Dear Board of Directors:
This Letter to Credit Unions reminds credit unions of the upcoming change in the schedule for Daylight Saving Time (DST). DST in the United States will begin three weeks earlier and end one week later than in previous years. Credit unions may be exposed to a variety of risks if they do not prepare their systems to reflect this change.
The Energy Policy Act of 2005, signed into law August 2005, moves the beginning of DST from the first Sunday in April to the second Sunday in March. DST will now end the first Sunday in November instead of the last Sunday in October.
RISK MANAGEMENT CONSIDERATIONS
The impact of the change in DST may not cause systems failures, but without remediation and preparation, credit unions could experience logging errors, monitoring difficulties, degraded system performance, or disruptions of some services. In addition, malfunctioning systems could result in compliance errors (e.g., incorrect ATM disclosures) and security issues (e.g., malfunctioning security systems).
Credit union management should understand the potential impact of the DST change on their hardware and software and plan for appropriate changes. Servers, mainframes, other important systems, and essential computer clock-dependent processes should be set to synchronize with the new time change. Management should review both date and time stamp processes and the many time-sensitive routines essential to information systems.
Major operating system vendors should have suitable patches available for the most current releases of their systems. Vendors of other systems and applications may also have patches available. If, however, no patch is currently available, credit union management should confirm that their vendors will provide a suitable patch. Internally developed or customized systems may require custom patches or other special attention. Whether suitable patches are available or not, credit union management should develop and implement strategies to appropriately mitigate risks associated with this time change.
Other systems may be affected as well; for example, those controlling heating, air conditioning, lights, alarms, telephone systems, and the opening of cash vault doors. If third parties provide time-sensitive services, management should ensure that the servicers are planning to make appropriate changes.
Management should consider the following actions to ensure readiness for the new start of DST:
- Review and verify modifications necessary for all important systems and essential processes, including servers, applications, and utility systems.
- Ensure that critical systems will synchronize and function properly by testing or other means.
- Determine which systems are connected to the United States Naval Observatory Master (Atomic) Clock through a network time protocol (NTP or NTPD) and whether they will synchronize with the master clock at the appropriate moment.
- Contact third-party service providers to ensure that the credit union is protected.
- Determine whether systems require a manual procedure to be performed and whether a follow-up plan is needed.
- Ensure that systems adjustments will not be duplicated when the historic change date occurs.
- Ensure that all employees throughout the credit union are alerted to this change.
Several organizations, including the Financial Services Information Sharing and Analysis Center (FS-ISAC), recently issued alerts on this change. The NCUA encourages credit union management to consider participating in the FS-ISAC (www.fsisac.com (opens new window)) as part of an effort to detect and respond to intrusions and vulnerabilities.
If you have any questions or concerns, please contact your NCUA Regional Office or State Supervisory Authority.
JoAnn M. Johnson