Year 2000 Computing Crisis:

National Credit Union Administration's Efforts to Ensure Credit Union Systems Are Year 2000 Compliant

T-AIMD-98-20: Published: Oct 22, 1997. Publicly Released: Oct 22, 1997.

Contact:

Jack L. Brock, Jr
(202) 512-4841
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a congressional request, GAO reviewed the National Credit Union Administration's (NCUA) progress in making sure that the automated information systems belonging to the thousands of credit unions it oversees have adequately mitigated the risks associated with the year 2000 date change.

GAO noted that: (1) NCUA has taken steps to address the Year 2000 problem; (2) these involve incorporating the Year 2000 issue into its examination and supervision program, disseminating information about the problem, and assessing Year 2000 compliance on the part of data processing vendors; (3) concerns exist that must be resolved if the NCUA is to achieve greater certainty that credit unions will meet their Year 2000 deadline; (4) NCUA still does not have a complete picture of where credit unions and their vendors stand in resolving the Year 2000 problem, and current efforts to determine credit union compliance are behind the schedule established by GAO and the Office of Management and Budget (OMB); (5) while NCUA sent questionnaires to credit unions and data processing vendors about the problem, it has not yet queried 20 percent of credit unions and has only received 29 of 87 vendor responses; (6) of the credit union and vendor responses received, NCUA has not yet analyzed this information to identify high-risk credit unions and vendors; (7) further, the surveys did not specifically ask about the status of corrective efforts and whether interface issues were appropriately being addressed; (8) NCUA has directed credit unions to conduct contingency planning and its staff have discussed what steps they should take should a credit union not be compliant by January 1, 2000; (9) however, the agency still lacks a formal contingency plan; (10) NCUA must take prompt action to ensure that these discussions are formally documented so that it will be well-positioned to handle unforeseen problems; (11) as potentially damaging as the Year 2000 problem is, NCUA has not yet ensured that the issue is addressed by credit union auditors; (12) doing so would provide credit union management with a greater assurance and understanding about where their institution stands in addressing the problem; (13) NCUA does not have enough staff qualified to conduct examination work in complex system areas; (14) at present, NCUA is in the process of hiring an electronic data processing (EDP) auditor and is requesting authority to hire 2 more; and (15) these personnel additions may not suffice given the tremendous workload and short time frame for getting it done.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: Last fall, NCUA implemented a quarterly tracking system and started collecting quarterly information from the credit unions on the status of their remediation efforts including the completion percentage of each phase for mission-critical systems and interfaces in December 1997. In addition, on January 14, 1998, NCUA issued a letter to federally insured credit unions describing the potential problems associated with the system interface issue and providing steps to manage the problem.

    Recommendation: NCUA should collect the necessary information to determine the exact phase of each credit union and vendor in addressing the Year 2000 problem. Because NCUA currently does not have a process in place for interim reporting of this information between examinations, NCUA should require credit unions to report the precise status (phase) of their efforts on at least a quarterly basis. One option would be to use the financial reports, commonly referred to as call reports, that credit unions provide to NCUA quarterly. As part of this report, NCUA should also require credit unions to report on the status of identifying their interfaces to determine whether this issue is being adequately addressed and if not, require credit unions to implement such agreements as soon as possible.

    Agency Affected: National Credit Union Administration

  2. Status: Closed - Not Implemented

    Comments: NCUA completed its initial industry assessment by December 31, 1997, as originally planned and agreed to with the Federal Financial Institutions Examination Council.

    Recommendation: NCUA should accelerate agency efforts to complete the assessment of the state of the industry by no later than November 15, 1997, rather than waiting until the end of the year.

    Agency Affected: National Credit Union Administration

  3. Status: Closed - Implemented

    Comments: NCUA did not perform an analysis to determine the level of technical capability needed to allow for thorough review of credit unions' year 2000 efforts because, according to agency officials, it did not have the time or resources to hire and develop a large in-house technical staff. Instead of making this assessment, NCUA identified how it could use existing resources to assess technical year 2000 issues. Using this approach, NCUA: (1) contracted with a public accounting firm to review 35 of the largest data processing service providers and 25 large credit unions with either in-house or very complex systems; and (2) hired 3 information systems officers to support its examiners.

    Recommendation: NCUA should, before the end of the year, determine the level of technical capability needed to allow for thorough review of credit unions' Year 2000 efforts and hire or contract for this capability.

    Agency Affected: National Credit Union Administration

  4. Status: Closed - Implemented

    Comments: In a November 28, 1997, letter to the credit unions, NCUA required credit union management to attest via signature to the accuracy and completeness of future quarterly Year 2000 progress reports to NCUA. However, regarding the use of independent third parties to review system testing results, NCUA stated that it does not believe such reviews would be cost-effective due to, among other things: (1) the difficulty of finding enough firms to perform the reviews; (2) the cost of having all credit unions conduct them; and (3) the potential credit union complacency that could result from the sense that such reviews mitigate all Year 2000 risks.

    Recommendation: NCUA should require credit unions to establish processes whereby credit union management would be responsible for certifying Year 2000 readiness by a deadline well before the millennium. Such a certification process should include credit union compliance testing by an independent third party and should allow sufficient time for NCUA to review the results.

    Agency Affected: National Credit Union Administration

  5. Status: Closed - Implemented

    Comments: NCUA's December 1, 1997, letter notifying the credit union supervisory committees of the need to include Year 2000 within the scope of their work included the examination procedures used by NCUA's examiners in assessing Year 2000 compliance.

    Recommendation: To aid credit union auditors in this effort, NCUA should provide auditors with the procedures developed by NCUA for its examiners to use in assessing Year 2000 compliance and any other guidance that would be instructive.

    Agency Affected: National Credit Union Administration

  6. Status: Closed - Implemented

    Comments: On December 1, 1997, NCUA issued a letter, including examination procedures, to the credit union supervisory committees notifying them of the need to include Year 2000 issues as part of the required annual internal control analysis work.

    Recommendation: NCUA should require credit unions to implement the necessary management controls to ensure these financial institutions have adequately mitigated the risks associated with the Year 2000 problem. Specifically, NCUA should require credit union auditors to include Year 2000 issues within the scope of their management and internal control work and report serious problems and corrective actions to NCUA immediately.

    Agency Affected: National Credit Union Administration

  7. Status: Closed - Implemented

    Comments: On January 22, 1998, NCUA issued an instruction to its examiners containing its Y2K contingency plan and specific guidance on how examiners are to enforce it. A week before, NCUA had issued a letter to the federally insured credit unions containing guidance for preparing their own contingency plans.

    Recommendation: NCUA should formally document its contingency plans.

    Agency Affected: National Credit Union Administration

 
