Year 2000 Computing Crisis: National Credit Union Administration's
Efforts to Ensure Credit Union Systems Are Year 2000 Compliant (Stmnt.
for the Rec., 10/22/97, GAO/T-AIMD-98-20).

Pursuant to a congressional request, GAO reviewed the National Credit
Union Administration's (NCUA) progress in making sure that the automated
information systems belonging to the thousands of credit unions it
oversees are ready for the upcoming century change.

GAO noted that: (1) NCUA has taken steps to address the Year 2000
problem; (2) these involve incorporating the Year 2000 issue into its
examination and supervision program, disseminating information about the
problem, and assessing Year 2000 compliance on the part of data
processing vendors; (3) concerns exist that must be resolved if the NCUA
is to achieve greater certainty that credit unions will meet their Year
2000 deadline; (4) NCUA still does not have a complete picture of where
credit unions and their vendors stand in resolving the Year 2000
problem, and current efforts to determine credit union compliance are
behind the schedule established by GAO and the Office of Management and
Budget (OMB); (5) while NCUA sent questionnaires to credit unions and
data processing vendors about the problem, it has not yet queried 20
percent of credit unions and has only received 29 of 87 vendor
responses; (6) of the credit union and vendor responses received, NCUA
has not yet analyzed this information to identify high-risk credit
unions and vendors; (7) further, the surveys did not specifically ask
about the status of corrective efforts and whether interface issues were
appropriately being addressed; (8) NCUA has directed credit unions to
conduct contingency planning and its staff have discussed what steps
they should take should a credit union not be compliant by January 1,
2000; (9) however, the agency still lacks a formal contingency plan;
(10) NCUA must take prompt action to ensure that these discussions are
formally documented so that it will be well-positioned to handle
unforeseen problems; (11) as potentially damaging as the Year 2000
problem is, NCUA has not yet ensured that the issue is addressed by
credit union auditors; (12) doing so would provide credit union
management with a greater assurance and understanding about where their
institution stands in addressing the problem; (13) NCUA does not have
enough staff qualified to conduct examination work in complex system
areas; (14) at present, NCUA is in the process of hiring an electronic
data processing (EDP) auditor and is requesting authority to hire 2
more; and (15) these personnel additions may not suffice given the
tremendous workload and short time frame for getting it done.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-AIMD-98-20
     TITLE:  Year 2000 Computing Crisis: National Credit Union 
             Administration's Efforts to Ensure Credit Union Systems Are
             Year 2000 Compliant
      DATE:  10/22/97
   SUBJECT:  Information systems
             Credit unions
             Computer software
             Data integrity
             Systems conversions
             Bank examination
             Financial management systems
             Internal controls
             Strategic information systems planning
             ADP
IDENTIFIER:  NCUA Year 2000 Strategy
             
******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  Delineations within the text indicating chapter **
** titles, headings, and bullets are preserved.  Major          **
** divisions and subdivisions of the text, such as Chapters,    **
** Sections, and Appendixes, are identified by double and       **
** single lines.  The numbers on the right end of these lines   **
** indicate the position of each of the subsections in the      **
** document outline.  These numbers do NOT correspond with the  **
** page numbers of the printed product.                         **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                                            **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************


Cover
================================================================ COVER


For the Subcommittee on Financial Services and Technology, Committee
on Banking, Housing, and Urban Affairs, U.S.  Senate

For Release
at 10 a.m.
Wednesday,
October 22, 1997

YEAR 2000 COMPUTING CRISIS -
NATIONAL CREDIT UNION
ADMINISTRATION'S EFFORTS TO ENSURE
CREDIT UNION SYSTEMS ARE YEAR 2000
COMPLIANT

Statement for the Record by
Jack L.  Brock, Jr.
Director, Information Resources Management/
 General Government Issues
Accounting and Information Management Division

GAO/T-AIMD-98-20

GAO/AIMD-98-20T


(511108)


Abbreviations
=============================================================== ABBREV

  CUNA - Credit Union National Association
  EDP - electronic data processing
  NCUA - National Credit Union Administration
  OMB - Office of Management and Budget

============================================================ Chapter 0

Mr.  Chairman and Members of the Subcommittee: 

We are pleased to be asked to provide our views on the progress being
made by the National Credit Union Administration (NCUA) in ensuring
that automated information systems belonging to the thousands of
credit unions that NCUA oversees are ready for the upcoming century
date change.  If the Year 2000 problem is not addressed in time,
credit union computer systems--which affect billions of dollars of
assets and transactions--will be unable to readily process
transactions or produce accurate information.  According to NCUA,
without properly functioning systems, credit unions like other
financial institutions face the potential of failure. 

This testimony is the first in a series of reports you requested on
the status of efforts by federal financial regulatory agencies to
ensure that the organizations they oversee are ready to handle the
Year 2000 computer conversion challenge.  To prepare for this
testimony, we performed a quick overview of NCUA's efforts to date to
ensure that credit unions have adequately mitigated the risks
associated with the Year 2000 date change and compared these
activities to our Year 2000 Assessment Guide.\1 In performing the
overview, we interviewed NCUA officials responsible for examining and
overseeing the safety and soundness of credit union management
practices and procedures.  We reviewed examination policies,
procedures, and manuals--including specific examination procedures
for assessing Year 2000 compliance.  We also reviewed NCUA
correspondence to credit unions and third-party contractors (that
provide automated systems services to many credit unions) regarding
the Year 2000 problem.  Finally, we interviewed officials from the
Credit Union National Association, the National Association of State
Credit Union Supervisors, and the CUNA Mutual Group (which provides
liability insurance for the credit union industry).  We provided a
draft of this testimony to NCUA for review and comment.  NCUA
officials stated that they would provide written comments at a later
date.  We performed our work at NCUA headquarters in Alexandria,
Virginia, between October 7 and 17, 1997, in accordance with
generally accepted government auditing standards. 

As requested, my testimony today will highlight the Year 2000
problem's potential impact on credit unions and their systems.  I
will then discuss NCUA's Year 2000 strategy and highlight our
observations with its efforts to ensure that credit unions are
appropriately addressing the problem. 

In summary, we found that the Year 2000 problem poses a serious
dilemma for credit unions because they like other financial
institutions rely heavily on information systems.  We also found that
NCUA recognizes the severity of the problem, has developed a plan,
and has initiated action.  For example, NCUA issued several letters
to the credit unions informing them of the risks associated with Year
2000 problem.  In addition, working in conjunction with other federal
financial regulators, NCUA developed procedures for examiners to use
in reviewing credit union Year 2000 efforts.  However, we are
concerned with NCUA's approach because (1) current agency efforts to
determine industrywide compliance are behind the generally accepted
schedule for achieving Year 2000 compliance, and, consequently, NCUA
does not yet have a complete picture of where credit unions stand
individually or as an industry, (2) the agency lacks a formal,
documented contingency plan in case credit unions do not become
compliant in time or have other problems, (3) credit union internal
auditors may not be thoroughly addressing Year 2000 issues as part of
their work, and (4) NCUA does not have enough technical capability to
conduct Year 2000 and other examinations in complex systems areas. 


--------------------
\1 Year 2000 Computing Crisis:  An Assessment Guide
(GAO/AIMD-10.1.14, September 1997).  Published as a exposure draft in
February 1997 and finalized in September 1997, the guide was issued
to help federal agencies prepare for the Year 2000 conversion.  It
addresses common issues affecting most federal agencies and presents
a structured approach and a checklist to aid in planning, managing,
and evaluating Year 2000 programs.  The guide describes five
phases--supported by program and project management activities--with
each phase representing a major Year 2000 program activity or
segment.  While the guide focuses on federal agencies, it is general
enough that nonfederal organizations can also use it to assess their
automated systems. 


   THE YEAR 2000 PROBLEM POSES A
   SERIOUS DILEMMA FOR CREDIT
   UNIONS
---------------------------------------------------------- Chapter 0:1

Credit unions are nonprofit financial cooperatives organized to
provide their members with low-cost financial services.  According to
NCUA, as of 1996, federally insured credit union assets totaled $326
billion.  About one in four Americans belongs to a credit union, and
credit unions accounted for about 2 percent of the total financial
services in the United States. 

NCUA supervises and insures more than 7,200 federally chartered
credit unions and insures member deposits in an additional 4,200
state-chartered credit unions through the National Credit Union Share
Insurance Fund.  As part of its goal of maintaining the safety and
soundness of the credit unions, NCUA is responsible for ensuring
credit unions are addressing the Year 2000 problem. 

The Year 2000 problem is rooted in the way dates are recorded and
computed in automated information systems.  For the past several
decades, systems have typically used two digits to represent the
year, such as "97" representing 1997, in order to conserve on
electronic data storage and reduce operating costs.  With this
two-digit format, however, the year 2000 is indistinguishable from
1900, or 2001 from 1901.  As a result of this ambiguity, system or
application programs that use dates to perform calculations,
comparisons, or sorting may generate incorrect results. 

According to NCUA, most credit unions rely on computers to provide
for processing and updating of records and a variety of other
functions.  As such, the Year 2000 problem poses a serious dilemma
for the industry.  For example, the problem could lead to numerous
problems when calculations requiring the use of dates are performed,
such as calculating interest, calculating truth-in-lending or
truth-in-savings disclosures, and determining amortization schedules. 
Moreover, automated teller machines may also assume that all bank
cards are expired due to this problem.  In addition, errors caused by
Year 2000 miscalculations may expose institutions and data centers to
financial liability and risk of damage to customer confidence.  Other
systems important to the day-to-day business of credit unions may be
affected as well.  For example, telephone systems could shut down as
can vaults, security and alarm systems, elevators, and fax machines. 

In addressing the Year 2000 problem, credit unions must also consider
the computer systems that interface with, or connect to, their own
systems.  These systems may belong to payment system partners, such
as wire transfer systems, automated clearing houses, check clearing
providers, credit card merchant and issuing systems, automated teller
machine networks, electronic data interchange systems, and electronic
benefits transfer systems.  Because these systems are also vulnerable
to the Year 2000 problem, they can introduce and/or propagate errors
into credit unions systems.  Accordingly, credit unions must develop
comprehensive solutions to this problem and prevent unintentional
consequences from affecting their systems and the systems of others. 

To address these Year 2000 challenges, GAO issued its Year 2000
Assessment Guide\2 to help federal agencies plan, manage, and
evaluate their efforts.  The Office of Management and Budget (OMB),
which is responsible for developing the Year 2000 strategy for
federal agencies, also issued similar guidance.  Both require a
structured approach to planning and managing five delineated phases
of an effective Year 2000 program.  The phases include (1) raising
awareness of the problem, (2) assessing the complexity and impact the
problem can have on systems, (3) renovating, or correcting, systems,
(4) validating, or testing, corrections, and (5) implementing
corrected systems.  GAO has also identified other dimensions to
solving the Year 2000 problem, such as identifying interfaces with
outside organizations and their systems and establishing agreements
with these organizations specifying how data will be exchanged in the
year 2000 and beyond.  In addition, GAO and OMB have established a
timeline for completing each of the five phases and believe agencies
should have completed assessment phase activities last summer and
should be well into renovation with the goal of completing this phase
by mid to late 1998.  Our work at other federal agencies indicates
that because the cost of systems failures can be very high,
contingency plans must be prepared so that core business functions
will continue to be performed even if systems have not been made Year
2000 compliant. 


--------------------
\2 GAO/AIMD-10.1.14, September 1997. 


   NCUA HAS DEVELOPED A STRATEGY
   AND HAS INITIATED ACTION TO
   ADDRESS THE YEAR 2000 PROBLEM
---------------------------------------------------------- Chapter 0:2

NCUA has developed a three-pronged approach for ensuring that credit
unions are aggressively addressing the Year 2000 problem, which
encompasses (1) incorporating the Year 2000 issue into its
examination and supervision program, (2) disseminating information
about the problem to credit unions, and (3) assessing Year 2000
compliance on the part of credit union data processing vendors. 

The first aspect of NCUA's strategy, the examination and supervision
program, involves assessing credit union Year 2000 efforts through
regular annual examinations at the 7,200 federally chartered credit
unions and 30 to 40 percent of the 4,200 federally insured, state
chartered credit unions for which NCUA conducts an insurance review. 
These examinations seek to identify credit unions that are in danger
of not renovating their systems on time and to reach "formal
agreements" that specify corrective measures.  In conducting these
reviews, examiners are to follow NCUA guidelines, which provide
step-by-step procedures for identifying problem areas.  Once a formal
agreement is reached, the examiner is expected to monitor the credit
union's implementation of the agreed-upon corrective measures.  Also
as part of its examination effort, NCUA has contracted a consulting
firm to train selected examiners in Year 2000 efforts.  Through this
training, NCUA expects to have one in-house Year 2000 specialist
available as a resource for every eight examiners.  In addition,
NCUA's board recently authorized the hiring of an electronic data
processing (EDP) auditor to provide more in-depth technical
assistance and education on Year 2000 problems. 

Another part of NCUA's examination and supervision strategy includes
working with state regulators to ensure that federally insured, state
chartered credit unions are also Year 2000 compliant.  Officials from
NCUA and the National Association of State Credit Union Supervisors
told us that all but two state regulators are following the same Year
2000 examination strategy established by NCUA; the other two state
regulators are planning on performing added steps in addition to
performing those included in NCUA's strategy. 

The second aspect of NCUA's strategy--information
dissemination--seeks to heighten credit union awareness of the Year
2000 problem.  In August 1996 and June 1997 letters to federally
insured credit unions, NCUA formally alerted credit unions to the
potential dangers of the Year 2000 problem, identified the specific
impacts the problem could have on the industry, provided detailed
explanations of the problem, and identified steps needed to correct
the problem.  It also related its plans to include Year 2000
evaluations in regular examinations and provided credit unions with
copies of its examination guidance.  In addition, NCUA has appointed
a Year 2000 executive responsible for achieving Year 2000 compliance
industrywide and assigned Year 2000 compliance officers to its
central office and six regional offices.  These staff will be
responsible for serving as Year 2000 focal points to coordinate
efforts across the agency.  Finally, NCUA is working with credit
union trade groups, such as the Credit Union National Association, in
raising awareness of Year 2000 issues. 

The third component of NCUA's program--vendor compliance--targets
organizations that provide electronic data processing services to
credit unions.  According to NCUA, approximately 40 vendors provide
data processing services to 76 percent of all federally insured
credit unions, which account for 79 percent of federally insured
credit union assets.  Consequently, it is vital that these vendors
correct their own systems and help ensure that information can be
easily transferred after the Year 2000 deadline.  NCUA has begun
identifying and contacting major EDP vendors, and it plans to assess
their efforts through questionnaires.  Specifically, in May 1997 and
again in August 1997, NCUA mailed a questionnaire to the 87 vendors,
including the 40 vendors that support the bulk of credit unions,
requesting information on Year 2000 readiness and, as of September
1997, had received 29 responses. 


   CONCERNS WITH NCUA'S YEAR 2000
   EFFORTS
---------------------------------------------------------- Chapter 0:3

While NCUA has initiated actions to build the Year 2000 issue into
examinations and to raise awareness about the issue among credit
unions and their vendors, our work to date has identified four issues
that must be addressed to provide greater assurance that NCUA efforts
will be successful. 

First and foremost of our concerns is that NCUA still does not have a
complete picture of where credit unions and their vendors stand in
resolving the Year 2000 problem, and current efforts to determine
credit union compliance are behind the schedule established by OMB
and GAO.  To collect information from the credit unions on their Year
2000 status, NCUA examiners used a high-level questionnaire that
inquired whether (1) credit union systems were capable and ready to
handle Year 2000 processing, (2) plans were in place to resolve the
problem, (3) enough funds were budgeted to correct systems, and (4)
responsibility and reporting mechanisms were appropriately
established to support the Year 2000 effort.  NCUA issued a separate
high-level questionnaire to credit union vendors.  However, as of the
time of our work, NCUA had not yet queried 20 percent of the credit
unions and had only received 29 of the 87 vendor responses.  In
addition, of the credit union and vendor responses received, NCUA has
not yet analyzed the information to determine which credit unions and
vendors are at high risk of not correcting their systems on time. 

This problem is compounded by the fact that the NCUA questionnaires
did not inquire about the status of efforts in completing each
important phase of correction:  (1) raising awareness of the problem,
(2) assessing the complexity and impact the problem can have on
systems, (3) renovating, or correcting, systems, (4) validating, or
testing, corrections, and (5) implementing corrected systems.  The
questionnaires also did not include system interface issues.  For
example, they did not inquire about (1) identifying interfaces with
outside organizations and their systems, such as payment, check
clearing, credit card, and benefit transfer systems, and (2)
establishing agreements with these organizations specifying how data
will be exchanged in the year 2000 and beyond. 

As a result, even when NCUA assesses the results, it still will not
have a complete understanding of how far along the industry is in
addressing the problem.  In addition, NCUA examinations are conducted
only on an annual basis.  This means that each credit union will be
examined only two more times between the end of 1997 and the year
2000.  Further, NCUA has not yet established a formal mechanism for
credit unions to submit interim progress reports to provide an
up-to-date picture of individual correction efforts between
examinations.  NCUA officials told us that examiners perform off-site
supervision in between exams by tracking performance via credit union
financial reports and by contacting credit union officials should a
problem arise.  However, this may not be enough given the seriousness
of the problem and the fact that the Year 2000 deadline is just 2
years away. 

Further complicating NCUA's situation is the fact that it is still
involved in assessment phase activities.  According to OMB and GAO
guidance, these activities should have been completed back in the
summer.  As it stands, NCUA does not plan to complete them until the
end of this calendar year. 

Accordingly, we believe NCUA should accelerate agency efforts to
complete the assessment of the state of the industry by no later than
November 15, 1997, rather than waiting until the end of the year. 
NCUA should also collect the necessary information to determine the
exact phase of each credit union and vendor in addressing the Year
2000 problem.  Because NCUA currently does not have a process in
place for interim reporting of this information between examinations,
NCUA should require credit unions to report the precise status
(phase) of their efforts on at least a quarterly basis.  One option
would be to use the financial reports, commonly referred to as call
reports, that credit unions provide to NCUA quarterly.  As part of
this report, NCUA should also require credit unions to report on the
status of identifying their interfaces to determine whether this
issue is being adequately addressed and, if not, require credit
unions to implement such agreements as soon as possible. 

A second concern we have with NCUA's efforts is that the agency does
not yet have a formal contingency plan.  Our Year 2000 Assessment
Guide\3 calls on agencies to initiate realistic contingency plans
during the assessment phase for critical systems to ensure the
continuity of their core business processes.  Contingency planning is
important because it identifies alternative activities, which may
include manual and contract procedures, to be employed should systems
fail to meet the Year 2000 deadline.  NCUA guidance directs credit
unions to conduct contingency planning, and NCUA officials told us
that they have developed numerous contingency options and have
discussed among the staff what steps to take should a credit union
not be compliant by January 1, 2000.  However, officials stated that
the precise actions have not been documented in a formal plan.  Not
having this plan increases the risk of unnecessary problems in an
already uncertain situation.  Consequently, we recommend that NCUA
formally document its contingency plans. 

A third concern that we have is that credit union auditors may not be
addressing the Year 2000 problem as part of their work.  NCUA
requires each credit union to perform supervisory committee audits. 
These audits are to determine whether management practices and
procedures are sufficient to safeguard members' assets and whether
effective internal controls are in place to guard against error,
carelessness, and fraud.  They are conducted by the credit union's
supervisory committee staff or by an outside accountant.  However,
NCUA officials noted that such reviews typically focus on general
controls (e.g., ensuring accurate data is entered into the system,
securing data from unauthorized use) and would not specifically
include controls to prevent malfunctions due to the Year 2000
problem.  Audits are an integral management control and expanding
their scope to include important and high-risk Year 2000 issues is
critical since it would provide credit union management with greater
assurance and understanding about where their institution stands in
addressing the problem. 

Accordingly, we are recommending to NCUA that it require credit
unions to implement the necessary management controls to ensure that
these financial institutions have adequately mitigated the risks
associated with the Year 2000 problem.  Specifically, NCUA should
require credit union auditors to include Year 2000 issues within the
scope of their management and internal control work and report
serious problems and corrective actions to NCUA immediately.  To aid
credit union auditors in this effort, NCUA should provide the
auditors with the procedures developed by NCUA for its examiners to
use in assessing Year 2000 compliance and any other guidance that
would be instructive. 

We also believe NCUA should require credit unions to establish
processes whereby credit union management would be responsible for
certifying Year 2000 readiness by a deadline well before the
millennium.  Such a certification process should include credit union
compliance testing by an independent third party and should allow
sufficient time for NCUA to review the results. 

Our fourth concern is that NCUA does not have enough staff qualified
to conduct examination work in complex technical areas.  At present,
NCUA is the process of hiring one EDP auditor to help examine
thousands of credit unions.  Recognizing this weakness, NCUA is
considering hiring up to three EDP auditors.  However, these
personnel additions may still not suffice given the tremendous
workload and the short time frame for getting it done.  To mitigate
this concern, we recommend that before the end of the year, NCUA
determine the level of technical capability needed to allow for
thorough review of credit unions' Year 2000 efforts and hire or
contract for this capability. 


--------------------
\3 GAO/AIMD-10.1.14, September 1997. 


   SUMMARY
---------------------------------------------------------- Chapter 0:4

Our initial work showed that NCUA has made some progress in
addressing Year 2000 compliance issues for credit unions systems that
it regulates.  However, we are concerned that NCUA (1) is behind
schedule and does not yet know the exact status of credit union Year
2000 readiness, (2) has not prepared a formal, detailed plan for
contingencies, (3) does not have assurance that sufficient credit
union management controls are in place to address Year 2000 problems,
and (4) is lacking sufficient technical capability.  These concerns
lead us to believe that NCUA needs to do more to ensure that credit
unions have adequately mitigated the risks associated with the Year
2000 problem, and we have made recommendations to assist NCUA in
addressing these issues. 


*** End of document. ***