[Federal Register Volume 63, Number 199 (Thursday, October 15, 1998)]
[Rules and Regulations]
[Pages 55480-55486]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 98-27672]



[[Page 55479]]

_______________________________________________________________________

Part IV

Department of the Treasury
_______________________________________________________________________



Office of the Comptroller of the Currency



Office of Thrift Supervision



_______________________________________________________________________
Federal Reserve System
_______________________________________________________________________
Federal Deposit Insurance Corporation
_______________________________________________________________________



12 CFR Part 30, et al.



Interagency Guidelines Establishing Year 2000 Standards for Safety and 
Soundness; Safety and Soundness Standards; Interim Rules

  Federal Register / Vol. 63, No. 199 / Thursday, October 15, 1998 / 
Rules and Regulations  

[[Page 55480]]



DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Part 30

[Docket No. 98-14]
RIN 1557-AB67

FEDERAL RESERVE SYSTEM

12 CFR Part 208

[Docket No. R-1017]

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Part 364

RIN 3064-AC18

DEPARTMENT OF THE TREASURY

Office of Thrift Supervision

12 CFR Part 570

[Docket No. 98-97]
RIN 1550-AB27


Interagency Guidelines Establishing Year 2000 Standards for 
Safety and Soundness

AGENCIES: Office of the Comptroller of the Currency, Treasury; Board of 
Governors of the Federal Reserve System; Federal Deposit Insurance 
Corporation; and Office of Thrift Supervision, Treasury.

ACTION: Joint interim guidelines with request for comment.

-----------------------------------------------------------------------

SUMMARY: The Office of the Comptroller of the Currency (OCC), the Board 
of Governors of the Federal Reserve System (Board), the Federal Deposit 
Insurance Corporation (FDIC), and the Office of Thrift Supervision 
(OTS) (collectively, the Agencies) are issuing interim guidelines (the 
Guidelines) establishing Year 2000 safety and soundness standards for 
insured depository institutions pursuant to section 39 of the Federal 
Deposit Insurance Act (FDI Act). Under the auspices of the Federal 
Financial Institutions Examination Council (FFIEC), the Agencies have 
previously issued eight guidance papers on important aspects of Year 
2000 readiness. The Guidelines complement these eight guidance papers 
by establishing minimum safety and soundness standards for achieving 
Year 2000 readiness.

DATES: The Guidelines are effective October 15, 1998. Comments must be 
received by December 14, 1998.

ADDRESSES: Comments should be directed to:
    OCC: Office of the Comptroller of the Currency, Communications 
Division, 250 E Street, SW, Washington, DC 20219, Attention: Docket No. 
98-14. Comments will be available for public inspection and 
photocopying at the same location. In addition, comments may be sent by 
facsimile transmission to FAX number (202) 874-5274 or by Internet mail 
to [email protected].
    Board: Jennifer J. Johnson, Secretary, Board of Governors of the 
Federal Reserve System, Docket No. R-1017, 20th Street and Constitution 
Avenue, NW, Washington, DC 20551. Comments addressed to Ms. Johnson may 
also be delivered to the Board's mail room between 8:45 a.m. and 5:15 
p.m., and to the security control room outside of those hours. Both the 
mail room and control room are accessible from the courtyard entrance 
on 20th Street between Constitution Avenue and C Street, NW, 
Washington, DC. Comments may be inspected in room MP-500 between 9:00 
a.m. and 5:00 p.m., except as provided in Sec. 261.14 of the Board's 
Rules Regarding Availability of Information, 12 CFR 261.14.
    FDIC: Robert E. Feldman, Executive Secretary, Attention: Comments/
OES, Federal Deposit Insurance Corporation, 550 17th Street, NW, 
Washington, DC 20429. Comments may be hand delivered to the guard 
station at the rear of the 550 17th Street Building (located on F 
Street), on business days between 7:00 a.m. and 5:00 p.m. (Fax number: 
(202) 898-3838; Internet address: [email protected]). Comments may be 
inspected and photocopied in the FDIC Public Information Center, Room 
100, 801 17th Street, NW, Washington, DC, between 9:00 a.m. and 4:30 
p.m. on business days.
    OTS: Manager, Dissemination Branch, Records Management and 
Information Policy, Office of Thrift Supervision, 1700 G Street, NW, 
Washington, DC 20552, Attention Docket No. 98-97. These submissions may 
be hand delivered to 1700 G Street, NW, Washington, DC, from 9:00 a.m. 
to 5:00 p.m. on business days; sent by facsimile transmission to FAX 
number (202) 906-7755, or may be sent by e-mail to: 
[email protected]. Those commenting by e-mail should include 
their name and telephone number. Comments will be available for 
inspection at 1700 G Street, NW, Washington, DC, from 9:00 a.m. until 
4:00 p.m. on business days.

FOR FURTHER INFORMATION CONTACT: OCC: Mark L. O'Dell, Director, Year 
2000 Bank Supervision Policy (202) 874-2340; Brian McCormally, 
Assistant Director, Enforcement and Compliance (202) 874-4800; Ursula 
Pfeil, Attorney, Legislative and Regulatory Activities (202) 874-5090; 
or Stuart E. Feldstein, Assistant Director, Legislative and Regulatory 
Activities (202) 874-5090.
    Board: Angela Desmond, Special Counsel, Division of Banking 
Supervision and Regulation (202) 452-3497; or Nancy Oakes, Senior 
Attorney, Division of Banking Supervision and Regulation (202) 452-
2743. For the hearing impaired only, Telecommunication Device for Deaf 
(TDD), Diane Jenkins (202) 452-3544, Board of Governors of the Federal 
Reserve System, 20th and C Streets, NW, Washington DC 20551.
    FDIC: Frank Hartigan, Year 2000 Project Manager, Division of 
Supervision (202) 898-6867; Sandy Comenetz, Year 2000 Project Manager, 
Legal Division (202) 898-3582; Richard Bogue, Counsel, Legal Division 
(202) 898-3726; or Nancy Chase Miller, Counsel, Legal Division (202) 
898-6533.
    OTS: Dorothy Van Cleave, National Year 2000 Coordinator (202) 906-
7380; or Robert D. DeCuir, Senior Enforcement Attorney, Office of 
Enforcement, Office of Chief Counsel (202) 906-7152.

SUPPLEMENTARY INFORMATION:

Background

    The potential inability of computers to recognize correctly certain 
dates in 1999 and on and after January 1, 2000, presents significant 
and unprecedented enterprise-wide challenges for insured depository 
institutions. Timely management response is critical in order for 
insured depository institutions to identify problems and implement 
effective remediation programs in the relatively short time remaining 
until those dates occur. Under the auspices of the FFIEC, the Agencies 
have issued eight guidance papers 1 on important aspects of 
Year 2000 readiness. The Agencies are issuing the Guidelines, which are 
distilled from the FFIEC guidance, to establish minimum safety and 
soundness standards for achieving

[[Page 55481]]

Year 2000 readiness. The Guidelines do not replace or supplant the 
FFIEC guidance, which will continue to apply to all entities regulated 
or examined by the Agencies. Insured depository institutions also 
should refer to the FFIEC guidance.
---------------------------------------------------------------------------

    \1\ See Guidance Concerning Contingency Planning in Connection 
with Year 2000 Readiness (May 13, 1998); Guidance on Year 2000 
Customer Awareness Programs (May 13, 1998); Guidance Concerning 
Testing for Year 2000 Readiness (April 10, 1998); Guidance 
Concerning the Year 2000 Impact on Customers (March 17, 1998); 
Guidance Concerning Institution Due Diligence in Connection with 
Service Provider and Software Vendor Year 2000 Readiness (March 17, 
1998); Safety and Soundness Guidelines Concerning the Year 2000 
Business Risk (December 17, 1997); Year 2000 Project Management 
Awareness (May 5, 1997); and The Effect of Year 2000 on Computer 
Systems (June 1996) [collectively, the FFIEC guidance].
---------------------------------------------------------------------------

    The Agencies are issuing the Guidelines pursuant to section 39 of 
the FDI Act.2 Section 39 requires the Agencies to establish 
operational and managerial standards for insured depository 
institutions relating to, among other things, internal controls, 
information systems, and internal audit systems. Section 39 also 
authorizes the Agencies to prescribe operational and managerial 
standards as they determine to be appropriate, and to require 
institutions that fail to meet such standards to submit corrective 
action plans.
---------------------------------------------------------------------------

    \2\  Section 39 was added to the FDI Act by section 132 of the 
Federal Deposit Insurance Corporation Improvement Act, Pub. L. 102-
242, 105 Stat. 2236, 2267-70 (December 19, 1991), and was 
subsequently amended by section 318 of the Riegle Community 
Development and Regulatory Improvement Act (CDRIA), Pub. L. 103-325, 
108 Stat. 2160, 2223-24 (September 23, 1994).
---------------------------------------------------------------------------

    Standards issued under section 39 may take the form of regulations 
or guidelines. If an agency determines that an insured depository 
institution fails to meet any standard established by regulation, then, 
by the terms of the statute, the agency must require the institution to 
submit an acceptable plan to achieve compliance with the standard. If 
an agency determines that an insured depository institution fails to 
meet any standard established by guideline, the agency may require the 
institution to submit an acceptable compliance plan.
    In 1995, the Agencies promulgated Interagency Guidelines 
Establishing Standards for Safety and Soundness. 60 FR 35674 (July 10, 
1995).3 Among other things, the 1995 guidelines provided 
generally that an insured depository institution should have internal 
controls and information systems that are appropriate to the size of 
the institution and the nature, scope, and risk of its activities.
---------------------------------------------------------------------------

    \3\ For a brief history of the Agencies' regulations and 
guidelines implementing section 39, see 61 FR 43948 (Aug. 27, 1996) 
(adopting final asset quality and earnings standards).
---------------------------------------------------------------------------

    As the Agencies noted in adopting the 1995 safety and soundness 
guidelines, their purpose in issuing standards as guidelines rather 
than regulations is to retain the flexibility to determine whether to 
require an insured depository institution to submit an acceptable 
compliance plan or to pursue another course of supervisory action, 
depending on the circumstances and severity of an institution's 
noncompliance with one or more of the standards and the significance of 
the particular standard at issue. See 60 FR at 35675.
    The Guidelines adopted today establish standards for management and 
boards of directors in developing and managing Year 2000 project plans, 
validating remediation efforts, and planning for contingencies. In 
appropriate circumstances, an agency will require an insured depository 
institution that fails to comply with the Guidelines to prepare and 
submit an acceptable compliance plan. The Agencies will use the rules 
already in place under the 1995 safety and soundness guidelines to 
require submission of compliance plans.
    Under those rules, an insured depository institution must file a 
compliance plan within 30 days of a request to do so from an 
appropriate Federal banking agency, unless a different date is 
prescribed by the agency. Within 30 days of the plan's receipt, the 
agency must provide written notice to the insured depository 
institution of whether the plan has been approved or if additional 
information is required. An insured depository institution that fails 
to submit an acceptable compliance plan within the time allowed or 
fails in any material respect to implement an accepted compliance plan 
will be subject to an agency order directing the institution to correct 
the deficiency. The agency order is directly enforceable in Federal 
district court; there is no requirement for a prior administrative 
adjudication. See 12 U.S.C. 1818(i)(1). A violation of such an order 
can serve as the basis for assessing civil money penalties. See 12 
U.S.C. 1818(i)(2). Section 39 also describes certain supervisory 
actions that an agency may take, and in certain cases must take, until 
the deficiency is corrected.

Description of the Guidelines

    The Guidelines describe certain essential steps that insured 
depository institutions must take at the awareness, assessment, 
renovation, validation (testing), and implementation phases of their 
efforts to achieve Year 2000 readiness.4 The standards 
contained in the Guidelines are based on--and are intended to be 
consistent with--key principles contained in the FFIEC guidance.
---------------------------------------------------------------------------

    \4\ The standards in the Guidelines are described in mandatory 
terms in order to clarify the specific actions insured depository 
institutions are expected to take to achieve Year 2000 readiness. 
Nevertheless, as explained above, an Agency will decide whether to 
require corrective action under section 39 for an institution's 
noncompliance with these standards based on the circumstances of the 
particular case.
---------------------------------------------------------------------------

    The Guidelines define certain key terms to help clarify the types 
of actions insured depository institutions are expected to undertake. 
For example, the term ``mission-critical system'' is defined as ``an 
application or system that is vital to the successful continuance of a 
core business activity.'' An application that interfaces with a 
designated mission-critical system and software products also may be 
deemed a mission-critical system. The Guidelines also set forth 
definitions for ``external system,'' ``internal system,'' ``external 
third party supplier,'' ``other material third party,'' ``renovation,'' 
``business resumption contingency plan,'' ``remediation contingency 
plan,'' and ``Year 2000 ready or readiness.'' The Agencies invite 
comment on whether these terms are defined appropriately and whether 
the Guidelines should include additional definitions.
    The Guidelines specify that an insured depository institution's 
initial review of mission-critical systems for Year 2000 readiness 
should provide the basis for establishing priorities and deadlines and 
for identifying and allocating available resources. The development and 
implementation of a written due diligence process to monitor and 
evaluate Year 2000 efforts by third party service providers and 
software vendors is a critical component of an institution's initial 
assessment. The Guidelines also require each insured depository 
institution to develop and adopt a written project plan that addresses 
each phase of the planning process. However, an insured depository 
institution that has already developed and adopted an adequate project 
plan, or other plans and procedures for achieving Year 2000 readiness, 
need not prepare a new, separate project plan, or other plans and 
procedures, just to satisfy the Guidelines. Plans and procedures 
already adopted will suffice if they have been reviewed and deemed 
acceptable by the appropriate Agency.
    The Guidelines distinguish between renovation of systems controlled 
by the insured depository institution (internal mission-critical 
systems) and those controlled by a third party (external mission-
critical systems). Renovation of the internal mission-critical systems 
must be done in sufficient time for testing to be substantially 
complete by December 31, 1998. Insured depository institutions relying 
on systems controlled and renovated by external third party suppliers 
must determine

[[Page 55482]]

the ability of their service providers and software vendors to address 
Year 2000 readiness for external mission-critical systems that are not 
Year 2000 ready and to establish programs that allow testing and 
remediation to be substantially completed by March 31, 1999. Insured 
depository institutions must maintain written documentation of all 
their communications with external third party suppliers regarding 
their ability to renovate timely and effectively external mission-
critical systems that are not Year 2000 ready.
    The Agencies consider testing to be a critical process in achieving 
Year 2000 readiness. Failure of an insured depository institution to 
perform adequate testing of mission-critical systems poses a risk to 
the safe and sound operation of the institution. Failure to conduct 
thorough testing may mask serious remediation problems. Failure to 
properly identify or correct those problems could threaten the safety 
and soundness of the institution. The Guidelines reflect the Agencies' 
expectations on the timing and scope of required testing.
    Another essential component of achieving Year 2000 readiness 
addressed in the Guidelines is the development and implementation of 
contingency plans for Year 2000 technology failures. The Guidelines 
require an insured depository institution to design contingency plans 
appropriate for the institution's technological systems and operating 
structure that describe how the institution will mitigate the risks 
associated with the failure of systems (the business resumption 
contingency plan) and, as applicable, the failure to complete 
renovation, testing, or implementation of its mission-critical systems 
(the remediation contingency plan).
    The Guidelines require insured depository institutions to implement 
a due diligence process that identifies customers posing material Year 
2000 risks, evaluates their Year 2000 preparedness, assesses their Year 
2000 risk, and implements appropriate risk controls. Finally, the 
Guidelines require that the board of directors and management must be 
involved in all stages of the institution's efforts to achieve Year 
2000 readiness. Management must provide to the board of directors 
written status reports at least quarterly or as otherwise required to 
keep the board of directors fully informed of the institution's Year 
2000 efforts.
    The Guidelines enable the Agencies to use the streamlined 
compliance and enforcement mechanisms provided by section 39 to 
address, in appropriate circumstances, Year 2000 readiness-related 
safety and soundness concerns in insured depository institutions. 
Section 39 remedies for insured depository institutions allow the 
Agencies to move promptly in situations where immediate supervisory 
action is essential for safety and soundness reasons.
    Nonetheless, issuance of a safety and soundness order pursuant to 
section 39 may not be the most appropriate remedy in every case where 
an insured depository institution fails to comply with the Guidelines. 
It is for this reason the Agencies have chosen to proceed by guideline, 
within the meaning of section 39, rather than by regulation. As is the 
case with respect to the Agencies' 1995 safety and soundness 
guidelines, the Agencies also wish to preserve their discretion to 
require supervisory actions different from those prescribed by section 
39 with respect to the Guidelines if a different action is warranted by 
the facts and circumstances of a particular situation.
    The Guidelines do not limit the authority of an Agency to address 
unsafe or unsound practices or conditions, violations of law, or other 
practices, or to adopt appropriate remedies to achieve compliance with 
the Guidelines, including requiring actions by dates that are different 
from those set forth in the Guidelines. Actions under section 39 and 
the Guidelines may be taken independently of, in conjunction with, or 
in addition to, other appropriate enforcement actions.
    The Agencies note that by law the Guidelines apply only to insured 
depository institutions, not to all financial institutions supervised 
by the Agencies, such as bank holding companies and U.S. offices of 
foreign banking organizations. The Agencies will continue to examine 
and inspect all financial institutions that they supervise for 
compliance with the FFIEC guidance and may use their authority under 
section 8 of the FDI Act if these institutions fail to comply with the 
FFIEC guidance.

Request for Comment

    The Agencies invite comment on all aspects of the Guidelines.

Effective Date

    The Agencies find good cause for issuing the Guidelines effective 
immediately, without prior notice and comment. Cf. 5 U.S.C. 553(b)(B) 
(Administrative Procedure Act (APA) provision permitting an agency to 
issue a rule without prior notice and comment when the agency for good 
cause finds that notice and public procedure thereon are impracticable, 
unnecessary, or contrary to the public interest); 5 U.S.C. 553(d) (good 
cause exception to APA requirement for a 30 day delayed effective date 
for final rule); 12 U.S.C. 4802(b)(1) (good cause exception to the 
CDRIA requirement that the Federal banking agencies make rules 
effective on the first day of a calendar quarter which begins on or 
after the date on which the regulations are published in final form). 
Making the Guidelines effective immediately is essential for ensuring 
that the Agencies can properly and timely address the Year 2000 
computer problem and that insured depository institutions can achieve 
Year 2000 readiness in the relatively short time remaining before Year 
2000 problems may begin to occur. The Agencies note that Congress has 
recently underscored the importance and urgency of ensuring Year 2000 
readiness in the financial services sector by passing the Examination 
Parity and Year 2000 Readiness for Financial Institutions Act, Pub. L. 
105-164, sec. 2, 112 Stat. 32, 32 (1998). Congress expressly found that 
the Year 2000 computer problem poses a serious challenge to the 
American economy, including the Nation's banking and financial services 
industries, and that Federal financial regulatory agencies must have 
sufficient examination authority to ensure that the safety and 
soundness of the Nation's financial institutions will not be at risk. 
Under these circumstances, the Agencies conclude that prior notice and 
comment procedure is impracticable and contrary to the public interest.

Regulatory Flexibility Act Analysis

    An initial regulatory flexibility analysis under the Regulatory 
Flexibility Act (RFA) is required when an agency is required to publish 
a general notice of proposed rulemaking. 5 U.S.C. 603. As noted above, 
the Agencies have concluded, for good cause, that these Guidelines 
should take immediate effect and, therefore, that a notice of proposed 
rulemaking is not required. Accordingly, the Agencies have concluded 
that the RFA does not require an initial regulatory flexibility 
analysis of these Interim Guidelines.
    Nonetheless, the Agencies have considered the likely impact of the 
Guidelines on small entities and believe that the Guidelines do not 
have a significant impact on a substantial number of small entities. 
The potential inability of computers to correctly recognize certain 
dates in 1999 and on and after January 1, 2000, compels all

[[Page 55483]]

institutions, including small institutions, to formulate appropriate 
and timely management responses. The Guidelines provide a procedural 
framework for formulating that response and reiterate the Agencies' 
expectations, distilled from existing FFIEC guidance, regarding 
appropriate business practices for achieving Year 2000 readiness. For 
example, as indicated earlier in this preamble, plans and procedures 
that institutions have already developed to achieve Year 2000 readiness 
can satisfy the Guidelines if they have been reviewed and deemed 
acceptable by the appropriate Agency.
    The Agencies invite interested persons to submit comments on the 
impact of the Guidelines on small entities for consideration in the 
development of final Guidelines.

Paperwork Reduction Act

    The Agencies invite comment on:
    (1) Whether the collections of information contained in the 
Guidelines are necessary for the proper performance of each Agency's 
functions, including whether the information has practical utility;
    (2) The accuracy of each Agency's estimate of the burden of the 
information collections;
    (3) Ways to enhance the quality, utility, and clarity of the 
information to be collected;
    (4) Ways to minimize the burden of the information collections on 
respondents, including the use of automated collection techniques or 
other forms of information technology; and
    (5) Estimates of capital or start-up costs and costs of operation, 
minutes, and purchase of services to provide information.
    Respondents and Recordkeepers are not required to respond to this 
collection of information unless it displays a currently valid Office 
of Management and Budget (OMB) control number.
    OCC: The collection of information requirements contained in the 
Guidelines have been submitted to and approved by the OMB under its 
emergency procedures and in accordance with the Paperwork Reduction Act 
of 1995. 44 U.S.C. 3507. Since OMB clearance is for a 6-month period, 
OCC will use any comments received to develop its renewed request. 
Comments on the collections of information should be sent to the 
Legislative and Regulatory Activities Division (1557-0212), Office of 
the Comptroller of the Currency, 250 E Street, SW, Washington, DC 
20219, with a copy to the Office of Management and Budget, Paperwork 
Reduction Project (1557-0212), Washington, DC 20503.
    In essence, the Guidelines incorporate the important elements of 
the outstanding FFIEC guidance. In addition to the paperwork usually 
maintained by an insured depository institution in the regular course 
of business, the FFIEC guidance and the Guidelines impose some 
additional paperwork burden. This burden is found in appendix B to part 
30. The OCC needs this information to assess an insured depository 
institution's compliance with the Guidelines set forth in appendix B. 
The likely respondents are national banks.
    Estimated number of respondents: 650.
    Estimated average annual burden hours per respondent: 60 hours.
    Estimated total annual recordkeeping burden: 39,255 hours.
    Board: In accordance with section 3506 of the Paperwork Reduction 
Act of 1995 (44 U.S.C. Ch. 35; 5 CFR 1320, appendix A.1), the Board 
reviewed the Guidelines under the authority delegated to the Board by 
the OMB. Comments on the collections of information should be sent to 
Mary M. McLaughlin, Chief, Financial Reports Section, Division of 
Research and Statistics, Mail Stop 97, Board of Governors of the 
Federal Reserve System, Washington, DC 20551, with a copy to the Office 
of Management and Budget, Paperwork Reduction Project (7100-0290), 
Washington, DC 20503.
    In essence, the Guidelines incorporate the important elements of 
the outstanding FFIEC guidance. In addition to the paperwork usually 
maintained by an insured depository institution in the regular course 
of business, the FFIEC guidance and the Guidelines impose some 
additional paperwork burden. This burden is found in appendix D-2 to 
part 208. The Board needs this information to assess an insured 
depository institution's compliance with the Guidelines set forth in 
appendix D-2. The likely respondents are state member banks.
    Estimated number of respondents: 994.
    Estimated average annual burden hours per respondent: 20 hours.
    Estimated total annual recordkeeping burden: 19,880.
    FDIC: The collections of information contained in the Guidelines 
have been submitted to and approved by the OMB under its emergency 
procedures and in accordance with the Paperwork Reduction Act of 1995. 
44 U.S.C. 3507. Since OMB clearance is for a 6-month period, the FDIC 
will use any comments received to develop its renewed request. Comments 
on the collections of information should be sent to Steven F. Hanft, 
Office of the Executive Secretary, Federal Deposit Insurance 
Corporation, 550 17th Street, NW, Washington, DC 20429, with a copy to 
the Office of Management and Budget, Paperwork Reduction Project (3064-
0128 Year 2000), Washington, DC 20503.
    In essence, the Guidelines incorporate the important elements of 
the outstanding FFIEC guidance. In addition to the paperwork usually 
maintained by an insured depository institution in the regular course 
of business, the FFIEC guidance and the Guidelines impose some 
additional paperwork burden. This burden is found in appendix B to part 
364. The FDIC needs this information to assess an insured depository 
institution's compliance with the Guidelines set forth in appendix B. 
The likely respondents are insured nonmember banks.
    Estimated number of respondents: 341.
    Estimated average annual burden hours per respondent: 68 hours.
    Estimated total annual recordkeeping burden: 23,188 hours.
    OTS: The collection of information requirements contained in the 
Guidelines have been submitted to and approved by the OMB under its 
emergency procedures and in accordance with the Paperwork Reduction Act 
of 1995. 44 U.S.C. 3507. Since OMB clearance is for a 6-month period, 
the OTS will use any comments received to develop its renewed request. 
Comments on the collection of information should be sent to the 
Regulations and Legislation Division (1550-0051), Office of Thrift 
Supervision, 1700 G Street, NW, Washington, DC 20552, with a copy to 
the Office of Management and Budget, Paperwork Reduction Project (1550-
0051), Washington, DC 20503.
    In essence, the Guidelines incorporate the important elements of 
the outstanding FFIEC guidance. In addition to the paperwork usually 
maintained by an insured depository institution in the regular course 
of business, the FFIEC guidance and the Guidelines impose some 
additional paperwork burden. This burden is found in appendix B to part 
570. The OTS needs this information to assess an insured depository 
institution's compliance with the Guidelines set forth in appendix B. 
The likely respondents are savings associations.
    Estimated number of respondents: 275.
    Estimated average annual burden hours per respondent: 57 hours.
    Estimated total annual recordkeeping burden: 15,675 hours.

[[Page 55484]]

Executive Order 12866

    The OCC and OTS have determined that the Guidelines are not ``a 
significant regulatory action'' under Executive Order 12866.

OCC and OTS: Unfunded Mandates Reform Act Analysis

    The Unfunded Mandates Reform Act of 1995 (UMA), Pub. L. 104-4, 
applies only when an agency is required to promulgate a general notice 
of proposed rulemaking or a final rule for which a general notice of 
proposed rulemaking was published. 2 U.S.C. 1532. As noted above, the 
Agencies have concluded, for good cause, that a notice of proposed 
rulemaking is not required. Accordingly, the Agencies have concluded 
that the UMA does not require an unfunded mandates analysis of the 
Guidelines.
    Moreover, the Agencies believe that the Guidelines will not result 
in expenditures by State, local, and tribal governments, or by the 
private sector, of more than $100 million in any one year. Accordingly, 
neither the OCC nor the OTS has prepared a budgetary impact statement 
or specifically addressed the regulatory alternatives considered.

Text of Uniform Interim Guidelines (All Agencies)

    The text of the agencies' uniform interim guidelines appears below:

Appendix ______ to Part______Interagency Guidelines Establishing 
Year 2000 Standards for Safety and Soundness

Table of Contents

I. Introduction
    A. Preservation of existing authority
    B. Definitions
II. Year 2000 Standards for Safety and Soundness
    A. Review of mission-critical systems for Year 2000 readiness
    B. Renovation of internal mission-critical systems
    C. Renovation of external mission-critical systems
    D. Testing of mission-critical systems
    E. Business resumption contingency planning
    F. Remediation contingency planning
    G. Customer risk
    H. Involvement of the board of directors and management

I. Introduction

    The Interagency Guidelines Establishing Year 2000 Standards for 
Safety and Soundness (Guidelines) set forth safety and soundness 
standards pursuant to section 39 of the Federal Deposit Insurance 
Act (section 39) (12 U.S.C. 1831p-1) that are applicable to an 
insured depository institution's efforts to achieve Year 2000 
readiness. The Guidelines, which also interpret the general 
standards in the Interagency Guidelines Establishing Standards for 
Safety and Soundness adopted in 1995, apply to all insured 
depository institutions.

A. Preservation of Existing Authority

    Neither section 39 nor the Guidelines in any way limits the 
authority of the Federal banking agencies to address unsafe or 
unsound practices, violations of law, unsafe or unsound conditions, 
or other practices. The Federal banking agencies, in their sole 
discretion, may take appropriate actions so that insured depository 
institutions will be able to successfully continue business 
operations after January 1, 2000, including on a case-by-case basis 
requiring actions by dates that are later than the key dates set 
forth in the Guidelines. Action under section 39 and the Guidelines 
may be taken independently of, in conjunction with, or in addition 
to any other action, including enforcement action, available to the 
Federal banking agencies.

B. Definitions

    1. In general. For purposes of the Guidelines the following 
definitions apply:
    a. Business resumption contingency plan means a plan that 
describes how mission-critical systems of the insured depository 
institution will continue to operate in the event there are system 
failures in processing, calculating, comparing, or sequencing date 
or time data from, into, or between the 20th and 21st centuries; or 
the years 1999 and 2000; or with regard to leap year calculations.
    b. External system means a system the renovation of which is not 
controlled by the insured depository institution, including systems 
provided by service providers and any interfaces with external third 
party suppliers and other material third parties.
    c. External third party supplier means a service provider or 
software vendor that supplies services or products to insured 
depository institutions.
    d. Internal system means a system the renovation of which is 
controlled by the insured depository institution, including 
software, operating systems, mainframe computers, personal 
computers, readers/sorters, and proof machines. Internal system also 
may include a system controlled by the insured depository 
institution with embedded integrated circuits (e.g., heating and 
cooling systems, vaults, communications, security systems, and 
elevators).
    e. Mission-critical system means an application or system that 
is vital to the successful continuance of a core business activity. 
An application or system may be mission-critical if it interfaces 
with a designated mission-critical system. Software products also 
may be mission-critical.
    f. Other material third party means a third party, other than an 
external third party supplier, to whom an insured depository 
institution transmits data or from whom an insured depository 
institution receives data, including business partners (e.g., credit 
bureaus), other insured depository institutions, payment system 
providers, clearinghouses, customers, and utilities.
    g. Remediation contingency plan means a plan that describes how 
the insured depository institution will mitigate the risks 
associated with the failure to successfully complete renovation, 
testing, or implementation of its mission-critical systems.
     h. Renovation means code enhancements, hardware and software 
upgrades, system replacements, and other associated changes that 
ensure that the insured depository institution's mission-critical 
systems and applications are Year 2000 ready.
    i. Year 2000 ready or readiness with respect to a system or 
application means the system or application accurately processes, 
calculates, compares, or sequences date or time data from, into, or 
between the 20th and 21st centuries; or the years 1999 and 2000; or 
with regard to leap year calculations.

II. Year 2000 Standards for Safety and Soundness

    A. Review of Mission-Critical Systems For Year 2000 Readiness. 
Each insured depository institution shall in writing:
    1. Identify all internal and external mission-critical systems 
that are not Year 2000 ready;
    2. Establish priorities for accomplishing work and allocating 
resources to renovating internal mission-critical systems;
    3. Identify the resource requirements and individuals assigned 
to the Year 2000 project on internal mission-critical systems;
    4. Establish reasonable deadlines for commencing and completing 
the renovation of such internal mission-critical systems;
    5. Develop and adopt a project plan that addresses the insured 
depository institution's Year 2000 renovation, testing, contingency 
planning, and management oversight process; and
    6. Develop a due diligence process to monitor and evaluate the 
efforts of external third party suppliers to achieve Year 2000 
readiness.
    B. Renovation of Internal Mission-Critical Systems. Each insured 
depository institution shall commence renovation of all internal 
mission-critical systems that are not Year 2000 ready in sufficient 
time that testing of the renovation can be substantially completed 
by December 31, 1998.
    C. Renovation of External Mission-Critical Systems. Each insured 
depository institution shall:
    1. Determine the ability of external third party suppliers to 
renovate external mission-critical systems that are not Year 2000 
ready and to complete the renovation in sufficient time to 
substantially complete testing by March 31, 1999;
    2. Maintain written documentation of all its communications with 
external third party suppliers regarding their ability to renovate 
timely and effectively external mission-critical systems that are 
not Year 2000 ready; and
    3. Develop in writing an ongoing due diligence process to 
monitor and evaluate the efforts of external third party suppliers 
to achieve Year 2000 readiness, including:
    a. monitoring the efforts of external third party suppliers to 
achieve Year 2000 readiness on at least a quarterly basis and 
documenting communications with these suppliers; and

[[Page 55485]]

    b. reviewing the insured depository institution's contractual 
arrangements with external third party suppliers to determine the 
parties' rights and obligations to achieve Year 2000 readiness.
    D. Testing of Mission-Critical Systems. Each insured depository 
institution shall:
    1. Develop and implement an effective written testing plan for 
both internal and external systems. Such a plan shall include the 
testing environment, testing methodology, testing schedules, budget 
projections, participants to be involved in testing, and the 
critical dates to be tested to achieve Year 2000 readiness;
    2. Verify the adequacy of the testing process and validate the 
results of the tests with the assistance of the project manager 
responsible for Year 2000 readiness, the owner of the system tested, 
and an objective independent party (such as an auditor, a 
consultant, or a qualified individual from within or outside of the 
insured depository institution who is independent of the process 
under review);
    3. Substantially complete testing of internal mission-critical 
systems by December 31, 1998;
    4. Commence testing of external mission-critical systems by 
January 1, 1999;
    5. Substantially complete testing of external mission-critical 
systems by March 31, 1999;
    6. Commence testing with other material third parties by March 
31, 1999; and
    7. Complete testing of all mission-critical systems by June 30, 
1999.
    E. Business Resumption Contingency Planning. Each insured 
depository institution shall develop and implement an effective 
written business resumption contingency plan that, at a minimum:
    1. Defines scenarios for mission-critical systems failing to 
achieve Year 2000 readiness;
    2. Evaluates options and selects a reasonable contingency 
strategy for those systems;
    3. Provides for the periodic testing of the business resumption 
contingency plan; and
    4. Provides for independent testing of the business resumption 
contingency plan by an objective independent party, such as an 
auditor, consultant, or qualified individual from another area of 
the insured depository institution who was not involved in the 
formulation of the business resumption contingency plan.
    F. Remediation Contingency Planning. Each insured depository 
institution that has failed to successfully complete renovation, 
testing, and implementation of a mission-critical system, or is in 
the process of remediation and is not on schedule with the key dates 
in section II.D, shall develop and implement an effective written 
remediation contingency plan that, at a minimum:
    1. Outlines the alternatives available if remediation efforts 
are not successful, including the availability of alternative 
external third party suppliers, and selects a reasonable contingency 
strategy; and
    2. Establishes trigger dates for activating the remediation 
contingency plan, taking into account the time necessary to convert 
to alternative external third party suppliers or to complete any 
other selected strategy.
    G. Customer Risk. Each insured depository institution shall 
develop and implement a written due diligence process that:
    1. Identifies customers, including fund providers, fund takers, 
and capital market/asset management counterparties, that represent 
material risk exposure to the institution;
    2. Evaluates their Year 2000 preparedness;
    3. Assesses their existing and potential Year 2000 risk to the 
institution; and 4. Implements appropriate risk controls, including 
controls for underwriting risk, to manage and mitigate their Year 
2000 risk to the institution.
    H. Involvement of the Board of Directors and Management.
    1. During all stages of the renovation, testing, and contingency 
planning process, the board of directors and management of each 
insured depository institution shall:
    a. be actively involved in managing efforts to plan, allocate 
resources, and monitor progress towards attaining Year 2000 
readiness;
    b. oversee the efforts of the insured depository institution to 
achieve Year 2000 readiness and allocate sufficient resources to 
resolve problems relating to the institution's Year 2000 readiness; 
and
    c. evaluate the Year 2000 risk associated with any strategic 
business initiatives contemplated by the insured depository 
institution, including mergers and acquisitions, major systems 
development, corporate alliances, and system interdependencies.
    2. In addition, the board of directors, at a minimum, shall 
require from management, and management shall provide to the board 
of directors, written status reports, at least quarterly and as 
otherwise appropriate to keep the directorate fully informed, of the 
insured depository institution's efforts in achieving Year 2000 
readiness. Such written status reports shall, at a minimum, include:
    a. The overall progress of the insured depository institution's 
efforts in achieving Year 2000 readiness;
    b. The insured depository institution's interim progress in 
renovating, validating, and contingency planning measured against 
the insured depository institution's Year 2000 project plan as 
adopted under section II.A.5. of appendix B;
    c. The status of efforts by key external third party suppliers 
and other material third parties in achieving Year 2000 readiness;
    d. The results of the testing process;
    e. The status of contingency planning efforts; and
    f. The status of the ongoing assessment of customer risk.

[End of text of Uniform Interim Guidelines]

List of Subjects

12 CFR Part 30

    Administrative practice and procedure, National banks, Reporting 
and recordkeeping requirements, Safety and soundness.

12 CFR Part 208

    Accounting, Agriculture, Banks, banking, Confidential business 
information, Crime, Currency, Federal Reserve System, Mortgages, 
Reporting and recordkeeping requirements, Safety and soundness, 
Securities.

12 CFR Part 364

    Administrative practice and procedure, Bank deposit insurance, 
Banks, Banking, Reporting and recordkeeping requirements, Safety and 
soundness.

12 CFR Part 570

    Accounting, Administrative practice and procedures, Bank deposit 
insurance, Holding companies, Reporting and recordkeeping requirements, 
Savings associations, Safety and soundness.
    Adoption of Uniform Interagency Guidelines. The agency specific 
adoptions of the uniform interagency guidelines, which appear at the 
end of the common preamble, are set forth below.

Office of the Comptroller of the Currency

12 CFR Chapter I

Authority and Issuance

    For the reasons set forth in the common preamble, part 30 of 
chapter I of title 12 of the Code of Federal Regulations is amended as 
follows:

PART 30--SAFETY AND SOUNDNESS STANDARDS

    1. The authority citation for part 30 continues to read as follows:

    Authority: 12 U.S.C. 93a, 1831p-1.

    2. A new appendix B is added to part 30 to read as set forth at the 
end of the common preamble:

Appendix B to Part 30--Interagency Guidelines Establishing Year 
2000 Standards for Safety and Soundness

    Dated: September 21, 1998.
Julie L. Williams,
Acting Comptroller of the Currency.

Federal Reserve System

12 CFR Part 208

Authority and Issuance

    For the reasons set forth in the common preamble, part 208 of 
chapter II of title 12 of the Code of Federal Regulations is amended as 
follows:

PART 208--MEMBERSHIP OF STATE BANKING INSTITUTIONS IN THE FEDERAL 
RESERVE SYSTEM (REGULATION H)

    1. The authority citation for 12 CFR Part 208 continues to read as 
follows:

    Authority: 12 U.S.C. 24, 36, 92a, 93a, 248(a), 248(c), 321-338a, 
371d, 461, 481-486,

[[Page 55486]]

601, 611, 1814, 1816, 1818, 1823(j), 1828(o), 1831o, 1831p-1, 1831r-
1, 1835a, 1882, 2901-2907, 3105, 3310, 3331-3351, and 3906-3909, 15 
U.S.C. 78b, 781(b), 781(g), 781(i), 78o-4(c)(5), 78q, 78q-1, and 
78w; 31 U.S.C. 5318; 42 U.S.C. 4012a, 4104a, 4104b, 4106, and 4128.

Appendix D [Redesignated as Appendix D-1]

    2. Appendix D to part 208 is redesignated as Appendix D-1.
    3. A new appendix D-2 is added to part 208 to read as set forth at 
the end of the common preamble:

Appendix D-2 to Part 208--Interagency Guidelines Establishing Year 
2000 Standards for Safety and Soundness

    By Order of the Board of Governors of the Federal Reserve 
System, September 30, 1998.
Jennifer J. Johnson,
Secretary of the Board.

Federal Deposit Insurance Corporation

12 CFR Part 364

Authority and Issuance

    For the reasons set forth in the common preamble, part 364 of 
chapter III of title 12 of the Code of Federal Regulations is amended 
as follows:

PART 364--STANDARDS FOR SAFETY AND SOUNDNESS

    1. The authority citation for 12 CFR part 364 continues to read as 
follows:

    Authority: 12 U.S.C. 1819 (Tenth), 1831p-1.

    2. A new Appendix B is added to part 364 to read as set forth at 
the end of the common preamble:

Appendix B to Part 364--Interagency Guidelines Establishing Year 
2000 Standards for Safety and Soundness

    By Order of the Board of Directors,

    Dated at Washington, DC, this 8th Day of October, 1998.

Federal Deposit Insurance Corporation.
James D. LaPierre,
Deputy Executive Secretary.

Office of Thrift Supervision

12 CFR Part 570

Authority and Issuance

    For the reasons set forth in the common preamble, part 570 of 
chapter V of title 12 of the Code of Federal Regulations is amended as 
follows:

PART 570--SUBMISSION AND REVIEW OF SAFETY AND SOUNDNESS COMPLIANCE 
PLANS AND ISSUANCE OF ORDERS TO CORRECT SAFETY AND SOUNDNESS 
DEFICIENCIES

    1. The authority citation for part 570 continues to read as 
follows:

    Authority: 12 U.S.C. 1831p-1.

    2. A new appendix B is added to part 570 to read as set forth at 
the end of the common preamble:

Appendix B to Part 570--Interagency Guidelines Establishing Year 
2000 Standards for Safety and Soundness

    Dated: September 29, 1998.
Ellen Seidman,
Director.
[FR Doc. 98-27672 Filed 10-14-98; 8:45 am]
BILLING CODES 4810-33-P, 6210-01-P, 6714-01-P, 6720-01-P