In testimony before the House Banking Committee, James Devlin of Citibank outlined the magnitude of its problem. It's a worldwide problem, he says.
The most important section of his long testimony is this statement: "Citibank believes that each banking organization can, and will, address these contingency issues. But there is little that a single organization can do against systemic failures within, or external to, the banking industry. The issue then becomes not contingency planning but disaster recovery planning."
The key phrase is "systemic failures."
His testimony also included these items:
The usual deadline promise occurs: December 31, 1998, ready for testing.
The usual warning about vendors is here. The banks' vendors are not yet compliant.
The banks' borrowers are not yet compliant.
The telecommunications industry is behind the curve. Banks are dependent on it.
Foreign banks are behind.
Y2K insurance policies are inadequate to insure against the problem.
Yet the testimony regarding Citibank itself is upbeat and optimistic . . . except for "systemic failures," i.e., system's responsibility, for which no one is legally responsible.
* * * * * * * *
Citibank, N.A. ("Citibank") recognizes that the arrival of the year 2000 poses a unique worldwide challenge to the ability of all systems to recognize the date change from December 31, 1999 to January 1, 2000. . . .
. . . Citibank has positioned the Year 2000 date problem as a business issue (see Exhibit 2 - Investorís Business Daily, Wednesday, February 12, 1997) rather than just a technological one. The Senior Operating Committee, which includes the Bank's chairman and all senior managers, reviews corporate-wide progress in resolving the problem each quarter. In addition to these operational reviews, periodic status updates are provided to the Citicorp Board of Directors. . . .
. . . our global target is to complete all reprogramming and testing efforts by December 31, 1998, thus providing a full year (1999) for validation in production.
Third Party Compliance Activities
Citibank utilizes a wide array of hardware and software products around the world. We initiated a Year 2000 compliance certification program targeted at ensuring that those products will produce the expected results in all manipulations of time-related data (dates, durations, days of the week, etc.) as we move from the 20th to the 21st century.
Letters have been sent to our hardware and software vendors to advise them of Citibank's definition of Year 2000 Compliance and to request certification that their products meet (or will meet) that definition. . . .
We are confident that the program and initiatives we have implemented will help ensure a smooth transition for Citibank's customers and business partners. To date, Citibank, has not found, nor does it anticipate, any major problem in modifying its data processing systems to accurately process date and calendar data after 1999. Our findings are congruent with those who have identified the Year 2000 as a major project management and change management task. . . .
Anecdotal evidence suggests that smaller banks, especially those relying heavily on external service providers, have been slower to recognize and respond to the Year 2000 issue. To the extent that their service providers donít have active Year 2000 programs, these banks may be at risk without knowing the extent of their risk.
The Year 2000 problem has not generated the same sense of urgency in the banking industry outside the US. In some geographies, other issues are competing for resources and attention; for example: Europe is focused on the impact of the EMU; Japan is pre-occupied with the "big bang" and to some extent, the EMU. In Latin America, there has been a tendency to compare Year 2000 remediation to the currency changes with which they are familiar. Some governments do not appear to believe that remediation will be a major effort. Unlike the US, banking industry action in other countries is being primarily driven by ABA-like industry associations instead of banking regulators. Hopefully this will begin to change as a result of the recent Basle Committee on Banking Supervision Statement. In addition, Citibank, other banks and the New York Clearing House are engaged in activities to help raise awareness of the Year 2000 issue among non-US Central Banks and regulatory agencies. . . .
Bank remediation, testing and certification activities are negatively impacted by these vendor actions:
∑ the lack of clear and direct response to requests for the compliance status of products
∑ in limited cases, the use of the Year 2000 as a marketing ploy to force customer acceptance of expensive (and perhaps unnecessary) product upgrades
∑ the lack of consistent year 2000 compliance definitions across vendors
∑ the lack of consistent remediation approaches among vendors. . . .
Telecommunications vendors were late in getting started on their remediation efforts and have sometimes provided incorrect information due to the immaturity of their own programs. The banking industry would benefit from the following actions by telecommunications vendors:
∑ standard minimum definitions of compliance
∑ vendors agreement to certify products to these definitions
∑ establishment of industry target dates, for example
∑ June 1998 - for compliant products in adequate supply
∑ December 1998 - for certification of end-to-end service offerings
∑ co-operation with the banking industry in end-to-end testing. . . .
Citibank believes that the Year 2000 is a matter for broad business concern; it is not limited to simply the computer technicians. Any business or government can be at serious risk if these issues are not properly addressed, particularly if companies need to build exceptional liquidity to manage through the transition. That translates to an exceptional investment and credit quality factor that the financial community has never had to face before. It is likely to be an adverse event for its creditors and investors if a company's computers cease to operate because of the Year 2000 Problem. . . .
Companies also have to understand their suppliers' and customers' states of preparedness for Year 2000 problems. If a company cannot deliver its product because key suppliers cannot deliver or if the company's customers cannot purchase its products, the indirect financial consequences could be devastating. Companies that have not started to deal with the issue now are in serious jeopardy of not completing the task. We suspect that some of our clients may be at significant risk if they fail to address the problem expeditiously. . . .
That is why we have begun to assess client Year 2000 compliance and ability to manage the calendar transition. We have established a set of questions that our credit officers are exploring with our clients. Until this matter is fully behind us, all credit initiation memos, annual reviews and investment recommendations must include a discussion of the client's position vis-ŗ-vis these questions. They apply to all clients who have significant dependencies on computer data processing. We know from our own experience that this is crucial for financial institutions. It is obvious that large corporate, and even small corporate, clients may have complex issues. . . .
Citibank believes that each banking organization can, and will, address these contingency issues. But there is little that a single organization can do against systemic failures within, or external to, the banking industry. The issue then becomes not contingency planning but disaster recovery planning. . . .
We have reviewed available Year 2000 insurance programs designed to insure against losses arising out of the failure of Year 2000 conversions. We do not believe these programs offer any meaningful value to well capitalized financial institutions who are actively managing the conversion process. The policies have insufficient limits and are extremely expensive with very little risk taking by insurers. The typical premium charge will cost 60 - 80% of the limits purchased (i.e., a $100 million policy would cost $65 to $80 million). The bulk of the premium charge is used to create a loss fund account, the unused portion of which would be returned at termination of the policy. However, 10 - 15% of the total premium would be retained by the insurer, in addition to all interest earned on the total premium. By way of comparison, premiums for fidelity insurance and Directors and Officers Liability coverage, two of the most expensive insurances for banks, typically cost about $2 - $3 million for $100 million or more of limit.