United States General Accounting Office
GAO Testimony
For the Subcommittee on Financial Services and Technology, Committee on Banking, Housing, and Urban Affairs, U.S. Senate

For Release at 10 a.m. Wednesday, October 22, 1997

YEAR 2000 COMPUTING CRISIS
National Credit Union Administration’s Efforts to Ensure Credit Union Systems Are Year 2000 Compliant

Statement for the Record by Jack L. Brock, Jr., Director, Information Resources Management/General Government Issues, Accounting and Information Management Division

GAO/T-AIMD-98-20

Mr. Chairman and Members of the Subcommittee:

We are pleased to be asked to provide our views on the progress being made by the National Credit Union Administration (NCUA) in ensuring that automated information systems belonging to the thousands of credit unions that NCUA oversees are ready for the upcoming century date change. If the Year 2000 problem is not addressed in time, credit union computer systems—which affect billions of dollars of assets and transactions—will be unable to readily process transactions or produce accurate information. According to NCUA, without properly functioning systems, credit unions, like other financial institutions, face the potential of failure. This testimony is the first in a series of reports you requested on the status of efforts by federal financial regulatory agencies to ensure that the organizations they oversee are ready to handle the Year 2000 computer conversion challenge.

To prepare for this testimony, we performed a quick overview of NCUA’s efforts to date to ensure that credit unions have adequately mitigated the risks associated with the Year 2000 date change and compared these activities to our Year 2000 Assessment Guide.[1] In performing the overview, we interviewed NCUA officials responsible for examining and overseeing the safety and soundness of credit union management practices and procedures.
We reviewed examination policies, procedures, and manuals—including specific examination procedures for assessing Year 2000 compliance. We also reviewed NCUA correspondence to credit unions and third-party contractors (that provide automated systems services to many credit unions) regarding the Year 2000 problem. Finally, we interviewed officials from the Credit Union National Association, the National Association of State Credit Union Supervisors, and the CUNA Mutual Group (which provides liability insurance for the credit union industry). We provided a draft of this testimony to NCUA for review and comment. NCUA officials stated that they would provide written comments at a later date. We performed our work at NCUA headquarters in Alexandria, Virginia, between October 7 and 17, 1997, in accordance with generally accepted government auditing standards.

[1] Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14, September 1997). Published as an exposure draft in February 1997 and finalized in September 1997, the guide was issued to help federal agencies prepare for the Year 2000 conversion. It addresses common issues affecting most federal agencies and presents a structured approach and a checklist to aid in planning, managing, and evaluating Year 2000 programs. The guide describes five phases—supported by program and project management activities—with each phase representing a major Year 2000 program activity or segment. While the guide focuses on federal agencies, it is general enough that nonfederal organizations can also use it to assess their automated systems.

As requested, my testimony today will highlight the Year 2000 problem’s potential impact on credit unions and their systems. I will then discuss NCUA’s Year 2000 strategy and highlight our observations on its efforts to ensure that credit unions are appropriately addressing the problem.
In summary, we found that the Year 2000 problem poses a serious dilemma for credit unions because they, like other financial institutions, rely heavily on information systems. We also found that NCUA recognizes the severity of the problem, has developed a plan, and has initiated action. For example, NCUA issued several letters to the credit unions informing them of the risks associated with the Year 2000 problem. In addition, working in conjunction with other federal financial regulators, NCUA developed procedures for examiners to use in reviewing credit union Year 2000 efforts. However, we are concerned with NCUA’s approach because (1) current agency efforts to determine industrywide compliance are behind the generally accepted schedule for achieving Year 2000 compliance, and, consequently, NCUA does not yet have a complete picture of where credit unions stand individually or as an industry, (2) the agency lacks a formal, documented contingency plan in case credit unions do not become compliant in time or have other problems, (3) credit union internal auditors may not be thoroughly addressing Year 2000 issues as part of their work, and (4) NCUA does not have enough technical capability to conduct Year 2000 and other examinations in complex systems areas.

The Year 2000 Problem Poses a Serious Dilemma for Credit Unions

Credit unions are nonprofit financial cooperatives organized to provide their members with low-cost financial services. According to NCUA, as of 1996, federally insured credit union assets totaled $326 billion. About one in four Americans belongs to a credit union, and credit unions accounted for about 2 percent of the total financial services in the United States. NCUA supervises and insures more than 7,200 federally chartered credit unions and insures member deposits in an additional 4,200 state-chartered credit unions through the National Credit Union Share Insurance Fund.
As part of its goal of maintaining the safety and soundness of the credit unions, NCUA is responsible for ensuring credit unions are addressing the Year 2000 problem.

The Year 2000 problem is rooted in the way dates are recorded and computed in automated information systems. For the past several decades, systems have typically used two digits to represent the year, such as “97” representing 1997, in order to conserve electronic data storage and reduce operating costs. With this two-digit format, however, the year 2000 is indistinguishable from 1900, or 2001 from 1901. As a result of this ambiguity, system or application programs that use dates to perform calculations, comparisons, or sorting may generate incorrect results.

According to NCUA, most credit unions rely on computers to provide for processing and updating of records and a variety of other functions. As such, the Year 2000 problem poses a serious dilemma for the industry. For example, the problem could lead to numerous problems when calculations requiring the use of dates are performed, such as calculating interest, calculating truth-in-lending or truth-in-savings disclosures, and determining amortization schedules. Moreover, automated teller machines may also assume that all bank cards are expired due to this problem. In addition, errors caused by Year 2000 miscalculations may expose institutions and data centers to financial liability and risk of damage to customer confidence. Other systems important to the day-to-day business of credit unions may be affected as well. For example, telephone systems could shut down, as could vaults, security and alarm systems, elevators, and fax machines.

In addressing the Year 2000 problem, credit unions must also consider the computer systems that interface with, or connect to, their own systems.
These systems may belong to payment system partners, such as wire transfer systems, automated clearing houses, check clearing providers, credit card merchant and issuing systems, automated teller machine networks, electronic data interchange systems, and electronic benefits transfer systems. Because these systems are also vulnerable to the Year 2000 problem, they can introduce and/or propagate errors into credit union systems. Accordingly, credit unions must develop comprehensive solutions to this problem and prevent unintentional consequences from affecting their systems and the systems of others.

To address these Year 2000 challenges, GAO issued its Year 2000 Assessment Guide[2] to help federal agencies plan, manage, and evaluate their efforts. The Office of Management and Budget (OMB), which is responsible for developing the Year 2000 strategy for federal agencies, also issued similar guidance. Both require a structured approach to planning and managing five delineated phases of an effective Year 2000 program. The phases include (1) raising awareness of the problem, (2) assessing the complexity and impact the problem can have on systems, (3) renovating, or correcting, systems, (4) validating, or testing, corrections, and (5) implementing corrected systems.

[2] GAO/AIMD-10.1.14, September 1997.

GAO has also identified other dimensions to solving the Year 2000 problem, such as identifying interfaces with outside organizations and their systems and establishing agreements with these organizations specifying how data will be exchanged in the year 2000 and beyond. In addition, GAO and OMB have established a timeline for completing each of the five phases and believe agencies should have completed assessment phase activities last summer and should be well into renovation with the goal of completing this phase by mid to late 1998.
Our work at other federal agencies indicates that because the cost of systems failures can be very high, contingency plans must be prepared so that core business functions will continue to be performed even if systems have not been made Year 2000 compliant.

NCUA Has Developed a Strategy and Has Initiated Action to Address the Year 2000 Problem

NCUA has developed a three-pronged approach for ensuring that credit unions are aggressively addressing the Year 2000 problem, which encompasses (1) incorporating the Year 2000 issue into its examination and supervision program, (2) disseminating information about the problem to credit unions, and (3) assessing Year 2000 compliance on the part of credit union data processing vendors.

The first aspect of NCUA’s strategy, the examination and supervision program, involves assessing credit union Year 2000 efforts through regular annual examinations at the 7,200 federally chartered credit unions and 30 to 40 percent of the 4,200 federally insured, state-chartered credit unions for which NCUA conducts an insurance review. These examinations seek to identify credit unions that are in danger of not renovating their systems on time and to reach “formal agreements” that specify corrective measures. In conducting these reviews, examiners are to follow NCUA guidelines, which provide step-by-step procedures for identifying problem areas. Once a formal agreement is reached, the examiner is expected to monitor the credit union’s implementation of the agreed-upon corrective measures.

Also as part of its examination effort, NCUA has contracted with a consulting firm to train selected examiners in Year 2000 efforts. Through this training, NCUA expects to have one in-house Year 2000 specialist available as a resource for every eight examiners. In addition, NCUA’s board recently authorized the hiring of an electronic data processing (EDP) auditor to provide more in-depth technical assistance and education on Year 2000 problems.
Another part of NCUA’s examination and supervision strategy includes working with state regulators to ensure that federally insured, state-chartered credit unions are also Year 2000 compliant. Officials from NCUA and the National Association of State Credit Union Supervisors told us that all but two state regulators are following the same Year 2000 examination strategy established by NCUA; the other two state regulators are planning to perform steps in addition to those included in NCUA’s strategy.

The second aspect of NCUA’s strategy—information dissemination—seeks to heighten credit union awareness of the Year 2000 problem. In August 1996 and June 1997 letters to federally insured credit unions, NCUA formally alerted credit unions to the potential dangers of the Year 2000 problem, identified the specific impacts the problem could have on the industry, provided detailed explanations of the problem, and identified steps needed to correct the problem. It also related its plans to include Year 2000 evaluations in regular examinations and provided credit unions with copies of its examination guidance. In addition, NCUA has appointed a Year 2000 executive responsible for achieving Year 2000 compliance industrywide and assigned Year 2000 compliance officers to its central office and six regional offices. These staff will be responsible for serving as Year 2000 focal points to coordinate efforts across the agency. Finally, NCUA is working with credit union trade groups, such as the Credit Union National Association, in raising awareness of Year 2000 issues.

The third component of NCUA’s program—vendor compliance—targets organizations that provide electronic data processing services to credit unions. According to NCUA, approximately 40 vendors provide data processing services to 76 percent of all federally insured credit unions, which account for 79 percent of federally insured credit union assets.
Consequently, it is vital that these vendors correct their own systems and help ensure that information can be easily transferred after the Year 2000 deadline. NCUA has begun identifying and contacting major EDP vendors, and it plans to assess their efforts through questionnaires. Specifically, in May 1997 and again in August 1997, NCUA mailed a questionnaire to the 87 vendors, including the 40 vendors that support the bulk of credit unions, requesting information on Year 2000 readiness and, as of September 1997, had received 29 responses.

Concerns With NCUA’s Year 2000 Efforts

While NCUA has initiated actions to build the Year 2000 issue into examinations and to raise awareness about the issue among credit unions and their vendors, our work to date has identified four issues that must be addressed to provide greater assurance that NCUA efforts will be successful.

First and foremost of our concerns is that NCUA still does not have a complete picture of where credit unions and their vendors stand in resolving the Year 2000 problem, and current efforts to determine credit union compliance are behind the schedule established by OMB and GAO. To collect information from the credit unions on their Year 2000 status, NCUA examiners used a high-level questionnaire that inquired whether (1) credit union systems were capable and ready to handle Year 2000 processing, (2) plans were in place to resolve the problem, (3) enough funds were budgeted to correct systems, and (4) responsibility and reporting mechanisms were appropriately established to support the Year 2000 effort. NCUA issued a separate high-level questionnaire to credit union vendors. However, as of the time of our work, NCUA had not yet queried 20 percent of the credit unions and had only received 29 of the 87 vendor responses.
In addition, of the credit union and vendor responses received, NCUA has not yet analyzed the information to determine which credit unions and vendors are at high risk of not correcting their systems on time.

This problem is compounded by the fact that the NCUA questionnaires did not inquire about the status of efforts in completing each important phase of correction: (1) raising awareness of the problem, (2) assessing the complexity and impact the problem can have on systems, (3) renovating, or correcting, systems, (4) validating, or testing, corrections, and (5) implementing corrected systems. The questionnaires also did not include system interface issues. For example, they did not inquire about (1) identifying interfaces with outside organizations and their systems, such as payment, check clearing, credit card, and benefit transfer systems, and (2) establishing agreements with these organizations specifying how data will be exchanged in the year 2000 and beyond. As a result, even when NCUA assesses the results, it still will not have a complete understanding of how far along the industry is in addressing the problem.

In addition, NCUA examinations are conducted only on an annual basis. This means that each credit union will be examined only two more times between the end of 1997 and the year 2000. Further, NCUA has not yet established a formal mechanism for credit unions to submit interim progress reports to provide an up-to-date picture of individual correction efforts between examinations. NCUA officials told us that examiners perform off-site supervision in between exams by tracking performance via credit union financial reports and by contacting credit union officials should a problem arise. However, this may not be enough given the seriousness of the problem and the fact that the Year 2000 deadline is just 2 years away.

Further complicating NCUA’s situation is the fact that it is still involved in assessment phase activities.
According to OMB and GAO guidance, these activities should have been completed back in the summer. As it stands, NCUA does not plan to complete them until the end of this calendar year.

Accordingly, we believe NCUA should accelerate agency efforts to complete the assessment of the state of the industry by no later than November 15, 1997, rather than waiting until the end of the year. NCUA should also collect the necessary information to determine the exact phase of each credit union and vendor in addressing the Year 2000 problem. Because NCUA currently does not have a process in place for interim reporting of this information between examinations, NCUA should require credit unions to report the precise status (phase) of their efforts on at least a quarterly basis. One option would be to use the financial reports, commonly referred to as call reports, that credit unions provide to NCUA quarterly. As part of this report, NCUA should also require credit unions to report on the status of identifying their interfaces to determine whether this issue is being adequately addressed and, if not, require credit unions to implement such agreements as soon as possible.

A second concern we have with NCUA’s efforts is that the agency does not yet have a formal contingency plan. Our Year 2000 Assessment Guide[3] calls on agencies to initiate realistic contingency plans during the assessment phase for critical systems to ensure the continuity of their core business processes. Contingency planning is important because it identifies alternative activities, which may include manual and contract procedures, to be employed should systems fail to meet the Year 2000 deadline. NCUA guidance directs credit unions to conduct contingency planning, and NCUA officials told us that they have developed numerous contingency options and have discussed among the staff what steps to take should a credit union not be compliant by January 1, 2000.
However, officials stated that the precise actions have not been documented in a formal plan. Not having this plan increases the risk of unnecessary problems in an already uncertain situation. Consequently, we recommend that NCUA formally document its contingency plans.

[3] GAO/AIMD-10.1.14, September 1997.

A third concern that we have is that credit union auditors may not be addressing the Year 2000 problem as part of their work. NCUA requires each credit union to perform supervisory committee audits. These audits are to determine whether management practices and procedures are sufficient to safeguard members’ assets and whether effective internal controls are in place to guard against error, carelessness, and fraud. They are conducted by the credit union’s supervisory committee staff or by an outside accountant. However, NCUA officials noted that such reviews typically focus on general controls (e.g., ensuring accurate data is entered into the system, securing data from unauthorized use) and would not specifically include controls to prevent malfunctions due to the Year 2000 problem. Audits are an integral management control, and expanding their scope to include important and high-risk Year 2000 issues is critical since it would provide credit union management with greater assurance and understanding about where their institution stands in addressing the problem.

Accordingly, we are recommending to NCUA that it require credit unions to implement the necessary management controls to ensure that these financial institutions have adequately mitigated the risks associated with the Year 2000 problem. Specifically, NCUA should require credit union auditors to include Year 2000 issues within the scope of their management and internal control work and report serious problems and corrective actions to NCUA immediately.
To aid credit union auditors in this effort, NCUA should provide the auditors with the procedures developed by NCUA for its examiners to use in assessing Year 2000 compliance and any other guidance that would be instructive.

We also believe NCUA should require credit unions to establish processes whereby credit union management would be responsible for certifying Year 2000 readiness by a deadline well before the millennium. Such a certification process should include credit union compliance testing by an independent third party and should allow sufficient time for NCUA to review the results.

Our fourth concern is that NCUA does not have enough staff qualified to conduct examination work in complex technical areas. At present, NCUA is in the process of hiring one EDP auditor to help examine thousands of credit unions. Recognizing this weakness, NCUA is considering hiring up to three EDP auditors. However, these personnel additions may still not suffice given the tremendous workload and the short time frame for getting it done. To mitigate this concern, we recommend that before the end of the year, NCUA determine the level of technical capability needed to allow for thorough review of credit unions’ Year 2000 efforts and hire or contract for this capability.

Summary

Our initial work showed that NCUA has made some progress in addressing Year 2000 compliance issues for credit union systems that it regulates. However, we are concerned that NCUA (1) is behind schedule and does not yet know the exact status of credit union Year 2000 readiness, (2) has not prepared a formal, detailed plan for contingencies, (3) does not have assurance that sufficient credit union management controls are in place to address Year 2000 problems, and (4) is lacking sufficient technical capability.
These concerns lead us to believe that NCUA needs to do more to ensure that credit unions have adequately mitigated the risks associated with the Year 2000 problem, and we have made recommendations to assist NCUA in addressing these issues.

(511108)
Year 2000 Computing Crisis: National Credit Union Administration's Efforts to Ensure Credit Union Systems Are Year 2000 Compliant
Published by the Government Accountability Office on 1997-10-22.