Previous Document IconPrevious Info Memo

Next Document IconNext Info MemoExam Manual Table of Contents IconList of Info Memos

Informational Memorandum
Subject:Service Provider and Software Vendor--Year 2000 Readiness
Date of Memorandum:04/13/1998
Expiration Date:
Office:OE
Signed By:Smith, Roland
FCA Contact Person:Glenn, Thomas
Contact Phone:703-883-4412
List of Attachments:None



INFORMATIONAL MEMORANDUM

April 13, 1998



To: Chairman, Board of Directors
Chief Executive Officer
All Farm Credit System Institutions

From: Roland E. Smith, Chief Examiner Roland E. Smith
Office of Examination

Subject: Service Provider and Software Vendor--Year 2000 Readiness


Nearly all financial institutions, including Farm Credit System (FCS or System) institutions, rely to some degree on service providers and software vendors to operate mission-critical systems. Those institutions have a vested interest to ensure that such services and products are Year 2000 ready. Therefore, Farm Credit Administration (FCA) examiners will ascertain those actions taken by an institution to determine if its service providers and software vendors are Year 2000 ready.

Boards of directors and senior management of System institutions should establish a due-diligence process for determining the ability of its service providers and software vendors to become Year 2000 ready. The process should include appropriate and effective remediation programs, testing performed to the extent possible, and effective contingency plans developed in the event service providers and software vendors are not Year 2000 ready. The due-diligence process should enable management to:

Identify and assess the mission-critical services and products of service providers and software vendors;

Identify and articulate the obligations of the service provider or software vendor and the institution for achieving Year 2000 readiness;

Establish a process for testing, to the extent possible, the remediated services and products in the institution's own environment;

Adopt contingency plans for each mission-critical service and product; and

Establish monitoring procedures to verify that the service provider or software vendor is taking appropriate action to achieve Year 2000 readiness.

System institutions should obtain sufficient information to determine if their mission-critical vendors will be able to successfully deliver Year 2000-ready products and services. Some service providers and software vendors may not be able or may be unwilling to correct Year 2000-related problems for a variety of reasons. Developers of software and equipment may no longer be in business, or they may no longer support the application or operating system. Source codes may not be available for remediation, and the systems and hardware equipment may have components that are no longer manufactured. In addition, a software provider that sells a large variety and volume of programs might provide only general instructions for reconfiguring a product to the user because of the high cost associated with changing each product. Alternatively, a service provider may assume total responsibility for the renovation of its operating systems, software applications, and hardware because its systems are maintained internally.

FCS institutions may find it beneficial to join forces with other financial institutions in similar circumstances and coordinate group efforts to evaluate the performance and testing methodologies of service providers and software vendors, to participate in testing efforts "to the extent possible," and to evaluate contingency plans. By working through user groups, System institutions can gather and disseminate information on the effects of service providers and software vendors, testing methodologies, contingency plans, and monitoring techniques. User groups can also be useful to encourage uncooperative service providers and software vendors that are not willing to provide more prompt and effective service to client institutions. An extensive list of user groups can be found on the Internet at www.year2000.com. Other Year 2000-specific web sites may also provide links to user groups.

Responsibilities

The management of an institution is responsible for determining the ability of its service providers and software vendors to address Year 2000 readiness, establishing appropriate and effective testing and remediation programs, and developing effective contingency plans in the event providers are not Year 2000 ready. FCS institutions should contact service providers and software vendors to determine what is needed to make the product or service Year 2000 ready. Management should assess whether the service provider or software vendor has the capacity and expertise to complete the task. Service providers and software vendors should make full and accurate disclosures to their client institutions concerning the state of their remediation efforts.

The following information for all mission-critical products should be requested of service providers and software vendors:

Information on Year 2000 project plans, including the scope of the effort, a summary of resource commitments, dates when remediation and testing will begin and end, and dates when Year 2000 products and services will be delivered to the institution.

Plans to discontinue or extensively modify existing services and products.

Ongoing updates on the service providers' and software vendors' progress in meeting timetables of their Year 2000 project plans.

Estimates of product and support costs to be incurred by the System institutions required for remediation and testing.

Contingency plans of service providers or software vendors in the event their project plans fail.

The legal ramifications of renovating software vendor codes should be thoroughly investigated because there is considerable legal risk in renovating software vendor-supplied codes. For example, code modifications could render warranties and maintenance agreements null and void. FCS institutions may need to determine whether they can terminate their current service contracts and at what cost.

The failure of service providers and software vendors to meet these expectations could pose a risk to the safety and soundness of an institution and, in such circumstances, institutions may need to terminate their relationship with the service provider or software vendor.

Testing

Testing for changes to the services and products will play a critical role in the Year 2000 process. FCS institutions should test, to the extent possible, service provider and software vendor-provided products and services in the institution's own environment. Management should not rely solely on the stated commitment of a service provider or software vendor to test, but it should request that the scope be defined, objectives listed, and testing approaches and scenarios be developed. Testing schedules should be supplied by service providers and software vendors. In addition, the institution's testing strategy should include a testing scenario to simulate and measure the impact of a Year 2000-related disaster on normal operations.

Contingency Plans

Institutions should develop contingency plans to address situations where service providers and software vendors have not provided adequate information about their Year 2000 readiness or where proposed solutions do not appear to be viable. These contingency plans should describe how the organization will handle normal business operations if remediated systems do not perform as planned, either before or after the century date change. They should establish "trigger dates" for changing service providers and software vendors to allow sufficient time to achieve Year 2000 readiness. Management of System institutions, in consultation with the institution's legal counsel, should identify any legal remedies or resolutions available to the institution in the event products are not able to handle Year 2000 date processing.

If service providers and software vendors are unwilling or are unable to participate in Year 2000 readiness efforts, or if commitments to migrate software or replace or repair equipment cannot be made by the "trigger date," the institution should pursue an alternate means of achieving Year 2000 readiness. In either of these cases, the institution should consider contracting with other service providers and software vendors to provide either remediation or replacement of a product or service.

Year 2000 contingency plans should be tailored to the needs and complexity of an institution and should incorporate the following components:

A risk assessment that identifies potential disruptions and the effects such disruptions will have on business operations, determines the probability of occurrence, and defines controls to minimize, eliminate, or respond to the disruption.

An analysis of strategies and resources available to restore system or business operations.

A recovery program that identifies participants (both external and internal) and the processes and equipment needed for the institution to function at an adequate level. The program should ensure that all participants are aware of their roles and are adequately trained.

A comprehensive schedule of the remediation program of the service provider or software vendor that includes a trigger date. Institutions need to assure themselves that adequate time is available should their internal test results require additional remediation efforts.

The development and implementation of contingency plans should be subject to the scrutiny of senior management and the board of directors. Institution management should periodically review its contingency plans and approve all material changes to their plans.

Monitor Service Provider and Software Vendor Performance

Institutions should monitor the efforts of service providers and software vendors. The monitoring process should include frequent communication and documentation of all communication. Since the institution cannot rely solely on the proposed actions of service providers and software vendors, management should contact each mission-critical service provider and software vendor quarterly, at a minimum, to monitor its progress during the remediation and testing phases. Many service providers and software vendors maintain web sites on the Internet with information about the Year 2000 readiness of their services and products.

If you have any questions regarding this document, please call Thomas M. Glenn, Director of Operations, Office of Examination, at 703-883-4412. Contact may also be made at the following E-Mail address: glennt@fca.gov.