------------ Year 2000 Bankers Conference Editorial Coverage
American Banker and The Strategic Research Institute presented this conference for Bankers dealing with the year 2000 problem. American Banker is the leading information provider to the financial services industry and produces the magazine American Banker and other publications for financial institutions. The Strategic Research Institute is a provider of conferences in the areas of finance, health care, information technology, manufacturing, sales, natural resources, and media/entertainment. American Banker is at americanbanker.com and the Strategic Institute is at srinstitute.com.
The conference organizers were expecting at least 150 attendees from banks and financial institutions around the country. They actually had more. The attendees were a mix of people from the industry. One of the organizers told me that she was impressed that there was a good mix of people, from CEOs and CIOs down to loan officers and support staff. The most numerous group was members of the legal profession, with about fifty lawyers in the audience. There were five vendors in attendance: Acceler8 Technology Corporation, Arter and Hadden LLP attorneys, McCabe Visual 2000 and Vendor Verification Inc.
------------ Opening Keynote by Peter de Jager
Peter de Jager gave the keynote address opening the conference. He began by noting that Bill Gates had said two years ago that Microsoft products didn't have any year 2000 problems but that now he is admitting that Windows 95 and Windows NT both have problems, and that Microsoft has opened a web site of solutions (see microsoft.com). The web site, following a hallowed tradition of almost all large IT projects, is late.
Peter describes programmers as the most optimistic people in the world, who always believe that this next fix will be the last necessary and everything will finally work. He reported that the Denver airport has 100 non-compliant systems, including 40 that are mission critical. He went on to report that only 5% of Japanese companies are doing anything, and pointed out two reasons that exacerbate the year 2000 problem over there. Total consensus is usually needed to initiate any project and there is an extreme hesitation when delivering bad news to management. Some companies in this country have the same problem. Peter also pointed out that most of Europe wasn't even scheduling Y2K work until 1999.
------------ Best Practices
Shifting to best practices, Peter listed three. The first was triage. Look hard at everything you have and see what you can ignore. Start looking at only what really needs to be fixed.
The second best practice was NOT putting an IT person in charge of the year 2000 project. The project manager needs to be a businessperson who understands the business, so he or she can make an accurate determination of whether a system or process is necessary to the bottom line. IT people seldom have the perspective to make those decisions.
The third best practice was to set up some kind of internal verification and certification system with rules, so that once a system or program is fixed it stays fixed. Peter told of instances where programmers had gone back into programs that had been fixed and re-instituted 2-digit dates! He said this should result in instant dismissal.
------------ Questions
A short question and answer period followed. One person inquired about Peter's opinion of the state of the global economy and Y2K. Peter replied that it was his opinion that a global recession was unavoidable because we were still discussing the issue instead of fixing it.
When asked what he was sharing with the rest of the world, Peter answered that there was good news and bad news. The good news is that the US leads the world in fixing the problem. The bad news is that the US leads the world in fixing the problem and our present level of compliance is nothing to brag about to anybody.
The last question was on contingency planning. Peter said that the best practice for contingency planning is to have a contingency, a "plan B", for every single critical system, including basic infrastructure.
He ended by telling the participants of this conference, all from a highly regulated part of the economy, that the regulators were on the move and they wanted answers to their questions about banks' year 2000 plans. He said they were telephoning now, but this would soon be replaced by visits. "They will sit across from you and stare and ask how you are coming along and they will watch your response closely. What are you going to tell them?"
Peter ended by asking for anyone to send him some good news if they had any. He said he didn't want to get the reputation of being a gloom and doomer, but that he really had not received any reassuring news yet.
------------ First Session: Managing Business Risk
The first general session was on identifying and managing business risk. This session was presented by Nicholas Benvenuto and Brian Lang, both from Arthur Andersen. They began by showing how great the risk is in the banking industry. They asked the audience to think of their companies' core competencies and functions and then to list the critical decisions that arise from processes that require comparing two dates or computing a value using a date. Examples given were loan origin and due date, when and how much stock should be ordered, when does a stock expire, and which orders need to be delivered first. Then the audience was asked to assess the impact of a wrong answer to any of those factors.
The rest of this session detailed the awareness and assessment phases, determining exposure to risk, setting priorities, and finding contingencies. They also provided details for identifying risks and support tools.
------------ Time to assess the borrower's effort
The next session was about the year 2000 problem as it affected lending and borrowers. The presenter was David Furnace, Technology Practice Manager for Alex Sheshunoff Management Services, Inc. Banks and financial institutions are being required by the FFIEC to assess their bigger customers' year 2000 remediation efforts. This means the loan officers need to become conversant with the problem enough to determine if the Y2K plans of potential borrowers are adequate to keep them out of trouble. The due diligence process, which identifies and makes assessment controls for Y2K customer risks, needs to be in place by June 30. The process needs to be completed by September 30 of this year.
------------ It's Not Just an IT Problem Anymore
In November of last year I asked all the banks in the Portland, Oregon area if they were asking their business customers about their year 2000 exposure and efforts at fixing the problem. At that time, only the Bank of America was asking its customers about their year 2000 plans. All the loan officers I talked to told me they thought IT was taking care of the problem and they didn't need to get involved. Now they will be involved -- even though they are only required to assess "substantial" customers. This should have a quantum effect on raising of the consciousness of the business community in the next few months.
The Gartner Group estimates 3% to 5% of US businesses will be fatally impacted by the year 2000 problem. H. Rubin, the Hunter College economist, estimates that 2 out of 3 large U.S. companies did not have a plan to deal with Y2K as of December of 1997. These numbers, and the Produce Palace lawsuit, prompted the change in regulations. Some of the factors that will impact loans are: declining demand for products that are seen as Y2K non-compliant or potentially defective, delays in production or delivery of products, and delays or mistakes in billings and payments from customers.
------------ Training of Loan Officers and Those in Customer Service
The presentation focused on how to train lenders and how to implement the new regulations with customers. It was stressed that the lenders really need to understand the basic Y2K issues. Training and testing was called for -- but with no blueprint on who would do it, how or when it would be done. The results have to be in place by June 30, however.
------------ "Systemic Risk" and Other Problems
This topic was expanded on in the afternoon sessions. Brian Smith, Partner and Chairman of Year 2000 Task Force for Mayer, Brown and Platt, and Michael Ugliarolo, Managing Director of BT Company, presented some of the problems financial institutions will face. He pointed out that regulated institutions such as theirs would be the most severely impacted and also the most severely penalized if things go wrong.
The concept of "systemic risk" was put forward, meaning the potential threats to the linkages between systems that are necessary to do daily business. A non-compliant data transfer system could render an entire network unusable. This concern caused a cease-and-desist order against Putnam-Green Financial Corp. for year 2000 violations. The FDIC and the Georgia Department of Banking demanded the same from Putnam-Green's three subsidiaries. They were charged with operating inadequate and unreliable electronic information systems and failing to ensure those systems could perform data processing after December 31, 1999. Putnam-Green needs to have all their systems tested by December 31 of this year and be using only fully compliant systems in their actual operations by no later than July, 1999.
It was pointed out that once the issues and the possible ramifications of Y2K are understood by the lender, it becomes just another factor of business risk to assess and determine loan eligibility and shouldn't be more difficult to handle than any other business factor.
Banks also need to review their current portfolios for potential Y2K risk. Y2K risk factors can be worked into existing credit standards and applied to any customer. The presenters emphasized that concentrations of credit need to be looked at carefully. It might be that some banks have targeted certain industries that are potentially sensitive to Y2K. Manufacturers with significant embedded logic in their production facilities such as refineries or chemical plants are examples. Any large customer needs to be scrutinized for possible loan problems. Business plans and Y2K planning need to be looked at quarterly from now on.
------------ A Concise and Complete Y2K Business Plan
Sometimes you go to a session and it turns out to be just what you wanted to hear. When that happens, it makes the whole conference an energizing experience. The next session was put on by the people responsible for the regulations these institutions had to follow and incorporate. It could have been a dry recitation of commands from on high -- but instead it turned out to be a very valuable 45 minutes, largely because the panel laid out almost everything any business needs to know and do to create and implement a plan to deal with the business processes liable to be disrupted by the millennium bug.
The session covered the guidelines the FFIEC (Federal Financial Institutions Examination Council) has promulgated for the directors and members of senior management. The panel members were Mark O'Dell, Director for Bank Technology from the Office of the Comptroller of the Currency, Anne Worthy, Assistant Vice President, Year 2000 Task Force of the Federal Reserve Bank of Dallas, and Louis Barton, Vice President of Frost National Bank. They began by spelling out to the group exactly what they would be looking for in the banking community. They would look for direct management and board involvement, use of the project management process, credit/customer issues addressed, vendor management, testing of systems and procedures, and implementation of risk controls. The testing would be unique to each institution, but they wanted a developed, written plan in place by June of this year. The panel members said that the testing process would be difficult for the smaller institutions, especially as they were required to test all their outside interfaces too. Proxy testing would be all right for much of it, but the software also needed to be tested on their own operating system, although doing it at a hot site is acceptable. It is also OK to rent or buy the equipment to do the testing, as long as the same OS is used.
The time benchmarks were laid out as follows. A testing plan and customer due diligence are to be ready by June 30, 1998. Testing of systems is to be started by September 1, 1998. Customer evaluations are to be finished by September 30, 1998. Internal testing is to be substantially complete by December 31, 1998 and all testing complete by June 30, 1999.
The activities necessary to do this are: begin planning and establishing the guidelines, do a business impact analysis, develop contingency plans, design a way to validate the plans, evaluate all options along the way, develop contingencies for every core process, document all the core products, establish the trigger dates, assign responsibility and arrange for independent review. And a final note, have hard copies of everything by 12/31/99.
They also recommended starting a customer awareness program immediately and the development of ways to communicate with customers. Brochures, hot lines, seminars and web sites were mentioned as possibilities.
The panel quickly delivered a substantial amount of information in a rather tight conference schedule but still allowed for a number of questions from the audience.
They finished by listing the four types of contingency plans everyone had to deal with. These were late vendor fixes, certification failure, year 2000 failure, and planning for physical outages.
------------ The Legal Perspective
The next presentation, titled "Don't Bank on Avoiding Year 2000 Liabilities: A Discussion of Theories and Defenses for the Banking Industry," was given by Carl A. Salisbury, a Partner with Killan and Salisbury, and Thomas P. Vartanian, a managing Partner with Fried, Frank, Harris, Shriver and Jacobson. This talk covered several of the many ways banks can be liable if something goes wrong with one or more of their systems -- and what can be done about it.
The law imposes strict liability on financial institutions. "Strict liability" means banks don't have to be at fault in order to be liable under many circumstances. Also, there is no defense in blaming a computer for a mistake. Numerous cases have shown that the humans who work with the machines are responsible for the information that goes into them and the output they produce. Customers have an absolute right to stop payment on a check and to not have a check bounce when there is money to cover it. In one example, a customer requested stop payment of a check written for $1,844.48. This amount was entered into the computer and the computer did the search and didn't find the check because the actual amount of the check was $1,844.98. But the bank was liable because a human checking the account would have seen the mistake and corrected it. Banks are also liable for checks mistakenly bounced (wrongful dishonor) and for consequential damages suffered. There were several examples of simple, year 2000 type computer errors that could cause problems such as those mentioned above. If there is a mistake, the customer has 60 days to notify the bank. The bank has 10 days to investigate the claim and then 1 day to fix it.
Think for a minute on this timeline and the labyrinth the checks travel, remember that each stop has to be year 2000 compliant, and we can conclude that February and March of 2000 is probably going to be a very difficult time for financial institutions unless everything is fixed. The presenters offered some interesting defenses that could be used in case of losses. Everyone involved with the year 2000 problem is concerned about the litigation that will come from it. One lawyer said that it doesn't happen very often when you get a two year warning that someone is going to sue you -- so begin planning for it now. The overall strategy for defense against suits is to limit the damages and then try to get someone else to pay for them. Someone else usually means insurance companies. The basic business policies were mentioned along with the anticipated Y2K coverage they would offer.
Since all the insurance companies are busy writing special exclusions for the year 2000 problem, this advice was interesting and timely. With business interruption insurance and commercial liability insurance, the key point is that a business does not have to be shut down in order to make a claim. "Loss of use" qualifies as a business interruption. It means you are potentially covered and that is good enough for a defense. It is a little different with D and O (Director and Officers) and E and O (Errors and Omissions) insurance. These policies are written a year at a time and are only good for the year in which they are written. Next year's policies will all have year 2000 exclusions. The recommendation was to give notice this year of a "laundry list" of possible year 2000 liabilities on 1998 insurance for claims to be made later. (There are problems with this that I will mention later when I cover another presentation on insurance.)
Specific Y2K insurance was mentioned but panned because the policies are very expensive, require the insured to contract and pay for very expensive auditing of their efforts, and there is a good chance the insurance company will deny coverage of a claim anyway. The conclusion was that "computer error" is not a valid defense from liability and that insurance policies are vague enough on this matter to create a valid defense. When insurance policies are vague or ambiguous, the ruling almost always goes against the insurance companies and for the coverage.
------------ Liability of CIOs: Are They Liable? What about a Trial?
The last presentation of the day was a mock trial put on by Warren S. Reid, Managing Director of WSR Consulting Group and a well-known year 2000 contributor and author, and Jeffrey S. Lichtman, a Partner with Skadden, Arps, Slate, Meagher and Flom. Warren Reid is not a lawyer, but he is a litigation strategist, an expert witness and a special master in computer litigation matters. He is specially versed in high-impact, high-technology systems failures. His newest book is just out, in three-ring binder form, titled The Year 2000 Computer Crisis: The Law, Business and Technology, published by Glasser Legal Works. Mr. Reid presented his list of 19 management "Gotchas" for year 2000 projects:
1. Year 2000 compliance is more difficult to achieve than you realize
2. You are NOT immune to the Year 2000 problem
3. The "drop dead" fix date is 1/1/1999 and NOT 1/1/2000
4. Your CIOs may not have the skills and experience to accomplish Year 2000 Compliance on time and on budget
5. Will you be able to get the necessary, qualified staff and hardware/software resources to develop and test the solution?
6. You must expense Year 2000 Compliance costs
7. Year 2000 compliance testing will be the largest and most complicated testing project ever undertaken by your company
8. Is this a "development project" or is it a "Research & Development" project?
9. Have you planned for Re-synchronization?
10. A qualified, diligent and careful Executive Steering Committee can oversee a successful Year 2000 solution, and protect you in court
11. Should vendors attempt to limit their liability to previous customers by advising them how to obtain Year 2000 Compliance?
12. What liability is potentially being assumed by Year 2000 Solution Providers as a result of agreeing to make changes to the customer's computer programs?
13. What responsibility do Directors and Officers have to: 1) ensure that Year 2000 Problems will not materially disrupt their business; 2) disclose the potential cost of conversion?
14. CIO Liability - CIO Insurance: Know where you stand! Know your options!
15. What are the potential pitfalls in Year 2000 Certification for software vendors?
16. What questions should be posed by and for the Board Room to help limit Director and Officer Liability and to help assure the Year 2000 project will be successful?
17. Different organizations and industries face different Year 2000 challenges
18. Some serious issues/Patterns in outsourcing and information technology staff movement
19. Sample warranty provisions in contracts with vendors
------------ The Trial
In the mock trial, Warren played the part of a CIO of some company, defending the actions he took in preparing for the year 2000. The trial was in two parts, both written by Mr. Reid. First interrogated by the attorney for the defense, played by Jeffrey Lichtman, Mr. Reid recounted everything he had done to fix his company's systems and computers. He appeared assured and competent. He seemed the model of the prudent CIO, who did everything expected and maybe more. Then Mr. Lichtman changed roles and became the attorney for the plaintiff. With almost the same questions as before, it suddenly seemed that Warren had not done so much to help his company, and that he had, in fact, hurt his firm because of his inability to foresee many of the issues that his company had to confront. The message for CIOs is obvious. Even though Mr. Reid wrote the drama and the conclusion, it was obvious that ANY attorney can portray any CIO as incompetent, shortsighted, and naive when it comes to the year 2000 issue. Most people don't understand what programming is or what programmers do. It is a safe bet that most juries won't either. There is no way to cover all the bases, let alone your behind.
------------ The Second Day: Awareness and Implementation
The first presentation was by Nancy Everett, Vice President of Global Communications and Project 2000 Manager. Her program was on building Year 2000 awareness among employees and customers. She suggested enterprise-wide efforts including seminars, web sites, brochures and hot lines. There was much emphasis on team building and communication.
The next presentation was by Gregory P. Cirillo, a partner of Williams Mullen Christian and Dobbins. His talk was on whether your bank's response plan was good enough to protect you. He began with the general advice of being sure not to flunk out because you don't practice acceptable standards of care, but don't sleep easy if you do. He stressed the importance of document control and public disclosure. His conclusion was that Directors would be relatively safe if they empower a good Y2K program and do nothing to hinder it. I was not able to attend the rest of the sessions that afternoon. However, most of the presentations were prepared in advance in a conference book of truly substantial proportions. I did have a chance to have lunch that day with Peter de Jager. His comment regarding insurance was, "They still don't get it! There isn't going to be ANY insurance coverage!"
------------ The Insurance Question
We can see what he meant when we remember how insurance companies make money. They agree to underwrite a risk for a price. Usually it is a known risk with a statistical probability which can be calculated. Although some insurers, like Lloyds of London, will insure almost anything for a price, there is no way to calculate the risks regarding year 2000 problems. Insurance companies take the money from the premiums and with this they pay all their staff, their overhead, the valid claims against their policies and there is usually some profit left over.
We know they are good at this because the insurance companies make a lot of money. But every now and then a monkey wrench gets thrown into the equation. Hurricane Andrew devastated Florida, causing Allstate to announce it would stop writing policies in that state. If there had been two or three more Andrews that year, and the record shows that some years there have been more than one major storm hitting populated areas, the claims could easily have wiped out one or more insurance companies. The only way insurance will cover any year 2000 problems will be if almost everyone fixes their systems and the number of business outages caused by Y2K is much less than, or at the worst equal to, the business outages caused by all other insurable reasons. If they are equal to all other causes, meaning we have double the normal business failures in a year, and half of that total is due to the computer problem, it would put a severe strain on the insurance companies to cover the losses. They would probably contest all the claims if for no other reason than to delay payment.
Most people involved with the year 2000 problem think it will impact businesses harder than what I just described in the above paragraph.
Peter is right. If you are betting on your business insurance to cover your butt for any year 2000 problems, YOU LOSE!
------------ Closing It Out
At the end of the first day, Michael Ugliarolo, Managing Director of Bankers Trust Company of New York, gave succinct recommendations for handling the compliance effort. He suggested the Best Practices of:
* Planning in Detail
* Triage
* Business, not IT, makes the critical decisions
* Certify internally with independent review
* Simplify, outsource, sell non-compliant parts
* Instill confidence through controlled disclosure to customers and employees
* Begin contingency planning now
* Use crisis management for systems and facilities outages
The conference gave everyone a lot to think about and a lot more to get accomplished in the next few months. In all likelihood, your business will experience some impact from all this soon. Y2K isn't going to be under a bushel basket much longer. Of course, that's what I thought a year ago too.