As part of our Year 2000 Readiness Program, NCUA and our contractor performed onsite Year 2000 reviews of ten Information Systems Vendors (ISVs). These initial ten reviews were conducted prior to enactment of the Examination Parity and Year 2000 Readiness for Financial Institutions Act. Therefore, NCUA, at that time, had no regulatory authority over the ISVs. The reviews were conducted based on voluntary agreements with the ISVs; part of the agreements included non-disclosure of the specific results of the reviews. The purpose of this letter, then, is to provide you with general information on the results of the reviews.
Which Information System Vendors did we review?
We selected ten ISVs that provide data processing services to credit unions. Our selection of ISVs was based on the number of credit union clients and total credit union assets served by the ISV. By selecting these ten large ISVs, we were able to perform reviews on ISVs which serve 55% of federally insured credit unions. The ten ISVs reviewed by NCUA and our contractor are:
- CompuSource Systems, Inc. January 26 - 29, 1998
- Computer Consultants Corporation February 17 - 20, 1998
- C. U. Processing, Inc. March 9 - 12, 1998
- CUSA Technologies, Inc. March 2 - 5, 1998
- FedComp, Inc. March 2 - 5, 1998
- Fiserv Summit April 6 - 9, 1998
- Fiserv Galaxy March 9 - 12, 1998
- Ultradata Corporation February 23 - 26, 1998
- Users, Inc. December 15 - 18, 1997
- XP Systems Corporation February 17 - 20, 1998
We are currently planning to perform on-site reviews of additional ISVs as well as follow up contacts on vendors already reviewed.
The first ten reviews were voluntary - the ISVs agreed to allow us to conduct the reviews. At the time our review program began, we did not have the statutory authority granted by passage of the Examination Parity and Year 2000 Readiness for Financial Institutions Act on March 20, 1998. This law gives NCUA the authority to examine ISVs and allows NCUA to release additional information regarding examinations of ISVs conducted in the future.
What were the objectives of the reviews?
The reviews focused on the process each ISV was undertaking to become Year 2000 ready. Each review had the following objectives:
- Determine the status of the ISV's efforts in becoming Y2K ready;
- Identify risks related to the ISV's support of credit union Y2K efforts; and
- Assess the impact to credit unions of any Y2K problems detected.
What did we do during the reviews?
The ISV reviews addressed the following 3 areas:
- Project Management and Planning;
- Technical Evaluation and Repair; and
- Business Considerations.
After each review, we issued a report to the ISV which contained findings, recommendations, and an assessment of the potential impact of each finding on credit union clients. In addition, the report contains a profile of the ISV's business, as well as a review of the ISV's capacity for new customers. We also requested that the ISV provide a response to our findings.
What did the reviews provide the credit union community?
The ISV reviews provide NCUA with insight into each ISV's Y2K process and stability. This process also provided an opportunity to engage in a dialogue with the ISVs; the result being improved communication and understanding of both NCUA's and the ISVs' concerns. This continuing enlightenment of NCUA and ISVs will assist the credit union community by fostering the means for the development of further strategies and processes for assuring Y2K compliance.
Based on the progress demonstrated by each ISV at the time of the review; all ten ISVs would be rated as satisfactory in making progress in becoming Y2K ready.
How can you, the credit union, use this information?
Due to the complexities of the Y2K issue, the review of ISVs at any one point in time does not ensure that they will continue progress at the same rate over the life of the project. Therefore, the fact that NCUA has performed a review of an ISV does not alleviate the credit union's responsibility to perform sufficient due diligence of vendor efforts and progress. Given the credit union's continued responsibilities for due diligence, if you have not already done so, you can best use this information by asking your ISV the following questions:
- Who is responsible for the 3rd party interfaces of my system? Is it my responsibility to communicate to you my 3rd party interface vendors' Y2K compliance and methodology?
- Who is responsible for ensuring Y2K compliance of all my hardware and operating systems?
- Will you be performing beta testing with credit unions; if so, how can I get involved?
- How should I test? What should I test? Where should I test? When should I test?
- Does your Year 2000 planning process include a formal documented plan which includes a schedule by which you evaluate your progress? If so, please provide a status report of your progress thus far.
- What version/release will be Year 2000 compliant? What version/release should I be on at this time? When will the Year 2000 compliant version be ready for general release?
- Which systems will you not be making Year 2000 compliant, and how will that impact the way I currently use my system?
The following is a summary of the major findings of the ISV reviews.
Project Management and Planning -
- Half of the ISVs had a documented project plan available; those without a documented plan did have a methodology which was cited as moving them toward completion of Y2K repairs.
- Most of the ISVs were cited as proactively addressing Y2K issues.
- The majority of the ISVs were rated as having a strong customer focus.
- All of the ISVs were cited as having informal contingency plans and received recommendations to expand their contingency plans.
- All ISVs were cited as working closely with interfacing vendors to determine the compliance status of their software; however, most were cited as needing to establish cut-off dates to incorporate vendor changes.
Technical Evaluation and Repair
- All ISVs were cited as demonstrating that they were making progress toward full compliance.
- Many of the ISVs reported the need for credit union customers to ensure that their hardware and operating systems were Year 2000 compliant rather than the ISV doing so.
- All ISVs had internal testing plans, and most had plans to conduct beta testing with credit unions.
Business Considerations -
- All ISVs were reported to have a willingness to accept new customers, yet only half were able to provide a degree of specific capacity.
- Credit unions should ensure they are aware of their hardware and software issues.
Status of the ISV in terms of the Year 2000 Five Phase Process.
- Awareness - All ISVs were cited as being 100% aware with knowledgeable staff, and involved in the process of communicating with their customers.
- Assessment - At the time of our review, the majority of ISVs were 100% assessed.
- Renovation - At the time of our reviews, all ISVs were solidly engaged in the renovation phase.
- Validation - All of the ISVs either had testing plans in place or were in the process of testing.
- Implementation - All of the ISVs had distribution processes in place.
Generally, we found these ten ISVs very committed to ensuring their credit union clients' progress through the Y2K problem with minimal disruption to their interaction with credit union members. But you must not rely upon our findings alone; we cannot, and do not, certify whether an ISV is Y2K compliant. Our reviews should not be viewed as a substitute for independent due diligence. The information provided in this letter is intended to assist you in your communications with your ISV, whether or not the ISV has been the subject of one of our reviews.
Credit union management and Y2K project leaders must continue their due diligence to ensure they are ready for the millennium change. Every credit union is unique and management is responsible for establishing comprehensive Y2K due diligence, remediation, testing, and contingency planning processes. Look for more guidance from NCUA on acceptable sound testing strategies in the near future. In the meantime, if you have questions or comments, please contact your examiner, regional office or state supervisory authority.
Norman E. D'Amours
Chairman of the Board