The banks are behind, the Gartner Group testified to the House Banking Committee on November 4. They do not generally cooperate with each other. Yet this is a systemic problem.
This testimony is detailed. It is so important that I found it difficult to summarize. This list of problem areas is huge.
One matter is extremely important: bank runs. There could be a panic in 1999. "Since a significant number of people are planning for money and investment retrieval just prior to the millennium (2000), a panic could easily occur regarding savings, mutual funds, stocks, etc. Any news publicizing this issue just before 2000, could easily add to the panic. Banks and Financial Institutions in other countries will see critical failures, and this will also gain news attention."
* * * * * * *
• 73% of Banking Institutions are using outside service providers to supplement their resources or outsourcing altogether
• 87% are now using, or are planning to use Vendor Survey Letters to determine their vendor supplier's compliancy or compliancy strategy
• Many Banks have not yet secured business owners or business support to accomplish compliancy
• 72% of U.S. Banks have had their computing systems impacted by a merger or acquisition in the last 24 months
• Banks are typically taking longer to launch implementation efforts with service providers or tool vendors, due to contract approval processes, budget approval processes, the large number of steps required, and/or little large IT project expertise
• Many Banks still have little knowledge of their source code, where their source code is, what software is on what systems, or what transactions are done with what source code. IT infrastructure has been limited and planning is normally done very mainframe-centric (normally done with waterfall approaches and controlled by one/few individuals)
• Banks are budgeting 10-30% of their IT budget on Year 2000 projects
• Unlike other industries, Banking Institutions normally do not work with other Banks to solve the Year 2000 problem (to leverage vendors, and gain advanced knowledge) - some are participating in Year 2000 User Groups, but do not normally work closely with other institutions
Issues and Risks Associated with Current State of Banking Institutions
• Heavy emphasis on Legacy mainframes and some mini-computers, but little emphasis on client/server, PCs, infrastructure, servers, embedded systems, and non-IT supported systems
• It has been estimated that 11% of embedded firmware will have date sensitive errors or failures
• Many PCs have BIOS, operating system, disk logic, power supply logic, spread sheet compliance, networking, and other date sensitive problems
• Some infrastructure software and hardware solutions have date sensitive problems that can cause failures
• Many Internet servers will have date sensitive problems due to their operating systems and layered products and utilities
• Non-IT supported system failures can shut down facilities or cause stoppage of business operations. These include facilities, environmental, waste control, transportation, security, and many others
• Client/server systems are difficult to address, due to limited expertise at many banks, there are more numbers of source code languages used, they are normally more distributed, and there are far less tools to aid the compliance efforts
• High degree of dependency on vendor suppliers and supply chain providers
• 94% of Banks who have reached Level III use a survey letter to determine compliancy of vendors. Research now shows that typically only 25% of the surveys are returned with response information. We also found that only 3-10% of the 25% returned are accurate!
• Only 1% of Banks that reached Level III are analyzing and auditing their mission critical supply chain vendors - these are vendors who provide power, water, telephone service, Internet providers, and suppliers of critical raw materials or supplies
• Telecom and telephone services are behind Banking in Year 2000 compliancy (at Level I through III), and pose a risk of telecom failures
• Less than 100% replication testing is planned at the majority of Banks now at Level III
• Thorough testing is required on mission critical systems prior to installation in production, to avoid critical failures and errors
• Remediation of source code introduces errors and also does not catch all required changes - this equates to 10-15% errors that must be tested and fixed prior to re-installing into production
• Banks are not developing test scripts/writing test plans early enough, since this must be done prior to remediation design and planning
• During Level I through III, testing is normally under-estimated
• Panic withdrawals may occur
• 38% of IT professionals surveyed state they may withdraw personal assets from Banks and investment companies just prior to 2000
• Dependencies on loan customers -- risk assessment
• Banks are just beginning to consider strategies for addressing loan approval criteria, certification methods, and monitoring Year 2000 status of loan customers, to reduce risks of defaults due to Year 2000 failures
• Dependencies on recent merger partner companies
• After reaching Level IV or V, major set-backs may occur due to mergers or consolidations
• Systems and compliancy strategies may not coincide between two major Banks once a merger occurs -- likely to have used different tools, methods, conversion techniques, and interfaces
• Dependencies on Banks from other countries and currencies
• Many Banks have large investments in foreign currencies, companies, countries, or Banks
• Many emerging countries and economically poor countries are at high risk of financial failures.
• Lack of contingency planning
• Less than 1% of all Banks at Level III are planning to fail, and are designing and implementing contingency systems and processes. . . .
• Non-Bank related business failures and investments
• Estimates for business failures as a result of Year 2000 failures, have been stated as high as 20% of all companies worldwide
• Other estimates indicate that the Year 2000 problem will cause bankrupt conditions for several high risk country governments and monetary units who show signs of unstable conditions today, and are far behind on compliancy efforts
• Even if only 1% of all companies fail as a result of this problem, the world economy will be negatively affected. . . .
• Reduce Risk of Runs on Banks and Financial Institutions in 1999 Since a significant number of people are planning for money and investment retrieval just prior to the millennium (2000), a panic could easily occur regarding savings, mutual funds, stocks, etc. Any news publicizing this issue just before 2000, could easily add to the panic. Banks and Financial Institutions in other countries will see critical failures, and this will also gain news attention. . . .
The worldwide status of Banking and Financial Institutions vary widely according to geography and size of the Institution. In the U.S., large Banks have made progress during the past year, but are advancing at a slower pace than large insurance companies or large financial investment companies. . . .
Banking and Financial Institutions in foreign countries are moving slower than the U.S. (with a few exceptions). Many small, emerging, or financially troubled countries will see an economic impact from the Year 2000 problem. Banks and Financial Institutions in those countries will be at high risk when their monetary system witnesses affects from other non-Year 2000 problems. Smaller Banking and Financial Institutions are farther behind in their Year 2000 compliancy progress, and their probability for failure is higher than large Banks. The Banking companies have dependencies between Banks, across countries, and between Banks going through mergers or acquisitions, to also be concerned with.