[Federal Register Volume 64, Number 228 (Monday, November 29, 1999)]
[Rules and Regulations]
[Pages 66700-66706]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-30284]



[[Page 66699]]

_______________________________________________________________________

Part II

_______________________________________________________________________
Department of the Treasury
Office of the Comptroller of the Currency
_______________________________________________________________________
Federal Reserve System
_______________________________________________________________________
Federal Deposit Insurance Corporation
_______________________________________________________________________
Department of the Treasury
Office of Thrift Supervision
_______________________________________________________________________
12 CFR Part 30, et al.
Interagency Guidelines Establishing Year 2000 Standards for Safety and 
Soundness; Final Rule
Safety and Soundness Standards; Final Rule

  Federal Register / Vol. 64, No. 228 / Monday, November 29, 1999 / 
Rules and Regulations  

[[Page 66700]]


-----------------------------------------------------------------------


DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Part 30

[Docket No. 99-16]
RIN 1557-AB67

FEDERAL RESERVE SYSTEM

12 CFR Part 208

[Docket No. R-1017]

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Part 364

RIN 3064-AC18

DEPARTMENT OF THE TREASURY

Office of Thrift Supervision

12 CFR Part 570

[Docket No. 99-35]
RIN 1550-AB27


Interagency Guidelines Establishing Year 2000 Standards for 
Safety and Soundness

AGENCIES: Office of the Comptroller of the Currency, Treasury; Board of 
Governors of the Federal Reserve System; Federal Deposit Insurance 
Corporation; and Office of Thrift Supervision, Treasury.

ACTION: Final uniform guidelines.

-----------------------------------------------------------------------

SUMMARY: The Office of the Comptroller of the Currency (OCC), the Board 
of Governors of the Federal Reserve System (Board), the Federal Deposit 
Insurance Corporation (FDIC), and the Office of Thrift Supervision 
(OTS) (collectively, the Agencies) are adopting in final form the 
interim guidelines establishing Year 2000 safety and soundness 
standards for insured depository institutions published by the Agencies 
on October 15, 1998, and in effect since that date. This issuance of 
final guidelines (Guidelines), pursuant to section 39 of the Federal 
Deposit Insurance Act (FDI Act), is a technical action of the Agencies, 
which remain confident that, based on their reviews, insured depository 
institutions are appropriately preparing for the Year 2000.

EFFECTIVE DATE: The final Guidelines are effective November 29, 1999.

FOR FURTHER INFORMATION CONTACT: OCC: Mark L. O'Dell, Director, Year 
2000 Bank Supervision Policy (202) 874-2340; Brian McCormally, 
Assistant Director, Enforcement and Compliance (202) 874-4800; Karl 
Betz, Attorney, Legislative and Regulatory Activities (202) 874-5090; 
or Stuart E. Feldstein, Assistant Director, Legislative and Regulatory 
Activities (202) 874-5090, Office of the Comptroller of the Currency, 
250 E Street, SW, Washington, DC 20219.
    Board of Governors: Angela Desmond, Special Counsel, Division of 
Banking Supervision and Regulation (202) 452-3497; or Nancy Oakes, 
Counsel, Division of Banking Supervision and Regulation (202) 452-2743. 
For the hearing impaired only, Telecommunication Device for Deaf (TDD), 
Diane Jenkins (202) 452-3544, Board of Governors of the Federal Reserve 
System, 20th and C Streets, NW, Washington DC 20551.
    FDIC: Frank Hartigan, Year 2000 Project Manager, Division of 
Supervision (202) 898-6867; Sandy Comenetz, Year 2000 Project Manager, 
Legal Division (202) 898-3582; Richard Bogue, Counsel, Legal Division 
(202) 898-3726; or Nancy Chase Burton, Counsel, Legal Division (202) 
898-6533, Federal Deposit Insurance Corporation, 550 17th Street, NW, 
Washington, DC 20429.
    OTS: Dorothy Van Cleave, National Year 2000 Coordinator (202) 906-
7380; Stephen E. Hart, Assistant Chief Counsel, Office of Enforcement, 
Office of Chief Counsel (202) 906-7204; or Timothy P. Leary, Counsel 
(Banking & Finance), Regulations and Legislation Division, Office of 
Chief Counsel (202) 906-7170, Office of Thrift Supervision, 1700 G 
Street, NW, Washington, DC 20552.

SUPPLEMENTARY INFORMATION:

Background

    The Agencies today are issuing Guidelines establishing Year 2000 
standards for safety and soundness pursuant to section 39 of the FDI 
Act. 12 U.S.C. 1831p-1. Section 39 requires the Agencies to establish 
operational and managerial standards either in the form of a regulation 
or guidelines for insured depository institutions relating to, among 
other things, internal controls, information systems, and internal 
audit systems. Section 39 also authorizes the Agencies to prescribe 
operational and managerial standards as they determine to be 
appropriate, and to require institutions that fail to meet such 
standards to submit corrective action plans.1
---------------------------------------------------------------------------

    \1\ Standards issued under section 39 may take the form of 
regulations or guidelines. If an agency determines that an insured 
depository institution fails to meet any standard established by 
regulation, then, by the terms of the statute, the agency must 
require the institution to submit an acceptable plan to achieve 
compliance with the standard. If an agency determines that an 
insured depository institution fails to meet any standard 
established by guideline, the agency may require the institution to 
submit an acceptable compliance plan.
---------------------------------------------------------------------------

    On October 15, 1998, the Agencies requested comment on joint 
interim guidelines establishing Year 2000 standards for safety and 
soundness. 63 FR 55480. After careful review of the comments received, 
the Agencies adopt the interim guidelines with only minor technical 
changes, discussed in the following.
    The Guidelines are distilled from--and are intended to be 
consistent with--key principles contained in several FFIEC guidance 
papers 2 on important aspects of Year 2000 readiness. Among 
other things, the Guidelines describe certain essential steps that 
insured depository institutions must take at the awareness, assessment, 
renovation, validation (testing), and implementation phases of their 
efforts to achieve Year 2000 readiness. The Guidelines, for instance, 
establish standards for management and boards of directors in 
developing and managing Year 2000 project plans, validating remediation 
efforts, and planning for contingencies. The Guidelines do not replace 
or supplant the FFIEC guidance, which will continue to apply to all 
entities regulated or examined by the Agencies. Insured depository 
institutions also should refer to the FFIEC guidance.3
---------------------------------------------------------------------------

    \2\ Additional Questions and Answers Concerning Year 2000 
Business Resumption Contingency Planning (May 6, 1999); Year 2000 
Customer Communication Outline (February 17, 1999); Questions and 
Answers Concerning Year 2000 Contingency Planning (December 11, 
1998); Guidance Concerning Fiduciary Services and Year 2000 
Readiness (September 2, 1998); Questions and Answers Concerning 
FFIEC Year 2000 Policy (August 31, 1998); Guidance Concerning 
Contingency Planning in Connection with Year 2000 Readiness (May 13, 
1998); Guidance on Year 2000 Customer Awareness Programs (May 13, 
1998); Guidance Concerning Testing for Year 2000 Readiness (April 
10, 1998); Guidance Concerning the Year 2000 Impact on Customers 
(March 17, 1998); Guidance Concerning Institution Due Diligence in 
Connection with Service Provider and Software Vendor Year 2000 
Readiness (March 17, 1998); Safety and Soundness Guidelines 
Concerning the Year 2000 Business Risk (December 17, 1997); Year 
2000 Project Management Awareness (May 5, 1997); and The Effect of 
Year 2000 on Computer Systems (June 1996) [collectively, the FFIEC 
guidance].
    \3\ The standards in the Guidelines are described in mandatory 
terms in order to clarify the specific actions insured depository 
institutions are expected to take to achieve Year 2000 readiness. 
Nevertheless, as explained in the following, an Agency will decide 
whether to require corrective action under section 39 for an 
institution's noncompliance with these standards based on the 
circumstances of the particular case.
---------------------------------------------------------------------------

    The Agencies will use the existing rules regarding safety and 
soundness standards to require submission of

[[Page 66701]]

compliance plans by institutions that fail to comply with the 
Guidelines. Under those rules, an insured depository institution must 
file a compliance plan within 30 days of a request to do so from an 
appropriate Federal banking agency, unless a different date is 
prescribed by the agency. Within 30 days of the compliance plan's 
receipt, the agency must provide written notice to the insured 
depository institution of whether the compliance plan has been approved 
or if additional information is required.
    An insured depository institution that fails to submit an 
acceptable compliance plan within the time allowed or fails in any 
material respect to implement an accepted compliance plan will be 
subject to supervisory action, including an agency order directing the 
institution to correct the deficiency. The agency order is directly 
enforceable in Federal district court; there is no requirement for a 
prior administrative adjudication. See 12 U.S.C. 1818(i)(1). A 
violation of such an order can serve as the basis for assessing civil 
money penalties and other enforcement remedies. See 12 U.S.C. 
1818(i)(2). Section 39 also describes certain supervisory actions that 
an agency may take, and in certain cases must take, until the 
deficiency is corrected.

Description of the Guidelines and Comments Received

    In response to the interim guidelines, the Agencies received nine 
comments. The commenters include three depository institutions, three 
trade associations, one state banking regulator, and two individuals. 
The commenters supported the interim guidelines. Several commenters, 
however, suggested modifications to the interim guidelines. A 
discussion of these comments and changes to the interim guidelines 
follows.

Definitions (I.B.)

    The Guidelines define certain key terms to help clarify the types 
of actions insured depository institutions are expected to undertake. 
For example, the Guidelines define the terms ``external system,'' 
``internal system,'' ``external third party supplier,'' ``other 
material third party,'' ``renovation,'' and ``remediation contingency 
plan.'' The Agencies received no comments on these definitions and are 
adopting them without any changes.
    The Guidelines also define the key term ``mission-critical 
system.'' The interim guidelines defined a mission-critical system as 
``an application or system that is vital to the successful continuance 
of a core business activity.'' The Agencies made one clarifying change 
to this definition in the Guidelines so that it covers ``an application 
or system that is vital to the successful continuance of a core 
business activity or process.'' The FFIEC guidance interchangeably uses 
the terms core business activity, core business process, or core 
business function in the context of discussing a mission-critical 
system. The Agencies find that these terms are synonymous and, 
therefore, may be used interchangeably for purposes of defining a 
mission-critical system.
    Under the Guidelines, applications or systems interfacing with 
designated mission-critical systems and software products also may be 
mission-critical. Two commenters suggested that the Agencies revise the 
definition of a mission-critical system to clarify further the types of 
interfacing applications and software products that may be mission-
critical. The first commenter urged the Agencies to consider an 
application that interfaces with a mission-critical system to be 
mission-critical only if the application's failure would prevent the 
continuance of the core business activity supported by such mission-
critical system. The second commenter requested additional guidance on 
what systems and applications, particularly software products, are 
mission-critical and suggested that the definition contrast mission-
critical systems with non-mission-critical systems.
    To address these concerns, the Agencies emphasize that the question 
whether a specific system or application qualifies as ``mission-
critical'' depends on whether it is ``vital to the successful 
continuance of a core business activity or process.'' Since it is 
conceivable that a system or application that is mission-critical for 
one insured depository institution may not be mission-critical for 
another, neither the FFIEC guidance nor the Guidelines provide 
illustrative examples of mission-critical systems. The FFIEC guidance, 
however, further describes core business activities or processes. As 
stated in the FFIEC guidance, a core business activity or process means 
a task or group of tasks that must be performed together to ensure that 
an insured depository institution continues to be viable. A core 
business activity or process is generally defined along functional 
lines. For example, the deposit function, lending function, payments 
function, and investment function are examples of a core business 
activity or process.
    Likewise, an application or system that interfaces with a 
designated mission-critical system also qualifies as mission-critical 
if it is vital to the successful continuance of a core-business 
activity or process. Specific mission-critical systems may be 
components of a number of core business activities or processes and may 
serve as interfaces between and among the operations of core business 
activities or processes. For example, the deposit taking function is a 
core business activity or process that could depend on various 
interfacing mission-critical systems, such as the automated clearing 
house (ACH), proof, and deposit systems.4
---------------------------------------------------------------------------

    \4\ See FFIEC Questions and Answers Concerning Year 2000 
Contingency Planning (December 11, 1998) (discussing how core 
business processes relate to mission-critical systems).
---------------------------------------------------------------------------

    The Guidelines also define ``business resumption contingency plan'' 
as a plan that ``describes how mission-critical systems of the insured 
depository institution will continue to operate if there are system 
failures * * *'' One commenter requested the Agencies to revise this 
definition to focus on the resumption of core business activities in 
the event of Year 2000-related system failures. As noted above, the 
term ``mission-critical system'' covers those systems and applications 
that are vital to the successful continuance of a core business 
activity or process. Accordingly, the Agencies find that the definition 
of a business resumption contingency plan, as stated in the interim 
guidelines, already focuses only on the resumption of systems vital to 
the successful continuance of a core business activity or process and, 
therefore, no change to the Guidelines is necessary.
    Finally, the Agencies made minor, but clarifying changes to the 
definitions of ``business resumption contingency plan'' and ``Year 2000 
ready or readiness.'' The interim guidelines inadvertently used the 
conjunction or instead of and in these two definitions, and this has 
been corrected in the final Guidelines.

Review of Mission-Critical Systems for Year 2000 Readiness (II.A.)

    The Guidelines specify that an insured depository institution's 
initial review of mission-critical systems for Year 2000 readiness 
should provide the basis for establishing priorities and deadlines and 
for identifying and allocating available resources. The development and 
implementation of a written due diligence process to monitor and 
evaluate Year 2000 efforts by third party service providers and 
software vendors is a critical component of an institution's initial 
assessment. The

[[Page 66702]]

Guidelines also require each insured depository institution to develop 
and adopt a written project plan that addresses each phase of the 
planning process. However, an insured depository institution that has 
already developed and adopted an adequate written project plan, or 
other plans and procedures for achieving Year 2000 readiness, need not 
prepare a new, separate project plan, or other plans and procedures, 
just to satisfy the Guidelines. Plans and procedures already adopted 
may suffice if they have been reviewed and deemed acceptable under the 
Guidelines by the appropriate Agency. The Agencies did not receive any 
comments on these provisions and, therefore, adopt them without any 
changes.

Renovation of Internal and External Mission-Critical Systems (II.B. and 
II.C.)

    The Guidelines distinguish between renovation of systems controlled 
by the insured depository institution (internal mission-critical 
systems) and those controlled by a third party (external mission-
critical systems). Renovation of internal mission-critical systems must 
be completed in sufficient time for testing to be substantially 
complete by December 31, 1998.
    Insured depository institutions relying on systems controlled and 
renovated by external third party suppliers must determine the ability 
of their service providers and software vendors to address Year 2000 
readiness for external mission-critical systems that are not Year 2000 
ready and to establish programs that allow testing and remediation to 
be substantially completed by March 31, 1999. Insured depository 
institutions also must develop in writing an ongoing due diligence 
process to monitor and evaluate the efforts of external third party 
suppliers to achieve Year 2000 readiness. As part of this process, the 
institutions must maintain written documentation of their 
communications with external third party suppliers regarding the third 
party suppliers' efforts to achieve Year 2000 readiness and review the 
institution's contractual arrangements with third party suppliers to 
determine the parties' respective rights and obligations to achieve 
Year 2000 readiness. In response to one commenter's concerns, the 
Agencies clarify that the Guidelines require the institution to review 
only those contracts pertaining to external mission-critical systems.

Testing of Mission-Critical Systems (II.D.)

    The Agencies consider testing to be a critical process in achieving 
Year 2000 readiness. Failure of an insured depository institution to 
perform adequate testing of mission-critical systems poses a risk to 
the safe and sound operation of the institution. Failure to conduct 
thorough testing may mask serious remediation problems. Failure to 
properly identify or correct those problems could threaten the safety 
and soundness of the institution. The Guidelines reflect the Agencies' 
expectations on the timing and scope of required testing.
    One commenter raised concerns about the inability of an institution 
to meet the internal testing deadline because of extended delays by 
software vendors in producing software that is Year 2000 ready. 
Software products may be either internal or external systems, depending 
on whether the insured depository institution has control over the 
renovation. For example, in ``turnkey'' situations, where an 
institution has purchased software from a vendor and does all the data 
processing in-house or where it has a software license from a vendor 
and does all the data processing in-house, these are ``internal'' 
systems. Under the Guidelines, the purchase or license arrangement is 
deemed to give the institution responsibility for renovation, even 
though the software vendor must perform the actual renovation. 
Therefore, these situations were subject to the testing deadline for 
``internal'' systems, which was December 31, 1998.

Contingency Planning (II.E. and II.F.)

    Another essential component of achieving Year 2000 readiness 
addressed in the Guidelines is the development and implementation of 
effective contingency plans for Year 2000 technology failures. The 
Guidelines require an insured depository institution to design 
contingency plans appropriate for the institution's technological 
systems and operating structure that describe how the institution will 
mitigate the risks associated with the failure of systems (the business 
resumption contingency plan) and, as applicable, the failure to 
complete renovation, testing, or implementation of its mission-critical 
systems (the remediation contingency plan).
    As noted in recent FFIEC guidance, contingency planning is a 
dynamic process. An effective contingency plan may become inadequate at 
a later date if the institution does not revise the plan to address 
current needs. Accordingly, each insured depository institution must 
continue to update the contingency plans it has developed and 
implemented, as needed, to ensure that the plans remain effective. For 
example, some institutions rated less than satisfactory after June 1999 
may need to establish plans that address obtaining alternative sources 
of service, transitioning to a new service provider, discontinuing the 
provision of certain bank services, and/or creating standardized backup 
programs for their deposit and loan accounts.

Customer Risk (II.G.)

    The Guidelines require insured depository institutions to implement 
a due diligence process that identifies customers posing material Year 
2000 risks, evaluates their Year 2000 preparedness, assesses their Year 
2000 risk, and implements appropriate risk controls. The Agencies 
received no comments on this section and, therefore, adopt this section 
without any changes.

Involvement of the Board of Directors and Management (II.H.)

    The Guidelines require the board of directors and management to be 
involved in all stages of the institution's efforts to achieve Year 
2000 readiness. Management and the board of directors together must be 
actively involved in efforts to plan, allocate resources, and monitor 
progress towards attaining Year 2000 readiness. Management must provide 
to the board of directors written status reports at least quarterly or 
as otherwise required to keep the board of directors fully informed of 
the institution's Year 2000 efforts.
    One commenter noted that the Guidelines are inconsistent with the 
FFIEC guidance in that they impose on the board of directors an 
inappropriate management function and a greater burden than would exist 
under accepted notions of corporate governance. The Agencies do not 
intend to alter traditional notions of corporate responsibility of the 
board of directors. The FFIEC guidance, as reflected in the Guidelines, 
emphasizes that Year 2000 issues present an enterprise-wide challenge, 
necessitating the active involvement of both senior management and the 
board of directors in overseeing the insured depository institution's 
internal Year 2000 efforts and monitoring its business risks. As stated 
in the FFIEC guidance, however, senior management continues to be 
responsible for the day-to-day management of the project. In order to 
erase any confusion on this point, however, the Agencies deleted the 
word ``managing'' from

[[Page 66703]]

section H.1. of the Guidelines. The Guidelines now require only that 
the board of directors and management ``be actively involved in efforts 
to plan, allocate resources, and monitor progress towards attaining 
Year 2000 readiness.''
    Another commenter noted that management, in the past, generally 
provided oral status reports to the board of directors documented in 
the minutes. The commenter requested clarification whether this 
practice would satisfy the requirement for written status reports. The 
Agencies recognize that practices for documenting management's status 
updates to the board of directors varied from institution to 
institution. To ensure consistency in documenting an institution's 
progress in attaining Year 2000 readiness, however, the Agencies will 
require management to provide to the board of directors written status 
reports. Therefore, the Agencies are adopting this section without any 
changes.

Section 39 Remedies

    The Guidelines enable the Agencies to use the streamlined 
compliance and enforcement mechanisms provided by section 39 to 
address, in appropriate circumstances, Year 2000 readiness-related 
safety and soundness concerns in insured depository institutions. 
Section 39 remedies for insured depository institutions allow the 
Agencies to move promptly in situations where immediate supervisory 
action is essential for safety and soundness reasons.
    Nonetheless, issuance of a safety and soundness order pursuant to 
section 39 may not be the most appropriate remedy in every case where 
an insured depository institution fails to comply with the Guidelines. 
It is for this reason the Agencies have chosen to proceed by guideline, 
within the meaning of section 39, rather than by regulation. As is the 
case with respect to the Agencies' 1995 safety and soundness 
guidelines, the Agencies also wish to preserve their discretion to 
require supervisory actions different from those prescribed by section 
39 with respect to the Guidelines if a different action is warranted by 
the facts and circumstances of a particular situation.
    The Guidelines do not limit the authority of an Agency to address 
unsafe or unsound practices or conditions, violations of law, or other 
practices, or to adopt appropriate remedies to achieve compliance with 
the Guidelines, including requiring actions by dates that are different 
from those set forth in the Guidelines. Actions under section 39 and 
the Guidelines may be taken independently of, in conjunction with, or 
in addition to, other appropriate enforcement actions.
    The Agencies note that by law the Guidelines apply only to insured 
depository institutions, not to all financial institutions supervised 
by the Agencies, such as bank holding companies and U.S. offices of 
foreign banking organizations. The Agencies will continue to examine 
and inspect all financial institutions that they supervise for 
compliance with the FFIEC guidance and may use their authority under 
section 8 of the FDI Act if these institutions fail to comply with the 
FFIEC guidance.

Effective Date

    The Agencies find good cause for issuing the Guidelines effective 
immediately. Cf. 5 U.S.C. 553(d) (good cause exception to APA 
requirement for a 30 day delayed effective date for final rule); 12 
U.S.C. 4802(b)(1) (good cause exception to the CDRIA requirement that 
the Federal banking agencies make rules effective on the first day of a 
calendar quarter which begins on or after the date on which the 
regulations are published in final form). Making the Guidelines 
effective immediately is essential for ensuring that the Agencies can 
properly and timely address the Year 2000 problem and that insured 
depository institutions can achieve Year 2000 readiness in the 
relatively short time remaining before Year 2000 problems may begin to 
occur. The Agencies note that Congress has recently underscored the 
importance and urgency of ensuring Year 2000 readiness in the financial 
services sector by passing the Examination Parity and Year 2000 
Readiness for Financial Institutions Act, Public Law 105-164, sec. 2, 
112 Stat. 32, 32 (1998). Congress expressly found that the Year 2000 
problem poses a serious challenge to the American economy, including 
the Nation's banking and financial services industries, and that 
Federal financial regulatory agencies must have sufficient examination 
authority to ensure that the safety and soundness of the Nation's 
financial institutions will not be at risk. Under these circumstances, 
the Agencies conclude that they have good cause for issuing the 
Guidelines with an immediate effective date.

Regulatory Flexibility Act Analysis

    The Regulatory Flexibility Act (RFA) does not apply to a rule for 
which an agency is not required to publish a notice of proposed 
rulemaking. 5 U.S.C. 603. In issuing the interim guidelines, the 
Agencies concluded, for good cause, that they are not required to 
publish a notice of proposed rulemaking. Accordingly, they issued the 
interim guidelines without prior notice and comment to be effective 
immediately. Since the RFA does not apply to a rule for which an agency 
is not required to publish a notice of proposed rulemaking, the 
Agencies also conclude that the RFA does not require a regulatory 
flexibility analysis of these joint final guidelines.
    Nonetheless, the Agencies considered the likely economic impact of 
the Guidelines on small entities and believe that the Guidelines do not 
have a significant impact on a substantial number of small entities. 
The potential inability of computers to correctly recognize certain 
dates in 1999 and on and after January 1, 2000, compels all 
institutions, including small institutions, to formulate appropriate 
and timely management responses. The Guidelines provide a procedural 
framework for formulating that response and reiterate the Agencies' 
expectations, distilled from existing FFIEC guidance, regarding 
appropriate business practices for achieving Year 2000 readiness. For 
example, as indicated earlier in this preamble, plans and procedures 
that institutions have already developed to achieve Year 2000 readiness 
can satisfy the Guidelines if they have been reviewed and deemed 
acceptable by the appropriate Agency. The Agencies requested comments 
on the impact of the Guidelines on small entities and received no 
comments.

Paperwork Reduction Act

    These Guidelines contain no continuing information collections that 
must be approved by the Office of Management and Budget (OMB).

Executive Order 12866

    The OCC and OTS have determined that the Guidelines are not a 
significant regulatory action under Executive Order 12866.

OCC and OTS: Unfunded Mandates Reform Act Analysis

    The Unfunded Mandates Reform Act of 1995 (UMA), Public Law 104-4, 
applies only when an agency is required to promulgate a general notice 
of proposed rulemaking or to a final rule for which a general notice of 
proposed rulemaking was published. 2 U.S.C. 1532. As noted above, the 
Agencies did not publish a general notice of proposed rulemaking when 
they, for good cause, issued the interim guidelines with an immediate 
effective date. Accordingly, the OCC and OTS conclude that the UMA does 
not require an unfunded mandates analysis of the Guidelines.

[[Page 66704]]

    Moreover, the OCC and OTS believe that the Guidelines will not 
result in expenditures by State, local, and tribal governments, or by 
the private sector, of more than $100 million in any one year. 
Accordingly, neither the OCC nor the OTS has prepared a budgetary 
impact statement or specifically addressed the regulatory alternatives 
considered.

Text of Uniform Final Guidelines (All Agencies)

    The text of the Agencies' uniform final guidelines appears below:

Appendix ____ To Part ____ Interagency Guidelines Establishing Year 
2000 Standards for Safety and Soundness

Table of Contents

I. Introduction
    A. Preservation of existing authority
    B. Definitions
II. Year 2000 Standards for Safety and Soundness
    A. Review of mission-critical systems for Year 2000 readiness
    B. Renovation of internal mission-critical systems
    C. Renovation of external mission-critical systems
    D. Testing of mission-critical systems
    E. Business resumption contingency planning
    F. Remediation contingency planning
    G. Customer risk
    H. Involvement of the board of directors and management

I. Introduction

    The Interagency Guidelines Establishing Year 2000 Standards for 
Safety and Soundness (Guidelines) set forth safety and soundness 
standards pursuant to section 39 of the Federal Deposit Insurance 
Act (section 39) (12 U.S.C. 1831p-1) that are applicable to an 
insured depository institution's efforts to achieve Year 2000 
readiness. The Guidelines, which also interpret the general 
standards in the Interagency Guidelines Establishing Standards for 
Safety and Soundness adopted in 1995, apply to all insured 
depository institutions.

A. Preservation of Existing Authority

    Neither section 39 nor the Guidelines in any way limits the 
authority of the Federal banking agencies to address unsafe or 
unsound practices, violations of law, unsafe or unsound conditions, 
or other practices. The Federal banking agencies, in their sole 
discretion, may take appropriate actions so that insured depository 
institutions will be able to successfully continue business 
operations after January 1, 2000, including on a case-by-case basis 
requiring actions by dates that are later than the key dates set 
forth in the Guidelines. Action under section 39 and the Guidelines 
may be taken independently of, in conjunction with, or in addition 
to any other action, including enforcement action, available to the 
Federal banking agencies.

B. Definitions

    1. In general. For purposes of the Guidelines the following 
definitions apply:
    a. Business resumption contingency plan means a plan that 
describes how mission-critical systems of the insured depository 
institution will continue to operate in the event there are system 
failures in processing, calculating, comparing, or sequencing date 
or time data from, into, or between the 20th and 21st centuries; and 
the years 1999 and 2000; and with regard to leap year calculations.
    b. External system means a system the renovation of which is not 
controlled by the insured depository institution, including systems 
provided by service providers and any interfaces with external third 
party suppliers and other material third parties.
    c. External third party supplier means a service provider or 
software vendor that supplies services or products to insured 
depository institutions.
    d. Internal system means a system the renovation of which is 
controlled by the insured depository institution, including 
software, operating systems, mainframe computers, personal 
computers, readers/sorters, and proof machines. An internal system 
also may include a system controlled by the insured depository 
institution with embedded integrated circuits (e.g., heating and 
cooling systems, vaults, communications, security systems, and 
elevators).
    e. Mission-critical system means an application or system that 
is vital to the successful continuance of a core business activity 
or process. An application or system may be mission-critical if it 
interfaces with a designated mission-critical system. Software 
products also may be mission-critical.
    f. Other material third party means a third party, other than an 
external third party supplier, to whom an insured depository 
institution transmits data or from whom an insured depository 
institution receives data, including business partners (e.g., credit 
bureaus), other insured depository institutions, payment system 
providers, clearinghouses, customers, and utilities.
    g. Remediation contingency plan means a plan that describes how 
the insured depository institution will mitigate the risks 
associated with the failure to successfully complete renovation, 
testing, or implementation of its mission-critical systems.
    h. Renovation means code enhancements, hardware and software 
upgrades, system replacements, and other associated changes that 
ensure that the insured depository institution's mission-critical 
systems and applications are Year 2000 ready.
    i. Year 2000 ready or readiness with respect to a system or 
application means a system or application accurately processes, 
calculates, compares, or sequences date or time data from, into, or 
between the 20th and 21st centuries; and the years 1999 and 2000; 
and with regard to leap year calculations.

II. Year 2000 Standards for Safety and Soundness

    A. Review of Mission-Critical Systems For Year 2000 Readiness. 
Each insured depository institution shall in writing:
    1. Identify all internal and external mission-critical systems 
that are not Year 2000 ready;
    2. Establish priorities for accomplishing work and allocating 
resources to renovating internal mission-critical systems;
    3. Identify the resource requirements and individuals assigned 
to the Year 2000 project on internal mission-critical systems;
    4. Establish reasonable deadlines for commencing and completing 
the renovation of such internal mission-critical systems;
    5. Develop and adopt a project plan that addresses the insured 
depository institution's Year 2000 renovation, testing, contingency 
planning, and management oversight process; and
    6. Develop a due diligence process to monitor and evaluate the 
efforts of external third party suppliers to achieve Year 2000 
readiness.
    B. Renovation of Internal Mission-Critical Systems. Each insured 
depository institution shall commence renovation of all internal 
mission-critical systems that are not Year 2000 ready in sufficient 
time that testing of the renovation can be substantially completed 
by December 31, 1998.
    C. Renovation of External Mission-Critical Systems. Each insured 
depository institution shall:
    1. Determine the ability of external third party suppliers to 
renovate external mission-critical systems that are not Year 2000 
ready and to complete the renovation in sufficient time to 
substantially complete testing by March 31, 1999;
    2. Maintain written documentation of all its communications with 
external third party suppliers regarding their ability to renovate 
timely and effectively external mission-critical systems that are 
not Year 2000 ready; and
    3. Develop in writing an ongoing due diligence process to 
monitor and evaluate the efforts of external third party suppliers 
to achieve Year 2000 readiness, including:
    a. monitoring the efforts of external third party suppliers to 
achieve Year 2000 readiness on at least a quarterly basis and 
documenting communications with these suppliers; and
    b. reviewing the insured depository institution's contractual 
arrangements with external third party suppliers to determine the 
parties' rights and obligations to achieve Year 2000 readiness.
    D. Testing of Mission-Critical Systems. Each insured depository 
institution shall:
    1. Develop and implement an effective written testing plan for 
both internal and external systems. Such a plan shall include the 
testing environment, testing methodology, testing schedules, budget 
projections, participants to be involved in testing, and the 
critical dates to be tested to achieve Year 2000 readiness;
    2. Verify the adequacy of the testing process and validate the 
results of the tests with the assistance of the project manager 
responsible for Year 2000 readiness, the owner of the system tested, 
and an objective independent party (such as an auditor, a 
consultant, or a qualified individual from within or outside of the 
insured depository institution who is independent of the process 
under review);

[[Page 66705]]

    3. Substantially complete testing of internal mission-critical 
systems by December 31, 1998;
    4. Commence testing of external mission-critical systems by 
January 1, 1999;
    5. Substantially complete testing of external mission-critical 
systems by March 31, 1999;
    6. Commence testing with other material third parties by March 
31, 1999; and
    7. Complete testing of all mission-critical systems by June 30, 
1999.
    E. Business Resumption Contingency Planning. Each insured 
depository institution shall develop and implement an effective 
written business resumption contingency plan that, at a minimum:
    1. Defines scenarios for mission-critical systems failing to 
achieve Year 2000 readiness;
    2. Evaluates options and selects a reasonable contingency 
strategy for those systems;
    3. Provides for the periodic testing of the business resumption 
contingency plan; and
    4. Provides for independent testing of the business resumption 
contingency plan by an objective independent party, such as an 
auditor, consultant, or qualified individual from another area of 
the insured depository institution who was not involved in the 
formulation of the business resumption contingency plan.
    F. Remediation Contingency Planning. Each insured depository 
institution that has failed to successfully complete renovation, 
testing, and implementation of a mission-critical system, or is in 
the process of remediation and is not on schedule with the key dates 
in section II.D., shall develop and implement an effective written 
remediation contingency plan that, at a minimum:
    1. Outlines the alternatives available if remediation efforts 
are not successful, including the availability of alternative 
external third party suppliers, and selects a reasonable contingency 
strategy; and
    2. Establishes trigger dates for activating the remediation 
contingency plan, taking into account the time necessary to convert 
to alternative external third party suppliers or to complete any 
other selected strategy.
    G. Customer Risk. Each insured depository institution shall 
develop and implement a written due diligence process that:
    1. Identifies customers, including fund providers, fund takers, 
and capital market/asset management counterparties, that represent 
material risk exposure to the institution;
    2. Evaluates their Year 2000 preparedness;
    3. Assesses their existing and potential Year 2000 risk to the 
institution; and
    4. Implements appropriate risk controls, including controls for 
underwriting risk, to manage and mitigate their Year 2000 risk to 
the institution.
    H. Involvement of the Board of Directors and Management.
    1. During all stages of the renovation, testing, and contingency 
planning process, the board of directors and management of each 
insured depository institution shall:
    a. be actively involved in efforts to plan, allocate resources, 
and monitor progress towards attaining Year 2000 readiness;
    b. oversee the efforts of the insured depository institution to 
achieve Year 2000 readiness and allocate sufficient resources to 
resolve problems relating to the institution's Year 2000 readiness; 
and
    c. evaluate the Year 2000 risk associated with any strategic 
business initiatives contemplated by the insured depository 
institution, including mergers and acquisitions, major systems 
development, corporate alliances, and system interdependencies.
    2. In addition, the board of directors, at a minimum, shall 
require from management, and management shall provide to the board 
of directors, written status reports, at least quarterly and as 
otherwise appropriate to keep the directorate fully informed, of the 
insured depository institution's efforts in achieving Year 2000 
readiness. Such written status reports shall, at a minimum, include:
    a. The overall progress of the insured depository institution's 
efforts in achieving Year 2000 readiness;
    b. The insured depository institution's interim progress in 
renovating, validating, and contingency planning measured against 
the insured depository institution's Year 2000 project plan as 
adopted under section II.A.5. of appendix B;
    c. The status of efforts by key external third party suppliers 
and other material third parties in achieving Year 2000 readiness;
    d. The results of the testing process;
    e. The status of contingency planning efforts; and
    f. The status of the ongoing assessment of customer risk.

[End of text of Uniform Interagency Guidelines]

List of Subjects

12 CFR Part 30

    Administrative practice and procedure, National banks, Reporting 
and recordkeeping requirements, Safety and soundness.

12 CFR Part 208

    Accounting, Agriculture, Banks, banking, Confidential business 
information, Crime, Currency, Federal Reserve System, Mortgages, 
Reporting and recordkeeping requirements, Safety and soundness, 
Securities.

12 CFR Part 364

    Administrative practice and procedure, Bank deposit insurance, 
Banks, banking, Reporting and recordkeeping requirements, Safety and 
soundness.

12 CFR Part 570

    Accounting, Administrative practice and procedure, Bank deposit 
insurance, Holding companies, Reporting and recordkeeping requirements, 
Savings associations, Safety and soundness.

Adoption of Uniform Interagency Final Guidelines

    The agency specific adoptions of the uniform interagency final 
guidelines, which appear at the end of the common preamble, are set 
forth below.

Office of the Comptroller of the Currency

12 CFR CHAPTER I

Authority and Issuance

    For the reasons set forth in the common preamble, part 30 of 
chapter I of title 12 of the Code of Federal Regulations is amended as 
follows:

PART 30--SAFETY AND SOUNDNESS STANDARDS

    1. The authority citation for part 30 continues to read as follows:

    Authority: 12 U.S.C. 93a, 1818, 1831p-1, 3102(b).

    2. Appendix B to part 30 is revised to read as set forth at the end 
of the common preamble:

Appendix B to Part 30--Interagency Guidelines Establishing Year 
2000 Standards for Safety and Soundness

    Dated: October 12, 1999.
John D. Hawke, Jr.,
Comptroller of the Currency.

Federal Reserve System

12 CFR CHAPTER II

Authority and Issuance

    For the reasons set forth in the common preamble, part 208 of 
chapter II of title 12 of the Code of Federal Regulations is amended as 
follows:

PART 208--MEMBERSHIP OF STATE BANKING INSTITUTIONS IN THE FEDERAL 
RESERVE SYSTEM (REGULATION H)

    1. The authority citation for 12 CFR Part 208 continues to read as 
follows:

    Authority: 12 U.S.C. 24, 36, 92a, 93a, 248(a), 248(c), 321-338a, 
371d, 461, 481-486, 601, 611, 1814, 1816, 1818, 1823(j), 1828(o), 
1831o, 1831p-1, 1831r-1, 1835a, 1882, 2901-2907, 3105, 3310, 3331-
3351, and 3906-3909, 15 U.S.C. 78b, 781(b), 781(g), 781(i), 78o-
4(c)(5), 78q, 78q-1, and 78w; 31 U.S.C. 5318; 42 U.S.C. 4012a, 
4104a, 4104b, 4106, and 4128.

    2. The interim rule redesignating Appendix D to 12 CFR part 208 as 
Appendix D-1 to 12 CFR part 208 published at 63 FR 55480 on October 15, 
1998, is adopted as final.
    3. Appendix D-2 to part 208 is revised to read as set forth at the 
end of the common preamble:

[[Page 66706]]

Appendix D-2 to Part 208--Interagency Guidelines Establishing Year 
2000 Standards for Safety and Soundness

    By Order of the Board of Governors of the Federal Reserve 
System.

    Dated: October 22, 1999.
Robert deV. Frierson,
Associate Secretary of the Board.

Federal Deposit Insurance Corporation

12 CFR CHAPTER III

Authority and Issuance

    For the reasons set forth in the common preamble, part 364 of 
chapter III of title 12 of the Code of Federal Regulations is amended 
as follows:

PART 364--STANDARDS FOR SAFETY AND SOUNDNESS

    1. The authority citation for 12 CFR part 364 continues to read as 
follows:

    Authority: 12 U.S.C. 1819 (Tenth), 1831p-1.

    2. Appendix B to part 364 is revised to read as set forth at the 
end of the common preamble:

Appendix B to Part 364--Interagency Guidelines Establishing Year 
2000 Standards for Safety and Soundness

    By Order of the Board of Directors.

    Dated at Washington, DC, this 8th Day of November, 1999.

Federal Deposit Insurance Corporation.
Robert E. Feldman,
Executive Secretary.

Office of Thrift Supervision

12 CFR CHAPTER V

Authority and Issuance

    For the reasons set forth in the common preamble, part 570 of 
chapter V of title 12 of the Code of Federal Regulations is amended as 
follows:

PART 570--SUBMISSION AND REVIEW OF SAFETY AND SOUNDNESS COMPLIANCE 
PLANS AND ISSUANCE OF ORDERS TO CORRECT SAFETY AND SOUNDNESS 
DEFICIENCIES

    1. The authority citation for part 570 continues to read as 
follows:

    Authority: 12 U.S.C. 1831p-1.

    2. Appendix B to part 570 is revised to read as set forth at the 
end of the common preamble:

Appendix B to Part 570--Interagency Guidelines Establishing Year 
2000 Standards for Safety and Soundness

    Dated: October 15, 1999.
Ellen Seidman,
Director.
[FR Doc. 99-30284 Filed 11-26-99; 8:45 am]
BILLING CODE 4810-33-U; 6210-01-U; 6714-01-U; 6720-01-U