legislation will pass and there will be a framework from which people can act. What about the cost?

    Senator BENNETT. Obviously, each institution has to bear the cost of fixing its own problem, and at first blush this really is tough because the assumption is, ''Boy, this is an investment on which there is no rate of return. The only rate of return is you get to stay in business if you do it, but you don't get any advantage for having done that.'' I've come to the conclusion that that's not entirely true, that if you go through the cost of fixing this you will do so by the process of updating your software and improving your hardware in those cases where it's embedded in the hardware, and you will get the cost benefit of having better software and better hardware with which to deal with your data processing circumstances in the future. So there is a rate of return.

    Also, interestingly enough, someone who spends time on this kind of thing—and it wouldn't have occurred to me—went back and did an analysis of how much we saved as a Nation by putting only two digits in the field in the old days when that was very precious, and said the cost savings probably was equal to, if not greater, over time, than the cost of fixing it is now going to be. So, if those institutions benefited from the cost savings of not having to have four digits in the field, they should appropriately now pay some of that savings back by paying for the cost of updating.

    But, generally speaking, I think everybody who does the process of updating will achieve some benefit to their own institution.

    Ms. KILPATRICK. And the main thing would be that they stay in business.

    Senator BENNETT. Yes; that's the obvious one.

    Ms. KILPATRICK. OK. And then finally, the banks and the credit unions that you mentioned—this is the Banking Committee—do they not have—those of our constituents, of 125 million of us who use financial institutions in some form or fashion—more responsibility? I mean, it kind of disturbs me that—and you said September 1998, which is ten months away—some may be acting; the larger ones, of course, are acting; others are not. Do we have a responsibility as policymakers in this Committee, and your body as well, to make sure that something happens by September? Is that a good date that we ought to program for?

    Senator BENNETT. That's why we held the hearing that we did with the regulators, because we wanted the regulators to understand their role in seeing to it that the institutions that they regulate are moving in this direction. So, I think the Office of the Comptroller of the Currency, the FDIC, the Fed, the other regulators who are there regulating financial institutions—certainly the SEC—they have the obligation to see to it that pressure is put on, and they are now including it in their examinations.

    Ms. KILPATRICK. OK; that's what I wanted to hear.

    Senator BENNETT. And as I say, the problem with the NCUA is they said they didn't have enough examiners that could do this. But this is clearly a safety and soundness issue that ought to concern the regulators.

    Ms. KILPATRICK. Thank you, sir.

    Chairman LEACH. Mr. Castle.

    Mr. CASTLE. Well, thank you, Mr. Chairman. This has been very interesting, and I congratulate you, Senator Bennett, for what I think is extremely good work in a very non-political sense. I had this desire to write Bill Gates a letter just asking if he would pay for all of this, but I think even he might blush a little bit at it.

    And I appreciate the outline at the end of your statement concerning possible solutions. I was struck by what Mr. Cook had said, too; he was at another meeting, and they were discussing it. We think of it here in terms of banking, but it obviously involves huge segments of our economy in America and across the world.

    But if there's ever been an issue that would seem to lend itself to the House and the Senate working together, that doesn't seem to be particularly political—and God only knows, we always find political bottom lines in everything we do around here—it would seem to me that this is the issue, and I am delighted that you've come here today. I'm delighted that you put forward the elements of legislation that you think we should be pursuing, which I have no reason to believe are not absolutely correct.

    I'm also pleased that the Chairman of our committee has set forth some concepts that he is working on, and I would just hope that we would all be able to work together in a bicameral, bipartisan sense to resolve this problem, because time is short, and it just doesn't allow for the usual political nonsense that goes on in terms of what the Government's role should be. And I understand a lot of this is going to be a private role and not a Government role, so I do thank you for all that you've done. I think all of us have a lot to learn about what the problem is, the extent of it, and what our solution should be, and hopefully we can come to some sort of a rapid solution.

    Senator BENNETT. Thank you.

    Chairman LEACH. Mr. Lucas.

    Mr. Cook.

    Mr. COOK. Yes, I certainly want to join those that have praised you, Senator, for the work in making people aware, because I certainly believe that awareness, at this stage, is the most important thing that we can do because as you've said, it's up to each agency, each company, each individual organization to do this work, to get this problem straightened out.

    I was interested in your testimony that you think that the large banks are pretty much on top of this, but the smaller community banks and credit unions may have a way to go, and in that context I just wanted to ask you about your legislation that you have indicated that you will be initiating, requiring publicly traded companies to show, or at least disclose, the progress they're making. What does this mean in terms of awareness for all the privately held companies? And particularly companies outside this country that we obviously—companies in this country—have a lot of relationships with? And just generally, the organizations that really are probably behind the curve, does this legislation do anything in that regard?

    Senator BENNETT. Well, you hope that privately held companies in the competitive arena will recognize that if the public is responding to information provided them by their publicly held competitors, they will decide to get into the business of disclosure. For example, a bank has asked informally, members of my staff, ''What happens if we send an alert to our customers saying, 'We need your help to get this done and you need to do the following things.' Instantly, the lawyer for the bank said, 'You don't want to send that out, because if you make a list of 15 things your customers should do in order to become year 2000-compliant themselves and then something goes wrong in their business—that is number 16—they will sue you for failure to tell them that they should have done number 16. So don't say anything at all.' ''

    Well, that may be the appropriate legal defense, but that's not going to solve the problem. The banks seriously need to be in touch with their customers. What happens if a loan goes bad because the customer is not Y2K-compliant? And suddenly a good loan in the bank's portfolio turns into a bad one. So, I'm hoping this will start a snowball effect that will cascade over into the private companies as well as the public companies as we get more awareness, more disclosure, and more involvement.

    On the foreign front, Congressman Castle is exactly right. We have real problems there. I was in Germany about three weeks ago speaking to a group that would correspond with the business roundtable here, and we were talking about NATO expansion and the Euro and the European Union and all these things, and I raised the year 2000 issue. They all looked at me like I was crazy—blank stares around the room. ''What are you talking about?'' And then finally, one person spoke up and said, ''That's not a problem. Bill Gates will fix it for us.'' And you know, the assumption is that Bill Gates will take a weekend off, write a few lines of code, mail them around the world; everybody will sit down at their consoles and put those codes in and the problem will go away. Bill Gates, bright as he is, can't do it that way, because he doesn't know where the code is embedded any more than anybody else does, and he's not going to be able to find out.

    So, the foreign problem is a serious one, but we're not going to get their attention until it becomes a high enough profile issue in this country that they know we're serious about it.

    Mr. COOK. Thank you.

    Chairman LEACH. Mr. Sherman.

    Mr. SHERMAN. Thank you, Mr. Chairman. I want to thank you for conducting these hearings and thank the Senator for his work in the other body.

    I want to bring to the committee's attention the fact that the Budget Committee on which I previously served conducted hearings on this issue, and put into the record of our committee a reference to the committee proceedings before the Budget Committee in the first half of this year. I'd also like to enter into the record of these hearings a series of excellent articles that the Los Angeles Times has published, including one as recent as today.

    Mr. SHERMAN. And, finally, simply mention that perhaps the lawyer mentioned by the Senator was being overly cautious. For many years I was a tax attorney and would work with banks and others in providing descriptions of new tax laws to their customers. Needless to say, all of those descriptions were inadequate and incomplete—I wrote them—and the way that that was always dealt with was you would urge the customer to be in touch with their own professional advisor. And I would think that any bank or other financial institution that provides a few highlights of the problem, but also urges people to hire a competent professional, should be insulated, except for perhaps the most extreme and unfounded lawsuit.

    I wish I had some questions, but, frankly, I think all the issues are being well-addressed here, and I yield back the balance of my time.

    Chairman LEACH. I thank the gentleman and would only make the observation that I think this is also a field in which regulators can be helpful in making recommendations to financial institutions of what they can or cannot advise, and, perhaps, model approaches to doing that.

    Mr. Lucas.

    Well, if not, let me thank Senator Bennett for his thoughtful observations and hard work, and I think what has been underscored to this point in time is that we not only have a problem of individual institutions and customers, but a systemic problem, not only in the financial system, but that could become larger for the economy. And that makes it a public issue in the largest kind of way.

    Thank you, Senator Bennett.

    Senator BENNETT. Thank you, Mr. Chairman.

    Chairman LEACH. For the second panel today, we are pleased to have the Honorable Edward W. Kelley, Jr., a member of the Board of Governors of the Federal Reserve Board, and the Honorable Eugene A. Ludwig, who will be wearing two hats today as the Comptroller of the Currency and Chairman of the Federal Financial Institutions Examination Council.

    Both Governor Kelley and Comptroller Ludwig have played strong leadership roles in drawing attention to the year 2000 problem and its implications for financial institutions. We look forward to hearing from them as to the steps the Fed, the OCC, and other Federal agencies are taking to ensure the year 2000 readiness internally, as well as among regulated institutions.

    And we'll begin with Governor Kelley.

STATEMENT OF HON. EDWARD W. KELLEY, JR., MEMBER, BOARD OF GOVERNORS, FEDERAL RESERVE SYSTEM

    Mr. KELLEY. Thank you very much, Mr. Chairman. I request that my full statement be made a part of the record.

    Chairman LEACH. Without objection.

    Mr. KELLEY. Thank you, sir.

    Chairman LEACH. And without objection, the articles of Mr. Sherman will be made part of the record, as well. Please proceed.

    Mr. KELLEY. Mr. Chairman, I'm pleased to appear before the committee today to discuss the Federal Reserve's efforts to address issues related to the year 2000. First of all, let me express my appreciation for the committee's interest in this most important matter.

    I will discuss what actions are being taken by the Federal Reserve System to address its own internal systems, Fed systems that interface with financial institutions, our supervisory efforts, international and public awareness, and contingency planning.

    It's crucial that the Federal Reserve maintain reliable services for the Nation's banking system and financial markets. Let me assure you that the Federal Reserve is giving the year 2000 its very highest priority, commensurate with our goal of maintaining the stability of the Nation's financial markets and payments systems, preserving public confidence, and supporting reliable Government operations.

    The Federal Reserve is executing a comprehensive plan, which includes assessments of our systems, remediation, and testing to ensure our year 2000 readiness. We have completed our assessments and internal test plans and are currently renovating and testing software, a very large job that is scheduled to be completed by year-end, 1998.

    Further, our critical financial systems will be year 2000-ready by mid-1998, when we will commence testing with financial depository institutions. We shared our testing strategy with our customers last month and are developing a coordinated test schedule for each of our services with each of our customers.

    Like our counterparts in the private sector, the Federal Reserve still faces substantial challenges in achieving year 2000 readiness. These challenges include managing a highly complex project, ensuring the readiness of our applications and products supplied by vendors, and establishing contingency plans. We are also faced with labor market pressures that call for creative measures to retain staff who are critical to the success of our year 2000 activities.

    Comptroller Ludwig is testifying today as Chairman of the FFIEC about the bank supervisory efforts of all five national supervisory agencies, so I will limit my comments to specific Federal Reserve initiatives in this area. The Federal Reserve is closely monitoring year 2000 preparations at the institutions we supervise so that we can act aggressively to identify and resolve problems. We are well along toward meeting our objective of examining every bank subject to our authority by mid-1998, and every exam conducted until the millennium will include a year 2000 review.

    Earlier this year, the Federal Reserve and the other agencies conducted an assessment of the industry's readiness. As Senator Bennett just remarked, we believe the banking industry's awareness level has improved substantially during 1997 and is reflected in the intensified project management, planning, budgeting, and renovation efforts that have been initiated. Generally speaking, the Nation's largest banking organizations have done much to address the issues and devoted significant financial and human resources to preparing for the year 2000, and it appears, as of now, that they can be ready.

    Smaller banks, including U.S. offices of foreign banks, are generally aware of the issues and are working on the problem. However, in many cases their progress is less visible and will be carefully monitored as part of our supervision program.

    With regard to the international aspects of the year 2000, the majority of foreign central banks are confident that payment applications under their management will be year 2000-ready. Relative to their supervisory programs, the extent of foreign central banks' efforts to raise bank industry awareness varies widely. We are working through the Bank of International Settlements to elevate foreign bank supervisors' awareness of the risks posed by the century date change. The Federal Reserve is also participating in international forums to provide for the sharing of experiences, ideas, and best practices.

    We are mindful that extensive communication with the industry and the public is crucial to the success of our efforts. Our public awareness program emphasizes communications with banks and the financial services industry generally, related to the Federal Reserve's testing efforts and concerns about the industry's readiness. We are advising our customers of the Federal Reserve's plans and expectations through a newsletter, technical bulletins, a special video, and a dedicated Internet web site; and I have examples of our communications efforts here and available for your inspection, if you would like to see them.

    Regarding the Federal Reserve's contingency planning efforts, our mission of preserving smooth and uninterrupted financial flows is the main focus, and we know from experience that upon occasion things can go wrong. Given our unique role as the Nation's central bank, the Federal Reserve has always stressed contingency planning, for both systemic risk as well as operational failures.

    As a result of our experience in responding to problems arising from such diverse events as computer outages caused by natural disasters and power failures, as well as liquidity problems in institutions, we expect to be prepared to deal with similar problems in the financial sector that might arise as a result of the year 2000. We are, of course, developing specific contingency plans to address the possibility of various unique operational scenarios, and our existing business resumption plans will be updated to address date-related difficulties that may be faced in the financial industry.

    We recognize, nonetheless, that despite their best efforts, some depository institutions may experience operating difficulties which could lead to possible liquidity problems. The Federal Reserve is prepared to provide information to depository institutions on the balances in their accounts with us throughout each day so that they can identify shortfalls and seek funding in the market. The Fed will also be prepared to lend, in appropriate circumstances, to depository institutions when market sources of funding are not reasonably available.

    In closing, the Federal Reserve views its year 2000 preparations with great seriousness. We have placed a very high priority on the remediation of date problems and development of action plans intended to ensure business continuity for the critical financial systems which we operate. While we have made significant progress in both validating our internal systems and planning for testing with institutions using Federal Reserve services, we must and will work to ensure that our efforts remain on schedule and that problems are addressed in a timely manner.

    Thank you very much, Mr. Chairman. I'll be happy to address any questions the committee may have.

    Chairman LEACH. Thank you, Mr. Kelley.

    Mr. Ludwig.

STATEMENT OF HON. EUGENE A. LUDWIG, COMPTROLLER OF THE CURRENCY, CHAIRMAN OF THE FEDERAL FINANCIAL INSTITUTIONS EXAMINATION COUNCIL

    Mr. LUDWIG. Mr. Chairman, and Members of the committee, I want to commend you for conducting these important hearings and focusing public attention on the impact that the year 2000 computer problem may have on the financial services industry. These important hearings raise public awareness of the issue and help focus on solutions. I have a detailed statement I would like to submit for the record. I would like to reserve the remainder of my time for a summary of that statement.

    I also appreciate this opportunity to report to the committee on the actions we are taking to deal with this important issue. The Federal supervisors of banks, thrifts, and credit unions are working together through the FFIEC, which I currently chair, to make sure that year 2000 preparations are a major priority for all depository institutions and their vendors.

    The year 2000 issue arises because computer programmers, at a time in which computer memory was expensive, often economized by using only the last two digits of the year in storing dates. That worked fine for many years. But when the clock strikes midnight on the last day of this century, many computer programs will not know whether the entry ''00'' means 1900 or 2000. This distinction is enormously important for banks, which use dates in any number of mission-critical operations, such as computing interest on savings accounts.

    While anyone using communications, computers, or office automation equipment must prepare for the year 2000, bank readiness is especially important, given the central role banks play in the Nation's payment and credit systems.

    Time is indeed short. Banks test and implement major system changes over weekends, and there are just a little more than 100 weekends left to prepare for the year 2000. And no one should underestimate the magnitude of the problem, as Senator Bennett reminded us.

    Large banks, which rely heavily on computer systems designed in-house, must review computer codes that can literally run into millions of lines. For smaller institutions, which often contract with third-party providers for computer services, the challenge will be to manage vendor relationships to ensure that their suppliers fix any codes which could lead to computer failures at the turn of the century.

    Almost two years ago, the world got a small hint of how calendar-related computer problems could disrupt the marketplace. On February 29, 1996, Leap Year Day, the Brussels stock exchange had to shut down for the day, at a cost of more than $1 million in commissions. An aluminum factory in New Zealand, likewise, lost a day's production, worth another $1 million. The Arizona State Lottery Commission could not pay out winnings. Countless smaller events did not make the headlines, but still involved significant losses for the firms involved. And this was an event involving a single day for which everyone thought they were prepared.

    The FFIEC agencies first alerted the financial services industry to our concern over the year 2000 problem in a June 1996 statement. A second statement issued by the FFIEC in May of this year included examiner guidance on year 2000 project management. This was sent not only to every bank, thrift, and credit union, but also to companies that sell computer services and products to depository institutions.

    To date, our guidance has stressed two points. First, banks need to take into account external sources of risk attributable to the year 2000 problem, including their reliance on vendors; their linkages with other systems, both domestic and international, with which they exchange data and funds; and their potential credit risk exposure if corporate borrowers fail to address their own year 2000 problems.

    Second, banks must implement a comprehensive project management process to resolve their year 2000 problems. Effective project management falls into five phases: awareness, assessment, renovation, validation, and implementation. Banks and vendors should have wrapped up their assessment phase and be into the renovation phase at this time.

    We will issue additional supplemental guidance later this year that will re-emphasize the importance of verification and testing cycles and timetables for a successful resolution of the year 2000 problem. This guidance will stress that senior management and the board of directors should be fully engaged in the planning and monitoring of year 2000 transition efforts. This guidance also will address credit risk posed by borrowers that have not taken adequate steps to make their systems year 2000 ready. It is particularly important to us that banks allow adequate time and resources for testing and retesting.

    Three additional steps we are taking jointly bear note. First, the FFIEC member agencies have formed a working group comprised of supervisory, legal, and receivership experts to address a number of issues, including coordinating examinations of vendors, industry education, and developing contingency planning and training programs.

    Second, the FFIEC is committed to a broad, aggressive public outreach effort. For example, the FFIEC will hold a vendor conference on November 10 to clarify our supervisory expectations and to provide a forum for vendors, banks, and supervisors to meet and discuss the challenge of correcting the year 2000 problem.

    And, third, since the year 2000 problem extends beyond our borders, I have worked to focus the attention of the international supervisory community on the global ramifications of this issue. Most recently, we persuaded the Basle Committee on Bank Supervision to make the issue an agenda item, which resulted in a recent report sent to financial supervisors worldwide.

    The responsibility for implementing the FFIEC guidance rests with the lead Federal supervisor of each financial institution. At the OCC, we are implementing an aggressive strategy to see that national banks are prepared. Our strategy includes on-site examinations of every bank under our supervision for year 2000 compliance. We are committed to examining every single national bank and its vendors on-site by mid-1998, and we have already completed nearly 500 such examinations.

    In addition, we are establishing a quarterly reporting system to make sure that examiners provide progress reports on banks and vendors at least every three months. This information also will be factored into an institution's overall safety and soundness CAMELS rating.

    As a prelude to these examinations, the OCC, this spring, reviewed every national bank and its vendors, taking a base snapshot of preparations that were underway. The other agencies conducted similar assessments.

    We found that most national banks were taking appropriate steps to review their computer inventory or set up management programs. However, a number of institutions, primarily community banks, were not sufficiently involved with their vendors to know whether those contractors would be able to meet the FFIEC schedule. This matter is of some concern.

    The community bank situation is difficult because most are counting upon the vendors' assurances that they have the problem well in hand. In some cases, these assurances are entirely legitimate. In some others, there may be more wishful thinking than accomplished fact. Accordingly, we are focusing a great deal of attention on community banks and their vendors to ensure a more energetic and focused response to the year 2000 issue.

    We are continuing to monitor the progress of all banks under our jurisdiction, large and small. Our examiners followed up on the initial readiness assessment by contacting the CEO of each bank or vendor that had been found to be lagging in its planning efforts. The examiners looked at the steps that had been taken since the initial assessment, and new exams were scheduled for institutions that had not made adequate progress. On September 30, I wrote to all national banks and vendor CEOs, expressing my concern over these assessment results and calling upon the industry to make every effort to conform to the FFIEC compliance schedule.

    In conclusion, the OCC and the FFIEC are committed to making sure banks are making adequate preparations for the year 2000. We are doing everything in our power to ensure the institutions under our supervision understand what the situation demands and respond accordingly.

    It is important to recognize, however, that problems may still occur given the complex web of technologies used by banks and the multiplicity of connections banks have with other institutions. Thus, our supervisory strategy takes into account the possibility of unanticipated problems by requiring backup strategies to be in place at the banks and having joint contingency plans ready to implement among the supervisory agencies.

    These efforts are of great importance to the public welfare. By making this issue a high priority for banks and for ourselves, we hope to minimize disruptions to bank operations and bank customers.

    Mr. Chairman, I will be happy to answer any questions you or your colleagues may have. Thank you.

    Chairman LEACH. Well, I thank you both for thoughtful testimony. I'd like to turn first to Governor Kelley, and then ask Mr. Ludwig to respond to the same.

    With regard to counterparty risk problems and the problems associated with other countries, the assessment I have received is that, as far behind as we may be, we're well ahead of the rest of the world in terms of dealing with the issue. How concerned are you with foreign country capability of dealing with it? And what are the implications for the American financial system if countries are unable to deal with it?

    Mr. KELLEY. Mr. Chairman, there certainly is cause for concern there. It's very difficult to do more than generalize because conditions and, indeed, legal systems and all other sorts of financial arrangements differ from country to country. We are reasonably assured that certainly all of the major and, indeed, most of the rest of the central banks around the world are now sensitized to this problem and will be able to conduct their responsibilities.

    We are unable to generalize about what may happen to the private financial institutions in each and every country. That is somewhat beyond our ability to see clearly, and we just simply are unable to assess that. Insofar as foreign banks that are operating in the United States, we are examining them closely. Those which are subsidiaries and are operating under United States charters will be treated just as any other United States bank will be treated. Comptroller Ludwig just outlined that program, which all of the agencies are following.

    In the case of branches and agencies of foreign banks, we are investigating the conditions of each one of those. We have asked for additional information from them about how systems in their own parent companies would impact on their operations here in the United States, and we are working closely with central banks and supervisory agencies around the world. Where we have identified potential problems in institutions that are operating here in the United States, we will try to do all that's in our power to ensure that their operations here are able to be conducted satisfactorily.

    Chairman LEACH. Mr. Ludwig, would you add to this?

    Mr. LUDWIG. Mr. Chairman, this is an important issue. It is one of the reasons that, working with the Fed and the FDIC, we raised the issue in the Basle Committee, and they got out guidance worldwide. The other thing that the Basle Committee is doing is a worldwide survey of year 2000 compliance efforts. Our task force at the FFIEC will be interfacing with the Basle Committee in terms of this important survey so we can get a better assessment of what problems are out there beyond our borders.

    In addition, as part of our examination process we expect national banks, and, indeed, the other FFIEC agencies expect their institutions to assess their vulnerability to foreign counterparties with respect to year 2000 compliance.

    Chairman LEACH. What happens if a given set of countries isn't in compliance? What effect will that have on our system? And if it is large, what leverage do you have to try to press other states to do more?

    Mr. KELLEY. Well, I'll start there. We are working closely with central banks around the world. There have been a number of meetings, both at the senior executive level and also at the technical level, to sensitize central banks around the world as to the seriousness of this problem and our evaluation of what needs to be done to deal with it.

    There have been a number of meetings of this sort held at the Bank for International Settlements; others are scheduled. Papers have been circulated around the world to central banks, and the feedback that we get is that central banks are now, perhaps somewhat more belatedly than we would have liked, but at least now are hard at work getting themselves ready for compliance. Based on that, on a very preliminary basis, with a lot of work ahead of everybody yet to do, I'm reasonably confident that central banks will be able to conduct their business. Part of their business will be to support their own domestic private institutions, and I'm sure that each one will be doing that in their own way in accordance with their own laws and customs.

    Chairman LEACH. There has been a lot of talk of testing, and one can visualize an individual institution testing its own; one can visualize a central bank testing its own. Can you test internationally? Can central banks test relationships with each other? Can given banks test transfers from Germany to Belgium to the United States? Is that part of a testing program, and has anyone set up testing for that?

    Mr. KELLEY. Most of those interrelationships operate through a couple of systems, which are basically private sector systems, and they are being examined to endeavor to ensure that they will be able to conduct international business successfully; that is underway.

    Chairman LEACH. Fair enough. Let me just conclude, because there are others who are going to have questions, too. But Senator Bennett proposed a series of precepts of legislation; I proposed a slightly different set of precepts. I would like to have each of your comments in writing on both approaches. I would also like to have written comments from both institutions on whether you think any legislation of any nature should be set forth at this time on this issue, and I'd like you to go back to your institutions and think that through, if you could.

    Mr. LUDWIG. Certainly, Mr. Chairman.

    Mr. KELLEY. I'd be happy to do that, sir.

    Mr. LUDWIG. Mr. Chairman, I would make two additional observations on your international question. One is that this really ought to be a part of every institution's risk management efforts. The institution has a responsibility here, as well as the Government. Second, the problem is, as you pointed out, broader than the financial services industry. So as we assess country compliance, we have to assess it in a very broad fashion. For example, it is not just the banking industry or the central banks that can cause a disruption to the financial services system. International telecommunications are integrally important in terms of the ability of financial institutions to service their customers, as are other critical systems. We're including that as part of the FFIEC study and effort, but you're right to focus on this; it is a really broad-gauged international problem.

    Chairman LEACH. Mr. Vento.

    Mr. VENTO. Thanks, Mr. Chairman. I keep thinking of the horror of Bill Murray's film, ''Groundhog Day.''

    [Laughter.]

    We keep repeating and repeating activities over and over again.

    But, candidly, it's not something I've paid a great deal of attention to. But isn't there—and I read some of the vendor statements, or at least one of them from EDS, and I don't want to pick on anyone; I was reading ahead on it—but they point out that they actually are providing a lot of the software for a substantial number of institutions and apparently are an advisor to the Financial Institutions Council that you chair, Mr. Ludwig.

    And my questions are, what about this redundancy or backup? You know, Governor Kelley, from the Fed mentioned that they have some backup for institutions. I mean, is there a way that we can, in terms of more than just depending through examination—and I'm going to ask you some questions about that—but is there some redundancy or some backup system that can, in fact, be put in place where we don't have to be completely passive in terms of trying to restructure the information that's necessary?

    Mr. LUDWIG. That's a very good question, Congressman Vento. Let me deal with it in terms of vendors, because this is important, particularly for community banks, but for large banks as well. Vendors, be they service or product vendors, supply a huge amount of both the equipment and software that financial institutions depend on. Today, as you know, the financial services industry outsources a great deal of its activities, so vendors are extremely important.

    We have the authority to examine service providers and to take enforcement actions against service providers if they're not complying. This is an important area, and we will be examining more than 300 service providers. Some of these service providers—hopefully, all of them—will get these fixes right, and we'll be able to tell that in our examination. The larger ones we're doing on an expedited basis. To some degree there will be redundancy among vendors because there is competition in the industry. One of the things we want to ensure in working with the smaller community banks is for them to understand which vendors could be backups to the vendor they are currently using if that vendor is not able to comply.

    Mr. KELLEY. Two comments, if I may, sir.

    Mr. VENTO. Yes, please, Governor Kelley.

    Mr. KELLEY. Number one is, the best answer to the problem that you articulate is in the area of testing in advance, and we are going to do an enormous amount of that. The Federal Reserve is at this time finishing building a very large, very complete and complex, entirely dedicated test-bed set at our central mainframe facility. We will, starting next June, be testing every system wherein the Fed interfaces with one of our financial institution customers, and that will be done until each one of the systems, one-by-one-by-one, is compliant. That's an enormous amount of work, and with all due respect to Senator Bennett, it's not just going to be done on weekends. We're going to have this open six days a week, 24 hours a day, and we expect to have it scheduled fully every bit of that time, and we think it's going to require that.

    The other thing that I would like to mention is that we are not totally dependent upon electronic systems. The Fed still has paper systems that can serve as backups if there should, indeed, be some sort of failure on a large-scale basis. We also are going to have, to a limited degree, systems available in Federal Reserve facilities that can be made available to private institutions should their own hardware or software systems fail, where we will either be able to supply them with operative equipment or help them with working through diagnostics and testing, should failures occur.

    Mr. VENTO. Yes, there are. I mean, after all, if somebody has everything on computer and on tapes—they have backup tapes. I remember visiting a large company that was an information-related company in the area that I represent; they had a separate system. So is that one of the requirements for the banks? I mean, they can take this one program that they have that they're running, and if they screw that up they still have the other program; in other words, in a lock-safe, fireproof location, with microfiche, or whatever. That's accurate, isn't it?

    Mr. KELLEY. Well, one of the unique problems that we have here is that a standard way of solving a software problem is to fall back to a prior release that you may still have on the shelf, and even though it isn't quite as up to date as the one that just failed, you can still use it. Unfortunately, that's not going to work in the case of this year 2000 problem; that's a fallback contingency that's not available to us, so we're having to work away from that.

    Mr. VENTO. Well, it's a fallback ultimately, I suppose, to some sort of paper base, or something.

    Mr. KELLEY. Yes; right.

    Mr. VENTO. But, I mean, that's obviously out of the question, based on the advancement and the years of implementation that have occurred with the programs, I take it. The other issue is, when did the programs start changing? I mean, wasn't this some time in the early 1990's that many anticipated and began changing to the four-digit? Can you give us any insight, or should I wait for the technicians to come and answer that?

    Mr. LUDWIG. It is true that many institutions, many in Government, anticipated the year 2000 problem in the early 1990's. And, indeed, a number of agencies have required year 2000 compliance for some time. But, what Governor Kelley said about testing is really quite important, because even in those systems that have been warranted year 2000-compliant, when you test them you find some that are not for a variety of reasons.

    For example, where you have a computer system—and most of them are made up of multiple chip sets—where the new chips may be year 2000-compliant, if it is using second-hand chips in less critical functions, they may not be year 2000-compliant, and that can have an impact on the degree to which the computer functions as required. So testing is very, very important, and even though there's been a focus on this issue for some time, it is not the case that we can be complacent or sanguine at all.

    I remember back several years ago when I first became Comptroller and heard about this problem, my reaction was the same as some of yours: ''Oh, come on. Computers are supposed to help people. Certainly there must be some easy fix here. Programmers couldn't have been so silly as not to anticipate that we'd hit the year 2000.'' But in fact, because of the economics of using a two-digit integer early-on in the computer industry, this problem is as intrusive and problematic as witnesses have related.

    Mr. VENTO. Mr. Chairman, my time has gone over. You know, it's sort of like a friendly virus, so it isn't quite as hidden or encoded. But I think the issue is, ultimately, if you have 90 million lines at the Fed, it sounds like you're going to have to rewrite a substantial number of those unless there is some easy fix. And I think what you're saying is, if you're planning that much time, is that there is no easy fix. And so it really involves an investment of time and effort.

    Now there may be some sort of off-the-shelf models that other financial institutions use. When you talked about testing within the Fed, you were only talking about your own systems; you were not talking about financial institutions that you regulate. Is that right, Mr. Kelley?

    Mr. KELLEY. No, sir; I was talking about both of those things.

    Mr. VENTO. You were talking about both?

    Mr. KELLEY. Absolutely. Those isolated test structures that I was referring to are for testing with all other financial institutions whose systems interface with the Federal Reserve. We will test every depository institution system that interfaces with the Federal Reserve.

    Mr. VENTO. But you have no way of restructuring theirs to facilitate the modification to those software programs within the context of what you're doing within the Fed.

    Mr. KELLEY. Well, it's just a huge job. There are various software programs available, I'm told, that help you to go through your own code more rapidly than you could if you were doing it by hand, but it's still a massive job. We have at the Federal Reserve, as you noted, 90 million lines of code to review. We expect to have to make alterations in perhaps 10 percent of those. That's still a lot of work. It's just a very, very large job.

    Mr. VENTO. Well, I think that's a procrastination, Mr. Chairman.

    [Laughter.]

    Mr. KELLEY. As Senator Bennett said, and he's quite correct, it's not an enormously complex job technologically; it's just a lot of work, and there's nothing to do but to do it. We have about 175 people at the Federal Reserve devoted full-time to this task between now and the millennium itself, and probably another 500 to 1,000 who are dedicating part of their time to it. We're going to get it done.

    Mr. VENTO. Well, Mr. Chairman, what I noted in the testimony from Mr. Kelley, and others, probably, too, is that they said they're looking at the plan, they're looking at compliance with the plan, but that doesn't really tell us whether we're getting any results. And I expect that the Comptroller would have the same answer. Is that correct, Comptroller Ludwig?

    Mr. LUDWIG. We are examining, as I mentioned, every single national bank. Our own year 2000 problem is quite a degree smaller than the Fed's, because we don't run payment systems where we have customers. We are well along in completing our own year 2000 remediation.

    Mr. VENTO. My only point is—I've long-extended and prevailed—but my point is that we really aren't running programs yet to say that this is modeling and it's coming back right, in terms of what I sense. But what I sense is that we're just looking at plans and seeing how far they are along, but the day is not here when we can actually run the plan and determine that X-Y-Z bank is in compliance.

    Mr. KELLEY. No; that's correct. That day has not yet arrived.

    Mr. LUDWIG. But we expect the banks will be doing that in the third quarter of 1998.

    Mr. KELLEY. That's right.

    Mr. LUDWIG. In other words, banks should begin testing in the third quarter of 1998, so that they have a year-and-a-quarter to test further and fix their systems. Some banks are ahead of that schedule, but, as you point out, Congressman Vento, this is enormously costly and time-consuming. We're talking about tens, maybe hundreds, of billions of dollars worldwide to fix this problem as it is incredibly time-consuming and expensive.

    Mr. VENTO. Well, thank you, Mr. Chairman.

    Chairman LEACH. There's a phrase here that changes the magnitude. We have a study in the United States that says $7.2 billion; you're saying hundreds of billions worldwide.

    Mr. LUDWIG. Well, of course, studies vary; they've got to be estimates. As Governor Kelley said, taking the Fed as an example, they must look through 90 million lines of code, and the best guess is that 10 percent is in need of correction. Until you identify where the errors are, you don't know the cost of remediation. It's been estimated that the cost of fixing a line of code is about $1.00 to $1.25, so you are in the ballpark. I will say this, we have found that where institutions have estimated their costs, the actual cost has tended to exceed what they had anticipated.

    Mr. VENTO. Thank you very much, Mr. Chairman.

    Chairman LEACH. Well, thank you, Mr. Vento.

    Mr. Castle.

    Mr. CASTLE. Thank you, Mr. Chairman. I'm becoming more dismayed the more I hear. I'm beginning to worry about the year 3000 up here as we have this discussion and what we're going to do about that.

    Let me ask this question, and I just don't know this. You all have focused your answers on the central banks and on private banks and, generally, large banks. I assume that the extent of the problem, as we've heard earlier, as is referenced by other Members, invades fields other than just banking, and, in fact, some of our large corporations have financial transactions far beyond almost any other bank, with the exception of maybe just a few out there in terms of what they're dealing with. First of all, is that correct? Are virtually all large corporations facing these same issues? And if so, can you in some way or another compare the significance of the issue in terms of the fix that's needed in terms of private, non-banking business, maybe just in the United States, and banking business in the United States?

    Mr. KELLEY. Well, this entire year 2000 project will touch everybody. It will touch not only large corporations, it will touch every corporation, every business, and in one way or another, I think we could say every household. It is incredibly comprehensive, and everyone who operates any sort of an activity that involves automated data needs to check to be sure that they're in compliance. It affects things like elevators and locks and medical records; it just goes on and on and on. I've seen long lists of things that you would never think of that must be taken care of to make all this happen.

    We're focusing, obviously, on financial institutions, and I would suspect that there probably isn't anything that's more critical than having financial institutions compliant.

    On the order of magnitude of how much is this going to cost, it's been estimated that for the very largest banks, the top 10 or so, it's going to be between $100 million to $250 million apiece. The Federal Reserve will probably spend $75 million to $100 million getting our systems ready. The next 40 of the top 50 are probably going to spend between $75 million and $100 million apiece, and smaller institutions will be in lesser amounts.

    This is not all incremental dead-loss expense; a lot of this is going to be reallocations of projects and work and people that would be doing other kinds of things in those organizations if they didn't have to get diverted to attending to the year 2000. In our case, we are keeping track of both the incremental expenses and also the reallocations. Those reallocations are going to involve pushing back some other things that we would like to do, but will not have the resources available for because year 2000 comes ahead of everything. The incremental expense is a relatively more modest amount.

    Mr. LUDWIG. Let me say a word about the non-bank financial and non-bank, non-financial institutions. The problem will affect everyone, as Governor Kelley said. Of course, how significant the problem will be will depend on a particular company's activities. Computer companies and companies that are integrally involved with a whole variety of activities that rely fundamentally on technology systems will be tremendously affected.

    From our perspective, this is quite worrisome, because these companies interface with banks and other insured depositories, and it is, therefore, essential that domestic insured depositories have contingency plans in place. We are working through the FFIEC to ensure that they do have plans that take into account the losses they could suffer by reason of their counterparties not having gotten their systems in order. And, of course, as you well know, many of these industries are not regulated, so that this is a very serious national problem.

    Mr. CASTLE. So there's a lot of interrelationship which all impacts the banking industry.

    Now I'm just looking quickly at the legislation that the Chairman has discussed, and in listening to Senator Bennett, their legislation, as I understand it, pertains almost exclusively, if not exclusively, to the financial industry. Is that correct? Maybe I should ask the Chairman to answer that.

    Chairman LEACH. Actually, not quite. Mine is related almost entirely to financial services. Senator Bennett's legislation is primarily disclosure, and it goes to every publicly traded corporation.

    Mr. CASTLE. That's correct; he did mention that.

    Chairman LEACH. So it is very widespread.

    Mr. CASTLE. And that leads me to this question—and maybe you're not the right witnesses, and maybe, again, the Chairman wishes to answer. But that is, are we going to see a series of fixes here? That is, fixes for the financial industry, fixes for publicly traded corporations, suggestions for privately traded corporations which don't have any public scrutiny, or whatever it may be, and can we get into conflicts over that? I'm just trying to look at the overall world of solutions of what we in Congress should be thinking about.

    Mr. LUDWIG. I think that is genuinely a problem, and it is a problem even for regulated institutions, because the technological fixes can be done in different ways. We are working hard to try to make sure that there is inter-operability; that a bank not only fixes its systems so they work within the institution, but it fixes its systems so they operate with other institutions that may have fixed the problem somewhat differently. The problem of inter-operability is exacerbated, of course, by the fact that you have institutions in the banking industry, which is regulated very seriously in this area, and other institutions that will look to private vendors and are not regulated or are regulated by other bodies.

    So, yes, there is an inter-operability issue here, and nobody can be entirely sanguine. Nobody can give the Congress a 100 percent guarantee that this problem will be fixed by January of 2000.

    Mr. CASTLE. May I ask one more question, Mr. Chairman?

    Chairman LEACH. Please.

    Mr. CASTLE. Of course, I guess Governor Kelley is the best to answer this because you've been answering it, but with respect to anything overseas, I would think, without knowing, that certain countries are probably a lot better prepared for this than are other countries, and that it varies as you go out into less-industrialized, less-modernized countries. And you mentioned that the central banks seem to be at least all conversant on the subject and that it's trickling down to the private banks, and we have some control over that when those private banks have branches in the United States, but in many instances, of course, they might not.

    From your exposure, are there countries which simply are completely ill-prepared for this that really need to be brought up to speed a lot more than others? I would assume that England, Germany, and Switzerland and places like that are as up to speed as we are, and some of the other countries fall quite a bit further down the ladder on that. Is that more or less correct?

    Mr. KELLEY. I think it's fair to say as a broad generality that the larger and more industrialized economies with the larger and more sophisticated financial sectors, as you would expect, are the ones that are furthest ahead in preparing. But we have been working very hard to try to make sure that the word gets to all central banks, and I believe we've been successful in that.

    Now that doesn't mean that every one of them went to work instantly when the light turned on; I can't say that they have. But we are working continually to upgrade their awareness and provide them information on what they need to do and how to do it, and we will just have to see how they come along. But there is a correlation, of course, between the size and sophistication of an economy and the extent of their preparation.

    Mr. LUDWIG. Of course, the import of your question, Congressman Castle, which I think is an excellent one, goes beyond the central banks. For those countries where preparation is not adequate, even if the central bank were to be adequately prepared, dozens of counterparties may well not be prepared at all.

    Mr. KELLEY. That's an excellent point, and I certainly agree. And with respect to Mr. Ludwig's comment a moment ago, the examiners from all of the agencies are now requesting information on the underwriting processes of banks and financial institutions to endeavor to ensure that they are interrogating their customers as far as their customers' ability to be compliant and, hence, handle their financial obligations in a timely manner. I think that, in and of itself, is going to be a big help to motivating some corporations to get with it.

    Mr. CASTLE. Thank you. Thank you, Mr. Chairman.

    Chairman LEACH. Thank you, Mr. Castle.

    Mr. Cook.

    Mr. COOK. Yes; when I contemplate the just millions and millions of financial transactions that obviously have a calendar-related aspect to them—just a common mortgage, and any bank in projecting interest, certainly, that's going to pass into the year 2000—I'm a little bit perplexed as to why there are not more problems right now related to the year 2000. I mean, it's not as though we have to wait until December 31 of 1999 at midnight to all of a sudden have all the problems hit. Aren't they making themselves manifest right now?

    Mr. LUDWIG. As a matter of fact, there is at least one instance of which I'm aware where credit cards were rejected because they had expiration dates beyond December 31, 1999, and the computer didn't know what to do with them. So, certainly, there are instances of this, but it is not dramatically widespread yet.

    Mr. COOK. In your opinion, and from all the testimony I've heard at both committees today that have been concerned about this problem, people are optimistic that a lot of people are working on it, but no one is thinking it will be solved in time. But, am I correct in believing that you probably believe that, although it will involve a lot of reprogramming and re-fixing, the cost-cutting, and to go from the two-digit to the four, or whatever technical things have to be done, that when we start having these problems of a credit card being rejected or an elevator not working or somebody not having to pay their interest to the bank, that these will be corrected pretty quickly? When those kinds of things really start hitting more rapidly, I mean people are going to get these fixed because we're just not going to allow these problems.

    Mr. LUDWIG. Congressman Cook, I can speak for our supervision of the banking system. It's not a matter of hoping. We will be examining every single bank, and they must have this fixed. And if it requires taking enforcement actions to ensure that it is fixed, we will do so, because this is a fundamental safety and soundness issue. It is something you can't take lightly.

    Now having said that, as Congressman Castle and others have pointed out, this is a broad international problem, involving companies that are not regulated, some of which may not have it fixed. And there are estimates that there will be a number of bankruptcies caused by the fact that some companies don't have it fixed. But in terms of our responsibility for the financial system, we will be making every effort to make sure that these institutions comply.

    Mr. KELLEY. Congressman Cook, if I may add to that, I think there is certainly reason for concern and every reason to focus intensely on this and stay focused every day between now and when the thing gets past us and behind us. But there are an awful lot of very good people that are working very hard on this, certainly all across the financial system, and I'm very sure in other places that we're not personally aware of. I don't think there's any cause here for panic.

    Will we have problems? I have no doubt that we will. It's hard to imagine that we wouldn't, and certainly no one is going to guarantee to the Congress that this thing is going to go perfectly. That's unrealistic. But we are working hard; I think we will have every opportunity to have a millennium that we can get through safely, if not problem-free.

    Mr. LUDWIG. In that regard, let me say the one thing that is critical is having contingency plans. Part of our overall effort will be to have contingency plans, so that with all best efforts—people believing they're in compliance, having relied on vendors and their own fixes—if something doesn't work, there will be contingency plans in place to try to fix problems very quickly.

    Mr. COOK. OK. I am getting a feeling that many of our financial institutions, particularly our banks, may be better prepared, come January 1, 2000, because of the regulatory nature of the industry than many of the non-financial areas. And I can certainly understand why Senator Bennett is concerned about increasing awareness among manufacturing companies and any publicly traded companies, as I guess his bill would do, but it's probably likely, I take it then, that the real problems may be outside of the financial areas. Even from this morning's testimony, submarines that may not, with all their programmed hardware in place, that embedded, kind of calendar-related programming could be a real problem; that really, the Federal Reserve and the Comptroller of the Currency aren't really going to have too much influence over some of those things.

    Mr. LUDWIG. That's right.

    Mr. COOK. Thank you.

    Chairman LEACH. Well, thank you, Mr. Cook. I have several very quick questions. One, not to be too much of a futurist, but is anyone concerned for the 22nd century?

    Mr. LUDWIG. That is quite a good question, because the key here is making a four-digit fix. There are those who have tried to focus on a cheap fix, a two-digit fix such that the computer will recognize for a period of time that it's in the right year. A two-digit fix obviously has the problem that it would have to be corrected a century later. The better fix is a four-digit fix, which is going to be predominant. Getting a four-digit fix is what is ultimately required here.

    Chairman LEACH. And that's what you are recommending?

    Mr. LUDWIG. That is the ideal solution. If a two-digit fix, however, gets a financial institution through a period of time, it's better than no fix at all.

    Chairman LEACH. The second question: At about this time period the Euro may be introduced. Is there any interlinking of problems?

    Mr. LUDWIG. Absolutely. That's another good question. Our concern has been that with Europe focusing so much attention on making the Euro work, limited computer resources would be diverted away from fixing the year 2000 problem. Accordingly, we've recently surveyed banks and supervisors on the degree to which the Euro would create a problem. Our survey is somewhat comforting for a couple of reasons. First, dealing with the Euro has in some cases necessitated new computer systems, which are year 2000-compliant. Second, our survey doesn't reveal a debilitating strain on computer resources. Having said that, it is genuinely an issue, because there is going to be a lot going on in Europe, and we're quite focused on it.

    Mr. KELLEY. It's not a technical problem; it is a management attention and resource problem.

    Chairman LEACH. To the degree that it's the very last resource problem, are you going to see a structural panic for software writers to do what appears to be an enormous amount of—from a software perspective—rather plodding work?

    Mr. KELLEY. That's a very important question, indeed. Panic is not a word I would use. I hope we don't have that; I don't expect it, but pressure on that market we certainly will have, and we're beginning to see it already. There are a finite number of people available in the country who can do this kind of work, and there is an enormous amount of work to do. So that is a very hot job, if you will, in terms of finding and retaining people on your staff who can successfully do that work, and we're feeling that pressure.

    Mr. LUDWIG. There are estimates that show sort of an asymptotic curve in terms of the cost per hour of hiring people to fix the problem up to the year 2000. It's particularly sensitive in the area of COBOL, an older computer language in which many of the mainframes were programmed with the two-digit fix. Those folks who understand COBOL are quite at a premium. In addition, with very old systems, the source code, the written code, has been lost. You have to decompile the code from the existing systems, and that takes another type of expertise. So you're quite right; these folks are at a premium. It's one of the reasons we've got to push on with this program very rapidly now.

    Chairman LEACH. Well, the question I would raise is that a fundamental aspect of any financial system is the word ''confidence,'' and are you suggesting that we have what could be a real confidence-shattering event?

    Mr. LUDWIG. It should not be. As I mentioned, the FFIEC put out its first public release on this issue in the spring of 1996. We have been working on the problem aggressively for quite some time and have an orderly process so that financial institutions will be ready. But I am, while not sanguine that there won't be some glitches, because that's the nature of the problem and we'll have contingency plans to deal with them, I think that it would be a mistake to blow this out of proportion and cause public panic. I don't think that's really called for.

    Mr. KELLEY. I concur with Mr. Ludwig on that, entirely.

    Chairman LEACH. And then the final question: is the Fed prepared with contingency planning to stand behind systemic problems?

    Mr. KELLEY. Yes, sir; we certainly are. We have all the tools available that are necessary to do that, and we have our contingency plans in place, and we will be ready to lend and able to lend if that is what's required, to the extent that it's necessary.

    Chairman LEACH. Well, thank you very much, and I thank you both for your testimony.

    Our final panel today includes private witnesses who will give us a year 2000 perspective from inside a bank, from a vendor to thousands of banks and credit unions, and from an international expert on the global scope of the year 2000 problem. We're pleased to have with us James R. Devlin, who is the Director of Year 2000 Corporate Governance for Citibank, our second-largest bank; Mr. John Meyer, who is President of the Diversified Financial Services Division of EDS, and Mr. Lou Marcoccio, Research Director for the Year 2000 Group, and for an outside consulting organization called the GartnerGroup.

    And unless there's a pre-arrangement, I'd like to begin with Mr. Devlin. Is that appropriate?

    Mr. DEVLIN. Yes.

    Chairman LEACH. Fine; Mr. Devlin, please.

STATEMENT OF JAMES R. DEVLIN, DIRECTOR, YEAR 2000 CORPORATE GOVERNANCE, CITIBANK

    Mr. DEVLIN. Thank you, Mr. Chairman. My name is Jim Devlin. I'm responsible for Citibank's year 2000 program. I'm pleased to be here today to talk about the implications of the year 2000 problem for the banking industry. In doing so, I'll summarize the major points of the written testimony which we have submitted.

    Because we do business all over the United States and in nearly 100 countries around the world, and because we operate on nearly every technology that exists, Citibank faces unique challenges from the year 2000 problem. Accordingly, we adopted a project approach of centralized coordination with decentralized problem identification and solution deployment. In line with this, our overall methodology is focused on establishing required governance processes, dimensioning the risks that face us as an organization, and then monitoring our global progress at reducing that risk.

    Let me tell you briefly about some of the specific steps we've taken in our year 2000 response. We created a tiered governance model to ensure ongoing senior management involvement and oversight of the year 2000 solution. Using this structure, Citibank positioned the year 2000 date problem as a business issue rather than just a technological one. We recognized that the year 2000 problem extended beyond the traditional technology world and identified eight year 2000 problem domains, or risk areas, that we felt needed to be addressed and then developed specific strategies for dealing with each of them.

    We formalized a global plan to analyze and screen the bank's computer systems and business processes for susceptibility to year 2000-induced errors. To ensure the sense of urgency needed, we established a global target date of December 31, 1998 for the completion of all required modification, certification, and implementation tasks. This provides one full year, 1999, for validation of the changes in our production environment.

    Finally, we initiated a program to verify that all externally supplied technology products and services are or will become year 2000-compliant. This program includes independent verification within Citibank. Vendor compliancy statements are simply the starting point for our internal certification processes. We're confident that the program and initiatives that we've implemented will help ensure a smooth transition for Citibank's customers and business partners, but we also recognize that significant challenges still lie ahead of us.

    In addition to finding and correcting the problems in each of the problem domains that I described, we see three major challenges facing financial institutions. The first is compliance of external providers—our vendors, suppliers and business partners. Bank remediation, testing, and certification activities are negatively impacted, for example, by the lack of clear and direct responses to our requests for the compliance status of the products and services we use.

    U.S. banking regulators have established an appropriate regulatory regimen for addressing the year 2000 problem. The setting of specific target dates and the identification of the critical issues to be addressed focused banking industry efforts. It would be helpful if similar regimens existed for the industries on which we rely to carry out our daily activities.

    The second major challenge is testing. Like others, we've determined that testing will encompass approximately 50 percent of the year 2000 effort. For Citibank and others, this means bank-wide testing, street-wide testing, and worldwide testing. As an industry, we are still grappling with theoretical issues like the best way to age test data and the best way to ensure that our systems work from end-to-end. When they are solved, we need to address the practical issues of establishing the necessary test beds, coordinating the parties involved, executing the tests, and then assessing the test results.

    The third major challenge is contingency and disaster-recovery planning. Despite the best planning and execution efforts, we must work from the premise that some problems will not be uncovered. We are all addressing this potential with multiple levels of contingency planning, but there is little that a single organization can do against systemic failures within or external to the banking industry. The issue then becomes not contingency planning, but disaster-recovery planning.

    Groups like the New York Clearinghouse Year 2000 Committee are addressing this topic, and a recent meeting sponsored by the Federal Reserve Bank of New York was an important first step to broader financial industry action, but this may be an area where more regulatory leadership is needed.

    We've all learned a lot about the year 2000 problem over the past months, but probably the greatest lesson we've learned is that we've never had to deal with a problem of this scale before. We can respond successfully to the year 2000 issue, but it will require stronger coordination, more sharing of lessons learned, and closer cooperation across the entire financial services industry. Given the time remaining, we must all work together to ensure that we will all be ready on time.

    This concludes my testimony. Thanks for the opportunity to be here, and I'm happy to answer any questions you may have.

    Chairman LEACH. Thank you, Mr. Devlin.

    Mr. Meyer.

STATEMENT OF JOHN MEYER, PRESIDENT, DIVERSIFIED FINANCIAL SERVICES DIVISION, ELECTRONIC DATA SYSTEMS CORPORATION

    Mr. MEYER. Mr. Chairman, my name is John Meyer and I am the president of the Diversified Financial Services Division of EDS, and appreciate the opportunity to be here today.

    EDS is a global professional services company that specializes in applying information technology to solve business problems and improve the performance of our 8,000 customers in 42 countries.

    Financial Services represents the second largest industry group in EDS, representing almost 5,000 customers and 14 percent of our $14.4 billion worth of revenue last year. Our clients cover the entire spectrum of the diversified financial services industry, and our services are as varied as the types of financial industry customers we serve.

    The year 2000 is a business issue, and one that all responsible companies are taking very seriously. If it were ignored or not addressed by financial institutions, their regulators, and their business partners like EDS, the consequences would be dire, indeed, but not the nightmarish picture painted by the popular press. It won't be business and social Armageddon, but neither is the year 2000 simply another computer glitch as some have claimed—an over-hyped, sensationalization kind of technical indigestion that will pass through our network and systems without incident. On the contrary. It's real, it's inevitable, and time is running out.

    Responsible companies, those that intend to be in business in the year 2000, are formulating contingency plans to account for the issue's impact long after January 1, 2000. The cooperative efforts of these companies will significantly minimize disruptions to banks caused by multiple interfaces with computer systems and networks. That's not to say that no disruptions will occur. They inevitably will, particularly if the year 2000 is narrowly and mistakenly defined as simply a computer problem.

    In truth, year 2000 is not a back-office problem that bank management can safely presume is being ''fixed'' by the data processing department or the services provider. It is a business problem, most appropriately addressed by banks' senior management.

    More directly, it is a non-competitive business issue. All of us—service providers, Government agencies, banks, their business partners, and consumers themselves—have the same objective in mind, which is to maintain the health and the safety of the Nation's financial system, protect depositors, and minimize any disruption or inconvenience in the financial services industry. Non-competitive cooperation and coordination are key to meeting this shared goal.

    EDS began preparing for the year 2000 many years ago. In 1993, we began an in-depth, multi-step analysis of the year 2000 impact on our technical infrastructure and the systems supporting our financial industry customers. We began encouraging our clients to undertake those same steps. A summary of our actions is contained in the full statement, but to be in brief, all substantial changes to ensure that EDS's financial institution systems are year 2000-tolerant will be completed by December 31, 1998. Now by year 2000-tolerant, I mean that the data processing systems will accommodate year 2000 dates.

    Before I finish, I want to address our experience with the regulatory oversight of this problem. As one of the largest providers of services to depository institutions, EDS is examined regularly by the FFIEC, its member agencies, and the State banking committees in States where we have a large contingency of financial customers.

    About two years ago, the regulatory agencies began focusing on year 2000 and the preparedness of financial institutions and service providers such as EDS and how they were addressing that issue. In the last nine months, the level of scrutiny has increased dramatically. I can report to you that the regulators are proactive, thorough, and comprehensive in their scrutiny of information technology vendors. We found the process to be intensive and time-consuming, and at times grueling, requiring significant time and attention of our senior management. But we applaud their efforts and believe that the examiners' scrutiny of service providers and the financial institutions we serve is doing a great service in raising the year 2000 awareness and creating a sense of urgency in our clients' minds.

    In my formal statement, I've included a number of other issues we believe the industry must keep in mind as we proceed.

    I am pleased to answer any questions that you may have. Thank you.

    Chairman LEACH. Thank you very much. Our final witness is Mr. Lou Marcoccio. Now, have I pronounced that correctly, sir?

    Mr. MARCOCCIO. That's correct.

    Chairman LEACH. Thank you. Please, go right ahead.

STATEMENT OF LOU MARCOCCIO, RESEARCH DIRECTOR-YEAR 2000, GARTNERGROUP, INC.

    Mr. MARCOCCIO. Thank you. Thank you, Mr. Chairman, and Members of this committee for inviting me to testify on such an important and critical topic.

    There are three points that I would like to make in my discussion: method of measurement and worldwide status. GartnerGroup is an advisory company, an information technology advisory company that is used by many companies throughout the world. We do a tremendous amount of research throughout the world, and it includes research throughout all industries, all companies, all countries, country governments, and so forth.

    As I was stating, there are three points: method of measurement and worldwide status today, as far as the year 2000; the status and issues related to the U.S. banking and financial services industry, and some recommendations for reducing the likelihood of failures due to the year 2000 problem.

    Basically, the question I'd like to pose today is, what is the acceptable number of failures in the banking industry that we're willing to deal with throughout the world? How many banks are we willing to see either fail or have system failures? How many mission-critical systems are OK to fail in U.S. banks and banks throughout the world? How many negative effects to our banks' global investments or monetary systems are we willing to accept worldwide? And I'd like to talk about some issues related to some possible effects to these.

    We can influence and regulate now to avoid major hazards, and time is getting very short, as Senator Bennett stated earlier, and that quite a few other people have testified in this committee and others. We really only have about three to six months. It was discussed earlier about some of the legislation that is being proposed, that we have about three to six months to actually influence some of the changed conditions.

    We are now able to show direct correlations between several sectors through our research. We're able to show correlations between the progress to particular levels within a specific timeframe that banks and other industries are going through, and also the specific methods and strategies that are being used and how they correlate to the likelihood of a specific number of mission-critical failures. We have enough history built up now, enough benchmark information and case studies, such that we can identify the specific estimates, resources required, and potential failure probabilities.

    We've also recently researched worldwide status of year 2000 progress, and let me discuss a few of these results. The method that I was mentioning has to do with a COMPARE scale.

    We have five levels; this is the way we do our research.

    Basically, Level 0 means that a company or a government has not started any activity whatsoever. Level 1 means that they've started; they're doing some awareness, and they've gained some resources or a core team to start some work.

    Level 2 means that a detailed inventory is being done of all the systems and potential problem areas. This includes internal systems, external vendors, the traditionally non-information technology-supported solutions, embedded systems, and supply chain vendors that are critical to the operation of those companies.

    Level 3 is a level where you develop detailed project plans right down to the level of getting the work done, as well as getting resources committed and in place.

    Level 4 is getting all of your mission-critical systems to your entire operation fully year 2000-compliant and back into production.

    Level 5 means that you've covered all the areas which include embedded systems, vendors, supply chain vendors, dependencies on other companies—fully compliant and back into production.

    Using that as a means for our research, what we found is that 30 percent of all companies throughout the world today, and this includes all sizes, all industries, have not started any work whatsoever on this year 2000 problem. Eighty-eight percent of that 30 percent are small companies, what we identify as under 2,000 employees. We've looked at medium-sized companies. They are basically at level 1 and 2, so they're just starting the process; they're just starting to do their inventories, and the large companies are actually at a solid level 3, and that means that they have now inventoried; they have done a considerable assessment; they're completing their assessment, and they've actually started well into the remediation of the software. And they've started looking at some of the other areas, or possible dependency areas.

    As far as banking, specific to the banking and financial industries, we have found that banks worldwide fell in at anywhere from not starting whatsoever, up to level 4, which means they've gone through the assessment phase and they've started well into remediation.

    And it's dependent very heavily on specific geographies, specific countries. It was mentioned earlier by a few people on the committee about some of the risks associated with other countries and potential risks to financial institutions. We found a definite correlation between countries that are either emerging countries or less-developed countries, where their financial institutions are way behind on starting this work.

    Seventy-three percent of banking institutions are using outside service providers to supplement their resources, so, of course, there is a dependency on those resources, and I was pleased to hear earlier today that there is some regulation and some work that's going on in terms of evaluating some of those service providers.

    But, also, 87 percent are now using or are planning to use vendor survey letters in order to determine compliancy of vendors that they're dependent upon. This we totally disagree with, as far as a strategy, and actually we've now correlated some of the failures associated with this. And, in fact, only about 20 to 30 percent responses come back to these companies and to these banks from these vendors, and it's basically because they either don't have the information to provide—they haven't gone through enough investigation themselves—or they just don't know what they don't know.

    We have done further research, and, more shockingly, only about 3 percent of the replies that are provided are accurate. We've proven this through surveys and research.

    Many banks have not yet secured business owners or business support. It was mentioned earlier that this is a business problem; this is also critical to the progress in these areas. Seventy-two percent of U.S. banks have had their computing systems impacted by a merger or acquisition within the last 24 months. There is a tremendous amount of work going on in the way of business process change and systems change associated with these mergers. They have to deal with that in addition to trying to work out this year 2000 problem.

    Banks are typically taking longer to launch implementation efforts, the entire process of evaluations and pilots and so forth because their transactions are considerably complex, and they have to deal with banks or other institutions that are much more distributed, as far as their information. This entire process takes considerably longer than in some of the other industries.

    Banks are typically budgeting between 10 percent to 30 percent of their information technology budget on the year 2000 projects. There are also additional incremental funds that are being considered and in some cases actually being spent, but for the most part this is being looked at as an additional project that's paid for with funds that were budgeted for other work.

    And unlike other industries, banking institutions normally do not work with other banks to solve this problem. We have not seen a coming together of banks to work together. We've seen some small numbers of this occurring, as far as very large institutions within the U.S., but in the rest of the world this is just not occurring. If you go to Switzerland or any of the other countries, it's counter to the way they work, and, in fact, they have policies in place such that that cannot occur.

    As far as some major issues or considerations, it's been estimated that 11 percent of embedded firmware will have date-sensitive errors or failures. Embedded systems are just starting to be looked at at most banks, and, in fact, there is very, very little effort put forth so far in looking at or evaluating embedded systems.

    Also, in the areas of infrastructure, PC's, and many other client-server systems, these things have been totally overlooked thus far, worldwide. Some of the larger banks in the U.S. have started efforts in this phase, but worldwide, other than mainframe and other than the largest transaction systems within the banks, these areas are almost totally ignored at the present time.

    The traditionally non-information technology-supported systems also are being overlooked by other banks outside the U.S. In areas outside the U.S., if I go to eastern Europe or I go to South America, Asia, or many other countries, many of the areas that can influence the operation of the bank itself are just totally ignored up to this point, basically because they're at such an early stage of even looking at or addressing the problem in detail.

    There's also a very high degree of dependency on vendor suppliers and supply chain vendors. Ninety-four percent of banks who have reached level 3 of that scale that I mentioned earlier use the survey letter that we discussed, but also only 1 percent of banks that we've surveyed are actually looking at their supply chain vendors as well as the vendors that supply information technology to them in the way of software, hardware, and services; so, all of the other supply chains, whether it be power companies, whether it be raw materials, telecom, and telephone.

    Telephone is very, very dependent upon specific regions, specific States, and even within specific communities. You have switching stations within telecom companies. You can have one in one community that's totally compliant, and you can have one in the next community that is not. This has been well under-analyzed up until this point, and that's a big consideration for banks.

    And what I'd like to just finish with is related to some recommendations. Less than 100 percent replication testing has been planned at the majority of banks throughout the world, and what I mean by this is, if you take the systems that are mission-critical to the operation of the bank, there are only portions or percentages of testing that is being planned, and these banks aren't planning 100 percent replication testing of all transactions and all functions; therefore, the risk for failures is very high.

    Also, when you go through and you do remediation of source code, when you actually touch the source code, we found through our research that 10 percent to 15 percent inaccurate errors are actually entered into the source code, in addition to the potential errors that are there already. So testing is highly critical, and full replication testing is critical for mission-critical systems.

    It was mentioned earlier about panic, whether panic will occur. I certainly hope that's not the case, and I certainly hope that we can put enough things in place and address enough of these issues so that does not occur. However, I'd like to make in my statement here, or draw a light to the fact that in a survey, we found that 38 percent of information technology professionals have indicated that they may make some adjustments to their own personal finances, whether it means withdrawal or other changes to their investments.

    Chairman LEACH. Could I stop you at this point?

    Mr. MARCOCCIO. Sure.

    Chairman LEACH. Because this is a public confidence statement, and I want to make it very clear that all financial institutions in the United States of America have Federal Deposit Insurance. And so, let us say an individual American has $15,000 at their local bank, and their local bank might have a glitch in their system. Their deposit will be 100 percent insured and protected by the United States Government, and in the prior statement we heard a statement from the Federal Reserve Board that indicated that if that financial institution had a glitch in its larger relationships with other institutions on liquidity, the Federal Reserve Board was prepared to back that institution.
    And the only reason I stress this at this point is that one can do survey data of knowledgeable people in the computer world that are doubtful that banks will be fully compliant, and that's a fair conclusion, but that doesn't mean that the deposits will not be protected. And I just think that's very important from a confidence factor that ought to be on the record, that even if there is a failure of an institution to be perfect on the day of January 1, 2000, the customer will not be disadvantaged up to the point of deposit insurance.

    Mr. MARCOCCIO. The reason I bring that up, Mr. Chairman, is just because we feel after this research, this piece of research, that there's a public misunderstanding and that some PR work needs to be done there, perhaps, to make them aware of the great work that's being done so they don't have to have that kind of issue or worry.

    Chairman LEACH. Fair enough.

    Mr. MARCOCCIO. Also, there is lack of contingency planning. I know it was discussed earlier by several other individuals about contingency planning. Less than 1 percent of all banks at level 3, worldwide, are actually doing contingency planning such that they're building contingencies around mission-critical systems in case they fail.

    Additionally, in legal issues, it was mentioned earlier about what some of the legal costs could be. Our advice there is to do litigation avoidance, or actually plan for litigation such that you audit things properly, you show a decent amount of due diligence, and you make sure you put plans and contingencies in place so that you will not have those kinds of issues to deal with.

    Chairman LEACH. Could I stop you there for a second? One can never intervene in the American system of justice, but I'm certainly at the cutting edge of hoping that this is not the most planned-for litigative circumstance in American history, and that those that are most prepared are those that are planning litigation. And so I am hopeful that we have a system where there are efforts at due diligence and efforts at correcting problems and not great damage to anybody, that you don't have every lawyer in the world joining in to litigate. But I will say, that should be a major worry for every corporation.

    Mr. MARCOCCIO. Yes. Our recommendation there is to plan for avoidance and acknowledge that up front, and put those contingencies in place and take the right steps so that you won't have those issues to worry about throughout the process.

    Finally, our recommendations are to expand as much effort as possible into these additional parallel focus areas that I've discussed, and they are the contingency planning, the embedded system area, and the contingencies around vendors and the research around vendors, and to reduce the dependency on these vendors, especially through the survey process; use face-to-face audit methods with vendors. I notice from some of the previous testimony that that's being started, especially with some of the Federal agencies, and we definitely look very positively on that methodology.

    Use a status and a measurement methodology. It was mentioned earlier that is there a measurement methodology that can be used throughout the world? Basically, our GartnerGroup's COMPARE methodology is used now by more than 6,000 companies worldwide and 21 country governments. It's been established, at least throughout those areas, as some type of a standard, and it's been used, in fact, even by quite a few now of the Federal agencies, and we would recommend that as a methodology for measurement, for determining status and comparison throughout various groups, divisions, agencies, and so forth.

    Also, a plan for failures: One of the things that wasn't mentioned earlier is that we need to plan for failures. We need to plan for system failures in order to build the right contingencies in place, to make sure that we're looking at the dependencies that can cause other contingency or other dependency issues, like other companies, other banks from other countries, other economic issues, and dependencies on vendors and so forth.

    Also, reduced loan default risks: We've been working with a number of banks on working out some strategies to make customers of banks aware—especially where you are talking large consumer or large commercial loan areas, investment areas—and to do some awareness work to make them aware, and make sure that you provide enough information so that they can drive and start working this problem as well, in order to reduce the risks of potential problems down the road.

    And, last, as I mentioned earlier, was to plan for litigation, reduce litigation risks by taking some of the steps that we mentioned.

    Thank you for allowing me to provide this information, and I will answer any questions you suggest.

    Chairman LEACH. I appreciate it very much, and I appreciate what an effect as a new specialty consulting organization that appears to have been led by your institution.

    Let me first ask all of you, do you have a belief that any legislation is needed at this time that could be helpful? Or would you rather think that over and respond in writing?

    Mr. MARCOCCIO. I think that legislation, as far as disclosure, would be exceptionally helpful. I think it would be—personally and through GartnerGroup and our research—to be able to disclose at least the status associated with your year 2000 activities that can be shared. If it were publicly disclosed, that could be shared with other banks that have other dependencies with other banks; other banks can gain from other countries; other banks that have other dependencies can actually advance themselves from that information, knowing and understanding what status other banks are at, and so forth. Plus, I think it will reduce risks; I think it will reduce some of the other issues that we've discussed. I think it would be very helpful.

    Chairman LEACH. Very good.

    Mr. Meyer.

    Mr. MEYER. The disclosure issue—probably the biggest benefit that I see in that is the raising of the awareness of the year 2000 issue among the general public and the financial institutions to where it's a proactive part on the business owners, this issue which really isn't in existence today.

    Chairman LEACH. Mr. Devlin.

    Mr. DEVLIN. Mr. Chairman, I think we'd like to think over the proposals we've heard and respond to you in writing.

    Chairman LEACH. Good. I would appreciate any specifics any of you would like to provide in that regard. Particularly around the world, I visualize in the final measure the vast American banks to be in compliance with the problem by the year 2000. In some countries that vast majority may be a significant minority, and so one aspect is—and it's an extraordinary phenomenon—if you take the institution of Citicorp, which is the largest American presence in many countries, it's not at all inconceivable that there will be a run to your bank, in some societies, if you're the only bank that is capable of communicating properly with various institutions around the world. Are you prepared for growth?

    Mr. DEVLIN. Mr. Chairman, what we're doing in each of the countries is trying to work with both the central banks and with other banking organizations in the country to make sure there's a sense of awareness and a sense of preparedness in all of the institutions within a country, and try and work through the system that way. At the same time, we're looking at all of our systems to see that those systems are as robust as they can be to support the activities we need to support.

    Chairman LEACH. One of the interesting aspects of this issue is that every institution in the world is going to have to take on more people to go through existing codes. One of the things banking systems pride themselves on is confidentiality. Are we raising the possibility of bank robberies through people learning how to access bank codes, and therefore using them in illicit ways to take funds from various deposits? And do institutions have protective mechanisms to that degree?

    Mr. Devlin.

    Mr. DEVLIN. Mr. Chairman, I can only speak for Citibank and what we're doing. In terms of the remediation within the bank, we've got roughly 5,000 people around the bank working on the year 2000 problem in its various aspects. To a very large extent, the people that are working on the problem for us are our employees rather than external consultants.

    To the extent that we've gotten consultants involved or where we've sent some of our work out, we have a very strong system of internal controls, as most banks do, and what we've done is to make sure that in any of the work related to the year 2000, we've reinforced and put in additional controls to safeguard against just some of the things you're mentioning.

    For example, we have rules that absolutely forbid sending out anything that relates to a security module or any of the passwords and any of the critical portions of our various systems. I think most banks are doing something similar to that.

    Chairman LEACH. So passwords are protected?

    Mr. DEVLIN. Yes, sir.

    Chairman LEACH. OK.

    Mr. MEYER. I think you'd find, Mr. Chairman, too, that in addition to the security of dealing with the systems, we do an extensive amount of research into people's backgrounds that are operating in this environment so that you can never, I guess, protect against someone becoming a bad apple afterwards. But you can at least protect that they weren't a bad apple before they got into the venture.

    You also, because of division of duty, create enough capability for one person to not have the control of the full process, and that's another way that we protect at EDS.

    Chairman LEACH. Mr. Marcoccio, are you as sanguine?

    Mr. MARCOCCIO. I'm sorry?

    Chairman LEACH. Are you as confident of this circumstance?

    Mr. MARCOCCIO. Well, in the large banks that I've been working with, I think the security measures that are in place have been quite adequate. I think the security checks I've seen in many of these banks are being done relatively well. Yes; I have a relatively good confidence in that regard.

    Chairman LEACH. Good. Well, I would like to ask one question about vendors, because Mr. Meyer represents a vendor community, and one I think we ought to place on the record the size of this circumstance. And by background, it's my understanding that up until about 20 years ago, and still existent today, but some of the greatest redundancy in computer capacity, was wherein individual banks, where every individual bank thought they had to operate everything themselves. And then banks came to the conclusion that this wasn't the principal function of banking, and so many banks decided to cut back on basic hardware and go to vendors who became specialists in doing much of the computer work for an individual institution, and that this became cost-efficient as well as a better technique to keep up with certain generational changes in technology.

    Your institution is one of the largest vending institutions for—maybe the largest—for commercial banks, but as a general proposition, are we talking about an array of hundreds or thousands of vendors for banks? Approximately how many vendors are there out there that we should be concerned with?

    Mr. MEYER. Probably more like tens of thousands of vendors.

    Chairman LEACH. Tens of thousands.

    Mr. MEYER. And although each one of them has varying degrees of penetration within the financial industry, in each one, even in situations where we may be running the entire data processing department for a financial institution, there are telecommunications companies, there are security companies, there are utility companies that they all interact with, that our systems need to interface with, where that responsibility actually resides with the actual banking executive to define those interfaces and ensure that those interfaces are being taken care of. So we spend a lot of time educating our customers on what types of things they need to check on to make sure that they are not blind-sided by this.

    Chairman LEACH. In my opening statement, I made the comment that it was unclear whether the existence of vendors was a great liability for smaller institutions or perhaps a Godsend; that is, in theory, if one goes to vendors because of greater degrees of sophistication, they might be better off to stay ahead of the game than each individual bank having to deal with a set of problems. On the other hand, they're outside a bank's control, to some degree.

    Would you care to comment on that?

    Mr. MEYER. Well, obviously, I have a vested interest in this answer, and you know what side I'll fall on, and that is it is to the financial industry's benefit that they have this. A lot of small institutions could not be competitive in acquiring the technical expertise necessary to change their systems within the next two years, and that to the extent that they are with a vendor, so to speak—and sometimes we use a ''partner'' term instead of a vendor—they have the capability that we can leverage that expertise across multiple financial institutions. That leverage equates to a cheaper cost, but it also equates to the capability for us to ensure that multiple institutions at one time are capable of being year 2000-compatible.

    Chairman LEACH. Then let me just take the case of your company as a principal vendor to a bank. The bank would have certain things within the bank that they would have to be concerned with. Would this be a large number or a small number? I mean, for example, let us say I am a small bank that had a relationship with your company, and in the year 2000 issue, if I'm confident your company was on top of it, am I OK, or are there a lot of things that I still have to do?

    Mr. MEYER. There are a lot of things that you still would have to do, but realize that each one of our relationships with all of the 5,000 financial institutions is different. And to some extent we may be supplying software, and other times we may be doing the entire data processing department. So, the communication that comes from us is specific to each individual customer, based on the relationship that we have with them.

    Chairman LEACH. Would 90 percent, as an average, fall with you and 10 percent to the bank? Or would it just be so assorted?

    Mr. MEYER. It really varies by every customer. In some cases it's 90 percent; in some cases we supply one or two people to assist them in their systems.

    Chairman LEACH. Mr. Marcoccio, how do you look at the vendor problem?

    Mr. MARCOCCIO. Well, one of the things that we've found is that in larger banks in the U.S. most of them seem to be employing a strategy of using some of their own resources and then enhancing that with some additional resources from an outside vendor, or vendors.

    As soon as you get into smaller banks in the U.S., many of them spend less of a percentage of net operating revenue on information technology, and therefore they have less infrastructure and normally less numbers of resources and expertise. Some of them are deciding to outsource some of this work to an even greater extent, or will have a need as they get further down the road, because they're behind to start with.

    As soon as you get into some other countries, however, that changes even more dramatically. If you go down to South America or you go to parts of Eastern Europe, some of these banks have even less net operating revenue percentage spent on information technology, and you have very small groups trying to support these business changes, mergers, and other things, so they're even more dependent on outside resources and vendors.

    Chairman LEACH. Just in terms of cost; I don't know if I read it in a summary from testimony or from staff-provided notes, that your institution, Mr. Meyer, which is a vending institution itself, is going to spend something like $144 million to make yourselves year 2000-compliant. Is that a valid figure?

    Mr. MEYER. The $144 million figure ties to ourselves, but also for our customers, the ones that we are providing system solutions to. That was an initial estimate that we put in place for our financial community and the disclosure that we provided, because the information technology is so important to us and to our investors, so what we have done is put that forward. As we have further refined that analysis, we have found that number to be less, and it continues as we refine it to be less and less.

    Chairman LEACH. In terms of the industry itself, can you speak about the industry itself? I mean, in this regard can you say that you think half the vendors will be well-prepared? Ninety percent? Twenty percent? Is there a great differential among vendors?

    Mr. MEYER. As there is a great differential on the size of the vendors, the financial wherewithal of the vendors, and really the need of whether they have a large customer base, there is the same sense of preparedness across that vendor community. I know that appears to be somewhat of a marshmallow answer, but that's really the business realities. The larger vendors who intend to and have a larger customer base are better prepared for the future.

    Chairman LEACH. Thank you very much. Is there anything any of the three of you would like to leave as a concluding comment?

    Mr. Marcoccio.

    Mr. MARCOCCIO. Just one thing. It was mentioned earlier about what failures are occurring now or what failures will occur before 2000. In the research we've done in banks and in companies that are quite advanced in this phase at the present time, there are quite a few failures that have occurred already, and some of which are still continuing to occur; I mean, some of which if they weren't fixed—for instance, back when 30-year mortgages had to be addressed, some modifications had to be done back then in the late 1960's.

    Chairman LEACH. Excuse me, are you talking about failures of financial institutions?

    Mr. MARCOCCIO. Financial institutions and systems within banks and financial institutions. So, failures that have occurred, there have been several already. Whether they have to do with 30-year mortgages, where modifications to the source code and systems had to be made back then.

    Chairman LEACH. But the systemic failures have not, as yet, caused the failure of an institution?

    Mr. MARCOCCIO. Correct. Well, there have been some failures associated with warranties, 3-year warranty scenarios. Many of these banks that have run into some of these issues—documentation that had to be processed prior to 2000—some of these issues have been addressed through work-arounds. The failures were identified, addressed, and we haven't been made aware of any major catastrophes associated with these failures.

    Chairman LEACH. What about in Southeast Asia? Do you visualize this circumstance compounding current problems?

    Mr. MARCOCCIO. Well, I think outside of the U.S., I think the entire problem is much more substantial, because many of these banks are set up, first of all, like I mentioned earlier, they have a lot less information technology resources internally; they have not addressed the problem in many cases, either at all or almost not at all thus far, whether you're talking Southeast Asia or you're talking about several countries in South America, Eastern Europe—there are quite a few countries. Part of our survey, for instance, was done in Thailand. Some of these banks and financial institutions have not started at all, thus far, and they're just beginning some level of awareness.

    Chairman LEACH. I appreciate that.

    Mr. Meyer, do you have any concluding comments?

    Mr. MEYER. I guess, just as a final concluding comment, I wanted to thank you for inviting us to participate and to contribute from a vendor community.

    Chairman LEACH. Well, thank you, sir.

    Mr. Devlin.

    Mr. DEVLIN. Just to echo Mr. Meyer, I think this was an extremely good idea, and we're glad that you held this hearing.

    Chairman LEACH. Thank you, and let me express my appreciation to the three of you, who are experts from three different perspectives from estimable institutions. Your testimony is appreciated. Thank you very much.

    This concludes our hearing.

    [Whereupon, at 5:27 p.m., the hearing was adjourned, subject to the call of the Chair.]