SAFETY AND SOUNDNESS STANDARDS

12 Banks and Banking 1 2001-01-01 2001-01-01 false SAFETY AND SOUNDNESS STANDARDS 30 PART 30 Banks and Banking COMPTROLLER OF THE CURRENCY, DEPARTMENT OF THE TREASURY Pt. 30 PART 30—SAFETY AND SOUNDNESS STANDARDS Sec. 30.1 Scope. 30.2 Purpose. 30.3 Determination and notification of failure to meet safety and soundness standard and request for compliance plan. 30.4 Filing of safety and soundness compliance plan. 30.5 Issuance of orders to correct deficiencies and to take or refrain from taking other actions. 30.6 Enforcement of orders. Appendix A to Part 30—Interagency Guidelines Establishing Standards for Safety and Soundness Appendix B to Part 30—Interagency Guidelines Establishing Year 2000 Standards for Safety and Soundness Appendix C to Part 30—Supplemental Guidelines Establishing Year 2000 Standards for Safety and Soundness for National Bank Transfer Agents and Brokers or Dealers Authority:

12 U.S.C. 93a, 1818, 1831p-1, 3102(b).

Source:

60 FR 35680, July 10, 1995, unless otherwise noted.

§ 30.1 Scope.

The rules and procedures set forth in this part apply to national banks and federal branches of foreign banks, that are subject to the provisions of section 39 of the Federal Deposit Insurance Act (section 39) (12 U.S.C. 1831p-1).

§ 30.2 Purpose.

Section 39 of the FDI Act, 12 U.S.C. 1831p-1, requires the Office of the Comptroller of the Currency (OCC) to establish safety and soundness standards. Pursuant to section 39, a bank may be required to submit a compliance plan if it is not in compliance with a safety and soundness standard prescribed by guideline under section 39(a) or (b). An enforceable order under section 8 of the FDI Act, 12 U.S.C. 1818(b), may be issued if, after being notified that it is in violation of a safety and soundness standard prescribed under section 39, the bank fails to submit an acceptable compliance plan or fails in any material respect to implement an accepted plan. This part establishes procedures for requiring submission of a compliance plan and issuing an enforceable order pursuant to section 39. The Interagency Guidelines Establishing Standards for Safety and Soundness are set forth in Appendix A to this part, the Interagency Guidelines Establishing Year 2000 Standards for Safety and Soundness are set forth in Appendix B to this part, and the Supplemental Guidelines Establishing Year 2000 Standards for Safety and Soundness for National Bank Transfer Agents and Brokers or Dealers are set forth in Appendix C to this part.

[60 FR 35680, July 10, 1995, as amended at 63 FR 55488, Oct. 15, 1998; 64 FR 52641, Sept. 30, 1999]

§ 30.3 Determination and notification of failure to meet safety and soundness standard and request for compliance plan.

(a) Determination. The OCC may, based upon an examination, inspection, or any other information that becomes available to the OCC, determine that a bank has failed to satisfy the safety and soundness standards contained in the Interagency Guidelines Establishing Standards for Safety and Soundness set forth in Appendix A to this part, the Interagency Guidelines Establishing Year 2000 Standards for Safety and Soundness set forth in Appendix B to this part, or the Guidelines Establishing Year 2000 Standards for Safety and Soundness for National Bank Transfer Agents and Brokers or Dealers are set forth in Appendix C to this part.

(b) Request for compliance plan. If the OCC determines that a bank has failed a safety and soundness standard pursuant to paragraph (a) of this section, the OCC may request, by letter or through a report of examination, the submission of a compliance plan and the bank shall be deemed to have notice of the deficiency three days after mailing of the letter by the OCC or delivery of the report of examination.

[60 FR 35680, July 10, 1995, as amended at 63 FR 55488, Oct. 15, 1998; 64 FR 52641, Sept. 30, 1999]

§ 30.4 Filing of safety and soundness compliance plan.

(a) Schedule for filing compliance plan—(1) In general. A bank shall file a written safety and soundness compliance plan with the OCC within 30 days of receiving a request for a compliance plan pursuant to § 30.3(b) unless the OCC notifies the bank in writing that the plan is to be filed within a different period.

(2) Other plans. If a bank is obligated to file, or is currently operating under, a capital restoration plan submitted pursuant to section 38 of the FDI Act (12 U.S.C. 1831o), a cease-and-desist order entered into pursuant to section 8 of the FDI Act (12 U.S.C. 1818(b)), a formal or informal agreement, or a response to a report of examination or report of inspection, it may, with the permission of the OCC, submit a compliance plan under this section as part of that plan, order, agreement, or response, subject to the deadline provided in paragraph (a) of this section.

(b) Contents of plan. The compliance plan shall include a description of the steps the bank will take to correct the deficiency and the time within which those steps will be taken.

(c) Review of safety and soundness compliance plans. Within 30 days after receiving a safety and soundness compliance plan under this part, the OCC shall provide written notice to the bank of whether the plan has been approved or seek additional information from the bank regarding the plan. The OCC may extend the time within which notice regarding approval of a plan will be provided.

(d) Failure to submit or implement a compliance plan—(1) Supervisory actions. If a bank fails to submit an acceptable plan within the time specified by the OCC or fails in any material respect to implement a compliance plan, then the OCC shall, by order, require the bank to correct the deficiency and may take further actions provided in section 39(e)(2)(B). Pursuant to section 39(e)(3), the OCC may be required to take certain actions if the bank commenced operations or experienced a change in control within the previous 24-month period, or the bank experienced extraordinary growth during the previous 18-month period.

(2) Extraordinary growth. For purposes of paragraph (d)(1) of this section, extraordinary growth means an increase in assets of more than 7.5 percent during any quarter within the 18-month period preceding the issuance of a request for submission of a compliance plan, by a bank that is not well capitalized for purposes of section 38 of the FDI Act. For purposes of calculating an increase in assets, assets acquired through merger or acquisition approved pursuant to the Bank Merger Act (12 U.S.C. 1828(c)) will be excluded.

(e) Amendment of compliance plan. A bank that has filed an approved compliance plan may, after prior written notice to and approval by the OCC, amend the plan to reflect a change in circumstance. Until such time as a proposed amendment has been approved, the bank shall implement the compliance plan as previously approved.

§ 30.5 Issuance of orders to correct deficiencies and to take or refrain from taking other actions.

(a) Notice of intent to issue order—(1) In general. The OCC shall provide a bank prior written notice of the OCC's intention to issue an order requiring the bank to correct a safety and soundness deficiency or to take or refrain from taking other actions pursuant to section 39 of the FDI Act. The bank shall have such time to respond to a proposed order as provided by the OCC under paragraph (c) of this section.

(2) Immediate issuance of final order. If the OCC finds it necessary in order to carry out the purposes of section 39 of the FDI Act, the OCC may, without providing the notice prescribed in paragraph (a)(1) of this section, issue an order requiring a bank immediately to take actions to correct a safety and soundness deficiency or take or refrain from taking other actions pursuant to section 39. A bank that is subject to such an immediately effective order may submit a written appeal of the order to the OCC. Such an appeal must be received by the OCC within 14 calendar days of the issuance of the order, unless the OCC permits a longer period. The OCC shall consider any such appeal, if filed in a timely matter, within 60 days of receiving the appeal. During such period of review, the order shall remain in effect unless the OCC, in its sole discretion, stays the effectiveness of the order.

(b) Content of notice. A notice of intent to issue an order shall include:

(1) A statement of the safety and soundness deficiency or deficiencies that have been identified at the bank;

(2) A description of any restrictions, prohibitions, or affirmative actions that the OCC proposes to impose or require;

(3) The proposed date when such restrictions or prohibitions would be effective or the proposed date for completion of any required action; and

(4) The date by which the bank subject to the order may file with the OCC a written response to the notice.

(c) Response to notice—(1) Time for response. A bank may file a written response to a notice of intent to issue an order within the time period set by the OCC. Such a response must be received by the OCC within 14 calendar days from the date of the notice unless the OCC determines that a different period is appropriate in light of the safety and soundness of the bank or other relevant circumstances.

(2) Content of response. The response should include:

(i) An explanation why the action proposed by the OCC is not an appropriate exercise of discretion under section 39;

(ii) Any recommended modification of the proposed order; and

(iii) Any other relevant information, mitigating circumstances, documentation, or other evidence in support of the position of the bank regarding the proposed order.

(d) Agency consideration of response. After considering the response, the OCC may:

(1) Issue the order as proposed or in modified form;

(2) Determine not to issue the order and so notify the bank; or

(3) Seek additional information or clarification of the response from the bank, or any other relevant source.

(e) Failure to file response. Failure by a bank to file with the OCC, within the specified time period, a written response to a proposed order shall constitute a waiver of the opportunity to respond and shall constitute consent to the issuance of the order.

(f) Request for modification or rescission of order. Any bank that is subject to an order under this part may, upon a change in circumstances, request in writing that the OCC reconsider the terms of the order, and may propose that the order be rescinded or modified. Unless otherwise ordered by the OCC, the order shall continue in place while such request is pending before the OCC.

§ 30.6 Enforcement of orders.

(a) Judicial remedies. Whenever a bank fails to comply with an order issued under section 39, the OCC may seek enforcement of the order in the appropriate United States district court pursuant to section 8(i)(1) of the FDI Act.

(b) Failure to comply with order. Pursuant to section 8(i)(2)(A) of the FDI Act, the OCC may assess a civil money penalty against any bank that violates or otherwise fails to comply with any final order issued under section 39 and against any institution-affiliated party who participates in such violation or noncompliance.

(c) Other enforcement action. In addition to the actions described in paragraphs (a) and (b) of this section, the OCC may seek enforcement of the provisions of section 39 or this part through any other judicial or administrative proceeding authorized by law.

Pt. 30, App. A Appendix A to Part 30—Interagency Guidelines Establishing Standards for Safety and Soundness Table of Contents I. Introduction

A. Preservation of existing authority.

B. Definitions.

II. Operational and Managerial Standards

A. Internal controls and information systems.

B. Internal audit system.

C. Loan documentation.

D. Credit underwriting.

E. Interest rate exposure.

F. Asset growth.

G. Asset quality.

H. Earnings.

I. Compensation, fees and benefits.

III. Prohibition on Compensation That Constitutes an Unsafe and Unsound Practice

A. Excessive compensation.

B. Compensation leading to material financial loss.

I. Introduction

i. Section 39 of the Federal Deposit Insurance Act 1 (FDI Act) requires each Federal banking agency (collectively, the agencies) to establish certain safety and soundness standards by regulation or by guideline for all insured depository institutions. Under section 39, the agencies must establish three types of standards: (1) Operational and managerial standards; (2) compensation standards; and (3) such standards relating to asset quality, earnings, and stock valuation as they determine to be appropriate.

1 Section 39 of the Federal Deposit Insurance Act (12 U.S.C. 1831p-1) was added by section 132 of the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA), Pub. L. 102-242, 105 Stat. 2236 (1991), and amended by section 956 of the Housing and Community Development Act of 1992, Pub. L. 102-550, 106 Stat. 3895 (1992) and section 318 of the Riegle Community Development and Regulatory Improvement Act of 1994, Pub. L. 103-325, 108 Stat. 2160 (1994).

ii. Section 39(a) requires the agencies to establish operational and managerial standards relating to: (1) Internal controls, information systems and internal audit systems, in accordance with section 36 of the FDI Act (12 U.S.C. 1831m); (2) loan documentation; (3) credit underwriting; (4) interest rate exposure; (5) asset growth; and (6) compensation, fees, and benefits, in accordance with subsection (c) of section 39. Section 39(b) requires the agencies to establish standards relating to asset quality, earnings, and stock valuation that the agencies determine to be appropriate.

iii. Section 39(c) requires the agencies to establish standards prohibiting as an unsafe and unsound practice any compensatory arrangement that would provide any executive officer, employee, director, or principal shareholder of the institution with excessive compensation, fees or benefits and any compensatory arrangement that could lead to material financial loss to an institution. Section 39(c) also requires that the agencies establish standards that specify when compensation is excessive.

iv. If an agency determines that an institution fails to meet any standard established by guideline under subsection (a) or (b) of section 39, the agency may require the institution to submit to the agency an acceptable plan to achieve compliance with the standard. In the event that an institution fails to submit an acceptable plan within the time allowed by the agency or fails in any material respect to implement an accepted plan, the agency must, by order, require the institution to correct the deficiency. The agency may, and in some cases must, take other supervisory actions until the deficiency has been corrected.

v. The agencies have adopted amendments to their rules and regulations to establish deadlines for submission and review of compliance plans.2

2 For the Office of the Comptroller of the Currency, these regulations appear at 12 CFR Part 30; for the Board of Governors of the Federal Reserve System, these regulations appear at 12 CFR Part 263; for the Federal Deposit Insurance Corporation, these regulations appear at 12 CFR Part 308, subpart R, and for the Office of Thrift Supervision, these regulations appear at 12 CFR Part 570.

vi. The following Guidelines set out the safety and soundness standards that the agencies use to identify and address problems at insured depository institutions before capital becomes impaired. The agencies believe that the standards adopted in these Guidelines serve this end without dictating how institutions must be managed and operated. These standards are designed to identify potential safety and soundness concerns and ensure that action is taken to address those concerns before they pose a risk to the deposit insurance funds.

A. Preservation of Existing Authority

Neither section 39 nor these Guidelines in any way limits the authority of the agencies to address unsafe or unsound practices, violations of law, unsafe or unsound conditions, or other practices. Action under section 39 and these Guidelines may be taken independently of, in conjunction with, or in addition to any other enforcement action available to the agencies. Nothing in these Guidelines limits the authority of the FDIC pursuant to section 38(i)(2)(F) of the FDI Act (12 U.S.C. 1831(o)) and Part 325 of Title 12 of the Code of Federal Regulations.

B. Definitions

1. In general. For purposes of these Guidelines, except as modified in the Guidelines or unless the context otherwise requires, the terms used have the same meanings as set forth in sections 3 and 39 of the FDI Act (12 U.S.C. 1813 and 1831p-1).

2. Board of directors, in the case of a state-licensed insured branch of a foreign bank and in the case of a federal branch of a foreign bank, means the managing official in charge of the insured foreign branch.

3. Compensation means all direct and indirect payments or benefits, both cash and non-cash, granted to or for the benefit of any executive officer, employee, director, or principal shareholder, including but not limited to payments or benefits derived from an employment contract, compensation or benefit agreement, fee arrangement, perquisite, stock option plan, postemployment benefit, or other compensatory arrangement.

4. Director shall have the meaning described in 12 CFR 215.2(c).3

3 In applying these definitions for savings associations, pursuant to 12 U.S.C. 1464, savings associations shall use the terms “savings association” and “insured savings association” in place of the terms “member bank” and “insured bank”.

5. Executive officer shall have the meaning described in 12 CFR 215.2(d).4

4 See footnote 3 in section I.B.4. of this appendix.

6. Principal shareholder shall have the meaning described in 12 CFR 215.2(l).5

5 See footnote 3 in section I.B.4. of this appendix.

II. Operational and Managerial Standards

A. Internal controls and information systems. An institution should have internal controls and information systems that are appropriate to the size of the institution and the nature, scope and risk of its activities and that provide for:

1. An organizational structure that establishes clear lines of authority and responsibility for monitoring adherence to established policies;

2. Effective risk assessment;

3. Timely and accurate financial, operational and regulatory reports;

4. Adequate procedures to safeguard and manage assets; and

5. Compliance with applicable laws and regulations.

B. Internal audit system. An institution should have an internal audit system that is appropriate to the size of the institution and the nature and scope of its activities and that provides for:

1. Adequate monitoring of the system of internal controls through an internal audit function. For an institution whose size, complexity or scope of operations does not warrant a full scale internal audit function, a system of independent reviews of key internal controls may be used;

2. Independence and objectivity;

3. Qualified persons;

4. Adequate testing and review of information systems;

5. Adequate documentation of tests and findings and any corrective actions;

6. Verification and review of management actions to address material weaknesses; and

7. Review by the institution's audit committee or board of directors of the effectiveness of the internal audit systems.

C. Loan documentation. An institution should establish and maintain loan documentation practices that:

1. Enable the institution to make an informed lending decision and to assess risk, as necessary, on an ongoing basis;

2. Identify the purpose of a loan and the source of repayment, and assess the ability of the borrower to repay the indebtedness in a timely manner;

3. Ensure that any claim against a borrower is legally enforceable;

4. Demonstrate appropriate administration and monitoring of a loan; and

5. Take account of the size and complexity of a loan.

D. Credit underwriting. An institution should establish and maintain prudent credit underwriting practices that:

1. Are commensurate with the types of loans the institution will make and consider the terms and conditions under which they will be made;

2. Consider the nature of the markets in which loans will be made;

3. Provide for consideration, prior to credit commitment, of the borrower's overall financial condition and resources, the financial responsibility of any guarantor, the nature and value of any underlying collateral, and the borrower's character and willingness to repay as agreed;

4. Establish a system of independent, ongoing credit review and appropriate communication to management and to the board of directors;

5. Take adequate account of concentration of credit risk; and

6. Are appropriate to the size of the institution and the nature and scope of its activities.

E. Interest rate exposure. An institution should:

1. Manage interest rate risk in a manner that is appropriate to the size of the institution and the complexity of its assets and liabilities; and

2. Provide for periodic reporting to management and the board of directors regarding interest rate risk with adequate information for management and the board of directors to assess the level of risk.

F. Asset growth. An institution's asset growth should be prudent and consider:

1. The source, volatility and use of the funds that support asset growth;

2. Any increase in credit risk or interest rate risk as a result of growth; and

3. The effect of growth on the institution's capital.

G. Asset quality. An insured depository institution should establish and maintain a system that is commensurate with the institution's size and the nature and scope of its operations to identify problem assets and prevent deterioration in those assets. The institution should:

1. Conduct periodic assetquality reviews to identify problem assets;

2. Estimate the inherent losses in those assets and establish reserves that are sufficient to absorb estimated losses;

3. Compare problem asset totals to capital;

4. Take appropriate corrective action to resolve problem assets;

5. Consider the size and potential risks of material asset concentrations; and

6. Provide periodic asset reports with adequate information for management and the board of directors to assess the level of asset risk.

H. Earnings. An insured depository institution should establish and maintain a system that is commensurate with the institution's size and the nature and scope of its operations to evaluate and monitor earnings and ensure that earnings are sufficient to maintain adequate capital and reserves. The institution should:

1. Compare recent earnings trends relative to equity, assets, or other commonly used benchmarks to the institution's historical results and those of its peers;

2. Evaluate the adequacy of earnings given the size, complexity, and risk profile of the institution's assets and operations;

3. Assess the source, volatility, and sustainability of earnings, including the effect of nonrecurring or extraordinary income or expense;

4. Take steps to ensure that earnings are sufficient to maintain adequate capital and reserves after considering the institution's asset quality and growth rate; and

5. Provide periodic earnings reports with adequate information for management and the board of directors to assess earnings performance.

I. Compensation, fees and benefits. An institution should maintain safeguards to prevent the payment of compensation, fees, and benefits that are excessive or that could lead to material financial loss to the institution.

III. Prohibition on Compensation That Constitutes an Unsafe and Unsound Practice A. Excessive Compensation

Excessive compensation is prohibited as an unsafe and unsound practice. Compensation shall be considered excessive when amounts paid are unreasonable or disproportionate to the services performed by an executive officer, employee, director, or principal shareholder, considering the following:

1. The combined value of all cash and non-cash benefits provided to the individual;

2. The compensation history of the individual and other individuals with comparable expertise at the institution;

3. The financial condition of the institution;

4. Comparable compensation practices at comparable institutions, based upon such factors as asset size, geographic location, and the complexity of the loan portfolio or other assets;

5. For postemployment benefits, the projected total cost and benefit to the institution;

6. Any connection between the individual and any fraudulent act or omission, breach of trust or fiduciary duty, or insider abuse with regard to the institution; and

7. Any other factors the agencies determines to be relevant.

B. Compensation Leading to Material Financial Loss

Compensation that could lead to material financial loss to an institution is prohibited as an unsafe and unsound practice.

[60 FR 35678, 35682, July 10, 1995, as amended at 61 FR 43950, Aug. 27, 1996] Pt. 30, App. B Appendix B to Part 30 Interagency Guidelines Establishing Year 2000 Standards for Safety and Soundness Table of Contents I. Introduction A. Preservation of existing authority B. Definitions II. Year 2000 Standards for Safety and Soundness A. Review of mission-critical systems for Year 2000 readiness B. Renovation of internal mission-critical systems C. Renovation of external mission-critical systems D. Testing of mission-critical systems E. Business resumption contingency planning F. Remediation contingency planning G. Customer risk H. Involvement of the board of directors and management I. Introduction

The Interagency Guidelines Establishing Year 2000 Standards for Safety and Soundness (Guidelines) set forth safety and soundness standards pursuant to section 39 of the Federal Deposit Insurance Act (section 39) (12 U.S.C. 1831p-1) that are applicable to an insured depository institution's efforts to achieve Year 2000 readiness. The Guidelines, which also interpret the general standards in the Interagency Guidelines Establishing Standards for Safety and Soundness adopted in 1995, apply to all insured depository institutions.

A. Preservation of Existing Authority

Neither section 39 nor the Guidelines in any way limits the authority of the Federal banking agencies to address unsafe or unsound practices, violations of law, unsafe or unsound conditions, or other practices. The Federal banking agencies, in their sole discretion, may take appropriate actions so that insured depository institutions will be able to successfully continue business operations after January 1, 2000, including on a case-by-case basis requiring actions by dates that are later than the key dates set forth in the Guidelines. Action under section 39 and the Guidelines may be taken independently of, in conjunction with, or in addition to any other action, including enforcement action, available to the Federal banking agencies.

B. Definitions

1. In general. For purposes of the Guidelines the following definitions apply:

a. Business resumption contingency plan means a plan that describes how mission-critical systems of the insured depository institution will continue to operate in the event there are system failures in processing, calculating, comparing, or sequencing date or time data from, into, or between the 20th and 21st centuries; and the years 1999 and 2000; and with regard to leap year calculations.

b. External system means a system the renovation of which is not controlled by the insured depository institution, including systems provided by service providers and any interfaces with external third party suppliers and other material third parties.

c. External third party supplier means a service provider or software vendor that supplies services or products to insured depository institutions.

d. Internal system means a system the renovation of which is controlled by the insured depository institution, including software, operating systems, mainframe computers, personal computers, readers/sorters, and proof machines. An internal system also may include a system controlled by the insured depository institution with embedded integrated circuits (e.g., heating and cooling systems, vaults, communications, security systems, and elevators).

e. Mission-critical system means an application or system that is vital to the successful continuance of a core business activity or process. An application or system may be mission-critical if it interfaces with a designated mission-critical system. Software products also may be mission-critical.

f. Other material third party means a third party, other than an external third party supplier, to whom an insured depository institution transmits data or from whom an insured depository institution receives data, including business partners (e.g., credit bureaus), other insured depository institutions, payment system providers, clearinghouses, customers, and utilities.

g. Remediation contingency plan means a plan that describes how the insured depository institution will mitigate the risks associated with the failure to successfully complete renovation, testing, or implementation of its mission-critical systems.

h. Renovation means code enhancements, hardware and software upgrades, system replacements, and other associated changes that ensure that the insured depository institution's mission-critical systems and applications are Year 2000 ready.

i. Year 2000 ready or readiness with respect to a system or application means a system or application accurately processes, calculates, compares, or sequences date or time data from, into, or between the 20th and 21st centuries; and the years 1999 and 2000; and with regard to leap year calculations.

II. Year 2000 Standards for Safety and Soundness

A. Review of Mission-Critical Systems For Year 2000 Readiness. Each insured depository institution shall in writing:

1. Identify all internal and external mission-critical systems that are not Year 2000 ready;

2. Establish priorities for accomplishing work and allocating resources to renovating internal mission-critical systems;

3. Identify the resource requirements and individuals assigned to the Year 2000 project on internal mission-critical systems;

4. Establish reasonable deadlines for commencing and completing the renovation of such internal mission-critical systems;

5. Develop and adopt a project plan that addresses the insured depository institution's Year 2000 renovation, testing, contingency planning, and management oversight process; and

6. Develop a due diligence process to monitor and evaluate the efforts of external third party suppliers to achieve Year 2000 readiness.

B. Renovation of Internal Mission-Critical Systems. Each insured depository institution shall commence renovation of all internal mission-critical systems that are not Year 2000 ready in sufficient time that testing of the renovation can be substantially completed by December 31, 1998.

C. Renovation of External Mission-Critical Systems. Each insured depository institution shall:

1. Determine the ability of external third party suppliers to renovate external mission-critical systems that are not Year 2000 ready and to complete the renovation in sufficient time to substantially complete testing by March 31, 1999;

2. Maintain written documentation of all its communications with external third party suppliers regarding their ability to renovate timely and effectively external mission-critical systems that are not Year 2000 ready; and

3. Develop in writing an ongoing due diligence process to monitor and evaluate the efforts of external third party suppliers to achieve Year 2000 readiness, including:

a. monitoring the efforts of external third party suppliers to achieve Year 2000 readiness on at least a quarterly basis and documenting communications with these suppliers; and

b. reviewing the insured depository institution's contractual arrangements with external third party suppliers to determine the parties’ rights and obligations to achieve Year 2000 readiness.

D. Testing of Mission-Critical Systems. Each insured depository institution shall:

1. Develop and implement an effective written testing plan for both internal and external systems. Such a plan shall include the testing environment, testing methodology, testing schedules, budget projections, participants to be involved in testing, and the critical dates to be tested to achieve Year 2000 readiness;

2. Verify the adequacy of the testing process and validate the results of the tests with the assistance of the project manager responsible for Year 2000 readiness, the owner of the system tested, and an objective independent party (such as an auditor, a consultant, or a qualified individual from within or outside of the insured depository institution who is independent of the process under review);

3. Substantially complete testing of internal mission-critical systems by December 31, 1998;

4. Commence testing of external mission-critical systems by January 1, 1999;

5. Substantially complete testing of external mission-critical systems by March 31, 1999;

6. Commence testing with other material third parties by March 31, 1999; and

7. Complete testing of all mission-critical systems by June 30, 1999.

E. Business Resumption Contingency Planning. Each insured depository institution shall develop and implement an effective written business resumption contingency plan that, at a minimum:

1. Defines scenarios for mission-critical systems failing to achieve Year 2000 readiness;

2. Evaluates options and selects a reasonable contingency strategy for those systems;

3. Provides for the periodic testing of the business resumption contingency plan; and

4. Provides for independent testing of the business resumption contingency plan by an objective independent party, such as an auditor, consultant, or qualified individual from another area of the insured depository institution who was not involved in the formulation of the business resumption contingency plan.

F. Remediation Contingency Planning. Each insured depository institution that has failed to successfully complete renovation, testing, and implementation of a mission-critical system, or is in the process of remediation and is not on schedule with the key dates in section II.D., shall develop and implement an effective written remediation contingency plan that, at a minimum:

1. Outlines the alternatives available if remediation efforts are not successful, including the availability of alternative external third party suppliers, and selects a reasonable contingency strategy; and

2. Establishes trigger dates for activating the remediation contingency plan, taking into account the time necessary to convert to alternative external third party suppliers or to complete any other selected strategy.

G. Customer Risk. Each insured depository institution shall develop and implement a written due diligence process that:

1. Identifies customers, including fund providers, fund takers, and capital market/asset management counterparties, that represent material risk exposure to the institution;

2. Evaluates their Year 2000 preparedness;

3. Assesses their existing and potential Year 2000 risk to the institution; and

4. Implements appropriate risk controls, including controls for underwriting risk, to manage and mitigate their Year 2000 risk to the institution.

H. Involvement of the Board of Directors and Management.

1. During all stages of the renovation, testing, and contingency planning process, the board of directors and management of each insured depository institution shall:

a. be actively involved in efforts to plan, allocate resources, and monitor progress towards attaining Year 2000 readiness;

b. oversee the efforts of the insured depository institution to achieve Year 2000 readiness and allocate sufficient resources to resolve problems relating to the institution's Year 2000 readiness; and

c. evaluate the Year 2000 risk associated with any strategic business initiatives contemplated by the insured depository institution, including mergers and acquisitions, major systems development, corporate alliances, and system interdependencies.

2. In addition, the board of directors, at a minimum, shall require from management, and management shall provide to the board of directors, written status reports, at least quarterly and as otherwise appropriate to keep the directorate fully informed, of the insured depository institution's efforts in achieving Year 2000 readiness. Such written status reports shall, at a minimum, include:

a. The overall progress of the insured depository institution's efforts in achieving Year 2000 readiness;

b. The insured depository institution's interim progress in renovating, validating, and contingency planning measured against the insured depository institution's Year 2000 project plan as adopted under section II.A.5. of appendix B;

c. The status of efforts by key external third party suppliers and other material third parties in achieving Year 2000 readiness;

d. The results of the testing process;

e. The status of contingency planning efforts; and

f. The status of the ongoing assessment of customer risk.

[64 FR 66704, 66705, Nov. 29, 1999] Pt. 30, App. C Appendix C to Part 30—Supplemental Guidelines Establishing Year 2000 Standards for Safety and Soundness for National Bank Transfer Agents and Brokers or Dealers Table of Contents A. Introduction. B. Preservation of existing authority. C. Definitions. D. Year 2000 Standards for safety and soundness. A. Introduction

These Supplemental Guidelines are issued pursuant to section 39 of the Federal Deposit Insurance Act (FDI Act) (12 U.S.C. 1831p-1) and apply to transfer agent and broker or dealer systems that a national bank has not designated as mission-critical. These Supplemental Guidelines are in addition to, but do not supersede, the Year 2000 Guidelines previously adopted as Appendix B to 12 CFR Part 30. The Guidelines in Appendix B continue to apply to efforts of national banks to achieve Year 2000 readiness of their mission-critical systems.

B. Preservation of existing authority

Neither section 39 nor these Supplemental Guidelines in any way limits the authority of the OCC to address unsafe or unsound practices, violations of law, unsafe or unsound conditions, or other practices of bank transfer agents and brokers or dealers. For example, failure to complete any of the standards set forth in the Supplemental Guidelines may constitute an unsafe or unsound practice under 12 U.S.C. 1818(b). Action under section 39 and the Supplemental Guidelines may be taken independently of, in conjunction with, or in addition to any other remedy, including enforcement action, available to the OCC.

C. Definitions

1. In general. For purposes of the Supplemental Guidelines the following definitions apply:

a. Bank transfer agent means a national bank that provides transfer agent services directly or through an operating subsidiary, or a Federal branch that is subject to the provisions of section 39 of the FDI Act (12 U.S.C. 1831p-1), if the national bank, operating subsidiary or Federal branch is a registered transfer agent whose appropriate regulatory agency, as that term is defined in 15 U.S.C. 78c(a)(34), is the Office of the Comptroller of the Currency. The term bank transfer agent does not include a transfer agent that qualifies as an issuer or small transfer agent, as these terms are defined in 17 CFR 240.17Ad-13(d) (1) and (2).

b. Bank broker or dealer means a national bank that effects securities brokerage or dealer transactions for customers, or a Federal branch that is subject to the provisions of section 39 of the FDI Act (12 U.S.C. 1831p-1). The term bank broker or dealer does not include operating subsidiaries of national banks. The term bank broker or dealer does not include a national bank effecting fewer than 500 securities brokerage transactions per year for customers during the prior three calendar year period.

c. System means an automated system and related applications necessary to ensure the prompt and accurate processing of securities transactions, including order entry, transfer execution, comparison, allocation, clearance and settlement of securities transactions, the maintenance of customer accounts, the delivery of funds and securities, or the production or retention of required records.

d. Business resumption contingency plan means a plan that describes how a bank transfer agent or bank broker or dealer will continue to perform transfer agent or broker or dealer functions, respectively, in the event transfer agent or broker or dealer systems fail to function because of Year 2000 readiness.

e. Year 2000 ready or readiness with respect to a system means the system accurately processes, calculates, compares, or sequences date or time data from, into, or between the 20th and 21st centuries; and the years 1999 and 2000; and with regard to leap year calculations.

D. Year 2000 standards for safety and soundness

1. No later than November 1, 1999, each bank transfer agent and bank broker or dealer shall identify all transfer agent and broker or dealer systems that are not Year 2000 ready.

2. For each system identified pursuant to section D.1., each bank transfer agent and bank broker or dealer shall develop and implement an effective written business resumption contingency plan by November 15, 1999, that, at a minimum:

a. Defines scenarios for transfer agent and broker or dealer systems failing to achieve Year 2000 readiness;

b. Evaluates options and selects a reasonable contingency strategy for those systems; and

c. Provides for independent testing of the business resumption contingency plan by an objective independent party (such as an auditor, consultant, or qualified individual from another area of the insured depository institution who is independent of the plan under review).

[64 FR 52641, Sept. 30, 1999]