United States General Accounting Office GAO Report to Congressional Requesters April 1999 YEAR 2000 COMPUTING CRISIS Federal Reserve Has Established Effective Year 2000 Management Controls for Internal Systems Conversion GAO/AIMD-99-78 GAO United States General Accounting Office Washington, D.C. 20548 Leter Accounting and Information Management Division B-280502 Letter April 9, 1999 The Honorable Robert F. Bennett Chairman, Subcommittee on Financial Institutions Committee on Banking, Housing, and Urban Affairs United States Senate The Honorable James A. Leach Chairman, Committee on Banking and Financial Services House of Representatives This report addresses the Federal Reserve Systems (FRS) efforts to remedy the Year 2000 problem 1 for its internal computer systems and is the latest in a series of reports and testimonies responding to your requests to review federal financial regulatory agencies Year 2000 efforts. 2 Established by the Federal Reserve Act of 1913, FRS is instrumental to our nations economic well-being by providing depository institutions and government agencies services, such as (1) processing checks, (2) transferring funds and federal securities, and (3) auctioning, issuing, servicing, and redeeming Treasury securities. If FRS does not effectively manage its Year 2000 program, key systems that process trillions of dollars could malfunction or fail, potentially causing serious national and international financial disruptions. The objective of our review was to determine whether FRS has established effective management structures and processes for managing and reporting on its internal Year 2000 program. To satisfy our objective, we analyzed FRS Year 2000 program management structures and processes against our 1 The Year 2000 problem is rooted in the way dates are recorded and computed in automated information systems. For the past several decades, systems have used two digits to represent the year, such as 99 representing 1999, to conserve electronic data storage and reduce costs. With this two- digit format, however, the Year 2000 is indistinguishable from 1900, or 2001 from 1901, etc. As a result, system or application programs that use dates to perform calculations, comparisons, or sorting may generate incorrect results or not function at all. 2 We previously reported and testified on the Year 2000 oversight efforts of the Federal Deposit Insurance Corporation, Federal Reserve System, National Credit Union Association, Office of the Comptroller of the Currency, and Office of Thrift Supervision. (See appendix III for a list of these products.) Page 1 GAO/AIMD-99-78 Federal Reserve Year 2000 Management Controls B-280502 Year 2000 guidance3 to determine if important management controls for increasing Year 2000 readiness and reducing Year 2000 risks were in place. For eight mission-critical systems that support the processing and movement of trillions of dollars in checks, funds, and securities in a majority of FRS core business processes used by depository institutions and the federal government, 4 we reviewed supporting documentation to verify that the controls were functioning as intended. Appendix I provides a description of FRS core business functions and systems environment. On February 25, 1999, we provided the Chairman of the Board of Governors of the Federal Reserve System with a draft of this report for review and comment. FRS comments are discussed in the Agency Comments section of this report and are included in appendix II. Results in Brief FRS Year 2000 progress reports and plans show that its Year 2000 program is on schedule with Office of Management and Budget (OMB) milestones. Further, we found that FRS has effective controls to help ensure that its Year 2000 progress is reported accurately and reliably. We also found that it is effectively managing the renovation and testing of its internal systems and the development and planned testing of contingency plans for continuity of business operations. Despite its progress, FRS has much to accomplish before it is fully ready for January 1, 2000, such as completing validation and implementation of all its internal systems and completing its contingency plans to address both unexpected internal system failures and potential external business partner and public infrastructure system failures. However, FRS has plans for completing remaining tasks, and has implemented management controls to ensure that they are accomplished. While there is no way to guarantee that significant Year 2000-induced business failures will not 3 Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14, issued as an exposure draft in February 1997; issued in final in September 1997); Year 2000 Computing Crisis: Business Continuity and Contingency Planning (GAO/AIMD-10.1.19, issued as an exposure draft in March 1998; issued in final in August 1998); Year 2000 Computing Crisis: A Testing Guide (GAO/AIMD-10.1.21, issued as an exposure draft in June 1998; issued in final in November 1998). 4 Integrated Accounting System, Bulkdata File Transfer System, Check Processing System for the Dallas Reserve Bank, Funds Transfer System, National Book Entry System, Treasury Direct, Electronic Tax Application, and Fed Automated Clearing House. (See the scope and methodology section of this report for a description of these systems.) Page 2 GAO/AIMD-99-78 Federal Reserve Year 2000 Management Controls B-280502 occur, if FRS implements its plans, it will have effectively reduced the risk of such failures. FRS Has Reported FRS reported status of its Year 2000 efforts meets OMB milestones. As of December 1998, FRS reported that renovation of mission-critical internal Meeting OMB Year systems was complete and that over 75 percent of these systems have been 2000 Milestones validated as Year 2000 compliant. FRS plans call for implementing all of its validated mission-critical systems, i.e., moving them back into production, by OMBs Year 2000 implementation milestone of March 31, 1999. FRS also plans to develop (1) contingency plans for ensuring continuity of business operations and (2) plans for supporting event management by the end of March 1999--and to test these plans beginning in April 1999. FRS Is Effectively FRS has established and implemented effective Year 2000 management controls, including structures and processes for overall program Managing Its Year 2000 management, system renovation and testing, and contingency planning for Program continuity of business operations, as described in our Year 2000 guides. For example, FRS (1) has assigned management authority and responsibility for Year 2000 activities, (2) has defined Year 2000 compliance criteria, (3) is engaging independent verification and validation agents, (4) has issued Year 2000 test guidance specifying, among other things, the types of tests to be conducted (e.g., unit, integration, system acceptance, and end-to-end), (5) is actively managing risks, and (6) is analyzing existing emergency and disaster recovery plans and augmenting them to address Year 2000 contingencies. FRS is also ensuring that its management controls are operating as intended. Specifically, our analysis of renovation and testing activities on selected components of the eight aforementioned mission-critical systems demonstrated that FRS Year 2000 policies, procedures, and guidance governing such things as test plans, conditions, outputs, and documentation, were being satisfied. FRS Has Established FRS has established and implemented effective controls to help ensure that its Year 2000 reports are accurate and reliable. For example, FRS has Effective Structures defined the frequency, format, and content of the Year 2000 information to and Processes for Year be reported. Also, the program office periodically reviews the reports contents to determine that the reporting requirements are satisfied and that 2000 Reporting inaccurate or obsolete data are removed. In addition, the general auditors at each reserve bank independently review the status and reported Page 3 GAO/AIMD-99-78 Federal Reserve Year 2000 Management Controls B-280502 progress of Year 2000 projects at their banks for compliance with the program office policies, procedures, guidance, and plans. For example, the general auditors compliance review of the Electronic Tax Application at the Minneapolis Reserve Bank disclosed only two minor documentation issues that the bank subsequently resolved. To determine if FRS reporting controls were functioning as intended, we analyzed internal reports on the status of selected components of the eight aforementioned mission-critical systems against FRS reporting requirements and found that the reports were complete. Also, we traced the reported status information back to supporting documentation and found no discrepancies or inaccuracies. Scope and To assess FRS management structures and processes, we reviewed FRS' Year 2000 program management plans, guidance, procedures, and Methodology organizational structures relating to Year 2000 renovation, testing, contingency planning, reporting, quality assurance/independent verification and validation, and risk management, and compared them to GAOs Year 2000 guides. In particular, we analyzed the following: Year 2000 project plan, test strategy, technical reference manual, risk assessment, guiding principles, contingency policies and guidelines, business resumption plan guidance, and a variety of documents maintained on the FRS Year 2000 intranet web site. We then reviewed system documentation to determine whether remediation and reporting requirements specified in FRS' plans, procedures, and guidance were being satisfied for selected components of eight of FRS mission-critical systems. More specifically, we judgmentally selected at least 10 software components for each of the 8 systems and compared internal Year 2000 status reports on each to supporting project documentation.5 For these system components, we reviewed relevant Year 2000 documentation, including project plans, schedules, and status reports; test plans, test scripts, and test results; source code; configuration management plans; quality assurance plans and reports; audit reports; and approvals for moving renovated code back into production. 5 We did not statistically sample FRS system components. Instead, we selected components that satisfied one or more of the following criteria: critical to the systems ability to function as intended, large in terms of software size, and recently completed testing. Page 4 GAO/AIMD-99-78 Federal Reserve Year 2000 Management Controls B-280502 The systems that we reviewed were: Integrated Accounting System, the system that maintains the general ledger and processes all accounting entries for FRS; Bulkdata File Transfer System, the file transfer utility used by FRS to exchange data between FRS applications and with depository institutions and government entities; Check Processing System for the Dallas Reserve Bank, one of the 12 unique FRS check systems; Fedwire Funds Transfer System, an electronic payment system used by depository institutions and the U.S. Treasury for the transfer of large- dollar6 amounts, including certain federal government receipts and disbursements; National Book Entry System, a consolidated book-entry securities 7 processing system that (1) maintains the commercial book-entry securities accounts of depository institutions and certain governmental entities and (2) transfers securities to and from participating institutions, including the U.S. Treasury; Treasury Direct, a system of book-entry securities accounts for institutions and individuals that allows individuals and institutions to hold their securities directly with the Treasury; Electronic Tax Application, an automated system by which businesses report and pay federal taxes on the day they are due through their depository institutions, which forward the data to the Treasury through the reserve banks; and Fed Automated Clearing House, a nationwide system designed for the electronic exchange of low-dollar, repetitive retail payments between participating depository institutions as a substitute for paper checks. We selected these systems because they are mission-critical systems that support a majority of the FRS core business processes used by depository institutions and the federal government. Collectively these processes provide cash; process checks; make electronic payments and settlements; receive tax receipts; maintain accounts; and issue, transfer, and redeem federal securities. 6 According to FRS, the average 1998 funds transaction was about $3.35 million, with daily averages of about 390,000 transactions totaling over $1.3 trillion. 7 Book-entry securities are marketable securities in electronic form issued primarily by the federal government. According to FRS, the 1998 average book-entry transaction was about $13.8 million, with daily averages of over 57,000 transactions totaling nearly $785 billion. Page 5 GAO/AIMD-99-78 Federal Reserve Year 2000 Management Controls B-280502 To supplement our documentation review, we also interviewed officials from the Board of Governors of the FRS and at the Federal Reserve Banks of Boston, Dallas, New York, Minneapolis, Philadelphia, and San Francisco. Interviewees included staff from audit, program management, project management, reserve bank management, and technical services. Our audit work was performed from May 1998 through March 1999 in accordance with generally accepted government auditing standards. Agency Comments In its comments on a draft of this report, FRS agreed with the reports findings and conclusions. FRS also stated that during the remainder of 1999, its highest priority is to complete and rigorously test its contingency plans. We are sending copies of this report to Senator Richard Bryan, Senator Christopher Dodd, Senator Phil Gramm, Senator Paul Sarbanes, Representative Stephen Horn, Representative John LaFalce, and Representative Jim Turner, in their capacities as the Chair, Vice Chair, or Ranking Minority Member of Senate and House Committees and Subcommittees. We are also sending copies to: The Honorable Robert Rubin, Secretary of the Treasury; The Honorable Alan Greenspan, Chairman, Board of Governors of the Federal Reserve System; The Honorable John D. Hawke, Jr., Comptroller of the Currency; The Honorable Donna Tanoue, Chairman, Federal Deposit Insurance Corporation; The Honorable Ellen Seidman, Director, Office of Thrift Supervision; The Honorable Norman E. DAmours, Chairman, National Credit Union Administration; The Honorable John Koskinen, Chair, President's Council on Year 2000 Conversion; The Honorable Jacob Lew, Director, Office of Management and Budget; and The Honorable Barry Snyder, Inspector General, Federal Reserve Board. Copies will also be made available to others upon request. Page 6 GAO/AIMD-99-78 Federal Reserve Year 2000 Management Controls B-280502 If you or your staffs have any questions about this report please contact me at (202) 512-6240 or by e-mail at email@example.com. Major contributors to this report are listed in appendix IV. Randolph C. Hite Associate Director Governmentwide and Defense Information Systems Page 7 GAO/AIMD-99-78 Federal Reserve Year 2000 Management Controls Contents Letter 1 Appendix I 10 Description of FRS Core Business Functions and Systems Environment Appendix II 12 Comments From the Federal Reserve System Appendix III 13 GAO Reports and Testimonies on Federal Depository Institutions Regulators Year 2000 Preparations Appendix IV 14 Major Contributors to This Report Abbreviations FRAS Federal Reserve Automation Services FRS Federal Reserve System OMB Office of Management and Budget Page 8 GAO/AIMD-99-78 Federal Reserve Year 2000 Management Controls Page 9 GAO/AIMD-99-78 Federal Reserve Year 2000 Management Controls Appendix I Description of FRS Core Business Functions and Systems Environment AppIexndi FRS mission is to provide a safe, flexible, and stable monetary and financial system for the country. To accomplish its mission, FRS has established core business functions and organized its operations to (1) conduct monetary policy, (2) maintain the stability of financial markets, (3) provide services to financial institutions and other governmental agencies, and (4) supervise and regulate banks and bank-holding companies. Each of these business functions is described below. In conducting monetary policy, the Federal Reserve carries out activities to influence the money supply and credit conditions in pursuit of full employment and stable prices. For example, FRS affects the money supply by buying and selling U.S. securities in the open market (known as open-market operations). FRS also buys and sells foreign currencies and securities to affect the dollars exchange rate and help stabilize financial markets internationally. In maintaining the stability of financial markets, FRS increases the liquidity of markets by temporarily supplying extra reserves to the banking system through open-market operations and lends funds to financial entities through its discount window operations. FRS also safeguards the integrity and efficiency of the nations payment systems. In assisting financial institutions, FRS provides such services as check- clearing and processing and electronic funds transfers between financial institutions. For example, FRS reported in 1998, that it made a daily average of about 390,000 Fedwire electronic funds transfers-- totaling over $1.3 trillion--between financial institutions. FRS also provides services for the U.S. Department of the Treasury and other agencies. For instance, it distributes and receives Federal Reserve notes (paper money) and coins, holds U.S. securities to back its notes, and ensures that enough currency and coins are in circulation to meet public demand. It also auctions, issues, and redeems Treasury securities (e.g., bills, notes, and bonds) used to fund federal government operations. In supervising and regulating financial institutions, FRS oversees (1) more than 5,000 U.S. bank-holding companies, (2) 994 state chartered banks that are members of the Federal Reserve, (3) 15 Edge Act1 and agreement corporations, (4) the foreign activities of member banks, and (5) the U.S. operations of 256 foreign banks. It does this by 1 Edge Act corporations are corporations chartered by FRS to engage in international banking activities. The Board of Governors of FRS reviews and approves the applications to establish Edge Act corporations and also has supervisory responsibility for examining the corporations and their subsidiaries. Page 10 GAO/AIMD-99-78 Federal Reserve Year 2000 Management Controls Appendix I Description of FRS Core Business Functions and Systems Environment establishing standards for the safe and sound operation of financial institutions and examining institutions to ensure these standards are followed. As part of this effort, FRS ensures that institutions are adequately mitigating Year 2000 risks. 2 To perform these functions, FRS relies extensively on information technology and has a Federal Reserve Automation Services (FRAS) organization to provide mainframe data processing and network services to the 12 Federal Reserve Banks. FRAS operates three data centerslocated at the New York, Richmond, and Dallas Federal Reserve Banks supporting 61 applications that are used by all Reserve Banks, such as the Fedwire Funds Transfer System. These data centers also support another 50 applications that are used by selected Reserve Banks. Depository institution and Reserve Bank users access these applications and data via the FEDNET telecommunications system, which is controlled and operated by FRAS primary network operations center in Richmond, Virginia, and its alternate network operations center in Chicago, Illinois. 2 Our work on FRS Year 2000 oversight of financial institutions found that FRS was taking the Year 2000 problem very seriously and had devoted considerable resources and effort to ensure that the institutions it oversees mitigate Year 2000 risks. (See Year 2000 Computing Crisis: Federal Reserve Is Acting to Ensure Financial Institutions Are Fixing Systems, But Challenges Remain (GAO/AIMD-98-248, September 17, 1998).) Page 11 GAO/AIMD-99-78 Federal Reserve Year 2000 Management Controls Appendix II Comments From the Federal Reserve System ApIpexndi Page 12 GAO/AIMD-99-78 Federal Reserve Year 2000 Management Controls Appendix III GAO Reports and Testimonies on Federal Depository Institutions Regulators Year 2000 Preparations AIpIexndi Year 2000 Computing Crisis: Federal Depository Institution Regulators Are Making Progress, but Challenges Remain (GAO/T-AIMD-98-305, September 17, 1998). Year 2000 Computing Crisis: Federal Reserve Is Acting to Ensure Financial Institutions Are Fixing Systems, But Challenges Remain (GAO/AIMD-98- 248, September 17, 1998). Year 2000 Computing Crisis: Federal Regulatory Efforts to Ensure Financial Institution Systems Are Year 2000 Compliant (GAO/T-AIMD-98-116, March 24, 1998). FDICs Year 2000 Preparedness (GAO/AIMD-98-108R, March 18, 1998). Year 2000 Computing Crisis: Office of Thrift Supervisions Efforts to Ensure Thrifts Systems Are Year 2000 Compliant (GAO/T-AIMD-98-102, March 18, 1998). Year 2000 Computing Crisis: Federal Deposit Insurance Corporations Efforts to Ensure Bank Systems are Year 2000 Compliant (GAO/T-AIMD-98- 73, February 10, 1998). Year 2000 Computing Crisis: Actions Needed to Address Credit Union Systems Year 2000 Problem (GAO/AIMD-98-48, January 7, 1998). Year 2000 Computing Crisis: National Credit Union Administrations Efforts to Ensure Credit Union Systems Are Year 2000 Compliant (GAO/T-AIMD- 98-20, October 22, 1997). Page 13 GAO/AIMD-99-78 Federal Reserve Year 2000 Management Controls Appendix IV Major Contributors to This Report ApV Ienxdi Accounting and Keith Rhodes, Technical Director Gary Mountjoy, Assistant Director Information Ronald Hess, Assistant Director Management Division, Washington, D.C. Atlanta Field Office Carl Higginbotham, Assistant Director Tonia Brown, Senior Evaluator (511124) eL rtet Page 14 GAO/AIMD-99-78 Federal Reserve Year 2000 Management Controls Ordering Information The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary, VISA and MasterCard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent. Orders by mail: U.S. General Accounting Office P.O. Box 37050 Washington, DC 20013 or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW) U.S. General Accounting Office Washington, DC Orders may also be placed by calling (202) 512-6000 or by using fax number (202) 512-6061, or TDD (202) 512-2537. Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touchtone phone. A recorded menu will provide information on how to obtain these lists. For information on how to access GAO reports on the INTERNET, send an e-mail message with info in the body to: firstname.lastname@example.org or visit GAOs World Wide Web Home Page at: http://www.gao.gov United States Bulk Rate General Accounting Office Postage & Fees Paid Washington, D.C. 20548-0001 GAO Permit No. GI00 Official Business Penalty for Private Use $300 Address Correction Requested
Year 2000 Computing Crisis: Federal Reserve Has Established Effective Year 2000 Management Controls for Internal Systems Conversion
Published by the Government Accountability Office on 1999-04-09.
Below is a raw (and likely hideous) rendition of the original report. (PDF)