
Year 2000 Computing Crisis: National Credit Union Administration's Efforts to Ensure Credit Union Systems Are Year 2000 Compliant

Published by the Government Accountability Office on 1997-10-22.


United States General Accounting Office

GAO Testimony

For the Subcommittee on Financial Services and Technology, Committee on
Banking, Housing, and Urban Affairs, U.S. Senate

For Release at 10 a.m., Wednesday, October 22, 1997

YEAR 2000 COMPUTING CRISIS

National Credit Union Administration’s Efforts to Ensure Credit Union
Systems Are Year 2000 Compliant

Statement for the Record by
Jack L. Brock, Jr.
Director, Information Resources Management/General Government Issues
Accounting and Information Management Division

GAO/T-AIMD-98-20

Mr. Chairman and Members of the Subcommittee:

We are pleased to be asked to provide our views on the progress being
made by the National Credit Union Administration (NCUA) in ensuring that
automated information systems belonging to the thousands of credit
unions that NCUA oversees are ready for the upcoming century date
change. If the Year 2000 problem is not addressed in time, credit union
computer systems—which affect billions of dollars of assets and
transactions—will be unable to readily process transactions or produce
accurate information. According to NCUA, without properly functioning
systems, credit unions, like other financial institutions, face the
potential of failure.

This testimony is the first in a series of reports you requested on the status
of efforts by federal financial regulatory agencies to ensure that the
organizations they oversee are ready to handle the Year 2000 computer
conversion challenge. To prepare for this testimony, we performed a quick
overview of NCUA’s efforts to date to ensure that credit unions have
adequately mitigated the risks associated with the Year 2000 date change
and compared these activities to our Year 2000 Assessment Guide.[1] In
performing the overview, we interviewed NCUA officials responsible for
examining and overseeing the safety and soundness of credit union
management practices and procedures. We reviewed examination policies,
procedures, and manuals—including specific examination procedures for
assessing Year 2000 compliance. We also reviewed NCUA correspondence
to credit unions and third-party contractors (that provide automated
systems services to many credit unions) regarding the Year 2000 problem.
Finally, we interviewed officials from the Credit Union National
Association, the National Association of State Credit Union Supervisors,
and the CUNA Mutual Group (which provides liability insurance for the
credit union industry). We provided a draft of this testimony to NCUA for
review and comment. NCUA officials stated that they would provide written
comments at a later date. We performed our work at NCUA headquarters in
Alexandria, Virginia, between October 7 and 17, 1997, in accordance with
generally accepted government auditing standards.


[1] Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14, September 1997). Published
as an exposure draft in February 1997 and finalized in September 1997, the guide was issued to help
federal agencies prepare for the Year 2000 conversion. It addresses common issues affecting most
federal agencies and presents a structured approach and a checklist to aid in planning, managing, and
evaluating Year 2000 programs. The guide describes five phases—supported by program and project
management activities—with each phase representing a major Year 2000 program activity or segment.
While the guide focuses on federal agencies, it is general enough that nonfederal organizations can
also use it to assess their automated systems.

As requested, my testimony today will highlight the Year 2000 problem’s
potential impact on credit unions and their systems. I will then discuss
NCUA’s Year 2000 strategy and highlight our observations on its efforts to
ensure that credit unions are appropriately addressing the problem.

In summary, we found that the Year 2000 problem poses a serious
dilemma for credit unions because they, like other financial institutions,
rely heavily on information systems. We also found that NCUA recognizes
the severity of the problem, has developed a plan, and has initiated action.
For example, NCUA issued several letters to the credit unions informing
them of the risks associated with the Year 2000 problem. In addition, working
in conjunction with other federal financial regulators, NCUA developed
procedures for examiners to use in reviewing credit union Year 2000
efforts. However, we are concerned with NCUA’s approach because
(1) current agency efforts to determine industrywide compliance are
behind the generally accepted schedule for achieving Year 2000
compliance, and, consequently, NCUA does not yet have a complete picture
of where credit unions stand individually or as an industry, (2) the agency
lacks a formal, documented contingency plan in case credit unions do not
become compliant in time or have other problems, (3) credit union
internal auditors may not be thoroughly addressing Year 2000 issues as
part of their work, and (4) NCUA does not have enough technical capability
to conduct Year 2000 and other examinations in complex systems areas.


The Year 2000 Problem Poses a Serious Dilemma for Credit Unions

Credit unions are nonprofit financial cooperatives organized to provide
their members with low-cost financial services. According to NCUA, as of
1996, federally insured credit union assets totaled $326 billion. About one
in four Americans belongs to a credit union, and credit unions accounted
for about 2 percent of the total financial services in the United States.

NCUA supervises and insures more than 7,200 federally chartered credit
unions and insures member deposits in an additional 4,200 state-chartered
credit unions through the National Credit Union Share Insurance Fund. As
part of its goal of maintaining the safety and soundness of the credit
unions, NCUA is responsible for ensuring credit unions are addressing the
Year 2000 problem.

The Year 2000 problem is rooted in the way dates are recorded and
computed in automated information systems. For the past several
decades, systems have typically used two digits to represent the year, such
as “97” representing 1997, in order to conserve on electronic data storage
and reduce operating costs. With this two-digit format, however, the year
2000 is indistinguishable from 1900, or 2001 from 1901. As a result of this
ambiguity, system or application programs that use dates to perform
calculations, comparisons, or sorting may generate incorrect results.

According to NCUA, most credit unions rely on computers to provide for
processing and updating of records and a variety of other functions. As
such, the Year 2000 problem poses a serious dilemma for the industry. For
example, the problem could lead to numerous problems when calculations
requiring the use of dates are performed, such as calculating interest,
calculating truth-in-lending or truth-in-savings disclosures, and
determining amortization schedules. Moreover, automated teller machines
may also assume that all bank cards are expired due to this problem. In
addition, errors caused by Year 2000 miscalculations may expose
institutions and data centers to financial liability and risk of damage to
customer confidence. Other systems important to the day-to-day business
of credit unions may be affected as well. For example, telephone systems
could shut down, as could vaults, security and alarm systems, elevators, and
fax machines.
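
The date failures described above, as an added example that is not part of the GAO testimony: a legacy parser that reads every two-digit year as 19YY is run beside a windowed parser (a common remediation assumed here, with an assumed pivot of 50) over constructed YYMMDD values for interest accrual, a card-expiry check, sorting, and the February 29, 2000 leap day. All function names and sample values are illustrative.

```python
from datetime import date


def parse_legacy(yymmdd):
    """Two-digit-year behaviour described in the text: YY is always read as 19YY."""
    return date(1900 + int(yymmdd[0:2]), int(yymmdd[2:4]), int(yymmdd[4:6]))


def parse_windowed(yymmdd, pivot=50):
    """Assumed remediation (date windowing): YY < pivot means 20YY, otherwise 19YY."""
    yy = int(yymmdd[0:2])
    century = 2000 if yy < pivot else 1900
    return date(century + yy, int(yymmdd[2:4]), int(yymmdd[4:6]))


def accrued_interest(principal, annual_rate, start, end, parse):
    """Simple interest on an actual/365 basis between two YYMMDD dates."""
    days = (parse(end) - parse(start)).days
    return round(principal * annual_rate * days / 365, 2)


def card_expired(expiry_yymm, today, parse):
    """A card is treated as valid through the end of its expiry month."""
    exp, now = parse(expiry_yymm + "01"), parse(today)
    return (now.year, now.month) > (exp.year, exp.month)


def sort_postings(postings, parse):
    """Order transaction dates chronologically as the given parser sees them."""
    return sorted(postings, key=parse)


def is_valid_date(yymmdd, parse):
    """1900 was not a leap year but 2000 is, so 000229 separates the two parsers."""
    try:
        parse(yymmdd)
        return True
    except ValueError:
        return False


# Constructed sample posting dates spanning the century change.
POSTINGS = ["991231", "000101", "000215"]


def demo():
    """Run the same four checks through both parsers and collect the results."""
    results = {}
    for name, parse in (("legacy", parse_legacy), ("windowed", parse_windowed)):
        results[name] = {
            # 31 days of interest on 10,000 at 6 percent, 1 Dec 1999 to 1 Jan 2000
            "interest": accrued_interest(10000, 0.06, "991201", "000101", parse),
            # card expiring June 2000, presented on 15 Dec 1999
            "card_expired": card_expired("0006", "991215", parse),
            "sorted": sort_postings(POSTINGS, parse),
            "accepts_000229": is_valid_date("000229", parse),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Windowing only moves the ambiguity to the pivot year; storing four-digit years removes it.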

In addressing the Year 2000 problem, credit unions must also consider the
computer systems that interface with, or connect to, their own systems.
These systems may belong to payment system partners, such as wire
transfer systems, automated clearing houses, check clearing providers,
credit card merchant and issuing systems, automated teller machine
networks, electronic data interchange systems, and electronic benefits
transfer systems. Because these systems are also vulnerable to the Year
2000 problem, they can introduce and/or propagate errors into credit
unions’ systems. Accordingly, credit unions must develop comprehensive
solutions to this problem and prevent unintentional consequences from
affecting their systems and the systems of others.

To address these Year 2000 challenges, GAO issued its Year 2000
Assessment Guide[2] to help federal agencies plan, manage, and evaluate
their efforts. The Office of Management and Budget (OMB), which is
responsible for developing the Year 2000 strategy for federal agencies, also
issued similar guidance. Both require a structured approach to planning
and managing five delineated phases of an effective Year 2000 program.
The phases include (1) raising awareness of the problem, (2) assessing the
complexity and impact the problem can have on systems, (3) renovating,
or correcting, systems, (4) validating, or testing, corrections, and
(5) implementing corrected systems. GAO has also identified other
dimensions to solving the Year 2000 problem, such as identifying
interfaces with outside organizations and their systems and establishing
agreements with these organizations specifying how data will be
exchanged in the year 2000 and beyond. In addition, GAO and OMB have
established a timeline for completing each of the five phases and believe
agencies should have completed assessment phase activities last summer
and should be well into renovation with the goal of completing this phase
by mid to late 1998. Our work at other federal agencies indicates that
because the cost of systems failures can be very high, contingency plans
must be prepared so that core business functions will continue to be
performed even if systems have not been made Year 2000 compliant.

[2] GAO/AIMD-10.1.14, September 1997.


NCUA Has Developed a Strategy and Has Initiated Action to Address the
Year 2000 Problem

NCUA has developed a three-pronged approach for ensuring that credit
unions are aggressively addressing the Year 2000 problem, which
encompasses (1) incorporating the Year 2000 issue into its examination
and supervision program, (2) disseminating information about the problem
to credit unions, and (3) assessing Year 2000 compliance on the part of
credit union data processing vendors.

The first aspect of NCUA’s strategy, the examination and supervision
program, involves assessing credit union Year 2000 efforts through regular
annual examinations at the 7,200 federally chartered credit unions and 30
to 40 percent of the 4,200 federally insured, state-chartered credit unions
for which NCUA conducts an insurance review. These examinations seek to
identify credit unions that are in danger of not renovating their systems on
time and to reach “formal agreements” that specify corrective measures. In
conducting these reviews, examiners are to follow NCUA guidelines, which
provide step-by-step procedures for identifying problem areas. Once a
formal agreement is reached, the examiner is expected to monitor the
credit union’s implementation of the agreed-upon corrective measures.
Also as part of its examination effort, NCUA has contracted a consulting
firm to train selected examiners in Year 2000 efforts. Through this training,
NCUA expects to have one in-house Year 2000 specialist available as a
resource for every eight examiners. In addition, NCUA’s board recently
authorized the hiring of an electronic data processing (EDP) auditor to
provide more in-depth technical assistance and education on Year 2000
problems.

Another part of NCUA’s examination and supervision strategy includes
working with state regulators to ensure that federally insured,
state-chartered credit unions are also Year 2000 compliant. Officials from NCUA
and the National Association of State Credit Union Supervisors told us that
all but two state regulators are following the same Year 2000 examination
strategy established by NCUA; the other two state regulators are planning
to perform additional steps beyond those included in NCUA’s strategy.


The second aspect of NCUA’s strategy—information dissemination—seeks
to heighten credit union awareness of the Year 2000 problem. In August
1996 and June 1997 letters to federally insured credit unions, NCUA formally
alerted credit unions to the potential dangers of the Year 2000 problem,
identified the specific impacts the problem could have on the industry,
provided detailed explanations of the problem, and identified steps needed
to correct the problem. It also related its plans to include Year 2000
evaluations in regular examinations and provided credit unions with
copies of its examination guidance. In addition, NCUA has appointed a Year
2000 executive responsible for achieving Year 2000 compliance
industrywide and assigned Year 2000 compliance officers to its central
office and six regional offices. These staff will be responsible for serving
as Year 2000 focal points to coordinate efforts across the agency. Finally,
NCUA is working with credit union trade groups, such as the Credit Union
National Association, in raising awareness of Year 2000 issues.

The third component of NCUA’s program—vendor compliance—targets
organizations that provide electronic data processing services to credit
unions. According to NCUA, approximately 40 vendors provide data
processing services to 76 percent of all federally insured credit unions,
which account for 79 percent of federally insured credit union assets.
Consequently, it is vital that these vendors correct their own systems and
help ensure that information can be easily transferred after the Year 2000
deadline. NCUA has begun identifying and contacting major EDP vendors,
and it plans to assess their efforts through questionnaires. Specifically, in
May 1997 and again in August 1997, NCUA mailed a questionnaire to the 87
vendors, including the 40 vendors that support the bulk of credit unions,
requesting information on Year 2000 readiness and, as of September 1997,
had received 29 responses.


Concerns With NCUA’s Year 2000 Efforts

While NCUA has initiated actions to build the Year 2000 issue into
examinations and to raise awareness about the issue among credit unions
and their vendors, our work to date has identified four issues that must be
addressed to provide greater assurance that NCUA efforts will be
successful.

First and foremost of our concerns is that NCUA still does not have a
complete picture of where credit unions and their vendors stand in
resolving the Year 2000 problem, and current efforts to determine credit
union compliance are behind the schedule established by OMB and GAO. To
collect information from the credit unions on their Year 2000 status, NCUA
examiners used a high-level questionnaire that inquired whether (1) credit
union systems were capable and ready to handle Year 2000 processing,
(2) plans were in place to resolve the problem, (3) enough funds were
budgeted to correct systems, and (4) responsibility and reporting
mechanisms were appropriately established to support the Year 2000
effort. NCUA issued a separate high-level questionnaire to credit union
vendors. However, as of the time of our work, NCUA had not yet queried
20 percent of the credit unions and had only received 29 of the 87 vendor
responses. In addition, of the credit union and vendor responses received,
NCUA has not yet analyzed the information to determine which credit
unions and vendors are at high risk of not correcting their systems on
time.

This problem is compounded by the fact that the NCUA questionnaires did
not inquire about the status of efforts in completing each important phase
of correction: (1) raising awareness of the problem, (2) assessing the
complexity and impact the problem can have on systems, (3) renovating,
or correcting, systems, (4) validating, or testing, corrections, and
(5) implementing corrected systems. The questionnaires also did not
include system interface issues. For example, they did not inquire about
(1) identifying interfaces with outside organizations and their systems,
such as payment, check clearing, credit card, and benefit transfer systems,
and (2) establishing agreements with these organizations specifying how
data will be exchanged in the year 2000 and beyond.

As a result, even when NCUA assesses the results, it still will not have a
complete understanding of how far along the industry is in addressing the
problem. In addition, NCUA examinations are conducted only on an annual
basis. This means that each credit union will be examined only two more
times between the end of 1997 and the year 2000. Further, NCUA has not yet
established a formal mechanism for credit unions to submit interim
progress reports to provide an up-to-date picture of individual correction
efforts between examinations. NCUA officials told us that examiners
perform off-site supervision in between exams by tracking performance
via credit union financial reports and by contacting credit union officials
should a problem arise. However, this may not be enough given the
seriousness of the problem and the fact that the Year 2000 deadline is just
2 years away.

Further complicating NCUA’s situation is the fact that it is still involved in
assessment phase activities. According to OMB and GAO guidance, these
activities should have been completed back in the summer. As it stands,
NCUA does not plan to complete them until the end of this calendar year.


Accordingly, we believe NCUA should accelerate agency efforts to complete
the assessment of the state of the industry by no later than November 15,
1997, rather than waiting until the end of the year. NCUA should also collect
the necessary information to determine the exact phase of each credit
union and vendor in addressing the Year 2000 problem. Because NCUA
currently does not have a process in place for interim reporting of this
information between examinations, NCUA should require credit unions to
report the precise status (phase) of their efforts on at least a quarterly
basis. One option would be to use the financial reports, commonly
referred to as call reports, that credit unions provide to NCUA quarterly. As
part of this report, NCUA should also require credit unions to report on the
status of identifying their interfaces to determine whether this issue is
being adequately addressed and, if not, require credit unions to implement
such agreements as soon as possible.

A second concern we have with NCUA’s efforts is that the agency does not
yet have a formal contingency plan. Our Year 2000 Assessment Guide[3]
calls on agencies to initiate realistic contingency plans during the
assessment phase for critical systems to ensure the continuity of their core
business processes. Contingency planning is important because it
identifies alternative activities, which may include manual and contract
procedures, to be employed should systems fail to meet the Year 2000
deadline. NCUA guidance directs credit unions to conduct contingency
planning, and NCUA officials told us that they have developed numerous
contingency options and have discussed among the staff what steps to
take should a credit union not be compliant by January 1, 2000. However,
officials stated that the precise actions have not been documented in a
formal plan. Not having this plan increases the risk of unnecessary
problems in an already uncertain situation. Consequently, we recommend
that NCUA formally document its contingency plans.


[3] GAO/AIMD-10.1.14, September 1997.

A third concern that we have is that credit union auditors may not be
addressing the Year 2000 problem as part of their work. NCUA requires each
credit union to perform supervisory committee audits. These audits are to
determine whether management practices and procedures are sufficient to
safeguard members’ assets and whether effective internal controls are in
place to guard against error, carelessness, and fraud. They are conducted
by the credit union’s supervisory committee staff or by an outside
accountant. However, NCUA officials noted that such reviews typically
focus on general controls (e.g., ensuring accurate data is entered into the
system, securing data from unauthorized use) and would not specifically
include controls to prevent malfunctions due to the Year 2000 problem.
Audits are an integral management control and expanding their scope to
include important and high-risk Year 2000 issues is critical since it would
provide credit union management with greater assurance and
understanding about where their institution stands in addressing the
problem.

Accordingly, we are recommending to NCUA that it require credit unions to
implement the necessary management controls to ensure that these
financial institutions have adequately mitigated the risks associated with
the Year 2000 problem. Specifically, NCUA should require credit union
auditors to include Year 2000 issues within the scope of their management
and internal control work and report serious problems and corrective
actions to NCUA immediately. To aid credit union auditors in this effort,
NCUA should provide the auditors with the procedures developed by NCUA
for its examiners to use in assessing Year 2000 compliance and any other
guidance that would be instructive.

We also believe NCUA should require credit unions to establish processes
whereby credit union management would be responsible for certifying
Year 2000 readiness by a deadline well before the millennium. Such a
certification process should include credit union compliance testing by an
independent third party and should allow sufficient time for NCUA to
review the results.

Our fourth concern is that NCUA does not have enough staff qualified to
conduct examination work in complex technical areas. At present, NCUA is
in the process of hiring one EDP auditor to help examine thousands of credit
unions. Recognizing this weakness, NCUA is considering hiring up to three
EDP auditors. However, these personnel additions may still not suffice
given the tremendous workload and the short time frame for getting it
done. To mitigate this concern, we recommend that before the end of the
year, NCUA determine the level of technical capability needed to allow for
thorough review of credit unions’ Year 2000 efforts and hire or contract for
this capability.


Summary

Our initial work showed that NCUA has made some progress in addressing
Year 2000 compliance issues for credit union systems that it regulates.
However, we are concerned that NCUA (1) is behind schedule and does not
yet know the exact status of credit union Year 2000 readiness, (2) has not
prepared a formal, detailed plan for contingencies, (3) does not have
assurance that sufficient credit union management controls are in place to
address Year 2000 problems, and (4) is lacking sufficient technical
capability. These concerns lead us to believe that NCUA needs to do more
to ensure that credit unions have adequately mitigated the risks associated
with the Year 2000 problem, and we have made recommendations to assist
NCUA in addressing these issues.

(511108)