| 1. |
|
Y2K compliance scheme Should any of the following apply to the institutionfs schemes to achieve
Y2K compliance:
|
|
|
|
(Note 1) gComplianceh
for the purposes of this document refers not only to the computer systems used by
individual financial institutions but to all measures taken by an institution to
counteract all conceivable influences from the Y2K problem from all conceivable sources,
including other financial institutions, customers, and others with which the institution
has business dealings.
|
|
|
(Note 2) gSystemsh and gcomputer systemsh for the
purposes of this document refer not only to computer systems that are connected to the
outside and computer systems directly involved in the business of the institution, but to
all computer systems used for internal purposes (personnel management, payroll, etc.) and
all equipment containing microcomputers, including safes, security equipment, and
elevators.
|
|
| (1) |
|
The institution has not clearly articulated the strategic position of Y2K
in its business planning and the like (not acceptable to have Y2K merely as part of the
operations planning of the computer systems divisions).
|
| (2) |
|
The institution has not clearly appointed a director and department to
have overall responsibility for its Y2K compliance (not acceptable to appoint only
computer systems divisions).
|
| (3) |
|
The institution has not clearly developed a chain of command and
reporting from the top management (including the chairman, president, or chief executive
officer, and so on) to the director in charge, to the department in charge, and to
individual departments.
|
| (4) |
|
The top management does not receive at least monthly reports on the Y2K
problem and the progress made in complying.
|
| (5) |
|
The top management has failed to issue specific remedial instructions for
inadequate progress.
|
| (6) |
|
The institution has not put in place policies and programs to inform and
deepen the understanding of the entire staff of the risks posed by the Y2K bug.
|
|
| 2. |
|
Formulation of compliance plans
| (1) |
|
The institution has failed to complete its review of the computer systems
for which Y2K compliance is required, or has classified systems requiring compliance
asgnot requiring complianceh in its review.
|
|
(Note 1) gComplianceh in
this context includes both repairs and testing (internal testing, connection tests with
customers [when necessary], and external connection tests [when necessary] and so on).
|
|
|
(Note 2) Institutions must
conduct on-site tests of Y2K compliance even for computer systems certified (guaranteed)
to be Y2K compliant by the manufacturer or other parties.
|
|
|
(Note 3) gExternal
connection testsh include testing of connections with the BOJ-Net, Tokyo Stock Exchange
system, and other systems.
|
|
| (2) |
|
The institution has failed to formulate appropriate plans for computer
systems compliance (completed repairs, internal testing, and external connection testing
[when its systems are connected to systems outside the institution]).
In this context, gappropriate plansh refers to:
| 1) |
|
Compliance schedules comply with the targets below, or when they do not,
the institution can provide a reasonable explanation as to how it will be able, with
absolute certainty, to have compliance completed by the end of 1999. A greasonable
explanationh in this context would include the timing of the first attempt to handle
dates beyond January 1, 2000 by the system in question, response should the need for
repairs be discovered in testing (including provisions for the technicians, budget, and
time required), and response should repairs not be completed by December 1999.
- End of 1998: Completion of repairs, internal testing, and identification of customers
connected to all important systems.
- End of June 1999: Completion of external connection tests and customer connection tests
for all important systems.
- End of September 1999: Confirmation that there are no systems that have gone unrepaired.
|
| 2) |
|
Plans clearly articulate compliance priorities.
|
| 3) |
|
Testing includes the change over from 1999 to 2000, and such dates in
addition to January 1, 2000 as are required by the specific nature of the system.
|
|
| (3) |
|
The institution has failed to appropriately estimate or provide budget
for the expenses involved in Y2K compliance (it does not have an approved budget or the
prospects of an approved budget).
|
| (4) |
|
The institution has failed to find if customers (large borrowers and
depositors) and major transactional counterparties (excluding those connected via
electronic banking), which could have an impact on it, will be Y2K compliant, or to take
appropriate measures in light of its findings.
|
|
| 3. |
|
Progress in implementing plans
| (1) |
|
Progress in implementing plans meets any of the following (except when
proceeding according to the initial schedule) but at the same time the institution is
unable to provide a reasonable explanation as to how it will be able to achieve sufficient
Y2K compliance by the end of 1999.
- End of 1998: Repairs, internal testing, and identification of customers connected to all
important systems not completed.
- End of June 1999: External connection tests and customer connection tests for all
important systems not completed.
- End of September 1999: Systems remain that have not yet been repaired.
|
|
(Note) A greasonable
explanationh in this context would include the timing of the first attempt to handle
dates beyond January 1, 2000 by the system in question, response should the need for
repairs be discovered in testing (including provisions for the technicians, budget, and
time required), and response should repairs not be completed by December 1999.
|
|
| (2) |
|
The institution has systems that are not projected to be Y2K compliant by
the end of 1999 and lack of compliance will have a potentially major impact.
|
| (3) |
|
System repairs are egregiously behind schedule and it is clear that the
institution will not be able to adequately test its systems (for example, the institution
has failed to provide a reasonable explanation of its response for problems identified
during tests or its failure to participate in industry-wide testing of the interbank
payments systems or other systems).
|
| (4) |
|
The institution has failed to find if customers (large borrowers and
depositors) and major transactional counterparties, which could have an impact on it, will
be Y2K compliant, or to take appropriate measures in light of its findings (does not
include tests with those connected to its system).
|
|
| 4. |
|
Contingency plans
| (1) |
|
The institution has not begun to formulate a contingency plan by the end
of March 1999.
|
|
(Note 1) Crisis management
plans are required even if system repairs and testing are complete or system management
has been outsourced.
|
|
| (2) |
|
The institution has failed to formulate a contingency plan by the end of
June 1999.
|
|
(Note) Crisis management
plans must cover the possible spill-over effects from problems at customers and others
with which the institution has business dealings, not just problems caused by the
institutionsf own systems. In addition, plans must cover system anomalies (including a
clear definition of who is to decide if an anomaly is Y2K related and whether the
contingency plan will be invoked), not just system crashes.
|
|
|
| 5. |
|
Appropriate disclosure The institution has failed to make appropriate disclosure of its Y2K compliance
program. |
